Flashphoner vulnerability issues?

Lee

New Member
Hello:

My flashphoner server was hacked yesterday. This server has only flashphoner and java installed. It's a dedicated server only for this purpose.
Somehow, today a bitcoin mining malware appeared on it. Would like to know if you have some security best practices to apply.
Of course they deleted all logs from server, but all data was intact.
How did they access the server, since I don't have any website (port: 80) on it or other service?
Can the Demo page access the root server?
My configuration: CentOS 7 with java 1.8 with all patches installed.

Thanks

Max

Administrator
Staff member
Good day.
How did they access the server, since I don't have any website (port: 80) on it or other service?
They probably scanned all system ports. If you have the firewall disabled, that can be a problem.
Can the Demo page access the root server?
No, WCS just throws an exception to the server logs if it cannot recognize a received packet. All the media ports are just inactive until a websocket session to 8443 is established. So WCS can be DDoSed at worst, but cannot be penetrated.

To secure WCS server, you should do the following:
1. Change the default password for the WCS web interface admin user to a stronger password
2. If you do not use example applications such as Player by direct links https://wcs:8444/client2/examples/demo/streaming/player/player.html, disable the demo user via CLI
Code:
update user -a false demo
or by editing the database.yml file (requires a restart)
Code:
  demo: {username: demo, password: fe01ce2a7fbac8fafaed7c982a04e229, active: false}
3. Enable and set up firewalld with the typical WCS port ranges
Code:
yum -y install firewalld
# start now and enable at boot so the rules survive a reboot
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --permanent --zone=public --add-port=8888/tcp
firewall-cmd --permanent --zone=public --add-port=8443/tcp
firewall-cmd --permanent --zone=public --add-port=1935/tcp
firewall-cmd --permanent --zone=public --add-port=1935/udp
firewall-cmd --permanent --zone=public --add-port=554/tcp
firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --permanent --zone=public --add-port=8081/tcp
firewall-cmd --permanent --zone=public --add-port=8084/tcp
firewall-cmd --permanent --zone=public --add-port=8082/tcp
firewall-cmd --permanent --zone=public --add-port=8445/tcp
firewall-cmd --permanent --zone=public --add-port=8444/tcp
firewall-cmd --permanent --zone=public --add-port=34001-35000/tcp
firewall-cmd --permanent --zone=public --add-port=30000-33000/udp
firewall-cmd --permanent --zone=public --add-port=30000-33000/tcp
firewall-cmd --reload
or set up iptables
Code:
#!/bin/bash
#
export IPT="iptables"

# External server interface
export WAN=eth0

# Clean all the chains
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Set default policies
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# Allow local loopback traffic
$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

# Allow outgoing connections
$IPT -A OUTPUT -o $WAN -j ACCEPT

# Set up established connections rules
$IPT -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop invalid packets
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP

$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow ping
$IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# SSH
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
# DNS
#$IPT -A INPUT -i $WAN -p udp --dport 53 -j ACCEPT
# NTP
#$IPT -A INPUT -i $WAN -p udp --dport 123 -j ACCEPT

# WCS specific ports
$IPT -A INPUT -p tcp --dport 8888 -j ACCEPT
$IPT -A INPUT -p tcp --dport 8443 -j ACCEPT
$IPT -A INPUT -p tcp --dport 1935 -j ACCEPT
$IPT -A INPUT -p udp --dport 1935 -j ACCEPT
$IPT -A INPUT -p tcp --dport 554 -j ACCEPT
$IPT -A INPUT -p tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -p tcp --dport 8081 -j ACCEPT
$IPT -A INPUT -p tcp --dport 8084 -j ACCEPT
$IPT -A INPUT -p tcp --dport 8082 -j ACCEPT
$IPT -A INPUT -p tcp --dport 8445 -j ACCEPT
$IPT -A INPUT -p tcp --dport 8444 -j ACCEPT
$IPT -A INPUT -p tcp --dport 34001:35000 -j ACCEPT
$IPT -A INPUT -p udp --dport 30000:33000 -j ACCEPT
$IPT -A INPUT -p tcp --dport 30000:33000 -j ACCEPT

$IPT -A INPUT -j DROP
$IPT -A FORWARD -j DROP

# Save the rules to file
/sbin/iptables-save  > /etc/sysconfig/iptables
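As an added example (not Flashphoner's code or tooling): a POSIX shell audit that compares a host's listening sockets, taken from `ss -tulnH`, against the port list opened by the rules above and reports any public listener that is not on it. The `ss` output below is a constructed sample, and the allow-list variables and function names are my own.

```shell
#!/bin/sh
# Added example (not Flashphoner's own tooling): report listening sockets
# that are not covered by the WCS firewall allow-list from the post above.

# Ports the firewall rules above expose (plus SSH); anything else that
# listens on a public address is worth a look.
WCS_ALLOWED="22/tcp 8888/tcp 8443/tcp 1935/tcp 1935/udp 554/tcp 8080/tcp 8081/tcp 8084/tcp 8082/tcp 8445/tcp 8444/tcp"
WCS_RANGES="34001-35000/tcp 30000-33000/udp 30000-33000/tcp"

# Constructed sample of `ss -tulnH` output; pipe real output in to audit a host.
SAMPLE_SS='udp   UNCONN 0 0   0.0.0.0:1935    0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:30500   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:8443    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:8080    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:3333    0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:9000  0.0.0.0:*'

# port_allowed PORT PROTO -> 0 if PORT/PROTO is listed or inside a range, else 1
port_allowed() {
  p=$1; proto=$2
  for e in $WCS_ALLOWED; do
    [ "$e" = "$p/$proto" ] && return 0
  done
  for r in $WCS_RANGES; do
    case "$r" in *"/$proto") ;; *) continue ;; esac
    lo=${r%%-*}; hi=${r#*-}; hi=${hi%%/*}
    [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ] && return 0
  done
  return 1
}

# unexpected_listeners < ss-output -> prints "port/proto" for every listener
# bound to a non-loopback address that is not in the allow-list
unexpected_listeners() {
  while read -r proto state rq sq laddr peer; do
    [ -z "$proto" ] && continue
    addr=${laddr%:*}; port=${laddr##*:}
    case "$addr" in 127.*|"[::1]") continue ;; esac   # loopback-only is skipped
    port_allowed "$port" "$proto" || echo "$port/$proto"
  done
}

# Stand-alone run over the constructed sample; on a real host use:
#   ss -tulnH | unexpected_listeners
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
```

A clean host prints nothing; any line printed is a socket the firewall rules above would not have opened and that should be accounted for.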