Ubuntu Security :: UFW Is Blocking Connections Even Though It's Set To Allow For In/Out
Aug 1, 2011
I might be misunderstanding the log but it looks like UFW is blocking connections. I want to allow all incoming and outgoing. I guess what I'm saying is that the servers on my computer will open ports but all other ports should respond with closed just like a default Ubuntu install. Trying to use UFW to monitor connections without really doing any firewalling.
Mobloquer starts up at boot and before I've even opened firefox or transmission or anything, mobloquer shows that is has started blocking several outgoing connections as well as ton of incoming connections. I was wondering if the outgoing connections is normal and what's a normal amount of network activity to show up in system monitor when I'm not actively using the internet.
Ok so, buddy of mine has his ssh server setup and upon checking his logs he sees a ton of failed attempts. Now obviously these are people that are scanning him and trying to brute force him. So is there a way to block them? We know you can block each IP but is there a way to block ALL connections except for certain ones, such as his and mine? Maybe a couple others.
My home computer has 11.3 and SuSEfirewall enabled. It connects to the net over the wireless and SuSEfirewall has this connection in the external zone.
I can successfully ssh into this computer from remote (the work computer) but none of the ssh port-forwarded connections work. I'm trying to tunnel VNC over ssh. I also tried setting http on the home computer to serve pages on a high-numbered port (8090) and tunnelling that but it also didn't work - proving that it's not a VNC problem.
Here are the relevant messages from the firewall logs on the home machine:
Code:
I don't understand why this isn't working now, I had the same setup on 11.2 and it worked fine.
The 95.91.92.92 is the public IP address of my home router, I don't understand why a connection would appear to be coming from there when I use ssh-tunnelling?
I need to write program for non blocking socket connections.I have made extensive research but could only get to non blocking READ or WRITE after the connection is established. run the program do a series of tasks (ex: counter printing time on screen) if there is request for connection, connect send or receive data.
Is it fair to say that connLimit and hashlimit are very similiar on Linux i.e. while hashlimit caters to limits for groups of ports, they both set the connection rate limit per host? How in IPTables, do I configure a policy that limits connections on a port that encapsulates the total sum of all connections from all hosts? i.e. I do not want to allow more than 6000conn/minute for port range that is the sum of all connecting hosts?
I can see what Firestarter is blocking in the Firestarter/Events tab, but after reading all the man pages of UFW, I still don't know how to check what the UFW is blocking.
After reading a lot about networking and security I decided to check the security of my own ubuntu box. So I went installing Nmap and discovered that port 139 was "open". Since I 'd read how to use ufw I created a deny rule for port 139. After a second scan with Nmap it still said that port 139 was open as shown below.
im having a bit of a problem with Firestarter, i have Transmission opened and i am downloading a movie but when i check Firestarter i see hundreds and hundreds of Ip's that are blocked, and like 10ip's every second that get blocked.
I've been using Deny Hosts for a couple of years now without trouble. My router forwards SSH calls to host tock on my LAN. My router's internet hostname is michigan. I keep an svn repository on tock and access it through michigan. In this way I can update my repository when I'm at home or away.Just today, however, whenever I try any ssh to michigan, I get a closed connection and find michigan in my hosts.deny file. I delete it, make a successful connection, but then on my next attempt - there I am in the hosts.deny file again.
I've worked around it by putting michigan into my hosts.allow file, but I would really like to know what's going on. I've configured Hosts Deny to lock out IPs after three failed attempts, but it is locking out michigan after one successful connection.
Where I work we have a lan, it is almost 100% windows machines except for 2 CentOS machines in which some clients connect to, via VPN. (very small network, <50 ip's used)
I would like to know if there is a way to block access from that machines to others in the network. I'm already logging traffic (with IPTraff) to see if they're accessing other machines in the network others than the ones they should connect.
When I turn on my SeLinux to enforcing mode on my Red Hat system ssh stops working and my http server stops responding.
I went into the SeLinux GUI and enabled things in there but still it wont work.
