1 (edited by dank41 2009-02-10 11:59:09)

Topic: help me.....!!! user can bypass chillispot login....

Hi everyone,

I'm using FC8, squid26, the latest chillispot and freeradius117, all on the same machine.

All configuration was working well, but after a few months, when I checked my log messages, there was an unknown MAC that could browse without authentication.

I have loaded firewall.iptables, but he can still browse without logging in.

Here is my firewall.iptables:

====begin======

IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"

#Flush all rules
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

#Set default behaviour
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow related, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 8080 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 8080 --syn -j DROP
#$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#Allow ICMP echo on other interfaces (input).
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP

#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

===end===

my chilli.conf :

====begin=====
pidfile /var/run/chilli.pid
net 192.168.180.0/24
dns1 208.67.222.222
domain key.chillispot.info
radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
radiusauthport 1812
radiusacctport 1813
radiussecret ******
dhcpif eth1
uamserver https://192.168.180.1/uam/hotspotlogin.php
uamsecret ******
======end======

Please help me! How do I fix it?

Re: help me.....!!! user can bypass chillispot login....

Let me just say first off that I'm not a ChilliSpot expert, but I've been using the system for about 2 years now.  Hopefully my input is helpful.

I see your firewall script is the default included with ChilliSpot, except for the PREROUTING lines.  These make sense since you're running your web server on port 8080.  As far as I can tell, this configuration should be preventing all but authenticated users from gaining access.  That is unless there's an issue with your FreeRADIUS configuration.  I know this sounds obvious, but have you tried authenticating from a test client with a bad username and/or password, to check this part of the setup?

One possibility is that your uamsecret password is insecure.  Is it shorter than 16 characters or does it include dictionary words?  This part of a ChilliSpot setup is open to a dictionary attack with an insecure uamsecret password, due to the nature of the CHAP protocol.  (See the ChilliSpot FAQ entry: "http://www.chillispot.info/FAQ.html#mozTocId967226".)  Also, if this password is as short as 6 characters, even if random, it can easily be brute-forced.  It's possible this unauthenticated user has used a dictionary or brute-force attack to determine this password and gain access.  This is just a guess.  I'd recommend using a password greater than 16 characters and preferably random, if you're not already.

Another possibility that came to mind does involve the firewall.  Is your firewall script set up to run on server startup, or do you have to run it manually?  If the latter, it's possible your firewall has opened up due to a server reboot.  Many Linux distros have a default iptables policy that allows all traffic through on the INPUT, OUTPUT & FORWARD chains, and this would be in effect in that case.

Good luck with tracking this down.


Does anyone else see a problem with this configuration that could have let an unauthorized user through?  Another set of eyes would be helpful.

Regards,

Will

Re: help me.....!!! user can bypass chillispot login....

willds wrote:

I see your firewall script is the default included with ChilliSpot, except for the PREROUTING lines.  These make sense since you're running your web server on port 8080.  As far as I can tell, this configuration should be preventing all but authenticated users from gaining access.  That is unless there's an issue with your FreeRADIUS configuration.  I know this sounds obvious, but have you tried authenticating from a test client with a bad username and/or password, to check this part of the setup?

One possibility is that your uamsecret password is insecure.  Is it shorter than 16 characters or does it include dictionary words?  This part of a ChilliSpot setup is open to a dictionary attack with an insecure uamsecret password, due to the nature of the CHAP protocol.  (See the ChilliSpot FAQ entry: "http://www.chillispot.info/FAQ.html#mozTocId967226".)  Also, if this password is as short as 6 characters, even if random, it can easily be brute-forced.  It's possible this unauthenticated user has used a dictionary or brute-force attack to determine this password and gain access.  This is just a guess.  I'd recommend using a password greater than 16 characters and preferably random, if you're not already.

Another possibility that came to mind does involve the firewall.  Is your firewall script set up to run on server startup, or do you have to run it manually?  If the latter, it's possible your firewall has opened up due to a server reboot.  Many Linux distros have a default iptables policy that allows all traffic through on the INPUT, OUTPUT & FORWARD chains, and this would be in effect in that case.

Will

Thanks for your attention and your explanation.

My uamsecret is less than 16 characters. I'll try to change my uamsecret.

About my freeradius: I have checked with a bad user or bad password, but I can't log in.

My firewall runs at startup.

Once again, thanks.

Re: help me.....!!! user can bypass chillispot login....

I have changed my uamsecret, but the client can still get online without logging in.

I'm really confused. How do I fix it?

Is there another solution? Please help me.

Re: help me.....!!! user can bypass chillispot login....

Could it be Apache? What does your httpd.conf look like? Anything in the error logs?

6 (edited by dank41 2009-02-16 11:31:59)

Re: help me.....!!! user can bypass chillispot login....

I'm using the default httpd.conf, and in my httpd log there is nothing unusual except this:

"OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.9 (Fedora) (internal dummy connection)"

And I don't know what that means.

Do I have to change my httpd.conf? What kind of configuration?

Please guide me on how to do that.

Re: help me.....!!! user can bypass chillispot login....

Maybe you have to change the IP of your second interface, eth1 (not eth0, which is for the internet). You might be using a well-known IP block like 192.168.1.1, because if your eth1 is 192.168.1.1 it can easily bypass your billing system: if I configure my PC's IP into the same block as your eth1 IP and specify the gateway as 192.168.1.1 and the DNS server as your ISP's DNS...

Just maybe... who knows... your client accidentally guessed the right IP of your eth1.

Re: help me.....!!! user can bypass chillispot login....

In addition to my posted opinion:

As you said, you are using squid. Try to remove your SQUID as a transparent proxy on your server, because I think users can easily bypass the ChilliSpot login page: if they specify the server's IP address (for example 192.168.182.1) in their browser's HTTP proxy setting along with the port (usually 3128), users do not need to log in to access/browse the internet.

Re: help me.....!!! user can bypass chillispot login....

dannymagat wrote:

Maybe you have to change the IP of your second interface, eth1 (not eth0, which is for the internet). You might be using a well-known IP block like 192.168.1.1, because if your eth1 is 192.168.1.1 it can easily bypass your billing system: if I configure my PC's IP into the same block as your eth1 IP and specify the gateway as 192.168.1.1 and the DNS server as your ISP's DNS...

Just maybe... who knows... your client accidentally guessed the right IP of your eth1.

My eth1 is DHCP, so there is no IP.


dannymagat wrote:

In addition to my posted opinion:

As you said, you are using squid. Try to remove your SQUID as a transparent proxy on your server, because I think users can easily bypass the ChilliSpot login page: if they specify the server's IP address (for example 192.168.182.1) in their browser's HTTP proxy setting along with the port (usually 3128), users do not need to log in to access/browse the internet.

I have tried to put the proxy IP in my browser, but I can't bypass the login page. I have added another rule to firewall.iptables to prevent that route.


Thanks for your opinion.

Is there another way?
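An added audit check, not from any poster in this thread, covering Will's point about distro default policies taking over when the script is not loaded at boot and dannymagat's point about the squid proxy port: it reads the text of "iptables -S" (constructed sample dumps are embedded) and counts the findings. The interface names follow the posted script; the squid port 3128 and the expectation that it is reachable only from loopback are assumptions.

```shell
# Added example, not from any poster in this thread: audit the text of
# "iptables -S" for the failure modes discussed above. Prints findings
# to stderr and the number of findings to stdout (0 = clean).
audit_dump() {
    dump=$1
    findings=0
    # 1. A default INPUT policy of ACCEPT means firewall.iptables was never
    #    loaded after boot (or was flushed) and the distro defaults apply.
    if ! printf '%s\n' "$dump" | grep -q '^-P INPUT DROP$'; then
        echo "FINDING: INPUT policy is not DROP; was firewall.iptables loaded?" >&2
        findings=$((findings + 1))
    fi
    # 2. The posted script fences off the AP interface (eth1) in FORWARD both ways.
    for dir in -i -o; do
        if ! printf '%s\n' "$dump" | grep -q "^-A FORWARD $dir eth1 -j DROP$"; then
            echo "FINDING: missing rule: -A FORWARD $dir eth1 -j DROP" >&2
            findings=$((findings + 1))
        fi
    done
    # 3. Squid's port (3128 assumed, the default named in the thread) must not be
    #    accepted on INPUT except from loopback, or a client that points its
    #    browser proxy at the server walks past the login page.
    if printf '%s\n' "$dump" | grep '^-A INPUT' | grep -- '--dport 3128' \
            | grep 'ACCEPT' | grep -v -- '-i lo' | grep -q .; then
        echo "FINDING: port 3128 accepted on INPUT from non-loopback" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}
# Constructed sample dumps (shape of "iptables -S" output; labels are ours).
# Distro defaults, as seen when the script did not run at startup:
UNLOADED_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
# The thread's script loaded (abridged):
LOADED_DUMP='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j DROP
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth1 -j DROP
-A FORWARD -o eth1 -j DROP'
# Same ruleset plus the squid port opened for everyone:
PROXY_OPEN_DUMP="$LOADED_DUMP
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT"
audit_dump "$UNLOADED_DUMP"   # prints 3
```

On the live box, run it as audit_dump "$(iptables -S)" after every reboot, or from cron, so the silent reopen Will describes is noticed.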