Only accept traffic from known networks.
What if the GPS devices don't have a static IP address?
They more than likely won’t. But I accept (generally) the IP range of my mobile network.
Doesn’t kill off the attack vector. But at least reduces it significantly.
I was also thinking about reducing the attack vector with IP ranges, but then you have the problem with roaming. You will get a new IP address from the foreign country.
Are you in Europe? I’m in NZ. Surrounded by water. I can’t drive to another country. So don’t really have an answer for you if that’s the problem.
I don’t think most (car tracking) devices have any sort of security, let alone a way of passing some authentication data. Maybe higher up ones do. Or the ones that use HTTP or MQTT.
Yes, that is the problem. I am from Central Europe and roaming is very common here. I was thinking about certificates for the GPS devices, but that is not supported with most trackers.
I am just really curious why the protocols don't send some security token or password by design. Probably because of legacy devices?
Most are very cheap and relatively stupid. They don’t even have DNS capability. Needing a fixed IP to work.
But as I said above, I suspect if you pay more for a device you might get access to better features. HTTPS, client certs, authenticated MQTT (basic or cert based).
If those hardware devices exist then I suspect support will be built for them if it doesn’t already exist.
@fhofi
Your assumption seems rather exaggerated.
What's the point? Even if you found out the IMEI number. To send data to a server for a tracker that is not in your account.
Besides that, you would need to know the protocol port to send the correct protocol data to.
By default I change the protocol port.
So first you are gonna figure out my device IMEIs and then search for the protocol port for the specific protocol you are going to send data to?
For a device that you do not have a server account for?
It rather seems a waste of time.
@Track-trace
I get your point, but see it as a form of DDoS attack. Sometimes it is not the goal of the attacker to hack a system and obtain valuable information, but to disturb or corrupt data. Even if you don't have access to the tracker's account, you can still manipulate the GPS data.
Many telecommunication companies have a solution to this. They can provide you with SIM cards that connect directly to your network via VPS. It solves both the problem of non-encrypted communication that some devices have and you can be sure only your devices can connect to the server. I believe it should work cross-border as well, but not 100% sure about that part.
@fhofi
Well, over the years I actually saw a lot of port scanning on all ports of my server. But never saw anyone trying to send device data to any port. Did you?
I get your point, but it is also rather simple to allow or deny all IPs from regions / countries / networks if you are getting paranoid.
I also think it's not a common problem.
@fhofi
Set your server with fail2ban rules and filters:
Currently it is possible for an attacker to enumerate devices and send fake data. All he has to do is to guess the IMEI and send a test packet to the server. As the IMEI consists of the TAC (8 Byte) + SEN (6 Byte) it is fairly easy to enumerate as the TAC is equal among the same device type.
What is the best way to cope with this attack?
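
Added example (not from any post in this thread): a log-side check for the enumeration described in the question, of the kind a fail2ban-style ban could be driven by. It flags a source address that presents several distinct unregistered IMEIs within a short window, so it does not depend on trackers keeping a fixed address while roaming. The log layout, the thresholds, the IMEIs and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: "<timestamp>  WARN: Unknown device - <imei> (<source ip>)"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+WARN: Unknown device - (\d{15}) \(([0-9a-fA-F.:]+)\)"
)

def find_enumerators(lines, max_unknown=3, window=timedelta(minutes=10)):
    """Return {ip: sorted TACs} for sources that presented more than
    max_unknown distinct unregistered IMEIs inside one sliding window."""
    recent = defaultdict(deque)  # ip -> (time, imei) events still inside the window
    flagged = defaultdict(set)   # ip -> TACs (first 8 IMEI digits) being probed
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an unknown-device event
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        imei, ip = m.group(2), m.group(3)
        events = recent[ip]
        events.append((ts, imei))
        while ts - events[0][0] > window:  # drop events older than the window
            events.popleft()
        # Count distinct IMEIs: one unregistered tracker retrying repeats a single IMEI.
        distinct = {i for _, i in events}
        if len(distinct) > max_unknown:
            flagged[ip].update(i[:8] for i in distinct)
    return {ip: sorted(tacs) for ip, tacs in flagged.items()}

# Constructed sample log: one source walking serial numbers under a single TAC,
# and one unregistered tracker retrying with the same IMEI.
SAMPLE_LOG = [
    "2024-05-01 10:00:01  WARN: Unknown device - 350000000000011 (203.0.113.7)",
    "2024-05-01 10:00:02  WARN: Unknown device - 350000000000012 (203.0.113.7)",
    "2024-05-01 10:00:03  WARN: Unknown device - 350000000000013 (203.0.113.7)",
    "2024-05-01 10:00:04  WARN: Unknown device - 350000000000014 (203.0.113.7)",
    "2024-05-01 10:05:00  WARN: Unknown device - 350000000099999 (198.51.100.20)",
    "2024-05-01 10:06:00  WARN: Unknown device - 350000000099999 (198.51.100.20)",
    "2024-05-01 10:07:00  WARN: Unknown device - 350000000099999 (198.51.100.20)",
    "2024-05-01 10:08:00  WARN: Unknown device - 350000000099999 (198.51.100.20)",
]

if __name__ == "__main__":
    for ip, tacs in find_enumerators(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: distinct unknown IMEIs under TAC {', '.join(tacs)}")
```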