
Fort de la Chartreuse

Last summer, I went to visit an abandoned military fort located in Liege, Belgium. Initially intimidated, because there were cops roaming the roads around the place, I soon noticed that it seems to be a popular place, with people walking their dogs, some pseudo-Jamaican local group of youngsters filming some music video, and even some other urbexers. Here’s a bunch of images and some more information.

http://en.wikipedia.org/wiki/Fort_de_la_Chartreuse

Outside view, Aussenansicht

Entrance tunnel, Eingang

Gate gateway, Tor Eingang

Corridor with broken windows, Flur mit kaputten Fenstern

Doorway to rubble, Zugang zu Trümmer

Staircase stairwell stairway, Treppenhaus

Stone pillars, Steinsäulen




Security by IPv6

Well, this is annoying. After setting up my blog and checking out the variety of log files the web server generates, I had to find out that my WordPress instance is subject to a slow but constant brute force attack, trying to weasel its way into the administration interface.

Yeah, this is why we can’t have nice things.

In late September, my Internet service provider finally enabled native IPv6 for all their customers who are using their newest DSL modem. I figured that might be a nice avenue for access control for the next few years.

The advantage of using IPv6 right now is its rather low usage and penetration. This brings a sort of security through obscurity. The majority of end users, whose computers usually make up botnets, are still running IPv4 due to lack of support by their ISPs and also their modem hardware. By restricting access to various parts of a webserver to IPv6 addresses only, you’re essentially taking the wind out of the sails of various attackers.

Additionally, address assignments in IPv6 are purely hierarchical. Starting from continental address registries with their own prefixes, they’re assigning sub-prefixes to service providers who again distribute sub-sub-prefixes to companies and end users. This allows for easy filtering at a continental, as well as service provider level. The chaotic address allocations with IPv4 made it hard to set up such filters, because you had to go out and figure out all the different allotments a certain service provider may use to create a proper whitelist. At least if you’re sitting on a dynamic IP address at home, anyway, and don’t want to lock yourself out occasionally.

The security measures I’ve currently taken on my own dedicated box consist of configuring SSH to listen on IPv6 only (its logfiles are blowing up, too), plus additional ip6tables rules restricting all SSH access to addresses originating from my provider’s network only, blackholing everything else.

ip6tables -P INPUT DROP
...
ip6tables -A INPUT -s 2a02:a000::/26 -p tcp --dport 22 -m state --state NEW -j ACCEPT

Furthermore, I configured Apache to do something similar for various parts of my WordPress blog: for one, it blocks access to the wp-login.php script, and for another, it blocks all of the /wp-admin directory. While this returns 403 errors instead of blackholing the requests, at least no one’s getting to POST any wacky data to the scripts.

<Files wp-login.php>
 Order allow,deny
 Allow from 2a02:a000::/26
</Files>

<Directory /web/tomservoeu/wp-admin>
 Order allow,deny
 Allow from 2a02:a000::/26
</Directory>

As long as IPv6 traffic remains a fraction of the total Internet traffic, there’s a huge barrier to entry to pass. Given how old the IPv6 protocol is right now and what effort and time it took to get initial deployments started, I’d wager there are a few years during which this can act as an effective barrier.

And even if at some point all traffic were IPv6, there’s still an effective filter running, locking access to a single network only, containing the potential pool of botnet zombies a damn lot.

Of course, this doesn’t mean you should stop hardening your servers or installing patches and updates.

Because screw hackers…
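
To confirm from the access log that the Apache rules above really turn away everyone outside the provider prefix, here is an added example (not part of the original post) that flags any request to wp-login.php or /wp-admin from outside 2a02:a000::/26 that did not get a 403. It assumes Apache's common/combined log format; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

ALLOWED = ipaddress.ip_network("2a02:a000::/26")  # prefix from the post's rules
# client ident user [time] "METHOD url proto" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def is_protected(url):
    """True for the paths the post locks down: wp-login.php and /wp-admin."""
    path = url.split("?", 1)[0]
    return (path.endswith("/wp-login.php") or path == "/wp-admin"
            or path.startswith("/wp-admin/"))

def audit(lines):
    """Return (leaks, blocked): requests that got past the ACL from outside
    the prefix, and a count of denied attempts per outside client."""
    leaks, blocked = [], Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, method, url, status = m.groups()
        if not is_protected(url):
            continue
        try:
            inside = ipaddress.ip_address(client) in ALLOWED
        except ValueError:  # a hostname was logged instead of an address
            inside = False
        if inside:
            continue
        if status == "403":
            blocked[client] += 1
        else:
            leaks.append((client, method, url, int(status)))
    return leaks, blocked

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Oct/2013:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 403 210',
    '203.0.113.7 - - [01/Oct/2013:10:00:09 +0200] "POST /wp-login.php HTTP/1.1" 403 210',
    '2a02:a03f:12:3400::1 - - [01/Oct/2013:10:05:00 +0200] "GET /wp-admin/ HTTP/1.1" 200 5120',
    '2001:db8::bad - - [01/Oct/2013:10:06:00 +0200] "GET /wp-admin/admin-ajax.php?action=x HTTP/1.1" 200 12',
    '198.51.100.4 - - [01/Oct/2013:10:07:00 +0200] "GET /2013/09/some-post/ HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    leaks, blocked = audit(SAMPLE)
    print("leaks:", leaks)
    print("blocked:", dict(blocked))
```

A non-empty leaks list means some virtual host, alias or rewrite is serving the admin paths without the restriction; the blocked counter shows which outside sources keep hammering the login script.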


The Eifel

There’s a bunch of boardwalks in a nature reserve not far from here. I figured there’d be some nice motifs. Most of the haul wasn’t that useful, since I didn’t pack the proper primes for the trip, but there were a few winners. All pictures posted were taken with a Canon EOS 6D and a Sigma 35mm/1.4.

fullsize-6954

fullsize-6934

fullsize-6958

When I headed back to the parking, the sun stood just right:

fullsize-7033

Photography and occasional unrelated rants from a guy in rural Belgium.