Shorewall users - Nov 2008 - Blacklisted addresses (range) get through anyway]

I''ve blocked an IP-range in my blacklist-file. The row in the file
looks
like this:
88.191.0.0/16

This should block any and all traffic from addresses in the range
88.191.0.0-88.191.255.255 but they still get through to perform brute
force attacks on my SSH server.

Here''s an example from my auth.log for yesterday:
Nov  4 20:14:39 dolly sshd[3532]: Invalid user ttf from 88.191.99.69
Nov  4 20:14:41 dolly sshd[3532]: Failed password for invalid user ttf
from 88.191.99.69 port 37898 ssh2

Why is this, and how can I fix it?

Best Wishes

Linda


shorewall version: 4.2.1

ip addr show:
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen
1000
    link/ether 00:08:a1:3c:12:f3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.102/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::208:a1ff:fe3c:12f3/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast
qlen 1000
    link/ether 00:0e:a6:b0:fc:42 brd ff:ff:ff:ff:ff:ff
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

ip route show:
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.102
default via 192.168.0.1 dev eth1



-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

We certainly would need a shorewall dump to figure this out.

Prasanna.

On Fri, Nov 7, 2008 at 12:33 PM,  <linda@heksebua.com>
wrote:
> I''ve blocked an IP-range in my blacklist-file. The row in the file
looks
> like this:
> 88.191.0.0/16
>
> This should block any and all traffic from addresses in the range
> 88.191.0.0-88.191.255.255 but they still get through to perform brute
> force attacks on my SSH server.
>
> Here''s an example from my auth.log for yesterday:
> Nov  4 20:14:39 dolly sshd[3532]: Invalid user ttf from 88.191.99.69
> Nov  4 20:14:41 dolly sshd[3532]: Failed password for invalid user ttf
> from 88.191.99.69 port 37898 ssh2
>
> Why is this, and how can I fix it?
>
> Best Wishes
>
> Linda
>
>
> shorewall version: 4.2.1
>
> ip addr show:
> 1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>    inet 127.0.0.1/8 scope host lo
>    inet6 ::1/128 scope host
>       valid_lft forever preferred_lft forever
> 2: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast
qlen 1000
>    link/ether 00:08:a1:3c:12:f3 brd ff:ff:ff:ff:ff:ff
>    inet 192.168.0.102/24 brd 192.168.0.255 scope global eth1
>    inet6 fe80::208:a1ff:fe3c:12f3/64 scope link
>       valid_lft forever preferred_lft forever
> 3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc
pfifo_fast
> qlen 1000
>    link/ether 00:0e:a6:b0:fc:42 brd ff:ff:ff:ff:ff:ff
> 4: sit0: <NOARP> mtu 1480 qdisc noop
>    link/sit 0.0.0.0 brd 0.0.0.0
>
> ip route show:
> 192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.102
> default via 192.168.0.1 dev eth1
>
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
> Build the coolest Linux based applications with Moblin SDK & win great
prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>


-- 
Want to manage multiple office networks?
Want to securely connect all your locations?
Want to do it in a budget?
www.elinanetworks.com

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

I''ve attached the dump as a text file.

Best Wishes

Linda
> We certainly would need a shorewall dump to figure this out.
>
> Prasanna.
>
> On Fri, Nov 7, 2008 at 12:33 PM,  <linda@heksebua.com> wrote:
>> I''ve blocked an IP-range in my blacklist-file. The row in the
file looks
>> like this:
>> 88.191.0.0/16
>>
>> This should block any and all traffic from addresses in the range
>> 88.191.0.0-88.191.255.255 but they still get through to perform brute
>> force attacks on my SSH server.
>>
>> Here''s an example from my auth.log for yesterday:
>> Nov  4 20:14:39 dolly sshd[3532]: Invalid user ttf from 88.191.99.69
>> Nov  4 20:14:41 dolly sshd[3532]: Failed password for invalid user ttf
>> from 88.191.99.69 port 37898 ssh2
>>
>> Why is this, and how can I fix it?
>>
>> Best Wishes
>>
>> Linda
>>
>>
>> shorewall version: 4.2.1
>>
>> ip addr show:
>> 1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
>>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>    inet 127.0.0.1/8 scope host lo
>>    inet6 ::1/128 scope host
>>       valid_lft forever preferred_lft forever
>> 2: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast
qlen
>> 1000
>>    link/ether 00:08:a1:3c:12:f3 brd ff:ff:ff:ff:ff:ff
>>    inet 192.168.0.102/24 brd 192.168.0.255 scope global eth1
>>    inet6 fe80::208:a1ff:fe3c:12f3/64 scope link
>>       valid_lft forever preferred_lft forever
>> 3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc
pfifo_fast
>> qlen 1000
>>    link/ether 00:0e:a6:b0:fc:42 brd ff:ff:ff:ff:ff:ff
>> 4: sit0: <NOARP> mtu 1480 qdisc noop
>>    link/sit 0.0.0.0 brd 0.0.0.0
>>
>> ip route show:
>> 192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.102
>> default via 192.168.0.1 dev eth1
>>
>>
>>
>>
-------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move
Developer''s
>> challenge
>> Build the coolest Linux based applications with Moblin SDK & win
great
>> prizes
>> Grand prize is a trip for two to an Open Source event anywhere in the
>> world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>
>
>
> --
> Want to manage multiple office networks?
> Want to securely connect all your locations?
> Want to do it in a budget?
> www.elinanetworks.com
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer''s
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the
> world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

