
GoFlex Home iptables firewall security

For remote access you have to open up ports to the GoFlex Home, but that attracts brute force attacks; check your router logs and you will see all the attempts. A good router can reject requests unless they come from a whitelisted IP address, but with Netgear routers it is all or nothing, so what can you do to beat the hackers?


HTTP and FTP make things easy for hackers, so if you want to use those protocols for remote access then firewall rules are a good idea.
In addition to brute force attacks, vulnerabilities have been discovered in the hipserv API which could allow unauthenticated remote command execution. A post titled "we are getting hacked" on the Netgear Community forum suggests the vulnerabilities are being exploited. The Netgear Stora is virtually the same device as the Seagate GoFlex Home, and maybe these recently uncovered vulnerabilities are why Seagate switched off remote access.

If you travel a lot, use free wifi all over town to access your GoFlex Home, or share it with a whole bunch of people, then this tip probably isn't going to be much use to you, but if you only need access from a small number of ISPs then it might be worthwhile.

Like any Linux system, the GoFlex Home has its own firewall (iptables). The /etc/init.d/iptables script sets up the firewall rules on boot or when started manually. It is a great script with lots of features that can be switched on by setting parameters in separate config files, but by default it is also all or nothing for external requests: it either accepts every request to a port or blocks every request, so we need to tweak it just a little.


First we need to block all external requests. This is easy: just add the following lines to /etc/iptables/config


vi /etc/iptables/config

i to enter insert mode and add the following text.

BLOCK_FTP_EXT=yes
BLOCK_FTP_INT=no
BLOCK_ICMP_ECHO_EXT=yes
BLOCK_HTTP_EXT=yes
BLOCK_HTTPS_EXT=yes
BLOCK_SSH_EXT=yes

Esc ZZ to save and exit vi editor
You can try connecting from the internet to confirm that the firewall is blocking requests.
Note that except for the FTP lines, the script only checks that the value is not empty, so BLOCK_SSH_EXT=no or BLOCK_SSH_EXT=123 blocks SSH just like BLOCK_SSH_EXT=yes. To leave a port open, leave its line out of the file (or set it to nothing).

Next we need to tweak the /etc/init.d/iptables script to look for a whitelist of accepted IPs. 

vi /etc/init.d/iptables

i to enter insert mode and move down to just before the lines

# Make sure remote IDENT requests are rejected, so that they get
# on with whatever is happening

and insert the text

# Append the whitelisted IP addresses from /etc/iptables/wan-whitelist,
# one address or CIDR range per line, as ACCEPT rules on the INPUT chain
if [ -f /etc/iptables/wan-whitelist ]; then
    for ip in `cat /etc/iptables/wan-whitelist` ; do
        iptables -A INPUT -s $ip -j ACCEPT
    done || die
fi

ESC ZZ to save and exit.


Run /etc/init.d/iptables restart to flush and recreate the firewall rules, and check that the script runs without errors.

At this point access from outside your LAN is still blocked because we haven't created a whitelist.

vi /etc/iptables/wan-whitelist


i for insert mode and enter the IP addresses you want to allow, one per line, together with the prefix length in CIDR notation (address/prefix length, for example 222.186.0.0/16). Keep the file to bare entries: the loop you added passes every word in the file to iptables as an address, so a comment or any extra text would be handed to iptables and rejected.


The prefix length matters because if you connect from your mobile phone, the actual IP address allocated to your device by the mobile network will probably change from one day to the next, but it will usually still be in the same subnet.

So say, just for example, that your mobile ISP is ChinaNet Jiangsu Province Network. Today your IP address could be 222.186.129.44 and tomorrow it might be 222.191.132.179, but the first part is unlikely to change, or will stay within a small number of IP ranges.


In your whitelist enter 222.186.0.0/16 to accept all addresses starting with 222.186 (222.186.0.0 to 222.186.255.255).
To accept all IP addresses starting with 222. enter 222.0.0.0/8 (222.0.0.0 to 222.255.255.255).
To accept all IP addresses from 222.184.0.0 to 222.191.255.255 enter 222.184.0.0/13 (the /13 fixes the first five bits of the second octet, so 184 to 191 are all matched).
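The whitelist entries above and the loop added to /etc/init.d/iptables are easy to get subtly wrong, so here is an added example (my own code, not from the original post or from the GoFlex Home script) that runs on any machine with a POSIX shell: it parses a constructed sample whitelist, works out the range each CIDR entry covers, prints the iptables rule the init script loop would add for it, and tells you whether a given remote address would be accepted. Function names, the sample file and its addresses are assumptions for illustration; it does not touch iptables itself.

```shell
#!/bin/sh
# Added example, not code from the original post or the GoFlex Home iptables
# script: dry-run checks for the wan-whitelist format above. It validates each
# entry, shows the range it covers, prints the rule the init script loop would
# add, and tests whether a remote address would get in. Function names and the
# sample whitelist are my own; the sample ranges are constructed.
set -f   # no globbing: whitelist lines are word-split with "set --" below

# Dotted quad -> 32-bit integer, shell arithmetic only.
ip4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Set ip and plen from a.b.c.d or a.b.c.d/n (a bare address is a /32).
split_cidr() {
    case $1 in */*) ip=${1%/*}; plen=${1#*/} ;; *) ip=$1; plen=32 ;; esac
}

# 0 if $1 is a well-formed entry. Leading zeros are refused: the shell reads 010 as octal.
is_valid_cidr() {
    split_cidr "$1"
    case $plen in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Range covered by a well-formed entry, e.g. "222.184.0.0 222.191.255.255".
cidr_range() {
    split_cidr "$1"
    net=$(ip4_to_int "$ip")
    mask=0
    [ "$plen" -eq 0 ] || mask=$(( (4294967295 << (32 - $plen)) & 4294967295 ))
    first=$(( $net & $mask ))
    echo "$(int_to_ip4 "$first") $(int_to_ip4 "$(( $first | (4294967295 & ~$mask) ))")"
}

# 0 if well-formed address $1 lies inside entry $2.
cidr_contains() {
    set -- "$(ip4_to_int "$1")" $(cidr_range "$2")
    [ "$1" -ge "$(ip4_to_int "$2")" ] && [ "$1" -le "$(ip4_to_int "$3")" ]
}

# Print the entry on one whitelist line; nothing for blank or comment lines.
# Malformed lines, and lines with extra words (which the unmodified init script
# loop would hand to iptables one by one), go to stderr and return 1.
whitelist_entry() {
    line=${1%%#*}
    set -- $line
    [ $# -gt 0 ] || return 1
    if [ $# -eq 1 ] && is_valid_cidr "$1"; then echo "$1"; return 0; fi
    echo "rejected whitelist line: $line" >&2
    return 1
}

# Emit the rule the init script loop would add for each good entry in file $1.
whitelist_rules() {
    while IFS= read -r raw || [ -n "$raw" ]; do
        entry=$(whitelist_entry "$raw") || continue
        echo "iptables -A INPUT -s $entry -j ACCEPT   # covers $(cidr_range "$entry")"
    done < "$1"
}

# Would well-formed remote address $2 be accepted by whitelist file $1?
# Prints the match and returns 0; otherwise the script's DROP rule applies.
whitelist_allows() {
    while IFS= read -r raw || [ -n "$raw" ]; do
        entry=$(whitelist_entry "$raw" 2>/dev/null) || continue
        if cidr_contains "$2" "$entry"; then echo "$2 matches $entry"; return 0; fi
    done < "$1"
    echo "$2 matches no entry, so it would be dropped"
    return 1
}

# Constructed sample whitelist. Comments are tolerated by this checker, but the
# real /etc/iptables/wan-whitelist should hold bare entries only.
WHITELIST=$(mktemp)
cat > "$WHITELIST" <<'EOF'
203.0.113.7            # home broadband, a single address
222.184.0.0/13         # mobile ISP, the whole /13 discussed above
198.51.100.0/33        # prefix too long: rejected
192.0.2.0/24 extra     # extra word: rejected
EOF

whitelist_rules "$WHITELIST"
whitelist_allows "$WHITELIST" 222.186.129.44
whitelist_allows "$WHITELIST" 222.192.0.1 || true
```

Point whitelist_allows at a copy of your real wan-whitelist with the address from your router log before you restart iptables and you know in advance whether you are about to lock yourself out. A comment or stray word in the real file is reported as rejected here, which is what iptables would do with it when the init script loop hands it over.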

If your ISP actually is ChinaNet Jiangsu Province Network then the bad news is that a lot of hackers also use that ISP so it will be tricky to block them while still giving yourself remote access, so make sure you have good passwords.


Here's a link to a handy calculator someone has made available on the web.
http://jodies.de/ipcalc?host=222.184.0.0&mask1=13&mask2=

The easiest way to find the subnet you need to whitelist is to connect remotely while you have access to your router log, see the IP address that shows up, then decide how far back in the subnet you want to allow. The smaller the number after the slash, the larger the range of IP addresses allowed; too high a number means you risk locking yourself out when your remote IP address changes, while too low a number lets in a lot of other people's networks as well.

Add all the IP address subnets you want to allow, one per line.
When you are done, Esc ZZ to save and exit, then test it out by restarting the iptables script

/etc/init.d/iptables restart


/sbin/iptables -v -n -L will list all the firewall rules (the -n stops iptables doing a reverse DNS lookup on every address, which is slow) and you should see the whitelisted IP subnets you entered as ACCEPT rules in the INPUT chain.

Now you should be able to connect remotely while anyone outside the whitelisted IP subnets will be blocked. 
If you go to a port scanning website like Shields Up it will report your ports as closed (or, since the script drops the packets rather than rejecting them, most likely as stealth), but you can still connect remotely from the whitelisted IPs.

/sbin/iptables -v -L will also show you how many packets the DROP rule has discarded, which is all the failed hacking attempts; the first two columns are the packet and byte counters:
    4009  491K DROP       all  --  any    any     anywhere             anywhere