Pi-Star security vulnerability

... have you opened it up to the outside world?

My Jumbospot based hotspot had been running continuously for weeks without problems, then I noticed that it had begun hanging most nights. This carried on for a couple of weeks with me trying out various configuration changes without success. Then I logged in via SSH one evening and got a "disk full" error message referring to "/var/log". When I checked, I found that the "auth.log" file had grown to fill the entire "/var/log" partition. Viewing it revealed that my hotspot was under continual attack from the internet - bots around the world were flooding it with login attempts with random user ids and passwords on a range of port numbers and protocols!

My network is behind a commercial grade firewall and is pretty secure - so I was surprised. Then I remembered that I had enabled public SSH access to the hotspot in the pi-star dashboard a few weeks earlier. The pi-star software sends uPNP requests to the network firewall to open up ports and it had quietly opened my main firewall up! The internet is full of bots that spend their time scanning the world looking for vulnerable computers and then trying to break into them - my hotspot had been noticed and was then under attack. The result was that the auth.log file was growing out of control, filling the filing system up before the late night housekeeping could compress and archive it. The network interface on the hostspot was also heavily loaded and the overall effect seemed to be instability.

I turned off the public SSH access in the hotspot and tightened up the rules in the main firewall - now it has run for several days without blinking and the "/var/log" partition has plenty of free space! uPNP can be handy, but it is also a big security vulnerability!

Posted by Martin (G8FXC)
1/2




There seems to be a periodic housekeeping function that cleans out the auth.log, so in normal operation we should not need to do anything. The problem is that the pi-star image puts auth.log into a small disk partition - just 64k, I think - so if your pi-star comes under attack in the way mine did, the auth.log rapidly grows to completely fill that partition and that seems to make the software unstable. Addressing the auth.log overflow is not the way to approach this - we need to be concerned about the security of our networks. If an attacker had managed to break into my hotspot, he would then have been in a trusted position within my network and apart from screwing up the hotspot, it could have given him the springboard to break into my other computers - which contain far more sensitive data than the hotspot.

Ultimately, it's the uPNP functionality within pi-star that we should be worried about - that allows it to ask the main firewall in our network (for example in the router that connects your network to the internet) to open up access for it. You need to think carefully about how much access you need to the hotspot from outside your home network and make sure that you don't allow the hotspot to request more access than you are comfortable giving it.

Posted by Martin (G8FXC)
2/3



Firewall Configuration" near the bottom of the main configuration page. You can turn the entire uPNP function off, or just disable the three options "Dashboard access", "ircddbgateway remote" and "ssh remote". I've left uPNP on but disabled the three remote access options and that seems to have stopped the external attacks. I have not tried turning uPNP off yet - I suspect that that would then require you to manually configure your network firewall - usually in your router - to permit the necessary traffic. From the security viewpoint, that is probably the best thing to do - it will give you the opportunity to work out what you really want to let into your network, but it does require you to understand both the requirements of Pi-Star and how to configure traffic rules into your router...

Martin (G8FXC)
3/3



Brilliants, and More available ...
https://groups.io/g/PiStar/topic/

Andre f = t ∇ sτ

No comments:

Post a Comment

.
PiStar Users Discussion Group
Pi-Star Users Support Group
https://groups.io/g/PiStar

BrandMeister Network Users Discussion Group
https://groups.io/g/BrandMeister
.

Note: only a member of this blog may post a comment.