Unwanted WebGUI access via Internet

For some obscure reason I could access the WebGUI management console via the internet, even though the ports were not opened to the WAN side, and only set for internal abuse.
Ports 81 and 1013 had no entries in the firewall settings either, which means they should be ignored or dropped. Out of the 15-odd boxes I have running, only 3 suffered from this issue, 2 of which were fresh installs with the core141 ISO from two months ago, and one of these is a VM. Not all boxes are on the same cores, so I have not figured out what has caused it.

This is how to fix this issue with ipFire when the WebGUI is accessible from the outside world.

You can test to see if you are affected as well by trying to connect to your firewall from the outside as follows: open a browser and go to:

http://<Your live IP>:81

If it redirects you to the WebGUI, possibly moans about an insecure certificate, and prompts for a login, then you have a problem.
On the other hand, if it times out, you are fine.

First thing to do is check on the firewall what ports your server is listening on.

ssh -p 222 root@<Your FW IP>

lsof -i -P -n | grep LISTEN

You should see something along the lines of:

httpd    1218 nobody    3u  IPv4    33056       TCP *:81 (LISTEN)
httpd    1218 nobody    4u  IPv4    33058       TCP *:444 (LISTEN)
httpd    1218 nobody    5u  IPv4    33060       TCP *:1013 (LISTEN)
sshd     4912   root    3u  IPv4    30412       TCP *:222 (LISTEN)
httpd    5024   root    3u  IPv4    33056       TCP *:81 (LISTEN)
httpd    5024   root    4u  IPv4    33058       TCP *:444 (LISTEN)
httpd    5024   root    5u  IPv4    33060       TCP *:1013 (LISTEN)
squid   13593  squid   20u  IPv4 74184535       TCP <Green0 IP>:800 (LISTEN)
squid   13593  squid   21u  IPv4 74184536       TCP <Green0 IP>:801 (LISTEN)
unbound 16531 nobody    4u  IPv4 72225765       TCP *:53 (LISTEN)
unbound 16531 nobody    5u  IPv4 72225766       TCP 127.0.0.1:8953 (LISTEN)

What we want to do is let the server listen on 81 and 444 from the internal network only, and not on *.

vi /etc/httpd/conf/listen.conf

Listen <Insert LAN IP>:81
Listen <Insert LAN IP>:444

For example, if the Green0 gateway IP of your firewall is 192.168.1.1 it would look like

Listen 192.168.1.1:81
Listen 192.168.1.1:444

/etc/rc.d/init.d/apache restart

If Apache fails to restart, run the same command with stop and then again with start.

To see if the port configuration has been changed correctly do a check

lsof -i -P -n | grep LISTEN

It should now look something like this if the gateway IP was 192.168.1.1

sshd     4912   root    3u  IPv4    30412       TCP *:222 (LISTEN)
squid   13593  squid   20u  IPv4 74184535       TCP 192.168.1.1:800 (LISTEN)
squid   13593  squid   21u  IPv4 74184536       TCP 192.168.1.1:801 (LISTEN)
unbound 16531 nobody    4u  IPv4 72225765       TCP *:53 (LISTEN)
unbound 16531 nobody    5u  IPv4 72225766       TCP 127.0.0.1:8953 (LISTEN)
httpd   20470   root    3u  IPv4 74214732       TCP 192.168.1.1:81 (LISTEN)
httpd   20470   root    4u  IPv4 74214734       TCP 192.168.1.1:444 (LISTEN)
httpd   20470   root    5u  IPv4 74214736       TCP *:1013 (LISTEN)
httpd   20472 nobody    3u  IPv4 74214732       TCP 192.168.1.1:81 (LISTEN)
httpd   20472 nobody    4u  IPv4 74214734       TCP 192.168.1.1:444 (LISTEN)
httpd   20472 nobody    5u  IPv4 74214736       TCP *:1013 (LISTEN)

What I have noticed is that if your server redirected the 81 -> 444 traffic on externals, then it will also let you connect to 1013 externally. This is irrespective of whether you have configured the captive portal or left it disabled. This should not be a problem, but if you are paranoid and wish to prevent connections to it, just kill the port

kill $(lsof -t -i:1013)

You may want to add that line to /etc/sysconfig/rc.local so that it removes it at the next restart, or you may sit with the same problem again.

I have not found where ipFire keeps the config for the captive portal or where it gets port tcp/1013 from, someone else may want to shed light on this. …hint, hint :slight_smile:
Then you could make a change and have it listen local (Green0) only instead of the world.

I hope this is helpful for those wondering wtf is happening, and how to fix it. Cheers!

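As an added example that is not part of the original post or of IPFire itself, the following script turns the lsof check above into a repeatable audit: it parses lsof-style LISTEN output, flags any of the WebGUI ports (81, 444, 1013, as discussed in the thread) that are bound to "*" instead of a specific address, and prints the Listen lines that pin them to the Green0 IP. The two sample outputs are constructed to mirror the before/after listings shown above; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from IPFire itself.
# Audit lsof-style LISTEN output for WebGUI ports bound to every address ("*")
# instead of the Green0 IP only. Ports 81, 444 and 1013 are the ones the
# thread discusses; the sample outputs below are constructed to mirror it.

GUI_PORTS="81 444 1013"

# Constructed sample: the "before" state from the thread (all three on "*").
SAMPLE_BEFORE='httpd    1218 nobody    3u  IPv4    33056       TCP *:81 (LISTEN)
httpd    1218 nobody    4u  IPv4    33058       TCP *:444 (LISTEN)
httpd    1218 nobody    5u  IPv4    33060       TCP *:1013 (LISTEN)
sshd     4912   root    3u  IPv4    30412       TCP *:222 (LISTEN)
squid   13593  squid   20u  IPv4 74184535       TCP 192.168.1.1:800 (LISTEN)
unbound 16531 nobody    5u  IPv4 72225766       TCP 127.0.0.1:8953 (LISTEN)'

# Constructed sample: after fixing listen.conf, only 1013 (captive.conf) is left on "*".
SAMPLE_AFTER='httpd   20470   root    3u  IPv4 74214732       TCP 192.168.1.1:81 (LISTEN)
httpd   20470   root    4u  IPv4 74214734       TCP 192.168.1.1:444 (LISTEN)
httpd   20470   root    5u  IPv4 74214736       TCP *:1013 (LISTEN)
httpd   20472 nobody    5u  IPv4 74214736       TCP *:1013 (LISTEN)'

# wildcard_gui_ports: reads lsof output on stdin and prints, one per line and
# without duplicates (httpd shows each socket once per process), every GUI
# port whose listening address is "*".
wildcard_gui_ports() {
    awk -v ports="$GUI_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /\(LISTEN\)/ {
            name = $(NF - 1)              # NAME column, e.g. "*:81" or "192.168.1.1:444"
            port = name; sub(/.*:/, "", port)       # strip everything up to the last ":"
            addr = name; sub(/:[0-9]+$/, "", addr)  # strip the trailing ":port"
            if (addr == "*" && (port in want) && !(port in seen)) {
                seen[port] = 1
                print port
            }
        }'
}

# exposure_summary: wildcard ports as one space-separated string, or "none"
# when every GUI port is bound to a specific address.
exposure_summary() {
    result=$(wildcard_gui_ports | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$result" ]; then
        printf '%s\n' "$result"
    else
        printf 'none\n'
    fi
}

# listen_lines: the Listen directives that pin the given ports to the Green0
# address, i.e. what /etc/httpd/conf/listen.conf should contain.
listen_lines() {
    green_ip=$1; shift
    for port in "$@"; do
        printf 'Listen %s:%s\n' "$green_ip" "$port"
    done
}

# Stand-alone demo on the constructed samples; on a real box, pipe
# `lsof -i -P -n | grep LISTEN` into wildcard_gui_ports instead.
printf 'before fix: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | exposure_summary)"
printf 'after fix:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER" | exposure_summary)"
listen_lines 192.168.1.1 81 444
```

The "after" sample still reports 1013, which matches the thread's observation that the captive portal vhost keeps its own wildcard Listen until captive.conf is changed as well.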

Hi,

You can test to see if you are affected as well by trying to connect to your firewall from the outside as follows: open a browser and go to:

http://<Your live IP>:81

unfortunately, I am unable to reproduce anywhere. Port 81 is filtered if accessed from RED.

Since this sounds like it is related to the Captive Portal: Do you have it configured on all of those systems which are affected by this issue?

Thanks, and best regards,
Peter Müller

grep 1013 /etc/httpd/conf/vhosts.d/captive.conf
Listen 1013
<VirtualHost *:1013>

Hi Peter

The port that I saw open was TCP/81.
When I checked on the server externally, it redirected me to TCP/444 with the login for the WebGUI. This should not be accessible from the outside world. Port TCP/81 is not open under the firewall entries, which means the servers should not be listening on it. TCP/444 is open, but only from the Green network.

Btw, another box from a friend has the same issue, I never touched it, so not my handy work :smiley:

The captive portal is disabled and not configured on any of the 3 boxes. However, I checked it externally just for fun, to see if that also works, and it did. There is no entry in the firewall for TCP/1013, so again it should not allow any connection to it, external nor internal.

Hi Krasnal

Thanks, that helps. So changing the entry to

Listen <Insert LAN IP>:1013

Should fix that problem as well. Definitely more elegant than my mallet and blowtorch approach.

Hi,

The port that I saw open was TCP/81.
When I checked on the server externally, it redirected me to TCP/444 with the login for the WebGUI. This should not be accessible from the outside world. Port TCP/81 is not open under the firewall entries, which means the servers should not be listening on it. TCP/444 is open, but only from the Green network.

all right, in order to find out what is going wrong here, could you please provide us

  • the output of iptables -L -n -v
  • a screenshot of the firewall rules page
  • a screenshot of the firewall options page?

Thanks, and best regards,
Peter Müller

Hi Peter,

Sure… this is from the VM machine, not in full use yet, only the basics. Still working on the backend servers for the client, the rest of the fw rules will come once I am ready for test run with them.

The current iptables in use. Changed the live IP to RED0 IP, otherwise nothing changed.

# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
7412K 1656M BADTCP     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
  11M 2168M CUSTOMINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
7722K 1891M P2PBLOCK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
7722K 1891M GUARDIAN   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
7722K 1891M IPS_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
19635 2473K OVPNBLOCK  all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
3993K  954M IPTVINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3993K  954M ICMPINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3993K  954M LOOPBACK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3950K  951M CAPTIVE_PORTAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3950K  951M CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 164K   13M DHCPGREENINPUT  all  --  green0 *       0.0.0.0/0            0.0.0.0/0           
2129K  105M GEOIPBLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2129K  105M IPSECINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2129K  105M GUIINPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2129K  105M WIRELESSINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
2129K  105M OVPNINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2128K  105M TOR_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2128K  105M INPUTFW    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1925K   93M REDINPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1925K   93M POLICYIN   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22 flags:0x17/0x02 limit: avg 1/min burst 1
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22 flags:0x17/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:222 flags:0x17/0x02 limit: avg 1/min burst 1
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:222 flags:0x17/0x02
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  20M 1170M BADTCP     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
  19M  782M TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
  26M 1894M CUSTOMFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1304K  389M P2PBLOCK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1300K  385M GUARDIAN   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1300K  385M IPS_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1159K  376M IPSECBLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol none
 128K   16M OVPNBLOCK  all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
 101K   83M OVPNBLOCK  all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           
1159K  376M IPTVFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1159K  376M LOOPBACK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1159K  376M CAPTIVE_PORTAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1159K  376M CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 191K   12M GEOIPBLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 191K   12M IPSECFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 191K   12M WIRELESSFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
 191K   12M FORWARDFW  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 191K   12M UPNPFW     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
 191K   12M REDFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 191K   12M POLICYFWD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
7535K 1209M CUSTOMOUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
7535K 1209M P2PBLOCK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
7535K 1209M IPS_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3884K  622M IPSECBLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol none
3884K  622M LOOPBACK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3841K  619M CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   26  1832 DHCPGREENOUTPUT  all  --  *      green0  0.0.0.0/0            0.0.0.0/0           
 594K   57M IPSECOUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 594K   57M TOR_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 594K   57M OUTGOINGFW  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 594K   57M POLICYOUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain BADTCP (2 references)
 pkts bytes target     prot opt in     out     source               destination         
20750 1156K RETURN     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x37
    4   224 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    4   208 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x01
  154  7932 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    6   312 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    2   120 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
 250K   47M NEWNOTSYN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW

Chain CAPTIVE_PORTAL (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CAPTIVE_PORTAL_CLIENTS (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 limit: up to 3kb/s burst 1mb mode srcip
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 limit: up to 3kb/s burst 1mb mode srcip
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain CONNTRACK (3 references)
 pkts bytes target     prot opt in     out     source               destination         
4536K 1614M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
 510K   36M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 990K  123M ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED helper match "sip"
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED helper match "h323"
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED helper match "ftp" tcp dpts:1024:65535
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED helper match "tftp"
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED helper match "irc"

Chain CUSTOMFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set accept_southafrica dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set sslbl dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set ssh-block dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set spamhaus_edrop dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set spamhaus_drop dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set spambot_crawlers dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set mail-block dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set imap-block dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set feodo dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set emergingthreats dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set dshield_1d dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set cidr_report_bogons dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set bruteforcelogin dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set bambenek_c2 dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set apache-block dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set 10day-block dst

Chain CUSTOMINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 5955  563K ACCEPT     all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set accept_southafrica src
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set sslbl src
  647 37093 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set ssh-block src
    3   120 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set spamhaus_edrop src
   34  1360 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set spamhaus_drop src
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set spambot_crawlers src
   67  2723 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set mail-block src
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set imap-block src
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set feodo src
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set emergingthreats src
 1252 51300 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set dshield_1d src
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set cidr_report_bogons src
    6   262 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set bruteforcelogin src
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set bambenek_c2 src
    2    80 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set apache-block src
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set 10day-block src
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
  230 30841 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
  503 37148 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain CUSTOMOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set accept_southafrica dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set sslbl dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set ssh-block dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set spamhaus_edrop dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set spamhaus_drop dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set spambot_crawlers dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set mail-block dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set imap-block dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set feodo dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set emergingthreats dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set dshield_1d dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set cidr_report_bogons dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set bruteforcelogin dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set bambenek_c2 dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set apache-block dst
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set 10day-block dst

Chain DHCPBLUEINPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DHCPBLUEOUTPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DHCPGREENINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DHCPGREENOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DHCPINPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:68 dpt:67

Chain DHCPOUTPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:67 dpt:68

Chain FORWARDFW (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       192.168.0.2          192.168.0.3          tcp dpt:25

Chain GEOIPBLOCK (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain GUARDIAN (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain GUIINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  green0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:444

Chain ICMPINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain INPUTFW (1 references)
 pkts bytes target     prot opt in     out     source               destination         
94329 5657K LOG        tcp  --  *      *       0.0.0.0/0            RED0 IP        tcp dpt:222 limit: avg 10/sec burst 20 LOG flags 0 level 4 prefix "INPUTFW "
94329 5657K ACCEPT     tcp  --  *      *       0.0.0.0/0            RED0 IP        tcp dpt:222
    0     0 LOG        udp  --  *      *       0.0.0.0/0            RED0 IP        udp dpt:1194 limit: avg 10/sec burst 20 LOG flags 0 level 4 prefix "INPUTFW "
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            RED0 IP        udp dpt:1194

Chain IPSECBLOCK (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPSECFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPSECINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPSECOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPS_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 NFQUEUE    all  --  red0   red0    0.0.0.0/0            0.0.0.0/0            mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:1 bypass cpu-fanout
  711 59449 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x8fffffff

Chain IPS_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 6636  464K NFQUEUE    all  --  red0   *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:1 bypass cpu-fanout
 7018  485K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x8fffffff

Chain IPS_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 5160  565K NFQUEUE    all  --  *      red0    0.0.0.0/0            0.0.0.0/0            mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:1 bypass cpu-fanout
 5603  615K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x8fffffff

Chain IPTVFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPTVINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain LOG_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG_REJECT (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LOOPBACK (3 references)
 pkts bytes target     prot opt in     out     source               destination         
42779 3004K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
42826 3009K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            127.0.0.0/8         

Chain NEWNOTSYN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 249K   47M LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_NEWNOTSYN "
 250K   47M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_NEWNOTSYN */

Chain OUTGOINGFW (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       RED0 IP        192.168.0.2          tcp spt:25 dpt:25

Chain OVPNBLOCK (3 references)
 pkts bytes target     prot opt in     out     source               destination         
  200 12100 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED

Chain OVPNINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1004 83101 ACCEPT     udp  --  red0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194

Chain P2PBLOCK (3 references)
 pkts bytes target     prot opt in     out     source               destination         
   63  7338 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m ipp2p  --edk  --dc  --gnu  --kazaa  --bit  --apple  --soul  --winmx  --ares 

Chain POLICYFWD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
17017 1278K ACCEPT     all  --  green0 *       192.168.0.0/24       0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
  792 59939 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
   92  7708 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_FORWARD "
   95  7897 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_FORWARD */

Chain POLICYIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    6   197 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:514
 115K 9338K ACCEPT     all  --  green0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
   90  6028 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
 907K   40M LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_INPUT "
 926K   42M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_INPUT */

Chain POLICYOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 286K   27M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_OUTPUT */

Chain PSCAN (7 references)
 pkts bytes target     prot opt in     out     source               destination         
  170  8796 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_TCP PScan */ LOG flags 0 level 4 prefix "DROP_TCP Scan "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_UDP PScan */ LOG flags 0 level 4 prefix "DROP_UDP Scan "
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_ICMP PScan */ LOG flags 0 level 4 prefix "DROP_ICMP Scan "
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_FRAG PScan */ LOG flags 0 level 4 prefix "DROP_FRAG Scan "
  170  8796 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_PScan */

Chain REDFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain REDINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain TOR_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain TOR_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain UPNPFW (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain WIRELESSFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain WIRELESSINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination  

FW rules screenshot

The policies will change in future to blocked, with entries on what will be allowed. Unrelated to the issue though.

And lastly the FW options page

I don’t spot anything that would permit 81, 444, 1013, access over the WAN…

cheers
Andreas

http:// Your live IP:81 will work because you’re accessing from green0. Red0 will not, should not, work. Use https://www.grc.com/shieldsup to really scan.
Your screenshot of the firewall options page is incomplete at the bottom. According to the screenshot of the firewall rules page, you’re allowing EVERYTHING through the firewall! Policy should be Blocked.
You don’t have to, shouldn’t have to, edit any files.
PS. Your Firewall Rule from and to the same network, 0.2 - 0.3, doesn’t do anything. ?


Hi,

http:// Your live IP:81 will work because your accessing from green0.

ah yes, glad you caught that. This is a bit awkward, but should not be dangerous as connections from the internet will be dropped indeed. Could you please confirm this?

Use https://www.grc.com/shieldsup to really scan.

Yes, running a portscan from another host on the internet is the best method of detecting/clarifying such issues.

Further, your first firewall rule (192.168.0.2 -> 192.168.0.3) will not have any effect indeed.

You are allowing access to IPFire’s SSH server from RED. This is dangerous. Please consider using a VPN instead.

To my knowledge, you do not need to open port 1194 for OpenVPN, as this will automatically happen if OpenVPN service is enabled.

Thanks, and best regards,
Peter Müller

That is correct, and that is what is happening, only stops when I make the listen changes.

I did not access it from green0. I am/was outside the network when I accessed it via 81. After I got to the WebGUI, I got suspicious and SSH’d into the machine, and only then did a check to see what ports it was listening on.

Regarding the GRC scan…

This is a VM machine, so will have to see how I can do the scan thing from internal. No windows workstations there. I’ll do the scan on another FW that has a few windows workstations in the network, that experienced the same problem. Will give a few open ports, but 81 should not be one of them, as I have closed it with the Listen entry. I won’t post its FW rule screenshot as it is long… really looooong, and has no 81 entry, policy is blocked.

Thanks for making me aware of that. It’s a work in progress and there will be more rules to come, which will lock things down completely to only the services needed.
I did this more as a reminder to myself what machine is doing what on the backend, as the config console from the DC does not always show useful information to me (still learning the new system, nothing like cpanel etc.) Work in progress more rules to still come…

True, and on other machines they are, this one is in the configuration stage. Nothing behind it that will chat to the world except on tcp/25. Everything else, at this stage, needs to be accessed via VPN.
I can post a screen shot (kms long) of a machine that is complete, and has no entry for 81, and yet still permitted external access. All policies are on Blocked.

Yip, I am aware of that. However it is secured, you need a key, the machine only accepts access from GeoIP SA, and does not respond to passwords or pass-phrases. It’s rate limited, and will automatically abuse report any brute-force attempts after blocking the aggressor.

This is an old habit of mine, adding in ports as I need them, when I need them… comes from way back when, when these ports were not auto opened. Does no harm having them :smiley:

So we are back to the original “will not, should not, work” statement… :slight_smile:

This is a VM machine, so will have to see how i can do the scan thing from internal.

Just scan the machines’ current public IP address (by using nmap, for example) and post the output here.

As requested, this is after I have added in the Listen green0:81 entries, which stops the WebGUI access… I’ll go change it back to the original and do another scan.

# nmap -v -p1-65535 197.157.x.x
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-18 21:39 SAST
Initiating Ping Scan at 21:39
Scanning 197.157.x.x [4 ports]
Completed Ping Scan at 21:39, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:39
Completed Parallel DNS resolution of 1 host. at 21:39, 9.85s elapsed
Initiating SYN Stealth Scan at 21:39
Scanning 197.157.x.x [65535 ports]
Discovered open port 53/tcp on 197.157.x.x
Discovered open port 222/tcp on 197.157.x.x
SYN Stealth Scan Timing: About 20.07% done; ETC: 21:42 (0:02:03 remaining)
SYN Stealth Scan Timing: About 48.49% done; ETC: 21:41 (0:01:05 remaining)
Completed SYN Stealth Scan at 21:41, 103.91s elapsed (65535 total ports)
Nmap scan report for 197.157.x.x
Host is up (0.0073s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
222/tcp open  rsh-spx

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 113.99 seconds
           Raw packets sent: 131153 (5.771MB) | Rcvd: 130 (7.604KB)

And again after I have changed /etc/httpd/conf/listen.conf back to
Listen 81
Listen 444

# nmap -v -p1-65535 197.157.x.x
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-18 21:56 SAST
Initiating Ping Scan at 21:56
Scanning 197.157.x.x [4 ports]
Completed Ping Scan at 21:56, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:56
Completed Parallel DNS resolution of 1 host. at 21:56, 8.08s elapsed
Initiating SYN Stealth Scan at 21:56
Scanning 197.157.x.x [65535 ports]
Discovered open port 53/tcp on 197.157.x.x
SYN Stealth Scan Timing: About 20.61% done; ETC: 21:58 (0:01:59 remaining)
SYN Stealth Scan Timing: About 49.11% done; ETC: 21:58 (0:01:03 remaining)
Discovered open port 444/tcp on 197.157.x.x
Discovered open port 222/tcp on 197.157.x.x
Discovered open port 81/tcp on 197.157.x.x
Completed SYN Stealth Scan at 21:57, 104.25s elapsed (65535 total ports)
Nmap scan report for 197.157.x.x
Host is up (0.0066s latency).
Not shown: 65531 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
81/tcp  open  hosts2-ns
222/tcp open  rsh-spx
444/tcp open  snpp

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 112.53 seconds
           Raw packets sent: 131149 (5.771MB) | Rcvd: 108 (5.756KB)

Ok, forgot to undo the Listen instruction on TCP/1013 but that would not make any difference to the scan except add it to the list of open ports.

That should not happen indeed. Did you run the scan from a machine located in South Africa?

Chain CUSTOMINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 5955  563K ACCEPT     all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set accept_southafrica src

It looks like this rule allows any traffic coming from South African IP address space, including those to port 81. (By the way: We do not recommend such modifications.)

Could you please remove this rule and check again?
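As an added check (not part of this thread or of IPFire itself), the snippet below parses the `iptables -L -v -n` chain dump format shown above and flags ACCEPT rules that enter on the WAN interface with no port restriction, which is exactly the shape of the `match-set accept_southafrica src` rule that let port 81 through. The sample dump is constructed for the example; the interface name `red0` is taken from the thread.

```python
import re

# Constructed sample, modelled on the chain dump posted in the thread (not a real capture).
SAMPLE_DUMP = """\
Chain CUSTOMINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5955  563K ACCEPT     all  --  red0   *       0.0.0.0/0            0.0.0.0/0            match-set accept_southafrica src
    0     0 ACCEPT     tcp  --  red0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    0     0 ACCEPT     udp  --  red0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 443,465,993

Chain REDINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

# One rule line of `iptables -L -v -n`: nine fixed columns, then free-form match text.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\S+)\s+(?P<bytes>\S+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)
# Any destination-port qualifier iptables prints: "dpt:81", "dpts:80:90", "multiport dports ..."
PORT_RE = re.compile(r"\b(dpt:|dpts:|dports\s)")


def parse_chains(dump):
    """Return {chain_name: [rule_dict, ...]} from `iptables -L -v -n` output."""
    chains, current = {}, None
    for line in dump.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line.strip() and not line.startswith(" pkts"):
            m = RULE_RE.match(line)
            if m:
                chains[current].append(m.groupdict())
    return chains


def broad_wan_accepts(chains, wan_if="red0"):
    """Flag ACCEPT rules that come in on the WAN interface and match every port."""
    findings = []
    for name, rules in chains.items():
        for r in rules:
            if r["target"] != "ACCEPT" or r["in"] != wan_if:
                continue
            if not PORT_RE.search(r["extra"]):
                findings.append((name, r["prot"], r["extra"].strip()))
    return findings


if __name__ == "__main__":
    for chain, proto, match in broad_wan_accepts(parse_chains(SAMPLE_DUMP)):
        print(f"{chain}: ACCEPT {proto} from red0 with no port restriction ({match})")
```

Feed it the real dump with `iptables -L -v -n` piped into `parse_chains`; every flagged rule opens whatever the box is listening on, so it is those rules, not only the Listen directives, that decide what red0 exposes.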

Flushed the rule, removed the Listen mod, and it’s behaving as it’s supposed to. No WebGUI access.
Thanks Peter, that seemed to do it.

Now the question, all my machines are in SA, they all have the same base fw rules build up. Only 3 machines have shown that they permitted access to 81/444 if the httpd conf has not been edited to listen on green0, none of the others.
Why would that be, when all have the same permit SA IP access rule? The mind boggles…

Maybe I am misunderstanding the rules, looking at the whole iptables buildup…. :thinking:

That rule for SA is at the end of a whole long list of things, and its purpose is to prevent SA IPs from being blacklisted, a whitelist so to speak.
It does not give access to ports or services that have not been specifically opened already for the rest of the internet.
Not the wisest thing to do, I agree, it does however keep the road-warriors from calling me due to their dodgy internet connection that gets them blocked for a 24hr period.
Side note, all questionable traffic I have spotted in the logs has never originated from a SA IP, with the exception of a few trojan infected machines that went ballistic.

Well… I guess I could change the SA rule to limit it to specific ports only….
from

# Accept Country CIDR ipset lists
#
/sbin/iptables -I CUSTOMFORWARD -i red0 -m set --match-set accept_southafrica dst -j ACCEPT
/sbin/iptables -I CUSTOMINPUT -i red0 -m set --match-set accept_southafrica src -j ACCEPT
/sbin/iptables -I CUSTOMOUTPUT -i red0 -m set --match-set accept_southafrica dst -j ACCEPT

to something like this

# Accept Country CIDR ipset lists
# (port lists need the multiport match and a space after --dport/--dports;
#  on the OUTPUT path the interface is the outgoing one, so -o, not -i)
/sbin/iptables -A CUSTOMFORWARD -p tcp -m multiport --dports 443,465,993 -i red0 -m set --match-set accept_southafrica dst -j ACCEPT
/sbin/iptables -A CUSTOMINPUT -p tcp -m multiport --dports 443,465,993 -i red0 -m set --match-set accept_southafrica src -j ACCEPT
/sbin/iptables -A CUSTOMOUTPUT -p tcp -m multiport --dports 443,465,993 -o red0 -m set --match-set accept_southafrica dst -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p udp --dport 1194 -i red0 -m set --match-set accept_southafrica dst -j ACCEPT
/sbin/iptables -A CUSTOMINPUT -p udp --dport 1194 -i red0 -m set --match-set accept_southafrica src -j ACCEPT
/sbin/iptables -A CUSTOMOUTPUT -p udp --dport 1194 -o red0 -m set --match-set accept_southafrica dst -j ACCEPT

Will have to brush up on that and see which ports are actually the crucial ones.

Solution…

This was a problem of my own making. It seems that adding a firewall Accept rule for a GeoIP location caused this weird behaviour.
Why only 3 out of 20 fw responded this way is still unknown…. but it’s fair to say I was the muppet that caused it. :smirk:

Whilst editing the files /etc/httpd/conf/listen.conf and /etc/httpd/conf/vhosts.d/captive.conf to include your Green0 IP, i.e. Listen 192.168.1.1:81, would be good security practice, it has repercussions. Should you decide to change your IP range within the LAN, for whatever obscure reason, you would not be able to gain access to the WebGUI until you have changed it accordingly on the console.

Wish you all a wonderful day.
Cheers

Hi,

That rule for SA is at the end of a whole long list of things, which is to prevent SA IPs from being added to a blacklisted, a Whitelist so to speak.

this and the iptables output you have posted suggest you were making custom changes to your system (blacklist patch by Tim FitzGeorge?), which we do not consider to be safe for production, yet.

Not the wises things to do I agree, it does however keep the road-warriors from calling me due to their dodgy internet connection that gets them blocked for a 24hr period.

Hm, if you know where they are coming from, you might want to whitelist CIDR(s) rather than a whole country, but this is often impossible or at least impractical. Why can’t they use a VPN? Opening a VPN service to the whole internet causes a smaller attack vector rather than exposing (mail) services.

Anyway, glad this issue has been solved by itself and we do not have a security problem in IPFire. :slight_smile:

Thanks, and best regards,
Peter Müller

moin Peter

Actually the saga started with me discovering IPSET a few years ago
https://forum.ipfire.org/viewtopic.php?f=27&t=18021
Erik provided valuable assistance…

I just thought if the blacklist (drop) works, then I should be able to change it to permit access from certain countries instead. Clearly my idea was not followed through to completion and needs some serious rethinking.

Will check up on Tim’s stuff, thanks for that hint :slight_smile:

Yeah I could do that but that would be too easy… just kidding, unfortunately the users are not on fixed IPs. The VPN option sounds good, but with the amount of devices used (and exchanged without talking to IT) it would be a logistical nightmare…nope, not going to happen. I have enough grey hairs from my kids, don’t need to add them from the work kids.

:grin: sorry for the shock-therapy…good for the blood circulation though, blow out some cobwebs.

Cheers, and have a lekker weekend
Andi

Hi,

just kidding, unfortunately the users are not on fixed IPs.

yes, this makes things more complicated as most ISPs are not just using a /16 or so for their dial-up assignments.

The VPN option sounds good, but with the amount of devices used (and exchanged without talking to IT) it would be a logistical nightmare…nope, not going to happen. I have enough grey hairs from my kids, don’t need to add them from the work kids.

Although I got the point, you might want to successively migrate your clients to VPN anyway. That way, you are dealing with authenticated connections, which, for example, makes it easier to track down abuse to one specific client.

:grin: sorry for the shock-therapy…good for the blood circulation though, blow out some cobwebs.

No worries, we just take security seriously here (surprise! :wink: ).

Thanks, and best regards,
Peter Müller