Can IPFire firewall rules help? IPS?

https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits

This above is way over my head!
:exploding_head:
Is there something on IPFire that can be enabled to help prevent it?

Like many others I have lots of IoT devices!

Hi Jon,

The problem here is most of the devices that would be exploited by this security issue will be in front of your firewall and not behind it, i.e. DSL routers, fibre boxes, etc. The main key here is to keep your devices' firmware updated. Check those DSL boxes. Do they need an update? You would be amazed at how many people throw a device online and forget about it. That device routes all traffic and can be used to intercept traffic. A man-in-the-middle attack, as it were.

BR
Joe.

I have a “cable modem” which is device between the Cable Company’s RG-59 coax and a single ethernet port. (“cable modem” is a very inaccurate description of the box). Anyway it is run by DOCSIS 3.x and is NOT upgradable by the user. Only by the cable TV company. Ugh!

So I was hoping to find something IPFire-ish to assist!

Hi Jon,

I had a DOCSIS 3 modem with Virgin which used DOCSIS 3.0 and I put it into modem mode and bridged the device to my IPFire.
It sort of worked, but every now and then it would not connect and I would need to reset the router and connect a Windows laptop to set the DHCP for some reason. I reckon it was an issue with their DHCP server.
That limited the function of the unit. Still not perfect though.

BR
Joe.

Hello Jon,

First, my apologies for this tardy reply. I thought I had replied earlier, but I now realised I did not. :expressionless:

According to the article, …

  • the malware in question uses port 19412 for C&C communication. While this is certainly not a fail-safe criterion, it might be wise to block any outgoing traffic to this port (and check the logs for devices trying to establish such connections).
  • there are already IPS signatures available (see “detection methods”). I took a look at those beginning with ET EXPLOIT, and all of them are available in the Emerging Threats community ruleset, enabled by default.
    So, all you need to do is to activate the IPS and the emerging-exploit.rules category.

In general, restricting network access to the bare minimum should help as well - provided the affected devices are located behind IPFire, not in front of it. Let’s hope the CPE/DOCSIS vendors and ISPs do their job properly. (fingers crossed) :slight_smile:

Thanks, and best regards,
Peter Müller

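As an added example (not from this thread and not IPFire's own code), a small Python script that does the log check Peter suggests: it picks out outbound TCP connection attempts to port 19412 from netfilter-style firewall log lines and counts them per internal source. The log lines, prefixes, interface names and addresses are constructed assumptions, not real IPFire output.

```python
"""Find outbound connection attempts to the C&C port named in the article
in netfilter-style firewall log lines and summarise them per source host."""
import re
from collections import Counter

# Port the linked AT&T Alien Labs article reports for C&C communication.
CNC_PORT = 19412

# Constructed sample lines in the KEY=VALUE style of Linux netfilter LOG
# output. Prefixes, interface names and addresses are assumptions only.
SAMPLE_LOG = """\
Nov 14 10:01:02 fw kernel: DROP_OUTPUT IN=green0 OUT=red0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=19412 SYN
Nov 14 10:01:05 fw kernel: DROP_OUTPUT IN=green0 OUT=red0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=19412 SYN
Nov 14 10:02:11 fw kernel: DROP_OUTPUT IN=green0 OUT=red0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=UDP SPT=40000 DPT=19412
Nov 14 10:03:30 fw kernel: DROP_OUTPUT IN=green0 OUT=red0 SRC=192.168.1.55 DST=198.51.100.9 PROTO=TCP SPT=44444 DPT=443 SYN
Nov 14 10:04:00 fw kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=19412 DPT=22 SYN
"""

# Matches KEY=VALUE tokens; a bare flag such as SYN has no '=' and is skipped.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def is_cnc_attempt(fields, port=CNC_PORT):
    """True for an outbound (OUT interface set) TCP packet to the C&C port.
    Inbound packets with SPT=19412 are ignored: only outgoing traffic to the
    port is the indicator described in the thread."""
    return (fields.get("PROTO") == "TCP"
            and fields.get("DPT") == str(port)
            and fields.get("OUT", "") != "")


def suspicious_sources(log_text, port=CNC_PORT):
    """Count outbound C&C-port attempts per internal source address."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if is_cnc_attempt(fields, port):
            hits[fields["SRC"]] += 1
    return hits


if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE_LOG).most_common():
        print(f"{src}: {n} attempt(s) to TCP/{CNC_PORT}")
```

Any host that shows up here is a candidate for a firmware check, as Joe recommends above.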