I enabled ufw yesterday, and am finding log entries like:
Jun 30 13:07:51 xxxx kernel: [15702368.296557] [UFW BLOCK] IN=eth1 OUT= MAC=00:22:19:5e:8f:23:00:0c:db:fc:8b:00:08:00 SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=47632 PROTO=TCP SPT=58875 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
What is puzzling is I did the command: ufw allow 80.
how to block all ports except pop,pop3,smtp in nat using iptables in squid on redhat A3
View 2 Replies View RelatedHow do you delete ufw rules which you didn't make?
I want to block the FTP ports (20 & 21) but even if I put in DENY rules, it appears that these rules are letting traffic through
Code:
9 400 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20 state RELATED,ESTABLISHED
How do I delete these rules? I've tried.
Code:
sudo ufw delete allow 20
sudo ufw delete proto tcp from any to any 20
but I get "Could not delete non-existent rule".
Since I didn't make those rules I have no idea what OpenBSD's PF syntax (what ufw uses) is for them.
Is there any way to verify if packets being trafficked over a certain port are valid for the service you want to use this port for?
One obvious example that probably clarifies my question:
When I open port 443 (outgoing or incoming) for https/ssl traffic, I don't want this port to be used for say openvpn traffic.
Thus: when someone wants to surf to a website with https, it should be ok but if someone wants to connect to his home openvpn server over that same port, it should be blocked.
I was following the directions over on the page How to watch Hulu overseas without a proxy server and got to the section about blocking ports, which I need to block port 1935. I figured this would be easy, as the mac instructions are
Code:
sudo ipfw add 0 deny tcp from any to any 1935
sudo ipfw add 0 deny udp from any to any 1935
and the Windows instructions are practically a book in itself. Since this page was lacking instructions on how to do it in Ubuntu, and ipfw seemingly doesn't exist in Ubuntu, how do I block the ports
I have a Suse 10.3 router with 4 network cards. 1 is to connect to the big network and thereby also the internet, 2 are for 'client' subnets and I want to use the last one as a DMZ. In this DMZ will be a web server which has to be accessible from the other 2 subnets and from the big network. I could do it with a few simple clicks in Yast firewall, but I have some issues with this firewall and there for I want to use it as minimal as possible, using Iptables.
So now I'm struggling a bit with Iptables. Basicly what I'm looking for is how to block all ports but 80 in this last subnet with iptables.
How can I block all ports except
ssh (port 22)
httpd (port 80)
using iptables and iphains?
I am working on software that is to run on a variety of linux machines where changing the os/version is not an option.My software uses the inotify_rm_watch call, and this is occassionally failing. In every case the operands are both valid, yet the result is EINVAL. This appears to only occurr when a watched file is deleted, and the read command on the inotify yeilds two events IN_DELETE_SELF AND IN_IGNORE (at the same time).I have seen a few messages detailing this same scenario - but no workarounds.
View 7 Replies View RelatedIs there anyway i can ssh/rdp/telnet into my server from the outside bypassing comcast ALL blocked ports
View 1 Replies View RelatedI have open ports on my computer for vsftpd, pptpd, and I need help to filter this ports because they aper as open ports on internet, and this is pretty risky
View 3 Replies View RelatedAfter reading a lot about networking and security I decided to check the security of my own ubuntu box. So I went installing Nmap and discovered that port 139 was "open". Since I 'd read how to use ufw I created a deny rule for port 139. After a second scan with Nmap it still said that port 139 was open as shown below.
[Code]...
I'm locking down my laptop. I know I can use a firewall to ensure nothing gets through that I didn't catch, and I certainly plan on using one, but in the meantime, I want to know what exactly is running on my system.
nmap localhost returns:
Code:
james@james-linux:~$ nmap localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2010-07-26 23:33 CDT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 994 closed ports
PORT STATE SERVICE
25/tcp open smtp
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
2049/tcp open nfs
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
However, I know that localhost goes back to the loopback interface, 127.0.0.1. So, to see what was really open, I ran nmap 192.168.0.108, which is my laptop's IP at the moment.
Code:
james@james-linux:~$ nmap 192.168.0.108
Starting Nmap 5.00 ( http://nmap.org ) at 2010-07-26 23:33 CDT
Interesting ports on 192.168.0.108:
Not shown: 996 closed ports
PORT STATE SERVICE
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
Now if I understand correctly, I can attribute 139 and 445 to my Samba share. That I'm okay with. What I don't know is 111 and 2049. Does anyone know what these ports are, what's running on them, and how I could turn them off, supposing that they are a security risk?
I'm getting heat from the head networking office that ports 21, 110, and 143 are open. I can telnet to those ports from a remote machine (not localhost) and get a prompt. There does not seem to be anything listening on those ports according to netstat. I've tried using iptables to discard all traffic to a from those ports but I can still telnet to them. This is a lucid desktop machine.
View 4 Replies View RelatedWe do NOT support samba on our Unbuntu servers but still zillions of windows machines are constantly trying to connect on the SMB ports. I've added a rule that drops access to destination ports 137-138 and that seems to work. But it creates many many log entries documenting that the packet has been dropped. I've been researching and cannot come up with a way to suppress logging for these drops.
View 4 Replies View Relatedlooking at my router logs i've noticed for the past while a range of source ports from 60000 to about 65000 from my source external ip to destination external ip always on port 80. I have 3 boxes on this network and this only seems to happen when i connect the one laptop. I even reinstalled the distro downloaded from trusted source but the router is still logging this.. netstat -ntulp shows nothing operating in this range. chkrootkit shows nothing.. Was thinking maybe someone was spoofing the external address but it's been happening on network startup for a month now
View 4 Replies View Relatedhave tried to close ports 443,80,22 & 23 without success.Does anybody have any idea how to do this. I close them in a terminal and their still opened. I closed them in services and their still open what am I not doing right?
