Hello,

I have some strange behaviour with shorewall 4.4.8.1-1 on a Debian squeeze.

From time to time I have a brute force hacker trying to get access to the pop3 accounts with generic names and passwords. I wanted to add them to a static blacklist, so I added the blacklist option to the interfaces file and added the ip to the blacklist file. But nevertheless the hacker can continue the brute force.

The "iptables -L -n" command shows the new entry:
# iptables -L -n | grep 60.251.16.91
DROP       all  --  60.251.16.91

The interfaces file contains:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,logmartians,nosmurfs,blacklist

The blacklist file contains:
#ADDRESS/SUBNET   PROTOCOL   PORT
60.251.16.91      -          -

The rules file contains:
#ACTION   SOURCE   DEST   PROTO   DEST   SOURCE   ORIGINAL   RATE   USER/   MARK
ACCEPT    net      $FW    tcp     pop3

Extract from the shorewall.conf:
BLACKLIST_DISPOSITION=DROP

The blacklist documentation describes that packets from the ips mentioned in the blacklist should be dropped at the interface. If I add the ip to the rules file with the action "DROP", then I don't get any attacks.

Could anybody give me a hint why the blacklist entry is ignored?

Thanks a lot

Alexander Maringer
On 5/30/10 5:27 PM, Alexander Maringer wrote:
>
> Could anybody give me a hint why the blacklist entry is ignored?

Please follow the instructions at http://www.shorewall.net/shorewall.support.htm#Guidelines and submit the output of 'shorewall dump' collected as described in those guidelines.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 5/30/10 6:14 PM, Tom Eastep wrote:
> On 5/30/10 5:27 PM, Alexander Maringer wrote:
>>
>> Could anybody give me a hint why the blacklist entry is ignored?
>
> Please follow the instructions at
> http://www.shorewall.net/shorewall.support.htm#Guidelines and submit the
> output of 'shorewall dump' collected as described in those guidelines.

Alexander,

I'm interested in solving your problem but I need to see exactly what is going on with your configuration. If you would prefer, you can send the dump information to me privately.

Regards,

-Tom
Hello,

I wrote some message about 1 month ago with the subject "Blacklist" (at the beginning of June). At this time I was not able to reproduce the problem, because I didn't have this kind of attack until now.

As I wrote before, I have some IPs in the blacklist table and I have added the blacklist option to the interface. But nevertheless the blacklisted IP has the ability to connect to my IMAP server:

Jul 18 21:51:28 **** dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bebe rhost=213.123.136.225
Jul 18 21:51:28 **** dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=becky rhost=213.123.136.225

The dump is attached.

Thanks a lot for any hints

Regards

Alexander Maringer
On 7/18/10 1:29 PM, Alexander Maringer wrote:
>
> The dump is attached.
>

I don't see any dump...

-Tom
Yes, I know, I forgot the attachment ... :-(

Regards

Alexander Maringer

Maringer IT Services
Alexander Maringer
Ranklhofweg 6
94034 Passau
Tel.: +49-851-9669695
Fax: +49-851-9662317
http://www.maringer-it.de
On 7/18/10 1:29 PM, Alexander Maringer wrote:
> As I wrote before, I have some IPs in the blacklist table and I have
> added the blacklist option to the interface. But nevertheless the
> blacklisted IP has the ability to connect to my IMAP server:
> Jul 18 21:51:28 **** dovecot-auth: pam_unix(dovecot:auth):
> authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bebe
> rhost=213.123.136.225
> Jul 18 21:51:28 **** dovecot-auth: pam_unix(dovecot:auth):
> authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=becky
> rhost=213.123.136.225
>
> The dump is attached.
>
> Thanks a lot for any hints

Unfortunately, the firewall configuration has been restarted since the dovecot messages were logged:

Shorewall 4.4.10.2 Dump at linsenwelt.com - So 18. Jul 22:40:07 CEST 2010

Counters reset So 18. Jul 22:40:00 CEST 2010
--------

But here is what is there now:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   22  3388 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
  165 16817 net2fw     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

So all traffic entering through eth1 is sent through the net2fw chain.

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   22  3388 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW

All new connection requests (and any packets in invalid state) are sent through the blacklst chain.

Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       87.106.24.224        0.0.0.0/0
    0     0 DROP       all  --  *      *       193.85.18.72         0.0.0.0/0
   13   624 DROP       all  --  *      *       213.123.136.225      0.0.0.0/0

Note that in the approximately 7 seconds between the time that you reloaded the firewall and when Shorewall captured the dump, 13 connection requests from 213.123.136.225 were dropped. And there are currently no existing connections from that IP address (search for other instances of that address in the dump).

If you see this happen again, please verify that the above chains/rules are all in place. With them in place, I can see no way that any connection from 213.123.136.225 could be successful.

-Tom
Ah, ok, thanks ... and now I have an idea .... Could it be ... that if the attacker does not start a new connection, he is not dropped, until he starts a new connection because the connection already exists?

So I have to kill all existing connections?

Perhaps that was my fault ...

Regards

Alexander Maringer

PS: Yes, I did a shorewall reset before the dump.
On 7/18/10 2:53 PM, Alexander Maringer wrote:
> Ah, ok, thanks ... and now I have an idea .... Could it be ... that if
> the attacker does not start a new connection, he is not dropped, until
> he starts a new connection because the connection already exists?
>
> So I have to kill all existing connections?

Yes -- unless you configure BLACKLISTNEWONLY=No in shorewall.conf, adding an IP address to the blacklist does not affect existing connections.

-Tom
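An added check (example code written for this thread, not part of Shorewall and not posted by either participant) that turns Tom's chain walk-through and his closing BLACKLISTNEWONLY remark into something a reader can run against their own listing: it parses chain output in the 'iptables -L -n -v' layout quoted in the dump, verifies the INPUT -> net2fw -> blacklst -> DROP path for one interface and address, and reports whether the jump into blacklst is limited by a ctstate match, which is why packets of a connection that already existed never reach the blacklist. The sample listing is constructed from the figures quoted above; the interface name eth1 and the reading of the ctstate match as the sign of BLACKLISTNEWONLY=Yes are assumptions.

```python
import re

# Constructed sample, modelled on the chain listing quoted in the thread.
SAMPLE_DUMP = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target   prot opt in   out source          destination
   22  3388 dynamic  all  --  *    *   0.0.0.0/0       0.0.0.0/0   ctstate INVALID,NEW
  165 16817 net2fw   all  --  eth1 *   0.0.0.0/0       0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target   prot opt in   out source          destination
   22  3388 blacklst all  --  *    *   0.0.0.0/0       0.0.0.0/0   ctstate INVALID,NEW

Chain blacklst (2 references)
 pkts bytes target   prot opt in   out source          destination
    0     0 DROP     all  --  *    *   87.106.24.224   0.0.0.0/0
   13   624 DROP     all  --  *    *   213.123.136.225 0.0.0.0/0
"""

def parse_chains(text):
    """Map chain name -> list of rules from 'iptables -L -n -v' style output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split()
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue  # blank line or column header
        extra = parts[9:]  # match extensions such as "ctstate INVALID,NEW"
        states = set(extra[extra.index("ctstate") + 1].split(",")) if "ctstate" in extra else None
        chains[current].append({"pkts": int(parts[0]), "target": parts[2],
                                "in": parts[5], "src": parts[7], "ctstate": states})
    return chains

def find_jump(chains, chain, target, iface=None):
    # First rule in `chain` that jumps to `target`, optionally restricted to input interface.
    return next((r for r in chains.get(chain, []) if r["target"] == target
                 and (iface is None or r["in"] in ("*", iface))), None)

def check_blacklist(chains, iface, ip):
    """Verify INPUT -> net2fw -> blacklst -> DROP ip, and whether only NEW traffic is checked."""
    to_zone = find_jump(chains, "INPUT", "net2fw", iface)
    to_bl = find_jump(chains, "net2fw", "blacklst")
    drop = next((r for r in chains.get("blacklst", [])
                 if r["target"] == "DROP" and r["src"] == ip), None)
    # Assumption: a ctstate match without ESTABLISHED on the blacklst jump means existing
    # connections bypass the blacklist (BLACKLISTNEWONLY=Yes), as Tom's reply describes.
    new_only = bool(to_bl and to_bl["ctstate"] and "ESTABLISHED" not in to_bl["ctstate"])
    return {"path_ok": all((to_zone, to_bl, drop)),
            "dropped_pkts": drop["pkts"] if drop else 0, "new_only": new_only}
```

If path_ok is true but new_only is also true, a connection that was already open when the address was added keeps working until it ends, which is the situation described in this thread.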