[Chilli] Apparent intrusion attempt on AP running coova-chilli 1.2.9, ways to mitigate?

reiner otto augustus_meyer at yahoo.de
Mon Feb 16 00:03:58 UTC 2015


You might have a look at "logtrigger" or "fail2ban".
 

     Ben West <ben at gowasabi.net> wrote on Sunday, 15 February 2015 at 22:35:
   

A Nanostation M2 running Openwrt AA with coova-chilli v1.2.9 stopped its periodic heartbeat, and I had a chance to SSH in locally w/in 1 hour of the last heartbeat.

I didn't get a chance to inspect the AP's local state very well before having to issue a "reboot -f" after the initial SSH session appeared to freeze.

Besides the device only having 1 MByte of remaining free memory, I did notice these log messages from coova-chilli (trimmed and anonymized):

Feb 15 20:43:56 Openwrt local6.notice coova-chilli[2056]: chilli.c: 5005: Client MAC=8C-84-01-XX-XX-XX assigned IP 101.209.43.124
Feb 15 20:44:16 Openwrt local6.err coova-chilli[18240]: redir.c: 3462: invalid file extension! [wwwroot/apkupdate.php]
Feb 15 20:44:19 Openwrt local6.err coova-chilli[18243]: redir.c: 3462: invalid file extension! [wwwroot/xmlupdate.php]
...
Feb 15 20:44:42 Openwrt local6.err coova-chilli[18283]: redir.c: 3462: invalid file extension! [getTasklist.php]
Feb 15 20:44:42 Openwrt local6.err coova-chilli[18284]: redir.c: 3462: invalid file extension! [getAccountNum.php]
Feb 15 20:44:46 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: authenticated
Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: authenticated
Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: associated (aid 3)
Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX RADIUS: starting accounting session 0000002F-000001AD
Feb 15 20:59:46 Openwrt local6.err coova-chilli[18919]: redir.c: 3462: invalid file extension! [getTasklist.php]
...
Feb 15 20:59:49 Openwrt local6.err coova-chilli[18923]: redir.c: 3462: invalid file extension! [getTasklist2.php]
...

The "invalid file extension" instances, of which there are a couple dozen, are only a few seconds apart.  The URL parts like "getTasklist.php" and "getAccountNum.php" seem to suggest whatever the client is doing (i.e. hammering the chilli agent with lots of bogus port 80 requests) is abusive.  These log messages did coincide with this particular Nanostation verging on unresponsive, although I didn't get a chance to run "top" or "uptime" before needing to force a reboot.

Besides simply blocking this particular MAC from associating, are there other measures to ward off intrusions like this?

-- 
Ben West
http://gowasabi.net
ben at gowasabi.net
314-246-9434

_______________________________________________
Chilli mailing list
Chilli at coova.org
http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
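Detection logic for the burst Ben describes, as an added example that is not part of this thread and is neither coova-chilli nor fail2ban code: it parses constructed syslog lines modelled on the excerpt above, raises an alert when several "invalid file extension" rejects fall inside a short window (the kind of condition a logtrigger or fail2ban rule would act on), and attributes the burst to the most recently assigned client. The year, the threshold of 3 rejects and the 60-second window are assumptions.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample, modelled on the anonymised excerpt in the thread (not a real capture).
SAMPLE_LOG = """\
Feb 15 20:43:56 Openwrt local6.notice coova-chilli[2056]: chilli.c: 5005: Client MAC=8C-84-01-XX-XX-XX assigned IP 101.209.43.124
Feb 15 20:44:16 Openwrt local6.err coova-chilli[18240]: redir.c: 3462: invalid file extension! [wwwroot/apkupdate.php]
Feb 15 20:44:19 Openwrt local6.err coova-chilli[18243]: redir.c: 3462: invalid file extension! [wwwroot/xmlupdate.php]
Feb 15 20:44:42 Openwrt local6.err coova-chilli[18283]: redir.c: 3462: invalid file extension! [getTasklist.php]
Feb 15 20:44:42 Openwrt local6.err coova-chilli[18284]: redir.c: 3462: invalid file extension! [getAccountNum.php]
Feb 15 20:44:46 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX IEEE 802.11: authenticated
Feb 15 20:59:46 Openwrt local6.err coova-chilli[18919]: redir.c: 3462: invalid file extension! [getTasklist.php]
Feb 15 20:59:49 Openwrt local6.err coova-chilli[18923]: redir.c: 3462: invalid file extension! [getTasklist2.php]
"""

# Only coova-chilli lines are considered; hostapd and other daemons are skipped.
CHILLI_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ coova-chilli\[\d+\]: (.*)$")
ASSIGN_RE = re.compile(r"Client MAC=(\S+) assigned IP (\S+)")
# The reject message names no client, so a burst is attributed to the last assignment seen.
# This is also the pattern a fail2ban failregex for this log would anchor on.
REJECT_RE = re.compile(r"redir\.c: \d+: invalid file extension! \[([^\]]*)\]")

def parse_ts(stamp, year=2015):
    """Syslog stamps carry no year; 2015 is assumed from the thread's date."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_bursts(log_text, threshold=3, window_s=60):
    """One (time, (mac, ip) or None, [paths]) alert each time a burst reaches `threshold` rejects within `window_s` seconds."""
    alerts, recent, last_client = [], deque(), None
    for line in log_text.splitlines():
        m = CHILLI_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        assigned = ASSIGN_RE.search(msg)
        if assigned:
            last_client = (assigned.group(1), assigned.group(2))
            continue
        rejected = REJECT_RE.search(msg)
        if not rejected:
            continue
        recent.append((ts, rejected.group(1)))
        while (ts - recent[0][0]).total_seconds() > window_s:  # drop rejects outside the window
            recent.popleft()
        if len(recent) == threshold:  # fire once, as the burst crosses the threshold
            alerts.append((ts, last_client, [path for _, path in recent]))
    return alerts
```

Because the redir.c line carries no client identity, the attribution is only a heuristic; on a busy AP, correlate the alert time with the RADIUS accounting session or the chilli session list before acting on a MAC.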


   