2/13/2015

DataPower: Keeping your appliances less prone to attacks

Chances are that if your DataPower appliances face the Internet, you have suffered, or are suffering right now, brute-force attacks. Don't you think so? Check your logs...

This problem becomes more evident when you have default ports open to the Internet, say ports 22, 80, 443, 5550, 9090, and so on.

This happens because there are thousands of robots out there scanning every IP and port around the world, using a technique called brute force.

Brute force is a type of attack that tries to gain access to servers by repeatedly trying different combinations of credentials. It may also make use of a dictionary of the most commonly used passwords out there, like 123456, password, qwerty, abc123, etc.

Let's take a look at this real case scenario:

20150213T043514Z [network][error] : tid(2): TCP connection attempt refused from 159.226.43.96 to X.X.X.X port 80
20150213T043515Z [network][error] : tid(2): TCP connection attempt refused from 159.226.43.96 to X.X.X.X port 80
20150213T063841Z [auth][error] : User '/etc/init.d/iptables stop' failed to log in.
20150213T063841Z [auth][error] : User 'service iptables stop' failed to log in.
20150213T063841Z [auth][error] : User '/tmp/init.d/iptables stop' failed to log in.
20150213T072620Z [auth][error] : User 'service iptables stop' failed to log in.
20150213T072628Z [auth][error] : User 'chmod 777 148080' failed to log in.
20150213T072636Z [auth][error] : User 'cd /tmp' failed to log in.
20150213T073442Z [network][error] : tid(2): TCP connection attempt refused from 78.101.49.77 to X.X.X.X port 80
20150213T073443Z [network][error] : tid(2): TCP connection attempt refused from 78.101.49.77 to X.X.X.X port 80
20150213T084505Z [auth][error] : User 'service iptables stop' failed to log in.
20150213T084513Z [auth][error] : User 'chmod 777 148080' failed to log in.
20150213T084521Z [auth][error] : User 'cd /tmp' failed to log in.
20150213T120039Z [network][error] : tid(2): TCP connection attempt refused from 199.217.118.79 to X.X.X.X port 10000
20150213T120350Z [network][error] : tid(2): TCP connection attempt refused from 112.221.251.221 to X.X.X.X port 80
20150213T124135Z [auth][error] : User '/etc/init.d/iptables stop' failed to log in.
20150213T124135Z [auth][error] : User 'service iptables stop' failed to log in.
20150213T124135Z [auth][error] : User '/tmp/init.d/iptables stop' failed to log in.

Someone trying to log in with the user id "service iptables stop" or "chmod 777 148080" looks suspicious, right? LOL
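To turn that eyeballing into something repeatable, here is an added example (not code from the original post) that parses the two message shapes in the excerpt above, the [network][error] refused connections and the [auth][error] failed logins, and reports the indicators a defender wants from them: refused connections per source IP and the ports each one probed, bursts of failed logins inside a sliding time window, and "user ids" that are really shell commands. The sample input is the excerpt itself; the five-minute window, the threshold of three failures and the list of command words are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Sample input: the log excerpt from the post (destination IP masked as in the post).
SAMPLE_LOG = """\
20150213T043514Z [network][error] : tid(2): TCP connection attempt refused from 159.226.43.96 to X.X.X.X port 80
20150213T043515Z [network][error] : tid(2): TCP connection attempt refused from 159.226.43.96 to X.X.X.X port 80
20150213T063841Z [auth][error] : User '/etc/init.d/iptables stop' failed to log in.
20150213T063841Z [auth][error] : User 'service iptables stop' failed to log in.
20150213T063841Z [auth][error] : User '/tmp/init.d/iptables stop' failed to log in.
20150213T072620Z [auth][error] : User 'service iptables stop' failed to log in.
20150213T072628Z [auth][error] : User 'chmod 777 148080' failed to log in.
20150213T072636Z [auth][error] : User 'cd /tmp' failed to log in.
20150213T073442Z [network][error] : tid(2): TCP connection attempt refused from 78.101.49.77 to X.X.X.X port 80
20150213T073443Z [network][error] : tid(2): TCP connection attempt refused from 78.101.49.77 to X.X.X.X port 80
20150213T084505Z [auth][error] : User 'service iptables stop' failed to log in.
20150213T084513Z [auth][error] : User 'chmod 777 148080' failed to log in.
20150213T084521Z [auth][error] : User 'cd /tmp' failed to log in.
20150213T120039Z [network][error] : tid(2): TCP connection attempt refused from 199.217.118.79 to X.X.X.X port 10000
20150213T120350Z [network][error] : tid(2): TCP connection attempt refused from 112.221.251.221 to X.X.X.X port 80
20150213T124135Z [auth][error] : User '/etc/init.d/iptables stop' failed to log in.
20150213T124135Z [auth][error] : User 'service iptables stop' failed to log in.
20150213T124135Z [auth][error] : User '/tmp/init.d/iptables stop' failed to log in.
"""

TS_FMT = "%Y%m%dT%H%M%SZ"
REFUSED_RE = re.compile(
    r"^(?P<ts>\d{8}T\d{6}Z) \[network\]\[error\] : tid\(\d+\): "
    r"TCP connection attempt refused from (?P<src>[\d.]+) to \S+ port (?P<port>\d+)$"
)
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{8}T\d{6}Z) \[auth\]\[error\] : User '(?P<user>.*)' failed to log in\.$"
)
# A real user id never contains whitespace, a leading path or shell metacharacters.
# The command words are an assumption: the ones in the excerpt plus a few common ones.
COMMAND_RE = re.compile(r"(\s|^/|[;&|`$]|\b(service|chmod|cd|iptables|wget|curl|sh)\b)")


def parse_line(line):
    """Return ('refused', ts, src, port), ('failed_login', ts, user) or None."""
    m = REFUSED_RE.match(line)
    if m:
        return ("refused", datetime.strptime(m["ts"], TS_FMT), m["src"], int(m["port"]))
    m = FAILED_LOGIN_RE.match(line)
    if m:
        return ("failed_login", datetime.strptime(m["ts"], TS_FMT), m["user"])
    return None


def looks_like_command(user_id):
    """True when the 'user id' is really an OS command typed at the login prompt."""
    return COMMAND_RE.search(user_id) is not None


def failed_login_bursts(timestamps, window, threshold):
    """Sliding window: (window start, count) wherever >= threshold failures fall within window."""
    timestamps = sorted(timestamps)
    bursts, start = [], 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        count = end - start + 1
        if count >= threshold:
            if bursts and bursts[-1][0] == timestamps[start]:
                bursts[-1] = (timestamps[start], count)   # same window, one more failure
            else:
                bursts.append((timestamps[start], count))
    return bursts


def analyze(log_text, window=timedelta(minutes=5), threshold=3):
    """Summarise brute-force indicators found in a block of DataPower log text."""
    refused_by_src, ports_by_src = Counter(), defaultdict(set)
    failed_ts, command_like_users = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                        # other log categories are ignored here
        if rec[0] == "refused":
            _, _ts, src, port = rec
            refused_by_src[src] += 1
            ports_by_src[src].add(port)
        else:
            _, ts, user = rec
            failed_ts.append(ts)
            if looks_like_command(user):
                command_like_users.add(user)
    return {
        "refused_by_src": dict(refused_by_src),
        "ports_by_src": {src: sorted(p) for src, p in ports_by_src.items()},
        "failed_logins": len(failed_ts),
        "bursts": failed_login_bursts(failed_ts, window, threshold),
        "command_like_users": sorted(command_like_users),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, n in sorted(report["refused_by_src"].items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} refused connection(s) on port(s) {report['ports_by_src'][src]}")
    for start, n in report["bursts"]:
        print(f"{n} failed logins within 5 minutes starting {start:%Y-%m-%d %H:%M:%S}Z")
    print("command-like user ids:", report["command_like_users"])
```

Feed it the output of the default log target instead of SAMPLE_LOG and tune the window and threshold to your own traffic; the command-word check is the cheap one to alert on, because no legitimate administrator logs in as "cd /tmp".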

By observing this behavior for a few months now, I noticed that most IPs are from China. Of the connection attempts I received today, however, just one is from China (159.226.43.96); then we have one from Qatar (78.101.49.77), one from the United States (199.217.118.79), and one from Korea (112.221.251.221). Before you start blaming these countries, keep in mind that it is really simple to fake an IP like that in order to hide the real source of the attacks.

What I want to say here is that blocking IPs with ACLs will barely provide a solution, even if you block huge IP ranges belonging to a given country. It may work in the short term, but it will fail in the long term as other IPs show up. Trust me, I tried! :-)

The truth is that you are never 100% safe; what you can do is try to understand how these robots work and come up with a strategy to deceive or avoid them. Some robots are more intelligent than others: they will spend some time performing a full port scan of a given IP to determine which ports are open, and then direct a specific attack at each service they find. For example, if port 22 is open, the robot will start with user ids and passwords, and only after it succeeds will it try actual OS commands. If port 80 is open, it will probably try to exploit recently discovered vulnerabilities in web servers.

Your best bet to avoid this kind of attack is to eliminate the default ports from your configuration and to limit the number of ports open to the Internet. For example, there is hardly ever a need to leave administration-related services such as SSH, SOMA, and the WebGUI open to the Internet, when most companies have VPN services that allow administrators to reach those interfaces from a more secure environment.

EDIT: Dan Zrobok also wrote a very interesting article about security titled Five Common Security Issues Found in DataPower Environments. We highly recommend reading it, as he covers other very important topics: Firmware Currency, Administrative Accounts, TLS Cipher Suites and Protocol Versions, and Exception Information Leaks (when you give more information in the error message than needed).

Keeping all this information in mind, you are not only making your device safer, but you are also implementing best practices that are used by the most secure enterprises around the globe.

Have other ideas to prevent attacks? Share with us!
