[Dxspider-support] SECURITY MEASURES TO MINIMIZE ATTACKS

Anthony (N2KI) n2ki.ham at gmail.com
Tue Mar 4 11:56:18 GMT 2025 

Mikel,

Can you explain the reason for having bidirectional node connections?  I do
not run my node that way here and never have.

Thanks!




*Regards,Anthony *
*   N2KI*









On Tue, Mar 4, 2025 at 6:33 AM Mikel EA2CW via Dxspider-support <
dxspider-support at tobit.co.uk> wrote:

> Good morning all,
>
> I share your concernings about how information is sometimes too spreaded
> along the list, and after seeing this last weekends situation, I've
> tried to resume the measures which sysops can adopt to minimise the
> impact of attacks.
>
> To avoid the CR\LR cuts of some lines, I'll to attach the original text
> file too.
>
> Here they are. If there is something wrong or not clear enough, please
> correct me.
>
> 73, Mikel
>
>
> ==============================================================================
>
> MINIMUM SECURITY MEASURES TO MINIMIZE ATTACKS TO THE DX CLUSTER NETWORK
>
> First of all, be conscious that these all measures don't depend on the
> software developers nor the users, but only on the nodes sysops.
> It is mainly our responsability to keep the cluster network safe.
>
>
> ==============================================================================
> NOTES:
>      - The "$" shown at the beginning of the command lines is not to be
> included, but just an indication of being logged as sysop and at the
> command prompt of your computer
>      - When some text is enclosed between "<" ">", they don't have to be
> included. It is just to say that some info must be typed.
>        f.i., if you see <callsign>, a callsign (without < >) must be
> typed. It must include the -SSID in case, f.i.: EA2XX-23
>
>
> ==============================================================================
> MEASURES NEEDED: JUST FOUR!
>
> ==============================================================================
> 1.- KEEP YOUR CLUSTER SOFTWARE UPDATED.
>         If new solutions to enforce security are implemented on the new
> node
> software versions, only after updating it they can be enabled.
>
>         Procedure:
>         * Download check_build.pl , from your command prompt and as sysop
> user:
>                 $ wget -q
> https://raw.githubusercontent.com/EA3CV/dxspider_info/main/check_build.pl
>
>         * Move the file to your /spider/local_cmd/ directory:
>                 $ mv check_build.pl /spider/local_cmd/
>
>         * Add to /spider/local_cmd/crontab file the following line to
> check for
> new versions at least once per day, except weekends (don't change
> version during contests):
>                 sysop at spider:~$ nano /spider/local_cmd/crontab
>
>         * Include the following line, changing days and/or hours. The
> following
> one will check for updates from Mon to Fri at 03:18 UTC:
>                 18 03 * * 1,2,3,4,5 spawn('cd /spider/local_cmd; wget -q
> https://raw.githubusercontent.com/EA3CV/dxspider_info/main/check_build.pl
> -O /spider/local_cmd/check_build.pl')
>
>         (You can use https://crontab.guru/ to check your crontab syntax,
> but be aware that dxspider crontab file doesn't follow exactly linux
> cron rules)
>
>
> ==============================================================================
> 2.- CONNECT TO NO MORE THAN 4-6 NODES AND SECURE THESE CONNECTIONS WITH
> PASSWORDS.
>         All the spots are forwarded to all the nodes in the network. There
> is
> no need to have each single spot being received from 30 nodes, and then
> forwarded again by your node to all your partners. This only causes
> unnecessary traffic overload. 4 to 6 partner connections are far enough
> to avoid network problems, giving redundancy enough.
>         On the other hand, a large number of partner nodes could be
> difficult
> to be mantained on good shape. If some of partners stop working, change
> their configurations, etc., the connections will become erroneous, and
> it could also constitute a hole for hackers to come into your system.
>
>      Procedure:
>      * Agree a password with your partner node sysop. It can be the same
> on both senses (your partner connecting you or you connecting your partner
>
>      * At the spider console type: (don't include the symbols < and > on
> the commands or lines)
>                 set/register <partner_call>
>                 set/spider <partner_call>
>                 set/password <partner_call> <password>
>
>         * Then, edit the /spider/connects/<partner_call> (include the
> -SSID if
> it exist) file:
>                 $ sudo nano /spider/connects/<partner_call>
>
>      * Add the following line after the 'ogin:' '<your_node_call>' line:
>         'word:' '<here_your_password>'    # send your password while
> connecting to your partner
>
>
> ==============================================================================
> 3.- DON'T LINK AS PARTNERS TO NODES WHICH:
>         - Are running outdated or deadware (not updated regularly or
> deprecated).
>         - Allow sending spots to all their users without identifying
> themselves.
>         - Are running software versions that doesn't inform of users
> connections and disconnections, deadware or with connections to insecure
> 3rd part nodes.
>         - have connections to other partners with no or poor security
> policies.
> That is, your connection is secured, but your partner connects other
> nodes on an insecure way.
>
>
> ==============================================================================
> 4.- ALLOW SPOTTING FROM YOUR NODE *ONLY* TO REGISTERED USERS.
>     (optionally and better, also ask them for a password to authenticate.)
>
>         Procedure:
>         * Edit your /spider/scripts/startup file:
>                 $ nano /spider/scripts/startup
>
>         * Include the following lines on your /spider/scripts/startup file:
>                 set/var $main::reqreg = 1           # allow sending spots
> to
> registered users only.
>                 set/var $main::passwdreq = 0        # 0: no password
> required just for
> receive spots, required for send spots , 1: password required also for
> login.
>
>         * Then you can register the users from the dxspider console with
> the
> command:
>                 set/register <callsign>
>
>         * If you also want to assign a password to the registered user
> type,
> again from dxspider console:
>                 set/password <callsign> <password>
>
>         * NOTICE: Dont use "set/pass", type the full command
> "set/password" !!!
>
>         * Then, you must send this password to the user by means of
> e-mail,
> whatsapp, telegram, signal or any other more-or-less private way...
>
>
>
> --
> 73 de Mikel Berrocal EA2CW-AE2CW
> Bilbao, Basque Country
> ea2cw at gautxori.com
> https://www.ea2cw.eus
> _______________________________________________
> Dxspider-support mailing list
> Dxspider-support at tobit.co.uk
> https://mailman.tobit.co.uk/mailman/listinfo/dxspider-support
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.tobit.co.uk/pipermail/dxspider-support/attachments/20250304/53d91145/attachment-0001.htm>

More information about the Dxspider-support mailing list