JNIOR Internet-Safe Operation

Written by Bruce Cloutier on Jul 7, 2025 4:07 pm

Overview

The JNIOR offers an affordable form of Automation for Control and/or Monitoring. Generally these applications operate safely on a separate network or behind a firewall. There are nevertheless reasons that you would want a JNIOR to have access to the Internet. The ability to update the system clock using the Network Time Protocol (NTP) is one example. The JNIOR might also be configured to issue an email alert under certain conditions, and the email servers are typically remotely hosted. In Monitoring situations, the JNIOR often reports data to servers out on the Internet, in the Cloud.

There are applications where individuals or systems need to connect to services on the JNIOR through the Internet. The most secure way to do this is through a Virtual Private Network (VPN). The application may, however, provide information or services to a more general audience. In these cases the JNIOR is either connected directly to the Internet or made accessible through router port forwarding rules. A fixed Internet Protocol (IP) address is then required so that others can find the JNIOR, and a domain name may be registered with the Domain Name System (DNS) to make that even more convenient. This connectivity does come with a certain level of security concern.

The JNIOR can survive on the open (and hostile) Internet and provide value for its users. This article details the recommended steps for protecting the device under these circumstances. First let’s cover the obvious. Later we will discuss some of the unique features that JNIOR has for dealing with this. 


Strong Passwords

Your greatest line of defense against any attack is to employ good and strong passwords. Composition rules (minimum and maximum length, mixed case, numbers and symbols) matter far less than the following: your password selections must NOT be guessable, which in practice means long and not built from dictionary words, names or the product name; you should not use the same password across many devices; and you certainly should not be sharing the password with others. The PASSWD command is your tool for changing passwords.

The JNIOR does ship with default passwords; those should be changed as soon as possible. The JNIOR also comes with more than one Administrator account enabled. You may change the password for the account that you use, but if you don't alter the others (or disable the accounts) you leave the device at risk. If you are logged in as an Administrator you may use the PASSWD command to change the password for other accounts.

The USERS command lists your account and others on the JNIOR. In addition to changing passwords you may disable an account with the USERMOD +D command. These steps are important if you truly want to lock down your JNIOR.

Note that the HELP command lists all of the available commands.  Issuing a command with the -? option will provide the short form details regarding command syntax.  Entering HELP followed by the command will get you pages from the Users Manual detailing how it is used.

Finally, if you need to share the password, consider creating an account for that purpose and assigning a unique password.  Do not share the password of an Administrator account.  


Limit Access

If you connect the JNIOR to the open Internet so that the general public can connect, you likely do not want to restrict the range of IP addresses allowed, although there is a way to do that if needed. You do need to provide access to the services that you intend to share and restrict the others. For example, with JNIOR you can use SSH (or Telnet) to access command line functions; if your application shares information only through web pages, you probably don't want the world trying to connect via SSH.

In addition to the WebServer, SSH and Telnet, there are also FTP, optional MODBUS, the JANOS Management Protocol (JMP), and the JNIOR Protocol. Each of these can be disabled for the case where the JNIOR is directly connected. Note that Telnet and FTP carry credentials in the clear, so if command line or file access must be exposed at all, expose SSH rather than Telnet. If you are behind a router, your port forwarding should allow connection to only those services that you need to share.

The ports with open servers are displayed with the NETSTAT command. MODBUS can be optionally enabled; it is an application all by itself. The issue with MODBUS is that the base protocol has no authentication at all: login capability is an extension that is not widely implemented. MODBUS should not be enabled if the product will be open to the Internet.


Bot Repellent

Unique to JNIOR is the ability to thwart bots. Most malicious code is spread through the action of these bots. There is a constant background of third parties attempting to locate systems and then trying to log in. While most systems are content to let your passwords protect them, this malicious activity consumes valuable system resources. It clogs the connection tables and increases the risk that a legitimate user has difficulty with access. And where cryptography is involved, the computational requirement slows processing and impacts performance.

Experience has shown that if you connect a device with a never before used IP address, a malicious actor will likely start making attempts to access it within 15 minutes. The NETSTAT -S command provides a network sniffer function with which you can witness this activity yourself from the JNIOR command line.

There is a background level of connection requests, about 5 to 10 per minute, each attempting to locate a server at any of the 65,535 TCP ports. When the remote client strikes an open port the JNIOR responds (with a SYN-ACK) in an attempt to complete the connection. Often the connection is then refused by the client with a reset. We have named this procedure "Probing": the client attempts the connection only to solicit a single packet response, then declines to complete the handshake (port scanners call this a half-open or SYN scan). Presumably your IP address and the open port are then added to a list and sold. This is valuable information for bots then working the actual attack.

On the JNIOR about 95 to 98% of this activity can be blocked. This takes advantage of the fact that these probing algorithms do not retry connections, whereas a legitimate TCP client retransmits an unanswered SYN. By making the following registry setting you can make your device invisible to the majority of these bad actors.

IpConfig/Greylisting = enabled

In this mode, the remote client's first request is silently dropped: no response of any kind is returned, not even the ICMP "Port Unreachable" message that would normally answer a probe to a closed UDP port. The client must retry, as the TCP/IP specifications require, in order to proceed. Most probers do not. With this engaged, the JNIOR might go an hour or more without having to service a malicious connection. Meanwhile there is no apparent impact on normal connections: a standard TCP stack retransmits an unanswered SYN after about one second, so a legitimate client is merely delayed by that much on its first contact.
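The behaviour just described, as an added model (illustrative code, not the JANOS implementation): a first-contact filter that drops the first SYN from an unseen source and admits a retry that arrives within a window. The retry window (10 s) and the trust lifetime (1 h) are assumptions, and the packet trace is constructed: 97 one-shot probers, one scanner that does retry, and two legitimate clients whose stacks retransmit at +1 s and +3 s.

```python
"""Model of first-contact greylisting, added to illustrate the behaviour
described for IpConfig/Greylisting. This is not JANOS code: the retry
window and trust lifetime are assumptions, and the packet trace is
constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Syn:
    t: float    # seconds since start of the trace
    src: str    # source IP address
    dport: int  # destination TCP port


class Greylist:
    """Silently drop the first SYN from an unseen source and admit a retry
    that arrives within retry_window seconds. A conforming TCP client
    retransmits an unanswered SYN (RFC 6298: initial RTO of 1 s, doubling),
    so it gets through on its second or third attempt; one-shot probers
    never do."""

    def __init__(self, enabled: bool = True, retry_window: float = 10.0,
                 trust_ttl: float = 3600.0):
        self.enabled = enabled
        self.retry_window = retry_window  # assumption: how long a first contact is remembered
        self.trust_ttl = trust_ttl        # assumption: how long a retrying source stays admitted
        self.first_seen: Dict[str, float] = {}
        self.trusted: Dict[str, float] = {}

    def admit(self, pkt: Syn) -> bool:
        """Return True if the SYN should be answered, False if dropped."""
        if not self.enabled:
            return True
        admitted_at = self.trusted.get(pkt.src)
        if admitted_at is not None:
            if pkt.t - admitted_at <= self.trust_ttl:
                return True
            del self.trusted[pkt.src]          # trust expired; start over
        seen = self.first_seen.get(pkt.src)
        if seen is None or pkt.t - seen > self.retry_window:
            self.first_seen[pkt.src] = pkt.t   # first contact: drop, no reply
            return False
        del self.first_seen[pkt.src]
        self.trusted[pkt.src] = pkt.t          # retried in time: now admitted
        return True


LEGIT_PREFIX = "192.0.2."  # the constructed legitimate clients live here


def build_trace() -> List[Syn]:
    """Constructed trace: 97 one-shot probers, one scanner that retries,
    and two legitimate clients whose stacks retransmit SYN at +1 s and +3 s."""
    trace: List[Syn] = []
    for i in range(97):
        trace.append(Syn(t=6.0 * i, src=f"203.0.113.{i + 1}", dport=22))
    trace.append(Syn(t=5.0, src="198.51.100.7", dport=80))
    trace.append(Syn(t=7.0, src="198.51.100.7", dport=80))
    for base, src in ((100.0, "192.0.2.10"), (300.0, "192.0.2.20")):
        for delta in (0.0, 1.0, 3.0):
            trace.append(Syn(t=base + delta, src=src, dport=80))
    return sorted(trace, key=lambda p: p.t)


def evaluate(enabled: bool = True) -> Dict[str, int]:
    """Run the trace through the filter and count which sources got an answer."""
    gl = Greylist(enabled=enabled)
    probers, probers_admitted, legit, legit_admitted = set(), set(), set(), set()
    for pkt in build_trace():
        is_legit = pkt.src.startswith(LEGIT_PREFIX)
        (legit if is_legit else probers).add(pkt.src)
        if gl.admit(pkt):
            (legit_admitted if is_legit else probers_admitted).add(pkt.src)
    return {
        "prober_sources": len(probers),
        "prober_sources_admitted": len(probers_admitted),
        "legit_sources": len(legit),
        "legit_sources_admitted": len(legit_admitted),
    }


if __name__ == "__main__":
    for enabled in (False, True):
        state = "enabled" if enabled else "disabled"
        print(f"greylisting={state}:", evaluate(enabled))
```

Run it and compare the two summaries: with the filter off all 98 probing sources receive an answer; with it on, only the one that retried does, while both legitimate clients still connect on their first retransmission. That retrying scanner is the small residue the Blacklisting section deals with.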

The PING function that is typically built into most TCP/IP stacks is also used for Probing.  We recommend, also for security reasons, that this be disabled with the following registry setting.

IpConfig/PingReply = disabled

It makes sense to prevent your IP address from being discovered for malicious use.

A note for those who use the Windows or Linux route-tracing commands: originally those tools relied on PING (ICMP Echo) and the corresponding response to recognize the final hop between client and server. As more and more servers disable the PING response, Linux traceroute defaults to UDP probes and recognizes the destination by the "Port Unreachable" ICMP response it returns (Windows tracert still uses ICMP Echo). We mentioned above that the JNIOR does not provide this ICMP message. That is not entirely true: we do detect the trace route case and do send the reply in support of those tools. We understand the value in this diagnostic.


Blacklisting

Even with the aforementioned Greylisting enabled, a small percentage of malicious connection attempts will be established. The JNIOR detects random login attempts and other nefarious actions and logs them. Entries are made in the jniorsys.log, access.log and web.log files as appropriate. You may monitor these files to discover any particularly irritating IP addresses.

IP addresses may be Blacklisted. You can define a Blacklist file containing IP addresses, one per line. The file name is arbitrary, but here we establish a list in the file nblst.txt.

IpConfig/Blacklist = /flash/nblst.txt

In this case the JNIOR will ingest the file and ignore packets from the listed IP addresses; the JNIOR becomes invisible to clients with matching addresses. You may edit this file at any time. Once it is saved, the system rereads it and continues with the new set. The NETSTAT -B command displays the active list sorted by IP address. The -B2 option displays the active list sorted by decreasing blocking counts; each blocked packet is tallied, so you can see which addresses are most active. Finally, -B3 provides the list sorted by the timestamp of the last blocked packet from each address, which you can use to decide whether a malicious client has gone away. Note that each line in the blacklist file must start with the IP address (or a '#' character for a comment); the rest of the line may contain other information, such as when and why the address was added.

* Note that active blacklist statistics such as the count and timestamp are lost when the unit reboots.


Automation

The JNIOR is an Automation device and, well, why not automate the blacklisting? We have written an application that scans the appropriate LOG files for new entries every few minutes. It then manages the blacklist file, updating it when new addresses are identified. The system detects the change and the actor is quickly blacklisted, often midstream in some exchange. Hopefully this causes the bot some headache.

Details of the implementation are beyond the scope of this article. If this interests you, contact support and we can share the program code with you. We want to encourage users to program their own applications and we will assist you. This is an unprecedented level of technical support that we provide.
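The blacklist file format given in the Blacklisting section and the log-scanning automation described above, as one added example. This is illustrative code written for this page, not the support program the article mentions (which runs on the JNIOR itself); it is an off-device Python script that reads log text, counts failed logins per address, and appends new offenders to a blacklist in the stated format (IP address first on each line, '#' for comments, the rest of the line free text). The wording of a failed-login entry and the timestamp layout are assumptions to be checked against the real jniorsys.log, access.log and web.log; the sample log and the existing blacklist are constructed.

```python
"""Added example, not the support program the article mentions: an off-device
script that scans JNIOR log text for repeated login failures and maintains a
blacklist file in the format the article gives (IP address first on each
line, '#' for comments, rest of the line free). The log wording and timestamp
layout are assumptions; the sample log and blacklist are constructed."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Assumed wording of a failed login in jniorsys.log / access.log / web.log.
# Check the real files and adjust the phrases before deploying.
FAIL_RE = re.compile(
    r"(?i)\b(?:login failed|authentication failed|invalid user)\b"
    r".*?(\d{1,3}(?:\.\d{1,3}){3})"
)
THRESHOLD = 3  # failures from one address before it is blacklisted

# Addresses never blacklisted: RFC 1918, loopback and link-local ranges, so a
# mistyped password on the LAN cannot lock out the local network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

SAMPLE_LOG = """\
07/07/25 09:14:02.115, Telnet login failed for user admin from 203.0.113.45
07/07/25 09:14:05.902, Telnet login failed for user root from 203.0.113.45
07/07/25 09:14:09.331, Telnet login failed for user jnior from 203.0.113.45
07/07/25 09:20:17.004, SSH login failed for user pi from 198.51.100.23
07/07/25 09:31:40.771, Web login failed for user admin from 192.168.1.20
07/07/25 09:31:44.118, Web login failed for user admin from 192.168.1.20
07/07/25 09:31:47.562, Web login failed for user admin from 192.168.1.20
07/07/25 09:45:00.000, NTP time synchronized
"""

EXISTING_BLACKLIST = """\
# /flash/nblst.txt - one address per line, IP first, rest of line is free text
203.0.113.9   added 06/30/25, 41 failed logins
"""


def parse_blacklist(text: str) -> Dict[str, str]:
    """Map each listed IP address to its full line; comments are skipped."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            entries[str(ipaddress.ip_address(stripped.split()[0]))] = line
        except ValueError:
            pass  # not an address: ignored here, left untouched in the file
    return entries


def is_local(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in LOCAL_NETS)


def offenders(log_text: str, threshold: int = THRESHOLD) -> List[str]:
    """Public addresses with at least `threshold` failed logins, sorted."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed octets, not a real address
        if is_local(ip):
            continue
        hits[str(ip)] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def update_blacklist(existing: str, log_text: str, stamp: str) -> str:
    """Append a line for each new offender; existing lines are never altered,
    so the notes already in the file survive and the update is idempotent."""
    listed = parse_blacklist(existing)
    new_lines = [
        f"{ip}   added {stamp}, {THRESHOLD}+ failed logins"
        for ip in offenders(log_text) if ip not in listed
    ]
    if not new_lines:
        return existing
    body = existing if existing.endswith("\n") else existing + "\n"
    return body + "\n".join(new_lines) + "\n"


if __name__ == "__main__":
    # On a real deployment: fetch the logs, then write the result to the file
    # named in IpConfig/Blacklist; the JNIOR rereads it when it is saved.
    print(update_blacklist(EXISTING_BLACKLIST, SAMPLE_LOG, "07/07/25"), end="")
```

In the constructed sample, 203.0.113.45 crosses the threshold and is appended, 198.51.100.23 has only one failure and is left alone, and 192.168.1.20 is excluded as a LAN address despite three failures. Because the JNIOR rereads the file on save, writing the returned text back to the path named in IpConfig/Blacklist is all the automation has to do; the counts and timestamps NETSTAT -B reports are then the device's own.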


Summary

An Automation device providing control functions needs to be secure. And while it may make little sense to assign a public Internet IP address to a JNIOR, providing bi-directional Internet connectivity through port forwarding can be useful. This must be done carefully. It is important to know that it can be done securely with the JNIOR. If this is something that you need to do and you are concerned about it, contact support for assistance.

For us there was a reason to directly connect the product. We have two JNIORs out there directly connected to Internet IP addresses, and configured as we have discussed here. We've used these units to harden JANOS, our operating system. You can experience one of those units yourself at http://honeypot.integpg.com. For questions and further discussion feel free to contact the author.

Bruce Cloutier

