How to disable ssh from RED

How can I find out why the ssh connection from RED is working?

Whatever I try, the ssh connection from outside is always reachable if sshd is running!

Normally, the only way you could get ssh access into IPFire from RED would be to have a Firewall Rule permitting that. Otherwise the default setting is that any access from RED to the IPFire Firewall itself or any of the zones is blocked.

What do you have in your Firewall Rules section?

What about using the ListenAddress configuration option in /etc/ssh/sshd_config for only the interfaces you allow incoming ssh connections to?

Hi,

are you testing this from behind your IPFire installation?

Either way, this suspiciously reminds me of that topic:

In case there is a scenario where IPFire exposes its SSH port to RED by accident, we have got to nail it down and fix the underlying problem. Otherwise, it would be interesting to see the full configuration of your IPFire machine. Please post as much information as you can.

Thanks, and best regards,
Peter Müller

Hello Adolf Belka,

In the Firewall section there are about 220 rules but none for port 222 from RED or *.

Hello Data Morgana,

This would work, but I don't want to make too many extra configs.
And this shouldn't work out of the box.

Hello Peter Müller,

What do you mean by "behind your IPFire installation"?
I have tested from the Internet (RED interface). Sure.
==> That should not work!!

I think there is no special scenario.
What do you need to see the full configuration?

Thanks

Hi Helmut, my workaround would certainly also not be an appropriate solution in the light of a suspected security issue with the IPFire configuration, which is yet to be verified.

I would suggest you see what Steve Gibson’s ShieldsUp! says about port 222 on your firewall. That is assuming you’re using port 222, of course. I checked mine and it’s “stealth” which is apparently Gibson-speak for blocking unsolicited incoming traffic.

hxxps://www.grc.com/x/portprobe=222

Hello Data Morgana,

OK, I will fix it this way for now.
But I want to know why this is working.

Hello krasnal.

  1. I can connect to the firewall from anywhere on the Internet via ssh (port 222).
  2. A penetration test has found the port.
    => Why should I test it once more? I don't want the port to be reachable from the Internet!!

Hi,

this should not happen indeed.

Could you please post the output of the following commands (or DM them to me in case you do not want to make them public):

  • iptables -L -n -v -t nat
  • iptables -L -n -v -t raw
  • route
  • ifconfig
  • netstat -tulpen

Cc: @troll-op

Thanks, and best regards,
Peter Müller

Unless a specific rule is written…

Hi,

well, according to OP, there is none - at least none written with that intention in mind.

This is why I am asking for raw information…

Thanks, and best regards,
Peter Müller

@pmueller … promise it was not me this time… I’ve been good.
:innocent:

sxfire, if you don't have entries in the firewall rules section, did you by any chance create any manual entries in /etc/sysconfig/rc.local or /etc/sysconfig/firewall.local?

If you created any entries that accept, for example from a country region, it will permit all kinds of things not defined in any iptables rules for that region. WebGUI becomes accessible, SSH opens up, etc. You get the picture.

Wish you all a lekker evening
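An offline way to go through the `netstat -tulpen` and `iptables -L -n -v` output requested above and spot the broad-accept case just described. This is an added example, not from the thread or the IPFire project; it assumes the RED interface is red0 and SSH is on port 222, and the sample outputs it reads are constructed, not real captures.

```shell
#!/bin/sh
# Added example: audit whether an ACCEPT rule on RED can reach sshd.
# Assumptions: RED interface red0, SSH port 222 (override via environment).
RED_IF="${RED_IF:-red0}"
SSH_PORT="${SSH_PORT:-222}"

# Print the bind address of every sshd listener on SSH_PORT ($1 = netstat -tulpen output).
ssh_listeners() {
    awk -v p="$SSH_PORT" '$1 ~ /^tcp/ && $NF ~ /sshd/ {
        addr = $4; port = addr; sub(/.*:/, "", port); sub(/:[0-9]+$/, "", addr)
        if (port == p) print addr }' "$1"
}

# Print ACCEPT rules entering via RED_IF that let SSH_PORT through ($1 = iptables -L -n -v
# output): either an explicit dpt:SSH_PORT match, or no port match at all (the broad
# "allow this country/network" kind of rule that firewall.local can add).
red_accept_rules() {
    awk -v ifc="$RED_IF" -v p="$SSH_PORT" \
        '$3 == "ACCEPT" && $6 == ifc && ($0 !~ /dpt:/ || $0 ~ ("dpt:" p "($| )"))' "$1"
}

# Returns 0 when no RED ACCEPT rule reaches sshd, 1 when one does.
audit_ssh_exposure() {  # $1 = netstat file, $2 = iptables file
    for addr in $(ssh_listeners "$1"); do
        case "$addr" in
            0.0.0.0|::) echo "note: sshd binds $addr:$SSH_PORT; only the packet filter keeps RED out" ;;
        esac
    done
    rules=$(red_accept_rules "$2")
    [ -z "$rules" ] && return 0
    echo "EXPOSED: ACCEPT on $RED_IF reaches port $SSH_PORT:"; echo "$rules"
    return 1
}

# Constructed samples: a wildcard sshd listener, a ruleset that only allows GREEN,
# and a ruleset with a broad ACCEPT from a whole network on RED.
tmp=$(mktemp -d)
printf '%s\n' 'tcp 0 0 0.0.0.0:222 0.0.0.0:* LISTEN 0 9999 1234/sshd' > "$tmp/netstat"
printf '%s\n' 'Chain INPUT (policy DROP)' \
  '    0     0 ACCEPT     tcp  --  green0 *       0.0.0.0/0   0.0.0.0/0   tcp dpt:222' > "$tmp/ipt_clean"
printf '%s\n' 'Chain CUSTOMINPUT (1 references)' \
  '    0     0 ACCEPT     all  --  red0   *       203.0.113.0/24  0.0.0.0/0' > "$tmp/ipt_bad"
audit_ssh_exposure "$tmp/netstat" "$tmp/ipt_clean" && echo "clean ruleset: ok"
audit_ssh_exposure "$tmp/netstat" "$tmp/ipt_bad" || echo "broad RED accept: flagged"
```

Run it against the real command output saved to files; a rule with no dpt: match on red0 is the case where the WebGUI and SSH open up together.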

I checked the log summary and to my surprise found the following:

Remote user logins:

 Negotiation failed:
    no matching key exchange method found
       141.98.10.202: 1 Time
       209.141.58.169: 1 Time
       62.233.50.53: 2 Times
       92.255.85.28: 1 Time

 **Unmatched Entries**
 error: kex_exchange_identification: Connection closed by remote host : 7 Times
 error: kex_exchange_identification: banner line contains invalid characters : 1 Time

After this finding I have used this test: heise Security

The test then showed me a problem (marked red) with SSH and DNS.

I also saw under “Status” “Services” that IPS was no longer running.

After a restart everything is OK again. Also with the above test.
How can this be?

SSH Access was turned on (I had forgotten to turn it off). Now when I have SSH Access on, everything is OK too…, strange…

Again!

Presuming that you don’t have any firewall rules opening port 22 up to the red zone and that there are no rules doing something similar in /etc/sysconfig/firewall.local then I would suggest following the input from @pmueller in post 9 in this thread.
https://community.ipfire.org/t/how-to-disable-ssh-from-red/4030/9

This is very strange. I don’t have any corresponding firewall rules active. I have now run the network check from heise several times throughout the day. Everything OK. Then I just ran the test again and then again:


Port 22 is probably just not there because I have SSH off. I am sure that port 22 shows up as open when I turn SSH on.

Now I have rebooted IPFire and the test shows everything OK again.

How can this be?

Can you please check that too? Maybe others are affected too and just haven’t noticed?

Okay I just ran the Heise check and the only result I got was for ports 80 and 443 which is correct because I have a web server there and I have port forward firewall rules to get there.

My ssh was running and port 22 did not show up in the test, also not port 53 for DNS.

My IPFire has been running for 12 days since the last time that I rebooted it.

Thanks. Any idea?

I am afraid I don’t have any further ideas at the moment.

Maybe reinstall IPFire completely?
Currently everything OK. But tomorrow will certainly come the surprise again.