Disable ipv6 in OpenWRT

解除咗 dns amplification attack 之後，又發現佢因為無 ipv6 地址又不斷 spam 自己個 system log，所以把心一橫 disable 埋佢！

/etc/config/dhcp

under

config dhcp 'lan'

加句

option dhcpv6 'disabled'

唔知有無得鎖定SSH password retry 次數呢。

OpenWRT 的 DNS Amplification attack, dnsmasq setting 漏洞

真係 there is something happened always! 呢次我自己覺得都幾嚴重，所以希望有緣人睇到呢篇文並修正問題，避免問題惡化並做咗幫凶都唔知。

話說小弟家有一台 tp-link 的 router，型號係 wrt1043nd，其實我幾鐘意呢個 router，一、性價比高。二、可以安裝 3rd party firmware。幾年前我係安裝 ddwrt，但後來唔知點解佢做唔到我想要o既嘢，但家陣唔記得係咩 function，就膽粗粗自己走去裝個 openwrt，呀，點知又 work 喎。以我半桶水o既性格，用得都不亦樂乎。

既然用得 openwrt，就梗係調下 wifi settings、做下小小 firewall、port forwarding、起下 vpn pptp server、開埋 ddns service to update ddns 之類。。。

早幾日，細妹投訴話屋企上網好慢，有時仲 load 唔到網頁，youtube 又睇唔到，甚至 smartone 個勁慢o既無限 3G plan 都快過用 wifi 連去 netvigator 200M。有咩可能？小弟又要出動去 check 下咩事。。。

唔 check 好地地，一 check 就覺得怪怪地：

Tue Feb 24 10:31:01 2015 daemon.warn dnsmasq[6244]: Maximum number of concurrent DNS queries reached (max: 150)
Tue Feb 24 10:31:12 2015 daemon.warn dnsmasq[6244]: Maximum number of concurrent DNS queries reached (max: 150)
Tue Feb 24 10:31:24 2015 daemon.warn dnsmasq[6244]: Maximum number of concurrent DNS queries reached (max: 150)
Tue Feb 24 10:31:30 2015 daemon.warn dnsmasq[6244]: Maximum number of concurrent DNS queries reached (max: 150)

一開頭唔識睇，心諗，屋企最多二台 desktop，一台 NAS，三部手提電話，計落都係 6 台 device，有咩理由會打爆 150 limit。咁我咪 click 入去 dhcp and dns setting 去睇下。依然無頭緒。咁咪逐個 setting 睇下囉，點知又俾我咁啱 click 咗：

Log queries

 Write received DNS requests to syslog

咁我返轉頭再睇下個 system log，嘩，不得了，俾啲 log 嚇傻咗：

Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 70.234.253.75
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 67.239.253.115
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 109.108.209.151
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 67.239.253.115
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 109.108.209.151
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 67.240.130.123
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 70.234.253.75
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90

無端端係咁 query url，一睇個網址就知古怪喇，第一時間我以為係有嘢中毒，或者係 NAS 中咗招，咁我二話不說就 remote power off 台 HP N40L。點知 check log 都係一樣。咁我咪試下改個 dns port 做其他，咦，即係無事喎，無晒啲無聊 query。咁以為自己搞掂喇，點知打番屋企一問，屋企人投訴上唔到網就知出事，估計係改咗 dns port 連 lan 內o既 device/PC 都 lookup 唔到 dns，咁即係改 port 方法行唔通。咁唯有上網搵料。上網一查原來呢個係叫做 dns amplification attack，即係不斷咁問 dns server 去解個網址，俾人係咁問，唔識就 forward 去自己個 dns server，再 reply 去目標電腦，jam 到目標無晒反應，做到 DoS，唔係 Disk Operation System，係 denial of service。

