Re: RE: [suse-security] Problems with ssh and firewall script

2 Apr 2002


      ...
Hallo Ralf,
you specified IFACE=ppp0 but the packets are received on ippp0.
Yes, sorry. I have the same configuration at home. But at work we have
Hello Holger,

Holger Gossmann  schrieb am 02.04.2002,
09:49:54:
the IFACE=ippp0
...
thanks for all the answers. Unfortunately, I still cannot find the solution.
My sshd is running on port 10022. I verified this several times.
If I am opening the firewall with the default policies ACCEPT and drop all
my
rules I can connect to my server from outside without any problem. Therefore
I can guess that I have some problems with the firewall and not the sshd.
I will cut the parts of my firewall with drop rules and the kernel flags.
Beneath the rules I will paste a short chunk from my logfile.
Please, please help me. I am really desperate and running out of ideas.
Regards, Ralf Schoenian.
# Default policy.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
### ===========================================================
### Variablen
IFACE="ppp0"
IFACE2="vmnet1"
IFACE3="eth0"
BROADCAST="192.168.1.255"
LOOPBACK="127.0.0.0/8"
CLASS_C="192.168.0.0/16"
UP_PORTS="1024:65535"
#UP_PORTS="1:65535"
### ============================================================
### Auf Pings reagieren wir nicht.
/bin/echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all
### Auf broadcasts wollen wir auch nicht reagieren.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
### Source routed packets werden nicht akzeptiert. Mit ihnen kAönnen
Angreifer
### vorgeben, dass sie aus dem inneren des Netzwerkes kommen.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
### ICMP redirects wollen wir nicht, da sie missbraucht werden kAönnen, um
### unsere Routen zu Aändern.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
### Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
### SYN-FLOODING PROTECTION
#
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
### SPOOFING
#
### Alle Pakete die aus dem Internet kommen u. vorgeben aus einem Class-C
Netz zu stammen
### werden ignoriert
iptables -A INPUT  -i $IFACE -s $CLASS_C -j DROP
iptables -A INPUT  -i $IFACE -d $LOOPBACK -j DROP
# Refuse broadcast address packets.
iptables -A INPUT -i $IFACE -d $BROADCAST -j DROP
### SSH inbound
#
iptables -A INPUT  -i $IFACE -p tcp --dport 10022 --sport $UP_PORTS -j
ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 10022 --dport $UP_PORTS -j
ACCEPT
#
### SSH outbound
#
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport 10022 -j
ACCEPT
iptables -A INPUT  -i $IFACE -p tcp --dport $UP_PORTS --sport 10022 -j
ACCEPT
----------------------------------------
Here is some part of my firewall log
-----------------------------------------
Mar 28 17:01:02 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240
DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=42963 DF PROTO=TCP
SPT=32791 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:01:14 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240
DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=42964 DF PROTO=TCP
SPT=32791 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:01:38 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240
DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=42965 DF PROTO=TCP
SPT=32791 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:02:26 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240
DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=42966 DF PROTO=TCP
SPT=32791 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:04:22 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240
DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24380 DF PROTO=TCP
SPT=32792 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:04:25 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240
DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24381 DF PROTO=TCP
SPT=32792 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:04:31 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240
DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24382 DF PROTO=TCP
SPT=32792 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:04:43 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240
DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24383 DF PROTO=TCP
SPT=32792 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:08:07 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240
DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=59595 DF PROTO=TCP
SPT=32793 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:08:10 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240
DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=59596 DF PROTO=TCP
SPT=32793 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:08:16 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240
DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=59597 DF PROTO=TCP
SPT=32793 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 17:08:28 kitrlx01 kernel: IN=ippp0 OUT= MAC= SRC=62.134.105.240
DST=217.51.83.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=59598 DF PROTO=TCP
SPT=32793 DPT=10022 WINDOW=5840 RES=0x00 SYN URGP=0
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here

ralf＠schoenian-online.de

tags

participants (1)