• I hope you have disabled ALG in your router

    From Bit Twister@2:250/1 to All on Tue Nov 3 12:54:15 2020
    I hope you have disabled ALG in your router

    We did NAT see that coming: How malicious JavaScript can open holes in your firewall for miscreants to slip through https://www.theregister.com/2020/11/02/application_level_gateway_flaw/

    --- MBSE BBS v1.0.7.17 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From David W. Hodgins@2:250/1 to All on Tue Nov 3 17:25:47 2020
    On Tue, 03 Nov 2020 07:54:15 -0500, Bit Twister <BitTwister@mouse-potato.com> wrote:

    > I hope you have disabled ALG in your router

    Care to give an example of how to do so? It isn't some protocol or port to block.

    > We did NAT see that coming: How malicious JavaScript can open holes in your
    > firewall for miscreants to slip through
    > https://www.theregister.com/2020/11/02/application_level_gateway_flaw/

    From what I'm reading at https://github.com/samyk/slipstream, the ALG is the part
    of Network Address Translation that allows multiple computers within the LAN to
    access the same external IP address and port.

    The hack is just another method of hacking routers, so the same advice applies.

    In the router - Turn off UPnP. Change its password so it isn't the default. Change
    the local address of the router, so that if the router does get hacked and reset to
    its defaults, it stops working until you figure out what happened and fix it.

    In all computers connected to the router - Use a firewall on every computer. Do not
    rely on the firewall features in the router to protect your systems. With Mageia,
    it defaults to using shorewall. Do not set it to allow all traffic from anywhere.

    I don't use any internet of things devices, so can't give any advice on those.

    This is not as bad as the soap attacks on upnp or a reason to panic. As usual the
    press is clearly looking to grab as much attention as possible.

    Regards, Dave Hodgins

    --
    Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
    email replies.

    --- MBSE BBS v1.0.7.17 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Tue Nov 3 17:39:36 2020
    On 2020-11-03, Bit Twister <BitTwister@mouse-potato.com> wrote:
    > I hope you have disabled ALG in your router

    > We did NAT see that coming: How malicious JavaScript can open holes in your
    > firewall for miscreants to slip through
    > https://www.theregister.com/2020/11/02/application_level_gateway_flaw/

    What are the consequences if one does disable? My system has four ALG
    configurations: PPTP, IPSec (VPN), RTSP, SIP. Do all four need to be
    terminated?

    --- MBSE BBS v1.0.7.17 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Tue Nov 3 18:47:30 2020
    On 2020-11-03, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
    > On Tue, 03 Nov 2020 07:54:15 -0500, Bit Twister
    > <BitTwister@mouse-potato.com> wrote:
    >
    >> I hope you have disabled ALG in your router
    >
    > Care to give an example of how to do so? It isn't some protocol or port to
    > block.

    On my router, a DLink router, on the Firewall page there is a tiny note
    on the bottom right which says Advanced Options. This turns out to be
    entirely ALG-- it gives an option to disable 4 different ALG options.
    I do not know what they mean exactly and asked in another message.


    >> We did NAT see that coming: How malicious JavaScript can open holes in your
    >> firewall for miscreants to slip through
    >> https://www.theregister.com/2020/11/02/application_level_gateway_flaw/
    >
    > From what I'm reading at https://github.com/samyk/slipstream, the ALG is
    > the part of Network Address Translation that allows multiple computers
    > within the LAN to access the same external IP address and port.
    >
    > The hack is just another method of hacking routers, so the same advice
    > applies.
    >
    > In the router - Turn off UPnP. Change its password so it isn't the default.
    > Change the local address of the router, so that if the router does get
    > hacked and reset to its defaults, it stops working until you figure out
    > what happened and fix it.
    >
    > In all computers connected to the router - Use a firewall on every computer.
    > Do not rely on the firewall features in the router to protect your systems.
    > With Mageia, it defaults to using shorewall. Do not set it to allow all
    > traffic from anywhere.
    >
    > I don't use any internet of things devices, so can't give any advice on
    > those.
    >
    > This is not as bad as the soap attacks on upnp or a reason to panic. As
    > usual the press is clearly looking to grab as much attention as possible.
    >
    > Regards, Dave Hodgins


    --- MBSE BBS v1.0.7.17 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Bit Twister@2:250/1 to All on Tue Nov 3 19:10:20 2020
    On Tue, 03 Nov 2020 12:25:47 -0500, David W. Hodgins wrote:
    > On Tue, 03 Nov 2020 07:54:15 -0500, Bit Twister
    > <BitTwister@mouse-potato.com> wrote:
    >
    >> I hope you have disabled ALG in your router
    >
    > Care to give an example of how to do so? It isn't some protocol or port to
    > block.

    Going to depend on your router. :)

    Looking at my notes, I have


    UPnP Disabled
    ALG Passthrough Disabled



    >> We did NAT see that coming: How malicious JavaScript can open holes in your
    >> firewall for miscreants to slip through
    >> https://www.theregister.com/2020/11/02/application_level_gateway_flaw/
    >
    > From what I'm reading at https://github.com/samyk/slipstream, the ALG is
    > the part of Network Address Translation that allows multiple computers
    > within the LAN to access the same external IP address and port.
    >
    > The hack is just another method of hacking routers, so the same advice
    > applies.
    >
    > In the router - Turn off UPnP. Change its password so it isn't the default.
    > Change the local address of the router, so that if the router does get
    > hacked and reset to its defaults, it stops working until you figure out
    > what happened and fix it.

    That is not a bad idea. I have an hourly cron job to warn me if I cannot ping yahoo.com.
    I have found it handy to have a script to ping each connection point in my setup
    to identify the failure point.


    > In all computers connected to the router - Use a firewall on every computer.
    > Do not rely on the firewall features in the router to protect your systems.
    > With Mageia, it defaults to using shorewall. Do not set it to allow all
    > traffic from anywhere.
    >
    > I don't use any internet of things devices, so can't give any advice on
    > those.

    Treat them just like another computer. Turn off everything not required for operation. Block inbound access from the device.
    I have one bricked webcam, and three cracked webcams.

    I have an hourly cron job to warn about any shorewall drops.
    Once a day or so, I see full port scans from the wireless webcam.

    > This is not as bad as the soap attacks on upnp or a reason to panic. As
    > usual the press is clearly looking to grab as much attention as possible.

    The fact that they thought it merited press space is good enough for me.

    I ignored a security update notice for a week and wound up with a
    $80 bricked Cisco VOIP phone.


    --- MBSE BBS v1.0.7.17 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
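    Bit Twister's two hourly cron jobs above (a ping chain to find the failing hop, and a warning on shorewall drops such as the webcam's port sweeps), written up as an added Python example; this is not the poster's own script. The hop list, the host names and the log lines are constructed samples, and the log prefix is assumed to be Shorewall's default "Shorewall:chain:disposition:" form in front of the kernel's netfilter KEY=VALUE fields.

```python
"""Hourly watchdog modelled on the two cron jobs described in the post:
(1) probe each connection point in order and report the first hop that does
not answer, and (2) summarise Shorewall DROP log lines per source, flagging
any source that swept many distinct destination ports (the behaviour the
poster sees from a wireless webcam).  Added example, not the poster's own
script; the hop list and log lines below are constructed samples."""
import re
import subprocess
from collections import defaultdict

# Hypothetical chain of connection points, nearest first (constructed).
CONNECTION_POINTS = [
    ("lan-switch", "192.168.1.2"),
    ("router", "192.168.1.1"),
    ("isp-gateway", "198.51.100.1"),   # TEST-NET-2 documentation address
    ("internet", "yahoo.com"),
]


def ping_probe(host, timeout_s=2):
    """One ICMP echo; True when answered. Uses Linux iputils flags (-c, -W)."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    return result.returncode == 0


def first_failure(points, probe=ping_probe):
    """Probe hops in order; return the (name, host) of the first that fails,
    or None if all answer.  Stop at the first failure: everything beyond an
    unreachable hop is unreachable too, so that hop is the place to look."""
    for name, host in points:
        if not probe(host):
            return (name, host)
    return None


# Assumed Shorewall default LOG prefix "Shorewall:<chain>:<disposition>:",
# followed by the kernel's netfilter KEY=VALUE fields (SRC=, DST=, PROTO=, DPT=).
_SHOREWALL_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):.*?"
    r"\bSRC=(?P<src>\S+).*?\bDST=(?P<dst>\S+).*?"
    r"\bPROTO=(?P<proto>\S+)(?:.*?\bDPT=(?P<dpt>\d+))?")


def parse_shorewall(line):
    """Return a dict of the interesting fields, or None for non-Shorewall lines."""
    m = _SHOREWALL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None  # ICMP has no port
    return rec


def summarise_drops(lines, scan_threshold=20):
    """Group DROP/REJECT entries by source.  Returns
    {src: {"count": hits, "ports": {distinct DPTs}, "scan": bool}}, with
    "scan" True once a source has touched scan_threshold distinct ports."""
    per_src = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in lines:
        rec = parse_shorewall(line)
        if rec is None or rec["disp"] not in ("DROP", "REJECT"):
            continue
        entry = per_src[rec["src"]]
        entry["count"] += 1
        if rec["dpt"] is not None:
            entry["ports"].add(rec["dpt"])
    for entry in per_src.values():
        entry["scan"] = len(entry["ports"]) >= scan_threshold
    return dict(per_src)


def scanning_sources(lines, scan_threshold=20):
    """Sorted list of sources whose drops look like a port sweep."""
    summary = summarise_drops(lines, scan_threshold)
    return sorted(src for src, e in summary.items() if e["scan"])


# Constructed sample log: a webcam at 192.168.1.50 sweeping TCP ports 1-25 of
# this host, one UDP/SIP probe and one ICMP echo from outside, an ACCEPT line
# and an unrelated kernel line.  Field layout follows the netfilter LOG target.
_PREFIX = "Nov  3 12:00:{:02d} host kernel: Shorewall:net2fw:{}:IN=eth0 OUT= "
SAMPLE_LOG = [
    _PREFIX.format(i, "DROP") + f"SRC=192.168.1.50 DST=192.168.1.10 LEN=44 "
    f"TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT={port} WINDOW=1024 RES=0x00 SYN URGP=0"
    for i, port in enumerate(range(1, 26))
] + [
    _PREFIX.format(30, "DROP") + "SRC=203.0.113.9 DST=192.168.1.10 LEN=60 "
    "TTL=52 ID=1 PROTO=UDP SPT=5060 DPT=5060 LEN=40",
    _PREFIX.format(31, "DROP") + "SRC=203.0.113.9 DST=192.168.1.10 LEN=84 "
    "TTL=52 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1",
    _PREFIX.format(32, "ACCEPT") + "SRC=192.168.1.1 DST=192.168.1.10 LEN=52 "
    "TTL=64 ID=3 DF PROTO=TCP SPT=443 DPT=51000 WINDOW=500 RES=0x00 ACK URGP=0",
    "Nov  3 12:00:33 host kernel: eth0: link is up",
]

if __name__ == "__main__":
    for src, entry in sorted(summarise_drops(SAMPLE_LOG).items()):
        flag = "PORT SWEEP" if entry["scan"] else ""
        print(f"{src:16} drops={entry['count']:3} ports={len(entry['ports']):3} {flag}")
    # The probe chain needs a live network; enable it on a real box:
    # print("first failure:", first_failure(CONNECTION_POINTS))
```

    Run from cron with the real log file piped in (for example `journalctl -k` output or /var/log/messages) and mail the output when scanning_sources() is non-empty; the threshold of 20 distinct ports is a starting point, since a device that probes a handful of service ports is normal, while one that walks the whole port range is what the poster is describing.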
  • From David W. Hodgins@2:250/1 to All on Tue Nov 3 18:20:47 2020
    On Tue, 03 Nov 2020 12:39:36 -0500, William Unruh <unruh@invalid.ca> wrote:
    > What are the consequences if one does disable? My system has four ALG
    > configurations: PPTP, IPSec (VPN), RTSP, SIP. Do all four need to be
    > terminated?

    See the appropriate wiki articles:
    https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol
    https://en.wikipedia.org/wiki/IPsec
    https://en.wikipedia.org/wiki/Real_Time_Streaming_Protocol
    https://en.wikipedia.org/wiki/Session_Initiation_Protocol

    If you're not using the applications described, disable them. If you later
    find that you do need one of them, re-enable that one.

    Regards, Dave Hodgins

    --
    Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
    email replies.

    --- MBSE BBS v1.0.7.17 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Bit Twister@2:250/1 to All on Tue Nov 3 19:42:57 2020
    On Tue, 3 Nov 2020 17:39:36 -0000 (UTC), William Unruh wrote:
    > On 2020-11-03, Bit Twister <BitTwister@mouse-potato.com> wrote:
    >> I hope you have disabled ALG in your router
    >>
    >> We did NAT see that coming: How malicious JavaScript can open holes in your
    >> firewall for miscreants to slip through
    >> https://www.theregister.com/2020/11/02/application_level_gateway_flaw/
    >
    > What are the consequences if one does disable?

    Depends if you have to have it or not.

    > My system has four ALG
    > configurations: PPTP, IPSec (VPN), RTSP, SIP. Do all four need to be
    > terminated?

    That is your decision. You are responsible for any damages from your device(s)/system(s).

    Personally, I have no desire for people, in black glasses and black
    jackets with big 3 letters on them, showing up at my house hauling
    me and my hardware off to who knows where.

    I can only guess I would not be getting the hardware back anytime soon.



    --- MBSE BBS v1.0.7.17 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From faeychild@2:250/1 to All on Tue Nov 3 21:07:12 2020
    On 3/11/20 11:54 pm, Bit Twister wrote:
    > I hope you have disabled ALG in your router
    >
    > We did NAT see that coming: How malicious JavaScript can open holes in your
    > firewall for miscreants to slip through
    > https://www.theregister.com/2020/11/02/application_level_gateway_flaw/



    My router has two entries for ALG:

    one for SIP -- disabled
    one for H.323 -- enabled.

    H.323 is for packet-based multimedia.

    SIP (Session Initiation Protocol), a protocol designed for the setup, management, and termination of a media session.

    They could both be disabled. I don't run a webcam or Zoom/Skype.



    --
    faeychild
    Running plasmashell 5.15.4 on 5.7.19-desktop-3.mga7 kernel.
    Mageia release 7 (Official) for x86_64 installed via Mageia-7-x86_64-DVD.iso


    --- MBSE BBS v1.0.7.17 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Wed Nov 4 00:42:28 2020
    On 2020-11-03, Bit Twister <BitTwister@mouse-potato.com> wrote:
    > On Tue, 3 Nov 2020 17:39:36 -0000 (UTC), William Unruh wrote:
    >> On 2020-11-03, Bit Twister <BitTwister@mouse-potato.com> wrote:
    >>> I hope you have disabled ALG in your router
    >>>
    >>> We did NAT see that coming: How malicious JavaScript can open holes in your
    >>> firewall for miscreants to slip through
    >>> https://www.theregister.com/2020/11/02/application_level_gateway_flaw/
    >>
    >> What are the consequences if one does disable?
    >
    > Depends if you have to have it or not.
    >
    >> My system has four ALG
    >> configurations: PPTP, IPSec (VPN), RTSP, SIP. Do all four need to be
    >> terminated?
    >
    > That is your decision. You are responsible for any damages from your
    > device(s)/system(s).

    I am asking a technical question: Does leaving some of them running also
    run the risk of my router opening a hole to my machines? If not, which
    are the crucial ones? The web page talks about SIP. Do the others
    present equal problems?

    > Personally, I have no desire for people, in black glasses and black
    > jackets with big 3 letters on them, showing up at my house hauling
    > me and my hardware off to who knows where.

    So shut down your computers and make a bonfire in the back yard to get
    rid of them. Running computers is always a tradeoff. I was asking for
    guidance as to this tradeoff regarding the various types of ALG that my
    router allows. "I don't know" is an acceptable response. The one you
    gave is not.


    > I can only guess I would not be getting the hardware back anytime soon.



    --- MBSE BBS v1.0.7.17 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Wed Nov 4 00:45:31 2020
    On 2020-11-03, faeychild <faeychild@nomail.afraid.org> wrote:
    > On 3/11/20 11:54 pm, Bit Twister wrote:
    >> I hope you have disabled ALG in your router
    >>
    >> We did NAT see that coming: How malicious JavaScript can open holes in your
    >> firewall for miscreants to slip through
    >> https://www.theregister.com/2020/11/02/application_level_gateway_flaw/
    >
    > My router has two entries for ALG:
    >
    > one for SIP -- disabled
    > one for H.323 -- enabled.
    >
    > H.323 is for packet-based multimedia.
    >
    > SIP (Session Initiation Protocol), a protocol designed for the setup,
    > management, and termination of a media session.
    >
    > They could both be disabled. I don't run a webcam or Zoom/Skype.

    I shut down all four of the ones on my router. Zoom continued to work
    without problem (I held a zoom session with someone in the UK
    afterwards-- I am in Canada). Also my web cam continued to work, but
    then again, it is a local (on the machine) webcam so I would not expect
    it to even need the router.




    --- MBSE BBS v1.0.7.17 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Bit Twister@2:250/1 to All on Wed Nov 4 03:08:03 2020
    On Wed, 4 Nov 2020 00:42:28 -0000 (UTC), William Unruh wrote:
    > On 2020-11-03, Bit Twister <BitTwister@mouse-potato.com> wrote:
    >> On Tue, 3 Nov 2020 17:39:36 -0000 (UTC), William Unruh wrote:
    >>> On 2020-11-03, Bit Twister <BitTwister@mouse-potato.com> wrote:
    >>>> I hope you have disabled ALG in your router
    >>>>
    >>>> We did NAT see that coming: How malicious JavaScript can open holes in your
    >>>> firewall for miscreants to slip through
    >>>> https://www.theregister.com/2020/11/02/application_level_gateway_flaw/
    >>>
    >>> What are the consequences if one does disable?
    >>
    >> Depends if you have to have it or not.
    >>
    >>> My system has four ALG
    >>> configurations: PPTP, IPSec (VPN), RTSP, SIP. Do all four need to be
    >>> terminated?
    >>
    >> That is your decision. You are responsible for any damages from your
    >> device(s)/system(s).
    >
    > I am asking a technical question: Does leaving some of them running also
    > run the risk of my router opening a hole to my machines? If not, which
    > are the crucial ones? The web page talks about SIP. Do the others
    > present equal problems?

    I would assume so, since it is a port exploit and not a protocol (SIP) exploit.

    Glad to see your feedback about disabling all ALGs and that Zoom continued to work.
    I have a VoIP (SIP) phone and ALG disabled, but have poked holes to pass
    SIP ports to my VoIP/audio adapter.


    --- MBSE BBS v1.0.7.17 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)