On Fri, Nov 7, 2008 at 2:00 PM,  <linda@heksebua.com>
wrote:
>> On Fri, Nov 7, 2008 at 12:33 PM,  <linda@heksebua.com> wrote:
>>> I''ve blocked an IP-range in my blacklist-file. The row in
the file looks
>>> like this:
>>> 88.191.0.0/16
>>>
Do you have blacklist in the interfaces file for the WAN interface?

Prasanna.
-- 
Want to manage multiple office networks?
Want to securely connect all your locations?
Want to do it in a budget?
www.elinanetworks.com

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Yes. All the regular entries work.


> On Fri, Nov 7, 2008 at 2:00 PM,  <linda@heksebua.com> wrote:
>>> On Fri, Nov 7, 2008 at 12:33 PM,  <linda@heksebua.com> wrote:
>>>> I''ve blocked an IP-range in my blacklist-file. The row
in the file
>>>> looks
>>>> like this:
>>>> 88.191.0.0/16
>>>>
>
> Do you have blacklist in the interfaces file for the WAN interface?
>
> Prasanna.
> --
> Want to manage multiple office networks?
> Want to securely connect all your locations?
> Want to do it in a budget?
> www.elinanetworks.com
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer''s
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the
> world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Weird,

There''s no blacklist chain in your dump. I have 4.0 and
there''s a
blacklist chain created with a drop from this subnet.

Not sure if this is a regression in 4.2.x that you''re using.

Prasanna.

On Fri, Nov 7, 2008 at 2:27 PM,  <linda@heksebua.com>
wrote:
> Yes. All the regular entries work.
>
>
>
>> On Fri, Nov 7, 2008 at 2:00 PM,  <linda@heksebua.com> wrote:
>>>> On Fri, Nov 7, 2008 at 12:33 PM,  <linda@heksebua.com>
wrote:
>>>>> I''ve blocked an IP-range in my blacklist-file. The
row in the file
>>>>> looks
>>>>> like this:
>>>>> 88.191.0.0/16
>>>>>
>>
>> Do you have blacklist in the interfaces file for the WAN interface?
>>
>> Prasanna.
>> --
>> Want to manage multiple office networks?
>> Want to securely connect all your locations?
>> Want to do it in a budget?
>> www.elinanetworks.com
>>
>>
-------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move
Developer''s
>> challenge
>> Build the coolest Linux based applications with Moblin SDK & win
great
>> prizes
>> Grand prize is a trip for two to an Open Source event anywhere in the
>> world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
> Build the coolest Linux based applications with Moblin SDK & win great
prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>


-- 
Want to manage multiple office networks?
Want to securely connect all your locations?
Want to do it in a budget?
www.elinanetworks.com

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Prasanna Krishnamoorthy wrote:
> Weird,
> 
> There''s no blacklist chain in your dump. I have 4.0 and
there''s a
> blacklist chain created with a drop from this subnet.
> 
> Not sure if this is a regression in 4.2.x that you''re using.
I''m betting that the ''blacklist'' option is not
specified on the external
interface in /etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                                 -Herbert Spencer
http://shorewall.net \________________________________________________



-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Apparently I was wrong, and when I put the blacklist option in there,the
whole thing went haywire. It said something about not finding blacklog.so
I can''t seem to find the error message in my logs. I had to remove the
blacklist option again to get shorewall to start. I hope you can help me
with this config problem.