Any thoughts on what to check?
permissive mode and disabled they work
I read several articles that say it should not be affect by SeLinux and the setting look correct but the only thing I do is turn on SeLinux and ssh /httpd stop working
I am running Fedora 11 and every time i plug in my iPod it tells me... SELinux is preventing mkdir (podsleuth_t) "read" security_t ... I have no idea on how to create a policy module to allow access.
I want to ask about securing the FTP connection... I have one server that Installed with Redhat Linux Fedora 6.
And now, i want to securing the FTP access, so only the selected IP will be allowed to connect. Do anyone know how to do this?
Another thing is, my server using Webmin 1.3 to manage the server and there not installed / not configured yet with Frox FTP, ProFTPD Server, WU-FTP Server... even there is such thing in my Webmin...
Can i make use one of the three FTP i mention above, and if yes, will it be affecting the current FTP access?
I'm assuming that the following should block the complete 178.123.xxx.xxx address range.
Code: iptables -I INPUT -s 178.123.0.0/24 -j DROP Then I believe that I need to save this change.
Code: service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
However, I'm not so sure that it is actually working based on the fact that there continues to be access to my wiki from that address range. The following is after I made the firewall change.
Quote:
178.123.177.61 - - [31/Dec/2010:04:24:40 -0500] "GET /mywiki/Opera%20Web%20Browser?action=edit&editor=text HTTP/1.1" 200 6346 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" code....
Let me state that I'm new at this iptables thing. I did some reading and decided that I need to make the above change to the firewall but it doesn't seem to make a difference.
since I upgraded to F15 I noticed that "su -l" is very slow, it takes about 20sec before it gives the prompt. I traced it down to a problem with "xauth" as su asks for the authorization for the display running "xauth nlist :0" which times out with an error. Actually, the command "xauth nlist :0" by itself gives: xauth: timeout in locking authority file /home/user/.kde/tmp-host.domain/xauth-200-_0
If I put SELinux in permissive mode both command work without problem so I suppose SEL is the problem. I checked the permissions and settings of the file which is "unconfined_u:object_r:config_home_t:s0" but I have no idea if this is the right value, running "restorecon" on the file, directory or the whole /home/user didn't change anything.
I am setting up a iptables firewall on one of our servers, and I would like to block a range of addresses from getting into the system. I am using a script that does a BLACKIN and BLACKOUT methodology for specific addresses. One example is the following:
Code:
$IPTABLES -A BLACKIN -s 202.109.114.147 -j DROP ... $IPTABLES -A BLACKOUT -d 202.109.114.117 -j DROP
What would be the correct syntax to use if I wanted to block an entire remote subnet from getting into the server?
I want to block some ips permanently ie. even I as the root user cannot unblock these ips without having to format the whole system.
So i thought if some blocking software provided passwords for editing rules and I put a 'junk' password there and so that I can't delete the rules without the 'junk' password which I don't know.
So I examined iptables and I saw that it is a kernel module so there is no use of that since I can probably throw it away.
But the basic question is to block ips and gulp the key.
In our organization we use Static IP addressing scheme(Some departments have DHCP which is not related to this thread). We use Squid as proxy.
We assign each machine its IP address and make entry in our TinyDNS database, and provide those details to users, which they manually enter in their config and then access the network. We assign different range of IPs to different departments. This we consider as the "proper way" for our organization.
But we have found that lot many users are simply guessing some IPs and using them without having any entry in our DNS record. Though this works for some, most of the time we end up having IP conflicts and disorganization in our organizational allocation policy.
So, my question is, How do I block the specific IPs whose entry is not explicitly defined in our DNS record. In other word if the IP 192.168.20.15(lets say he is jack.ourorganization.com) is defined in our DNS, we should allow access... where as if IP 192.168.20.16(this does not translate to any user as it is not defined in our DNS) is not defined in our DNS we should not allow it access to our network.
