Re: RE: [suse-security] Problems with ssh and firewall script
> Hello Ralf, you specified IFACE=ppp0 but the packets are received on ippp0.

Yes, sorry. I have the same configuration at home. But at work we have
Hello Holger,
Holger Gossmann
thanks for all the answers. Unfortunately, I still cannot find the solution. My sshd is running on port 10022. I have verified this several times.
If I open the firewall with the default policies set to ACCEPT and drop all my rules, I can connect to my server from outside without any problem. So I guess that the problem is with the firewall and not with sshd.
I will paste the parts of my firewall script with the drop rules and the kernel flags. Beneath the rules I will paste a short chunk of my log file.
Please, please help me. I am really desperate and running out of ideas.
Regards, Ralf Schoenian.
# Default policy.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

### ===========================================================
### Variables
IFACE="ppp0"
IFACE2="vmnet1"
IFACE3="eth0"

BROADCAST="192.168.1.255"
LOOPBACK="127.0.0.0/8"
CLASS_C="192.168.0.0/16"
UP_PORTS="1024:65535"
#UP_PORTS="1:65535"

### ============================================================
### We do not respond to pings.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

### We do not want to respond to broadcasts either.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

### Source routed packets are not accepted. With them attackers can
### pretend to come from inside the network.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

### We do not want ICMP redirects, since they can be abused to
### change our routes.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

### Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

### SYN-FLOODING PROTECTION
#
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP

### SPOOFING
#
### All packets that come from the Internet and claim to originate from a Class-C net
### are ignored
iptables -A INPUT -i $IFACE -s $CLASS_C -j DROP
iptables -A INPUT -i $IFACE -d $LOOPBACK -j DROP
# Refuse broadcast address packets.
iptables -A INPUT -i $IFACE -d $BROADCAST -j DROP

### SSH inbound
#
iptables -A INPUT -i $IFACE -p tcp --dport 10022 --sport $UP_PORTS -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 10022 --dport $UP_PORTS -j ACCEPT
#
### SSH outbound
#
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport 10022 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport $UP_PORTS --sport 10022 -j ACCEPT
----------------------------------------
Here is some part of my firewall log
-----------------------------------------
Mar 28 17:01:02 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=42963 DF PROTO=TCP SPT=32791 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:01:14 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=42964 DF PROTO=TCP SPT=32791 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:01:38 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=42965 DF PROTO=TCP SPT=32791 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:02:26 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=42966 DF PROTO=TCP SPT=32791 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:04:22 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24380 DF PROTO=TCP SPT=32792 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:04:25 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24381 DF PROTO=TCP SPT=32792 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:04:31 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24382 DF PROTO=TCP SPT=32792 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:04:43 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24383 DF PROTO=TCP SPT=32792 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:08:07 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=59595 DF PROTO=TCP SPT=32793 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:08:10 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=59596 DF PROTO=TCP SPT=32793 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:08:16 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=59597 DF PROTO=TCP SPT=32793 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:08:28 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240 DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=59598 DF PROTO=TCP SPT=32793 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
participants (1)
-
ralf@schoenian-online.de