Endless password guessing

Posted on 2005.08.12 @ 22:43

Tonight my server started making the now familiar chik-chik-chik sound that signals yet another of the daily brute force password guessing attempts being logged. Given the repeating pattern of user names being guessed, they are the work of people with spare computing power and without the brains to write their own tools. The chance of success is pretty slim here; the root account can’t log in, and none of the other users exist.

I decided to install a dynamic firewalling tool anyhow to drop connections from attacking hosts. I downloaded daemonshield, a python script that monitors log files and creates iptables rules as needed. The install was simple, taking about 2 minutes from the download completing to the first rules being created to drop connections from 74.67-18-68.reverse.theplanet.com, tonight’s unwanted guest.

That should extend the log disk’s life a bit.
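As an added illustration (not daemonshield’s own code, which I have not reproduced here), this is the core of what such a log-watching tool does: parse sshd “Failed password” lines from the auth log, count attempts per source address inside a sliding time window, and emit an iptables DROP rule once a threshold is crossed. The log lines, the threshold of 5 attempts and the 60-second window are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd failure lines syslog writes; the user capture exposes the
# repeating guessed-username pattern typical of automated scanners.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log lines (documentation addresses), not a real auth.log.
SAMPLE_LOG = """\
Aug 12 22:41:01 host sshd[2001]: Failed password for root from 192.0.2.10 port 4021 ssh2
Aug 12 22:41:03 host sshd[2002]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Aug 12 22:41:05 host sshd[2003]: Failed password for invalid user test from 192.0.2.10 port 4023 ssh2
Aug 12 22:41:07 host sshd[2004]: Failed password for invalid user guest from 192.0.2.10 port 4024 ssh2
Aug 12 22:41:09 host sshd[2005]: Failed password for invalid user oracle from 192.0.2.10 port 4025 ssh2
Aug 12 22:41:11 host sshd[2006]: Failed password for root from 192.0.2.10 port 4026 ssh2
Aug 12 22:42:00 host sshd[2010]: Accepted publickey for alice from 198.51.100.7 port 5100 ssh2
Aug 12 22:43:00 host sshd[2011]: Failed password for alice from 198.51.100.7 port 5101 ssh2
Aug 12 22:43:30 host sshd[2012]: Failed password for alice from 198.51.100.7 port 5102 ssh2
"""

def parse_failures(lines, year=2005):
    """Yield (timestamp, source ip, username) for each failed login line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def find_attackers(lines, threshold=5, window_s=60):
    """Return {ip: [usernames tried]} for sources exceeding threshold
    failures within any window_s-second window."""
    recent = defaultdict(deque)  # per-ip sliding window of (ts, user)
    flagged = {}
    for ts, ip, user in parse_failures(lines):
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = [u for _, u in q]
    return flagged

def iptables_rules(flagged, chain="INPUT"):
    """Render one DROP rule per flagged source, as a tool like this would."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 22 -j DROP" for ip in flagged]
```

Two mistyped passwords from a real user stay well under the threshold, while the scanner cycling through root, admin, test, guest and oracle is blocked on its fifth attempt.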

Updated WRT54G firmware

Posted on 2004.09.13 @ 01:31

I updated the firmware on the WRT54G router today to the latest release of Sveasoft’s code. Dyndns updates are working again, after being broken in Alchemy 5.2.

I modified the firewall to block the XBox’s access to XBox Live (ports 88 and 3074), since I don’t want my son connecting to it by accident. I had blocked all access to the Internet from the XBox, but that also broke the weather lookup in XBMC, which is becoming handy as we move into fall.

Part of the process for filtering XBox Live involved defining new services through the web interface. I kept getting errors on the page when I tried to apply the updates. After a fair amount of searching, mainly because I didn’t make a good choice of keywords, I found the problem is a bug, or limitation, of IE. Apparently it can’t handle Java variables of 2.3K in size very well. Repeating the process in Firefox worked perfectly.

Reverse firewalls?

Posted on 2004.07.21 @ 10:19

In a recent article, Phillip Hallam-Baker, Principal Scientist at Verisign, suggests reverse firewalls ought to be built into cable modems and home-use WAPs. The idea is to filter outbound traffic before it leaves the source instead of letting it travel to its destination before being filtered.

Perhaps filtering might better be done at the ISP first, since it’s probably more cost effective to implement and manage a solution there than it is to replace cable modems. Vendors of small DSL/Cable routers should ship outbound filtering as a default. The current norm is minimal filtering and security on by default, to keep installation simple for users.

The idea works; many companies already employ this type of filtering on their corporate LANs (we only allow SMTP connections from the mail servers).

No more NetGear products

Posted on 2004.06.08 @ 10:10

NetGear got itself into a bit of hot water recently when it was discovered that a backdoor admin account was in the firmware of the WG602 access point.

Any user logging in with the username “super” and the password “5777364” is in complete control of the device.

In response, NetGear released a firmware update to fix the “illegal user access the WEB configuration utility.” But they didn’t fix the problem, and today there’s a message on BugTraq stating:

I can confirm that this vulnerability still exists in the latest firmware upgrade (1.7.14) for the WG602. They’ve simply gone and changed the username to superman and password to 21241036.

I actually don’t own any NetGear products myself, but do have a couple of small switches at the office for use on the test bench. I won’t be buying any of their products either. To be fair, this apparently was installed by their OEM, but the fix issued in response to the initial finding is a completely unacceptable answer to the problem.

This work is licensed under a Creative Commons License.