I've small issue with blocking local clients. I mean I've webserver that I want to allow limited number to clients to that let say I've 10 users from 10.5.1.1-10 I would like to block 1-9 and allow only last client to access that webserver . Ive tried the following
Code:
iptables -A -p tcp -i eth1 -d 10.1.1.14 -s ! 10.5.1.10 -j REJECT iptables -A INPUT -p tcp -d 10.1.1.14 -i eth1 -s ! 10.5.1.10 -j DROP
I'm running a program called Synergy+ to let my keyboard and mouse control multiple computers. One of Synergy+'s features is that clipboard (copy-paste) data is able to be shared, as in copy on one machine, paste onto another. I would like this functionality removed but Synergy+ has no way to disable it. I'm looking for any ideas to block clipboard data from being transferred. Is there a way to block a program from accessing the machine's clipboard data?
I have a fiberoptic broadband 20MB synchronous pipe at my home. Over summer at my place of employment its pretty much dead for 3 months so when I'm not busy I play around on my home server. I have my 20mb pipe going directly into my wrt54gl, from there I have a wired connection going to my server (Centos 5.3 recently upgraded to 5.5 through updates.) It serves as a file server(Samba, SSH). My wrt54gl handles natting port 22 to my server. I have my wireless AP setup to hand out leases from .2-.20 and my server has a static of .100. Dyndns.org handles my name resolution via their free account method.
I have a Mac Pro, iMac, Macbook, and a Toshiba Laptop with 64bit 7 running off wireless along with our cell phones, and my XBOX 360 also is wired directly for the gaming speed. I use all of the computers around my home to access the samba shares via unc path for file sharing and or working on projects. I had originally planned to upgrade the wrt54gl with a cisco e3200 or an e3000 but unfortunately I've come to find out dyndns and the e lines of cisco wireless AP's dont work with dyndns and get banned. So I would have to install the daemon on my server and put it as a directly connected server to my WAN link and install a second ethernet card and pass traffic through my server for the rest of my home which I am not going to do.
All of the previous sentence because it would update dyndns with a 192.168.x.x address since its not directly connected. I use a combination of putty.exe and vnc viewer to tunnel 5900 through port 22 to my server. So from anywhere I am at I can access my screen securely and then rdp or vnc to the desktop of my local LAN computers. This allows me to only have port 22 open. I've been looking at my ssh logs and noticed I have been getting hit alot with ssh scans. I want to implement an iptables firewall on my linux machine just for the purpose of further securing port 22. I dont necessarily need natting on the iptables firewall but all I need is ssh in and out, web in, and samba out to local ip's only.
For SSH this is what I want. I want to allow SSH from any IP but if it tries to login more than 3 times in one minute I want to block that IP for a full minute before it can try 3 more attempts. I also would like log to a file but have been having issues getting that to work as well. That way when I review logs and I see that an ip tries three times and then waits a minute and tries three more, etc... I can permanently block that ip or range of ip's by adding it to the iptables script. Here is my current iptables script and it doesnt seem to be working for me. I have played with this and read for almost two weeks and still cannot get it to work correctly.
Code: #!/bin/bash # In order to use this iptables firewall script you must have iptables installed. You also must be using a 2.4.x series Kernel, with iptables suppport compiled into it, which is standard for most newer linux distributions. # If you need help compiling iptables into your kernel, please see our kernel Compile/Upgrade Guide located at [URL] # Once the script has been edited with all your relevant information (IP's Network Interfaces, etc..) simply make the script executable and run it as root. # chmod 700 fw_rules.sh # ./fw_rules.sh .....
# Our final trap. Everything on INPUT goes to the dropwall # So we don't get silent drops. $IPT -A INPUT -j dropwall
I am trying to keep linhost274.prod.mesa1.secureserver.net (IP 208.109.14.77) from accessing my machine. Several times per evening (as far as I see) it connects to my machine, each time on a different port, and pushes up data transfer. I can't find what it does, it just pushes a GB or more over the line and then stops. I try to keep it out with UFW:
