Gentoo Forums
SSH connections getting through
binro
l33t

Joined: 06 May 2005
Posts: 742
Location: Bangkok

PostPosted: Thu Mar 23, 2006 3:08 pm    Post subject: SSH connections getting through

I am getting the following messages in my syslog:

    Mar 23 02:07:53 opal sshd[26492]: refused connect from 1001@148.235.36.85 (148.235.36.85)
    Mar 23 02:20:42 opal sshd[27199]: refused connect from 213.205.146.22 (213.205.146.22)
    Mar 23 02:27:55 opal sshd[27578]: refused connect from 213.205.146.22 (213.205.146.22)

The addresses are not in /etc/hosts.allow, so they are getting rejected. What puzzles me is that I use iptables and port 22 is not open, so I would not expect the packets to get through at all. I use nulog to analyze my netfilter messages and a search shows no packets arriving for port 22. My iptables rules are listed below:

    # Generated by iptables-save v1.3.5 on Mon Mar 20 15:27:38 2006
    *mangle
    :PREROUTING ACCEPT [160500052:112409973595]
    :INPUT ACCEPT [160467402:112396552720]
    :FORWARD ACCEPT [13305:12215637]
    :OUTPUT ACCEPT [180056242:122932182611]
    :POSTROUTING ACCEPT [210063235:123546546129]
    COMMIT
    # Completed on Mon Mar 20 15:27:38 2006
    # Generated by iptables-save v1.3.5 on Mon Mar 20 15:27:38 2006
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [4329:892380]
    :OUTPUT ACCEPT [180026293:122899508491]
    :block - [0:0]
    [160399888:112340360347] -A INPUT -j block
    [0:0] -A FORWARD -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    [0:0] -A FORWARD -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
    [0:0] -A FORWARD -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
    [8976:11323257] -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    [199553:9942200] -A block -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 5/sec -j ACCEPT
    [152151422:111867106641] -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
    [264545:15612817] -A block -s 127.0.0.1 -j ACCEPT
    [71703:6859112] -A block -s 192.168.0.0/255.255.0.0 -j ACCEPT
    [13664:806838] -A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT
    [1097:75394] -A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
    [354:15694] -A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 110 -j ACCEPT
    [0:0] -A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 389 -j ACCEPT
    [35:1880] -A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
    -A block -p udp -m state --state NEW,ESTABLISHED -m udp --dport 4444 -j ACCEPT
    [6449322:326933061] -A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 55000:55009 -j ACCEPT
    [323491:21730340] -A block -j ULOG --ulog-prefix "netfilter"
    [1142710:103813985] -A block -j DROP
    COMMIT
    # Completed on Mon Mar 20 15:27:38 2006
    # Generated by iptables-save v1.3.5 on Mon Mar 20 15:27:38 2006
    *nat
    :PREROUTING ACCEPT [517845:29223903]
    :POSTROUTING ACCEPT [670971:37507998]
    :OUTPUT ACCEPT [670922:37504675]
    [4:260] -A POSTROUTING -s 192.168.2.0/255.255.255.0 -j MASQUERADE
    COMMIT
    # Completed on Mon Mar 20 15:27:38 2006


Any comments appreciated.
_________________
"Ship me somewheres east of Suez, where the best is like the worst,
Where there ain't no Ten Commandments an' a man can raise a thirst"
from "Mandalay" by Rudyard Kipling
morodoch
Guru

Joined: 22 Sep 2005
Posts: 523
Location: England

PostPosted: Fri Mar 24, 2006 8:12 am    Post subject:

I'm not familiar with the output of the iptables-save command; this command should produce more human-readable output:

Code:
iptables -L -n -v


However, I'm guessing that these lines may have something to do with it:

Quote:
:PREROUTING ACCEPT [160500052:112409973595]
:INPUT ACCEPT [160467402:112396552720]
:FORWARD ACCEPT [13305:12215637]
:OUTPUT ACCEPT [180056242:122932182611]
:POSTROUTING ACCEPT [210063235:123546546129]


The default policy for INPUT and FORWARD is ACCEPT, which means that if a packet doesn't match any of these rules, it'll be accepted. Try these commands and see if it makes any difference:

Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP

_________________
Well, the Sister was right. You boys could use a little churching up. Slide on down to the Triple Rock, and catch Rev. Cleophus. You boys listen to what he's got to say.

-- Curtis
ASID
Apprentice

Joined: 22 Mar 2006
Posts: 195

PostPosted: Fri Mar 24, 2006 8:30 am    Post subject:

I believe your default strategy is to allow INPUT traffic unless you block some ports. A good firewall should be the other way round: you should block all INPUT traffic unless you want some ports open for your services. You should set:
Code:
iptables -t filter -P INPUT DROP

With this, you set as default to drop any INPUT traffic.
binro
l33t

Joined: 06 May 2005
Posts: 742
Location: Bangkok

PostPosted: Fri Mar 24, 2006 8:45 am    Post subject:

Thanks for the tip. I changed the default policy as you suggested and iptables output is now:

    opal linux # iptables -L -n -v
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    164M 116G block all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy DROP 4329 packets, 892K bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21 state NEW,ESTABLISHED
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 dpts:1024:65535 state RELATED,ESTABLISHED
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
    8976 11M ACCEPT all -- eth0 tun0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

    Chain OUTPUT (policy ACCEPT 183M packets, 127G bytes)
    pkts bytes target prot opt in out source destination

    Chain block (1 references)
    pkts bytes target prot opt in out source destination
    265K 13M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 5/sec burst 5
    155M 116G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    266K 16M ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
    73871 6972K ACCEPT all -- * * 192.168.0.0/16 0.0.0.0/0
    13666 807K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:25
    1103 75634 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:80
    354 15694 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:110
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:389
    35 1880 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:443
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED udp dpt:4444
    6450K 327M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpts:55000:55009
    330K 22M ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `netfilter' queue_threshold 1
    1149K 104M DROP all -- * * 0.0.0.0/0 0.0.0.0/0


It doesn't seem to have caused any harm, so I shall wait to see if it catches any miscreants!

Cheers.
_________________
"Ship me somewheres east of Suez, where the best is like the worst,
Where there ain't no Ten Commandments an' a man can raise a thirst"
from "Mandalay" by Rudyard Kipling
binro
l33t

Joined: 06 May 2005
Posts: 742
Location: Bangkok

PostPosted: Mon Mar 27, 2006 11:11 am    Post subject:

Hmm, I am doing something very stupid here. I logged on via dial-up and used nmap against my domain, and I am not stopping anything! My tables are derived from the standard HOWTO, but I must have borked something somewhere along the line. Here is the iptables output again, and I must say it looks logical to me:
Code:

opal ~ # iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 174M  133G block      all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 4329 packets, 892K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp spt:ftp dpts:1024:65535 state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
 8976   11M ACCEPT     all  --  eth0   tun0    anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 194M packets, 133G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain block (1 references)
 pkts bytes target     prot opt in     out     source               destination
 356K   18M ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 5/sec burst 5
 166M  133G ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
 285K   17M ACCEPT     all  --  any    any     localhost.localdomain  anywhere
75010 7013K ACCEPT     all  --  any    any     192.168.0.0/16       anywhere
13668  807K ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW,ESTABLISHED tcp dpt:smtp
 1109 75906 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW,ESTABLISHED tcp dpt:http
  355 15738 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW,ESTABLISHED tcp dpt:pop3
    3   148 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW,ESTABLISHED tcp dpt:ldap
   36  1940 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW,ESTABLISHED tcp dpt:https
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW,ESTABLISHED udp dpt:krb524
6451K  327M ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW,ESTABLISHED tcp dpts:55000:55009
 337K   23M ULOG       all  --  any    any     anywhere             anywhere            ULOG copy_range 0 nlgroup 1 prefix `netfilter' queue_threshold 1
1156K  105M DROP       all  --  any    any     anywhere             anywhere


Help!
_________________
"Ship me somewheres east of Suez, where the best is like the worst,
Where there ain't no Ten Commandments an' a man can raise a thirst"
from "Mandalay" by Rudyard Kipling
ASID
Apprentice

Joined: 22 Mar 2006
Posts: 195

PostPosted: Mon Mar 27, 2006 11:47 am    Post subject:

First of all you shouldn't panic 8)
What was the result of the scan? Did you see port 22 open? Did you set the default rules for INPUT to DROP? Did you make sure that you set this in the correct position so that no other rule bypasses it?

Also, if you could provide us with the script for your firewall we would be more helpful.
binro
l33t

Joined: 06 May 2005
Posts: 742
Location: Bangkok

PostPosted: Mon Mar 27, 2006 1:21 pm    Post subject:

No panic, /etc/hosts.allow is keeping them out. Yes, I changed the default policy to DROP; you can see that at the top of the chain definitions. nmap showed the ports for all the active services open, including 22. I don't have a script; I use the /etc/init.d/iptables service, which reads /var/lib/iptables/rules.save and effectively issues an iptables command against each line. Here is the output of iptables-save, which might be easier to read:
Code:

opal ~ # iptables-save
# Generated by iptables-save v1.3.5 on Mon Mar 27 19:54:02 2006
*nat
:PREROUTING ACCEPT [670283:37326261]
:POSTROUTING ACCEPT [843626:48033093]
:OUTPUT ACCEPT [843577:48029770]
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Mon Mar 27 19:54:02 2006
# Generated by iptables-save v1.3.5 on Mon Mar 27 19:54:02 2006
*filter
:INPUT DROP [0:0]
:FORWARD DROP [4329:892380]
:OUTPUT ACCEPT [194514623:132901943717]
:block - [0:0]
-A INPUT -j block
-A FORWARD -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 5/sec -j ACCEPT
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -s 127.0.0.1 -j ACCEPT
-A block -s 192.168.0.0/255.255.0.0 -j ACCEPT
-A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT
-A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 110 -j ACCEPT
-A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 389 -j ACCEPT
-A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A block -p udp -m state --state NEW,ESTABLISHED -m udp --dport 4444 -j ACCEPT
-A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 55000:55009 -j ACCEPT
-A block -j ULOG --ulog-prefix "netfilter"
-A block -j DROP
COMMIT
# Completed on Mon Mar 27 19:54:02 2006
# Generated by iptables-save v1.3.5 on Mon Mar 27 19:54:02 2006
*mangle
:PREROUTING ACCEPT [174401991:133507937670]
:INPUT ACCEPT [174369302:133494513378]
:FORWARD ACCEPT [13305:12215637]
:OUTPUT ACCEPT [194544574:132934619340]
:POSTROUTING ACCEPT [224551713:133548988706]
COMMIT
# Completed on Mon Mar 27 19:54:02 2006


Any packet for INPUT or FORWARD should drop through to the block table and, if it is not matched, gets logged and dropped.
HTH
_________________
"Ship me somewheres east of Suez, where the best is like the worst,
Where there ain't no Ten Commandments an' a man can raise a thirst"
from "Mandalay" by Rudyard Kipling
ASID
Apprentice

Joined: 22 Mar 2006
Posts: 195

PostPosted: Mon Mar 27, 2006 2:28 pm    Post subject:

Weird! Everything looks good. Try adding a rule to block port 22 and test again. If this fails then your firewall is not running.
binro
l33t

Joined: 06 May 2005
Posts: 742
Location: Bangkok

PostPosted: Mon Mar 27, 2006 2:42 pm    Post subject:

Ok, I found the problem by comparison with a machine that I have not been improving! The problem rule is:
Code:

-A block -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 5/sec -j ACCEPT


which is supposed to stop SYN floods. Any attempt which sends more than 5 packets per second is accepted, which is not what you want. I have deleted it, although perhaps it should just be changed to DROP.

Thanks for the suggestions. :D
_________________
"Ship me somewheres east of Suez, where the best is like the worst,
Where there ain't no Ten Commandments an' a man can raise a thirst"
from "Mandalay" by Rudyard Kipling
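The rule-ordering problem this post found can be reproduced without a kernel. The following is an added example, not code from the thread or from any netfilter project: a small Python model of first-match chain traversal with a token-bucket `-m limit` (iptables' default `--limit-burst` is 5), run over a reduced copy of the poster's `block` chain (the SYN-limit rule, the RELATED,ESTABLISHED rule, the port 25 and 80 ACCEPTs, and the final DROP). The sub-chain name `syn_flood`, the packets and the timings are all constructed for the example.

```python
"""Model why `-A block -p tcp --syn -m limit --limit 5/sec -j ACCEPT` opens every port.

Added example, not the thread's or iptables' code. A chain is a list of rules checked
top to bottom; the first matching ACCEPT/DROP decides, RETURN leaves a sub-chain and
a rule whose target is a chain name jumps into it. Everything below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str           # "tcp" or "udp"
    dport: int
    syn: bool = True     # a new connection attempt: SYN set, ACK/FIN/RST clear
    state: str = "NEW"   # conntrack state as `-m state` would see it


class Limit:
    """Token bucket equivalent to `-m limit --limit <rate>/sec --limit-burst <burst>`."""

    def __init__(self, rate, burst=5):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def match(self, now):
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


@dataclass
class Rule:
    target: str                # "ACCEPT", "DROP", "RETURN" or the name of a chain to jump to
    proto: str = None
    dport: int = None
    syn: bool = None
    states: tuple = None
    limit: Limit = None

    def matches(self, pkt, now):
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.syn is not None and pkt.syn != self.syn:
            return False
        if self.states and pkt.state not in self.states:
            return False
        if self.limit and not self.limit.match(now):   # limit only matches while tokens remain
            return False
        return True


def traverse(chains, name, pkt, now):
    """Walk chain `name`; return ACCEPT/DROP, or None if the packet falls off the end (or RETURNs)."""
    for rule in chains[name]:
        if not rule.matches(pkt, now):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = traverse(chains, rule.target, pkt, now)   # jump into a user chain
        if verdict is not None:
            return verdict
    return None


def verdict(chains, pkt, now=0.0, policy="DROP"):
    """Verdict for a packet entering INPUT under a DROP policy, as the poster configured."""
    return traverse(chains, "INPUT", pkt, now) or policy


def service_rules():
    # Reduced copy of the poster's block chain, in iptables-save order.
    return [Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
            Rule("ACCEPT", proto="tcp", dport=25, states=("NEW", "ESTABLISHED")),
            Rule("ACCEPT", proto="tcp", dport=80, states=("NEW", "ESTABLISHED")),
            Rule("DROP")]


def original_chains():
    # As on the page: the SYN-limit rule comes first and its target is ACCEPT.
    return {"INPUT": [Rule("block")],
            "block": [Rule("ACCEPT", proto="tcp", syn=True, limit=Limit(5))] + service_rules()}


def fixed_chains():
    # Inverted logic (constructed sub-chain `syn_flood`): SYNs within the limit RETURN to the
    # service rules, SYNs above the limit are dropped, so the limit never grants access by itself.
    return {"INPUT": [Rule("block")],
            "block": [Rule("syn_flood", proto="tcp", syn=True)] + service_rules(),
            "syn_flood": [Rule("RETURN", limit=Limit(5)), Rule("DROP")]}


def demo():
    results = {
        "original_ssh": verdict(original_chains(), Packet("tcp", 22)),   # ACCEPT: limit rule fires first
        "fixed_ssh": verdict(fixed_chains(), Packet("tcp", 22)),         # DROP: no service rule for 22
        "fixed_smtp": verdict(fixed_chains(), Packet("tcp", 25)),        # ACCEPT via the port 25 rule
    }
    # 20 SYNs to port 25 within one second: the burst of 5 passes, the rest hit syn_flood's DROP.
    chains = fixed_chains()
    flood = [verdict(chains, Packet("tcp", 25), now=0.01 * i) for i in range(20)]
    results["flood_accepted"] = flood.count("ACCEPT")
    return results


if __name__ == "__main__":
    print(demo())
```

The real iptables equivalent of `fixed_chains()` is the usual inverted pattern: `-A block -p tcp --syn -j syn_flood`, then `-A syn_flood -m limit --limit 5/s -j RETURN` and `-A syn_flood -j DROP`. The rate limit is then only ever a reason to drop, and which ports are reachable stays decided by the explicit service rules further down the chain.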
morodoch
Guru

Joined: 22 Sep 2005
Posts: 523
Location: England

PostPosted: Mon Mar 27, 2006 8:07 pm    Post subject:

I think the problem may be your "block" rule; I think packets may drop off the end of it. Maybe you need to add

Code:
iptables -A block -j DROP


on the end, so that any packets not matched explicitly by any of the other rules are dropped.
_________________
Well, the Sister was right. You boys could use a little churching up. Slide on down to the Triple Rock, and catch Rev. Cleophus. You boys listen to what he's got to say.

-- Curtis
All times are GMT