Linda
> Yes. All the regular entries work.
>
>
>
>> On Fri, Nov 7, 2008 at 2:00 PM,  <linda@heksebua.com> wrote:
>>>> On Fri, Nov 7, 2008 at 12:33 PM,  <linda@heksebua.com>
wrote:
>>>>> I''ve blocked an IP-range in my blacklist-file. The
row in the file
>>>>> looks
>>>>> like this:
>>>>> 88.191.0.0/16
>>>>>
>>
>> Do you have blacklist in the interfaces file for the WAN interface?
>>
>> Prasanna.
>> --
>> Want to manage multiple office networks?
>> Want to securely connect all your locations?
>> Want to do it in a budget?
>> www.elinanetworks.com
>>
>>
-------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move
Developer''s
>> challenge
>> Build the coolest Linux based applications with Moblin SDK & win
great
>> prizes
>> Grand prize is a trip for two to an Open Source event anywhere in the
>> world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer''s
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the
> world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

linda@heksebua.com wrote:
> Apparently I was wrong, and when I put the blacklist option in there,the
> whole thing went haywire. It said something about not finding blacklog.so
> I can''t seem to find the error message in my logs. I had to remove
the
> blacklist option again to get shorewall to start. I hope you can help me
> with this config problem.
Please see http://www.shorewall.net/troubleshoot.htm#Start for tips
about troubleshooting start errors. And
http://www.shorewall.net/support.htm#Guidelines if you can''t determine
what is wrong.

-Tom
-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                                 -Herbert Spencer
http://shorewall.net \________________________________________________



-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

I was wrong, and when I put it there, shorewall refused to start saying
something about ipables and blacklog. I had to remove it again.

Linda
> Prasanna Krishnamoorthy wrote:
>> Weird,
>>
>> There''s no blacklist chain in your dump. I have 4.0 and
there''s a
>> blacklist chain created with a drop from this subnet.
>>
>> Not sure if this is a regression in 4.2.x that you''re using.
>
> I''m betting that the ''blacklist'' option is not
specified on the external
> interface in /etc/shorewall/interfaces.
>
> -Tom
> --
> Tom Eastep        \ The ultimate result of shielding men from the
> Shoreline,         \ effects of folly is to fill the world with fools.
> Washington, USA     \                                 -Herbert Spencer
> http://shorewall.net \________________________________________________
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer''s
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the
> world
>
http://moblin-contest.org/redirect.php?banner_id=100&url=/_______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Weird. I just added the blacklist option again and restarted shorewall.
And this time everything worked fine. If they continue to get through,
I''ll contact the list again. But for now, it''s solved.

Linda
> Apparently I was wrong, and when I put the blacklist option in there,the
> whole thing went haywire. It said something about not finding blacklog.so
> I can''t seem to find the error message in my logs. I had to remove
the
> blacklist option again to get shorewall to start. I hope you can help me
> with this config problem.
>
> Linda
>
>> Yes. All the regular entries work.
>>
>>
>>
>>> On Fri, Nov 7, 2008 at 2:00 PM,  <linda@heksebua.com> wrote:
>>>>> On Fri, Nov 7, 2008 at 12:33 PM, 
<linda@heksebua.com> wrote:
>>>>>> I''ve blocked an IP-range in my blacklist-file.
The row in the file
>>>>>> looks
>>>>>> like this:
>>>>>> 88.191.0.0/16
>>>>>>
>>>
>>> Do you have blacklist in the interfaces file for the WAN interface?
>>>
>>> Prasanna.
>>> --
>>> Want to manage multiple office networks?
>>> Want to securely connect all your locations?
>>> Want to do it in a budget?
>>> www.elinanetworks.com
>>>
>>>
-------------------------------------------------------------------------
>>> This SF.Net email is sponsored by the Moblin Your Move
Developer''s
>>> challenge
>>> Build the coolest Linux based applications with Moblin SDK &
win great
>>> prizes
>>> Grand prize is a trip for two to an Open Source event anywhere in
the
>>> world
>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>> _______________________________________________
>>> Shorewall-users mailing list
>>> Shorewall-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>>
>>
>>
>>
>>
-------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move
Developer''s
>> challenge
>> Build the coolest Linux based applications with Moblin SDK & win
great
>> prizes
>> Grand prize is a trip for two to an Open Source event anywhere in the
>> world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer''s
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the
> world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/