View 14 Replies View RelatedI installed Ubuntu 9.10 recently. I heard that there will be no open ports in the system unless I specifically open one. How do I scan to find a open port in my system.
View 9 Replies View Relatedwhen i enable my ufw it completely shuts me out and closed my internet connection. i installed firewall configuraiton interface and through it defined rules to accept incoming internet connections on port 80, i can see the rules are there but when i enable my firewall it just shuts me out completely again.
when i do(with my firewall enabled):
Code:
$ sudo ufw status
it gives me:
Quote:
Status: active
[Code].....
I also messed around with fwbuilder and iptables but since then deleted fwbuilder(besides i just compiled firewall policy and never actually installed it because of errors while trying to install it. Iptables I cleared with:
Code:
$ sudo iptables -F
I know how to forward ports in my router. Now I need to open a port to help with testing a project and no matter what I've tried, every port under 1055 shows up as stealthed (with 1-71 closed) according to Shields Up! I'm happy to run it at a port > 1024, but whatever I try also shows up stealthed. I even tried (briefly) turning on DMZ and still the same thing. My ISP swears that they only block port 80, 21 and 25, none of which I'm trying to use. UFW status reports inactive and I'm not using firestarter. I'm not running any other server (apache, light speed etc). If it's not my router and it's not my ISP, and there's no other server apps running, then that kind of leaves Ubuntu as far as I can see,
View 8 Replies View RelatedWhat ports does Firefox use to connect to the Internet?
View 9 Replies View Relatedmy ufw rules have been loaded and active yet using iptraf i see tcp connections on ports that were never allowed by ufw. can anyone explain this too me does ufw just not work?
View 6 Replies View RelatedWhat are the security implications of closed ports?
View 5 Replies View RelatedWhat is happening when I log in to my Ubuntu server machine via ssh and putty. trying to understand everything, primarily securing my server.
I have specified the ssh server to listen on port 5525, and can login without a problem.
When I look at the logs though it says I connected from xxx.xx.xx.xx on port 53602.
What is happening here and why is the logged connection a different port to the one specified in the config file?
Quote:
A year ago I blogged about how hackers managed to hijack hundreds of high-profile websites to make them promote online stores that sold pirated software at about 5-10% of a real cost. They used quite a standard scheme that involved cloaking (making spammy links visible only to search engine crawlers) and conditional redirects (visitors from search engines who clicked on specifically-crafted links on compromised sites got redirected to online stores of software pirates)
Despite of all my warnings, most of those site are still hacked and help sell pirated software and steal credit card numbers. This negligence of site/server administrators encouraged cyber criminals to step even further in abusing reputation and resources of compromised servers. This post will be about one of such steps.
I am trying to configure Bittorando and iptables using Firestarter. I have got it working but am concerned about security holes.
Let me explain.
AIUI, the Bittornado program contacts the "tracker" on various ports which (from the previously blocked connections in Firestarter) ranged from 4664 to 65532. Therefore, currently I have set this range to be open to allow downloads of the torrent.
However, this seems, IMHO, to devalue to point of having a restrictive exit policy for Firestarter since now virtually all ports are open. I can see nothing on the Bittornado client to restrict the outgoing ports although the "listening" (incoming) ports can be restricted.
I would prefer to have my system locked-down so that the minimal number of ports are open to initiate external connections so is there any way to achieve this with Bittornado?
While (attempting) to set up ssh on a couple of machines (not this one) I've noticed that I keep getting some strange unknown ports showing as open on my PC when I do a port scan on its address. They are only opened transiently, they are all high numbers eg 33348, 41147, 50370 etc. I have opened no ports on this machine at any time and ufw is set to deny all incoming.
View 3 Replies View RelatedThis morning I was looking at the router's log file and noticed a certain IP address was able to gain LAN access on port 2222. That just happens to be the port my SSH server is listening on! A whois search revealed that IP address is in Germany. As soon as I found this out I stopped forwarding all ports to this machine in my router.
how to tell what had happened, what information this person was able to obtain, and if he left any goodies behind that could hurt me? I've read through some of the logs on my computer and haven't been able to find much at all. I did have some personal information on the hard drives, but that information is encrypted. I'm thinking if they were able to get my SSH password then that information probably isn't safe either (assuming they have some of it).
Perhaps it is my misinterpretation of AppArmor, how can it be configured to restrict TCP or UDP traffic to/from specific ports?
The profile "abstractions/nameservice", under the section "# TCP/UDP network access", doesn't seem to lock the application to port 53. What am I missing? Restriction to specific ports is something that systrace can do so I'd expect nothing less from AppArmor.
My friends all request that I join Farmville so they can build their points. I don't play games but tried to oblige them. My firewall went nuts and I received requests to "open" certain ports. Can some one tell me what is going on and is this a security risk or not. I am 4 years deep into Linux and I haven't used microcrap in as many years but I am still learning, as there is so many things to master with Linux.
View 4 Replies View RelatedI am trying to understand why when running nmap against a SonicWALL firewall at a remote location, the SonicWall firewall is saying that most of its 65535 ports are open? I know this cant be correct and remember reading about how some of these network appliances are setup this way to thwart off attacks.
View 7 Replies View Related