搵咗一大輪，又話要 set firewall，加句 iptables 咩咩咩咁，又要係 specify 係 drop 咩網址o既 packet 又成，搞到頭都大，加上呢個攻擊應該係 update 咗，上網都唔多搵到呢個 fkfkfkfz.guru o既資訊，類近網址就搵到o的。最終都係唔成功，礙於第二日要早起返工，唯有暫時放棄唔整住，但個心都係好唔安樂。

第二日，返工嗰時有時間都繼續搵下料。俾我搵到小小線索：原來係 OpenWRT 有個小問題，就係佢個 dnsmasq service default 係會 listen 所有 interface，即係 lan 同 wan o既 dns query 都會應機。頂，有無咁痴線呀，街外 dns query 關你鬼事咩，多餘。咁咪睇下有咩 setting 要整。

/etc/config/dhcp
under
config dnsmasq
加句
list notinterface 'wan'

意思係唔再 listen 來自 wan o既 dns query。叫做成功解決咗問題，router loading 由 3x% 跌番去  less than 10%。好彩 netvigator 無 blacklist 我咋，做咗'助攻'成兩個幾月都唔知道。最衰都係 OpenWRT，佢 dnsmasq default 應該要 list notinterface 'wan'喇，仲要 gui 無得俾人 set，下下要 telnet 入去改 config 檔，大老呀，真係唔係個個識整。故寫下此文，希望有緣人能 search 到，幫到手、用得著。

所以話，久唔久要睇下 log，真係好緊要。同埋，唔好隨便開 server 俾街入到嚟，唔係中咗招都唔知咩事。

OpenWRT pptpd 續集

話說身處海外，係新裝o既寬頻o既環境連返屋企 VPN。
一直都連唔到，error 807。上網搵咗好Q耐，又話被人 block port 1723，又話無 pptp nat passthrough 又話成。頂，我之前都用到。玩幾兩日，又 reboot router，又重裝 pptpd 啲 package。話說自己 ps 睇過都搵唔到個 pptpd 個 process，但係我又打咗十九幾次 /etc/init.d/pptpd start，又 restart 又 enable。無理由未踢著個 service。

點知，俾我搵咗幾耐，有個 blog 介叫人打一下 pptpd。點知，真係得咗。真係佢老味。
記得係 /etc/rc.local 度，係 exit 0 之前加番句 pptpd。咁第日 reboot router 都唔會唔記要手動開個 pptpd 個 service。

特此一  post。

OpenWRT DDNS updater

Although all packages are installed, you have to add the update url manually so that it works.
/usr/lib/ddns/services


"changeip"
"dyndns" "http://[USERNAME]:[PASSWORD]@members.dyndns.org/nic/update?hostname=[DOMAIN]&myip=[IP]&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG"
"dyndnsit"
"no-ip" "http://[USERNAME]:[PASSWORD]@dynupdate.no-ip.com/nic/update?hostname=[DOMAIN]&myip=[IP]"
"ovh"

Done!

OpenWRT and PPTP VPN

opkg update
opkg install pptpd
opkg install kmod-mppe

edit /etc/ppp/options.pptpd
====================
speed 115200
stimeout 10
localip 192.168.1.1
remoteip 192.168.1.200-230
====================


edit /etc/pptpd.conf
====================

lock
debug
name vpn1 #control the usrs allowed
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
#require-mppe-128
ms-dns 192.168.1.1
proxyarp

====================



edit /etc/ppp.chap-secrets
for login and pw

/etc/config/firewall
======================

#modify
config 'defaults'
option 'syn_flood' '1'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'drop_invalid' '1'
option 'forward' 'ACCEPT'


config 'zone'
option 'name' 'wan'
option 'network' 'wan'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'masq' '1'
option 'mtu_fix' '1'

#add

config 'rule'
option '_name' 'pptpvpn'
option 'src' 'wan'
option 'proto' 'tcpudp'
option 'dest_port' '1723'
option 'target' 'ACCEPT'


======================

/etc/init.d/pptpd start
/etc/init.d/pptpd stop
/etc/init.d/pptpd restart
killall pptp