Good day,
I have just noticed a strange firewall rule in my IPFire setup, one that I KNOW I did not implement, and just want to ask if this is a rule installed by default or is my IPFire setup compromised somehow? The rule is first on the list and comprises the following:
Protocol: All
Source: 184.105.247.196 (Which directs to The Shadow Server Foundation)
Destination: Any
The rule is enabled.
Anyone who could shed some light on this rule please?
No that was not put there by IPFire. If you didn’t create it then delete it, or certainly at the very least disable it.
The only rule that is now installed by default in new installations from Core Update 182 is a rule that blocks outgoing traffic to the smtp port 25.
Your rule is a rule that is opening up your firewall to that IP to allow it to access any port on any zone in your network.
That IP is listed in the AbuseIP Database as definitely being a site that is being reported a lot for abuse.
You might well be compromised somewhere because that firewall rule has been added into your IPFire system and there are only two ways to access that - via the console with the root password or via the WUI via the admin password.
Personally I would do a fresh install and choose completely new passwords.
@bonnietwin Thank you for your reply, sir. I will definitely delete it immediately and check my system for any compromises. I am in the process of hardening my IPFire, so I don’t think a complete reinstall is necessary at the moment; I am going through the wiki page by page and following the instructions there. I will report back on any newly noticed compromises (which I may cause or have caused). Thank you again.
I just did some searching on that IP. It shows up on around 5 blacklists that I found from a general blacklist search of that IP.
It looks to be flagged as a spammer, probably looking to find systems that it can use to forward its spam through.
The reports I found indicated that it was showing up as a misconfigured mail server.
I would definitely want to understand how that rule was created. Look in your logs to see if there is anything that shows when and how that rule was created in the WUI page.
Also be aware if you have been compromised then depending on the nature of the malware it might well adjust the logs to remove evidence of its presence.
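One way to do the log check suggested above, as an added example that is not from this thread or from the IPFire project: it parses Apache-style WUI access log lines for POST requests to the firewall page and flags any that come from a host or browser you do not recognise. The log path (/var/log/httpd/access_log), the page name firewall.cgi and the sample lines are assumptions, constructed for the example; as noted above, it only helps if the logs themselves have not been tampered with.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache combined log format. On IPFire the WUI log
# is assumed to live at /var/log/httpd/access_log; firewall.cgi is assumed to
# be the firewall rules page. Two POSTs: one from the usual admin PC, one at
# night from a different host with a non-browser user agent.
SAMPLE_LOG = """\
192.168.1.20 - admin [12/Mar/2024:09:14:02 +0200] "GET /cgi-bin/index.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.20 - admin [12/Mar/2024:09:15:40 +0200] "POST /cgi-bin/firewall.cgi HTTP/1.1" 200 8210 "https://ipfire:444/cgi-bin/firewall.cgi" "Mozilla/5.0"
192.168.1.77 - admin [12/Mar/2024:23:41:05 +0200] "POST /cgi-bin/firewall.cgi HTTP/1.1" 200 8190 "-" "python-requests/2.31"
192.168.1.20 - admin [13/Mar/2024:08:02:11 +0200] "GET /cgi-bin/logs.cgi/log.dat HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def firewall_changes(log_text, known_hosts):
    """Return one record per POST to firewall.cgi (i.e. a rule add/edit/delete
    submitted through the WUI). A record is marked suspicious when the client
    is not one of the hosts you normally administer from, or when the user
    agent is not an ordinary browser."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST' or not m['path'].startswith('/cgi-bin/firewall.cgi'):
            continue
        when = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        hits.append({
            'when': when.isoformat(),
            'from': m['ip'],
            'user': m['user'],
            'agent': m['ua'],
            'suspicious': m['ip'] not in known_hosts or not m['ua'].startswith('Mozilla'),
        })
    return hits


if __name__ == '__main__':
    # On a real box: open('/var/log/httpd/access_log').read() instead of SAMPLE_LOG
    for h in firewall_changes(SAMPLE_LOG, known_hosts={'192.168.1.20'}):
        print(('SUSPICIOUS ' if h['suspicious'] else '           ') + f"{h['when']} {h['from']} {h['agent']}")
```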
@bonnietwin Thank you again, silly question, which logs would I look in to see if and when the rule was created? Apologies for the real newbie question but this really has me concerned so I would also want to know what is going on.
Change all passwords today. And redo from scratch any VPN and related account.
That is a good question. I have looked through and tried various things with changing rules and I cannot find the changes logged anywhere. It might be that the page itself is the log of what was done, and the user must have been admin with the admin password, because that is the only way to get to the WUI.
I agree with @pike_it to change both the root and the admin passwords and probably temporarily disable any VPN option in IPFire then when you are ready to re-enable them, best to clear the x509 root/host certificate set. It will also mean re-doing any client certificates but in this type of situation the more you can go back to a bare metal install the better.
@bonnietwin Thank you for the reply. Firstly, I do not use any VPN connections on my IPFire setup, so that is not an issue; my setup is a simple green → red configuration with a PPPoE connection, so I think I am just going to do a complete new installation. My backups will obviously be useless as the compromise will most likely be included in the backups. My issue personally is that in South Africa we have loadshedding (power outages), and that is happening today from 2PM till 4PM, so that messes my time up for the re-install.
This gives you time to… draft the steps of the reconfiguration.
And play back and forth for debugging the sequence, optimizing at best steps, timing and… parallelism.
Consider to do after a full system sweep of your devices. Probably useless, however IMVHO worth time spending.
@pike_it Not sure what parallelism means, LOL
As regards sweep of my devices, I have already done that, on my Windows 10 laptop, only one is connected right now and all clean as far as I can determine.
Related question on all this, when I re-do my installation can I use my domain name that I own for the ipfire hostname? As in home-ipfire.gmcomputers.co.za
I am not sure if you actually mean what you have written.
You enter both a hostname and a domain name in IPFire when installing.
What you have written looks like a FQDN (Fully Qualified Domain Name), ie it has a hostname followed by a domain name.
So then you would use home-ipfire as the hostname and gmcomputers.co.za as the domain name.
I do that on my IPFire. I have a sub-domain, from my son's domain name, that he has given to me, and that is what I use as the domain name on my IPFire system.
@bonnietwin Apologies, yes, what I am asking is using a REAL domain name as opposed to something like gmcomputers.local or localdomain.
Absolutely you can.
Apologies not needed. I just wanted to be certain I had understood what was wanted.
@bonnietwin Great, thank you!!
Because the FW rule mentioned was likely entered by human interaction, just don’t forget that ‘hardening’ means not only system configuration, but control of system access also.
If you haven’t opened the red interface before, the rule is defined from inside your local network.
@bbitsch I understand what you are saying, however, I am the only one that has access to the IPFire login. So it really is very strange that the rule was inserted in the first place. Regardless, I have now re-installed IPFire and changed all passwords, and currently have it set as incoming blocked and outgoing allowed. I am having a small issue with one port but I will start a new topic for that issue, thank you.