[Chilli] Apparent intrusion attempt on AP running coova-chilli 1.2.9, ways to mitigate?

Ben West ben at gowasabi.net
Sun Feb 15 22:57:55 UTC 2015


Thank you, Xavier, for the tip about possible API calls from a wayward
Android client.  I also couldn't Google anything meaningful about the
filenames "apkupdate.php," etc., and assumed the client was malicious.

Are there options for dealing with chilli clients who open many many many
simultaneous connections, for whatever reason?  For example, use the iptables
connlimit module to limit the number of new connections per unit time on
unauthenticated clients?
https://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable

I'd hate to apply filters that could potentially impede portal
authentication for all clients, but having a small handful of misbehaving
clients (whether intentional or not) crash the AP is also problematic.

P.S. Thank you also for your answer to my question about chilli_query in
the previous thread!


On Sun, Feb 15, 2015 at 4:13 PM, Xabier Oneca -- xOneca <xoneca at gmail.com>
wrote:

> Hello Ben,
>
> 2015-02-15 22:35 GMT+01:00 Ben West <ben at gowasabi.net>:
> > A Nanostation M2 running Openwrt AA with coova-chilli v1.2.9 stopped its
> > periodic heartbeat, and I had a chance to SSH in locally w/in 1 hour of the
> > last heartbeat.
> >
> > I didn't get a chance to inspect the AP's local state very well before
> > having to issue a "reboot -f" after the initial SSH session appeared to freeze.
> >
> > Besides, the device only had 1 Mbyte of remaining free memory. I did notice
> > these log messages from coova-chilli (trimmed and anonymized):
> >
> > Feb 15 20:43:56 Openwrt local6.notice coova-chilli[2056]: chilli.c: 5005: Client MAC=8C-84-01-XX-XX-XX assigned IP 101.209.43.124
> > Feb 15 20:44:16 Openwrt local6.err coova-chilli[18240]: redir.c: 3462: invalid file extension! [wwwroot/apkupdate.php]
> > Feb 15 20:44:19 Openwrt local6.err coova-chilli[18243]: redir.c: 3462: invalid file extension! [wwwroot/xmlupdate.php]
> > ...
> > Feb 15 20:44:42 Openwrt local6.err coova-chilli[18283]: redir.c: 3462: invalid file extension! [getTasklist.php]
> > Feb 15 20:44:42 Openwrt local6.err coova-chilli[18284]: redir.c: 3462: invalid file extension! [getAccountNum.php]
> > Feb 15 20:44:46 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: authenticated
> > Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: authenticated
> > Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: associated (aid 3)
> > Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX RADIUS: starting accounting session 0000002F-000001AD
> > Feb 15 20:59:46 Openwrt local6.err coova-chilli[18919]: redir.c: 3462: invalid file extension! [getTasklist.php]
> > ...
> > Feb 15 20:59:49 Openwrt local6.err coova-chilli[18923]: redir.c: 3462: invalid file extension! [getTasklist2.php]
> > ...
>
> The PHP file names seem like Android API function calls. Maybe it's
> some sort of Android managing software that has a web interface, and
> the App is making calls to it, thinking Chilli is the manager
> server...
>
> I googled those names, but the searches came empty.
>
> Cheers,
>
> Xabier Oneca_,,_
>



-- 
Ben West
http://gowasabi.net
ben at gowasabi.net
314-246-9434
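Added example (not from the thread or the coova-chilli project) of the per-client limiting Ben asks about: iptables hashlimit and connlimit rules scoped to the chilli portal listener only, so one chattering client is throttled without affecting other clients' logins. It assumes chilli's default tun0 interface and UAM port 3990; override TUN and UAMPORT if your config differs.

```shell
#!/bin/sh
# Per-client rate limits for the coova-chilli captive-portal listener.
# Assumptions (coova-chilli defaults, not taken from the thread): the chilli
# tunnel is tun0 and the UAM listener is TCP port 3990.
TUN="${TUN:-tun0}"
UAMPORT="${UAMPORT:-3990}"
CHAIN="chilli_limit"

# With DRY_RUN=1 the rules are printed instead of applied, so the script can be
# reviewed on a machine without iptables or root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

chilli_limit_rules() {
    run -N "$CHAIN"
    # Only traffic arriving on the chilli tunnel towards the portal listener
    # is inspected; forwarded traffic of authenticated clients is untouched.
    run -I INPUT -i "$TUN" -p tcp --dport "$UAMPORT" -j "$CHAIN"
    # Refuse new connections from a source that already holds more than 20
    # open TCP connections to the portal (per single IP, mask 32).
    run -A "$CHAIN" -p tcp --syn -m connlimit --connlimit-above 20 \
        --connlimit-mask 32 -j DROP
    # Allow a burst of 30 new connections, then at most 10/sec per source IP;
    # keyed on srcip so a misbehaving client does not slow everyone's login.
    run -A "$CHAIN" -p tcp --syn -m hashlimit --hashlimit-name chilli_new \
        --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-burst 30 \
        -j RETURN
    # Log (rate-limited) and drop what exceeded the limits; the log line is
    # the signal that a client is flooding the portal before the AP runs dry.
    run -A "$CHAIN" -p tcp --syn -m limit --limit 3/min \
        -j LOG --log-prefix "chilli-limit: "
    run -A "$CHAIN" -p tcp --syn -j DROP
}

case "${1:-}" in
    apply) chilli_limit_rules ;;
    show)  DRY_RUN=1; chilli_limit_rules ;;
esac
```

Run with `show` to review the rules, `apply` (as root) to install them; the `-I INPUT` jump is placed first, so re-running `apply` adds a duplicate jump unless the chain is flushed first.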