I recently started using a TP-Link C7 router to host a guest network at my house. I typically avoid consumer/prosumer gear for my network, sticking to either whitebox (homemade) or older enterprise gear. Alas, the price was right ($0). Every time I do encounter one of these devices I always manage to find something fun and interesting to poke…

Bad SSH server

The first red flag was the sshd server running on this router.
About two weeks ago, I upgraded my single node ElasticSearch cluster from 6.8.6 to the latest 7.9 version. Last night, all hell broke loose… The upgrade itself wasn’t perfect. There were some issues with my setup that the helpful “Upgrade Assistant” didn’t pick up before I had already committed. I was missing a few formerly optional parameters in my elasticsearch.yml config file, there were some odd field mappings that weren’t supported any more, and some date format issues with my grok scripts.
Starting a little less than two weeks ago, my IDS sensors have been detecting the spread of a new botnet. Unlike previous Mirai botnets, this one appears to specifically target the GNU/Linux firewall distribution “ZeroShell”. While it’s not especially dangerous as far as botnets are concerned, it does appear to be rather vigorous when it sends probes. However, we got lucky this time. Just as quickly as it appeared, the C&C server went offline, stopping the spread of this worm dead in its tracks.
In my endless quest to essentially create a Cisco Firepower firewall for poor people, I found a bit of a gap in the open source security ecosystem. While we have great tools for detecting malicious network traffic patterns, we don’t have easy ways of detecting malicious files in transit. So, a bit of fiddling around later, and I have a fairly basic system for integrating Suricata’s ‘filestore’ functionality with ClamAV’s real time scanning, thereby producing a log containing the source and destination addresses of any malicious files detected.
The idea of this setup is to protect the Small Systems as well as we protect the Big Systems. This solution uses a proven stack to protect webservers from modern threats. Using OSSEC, Suricata, and the built-in firewall capabilities of a modern Linux system, it is possible to build a low-maintenance and stable threat protection platform with relatively low performance impact. It’s been specifically designed to be simple. The idea is that it will keep you on a ‘need to know’ basis and otherwise stay quiet and do its job.