
Hackers spread - NetLinx lockups ensue

We're seeing a real upswing in internet hacking attempts as shown in NetLinx logs on jobs with Internet connections. This can lock up the NetLinx as it cannot clear dead IP connections as fast as they come in (as many as hundreds an hour in logs we have reviewed). We see systems locking up again within hours of reboots.

You can:
Turn off port forwarding (but then you can't service the job)
Use Virtual Private Networking (but that's a pain to set up)
... both of these also kill off remote use of mobile devices.

Or you can restrict the ranges of IP addresses accepted for connection, if your router permits that.

Note that these attempts don't get in, if you have password protection/security turned on. If you don't have security on, these get right in and malicious deletion of data is likely, as well as reboots and attempts to command the system.

They are coming from all over the globe, it's a large networked effort. The hacking will look like this in telnet:
(0000477325) Accepted Telnet connection:socket=35 addr=195.211.85.91 port=3615
(0000549316) Accepted Telnet connection:socket=35 addr=27.31.218.107 port=4165
(0000585163) Accepted Telnet connection:socket=35 addr=79.131.92.71 port=62538
(0000667722) Accepted Telnet connection:socket=35 addr=124.244.205.87 port=4880
(0000731193) Accepted Telnet connection:socket=35 addr=14.199.123.96 port=1183
(0000732944) Accepted Telnet connection:socket=35 addr=183.178.199.140 port=3127
(0000735616) Accepted Telnet connection:socket=35 addr=61.92.5.244 port=1362
(0000737521) Accepted Telnet connection:socket=35 addr=183.178.99.222 port=2569
(0001082359) Accepted Telnet connection:socket=35 addr=195.211.85.91 port=4833
(0001254581) Accepted Telnet connection:socket=35 addr=27.31.218.107 port=3022
(0001267361) Accepted Telnet connection:socket=35 addr=124.244.205.87 port=1045
(0001320306) Accepted Telnet connection:socket=35 addr=79.131.92.71 port=57859
(0001385227) Accepted Telnet connection:socket=35 addr=14.199.123.96 port=3588
(0001385768) Accepted Telnet connection:socket=35 addr=183.178.199.140 port=4881
(0001387382) Accepted Telnet connection:socket=35 addr=61.92.5.244 port=4497
(0001393102) Accepted Telnet connection:socket=35 addr=183.178.99.222 port=2293

If you WHOIS these, you see they are in China, Russia, Ukraine, UK, Canada, and more.

At the least, use security. Also use passwords on any VNC ports for panels. These are the easiest hack if open and un-passworded, and evildoers in China will be pressing your panel buttons merrily.

Be prepared, this may happen to your customers and they will first blame you, and you'll presume it is a software problem. It will affect ANY system the same... software or none.
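The log excerpt above is the only signal the NetLinx gives you, so the practical first step is to parse it and see which sources are repeating and how fast they arrive. The following is an added example, not part of the original post or any AMX tool: a small Python parser for lines in the format quoted above that counts connections per source address, flags repeat offenders, reports the arrival rate, and lists sources outside a router-style allow list of address ranges. The sample lines are constructed (addresses are from documentation ranges, not the ones in the post), and the treatment of the bracketed counter as milliseconds of uptime is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the same shape as the NetLinx telnet log lines quoted
# in the post. Addresses are RFC 5737 documentation ranges plus one RFC 1918
# address standing in for a trusted LAN host; none are real attackers.
SAMPLE_LOG = """\
(0000477325) Accepted Telnet connection:socket=35 addr=192.0.2.10 port=3615
(0000549316) Accepted Telnet connection:socket=35 addr=198.51.100.7 port=4165
(0000585163) Accepted Telnet connection:socket=35 addr=203.0.113.5 port=62538
some unrelated diagnostic line the parser should ignore
(0001082359) Accepted Telnet connection:socket=35 addr=192.0.2.10 port=4833
(0001254581) Accepted Telnet connection:socket=35 addr=198.51.100.7 port=3022
(0001320306) Accepted Telnet connection:socket=35 addr=203.0.113.5 port=57859
(0001393102) Accepted Telnet connection:socket=35 addr=10.0.0.25 port=2293
"""

# One regex for the whole line; anything that does not match is skipped rather
# than guessed at, so a malformed line cannot poison the counts.
LINE_RE = re.compile(
    r"^\((?P<ts>\d+)\) Accepted Telnet connection:socket=(?P<sock>\d+) "
    r"addr=(?P<addr>\d{1,3}(?:\.\d{1,3}){3}) port=(?P<port>\d+)$"
)


def parse_lines(text):
    """Yield (counter, addr, port) for each well-formed log line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["ts"]), m["addr"], int(m["port"])


def count_by_addr(text):
    """Number of accepted telnet connections per source address."""
    return Counter(addr for _, addr, _ in parse_lines(text))


def repeat_offenders(text, min_hits=2, trusted=()):
    """Sources seen at least min_hits times, excluding a trusted set."""
    trusted_set = set(trusted)
    return sorted(
        addr for addr, n in count_by_addr(text).items()
        if n >= min_hits and addr not in trusted_set
    )


def outside_allowed(text, allowed_nets):
    """Sources that fall outside every allowed range (mirrors a router allow list)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    seen = {addr for _, addr, _ in parse_lines(text)}
    return sorted(
        addr for addr in seen
        if not any(ipaddress.ip_address(addr) in net for net in nets)
    )


def hourly_rate(text):
    """Connections per hour over the span of the log.

    Assumption: the bracketed counter is milliseconds of uptime. Returns None
    when the span is too short to give a meaningful rate.
    """
    events = list(parse_lines(text))
    if len(events) < 2:
        return None
    span_ms = events[-1][0] - events[0][0]
    if span_ms <= 0:
        return None
    return len(events) / (span_ms / 3_600_000)


if __name__ == "__main__":
    print("per address:", dict(count_by_addr(SAMPLE_LOG)))
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
    print("outside 10.0.0.0/8:", outside_allowed(SAMPLE_LOG, ["10.0.0.0/8"]))
    print("connections/hour:", round(hourly_rate(SAMPLE_LOG), 1))
```

Running it against a real NetLinx log dump gives you the list of sources to hand to whoever manages the router, and the hourly rate tells you whether the master is seeing the "hundreds an hour" the post describes. The allow-list check is the same test the router would apply if you restrict accepted source ranges, so you can preview what would be cut off before changing the router.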

Comments

  • jjames Posts: 2,908
    You can also use non-standard ports for your telnet, ICSP, VNC, FTP, etc. connections.
  • John Nagy Posts: 1,734
    jjames wrote: »
    You can also use non-standard ports for your telnet, ICSP, VNC, FTP, etc. connections.

    That won't help a whole lot, the hackers are running the port tables looking for responses. They start with the obvious ones, but once they find a reply on any port, the botnet takes over and hammers away with brute force account pounding till it gets in. We only get to see the TELNET attack because the NetLinx makes it visible. Usually there are simultaneous attacks on multiple ports.

    And it will get worse.
  • vining Posts: 4,368
    VPNs aren't really a pain to set up. I've been using the Cisco RV082 or RV042, which cost around $300/$150, for years, and to set up a PPTP server on the router takes all of 2 minutes; you basically just need to input a user name and password. On the client side, setting up an iPad or PC as a PPTP client is just slightly more difficult and takes maybe 3 minutes, and you additionally need to know the job's/router's dyndns account, but that's about it. IPSEC or L2TP is a bit more complicated, but if you leave the default settings in the router and just enter your security parameters it's pretty simple too, and then you can do Gateway to Gateway tunnels for linking customers' homes, or just between your office and the clients' homes for testing intercoms or anything else you might want, using equipment in your office through the processor on the job. The AMX TPs w/ intercoms work very well between sites. Instead of using a VNC connection on a job site TP I often just use a TP in my office and connect it to the remote system. I've been reserving a TP DPS in my UI arrays for testing from the office or for bringing my own portable TP to the job site for testing.

    I usually don't even set up the client's clients (iPads/PCs) since it's so simple. I have the procedure written down for them to follow. I have the procedure for setting up iTeleport too, but that gives them trouble since there's around 6 more steps.
  • aries Posts: 27
    vining wrote: »
    VPNs aren't really a pain to set up. I've been using the Cisco RV082 or RV042, which cost around $300/$150, for years, and to set up a PPTP server on the router takes all of 2 minutes; you basically just need to input a user name and password. On the client side, setting up an iPad or PC as a PPTP client is just slightly more difficult and takes maybe 3 minutes, and you additionally need to know the job's/router's dyndns account, but that's about it. IPSEC or L2TP is a bit more complicated, but if you leave the default settings in the router and just enter your security parameters it's pretty simple too, and then you can do Gateway to Gateway tunnels for linking customers' homes, or just between your office and the clients' homes for testing intercoms or anything else you might want, using equipment in your office through the processor on the job. The AMX TPs w/ intercoms work very well between sites. Instead of using a VNC connection on a job site TP I often just use a TP in my office and connect it to the remote system. I've been reserving a TP DPS in my UI arrays for testing from the office or for bringing my own portable TP to the job site for testing.

    Yes, exactly! This is what I have been doing for years. I almost *never* leave an NI exposed directly to the Internet! Works well, no problems.
  • the8thst Posts: 470
    I turn on ICSP security and encryption and that is the only Netlinx Master port that is directly available via the internet. I do this to allow iPads 3G access and for my method of switching between multiple houses on an iPad (I don't really see any need to have multiple house systems directly connected, so the iPad just changes URLs to connect to the desired residence directly).

    All other service is done via VPN. VPNs are very easy to implement and manage these days. I personally use SonicWall (now owned by Netgear) in my clients houses, but Mikrotik is a VERY cost effective alternative.

    You can even get around the VPN issue altogether by having a computer onsite and using TeamViewer/LogMeIn/etc. services to gain remote desktop access. I use the remote desktop method (via a VPN connection) on all jobs that have multiple Modero touchpanels because it is MUCH faster to transfer TP4 files via a LAN than over an internet connection.
  • PhreaK Posts: 966
    vining wrote: »
    VPNs aren't really a pain to set up

    Agreed. If your job is to deploy *any* network attached device it is well and truly worth having a working knowledge of basic network security. There are loads of freely available resources and plenty of products to make this simple and painless.

    I actually began creating a little white hat NetLinx worm a while back as a proof of concept to assist people with understanding the importance of considering security in installations, particularly those visible from the outside world. As you can FTP between masters and also identify other masters, it is extremely straightforward to create a self-replicating piece of malicious NetLinx code. If your system interfaces with anything in the physical world (security systems, lift motors, HVAC, etc.) it's very easy to see how this can have some rather significant and potentially dangerous consequences.
  • DHawthorne Posts: 4,584
    It depends on your router whether VPN is a pain or not. Netgear routers are a royal pain, whereas Pakedge are cake.

    That said, I do VPN whenever I can, but usually have to set up port forwarding as well, so the client can use their own mobile devices to connect to things in the house. I put passwords on everything. I had a customer going nuts that someone was turning on his stereo at 5AM daily, and it turned out to be a hacker. I put a password on the VNC, and it stopped ... but I never would have suspected someone would even bother until I ran across it.