Following the discovery of an http scanning attempt on a port on my firewall that I intended to dedicate to ssh access, I've come to realise that I didn't know how to use Shorewall to constrain port access to a specific application of my choice. A quick search on the Internet did not provide me with enough hints to let me be self-reliant in my learning, hence my request for help in order to plug the hole as soon as possible.

First of all, (a) is there such a feature in Shorewall, and (b) if yes, is there a manual that teaches how to use it? Alternatively, what other options are left to me?

Thanks for advising me.

Costa
OK, let me provide more info.

As I discovered, using a rule like the following:

DNAT net fw:$FW_LAN_side:22 tcp 7805

did not prevent an attacker from going through my Shorewall firewall by issuing a command equivalent to the following:

wget "http://<IP-addr>:7805/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n HTTP/1.1" 302 527 "-" "curl/7.19.4 (i386-redhat-linux-gnu) libcurl/7.19.4 NSS/3.12.2.0 zlib/1.2.3 libidn/0.6.14 libssh2/0.18"

as I could discover in the /var/log/access.log log file.

Hence my question about whether there is a feature that allows one to associate a port with a specific process running on the firewall. In this case, for instance, dedicating port 7805 to the sshd process.

Thanks for your help,

Costa

From: Costantino [mailto:watchshor@yahoo.co.uk]
Sent: 08 January 2013 12:03
To: 'Shorewall Users'
Subject: [Shorewall-users] constraint port access to specific application
On 01/09/2013 02:04 AM, Costantino wrote:
> OK, let me provide more info.
>
> As I discovered, using a rule like the following:
>
> DNAT net fw:$FW_LAN_side:22 tcp 7805
>
> did not prevent an attacker from going through my Shorewall firewall by
> issuing a command equivalent to the following:
>
> wget
> "http://<IP-addr>:7805/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n
> HTTP/1.1" 302 527 "-" "curl/7.19.4 (i386-redhat-linux-gnu)
> libcurl/7.19.4 NSS/3.12.2.0 zlib/1.2.3 libidn/0.6.14 libssh2/0.18"
>
> as I could discover in the /var/log/access.log log file.
>
> Hence my question about whether there is a feature that allows to
> associate a port to a specific process running on the firewall.
>
> In this case, for instance, dedicating port 7805 to process sshd.

No -- A packet filter like Netfilter only deals with packet headers, not the application payload.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
"Costantino" wrote:> OK, let me provide more info.> As I discovered, using a rule like the following:> DNAT net fw:$FW_LAN_side:22 tcp 7805> did not prevent an attacker from going through my Shorewall firewall by issuing a command equivalent to the following:> wget "http://<IP-addr>:7805/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../.../../../../../etc/passwd%00%20-n HTTP/1.1" 302 527 "-" "curl/7.19.4 (i386-redhat-linux-gnu) libcurl/7.19.4 NSS/3.12.2.0 zlib/1.2.3 libidn/0.6.14 libssh2/0.18"> as I could discover in the /var/log/access.log log file. > Hence my question about whether there is a feature that allows to associate a port to a specific process running on the firewall. > In this case, for instance, dedicating port 7805 to process sshd.In the rule you've given, the packet will be delivered to the service listening on port 22 (ie your SSH server) - it will not be delivered to any other service. SSH should simply discard the packet and "not making sense". ------------------------------------------------------------------------------ Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery and much more. Keep your Java skills current with LearnJavaNow - 200+ hours of step-by-step video tutorials by Java experts. SALE $49.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122612 _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
Simon,

I'm afraid that's not the case, unless you have SELinux enabled, or other equivalent security modules installed like, for instance, AppArmor, ModSecurity, Systrace or even Zorp.

You can test whether that's the case or not by launching the command that I've provided. Type it on a Linux box addressing another Linux box on the Internet you have access to (the target) where Shorewall runs, replacing the port and the target IP address according to your configuration. Now check /var/log/httpd/access.log on the target for the presence or not of a copy of the command. If it is in your log, then you can be sure that it was the Apache process that received it, no matter what port was used in the end within the target machine.

-----Original Message-----
From: Simon Hobson [mailto:linux@thehobsons.co.uk]
Sent: 09 January 2013 21:01
To: Shorewall Users
Subject: Re: [Shorewall-users] constraint port access to specific application

In the rule you've given, the packet will be delivered to the service listening on port 22 (ie your SSH server) - it will not be delivered to any other service. SSH should simply discard the packet as "not making sense".
Costantino wrote:
> You can test whether that's the case or not by launching the command that I've provided.

Actually I can't as my firewall doesn't have any web server installed - in fact it has no outside accessible services on it.

I did try using another box on my network as a target (rather than the firewall local IP address) and it worked correctly - firing an HTTP request at the SSH server resulted in the SSH server effectively saying WTF?

$ wget -O - http://patsy.thehobsons.co.uk:2222
Connecting to xxxx|xxxx|:2222... connected.
HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
Length: unspecified
SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
Read error at byte 36 (Connection reset by peer).Retrying.

If I do target SSH on the firewall, then I get the same "WTF?" response.
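Simon's wget check, generalised as an added script (not from this thread or from the Shorewall project): it sends a minimal HTTP request to a host and port, reads whatever the listening daemon returns, and classifies the answer by its banner, so a DNAT-forwarded port can be verified to reach sshd rather than a web server. The sample banners, host and port are constructed for illustration.

```python
import socket

# Constructed sample responses (not captured from the hosts in the thread).
SAMPLE_SSH = b"SSH-2.0-OpenSSH_4.3p2 Debian-9etch3\r\n"
SAMPLE_HTTP = b"HTTP/1.1 302 Found\r\nLocation: /\r\nContent-Length: 0\r\n\r\n"


def classify_banner(data: bytes) -> str:
    """Name the daemon that answered, judged from the first bytes it sent.

    An SSH server sends its 'SSH-' identification line before reading anything
    from the client (RFC 4253), so an HTTP request aimed at a port that really
    lands on sshd comes back with that line, not with an HTTP status line.
    """
    head = data.lstrip()[:16]
    if head.startswith(b"SSH-"):
        return "ssh"
    if head.startswith(b"HTTP/"):
        return "http"
    if not data:
        return "silent"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a minimal HTTP/1.0 request to host:port and classify the reply."""
    request = b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode()
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except OSError:
        # sshd resets the connection once the request fails to parse as an
        # SSH identification string; its banner has already been collected.
        pass
    return classify_banner(b"".join(chunks))


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> <port>   (host/port are your own targets)
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run against the forwarded port from outside the firewall; "ssh" confirms the DNAT rule delivers to sshd, while "http" means a web server, not sshd, answered on that port.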