Hi people. I have the following problem or vulnerability.
If I try to connect to my external IP X.X.X.X on port 22 I can't, because the firewall blocks it.
But in the notification area I see how someone from China tries to enter my ClearOS.
Then I try to connect to my external IP (I use PuTTY), but the message is "connection refused". How did the guy connect without firewall rules????
PS: The China guy can't connect because I use a secure password.
PS2: I disabled SSHD for security.
Responses (9)
Accepted Answer
Hi Dennis,
There are two ways in which IDS can run, inside the firewall and outside the firewall, and I think there is a lot of debate about which is better. ClearOS chose to run IDS outside the firewall. This means you will see intrusion attempts even though the firewall is closed. You can easily check if the firewall is closed using some of the online port checkers such as Shields Up at grc.com (but treat some of his security stuff with a pinch of salt).
In ClearOS, incoming WAN ports are closed by default except one or two (tcp:81 and a few others). You can check which are open by doing an "iptables -nvL INPUT" and all your ones are pretty normal apart from extended OpenVPN rules. Personally I'd also close tcp:81 and always connect by OpenVPN although to the ClearOS LAN IP. Similarly, if you wanted SSH access, I'd do it via OpenVPN to the LAN IP to avoid opening 22 on the WAN.
If ports are shut, there is no point in running IDS on those ports. I personally would disable the SSH rules as they serve no purpose in your set up.
Also by default all LAN traffic is allowed into ClearOS -
Accepted Answer
I just today updated/reinstalled from ClearOS 6 to 7.
It was literally a matter of minutes before I got hit by the same IP address trying to log in by SSH. Obviously, they are not getting through, but how do we as users 'convince' ourselves that the protections are working?
Intrusion detection logs the attempt, but does the other active intrusion app morph the firewall rules to be more aggressive against the intruder?
Where can I verify that root does not have access by SSH? I thought that we can also limit access to Webmin and SSH by network adapter, like not from the WAN side but allowed from the LAN side.
Dennis
[root@kyt01 ~]# iptables -nvL INPUT
Chain INPUT (policy DROP 848 packets, 53231 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set f2b-sshd-ddos src reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set f2b-sshd src reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587,220,993,110,995 match-set f2b-postfix-sasl src reject-with icmp-port-unreachable
199 12017 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
16 11724 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 DROP all -- enp4s9 * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- enp4s9 * 169.254.0.0/16 0.0.0.0/0
0 0 DROP all -- ppp0 * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- ppp0 * 169.254.0.0/16 0.0.0.0/0
315 33287 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
9879 774K ACCEPT all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0
831 24099 ACCEPT icmp -- enp4s9 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
1 156 ACCEPT icmp -- enp4s9 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
9 296 ACCEPT icmp -- enp4s9 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT icmp -- enp4s9 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT udp -- enp4s9 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- enp4s9 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
831 24099 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
0 0 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
38 3388 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
0 0 ACCEPT tcp -- * * 0.0.0.0/0 XXX.XXX.XX.XX tcp dpt:1194
0 0 ACCEPT tcp -- * * 0.0.0.0/0 XXX.XX.XX.XXX tcp dpt:1194
67633 18M ACCEPT udp -- * * 0.0.0.0/0 XXX.XXX.XX.XX udp dpt:1195
0 0 ACCEPT udp -- * * 0.0.0.0/0 XXX.XX.XX.XXX udp dpt:1195
64943 16M ACCEPT udp -- * * 0.0.0.0/0 XXX.XXX.XX.XX udp dpt:1196
0 0 ACCEPT udp -- * * 0.0.0.0/0 XXX.XX.XX.XXX udp dpt:1196
0 0 ACCEPT udp -- * * 0.0.0.0/0 XXX.XXX.XX.XX udp dpt:1197
0 0 ACCEPT udp -- * * 0.0.0.0/0 XXX.XX.XX.XXX udp dpt:1197
0 0 ACCEPT udp -- * * 0.0.0.0/0 XX.XXX.XX.XX udp dpt:1194
0 0 ACCEPT udp -- * * 0.0.0.0/0 XX.XX.XX.XXX udp dpt:1194
12 829 ACCEPT tcp -- * * 0.0.0.0/0 XX.XXX.XX.XX tcp dpt:81
9 561 ACCEPT tcp -- * * 0.0.0.0/0 XX.XX.20.XXX tcp dpt:81
0 0 ACCEPT udp -- enp4s9 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- enp4s9 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
3154 956K ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
80 54622 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
Thanks for the help.
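To answer the "how do we convince ourselves" question against a listing like the one above, here is an added example (not ClearOS's own tooling, and not code from anyone in this thread) that parses `iptables -nvL INPUT` output and reports which ports the INPUT chain accepts for new connections from untrusted interfaces, which interfaces are accepted wholesale (the "all LAN traffic is allowed" rule), and which ipset ban lists (the f2b-* sets that fail2ban maintains) sit ahead of the ACCEPT rules. It assumes the standard `-nvL` column layout and that the caller names the LAN interface; enp2s0 being the LAN side of the posted listing is an assumption. The embedded sample is a constructed, abridged copy of the listing's shape, with the masked addresses kept as placeholders.

```python
"""Summarise `iptables -nvL INPUT`: unsolicited open ports, interfaces
accepted wholesale, and the source-blocking ipsets ahead of them.
Example code added to this thread (not ClearOS's own tooling); assumes the
-nvL column layout: pkts bytes target prot opt in out source destination ...
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the listing posted in the thread.
SAMPLE = """\
Chain INPUT (policy DROP 848 packets, 53231 bytes)
 pkts bytes target prot opt in out source destination
 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set f2b-sshd src reject-with icmp-port-unreachable
 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587,220,993,110,995 match-set f2b-postfix-sasl src reject-with icmp-port-unreachable
 199 12017 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
 315 33287 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
 9879 774K ACCEPT all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 XXX.XXX.XX.XX tcp dpt:1194
 67633 18M ACCEPT udp -- * * 0.0.0.0/0 XXX.XXX.XX.XX udp dpt:1195
 12 829 ACCEPT tcp -- * * 0.0.0.0/0 XX.XXX.XX.XX tcp dpt:81
 80 54622 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
"""

def _count(token: str) -> int:
    """Counters in -nvL (without -x) are abbreviated, e.g. 774K, 18M."""
    mult = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if token[-1] in mult:
        return int(token[:-1]) * mult[token[-1]]
    return int(token)

@dataclass
class Rule:
    pkts: int
    target: str
    proto: str
    in_if: str
    source: str
    dest: str
    extra: str  # everything after the destination column (match options)

    @property
    def dport(self):
        m = re.search(r"\bdpt:(\d+)", self.extra)
        return int(m.group(1)) if m else None

    @property
    def multiport(self):
        m = re.search(r"multiport dports ([\d,]+)", self.extra)
        return [int(p) for p in m.group(1).split(",")] if m else []

    @property
    def reply_only(self) -> bool:
        # Matches only packets of a connection that was already allowed.
        return "RELATED,ESTABLISHED" in self.extra

    @property
    def match_set(self):
        m = re.search(r"match-set (\S+) src", self.extra)
        return m.group(1) if m else None

def parse_input_chain(text: str):
    """Return (chain policy, [Rule, ...]) for one chain listing."""
    policy, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("pkts"):
            continue
        m = re.match(r"Chain \S+ \(policy (\w+)", line)
        if m:
            policy = m.group(1)
            continue
        f = line.split(None, 9)
        if len(f) < 9:
            continue
        rules.append(Rule(_count(f[0]), f[2], f[3], f[5], f[7], f[8],
                          f[9] if len(f) > 9 else ""))
    return policy, rules

def open_ports(rules, lan_ifaces=()):
    """(proto, port) pairs accepted for NEW connections from untrusted
    interfaces: skips loopback, tunnel wildcards (tun+, pptp+), the named
    LAN interfaces and the RELATED,ESTABLISHED reply rules."""
    ports = set()
    for r in rules:
        if r.target != "ACCEPT" or r.reply_only:
            continue
        if r.in_if == "lo" or r.in_if.endswith("+") or r.in_if in lan_ifaces:
            continue
        if r.dport is not None:
            ports.add((r.proto, r.dport))
        for p in r.multiport:
            ports.add((r.proto, p))
    return sorted(ports)

def port_accepted(rules, proto, port, lan_ifaces=()):
    return (proto, port) in open_ports(rules, lan_ifaces)

def interface_wide_accepts(rules):
    """Interfaces where 'ACCEPT all' is unconditional (LAN, lo, tunnels)."""
    return [r.in_if for r in rules
            if r.target == "ACCEPT" and r.proto == "all"
            and r.dport is None and not r.multiport and not r.reply_only]

def blocklist_sets(rules):
    """ipsets consulted by REJECT/DROP rules placed ahead of the ACCEPTs."""
    return [r.match_set for r in rules
            if r.target in ("REJECT", "DROP") and r.match_set]

if __name__ == "__main__":
    policy, rules = parse_input_chain(SAMPLE)
    lan = ("enp2s0",)  # assumption: enp2s0 is the LAN side in the posted listing
    print("policy:", policy)
    print("open to untrusted interfaces:", open_ports(rules, lan))
    print("interfaces accepted wholesale:", interface_wide_accepts(rules))
    print("ban sets in front:", blocklist_sets(rules))
    print("tcp/22 accepted?", port_accepted(rules, "tcp", 22, lan))
```

On the sample the only unsolicited ACCEPTs are the OpenVPN ports, tcp:81 and the DHCP-client reply (udp dpt:68 from spt:67), the chain policy is DROP, and tcp/22 is accepted nowhere, which is the check the answer above describes: the SSH attempts the IDS reports are seen on the wire, not passed by the chain. To run it on a live box, save `iptables -nvL INPUT` to a file and pass its contents to parse_input_chain instead of SAMPLE.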