linda@heksebua.com
2008-Nov-07 07:03 UTC
Blacklisted addresses (range) get through anyway
I've blocked an IP-range in my blacklist-file. The row in the file looks like this:

88.191.0.0/16

This should block any and all traffic from addresses in the range 88.191.0.0-88.191.255.255 but they still get through to perform brute force attacks on my SSH server.

Here's an example from my auth.log for yesterday:

Nov 4 20:14:39 dolly sshd[3532]: Invalid user ttf from 88.191.99.69
Nov 4 20:14:41 dolly sshd[3532]: Failed password for invalid user ttf from 88.191.99.69 port 37898 ssh2

Why is this, and how can I fix it?

Best Wishes

Linda

shorewall version: 4.2.1

ip addr show:
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:3c:12:f3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.102/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::208:a1ff:fe3c:12f3/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:a6:b0:fc:42 brd ff:ff:ff:ff:ff:ff
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

ip route show:
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.102
default via 192.168.0.1 dev eth1
Prasanna Krishnamoorthy
2008-Nov-07 08:11 UTC
Re: Blacklisted addresses (range) get through anyway
We certainly would need a shorewall dump to figure this out.

Prasanna.

On Fri, Nov 7, 2008 at 12:33 PM, <linda@heksebua.com> wrote:
> I've blocked an IP-range in my blacklist-file. The row in the file looks
> like this:
> 88.191.0.0/16
>
> This should block any and all traffic from addresses in the range
> 88.191.0.0-88.191.255.255 but they still get through to perform brute
> force attacks on my SSH server.
>
> Here's an example from my auth.log for yesterday:
> Nov 4 20:14:39 dolly sshd[3532]: Invalid user ttf from 88.191.99.69
> Nov 4 20:14:41 dolly sshd[3532]: Failed password for invalid user ttf
> from 88.191.99.69 port 37898 ssh2
>
> Why is this, and how can I fix it?
>
> Best Wishes
>
> Linda
>
> shorewall version: 4.2.1
>
> ip addr show:
> 1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:08:a1:3c:12:f3 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.102/24 brd 192.168.0.255 scope global eth1
>     inet6 fe80::208:a1ff:fe3c:12f3/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast
> qlen 1000
>     link/ether 00:0e:a6:b0:fc:42 brd ff:ff:ff:ff:ff:ff
> 4: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
>
> ip route show:
> 192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.102
> default via 192.168.0.1 dev eth1
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Want to manage multiple office networks?
Want to securely connect all your locations?
Want to do it in a budget?
www.elinanetworks.com
linda@heksebua.com
2008-Nov-07 08:30 UTC
Re: Blacklisted addresses (range) get through anyway
I've attached the dump as a text file.

Best Wishes

Linda

> We certainly would need a shorewall dump to figure this out.
>
> Prasanna.
Prasanna Krishnamoorthy
2008-Nov-07 08:49 UTC
Re: Blacklisted addresses (range) get through anyway
On Fri, Nov 7, 2008 at 2:00 PM, <linda@heksebua.com> wrote:
>> On Fri, Nov 7, 2008 at 12:33 PM, <linda@heksebua.com> wrote:
>>> I've blocked an IP-range in my blacklist-file. The row in the file looks
>>> like this:
>>> 88.191.0.0/16

Do you have blacklist in the interfaces file for the WAN interface?

Prasanna.
linda@heksebua.com
2008-Nov-07 08:57 UTC
Re: Blacklisted addresses (range) get through anyway
Yes. All the regular entries work.

> Do you have blacklist in the interfaces file for the WAN interface?
>
> Prasanna.
Prasanna Krishnamoorthy
2008-Nov-07 09:23 UTC
Re: Blacklisted addresses (range) get through anyway
Weird,

There's no blacklist chain in your dump. I have 4.0 and there's a blacklist chain created with a drop from this subnet.

Not sure if this is a regression in 4.2.x that you're using.

Prasanna.

On Fri, Nov 7, 2008 at 2:27 PM, <linda@heksebua.com> wrote:
> Yes. All the regular entries work.
Prasanna Krishnamoorthy wrote:
> Weird,
>
> There's no blacklist chain in your dump. I have 4.0 and there's a
> blacklist chain created with a drop from this subnet.
>
> Not sure if this is a regression in 4.2.x that you're using.

I'm betting that the 'blacklist' option is not specified on the external interface in /etc/shorewall/interfaces.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \ -Herbert Spencer
http://shorewall.net \________________________________________________
linda@heksebua.com
2008-Nov-07 18:36 UTC
Re: Blacklisted addresses (range) get through anyway
Apparently I was wrong, and when I put the blacklist option in there, the whole thing went haywire. It said something about not finding blacklog.so I can't seem to find the error message in my logs. I had to remove the blacklist option again to get shorewall to start. I hope you can help me with this config problem.

Linda

> Yes. All the regular entries work.
>
>> Do you have blacklist in the interfaces file for the WAN interface?
>>
>> Prasanna.
linda@heksebua.com wrote:
> Apparently I was wrong, and when I put the blacklist option in there, the
> whole thing went haywire. It said something about not finding blacklog.so
> I can't seem to find the error message in my logs. I had to remove the
> blacklist option again to get shorewall to start. I hope you can help me
> with this config problem.

Please see http://www.shorewall.net/troubleshoot.htm#Start for tips about troubleshooting start errors.

And http://www.shorewall.net/support.htm#Guidelines if you can't determine what is wrong.

-Tom
linda@heksebua.com
2008-Nov-07 20:03 UTC
Re: Blacklisted addresses (range) get through anyway
I was wrong, and when I put it there, shorewall refused to start, saying something about iptables and blacklog. I had to remove it again.

Linda

> I'm betting that the 'blacklist' option is not specified on the external
> interface in /etc/shorewall/interfaces.
>
> -Tom
linda@heksebua.com
2008-Nov-07 20:08 UTC
Re: Blacklisted addresses (range) get through anyway
Weird. I just added the blacklist option again and restarted shorewall. And this time everything worked fine. If they continue to get through, I'll contact the list again. But for now, it's solved.

Linda
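Added example, not part of the thread and not Shorewall code: a Python check for the situation resolved above, where a blacklist row has no effect until the 'blacklist' option is set on the external interface in /etc/shorewall/interfaces. The column layouts of the two files, the zone name "net", the "tcpflags" option and the third log line are assumptions or constructed sample data; the blacklist row and the first two log lines are the ones quoted in the thread.

```python
import ipaddress
import re

# The blacklist row and the first two log lines are quoted in the thread; the
# interfaces row (zone "net", "tcpflags") and the third log line are constructed.
BLACKLIST = "#ADDRESS/SUBNET PROTOCOL PORT\n88.191.0.0/16\n"
INTERFACES_BEFORE = "#ZONE INTERFACE BROADCAST OPTIONS\nnet eth1 detect tcpflags\n"
INTERFACES_AFTER = INTERFACES_BEFORE.replace("tcpflags", "tcpflags,blacklist")
AUTH_LOG = """\
Nov 4 20:14:39 dolly sshd[3532]: Invalid user ttf from 88.191.99.69
Nov 4 20:14:41 dolly sshd[3532]: Failed password for invalid user ttf from 88.191.99.69 port 37898 ssh2
Nov 4 20:15:02 dolly sshd[3540]: Failed password for root from 192.0.2.10 port 40112 ssh2
"""

# Greedy ".*" matches the last " from <ip>" on the line, i.e. the one sshd appended.
SSHD_SOURCE = re.compile(r"sshd\[\d+\]: .* from (\d{1,3}(?:\.\d{1,3}){3})\b")


def _rows(text):
    """Yield the whitespace-split columns of each non-comment, non-blank row."""
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            yield cols


def parse_blacklist(text):
    """Return the IP networks named in the first column of the blacklist file."""
    nets = []
    for cols in _rows(text):
        try:
            nets.append(ipaddress.ip_network(cols[0], strict=False))
        except ValueError:
            continue  # entries that are not an address or CIDR are out of scope
    return nets


def blacklist_interfaces(text):
    """Return the interfaces whose OPTIONS column contains 'blacklist'."""
    return {cols[1] for cols in _rows(text)
            if len(cols) >= 4 and "blacklist" in cols[3].split(",")}


def leaked_sources(auth_log, nets):
    """Return sshd source IPs that a blacklist row should have dropped."""
    hits = set()
    for match in SSHD_SOURCE.finditer(auth_log):
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # not a valid dotted quad, e.g. an octet above 255
        if any(ip in net for net in nets):
            hits.add(str(ip))
    return sorted(hits)


def diagnose(blacklist, interfaces, auth_log, wan="eth1"):
    """Explain why blacklisted sources still appear in auth.log."""
    leaked = leaked_sources(auth_log, parse_blacklist(blacklist))
    enforced = wan in blacklist_interfaces(interfaces)
    if leaked and not enforced:
        return f"{wan} lacks the 'blacklist' option; reached sshd: {', '.join(leaked)}"
    if leaked:
        return f"'blacklist' is set on {wan}; entries may predate the restart: {', '.join(leaked)}"
    return "no blacklisted source reached sshd"


if __name__ == "__main__":
    print(diagnose(BLACKLIST, INTERFACES_BEFORE, AUTH_LOG))
```

Run against the real files, the same check separates "the row is wrong" from "the row is never consulted", which is the distinction the thread turned on.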