Friday, June 8, 2012

IPv6 Security: Back to square one?

After playing with an IPv6 "Hello World!" and surfing IPv6 a bit during the IPv6 World Launch, I noticed something while reading some of the IPv6 configuration guides available for Unix. Let me see... interface definition, tunnel creation, end-point IP, DNS, etc. Everything seems in order, but something is missing: the firewall!
In all the rush to set up our new IPv6 connection, and after all that time working behind a NAT, we didn't pay attention to that important element, and some machines are plugged in wide open.
Is it just a couple of poorly configured systems or an epidemic? Let's scan the network "old style". A sequential IPv6 scan is not viable because of the size of the IPv6 address space (2^128), so I took an IP list from the IPv6 database at http://flyr.info/ . From it I got 16839 unique IPv6 addresses: a good sample to test.
With the nc Linux command, the IP list and a loop we have a low-cost IP scanner:

#!/bin/bash
# Usage: ./scan.sh <port>
# Tries a TCP connect to <port> on every IPv6 address listed, one per line, in the file "list".
# nc flags: -6 IPv6 only, -z only check that the port is listening, -v report the result, -w 1 one-second timeout
port="$1"
while read -r ip; do
    nc -6zv -w 1 "$ip" "$port"
done < "list"

Scan result, from 16839 scanned IPs:
6660 machines with Port TCP 22 SSH open
53 machines with Port TCP 5900 VNC open
181 machines with Port TCP 3389 Windows Remote Desktop open
and the list goes on...

I know, some of those machines have those ports open on purpose. But when you see nmap scan results like the ones below, you realise that these are computers without any IP filtering active at all. And this is not good.

# nmap -6 2001:**:**:**::**
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-08 00:48 CEST
Nmap scan report for ****.******.cr (2001:**:**:**::**)
Host is up (0.22s latency).
Not shown: 972 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
88/tcp   open     kerberos-sec
143/tcp  open     imap
311/tcp  open     asip-webadmin
389/tcp  open     ldap
443/tcp  open     https
445/tcp  open     microsoft-ds
464/tcp  open     kpasswd5
548/tcp  open     afp
587/tcp  open     submission
625/tcp  open     apple-xsrvr-admin
636/tcp  open     ldapssl
749/tcp  open     kerberos-adm
993/tcp  open     imaps
2000/tcp open     cisco-sccp
5222/tcp open     xmpp-client
5269/tcp open     xmpp-server
5900/tcp open     vnc
8088/tcp open     radan-http
9999/tcp filtered abyss
Nmap done: 1 IP address (1 host up) scanned in 27.74 seconds

# nmap -6 2607:**:**:**::**
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-08 09:04 CEST
Nmap scan report for ****.******.com (2607:**:**:**::**)
Host is up (0.24s latency).
Not shown: 973 closed ports
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
25/tcp    open     smtp
26/tcp    open     rsftp
53/tcp    open     domain
79/tcp    open     finger
80/tcp    open     http
88/tcp    open     kerberos-sec
110/tcp   open     pop3
143/tcp   open     imap
389/tcp   open     ldap
443/tcp   open     https
515/tcp   open     printer
548/tcp   open     afp
631/tcp   open     ipp
636/tcp   open     ldapssl
993/tcp   open     imaps
995/tcp   open     pop3s
1025/tcp  open     NFS-or-IIS
5900/tcp  open     vnc
10001/tcp open     scp-config
Nmap done: 1 IP address (1 host up) scanned in 45.27 seconds

# nmap -6 2a02:**:**:**::**
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-08 08:59 CEST
Nmap scan report for 2a02:**:**:**::**
Host is up (0.11s latency).
Not shown: 981 closed ports
PORT      STATE    SERVICE
80/tcp    open     http
135/tcp   open     msrpc
445/tcp   open     microsoft-ds
554/tcp   open     rtsp
1433/tcp  open     ms-sql-s
3389/tcp  open     ms-wbt-server
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
49155/tcp open     unknown
49156/tcp open     unknown
49157/tcp open     unknown
49158/tcp open     unknown
Nmap done: 1 IP address (1 host up) scanned in 15.75 seconds
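As an added example (mine, not code from the original post), here is a small Python script that parses reports in the nmap format shown above, aggregates them into the "N machines with port X open" summary used earlier in the post, and flags hosts that expose ports outside an allowlist of services meant to be reachable from the Internet. The two reports embedded in it are constructed for the example, using documentation-range addresses, and are not the scan results from the post; the allowlist is an assumption you would replace with your own.

```python
import re
from collections import Counter

# Constructed sample: two abbreviated "nmap -6" reports in the format the post shows.
# Hosts, addresses and ports are made up for this example.
SAMPLE_REPORTS = """\
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-08 00:48 CEST
Nmap scan report for host-a.example (2001:db8:1::a)
Host is up (0.22s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
443/tcp  open     https
5900/tcp open     vnc
Nmap done: 1 IP address (1 host up) scanned in 27.74 seconds

Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-08 08:59 CEST
Nmap scan report for 2001:db8:2::b
Host is up (0.11s latency).
Not shown: 998 closed ports
PORT      STATE    SERVICE
80/tcp    open     http
3389/tcp  open     ms-wbt-server
9999/tcp  filtered abyss
Nmap done: 1 IP address (1 host up) scanned in 15.75 seconds
"""

# "Nmap scan report for name (addr)" or "Nmap scan report for addr"
REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \((\S+)\)|(\S+))\s*$")
# "22/tcp   open     ssh"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Assumed allowlist: the only services this fleet is supposed to expose to the Internet.
ALLOWED = {(80, "tcp"), (443, "tcp")}


def parse_reports(text):
    """Return {address: {(port, proto): state}} from concatenated nmap output."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            # Prefer the address in parentheses; fall back to the bare address form.
            current = m.group(2) or m.group(3)
            hosts[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state = int(m.group(1)), m.group(2), m.group(3)
            hosts[current][(port, proto)] = state
    return hosts


def open_port_counts(hosts):
    """Aggregate like the post's summary: how many hosts have each port open."""
    counts = Counter()
    for ports in hosts.values():
        for key, state in ports.items():
            if state == "open":  # 'filtered' means something is in front of the port
                counts[key] += 1
    return counts


def unexpected_exposure(hosts, allowed=ALLOWED):
    """Per host, the open ports that are not in the allowlist (sorted port numbers)."""
    findings = {}
    for host, ports in hosts.items():
        bad = sorted(port for (port, proto), state in ports.items()
                     if state == "open" and (port, proto) not in allowed)
        if bad:
            findings[host] = bad
    return findings


if __name__ == "__main__":
    hosts = parse_reports(SAMPLE_REPORTS)
    for (port, proto), n in sorted(open_port_counts(hosts).items()):
        print(f"{n} machine(s) with port {proto.upper()} {port} open")
    for host, ports in unexpected_exposure(hosts).items():
        print(f"{host}: open ports outside the allowlist: {ports}")
```

Feed it the concatenated output of your own `nmap -6` runs against the addresses you administer; a host that shows up in the "outside the allowlist" list is either running something it should not or, as the post argues, has no IPv6 filtering in front of it at all.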


3 comments:

  1. my OpenBSD PF server config

    # cat /etc/pf.conf
    ### ### ### SBSBox4 - Web ### ### ###
    set skip on lo
    pass # to establish keep-state
    block in on ! lo0 proto tcp to port 6000:6010
    ### ### ### SBSBox4 - Web ### ### ###

    ### ### ### SBSHosting.biz Services ### ### ###

    ## Options
    ### set block-policy return
    ### set log interface axe0

    ### ### ### Unlimited Traffic for AXE1 and Loopback ### ### ###
    # unlimited traffic for vpn and loopback
    ### set skip on {lo0, axe1}

    ### ### ### BLOCK ALL ### ### ###
    block in log all
    block out all

    ### ### ### GREEN INTERFACE ### ### ###
    pass in quick on msk0 from any to msk0
    pass out quick on msk0 from msk0 to any

    set skip on msk0

    pass in quick on axe1 from any to axe1
    pass out quick on axe1 from axe1 to any

    set skip on axe1

    ### ### ### IPv6 Anti Spoofing ### ### ###
    # activate spoofing protection for all interfaces
    block in quick from urpf-failed

    # antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
    antispoof log quick for axe0 inet6

    ### ### ### IPv6 BLOCK NMAP SCANS ### ### ###
    # Try to block nmap scans
    block in log quick on axe0 inet6 proto tcp from any to any flags FUP/FUP

    ### ### ### ACCESS CONTROL LIST ### ### ###

    ### ### ### IPv6 ICMP Internet to Machine Access ### ### ###
    #IPv6 - pass in/out all IPv6 ICMP traffic
    pass in quick proto icmp6 all
    ### ### ### IPv6 ICMP Internet to Machine Access ### ### ###

    ### ### ### IPv6 Administrator Access ### ### ###

    ### ### ### IPv6 Machine to Internet Access ### ### ###
    # Allow outgoing services
    pass out on axe0 inet6 proto tcp to any port ssh
    pass out on axe0 inet6 proto tcp to any port smtp
    pass out on axe0 inet6 proto tcp to any port domain
    pass out on axe0 inet6 proto tcp to any port www
    pass out on axe0 inet6 proto tcp to any port https
    pass out on axe0 inet6 proto tcp to any port 122
    pass out on axe0 inet6 proto tcp to any port ntp
    pass out on axe0 inet6 proto tcp to any port 43

    pass out on axe0 inet6 proto udp to any port domain
    pass out on axe0 inet6 proto udp to any port ntp

    ### ### ### IPv6 Internet Access to Machine ### ### ###
    # Allow incoming services
    pass in on axe0 inet6 proto tcp from any to axe0 port https
    pass in on axe0 inet6 proto tcp from any to axe0 port http

    ### INCOMING - TunnelBroker - SBSHosting.biz - xxx-tun1 ###
    # xxx.tunnel.xxx.xxx.ipv6.he.net
    # 2001:470:xxx:xxx::/64
    pass in on axe0 inet6 proto tcp from 2001:470:xxx:xxx::/64 to axe0 port ssh
    # 2001:470:xxx::/48
    pass in on axe0 inet6 proto tcp from 2001:470:xxx::/48 to axe0 port ssh
    ### INCOMING - TunnelBroker - SBSHosting.biz - xxx-tun1 ###

    ... and so on ...

    # pass in on axe0 inet6 proto udp from any to axe0 port ntp
    ### ### ### IPv6 Internet Access to Machine ### ### ###

    ### ### ### IPv6 Trace Route ### ### ###
    # Trace route out
    pass out on axe0 inet6 proto udp from any to any port 33433 >< 33626 keep state

    ### ### ### IPv6 Router advertisement ### ### ###
    # Router advertisement out
    pass out on axe0 inet6 proto icmp6 all icmp6-type routeradv

    # Router solicitation in
    pass in on axe0 inet6 proto icmp6 all icmp6-type routersol

    ### ### ### IPv6 ND advertisement ### ### ###
    # ND advertisement in
    pass in on axe0 inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}

    # ND solicitation out
    pass out on axe0 inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}

    ### ### ### IPv6 Ping Pong ### ### ###
    # Allow Ping pong in
    pass in on axe0 inet6 proto icmp6 all icmp6-type echoreq

    # Allow ping pong out
    pass out on axe0 inet6 proto icmp6 all icmp6-type echoreq keep state

    ### ### ### SBSHosting.biz Services ### ### ###

    ### EOF ###

  3. ... one of the base servers' config ...

    # cat /etc/pf.conf
    ### ### ### SBSBox4 - Web ### ### ###
    set skip on lo
    pass # to establish keep-state
    block in on ! lo0 proto tcp to port 6000:6010
    ### ### ### SBSBox4 - Web ### ### ###

    ### ### ### SBSHosting.biz Services ### ### ###

    ## Options
    ### set block-policy return
    ### set log interface axe0

    ### ### ### Unlimited Traffic for AXE1 and Loopback ### ### ###
    # unlimited traffic for vpn and loopback
    ### set skip on {lo0, axe1}

    ### ### ### BLOCK ALL ### ### ###
    block in log all
    block out all

    ### ### ### GREEN INTERFACE ### ### ###
    pass in quick on msk0 from any to msk0
    pass out quick on msk0 from msk0 to any

    set skip on msk0

    pass in quick on axe1 from any to axe1
    pass out quick on axe1 from axe1 to any

    set skip on axe1

    ### ### ### IPv6 Anti Spoofing ### ### ###
    # activate spoofing protection for all interfaces
    block in quick from urpf-failed

    # antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
    antispoof log quick for axe0 inet6

    ### ### ### IPv6 BLOCK NMAP SCANS ### ### ###
    # Try to block nmap scans
    block in log quick on axe0 inet6 proto tcp from any to any flags FUP/FUP

    ### ### ### ACCESS CONTROL LIST ### ### ###

    ### ### ### IPv6 ICMP Internet to Machine Access ### ### ###
    #IPv6 - pass in/out all IPv6 ICMP traffic
    pass in quick proto icmp6 all
    ### ### ### IPv6 ICMP Internet to Machine Access ### ### ###

    ### ### ### IPv6 Administrator Access ### ### ###

    ### ### ### IPv6 Machine to Internet Access ### ### ###
    # Allow outgoing services
    pass out on axe0 inet6 proto tcp to any port ssh
    pass out on axe0 inet6 proto tcp to any port smtp
    pass out on axe0 inet6 proto tcp to any port domain
    pass out on axe0 inet6 proto tcp to any port www
    pass out on axe0 inet6 proto tcp to any port https
    pass out on axe0 inet6 proto tcp to any port 122
    pass out on axe0 inet6 proto tcp to any port ntp
    pass out on axe0 inet6 proto tcp to any port 43

    pass out on axe0 inet6 proto udp to any port domain
    pass out on axe0 inet6 proto udp to any port ntp

    ### ### ### IPv6 Internet Access to Machine ### ### ###
    # Allow incoming services
    pass in on axe0 inet6 proto tcp from any to axe0 port https
    pass in on axe0 inet6 proto tcp from any to axe0 port http

    ### INCOMING - TunnelBroker - SBSHosting.biz - Net1 ###
    # xxxx-1.tunnel.xxxx.xxxx.ipv6.he.net
    # 2001:470:xxxx:xxxx::/64
    pass in on axe0 inet6 proto tcp from 2001:470:xxxx:xxxx::/64 to axe0 port ssh
    # 2001:470:xxxx::/48
    pass in on axe0 inet6 proto tcp from 2001:470:xxxx::/48 to axe0 port ssh
    ### INCOMING - TunnelBroker - SBSHosting.biz - Net1 ###

    … and so on …

    # pass in on axe0 inet6 proto udp from any to axe0 port ntp
    ### ### ### IPv6 Internet Access to Machine ### ### ###

    ### ### ### IPv6 Trace Route ### ### ###
    # Trace route out
    pass out on axe0 inet6 proto udp from any to any port 33433 >< 33626 keep state

    ### ### ### IPv6 Router advertisement ### ### ###
    # Router advertisement out
    pass out on axe0 inet6 proto icmp6 all icmp6-type routeradv

    # Router solicitation in
    pass in on axe0 inet6 proto icmp6 all icmp6-type routersol

    ### ### ### IPv6 ND advertisement ### ### ###
    # ND advertisement in
    pass in on axe0 inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}

    # ND solicitation out
    pass out on axe0 inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}

    ### ### ### IPv6 Ping Pong ### ### ###
    # Allow Ping pong in
    pass in on axe0 inet6 proto icmp6 all icmp6-type echoreq

    # Allow ping pong out
    pass out on axe0 inet6 proto icmp6 all icmp6-type echoreq keep state

    ### ### ### SBSHosting.biz Services ### ### ###
    #
