Securing D-Star Port 40000
From KJ4BYI D-Star Wiki
By default the ICOM D-Star gateway's port 40000 accepts traffic from any IP address and then processes it. This has been a known security bug for a long time; however, until recently nobody took the time to secure it, and even the new release of the G2.2 software doesn't secure the port.
There are several methods of securing the port.
1) Manually editing/updating the iptables entries to restrict access to port 40000
2) Using Robin Cutshaw's (AA4RC) dsesc software (closed source, available via the D-Star Admins Yahoo Group)
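Method 1 is only named above, so here is an added example (not from this wiki or its author) of one way to do it on the gateway host itself: a dedicated iptables chain that accepts UDP/40000 only from a fixed list of trusted gateway addresses, logs (rate-limited) anything else, then drops it. The chain name DSTAR_40000, the helper names, and the sample addresses (RFC 5737 documentation ranges) are assumptions; substitute the real gateway IPs you trust. Each address is validated before a rule is built for it, so a typo in the list cannot turn into a malformed rule.

```shell
#!/bin/sh
# Added example (not from the KJ4BYI wiki): lock UDP/40000 on the gateway host
# to a fixed set of trusted D-Star gateway IPs with iptables.
# Assumptions: the chain name DSTAR_40000 and the sample addresses below are
# made up; 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
TRUSTED_GWS="${TRUSTED_GWS:-192.0.2.10 198.51.100.20}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = run them (needs root)

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255,
# so a bad entry in the trusted list never becomes a malformed rule.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# build_rules CHAIN ADDR...: print the iptables commands, one per line.
# Order matters: per-gateway ACCEPTs first, then a rate-limited LOG, then DROP.
build_rules() {
  chain=$1; shift
  echo "iptables -N $chain 2>/dev/null || true"
  echo "iptables -F $chain"
  for gw in "$@"; do
    if is_ipv4 "$gw"; then
      echo "iptables -A $chain -s $gw -p udp --dport 40000 -j ACCEPT"
    else
      echo "skipping invalid gateway address: $gw" >&2
    fi
  done
  echo "iptables -A $chain -p udp --dport 40000 -m limit --limit 5/min -j LOG --log-prefix \"badgw: \""
  echo "iptables -A $chain -p udp --dport 40000 -j DROP"
  # Hook the chain into INPUT; the -C check avoids adding a duplicate jump on re-runs.
  echo "iptables -C INPUT -p udp --dport 40000 -j $chain 2>/dev/null || iptables -I INPUT -p udp --dport 40000 -j $chain"
}

# apply_rules: read commands on stdin; print them (DRY_RUN=1) or execute them.
apply_rules() {
  if [ "$DRY_RUN" = 1 ]; then cat; else sh -e; fi
}

# Preview by default; run as root with DRY_RUN=0 to install the rules.
build_rules DSTAR_40000 $TRUSTED_GWS | apply_rules
```

Run it once with the default DRY_RUN=1 to read the generated commands, then with DRY_RUN=0 as root to apply them. Because the jump is inserted at the top of INPUT, any broader accept rule already in INPUT cannot let unlisted sources reach port 40000 ahead of this chain.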
If you are using a router running RouterOS, you can use some scripts I have developed that will automatically add/delete IP addresses in an address list on your RouterOS firewall.
RouterOS Add IP Script
RouterOS Del IP Script
You can download this complete package from: Link
Please note: you must define the following firewall rules on your MikroTik (RouterOS) router:
; The first two entries mark the source of bad packets into a list for 30 minutes (you may add additional rules for additional ports)
0 chain=forward action=add-src-to-address-list dst-address=10.0.0.2 src-address-list=!gw_addr address-list=bad_gw_ip address-list-timeout=30m dst-port=40000 protocol=udp
1 chain=input action=add-src-to-address-list src-address-list=!gw_addr address-list=bad_gw_ip address-list-timeout=30m dst-port=22 protocol=tcp
; The next entry just makes a "Log Entry"; this one can be deleted.
2 chain=forward action=log dst-address=10.0.0.2 src-address-list=!gw_addr dst-port=40000 protocol=udp log-prefix="badgw"
; This entry only allows traffic from a GW listed in the gw_addr list into port 40000
3 chain=forward action=drop dst-address=10.0.0.2 src-address-list=!gw_addr dst-port=40000 protocol=udp
; These entries block any/all traffic to your GW from any IP that took the bait on rules 0 & 1
; Note: rule 4 allows SSH access in case you accidentally tripped your own trap.
4 chain=forward action=drop src-address-list=bad_gw_ip dst-port=!<SSHPORT> protocol=tcp
5 chain=forward action=drop src-address-list=bad_gw_ip
6 chain=input action=drop src-address-list=bad_gw_ip protocol=icmp
; Don't forget to have default accept rules for just the ports you want; don't use the any/any method.
; Also, only allow SSH traffic from your trusted networks. Don't use 0.0.0.0/0; that is not a trusted network!
Make sure the src-address-list you define matches the list name used in your scripts. RouterOS evaluates rules top to bottom, so keep the order shown; note that rule 5 drops all remaining traffic from bad_gw_ip, SSH included, so the SSH exception in rule 4 only helps if an accept rule for your trusted admin network sits above rule 5.
