Category Archives: Daemons

NTP Spoof Attacks

Apparently 2 out of 3 of our GPS clocks were being used in a spoof/DDOS attack.

The basic premise is that time requests are sent to the service with a spoofed IP for the response. Add in 100/1000/10000 clocks send results to a server/service that did not request them results in a denial of service attack.

Both clocks have been removed from the pool, scheduled for February 6th. Hickory.kulish.com has port 123 UDP closed at this time. The maintainer of Dickory.kulish.com has been notified.

Email Server Attack

Type: Brute Force
Protocol: POP3
OS: Linux 3.6.11+ armv6l
Platform: Pi Rev. B
Memory: 512M
Daemon: Dovecot 2.1.7-7
Backend Daemon: MySQL 5.5
Backend OS: Linux 2.6.32-5-amd64
Backend Platform: Generic AMD A4-3400 APU Dual Core
Backend Memory: 3.5G
Total Attempts: 13356
Avg. Attempt/s: 2.71

Postmortem:
67.136.48.186 was *unable* to successfully authenticate to any valid user.
Attack was mitigated at the firewall (DROP).
abuse@integratelecom.com was contacted about this event.

Pi GPPS Clocks

Use Chris’ PPS kernel (until I have time or am compelled to compile my own).

Compile ntp 4.2.6p5 as follows (from aquarat):
But first: apt-get install libcap-dev

./configure --enable-ATOM --enable-NMEA --enable-linuxcaps; make; make install

Disable TTY on /dev/AMA0 in /boot/cmdline.txt
dwc_otg.lpm_enable=0 console=tty1 root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline rootwait

Set baud rate in /boot/config.txt
init_uart_baud=9600

and
Disable GPU sdram pause
# Disable GPU sdram mem pause
disable_pvt=1

Comment out getty in /etc/inittab:

#Spawn a getty on Raspberry Pi serial line
#T0:23:respawn:/sbin/getty -L ttyAMA0 115200 vt100

Add pps-gpio to /etc/modules

Useless SNMPD Logging Debian

I found a blurb about ridding my logs of those useless “Connection from UDP” messages in my log files.
Why this isn’t the default I can only imagine (some will claim security I’m sure).

http://raetsel.wordpress.com/2008/02/15/snmpd-filling-up-varlogmessages/

Here’s what I got out of it. That the below settings, added to /etc/default/snmpd will get rid of the useless messages but still log error messages.

SNMPDOPTS='-LS 0-4 d -Lf /dev/null -p /var/run/snmpd.pid'

I restarted snmpd and it seems to function as expected.