[Chilli] Apparent intrusion attempt on AP running coova-chilli 1.2.9, ways to mitigate?

Ben West ben at gowasabi.net
Sun Feb 15 21:35:00 UTC 2015


A Nanostation M2 running Openwrt AA with coova-chilli v1.2.9 stopped its
periodic heartbeat, and I had a chance to SSH in locally within 1 hour of the
last heartbeat.

I didn't get a chance to inspect the AP's local state very well before
having to issue a "reboot -f" after the initial SSH session appeared to
freeze.

Besides the device only having 1 Mbyte of remaining free memory, I did notice
these log messages from coova-chilli (trimmed and anonymized):

Feb 15 20:43:56 Openwrt local6.notice coova-chilli[2056]: chilli.c: 5005: Client MAC=8C-84-01-XX-XX-XX assigned IP 101.209.43.124
Feb 15 20:44:16 Openwrt local6.err coova-chilli[18240]: redir.c: 3462: invalid file extension! [wwwroot/apkupdate.php]
Feb 15 20:44:19 Openwrt local6.err coova-chilli[18243]: redir.c: 3462: invalid file extension! [wwwroot/xmlupdate.php]
...
Feb 15 20:44:42 Openwrt local6.err coova-chilli[18283]: redir.c: 3462: invalid file extension! [getTasklist.php]
Feb 15 20:44:42 Openwrt local6.err coova-chilli[18284]: redir.c: 3462: invalid file extension! [getAccountNum.php]
Feb 15 20:44:46 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: authenticated
Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: authenticated
Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: associated (aid 3)
Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX RADIUS: starting accounting session 0000002F-000001AD
Feb 15 20:59:46 Openwrt local6.err coova-chilli[18919]: redir.c: 3462: invalid file extension! [getTasklist.php]
...
Feb 15 20:59:49 Openwrt local6.err coova-chilli[18923]: redir.c: 3462: invalid file extension! [getTasklist2.php]
...

The "invalid file extension" instances, of which there are a couple dozen,
are only a few seconds apart.  The URL parts like "getTasklist.php" and
"getAccountNum.php" seem to suggest whatever the client is doing (i.e.
hammering the chilli agent with lots of bogus port 80 requests) is
abusive.  These log messages did coincide with this particular Nanostation
verging on unresponsive, although I didn't get a chance to run "top" or
"uptime" before needing to force a reboot.

Besides simply blocking this particular MAC from associating, are there other
measures to ward off intrusions like this?

-- 
Ben West
http://gowasabi.net
ben at gowasabi.net
314-246-9434
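One measure short of a blanket MAC block is to detect the burst automatically before the AP runs out of memory. The following is an added example and not code from the post or from the coova-chilli project: it parses OpenWrt syslog lines of the shape quoted above, counts the redir.c "invalid file extension!" errors in a sliding window, and, because the redir.c line itself never names the client, lists the stations that chilli assigned an IP to shortly before the burst as the suspects. The sample log, the thresholds (10 errors in 60 s, 300 s lookback) and the year used to complete the syslog timestamps are constructed assumptions; what to do with a flagged MAC (drop its lease, block it, rate-limit port 80 on the chilli interface) is left to the operator.

```python
"""Detect bursts of coova-chilli "invalid file extension!" errors in OpenWrt syslog.

Added example, not part of the original post or of coova-chilli. The log
lines below are constructed in the same shape as the ones quoted in the
post, with the MAC address anonymised the same way.
"""
import re
from collections import deque
from datetime import datetime

# Constructed sample: one client gets an IP, then hammers chilli's redirect
# web server with requests for .php paths it refuses to serve.
SAMPLE_LOG = """\
Feb 15 20:43:56 Openwrt local6.notice coova-chilli[2056]: chilli.c: 5005: Client MAC=8C-84-01-XX-XX-XX assigned IP 101.209.43.124
Feb 15 20:44:16 Openwrt local6.err coova-chilli[18240]: redir.c: 3462: invalid file extension! [wwwroot/apkupdate.php]
Feb 15 20:44:19 Openwrt local6.err coova-chilli[18243]: redir.c: 3462: invalid file extension! [wwwroot/xmlupdate.php]
Feb 15 20:44:22 Openwrt local6.err coova-chilli[18250]: redir.c: 3462: invalid file extension! [getTasklist.php]
Feb 15 20:44:25 Openwrt local6.err coova-chilli[18255]: redir.c: 3462: invalid file extension! [getAccountNum.php]
Feb 15 20:44:28 Openwrt local6.err coova-chilli[18259]: redir.c: 3462: invalid file extension! [getTasklist.php]
Feb 15 20:44:31 Openwrt local6.err coova-chilli[18263]: redir.c: 3462: invalid file extension! [getAccountNum.php]
Feb 15 20:44:34 Openwrt local6.err coova-chilli[18268]: redir.c: 3462: invalid file extension! [getTasklist2.php]
Feb 15 20:44:37 Openwrt local6.err coova-chilli[18272]: redir.c: 3462: invalid file extension! [getTasklist.php]
Feb 15 20:44:40 Openwrt local6.err coova-chilli[18277]: redir.c: 3462: invalid file extension! [getAccountNum.php]
Feb 15 20:44:42 Openwrt local6.err coova-chilli[18283]: redir.c: 3462: invalid file extension! [getTasklist.php]
Feb 15 20:44:46 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: authenticated
Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: associated (aid 3)
Feb 15 20:59:46 Openwrt local6.err coova-chilli[18919]: redir.c: 3462: invalid file extension! [getTasklist.php]
Feb 15 20:59:49 Openwrt local6.err coova-chilli[18923]: redir.c: 3462: invalid file extension! [getTasklist2.php]
"""

TS_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
ASSIGN_RE = re.compile(r"chilli\.c: \d+: Client MAC=(\S+) assigned IP (\S+)")
BADEXT_RE = re.compile(r"redir\.c: \d+: invalid file extension! \[([^\]]*)\]")


def parse_ts(line, year=2015):
    """Syslog timestamps carry no year; one is supplied (assumed 2015, as in the post)."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def analyse(lines, window_s=60, threshold=10, lookback_s=300):
    """Return one alert per burst of >= threshold bad-extension errors
    within a sliding window of window_s seconds.

    Each alert records when the burst ended, its size, the distinct paths
    requested, and the (MAC, IP) pairs chilli assigned in the lookback_s
    seconds before the burst ended: the redir.c line names no client, so
    the assignment lines are the only way to tie a burst to a station.
    """
    recent = deque()      # (timestamp, path) of errors inside the window
    assignments = []      # (timestamp, mac, ip) seen so far
    alerts = []
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        m = ASSIGN_RE.search(line)
        if m:
            assignments.append((ts, m.group(1), m.group(2)))
            continue
        m = BADEXT_RE.search(line)
        if not m:
            continue
        recent.append((ts, m.group(1)))
        while recent and (ts - recent[0][0]).total_seconds() > window_s:
            recent.popleft()
        if len(recent) >= threshold:
            suspects = [(mac, ip) for ats, mac, ip in assignments
                        if 0 <= (ts - ats).total_seconds() <= lookback_s]
            alerts.append({"end": ts, "count": len(recent),
                           "paths": sorted({p for _, p in recent}),
                           "suspects": suspects})
            recent.clear()   # one alert per burst, not one per extra request
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG.splitlines()):
        print(f"{a['end']:%b %d %H:%M:%S}: {a['count']} bad-extension requests "
              f"within 60s, paths={a['paths']}, suspects={a['suspects']}")
```

On the AP itself the input would be `logread` output rather than the embedded sample; the stray single errors at 20:59 stay below the threshold and produce no alert, which is the point of counting per window instead of alerting on every line.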