Blacklisting Security
BLACKLISTING
Even with all of the techniques listed so far in use (strong passwords,
limited connectivity, greylisting, etc.) malicious activity can still disrupt
your JNIOR. This falls under the category of Denial of Service (DoS). A remote
bad actor repeatedly connecting to the JNIOR and guessing at usernames and
passwords consumes processing resources. While the JNIOR is a very capable
device, those resources are still limited. If connectivity is tied up in this
way your legitimate connection request may not succeed, preventing you from
using your automation. Cryptography is computationally expensive, which means
that while JANOS is busy with encryption other tasks have to wait and the
system slows. Note that the handshake for an encrypted connection is performed
before any credentials are checked, so even a failed login attempt incurs that
cost. That cost is acceptable when you need a secure connection; it is another
matter when bad actors repeatedly waste processing cycles and degrade
performance.
One solution is to limit access to the JNIOR using the
IpConfig/Allow Registry
entry. This restricts access to the JNIOR to only your IP address or range of
IP addresses, so that others cannot reach the product at all. If the JNIOR
application is meant to provide a service more generally, and others must be
able to reach it, this approach is too limiting.
The alternative is
Blacklisting. A text file may be created containing a
list of IP addresses and IP address ranges to be blocked. The Blacklist is
enabled by placing the file specification in the
IpConfig/Blacklist
Registry key. When a valid file specification appears in this key JANOS
ingests the file and filters all incoming packets. Any packet from a
blacklisted IP address is ignored outright; no response of any kind is sent.
These packets are then considered Network Noise and can be filtered from the
NETSTAT sniffer output.
The blacklist file may be edited at any time. The change is detected and
takes effect within seconds. The list may contain many thousands of IP
addresses before network performance is impacted. Blacklists available from
various sources contain tens of thousands of IP addresses known to be
generating malicious traffic. Such lists contain far too many addresses and
will impact network performance. A very large list can render the JNIOR
network connection unusable, requiring the setting to be undone from the
command line through the serial
COM port. Since every incoming packet is checked against the list, keep it to
the addresses that have actually bothered your JNIOR rather than importing a
public feed wholesale.
Note that the NETSTAT -Bn command exports your blacklist sorted by IP address,
block count or last time blocked, depending on the value of 'n'. Those
statistics are exported with the list. The exported output can be edited and
installed directly as a new list, since any text other than the IP address
detail at the start of a line is ignored as commentary.
BLACKLIST FORMAT
The Blacklist file is a text file containing one or more lines. An IP address
is specified using the standard dotted IPv4 form NNN.NNN.NNN.NNN and must start
in the first column of the line, at the left margin. If a valid IP address is
not found at the start of a line, the line is ignored and treated as
commentary. The '#' character may also be used to mark comments for clarity.
To specify a single address, format it as above (e.g. 68.21.75.25) followed by
an end-of-line or a space. Anything after the space is treated as commentary.
A range of IP addresses may be specified using a '-' dash (no surrounding
spaces) between the starting address and the ending address, both inclusive.
For example:
68.221.75.20-68.221.75.30
The above defines a range of 11 addresses, including the .30 address. All
eleven will be blocked.
You may also define a range using the subnet (CIDR) format. For example, the
following blocks the addresses from 68.221.75.0 to 68.221.75.31:
68.221.75.0/27
Here the number 27 is the count of 1 bits in the associated netmask,
0xFFFFFFE0, usually written 255.255.255.224. The above could be equivalently
specified as:
68.221.75.0-68.221.75.31
This start-end form is the one NETSTAT uses when it exports a range.
PROCEDURE
The procedure is to watch the network activity of the JNIOR using the
NETSTAT -SDN command. This is best done after enabling
Greylisting, where the
-N option hides the noise. If you notice a specific IP address making
repeated unnecessary connections, add that address to the blacklist. The
built-in
EDIT editor is a useful tool for this.
You can also periodically review the
access.log file for IP addresses
responsible for failed login attempts using well-known credential lists.
Those IP addresses can be added to the blacklist. This log also records
SSH DoS attempts; those IP addresses are good candidates for the blacklist
as well.
Similarly you can review the
web.log for HTTP requests probing the JNIOR
for files that are common targets on other kinds of computers. Often
malformed URLs are tried in an attempt to reach restricted parts of the
system. Those IP addresses are worth blocking.
If the JNIOR has been running for some time you can export the blacklist
sorted by the last-blocked timestamp. Typically a number of addresses at the
bottom of this list have not returned in some time and may be safely removed
to prune the list. The following command pipes the list to the editor, where
it can be shortened and saved over the current blacklist file:
netstat -b3 | edit
Finally, this blocking of malicious activity can be automated. We have
experimented with a
Blacklister.jar application that watches for new entries
in log files, analyzes them for malicious triggers and appends the offending
IP addresses to a blacklist. If you are interested, contact INTEG
Support for
more information.
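The following is an added example of the log-driven automation just described. It is not INTEG's Blacklister.jar and not JANOS code. The log line layout, the sample lines and the trigger wording are all constructed for the example; the real access.log and web.log layouts differ, so LINE_RE and TRIGGERS must be adapted before use. It shows the part that matters: counting trigger hits per source address inside a time window, so that a single mistyped password does not get a legitimate user blacklisted, and emitting lines in the blacklist format (address first, commentary after a space).

```python
"""Find blacklist candidates in log lines.

Added example, not INTEG's Blacklister.jar and not JANOS code.
ASSUMPTION: the log layout "<timestamp>, <source ip>, <message>" and the
trigger wording below are constructed; adapt them to the real log files.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed layout: "YYYY-MM-DD HH:MM:SS, A.B.C.D, free-text message"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<msg>.*)$')

# Each line whose message matches one of these counts as one strike against
# its source address (assumed wording; not the real JANOS messages).
TRIGGERS = [
    re.compile(r'login failed', re.I),                       # credential guessing
    re.compile(r'ssh .*denied|too many connections', re.I),  # SSH DoS style
    # HTTP probes for files that exist on other kinds of computers
    re.compile(r'GET \S*(?:\.\./|/etc/passwd|\.php|wp-admin|\.env)', re.I),
]

# Constructed sample log (TEST-NET addresses), not captured from a JNIOR.
SAMPLE_LOG = """\
2024-03-05 10:15:22, 203.0.113.7, login failed for user 'admin' (Telnet)
2024-03-05 10:15:24, 203.0.113.7, login failed for user 'root' (Telnet)
2024-03-05 10:15:27, 203.0.113.7, login failed for user 'jnior' (Telnet)
2024-03-05 10:16:01, 198.51.100.9, GET /wp-admin/setup-config.php
2024-03-05 10:16:02, 198.51.100.9, GET /../../etc/passwd
2024-03-05 10:20:45, 192.0.2.40, login failed for user 'jnior' (Web)
2024-03-05 10:20:58, 192.0.2.40, login succeeded for user 'jnior' (Web)
2024-03-05 11:30:00, 203.0.113.7, login failed for user 'admin' (Telnet)
"""


def parse_log(text):
    """Yield (timestamp, ip, message) for every line in the constructed layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S'), m['ip'], m['msg']


def find_candidates(text, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: total_strikes} for every address that produced at least
    `threshold` trigger hits within any `window`-long span of time."""
    hits = defaultdict(list)
    for ts, ip, msg in parse_log(text):
        if any(t.search(msg) for t in TRIGGERS):
            hits[ip].append(ts)
    candidates = {}
    for ip, times in hits.items():
        times.sort()
        # Sliding window: hits i .. i+threshold-1 all fall inside `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                candidates[ip] = len(times)
                break
    return candidates


def render_blacklist_lines(candidates, existing_text=""):
    """Emit blacklist lines: address in column 1, then a space and commentary.
    Addresses already present as the first token of a line in existing_text are
    skipped (exact-token comparison only; ranges are not expanded)."""
    present = {line.split()[0] for line in existing_text.splitlines()
               if line and line[0].isdigit()}
    lines = []
    for ip, n in sorted(candidates.items(), key=lambda kv: -kv[1]):
        if ip not in present:
            lines.append(f"{ip} # {n} trigger hits, added by log scan")
    return lines


if __name__ == "__main__":
    found = find_candidates(SAMPLE_LOG, threshold=2)
    for line in render_blacklist_lines(found, existing_text="203.0.113.7 seen before\n"):
        print(line)
```

With the default threshold of three hits in ten minutes only 203.0.113.7 qualifies; the two-request web prober 198.51.100.9 only appears when the threshold is lowered to two, and 192.0.2.40, whose single failure was followed by a successful login, never does. Because the output keeps the address in column 1 and everything after the space is commentary, the lines can be appended to the blacklist file as they are; JANOS picks up the change within seconds.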
NOTES
When Blacklisting is enabled, the DNSBL (DNS Blocklist) service is enabled
on port 53, compliant with RFC 5782. A DNSBL query for a blacklisted IP address
resolves to the address 127.0.0.2. If the query does not resolve, the IP
address is not blacklisted by the JNIOR. This service allows other systems to
ask whether an IP address is acceptable to the JNIOR.
If you are using an automated Blacklister, DNSBL may be used to check whether
valid IP addresses have been improperly blacklisted. It may also be used by
other systems as an additional input when deciding whether an IP address
should be blocked.
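The following is an added example covering the BLACKLIST FORMAT section above and the DNSBL service described in this note. It is not JANOS code. It parses the file exactly as the format section describes (address in column 1, start-end and /prefix ranges, everything else commentary), makes the per-packet blocked/allowed decision, renders ranges in the start-end form NETSTAT exports, and builds and answers RFC 5782 style query names. Three points are assumptions not stated on this page: a /prefix entry whose host bits are non-zero is masked down to its network, an entry whose end address is below its start address is ignored, and the zone name DNSBL_ZONE is a placeholder because the page does not say which name the JNIOR serves. The sample blacklist is constructed.

```python
"""Parser and matcher for the JNIOR blacklist file format, plus the RFC 5782
query-name convention used by the DNSBL service.

Added example, not JANOS code. ASSUMPTIONS (not stated on the page):
  * a /prefix entry with non-zero host bits is masked to its network;
  * an entry whose end address precedes its start address is ignored;
  * DNSBL_ZONE is a placeholder zone name.
"""
import ipaddress
import re

# An entry must start in column 1: one IPv4 address, optionally followed by
# -end or /prefix, then a space or end of line. Everything else is commentary.
ENTRY_RE = re.compile(
    r'^(?P<start>\d{1,3}(?:\.\d{1,3}){3})'
    r'(?:-(?P<end>\d{1,3}(?:\.\d{1,3}){3})|/(?P<prefix>\d{1,2}))?'
    r'(?=\s|$)')

# Constructed sample file; the indented and the malformed line are commentary.
SAMPLE_BLACKLIST = """\
# constructed example blacklist
68.21.75.25 repeated Telnet login failures
68.221.75.20-68.221.75.30
68.221.75.0/27 HTTP probing
 10.0.0.1 indented, so ignored as commentary
10.0.0.300 not a valid address, ignored
"""

DNSBL_ZONE = "bl.example"   # placeholder zone name (assumption)


def parse_entry(line):
    """Return (first, last) as integers for one blacklist line, or None when
    the line carries no valid address at column 1 and is therefore commentary."""
    m = ENTRY_RE.match(line)          # match() anchors at column 1: no leading blanks
    if not m:
        return None
    try:
        first = int(ipaddress.IPv4Address(m['start']))
        if m['end'] is not None:
            last = int(ipaddress.IPv4Address(m['end']))
        elif m['prefix'] is not None:
            # strict=False masks off host bits (assumption, see docstring)
            net = ipaddress.IPv4Network((m['start'], int(m['prefix'])), strict=False)
            first, last = int(net.network_address), int(net.broadcast_address)
        else:
            last = first
    except ValueError:                # octet > 255, prefix > 32, ...
        return None
    return (first, last) if first <= last else None


def load_blacklist(text):
    """Parse every line of the file into a list of (first, last) ranges."""
    return [r for r in map(parse_entry, text.splitlines()) if r is not None]


def is_blacklisted(ranges, ip):
    """The per-packet decision: True if ip falls inside any range."""
    n = int(ipaddress.IPv4Address(ip))
    return any(first <= n <= last for first, last in ranges)


def address_count(ranges):
    """Number of individual addresses the list covers."""
    return sum(last - first + 1 for first, last in ranges)


def export_form(first, last):
    """Render a range the way NETSTAT exports it: start-end, or one address."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return str(a) if first == last else f"{a}-{b}"


def dnsbl_name(ip, zone=DNSBL_ZONE):
    """RFC 5782 query name: the octets reversed, under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_answer(ranges, qname, zone=DNSBL_ZONE):
    """What the DNSBL service answers: '127.0.0.2' for a listed address,
    None (no resolution) for an unlisted address or a name outside the zone."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    octets = qname[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return "127.0.0.2" if is_blacklisted(ranges, ".".join(reversed(octets))) else None
    except ValueError:
        return None


if __name__ == "__main__":
    ranges = load_blacklist(SAMPLE_BLACKLIST)
    print(f"{len(ranges)} entries covering {address_count(ranges)} addresses")
    for first, last in ranges:
        print(" ", export_form(first, last))
    for ip in ("68.221.75.31", "68.221.75.32"):
        print(ip, "blocked" if is_blacklisted(ranges, ip) else "allowed",
              "->", dnsbl_name(ip), "=", dnsbl_answer(ranges, dnsbl_name(ip)))
```

Running it shows the sample file yielding three entries covering 44 addresses (1 + 11 + 32), with 68.221.75.31 blocked and 68.221.75.32 allowed, and the /27 entry re-rendered as 68.221.75.0-68.221.75.31, the form the page says NETSTAT exports. The reversed-octet name (25.75.21.68.bl.example for 68.21.75.25) is the standard DNSBL convention; what the JNIOR actually serves under port 53 should be confirmed against the device.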
SUMMARY
The JNIOR can be made largely unaffected by ongoing malicious network activity.
We have proven that it can resist all unsolicited contact, to the point that,
left alone, the JNIOR remains silent without issuing a single packet in response
to background public traffic for hours on end, all while remaining reachable by
legitimate means from anywhere on the globe.
In fact, in remaining silent for hours we uncovered an issue with Internet
Service Providers' upstream equipment in the default configuration for
residential service, which is still used to serve business customers. The
typical Digital Subscriber Line Access Multiplexer (DSLAM) is configured with a
60 minute timeout after which it assumes that the customer connection is no
longer active and ceases to route packets to our configured fixed external IP
address. To prevent this, the JNIOR re-resolves the gateway MAC address (an ARP
query) every half hour even though the address is already cached. This query is
sufficient to keep the DSLAM aware of our presence and on task.
With the procedures detailed in this section the JNIOR can be used with
confidence while directly connected to the hostile world of the Internet.
While an external IP address is seldom assigned to a device such as the JNIOR
on its own, external traffic is often allowed to reach the product through
routers, proxies and firewalls. INTEG will continue to work to secure the
JNIOR, but to achieve reliable, safe and undisturbed operation you need to do
your part as well.
[/flash/manpages/manpages.hlp:1982]