OP25 Security Warning for OP25 Users

[KA1RBI]

The OP25 Group is aware of multiple hack attempts occurring on servers running OP25 on public facing IP addresses, typically on TCP port 8080.

The HTTP web server code in OP25 has not undergone any security-hardening or vulnerability review and is not intended for public web-facing applications, as noted (several times) in the various OP25 README files; for example:

*WARNING*: there is no security or encryption. Be careful when using "0.0.0.0"
as the listening address since anyone with access to the network can connect.

Also it should be noted that just because the server may not be "advertised" has no bearing on this. Hackers have methods of locating such open ports with ease.

Users are strongly cautioned to apply external security measures (firewalling, etc). for these servers. The OP25 Group cannot be responsible for any damage or loss of data caused by failure to adhere to these warnings...

Max

 

[NebraskaCoder]

If you must, and have the technical know-how, setup a local VPN (not one of the VPN services) on your local network and use a VPN client on the machine you want to access it on.

 

[krutzy]

Ok thank you - I will change it. Is that the reason for errors?

 

[KA1RBI]

Ok thank you - I will change it. Is that the reason for errors?

We have several corroborating indications (and no contra-indications) for that being the root cause. As already noted a fix has been committed for a second error that cascades from the first one......

 

[krutzy]

Ok - I shut down the port forward so it is only visible locally. I will now give the updated changes a try.

 

[WX4JCW]

is it possible to change ports? 8080 is a pretty common one for attacks

 

[NebraskaCoder]

is it possible to change ports? 8080 is a pretty common one for attacks

A port scan will still find it.

 

[lwvmobile]

Any outward facing service you run on a server or a computer is always at risk of being exploited, its just a matter of popularity, known exploit(s) being available, if its a high profile target, and so on. Just so happens that services like LAMP and WAMP are big targets, and if not the service itself, the website code that can also be exploited to many end. I used to have a wordpress on an old machine just for fun, and that thing got defaced a few times back in the day.

If you must, and have the technical know-how, setup a local VPN (not one of the VPN services) on your local network and use a VPN client on the machine you want to access it on.

This is usually the best type of practice, require tunneling in via VPN or SSH to get to local area assets.

 

[boatbod]

is it possible to change ports? 8080 is a pretty common one for attacks

It sure is possible to use a different port, but it'll still be horribly insecure. The op25 terminal has *zero* security and should never be accessible from a network where unknown actors can attack it.

Any outward facing service you run on a server or a computer is always at risk of being exploited, its just a matter of popularity, known exploit(s) being available, if its a high profile target, and so on. Just so happens that services like LAMP and WAMP are big targets, and if not the service itself, the website code that can also be exploited to many end. I used to have a wordpress on an old machine just for fun, and that thing got defaced a few times back in the day.

This is usually the best type of practice, require tunneling in via VPN or SSH to get to local area assets.

Absolutely!

 

[krutzy]

I know there is a way to secure it - I just have dig in my notes on another project to do it.

I am well aware of the things that go on on the internet maintaining 2 WP sites. I knew what I was doing. Frankly it wasn't to be long term but just a reminder how fast it can happen. Thanks for the sanity check!

 

[krutzy]

A follow up. Would something like Fail2ban be ok vs. setting up a local VPN? Just curious of peoples thoughts.

Kevin

 

[avery_k]

A follow up. Would something like Fail2ban be ok vs. setting up a local VPN? Just curious of peoples thoughts.

Kevin

If the terminal were password-protected, it might but if it has no security as boatbod says, there would be nothing to fail and ban, at least as I understand it.

I've had a VPN set up on a RPI for a couple years for external access and it worked great. PiVPN is great for that.

 

[krutzy]

Cool - thanks for the recommendation!

 

[krutzy]

avery_k - I have tried twice to install and run pivpn. I went through all set steps after checking multiple guides. It still doesn't seem to block traffic. I asked a guy if he could try to see my op25 and he had no problem going to the port. Now am I missing something dumb or is there something else I missed. I had him use my dns to it.
Worse case I am thinking of just putting a lmhost file in the www directory. Only other thing I can think of.

I know out of scope but I figured I would ask.

 

[lwvmobile]

It still doesn't seem to block traffic.

Close that incoming port on your modem/router, leaving only the incoming port for the VPN. Also, change your httpd server (not sure what OP25 uses for web) to only accept connections from your local area network, don't use 0.0.0.0 as a catch all IP for incoming connection, specify a local area network subnet, like 192.168.7.0 or similar.

 

[krutzy]

I wondered if that was the way to get it to do it. I will take a look and give a try - thanks.

 

[krutzy]

Thank you but I have run out of talent to do this. Appreciate the help.

 

[lwvmobile]

Thank you but I have run out of talent to do this. Appreciate the help.

Never a good thing to straight up give up on something. Nothing wrong with taking a step back or coming back to a project another day, or re-evaluating your steps or what your trying to accomplish in the long run, but never good to just straight up give up on it. I often find that if I take a step back and don't think about it for a day or two, I'll have an epiphany or if nothing else, just get the itch to want to work on it again until I figure it out.

 

[krutzy]

I usually don't. I probably won't. But for now I have let it go. Other things to do.

 

[avery_k]

You can also change the default port from 1194 to something else. Just bear in mind to use that same port in whatever VPN client client you use. 1194 is pretty well known for VPN traffic. And I typically set up a certificate set for authentication instead of a password. This functionality is built in.

Block the http server port at the router as lwvmobile said. You only want external access to it thru the VPN.

When the VPN is properly set up and you connect externally you should be able to see your local network just as if you were at your house connected to the router. It creates an encrypted tunnel to pass traffic between your client and the local network.

Don't let it get you down, those who have knowledge in these things have spent untold hours failing before finally getting it right. When you are clear headed again, read the documentation. Then read it again, especially the parts that were tripping you up. It will start to make sense.