Tag archive: Hacking

IP-Tables control of traffic by Country

Recently I have had quite a few bouts with people trying all sorts of nefarious things with my VPS from various places in the world. I realized the best way is to take whole countries out of the equation, and I wanted a nice easy way of doing that.

First of all, I soon realized that I needed to be a little bit restrictive, but since some of the domains that run on the server are probably accessed legitimately, I wanted to divide all countries into three categories:

0 – No restrictions
1 – Restricted access, basically just allowing ICMP and http on port 80
2 – Complete blocking, drop all packets

So countries in class 0 would be Sweden and all countries where there is a reasonable legal system and from which I have not yet seen too many attempts on the security. Class 1 would be places like Russia, from which there is legitimate traffic but also a lot of junk, and class 2 would be China, from which there is likely no legitimate traffic and still a lot of attempts on the security.

First of all, you need to get hold of a zone file divided country by country. This is also called a CIDR file (Classless Inter-Domain Routing), where all the IP blocks assigned at the international level are sorted into the right country file. You can find this here. Just download the file with all the blocks in it and keep it somewhere. You may want to refresh it now and then, say on a monthly basis.

I am assuming you already have an iptables script file and that you are just looking at adding this functionality. Open the script file and add the following to it:

# Loop over all lists of banned networks
# Any rules below this will not work on these ranges as they will
# drop before they reach any other rule. If you want to open some ports
# even for banned countries, then you need to put those rules in front
# of this rule!
echo "Kill line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/banned-hosts/*
do
  echo "Processing k-line file $f..."
  # read -r keeps backslashes literal; blank lines are skipped so that an
  # empty $p never turns into "-s -j CBLK" and aborts the script
  while read -r p
  do
    [ -n "$p" ] || continue
    $IPTABLES -A INPUT -s "$p" -j CBLK
  done < "$f"
done

This script should be placed before any rules that allow any traffic whatsoever!

After this part you place the rules that allow any traffic you wish to allow from the restricted countries, and then you place this after those rules:

# Restricted hosts here from CIDR files in the restricted section
# these guys will only be able to do ICMP and http, nothing else
# and that should be quite a few countries
echo "Restrict line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/restricted-hosts/*
do
  echo "Processing r-line file $f..."
  # same hardening as the banned loop: literal reads, blank lines skipped
  while read -r p
  do
    [ -n "$p" ] || continue
    $IPTABLES -A INPUT -s "$p" -j CBLK
  done < "$f"
done

Now you should create the following directories:

sudo mkdir /etc/iptables
sudo mkdir /etc/iptables/banned-hosts/
sudo mkdir /etc/iptables/restricted-hosts/

Unpack (explode) the file you downloaded, with all the IP blocks country by country, into the /etc/iptables/banned-hosts/ directory and you should get a bunch of files called af.zone, al.zone and so on. Each of these refers to an ISO two-letter country code.

Do not run the iptables script at this point. Start by removing the file for your own country; in my case that would be se.zone for Sweden. Your mileage may vary here. Refer to this page if you do not know the country codes (they are the same as the countries' Internet domains).

Delete the files that you do not wish to impose any restrictions on.

Move the files for the countries you want to restrict to the /etc/iptables/restricted-hosts/ dir.

Anything remaining in /etc/iptables/banned-hosts/ when you are done will be denied access when you run your iptables script.

Now run the script; it may take some time.

When you are done, run iptables-save > /etc/iptables/tables to save your rules, then add the line iptables-restore < /etc/iptables/tables to /etc/rc.local (or a similar place) so that the tables are loaded automatically at boot.

Full example

echo "### IP-tables ###"

IPTABLES=/sbin/iptables

echo "Default policies."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

echo "Flushing old rules"
$IPTABLES -F
$IPTABLES -X

echo "Create LOGDROP chain"
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG --log-prefix "IPT: DROP " --log-level 7
$IPTABLES -A LOGDROP -j DROP

echo "Create LOGACCEPT chain"
$IPTABLES -N LOGACCEPT
$IPTABLES -A LOGACCEPT -j LOG --log-prefix "IPT: ACCEPT " --log-level 7
$IPTABLES -A LOGACCEPT -j ACCEPT

echo "Create INVALIDDROP chain"
$IPTABLES -N INVALIDDROP
$IPTABLES -A INVALIDDROP -j LOG --log-prefix "IPT: INVALID " --log-level 7
$IPTABLES -A INVALIDDROP -j DROP

echo "Killfile certain IP chain"
$IPTABLES -N BANNED
$IPTABLES -A BANNED -j LOG --log-prefix "IPT: BANNED " --log-level 7
$IPTABLES -A BANNED -j DROP

echo "Create a country block chain"
$IPTABLES -N CBLK
$IPTABLES -A CBLK -j LOG --log-prefix "IPT: CBLK " --log-level 7
$IPTABLES -A CBLK -j DROP

# Loop over all lists of banned networks
# Any rules below this will not work on these ranges as they will
# drop before they reach any other rule. If you want to open some ports
# even for banned countries, then you need to put those rules in front
# of this rule!

echo "Kill line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/banned-hosts/*
do
  echo "Processing k-line file $f..."
  # read -r keeps backslashes literal; blank lines are skipped so that an
  # empty $p never turns into "-s -j CBLK" and aborts the script
  while read -r p
  do
    [ -n "$p" ] || continue
    $IPTABLES -A INPUT -s "$p" -j CBLK
  done < "$f"
done

echo "Enabling loopback"
# Without this, local services talking over 127.0.0.1 end up in the
# final LOGDROP rule at the bottom of the INPUT chain.
$IPTABLES -A INPUT -i lo -j ACCEPT

echo "Enabling ICMP"
$IPTABLES -A INPUT  -p icmp -j LOGACCEPT
$IPTABLES -A OUTPUT -p icmp -j LOGACCEPT

echo "Enabling http on standard port"
$IPTABLES -A INPUT  -p tcp --dport http -m state --state NEW         -j LOGACCEPT
$IPTABLES -A INPUT  -p tcp --dport http -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport http -m state --state ESTABLISHED -j ACCEPT

# Restricted hosts here from CIDR files in the restricted section
# these guys will only be able to do ICMP and http, nothing else
# and that should be quite a few countries

echo "Restrict line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/restricted-hosts/*
do
  echo "Processing r-line file $f..."
  # same hardening as the banned loop: literal reads, blank lines skipped
  while read -r p
  do
    [ -n "$p" ] || continue
    $IPTABLES -A INPUT -s "$p" -j CBLK
  done < "$f"
done

echo "Dropping invalid packets"
$IPTABLES -A INPUT -m state --state INVALID -j INVALIDDROP

echo "Enabling DNS server connections."
# Only replies to queries this machine sent are accepted. Without the state
# match, any host could reach any local port just by sending from port 53.
$IPTABLES -A INPUT  -p tcp --sport domain -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT  -p udp --sport domain -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport domain -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport domain -j ACCEPT

echo "Enabling NTP server connections."
$IPTABLES -A INPUT  -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW         -j LOGACCEPT

echo "Applying rules for inbound and outbound ssh"
# ssh on this box is served on the gopher port (70 in /etc/services), not 22
$IPTABLES -A INPUT  -p tcp --dport gopher -m state --state NEW         -j LOGACCEPT
$IPTABLES -A INPUT  -p tcp --dport gopher -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport gopher -m state --state ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT  -p tcp --sport gopher -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport gopher -m state --state NEW         -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport gopher -m state --state ESTABLISHED -j ACCEPT

echo "Applying rules for outbound ssh standard port"
$IPTABLES -A INPUT  -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state NEW         -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT

echo "Enabling https traffic out from this machine"
# Inbound side: only replies to connections this machine opened. Accepting
# NEW inbound packets merely because their source port is 443 would let any
# host reach any local port by sending from port 443.
$IPTABLES -A INPUT  -p tcp --sport 443  -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443  -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443  -m state --state NEW         -j LOGACCEPT

echo "Dropping all other input packets."
$IPTABLES -A INPUT -j LOGDROP

echo "Done."

echo "IPV6 setting policy"

/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P OUTPUT DROP
/sbin/ip6tables -P FORWARD DROP

echo "IPV6 flushing tables"

/sbin/ip6tables -F

echo "IPV6 Done."

Using your Android for network monitoring

Using a small piece of software called RF Signal Tracker it is possible to create a log file detailing the coverage parameters your phone sees at every point along a route. This is something that other software like TEMS charges you thousands of € for, and now you can do it for free using nothing but a bit of computer skills and an Android phone.

RF Signal Tracker is a little buggy, so in order to use it properly you should turn off auto-rotation of your screen and avoid running too many other applications at the same time. When the phone is in idle mode you will get less accurate readings, but usually good enough to make well-reasoned assumptions about the network.

When you start RF Signal Tracker you have an option to record your data. It will use the phone's built-in GPS receiver to find out where you are and then log that together with the signal strength (in dBm) and other parameters such as the base station Cell ID, the LAC and many other important parameters, as well as the base station position (if it is known).

This can then be exported to the Micro SD card in the phone as a CSV file, which is the easiest format to use. Once you have it as a CSV file you may tether the phone to your computer and transfer the file to your working directory.

If you are running some flavour of Linux, BSD or other Unix you are set, but if you are running Windows you need to install a package called Cygwin. Standard settings should do; you need a command line that works and a tool called "awk", which is awesome. A tutorial for AWK can be found here.

Open a shell, navigate to your working directory and find the CSV file. Then issue a command like this:

awk <export_091130170020.csv 'BEGIN {FS=","}; {print $3/1000000 "," $2/1000000 "," 130+$4}' >coord.txt

This writes a file called "coord.txt" in your working directory with one line per sample: the coordinates in WGS84 decimal format (ddd.ddddd, dd.ddddd), longitude (easting/westing) first and latitude (northing/southing) second, followed by the height value computed from the signal strength.

The next step is to take the following KML file and open it in a text editor, just copy it straight to the editor of your choice.

<?xml version="1.0" encoding="UTF-8"?>
<kml xmlns="http://www.opengis.net/kml/2.2">
  <Document>
    <name>Paths</name>
    <description>Examples of paths. Note that the tessellate tag is by default
      set to 0. If you want to create tessellated lines, they must be authored
      (or edited) directly in KML.</description>
    <Style id="yellowLineGreenPoly">
      <LineStyle>
        <color>7f00ffff</color>
        <width>4</width>
      </LineStyle>
      <PolyStyle>
        <color>7f00ff00</color>
      </PolyStyle>
    </Style>
    <Placemark>
      <name>Signal Strength Test Run</name>
      <description>Some description here</description>
      <styleUrl>#yellowLineGreenPoly</styleUrl>
      <LineString>
        <extrude>1</extrude>
        <tessellate>1</tessellate>
        <altitudeMode>relativeToGround</altitudeMode>
        <coordinates>
<!-- YOUR COORDINATES GOES HERE -->
        </coordinates>
      </LineString>
    </Placemark>
  </Document>
</kml>

Find the section that says <coordinates> </coordinates> in the above and then paste the contents of coord.txt between the two tags.

If you have Google Earth you can now double-click on the KML file you created and view the result. The height over ground is calculated from the signal strength so that a strength of -130 dBm is flat on the ground and every dBm above that places the measurement point 1 m higher. This means that a signal strength of -90 dBm will place the point at 130-90 = 40 m above ground.
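The awk step and the KML template combined into one script, as an added example that is not from the post: the function names csv_to_coords and csv_to_kml are hypothetical, the column layout is the one the post's awk command assumes (latitude*1e6 in field 2, longitude*1e6 in field 3, dBm in field 4), and since the export may carry a header row, any row whose fields are not numeric is skipped. It goes one step beyond the one-liner by flooring the height at 0, so a reading below -130 dBm does not end up beneath the ground in Google Earth.

```shell
#!/bin/sh
# Added example, not from the post: turns an RF Signal Tracker CSV export into
# a complete KML path in one step. Column layout is an assumption taken from
# the post's awk command: field 2 = latitude*1e6, field 3 = longitude*1e6,
# field 4 = signal strength in dBm. Non-numeric rows (a header line) are skipped.

# csv_to_coords CSV: print "lon,lat,height" per sample, height = 130 + dBm
# floored at 0 so that a reading below -130 dBm does not sink below ground.
csv_to_coords() {
  awk 'BEGIN { FS = "," }
       $2 ~ /^-?[0-9]+(\.[0-9]+)?$/ &&
       $3 ~ /^-?[0-9]+(\.[0-9]+)?$/ &&
       $4 ~ /^-?[0-9]+(\.[0-9]+)?$/ {
         h = 130 + $4
         if (h < 0) h = 0
         printf "%.6f,%.6f,%d\n", $3 / 1000000, $2 / 1000000, h
       }' "$1"
}

# csv_to_kml CSV NAME: wrap the coordinate list in the post's KML skeleton
# (relativeToGround, extruded, tessellated line) and print it to stdout.
csv_to_kml() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n'
  printf '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>\n'
  printf '<Placemark><name>%s</name><LineString>\n' "$2"
  printf '<extrude>1</extrude><tessellate>1</tessellate>\n'
  printf '<altitudeMode>relativeToGround</altitudeMode><coordinates>\n'
  csv_to_coords "$1"
  printf '</coordinates></LineString></Placemark></Document></kml>\n'
}
```

Run it as csv_to_kml export_091130170020.csv "Signal Strength Test Run" > run.kml and open the result in Google Earth.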

Happy hacking!

Brazilians hack satellites for personal communications


Apparently resourceful people in Brazil have learned how to use modified ham radio equipment and satellite dishes to hijack military satellite transponders as a country-wide radio network.

It all started with a radio station that realized it could use the transponders to broadcast a radio signal, and today everyone from truckers to drug runners uses the satellites to broadcast warnings or just chatter about the latest football score.

Quite impressive! Using the US Navy’s Fleet Satellite Communications System like this is excellent stuff! :)

Here is the story in Wired

Hackers Stole Joint Strike Fighter Plans

Hackers pirated the Joint Strike Fighter – Ny Teknik.

China vs. Pentagon

Hackers stole plans for the Joint Strike Fighter II. The Swedish paper "Ny Teknik" (mainly an engineering and technology newspaper) reports today that what seem to be Chinese hackers have broken into the most secret parts of the Pentagon and stolen the secret plans of the Joint Strike Fighter aircraft.

The Wall Street Journal reports that the intrusions took place during 2007 and 2008 and that several terabytes of data were stolen. The attacks came through a supplier in Turkey via the Lockheed facility there.

The American defense forces are now taking measures to increase their IT security.

The JSF is one of the most prestigious and expensive development projects ever undertaken, and the stolen data could possibly be used to analyze the JSF for its weaknesses and develop an effective defense against it.

Retro-Hacking: Commodore 64 Portable

Recently, on one of the mailing lists I read, there was a link posted to this guy who has made a portable C64 laptop. I was amazed at the level of attention to detail this guy has and how well his design rhymes with the design language of the era when the C64 was originally designed.

That design was called the "bread box" here in Sweden, with that typical beige-gray colour of the Commodore computers, way before the redesigned, almost Volvo-looking C128 and C128D and the futuristic-looking Amiga 500.

The C64 Portable - Brilliant retro hack!

Click the image to read the full article.