Re: [suse-security] Problems with ssh and firewall script
Hi,
Is ssh active on port 10022? Check your /etc/ssh/sshd_conf;
normally it's port 22.
Yes, it is running at port 10022 and listenAddress is 0.0.0.0; that should be OK, and I can connect if the firewall is down.
On Wednesday 27 March 2002 07:19 you wrote:
Hello list,
I cannot connect to our network from home. I always get the error message: Connection refused at port 10022. The sshd doesn't log anything in /var/log/messages, and the firewall log is also empty. Without the active firewall I can log in without any problems. We are running SuSE Linux 7.3. Has anyone an idea what is wrong with our firewall script?
Any hint is welcome.
Is ssh active on port 10022? Check your /etc/ssh/sshd_conf;
normally it's port 22.
Yes, it is running at port 10022 and listenAddress is 0.0.0.0; that should be OK, and I can connect if the firewall is down.
OK - you can type

    ipchains -L -v      (or: iptables -L -v)

to get a list of the rules that are active. If your policies are set to DENY, any traffic is forbidden and so you can't connect. Rules to set the port free are

    ipchains -I input  -j ACCEPT -i $externalname -p tcp --dport 10022 [-s a.certain.ip.address]
    ipchains -I output -j ACCEPT -i $externalname -p tcp --sport 10022 [-d a.certain.ip.address]

or

    iptables -I INPUT  -j ACCEPT -i $externalname -p tcp --dport 10022 [-s a.certain.ip.address]
    iptables -I OUTPUT -j ACCEPT -o $externalname -p tcp --sport 10022 [-d a.certain.ip.address]

(The port matches need -p tcp, and on the iptables OUTPUT chain the interface option is -o, not -i.)

Yours
Michael Appeldorn
Hello list,

thanks for all the answers. Unfortunately, I still cannot find the solution. My sshd is running on port 10022; I verified this several times. If I open the firewall with the default policies ACCEPT and drop all my rules, I can connect to my server from outside without any problem. Therefore I guess that I have some problems with the firewall and not the sshd. I will cut the parts of my firewall with the drop rules and the kernel flags. Beneath the rules I will paste a short chunk from my logfile. Please, please help me. I am really desperate and running out of ideas.

Regards,
Ralf Schoenian.

    # Default policy.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    ### ===========================================================
    ### Variables
    IFACE="ppp0"
    IFACE2="vmnet1"
    IFACE3="eth0"
    BROADCAST="192.168.1.255"
    LOOPBACK="127.0.0.0/8"
    CLASS_C="192.168.0.0/16"
    UP_PORTS="1024:65535"
    #UP_PORTS="1:65535"

    ### ============================================================
    ### We do not respond to pings.
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

    ### We do not want to respond to broadcasts either.
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    ### Source routed packets are not accepted. With them, attackers can
    ### pretend to come from inside the network.
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

    ### We do not want ICMP redirects, since they can be abused to
    ### change our routes.
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

    ### Enable bad error message protection.
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    ### SYN-FLOODING PROTECTION
    #
    iptables -N syn-flood
    iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
    iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    iptables -A syn-flood -j DROP

    ## Make sure NEW tcp connections are SYN packets
    iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP

    ### SPOOFING
    #
    ### All packets that come from the Internet and claim to originate from a
    ### Class-C net are ignored
    iptables -A INPUT -i $IFACE -s $CLASS_C -j DROP
    iptables -A INPUT -i $IFACE -d $LOOPBACK -j DROP

    # Refuse broadcast address packets.
    iptables -A INPUT -i $IFACE -d $BROADCAST -j DROP

    ### SSH inbound
    #
    iptables -A INPUT  -i $IFACE -p tcp --dport 10022 --sport $UP_PORTS -j ACCEPT
    iptables -A OUTPUT -o $IFACE -p tcp --sport 10022 --dport $UP_PORTS -j ACCEPT
    #
    ### SSH outbound
    #
    iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport 10022 -j ACCEPT
    iptables -A INPUT  -i $IFACE -p tcp --dport $UP_PORTS --sport 10022 -j ACCEPT

----------------------------------------
Here is some part of my firewall log
----------------------------------------

    Mar 28 17:01:02 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=42963 DF PROTO=TCP SPT=32791 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
    Mar 28 17:01:14 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=42964 DF PROTO=TCP SPT=32791 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
    Mar 28 17:01:38 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=42965 DF PROTO=TCP SPT=32791 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
    Mar 28 17:02:26 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=42966 DF PROTO=TCP SPT=32791 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
    Mar 28 17:04:22 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24380 DF PROTO=TCP SPT=32792 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
    Mar 28 17:04:25 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24381 DF PROTO=TCP SPT=32792 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
    Mar 28 17:04:31 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24382 DF PROTO=TCP SPT=32792 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
    Mar 28 17:04:43 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24383 DF PROTO=TCP SPT=32792 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
    Mar 28 17:08:07 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=59595 DF PROTO=TCP SPT=32793 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
    Mar 28 17:08:10 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=59596 DF PROTO=TCP SPT=32793 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
    Mar 28 17:08:16 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=59597 DF PROTO=TCP SPT=32793 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
    Mar 28 17:08:28 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=59598 DF PROTO=TCP SPT=32793 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Hi! On Tue, 2 Apr 2002, Ralf Schoenian wrote:
If I am opening the firewall with the default policies ACCEPT and drop all my rules I can connect to my server from outside without any problem. Therefore I can guess that I have some problems with the firewall and not the sshd.
    ### SSH inbound
    #
    iptables -A INPUT  -i $IFACE -p tcp --dport 10022 --sport $UP_PORTS -j ACCEPT
    iptables -A OUTPUT -o $IFACE -p tcp --sport 10022 --dport $UP_PORTS -j ACCEPT
Are you sure the connections are coming from an unprivileged port? IIRC, rhosts authentication requires use of a privileged source port; try "UsePrivilegedPort no" in ssh_config. Alternatively, you could allow connects from all ports (I don't think restricting connects to unprivileged ports has any security benefits, anyway).

Martin
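An added example, not part of any post in this thread: it takes the "SSH inbound" ACCEPT rule from Ralf's script, with IFACE and UP_PORTS as the script sets them, and checks each kernel log line against the rule's four match conditions (in-interface, protocol, destination port, source-port range), reporting which condition fails. The first log line is copied from the quoted log; the second is constructed to show the privileged-source-port case Martin asks about.

```python
import re

# Constructed input: line 1 is copied from the kernel log quoted in the thread;
# line 2 is made up here (privileged source port, on the interface the script names).
LOG_LINES = [
    "Mar 28 17:01:02 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 "
    "DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=42963 DF PROTO=TCP "
    "SPT=32791 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar 28 17:09:00 kitrlx01 kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.10 "
    "DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP "
    "SPT=1022 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0",
]

# Match conditions of the quoted "SSH inbound" ACCEPT rule (IFACE, UP_PORTS as in the script).
SSH_IN_RULE = {"iface": "ppp0", "proto": "TCP", "dport": 10022,
               "sport_range": (1024, 65535)}
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_netfilter_line(line):
    """KEY=VALUE fields of a netfilter LOG line; bare flags SYN/ACK/DF as booleans."""
    fields = dict(FIELD_RE.findall(line))
    for flag in ("SYN", "ACK", "DF"):
        fields[flag] = re.search(r"\s%s(\s|$)" % flag, line) is not None
    return fields

def rule_mismatches(pkt, rule):
    """Conditions of `rule` the logged packet fails; [] means it would be ACCEPTed."""
    reasons = []
    if pkt.get("IN") != rule["iface"]:
        reasons.append("in-interface %s != %s" % (pkt.get("IN"), rule["iface"]))
    if pkt.get("PROTO") != rule["proto"]:
        reasons.append("proto %s != %s" % (pkt.get("PROTO"), rule["proto"]))
    if int(pkt.get("DPT", -1)) != rule["dport"]:
        reasons.append("dport %s != %d" % (pkt.get("DPT"), rule["dport"]))
    lo, hi = rule["sport_range"]
    if not lo <= int(pkt.get("SPT", -1)) <= hi:
        reasons.append("sport %s outside %d:%d" % (pkt.get("SPT"), lo, hi))
    return reasons

def audit(lines, rule):
    """Mismatch list per log line, in input order."""
    return [rule_mismatches(parse_netfilter_line(l), rule) for l in lines]

if __name__ == "__main__":
    for line, why in zip(LOG_LINES, audit(LOG_LINES, SSH_IN_RULE)):
        print(line.split("kernel: ", 1)[1][:22], "->", why or "would be ACCEPTed")
```

Run over all twelve quoted log lines, each one fails only the in-interface condition (IN=ippp0 against IFACE="ppp0"); the logged source ports all lie inside UP_PORTS.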
participants (4): Martin Köhling, Michael Appeldorn, Ralf Schoenian, ralf@schoenian-online.de