Discussion:
[Shorewall-users] blacklist if connection attempt on unused port
Vieri Di Paola
2016-11-25 15:12:08 UTC
Hi,

Suppose I have rules such as:

ACCEPT net $FW tcp 80,443
DNAT net loc:IP tcp 3389
[...etc...]

I'd like to automatically/dynamically blacklist all IP addresses of hosts that try to connect to any other unlisted port (eg. port tcp 2222 or 1234, etc.). So if a host tries to connect to port tcp 1234 (on which my site does not serve anything) I'd like the "net" SRC address to be blacklisted "globally", ie. it should not be able to connect to ANY port, not even those listed above (80,443,3389), for at least 1 hour.

I've read about shorewall events (BTW there's a missing ',-' in the example 'AutoBL(SSH,-,-,-,REJECT,warn)') but I'm not sure if it fits my needs.

The following doesn't seem to do what I want:

ACCEPT net $FW tcp 80,443
DNAT net loc:IP tcp 3389
[...etc...]
AutoBL(ABL,10,1,-,3600,REJECT,info) net $FW all

Aren't the IP addresses in ABL_BL supposed to be REJECTed regardless of where they're trying to connect to?

Maybe there's a simpler way to do this with Shorewall actions and dynamic blacklisting?

Thanks,

Vieri

------------------------------------------------------------------------------
Tom Eastep
2016-11-27 17:03:29 UTC
Post by Vieri Di Paola
Hi,
ACCEPT net $FW tcp 80,443
DNAT net loc:IP tcp 3389
[...etc...]
I'd like to automatically/dynamically blacklist all IP addresses of
hosts that try to connect to any other unlisted port (eg. port tcp
2222 or 1234, etc.). So if a host tries to connect to port tcp 1234
(on which my site does not serve anything) I'd like the "net" SRC
address to be blacklisted "globally", ie. it should not be able to
connect to ANY port, not even those listed above (80,443,3389), for
at least 1 hour.
I've read about shorewall events (BTW there's a missing ',-' in the
example 'AutoBL(SSH,-,-,-,REJECT,warn)') but I'm not sure if it
fits my needs.
ACCEPT net $FW tcp 80,443
DNAT net loc:IP tcp 3389
[...etc...]
AutoBL(ABL,10,1,-,3600,REJECT,info) net $FW all
Aren't the IP addresses in ABL_BL supposed to be REJECTed
regardless of where they're trying to connect to?
You don't want to use AutoBL in this way. AutoBL is intended to be
used to blacklist clients who make repeated attempts to connect to a
service which they are allowed to use. The most common use case is to
stop dictionary attacks.
Maybe there's a simpler way to do this with Shorewall actions and dynamic blacklisting?
Configure ipset-based dynamic blacklisting:

DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

then put this at the bottom of your rules:

ADD(SW_DBL4,src) net $FW

- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Vieri Di Paola
2016-11-28 13:06:58 UTC
Post by Tom Eastep
Configure ipset-based dynamic blacklisting:
DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
ADD(SW_DBL4,src) net $FW
I believe the separator is : instead of ,.

I have this now in rules:
ADD(SW_DBL4:src) net1 $FW
ADD(SW_DBL4:src) net2 $FW
ADD(SW_DBL4:src) net3 $FW

and this in shorewall.conf:
DYNAMIC_BLACKLIST=ipset-only,timeout=3600

ipset list SW_DBL4 shows that the set is growing fast...

I understand there's no special flag requirement for net "interfaces", not even "blacklist" as we're using ipsets here, not files.

Thanks,

Vieri

------------------------------------------------------------------------------
Nigel Aves
2016-12-01 02:25:11 UTC
I was trying to implement this "ipset" solution and I keep hitting a brick wall. I'm no expert on this, so I was hoping for some guidance.
I have searched and searched trying to find the solution but to no avail.

In the Shorewall dump I have the following (which from some documentation seems to be correct, and what I need):-

Ipset Match (IPSET_MATCH): Available
Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
ipset V5 (IPSET_V5): Available

But following this post, when I try and change "DYNAMIC_BLACKLIST" it always errors out. (Tried both solutions in email)

ERROR: Invalid value (ipset-only,timeout=3600::info) for DYNAMIC_BLACKLIST

or

ERROR: Invalid value (ipset-only,timeout=3600) for DYNAMIC_BLACKLIST

I'd be very grateful if someone could point me in the right direction as to what I am doing wrong.

Many Thanks - Nigel
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
--
from the desk of Nigel

http://soft-focus-imagining.com
http://twin-peaks-video.com
Vieri Di Paola
2016-12-01 07:49:35 UTC
Post by Nigel Aves
But following this post, when I try and change "DYNAMIC_BLACKLIST" it always errors out. (Tried both solutions in email)
ERROR: Invalid value (ipset-only,timeout=3600::info) for DYNAMIC_BLACKLIST
or
ERROR: Invalid value (ipset-only,timeout=3600) for DYNAMIC_BLACKLIST
I had the same issue with an older Shorewall 5 version. Just upgrade. I'm using 5.0.14.1 now.

Vieri

------------------------------------------------------------------------------
Nigel Aves
2016-12-01 15:32:30 UTC
Vieri,

Thank you for your help. I'm running Shorewall 5.0.8.2-1.el7, so that
explains it.

Typically I prefer to use the updates as they become "official" in the
repositories. (I'm no Linux expert :) and I use Webmin / Virtualmin to
help me keep the system running ). I'll hold off for the moment, though
I did find all the required RPMs.

Kind Regards - Nigel.
Nigel Aves
2017-01-18 15:01:14 UTC
I've become a little stuck on setting up ipset correctly. I followed
the instructions from an email as follows:


DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

and in Rules at end

ADD(SW_DBL4:src) net $FW

and after some testing everything seemed to be working all OK. Using
Shorewall 5.0.14.1

I have port 80 (web server) and 25 (Postfix server) open in my Rules
file. Internal network using 192.168.1.1 on eth1

But as soon as I tried using the browser on my local network machine web
sites, like Facebook, just stopped working.

I've tried to find a simple (I'm no IT specialist, just home hobbyist)
explanation as to what I have done wrong or missed, and seemed to have
hit a brick wall.

If someone could point me in the right direction I would be very grateful.

Kind Regards, Nigel Aves.


In case it helps, here is my rules file.

DHCPfwd/ACCEPT loc fw
#
#
DHCPfwd/ACCEPT $FW loc
#
# Accept for web -server
ACCEPT net $FW tcp 80
# no ssl
# ACCEPT net $FW tcp 443
#
#
# Turn FTP off when not transferring files from VideoKing
#
# FTP/ACCEPT net fw - 21
# ACCEPT net $FW tcp 6000:6100
#
###### use Webmin while away, turn off when returned. Here is the setting
# Don't forget to turn on for trips.
#
# ACCEPT net $FW tcp 1xxxx
#
#
SMTP/ACCEPT net $FW - 25
#
DNS(ACCEPT) $FW net
# Accept DNS connections from the firewall to the network
#
SSH(ACCEPT) loc $FW
#
# Accept SSH connections from the local network for administration
#
Ping(ACCEPT) loc $FW
#
# Allow Ping from the local network
#
#
## Internal accepts
#
#Cable TV forward
DNAT net loc:192.168.1.180 udp 27177
DNAT net loc:192.168.1.180 udp 27178
DNAT net loc:192.168.1.180 tcp 27177
DNAT net loc:192.168.1.180 tcp 27178
#
ACCEPT loc $FW tcp
ACCEPT loc $FW udp
#
DNS(ACCEPT) loc $FW
SMB(ACCEPT) loc $FW
SMB(ACCEPT) $FW loc
#
DNS(ACCEPT) phone $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
ACCEPT $FW phone icmp
#
# turn on ipset to stop testing ports from outside
#
# ADD(SW_DBL4:src) net $FW
Tom Eastep
2017-01-18 17:12:52 UTC
I suspect that you are blacklisting the upstream DNS name servers.

Try this:

#
# Filter out noise
#
Drop net $FW
#
# turn on ipset to stop testing ports from outside
#
ADD(SW_DBL4:src):info net $FW

- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Nigel Aves
2017-01-18 18:17:29 UTC
Tom,

Just tested your fix. Everything seems to be working perfectly from the
outside and the inside.

Many Thanks,

Nigel.
Tom Eastep
2017-01-18 21:52:15 UTC
Post by Nigel Aves
Just tested your fix. Everything seems to be working perfectly from
the outside and the inside.
Glad to hear that it is working, Nigel. Beginning with Shorewall
5.1.1, you will be able to specify BLACKLIST as a POLICY in your
policy file and you will end up with a similar ruleset.

- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Vieri Di Paola
2016-11-30 11:41:53 UTC
Post by Tom Eastep
DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
ADD(SW_DBL4,src) net $FW
I seem to have a few issues with the ipset-based solution.

The first is really not that important:

# grep IPSET /etc/shorewall/shorewall.conf
IPSET=
IPSET_WARNINGS=Yes
SAVE_IPSETS=No

After a shorewall restart I can list the ipset and it has hundreds of entries:

# ipset list SW_DBL4

Shouldn't it have been cleared out?
I actually prefer to set SAVE_IPSETS=Yes and then manually flush the ipset whenever I want to. I'm just wondering if this config variable applies to SW_* ipsets.

The second issue is described below.

The policy file contains:
net3 $FW DROP info
net3 loc DROP info
net2 $FW DROP info
net2 loc DROP info
net1 $FW DROP info
net3 loc DROP info

shorewall.conf has:
DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

rules file contains among many other entries:
[...]
DNAT net1 loc:10.215.144.91 tcp 25 - - 3/sec:10
DNAT net2 loc:10.215.144.91 tcp 25 - - 3/sec:10
ACCEPT net3 $FW tcp 25 - - 3/sec:10
[...]
ACCEPT net2 $FW tcp <some_other_port>
[...]
ADD(SW_DBL4:src) net1 $FW
ADD(SW_DBL4:src) net2 $FW
ADD(SW_DBL4:src) net3 $FW

In the shorewall log I can see DROP messages concerning port 25 such as:

Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=IP1 DST=192.168.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=28878 DF PROTO=TCP SPT=7309 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x2

# ipset list SW_DBL4 | grep IP1
IP1 timeout 3541 packets 1 bytes 48

Since 192.168.100.2 is net2's NIC address on $FW, I'm guessing IP1 was blacklisted because there's no explicit rule for traffic from net2 to $FW on port 25 so it reaches ADD(SW_DBL4:src) net2 $FW.
However, I'm not really sure about this. If the host at IP1 tried to connect for the first time to the net2 external interface, it should have succeeded and established an SMTP link to an internal server (DNAT). As I see it, it never should have reached the ADD action at the bottom of my rules file.

My third issue is that I see these entries in the log:

Nov 30 09:12:27 Shorewall:loc-net3:ACCEPT:IN=enp0s9 OUT=enp0s13 SRC=10.215.144.31 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=29724 PROTO=UDP SPT=54141 DPT=53 LEN=40
Nov 30 09:12:28 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=8.8.8.8 DST=192.168.101.2 LEN=76 TOS=0x00 PREC=0x00 TTL=56 ID=53866 PROTO=UDP SPT=53 DPT=20938 LEN=56 MARK=0x3

where enp0s13 is net3's interface and 192.168.101.2 its IP address.
So now Google DNS (8.8.8.8) is in the SW_DBL4 ipset.

I don't care if Google can connect or not but then I also see messages like these:

Nov 30 09:31:10 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx1 DST=192.168.101.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=80 DPT=14686 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x3
Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx2 DST=192.168.101.2 LEN=75 TOS=0x00 PREC=0x00 TTL=50 ID=27302 DF PROTO=TCP SPT=443 DPT=53313 WINDOW=514 RES=0x00 ACK PSH FIN URGP=0 MARK=0x3
Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx3 DST=192.168.101.2 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=61483 DF PROTO=TCP SPT=443 DPT=28519 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3

They're usually ACK FIN, ACK SYN, ACK PSH or RST so I guess each time a client in my loc zone surfs the web, the web servers' IP addresses are bound to get blacklisted.

Another example when a client in the loc zone accesses a web server (note that there are several internet providers with load balancing):

Nov 30 09:58:03 Shorewall:loc-net1:ACCEPT:IN=enp0s9 OUT=enp0s11 SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=2734 DF PROTO=TCP SPT=64178 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 30 09:58:04 Shorewall:loc-net1:ACCEPT:IN=enp0s9 OUT=enp0s11 SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=3027 DF PROTO=TCP SPT=64180 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 30 09:58:05 Shorewall:loc-net2:ACCEPT:IN=enp0s9 OUT=enp0s12 SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=3087 DF PROTO=TCP SPT=64183 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

Nov 30 09:58:05 Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=xxx.xxx.xxx.xx4 DST=192.168.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=64183 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x2
(192.168.100.2 is on net2)

So I'm wondering if I can avoid false positives in the dynamic blacklist.

I'm also looking at PSAD as suggested by Mark but the conf file is so long I'm still figuring out how to do the above...
I believe PSAD scans log messages in order to take action so that implies enabling logging in shorewall and I was actually hoping to remove logging as much as possible to reduce I/O. That's why the shorewall ipset solution is attractive.

Vieri
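The false positives described in this post (DNS answers from 8.8.8.8 and late RST/ACK/FIN segments from web servers landing in SW_DBL4, and the resulting dbl_log DROP lines) are the kind of thing worth triaging before a `Drop` action is placed in front of the ADD rule or the set is flushed. The following is an added example, not code from this thread or from Shorewall: a small Python script that parses kernel log lines in the format quoted above, groups the dbl_log drops per source address, and labels each source as a likely scanner (fresh SYNs, or UDP, to ports the firewall does not serve) or a likely false positive (only reply-shaped traffic: UDP from source port 53, or ACK/RST/FIN segments from well-known service source ports). SERVED_TCP_PORTS, REPLY_SRC_PORTS and the sample log are constructed; 203.0.113.10 and 198.51.100.7 are documentation-range addresses standing in for a web server and a port scanner.

```python
"""Triage Shorewall dynamic-blacklist (dbl_log) drops for likely false positives.

Added example for this thread; not code from the thread or from Shorewall.
"""
import re
from collections import defaultdict

# Ports this firewall accepts from the net zone (constructed for the example).
SERVED_TCP_PORTS = {25, 80, 443}
# Service ports our own clients talk to; segments *from* these ports are replies.
REPLY_SRC_PORTS = {25, 53, 80, 443}
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST"}
DBL_PREFIX = "Shorewall:dbl_log:DROP:"
_KV = re.compile(r"(\w+)=(\S*)")


def parse_dbl_line(line):
    """Return the KEY=VALUE fields of one dbl_log DROP line plus its TCP flags,
    or None for any other log line."""
    if DBL_PREFIX not in line:
        return None
    body = line.split(DBL_PREFIX, 1)[1]
    fields = dict(_KV.findall(body))          # "OUT=" yields an empty string
    fields["flags"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    for key in ("SPT", "DPT"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def classify(fields):
    """Label one dropped packet as 'probe', 'reply' or 'other'."""
    proto = fields.get("PROTO")
    flags = fields["flags"]
    if proto == "TCP":
        if flags == {"SYN"}:
            # A bare SYN is a new connection attempt: to an unserved port it is a
            # probe; to a served port it is an already-blacklisted host hitting an
            # allowed port (the behaviour Tom describes for port 25).
            return "probe" if fields["DPT"] not in SERVED_TCP_PORTS else "other"
        if flags & {"ACK", "RST", "FIN"} and fields["SPT"] in REPLY_SRC_PORTS:
            # Tail of a connection our side opened (late RST/FIN/ACK from a web
            # server): exactly what the thread saw landing in SW_DBL4.
            return "reply"
        return "other"
    if proto == "UDP":
        if fields["SPT"] == 53 and fields["DPT"] >= 1024:
            return "reply"   # DNS answer to a query from the firewall or a NATed client
        return "probe" if fields["DPT"] < 1024 else "other"
    return "other"


def summarize(lines):
    """Group dbl_log drops by source; return (verdict per source, counts per source)."""
    counts = defaultdict(lambda: {"probe": 0, "reply": 0, "other": 0})
    for line in lines:
        fields = parse_dbl_line(line)
        if fields is not None:
            counts[fields["SRC"]][classify(fields)] += 1
    verdicts = {}
    for src, c in counts.items():
        if c["probe"]:
            verdicts[src] = "likely-scanner"
        elif c["reply"] and not c["other"]:
            verdicts[src] = "likely-false-positive"
        else:
            verdicts[src] = "review"
    return verdicts, dict(counts)


# Constructed sample in the thread's log format (see the lead-in for the addresses).
SAMPLE_LOG = """\
Nov 30 09:12:28 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=8.8.8.8 DST=192.168.101.2 LEN=76 TOS=0x00 PREC=0x00 TTL=56 ID=53866 PROTO=UDP SPT=53 DPT=20938 LEN=56 MARK=0x3
Nov 30 09:31:10 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=203.0.113.10 DST=192.168.101.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=80 DPT=14686 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x3
Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=203.0.113.10 DST=192.168.101.2 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=61483 DF PROTO=TCP SPT=443 DPT=28519 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
Nov 30 10:02:01 Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=198.51.100.7 DST=192.168.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=41234 DPT=2222 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x2
Nov 30 10:02:03 Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=198.51.100.7 DST=192.168.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=41235 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x2
Nov 30 10:05:00 Shorewall:loc-net1:ACCEPT:IN=enp0s9 OUT=enp0s11 SRC=10.215.248.190 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=64178 DPT=80 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    verdicts, counts = summarize(SAMPLE_LOG.splitlines())
    for src, verdict in sorted(verdicts.items()):
        print(f"{src:16} {verdict:22} {counts[src]}")
```

On the sample, 8.8.8.8 and the web server come out as likely false positives (only reply traffic was ever dropped from them) while 198.51.100.7 is a likely scanner: one SYN to an unserved port, followed by a SYN to port 25 that is dropped only because the address is already in the set. In practice you would feed it `journalctl -k` or the syslog file and compare the output against `ipset list SW_DBL4`.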

------------------------------------------------------------------------------
Tom Eastep
2016-11-30 16:23:02 UTC
Post by Vieri Di Paola
Post by Tom Eastep
DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
then put this at the bottom of your rules:
ADD(SW_DBL4,src) net $FW
I seem to have a few issues with the ipset-based solution.
# grep IPSET /etc/shorewall/shorewall.conf
IPSET=
IPSET_WARNINGS=Yes
SAVE_IPSETS=No
# ipset list SW_DBL4
Shouldn't it have been cleared out?
No.
I actually prefer to set SAVE_IPSETS=Yes and then manually flush
the ipset whenever I want to. I'm just wondering if this config
variable applies to SW_* ipsets.
Yes, it does.
The second issue is described below.
The policy file contains:
net3 $FW DROP info
net3 loc DROP info
net2 $FW DROP info
net2 loc DROP info
net1 $FW DROP info
net3 loc DROP info
DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
rules file contains among many other entries:
[...]
DNAT net1 loc:10.215.144.91 tcp 25 - - 3/sec:10
DNAT net2 loc:10.215.144.91 tcp 25 - - 3/sec:10
ACCEPT net3 $FW tcp 25 - - 3/sec:10
[...]
ACCEPT net2 $FW tcp <some_other_port>
[...]
ADD(SW_DBL4:src) net1 $FW
ADD(SW_DBL4:src) net2 $FW
ADD(SW_DBL4:src) net3 $FW
Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=IP1 DST=192.168.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=28878 DF PROTO=TCP SPT=7309 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x2
# ipset list SW_DBL4 | grep IP1
IP1 timeout 3541 packets 1 bytes 48
Since 192.168.100.2 is net2's NIC address on $FW, I'm guessing IP1
was blacklisted because there's no explicit rule for traffic from
net2 to $FW on port 25 so it reaches ADD(SW_DBL4:src) net2 $FW.
However, I'm not really sure about this. If the host at IP1 tried
to connect for the first time to the net2 external interface, it
should have succeeded and established an SMTP link to an internal
server (DNAT). As I see it, it never should have reached the ADD
action at the bottom of my rules file.
If IP1 tried to connect to ANY port that wasn't allowed by the
ruleset, then it gets blacklisted and subsequent attempts to connect
to port 25 will be rejected, even if those attempts are allowed by the
ruleset.
Nov 30 09:12:27 Shorewall:loc-net3:ACCEPT:IN=enp0s9 OUT=enp0s13 SRC=10.215.144.31 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=29724 PROTO=UDP SPT=54141 DPT=53 LEN=40
Nov 30 09:12:28 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=8.8.8.8 DST=192.168.101.2 LEN=76 TOS=0x00 PREC=0x00 TTL=56 ID=53866 PROTO=UDP SPT=53 DPT=20938 LEN=56 MARK=0x3
where enp0s13 is net3's interface and 192.168.101.2 its IP
address. So now Google DNS (8.8.8.8) is in the SW_DBL4 ipset.
I don't care if Google can connect or not but then I also see messages like these:
Nov 30 09:31:10 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx1 DST=192.168.101.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=80 DPT=14686 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x3
Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx2 DST=192.168.101.2 LEN=75 TOS=0x00 PREC=0x00 TTL=50 ID=27302 DF PROTO=TCP SPT=443 DPT=53313 WINDOW=514 RES=0x00 ACK PSH FIN URGP=0 MARK=0x3
Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx3 DST=192.168.101.2 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=61483 DF PROTO=TCP SPT=443 DPT=28519 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
They're usually ACK FIN, ACK SYN, ACK PSH or RST so I guess each
time a client in my loc zone surfs the web, the web servers' IP
addresses are bound to get blacklisted.
Another example when a client in the loc zone accesses a web server (note that there are several internet providers with load balancing):
Nov 30 09:58:03 Shorewall:loc-net1:ACCEPT:IN=enp0s9 OUT=enp0s11 SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=2734 DF PROTO=TCP SPT=64178 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 30 09:58:04 Shorewall:loc-net1:ACCEPT:IN=enp0s9 OUT=enp0s11 SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=3027 DF PROTO=TCP SPT=64180 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 30 09:58:05 Shorewall:loc-net2:ACCEPT:IN=enp0s9 OUT=enp0s12 SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=3087 DF PROTO=TCP SPT=64183 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 30 09:58:05 Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=xxx.xxx.xxx.xx4 DST=192.168.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=64183 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x2
(192.168.100.2 is on net2)
So I'm wondering if I can avoid false positives in the dynamic
blacklist.
First, remove the ADD rules from /etc/shorewall/rules.

You can then copy action.Drop to /etc/shorewall/ and then add this to
the copy as the last line:

ADD(SW_DBL4:src)

- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Vieri Di Paola
2016-11-30 22:38:38 UTC
Post by Tom Eastep
First, remove the ADD rules from /etc/shorewall/rules.
You can then copy action.Drop to /etc/shorewall/ and then add this to
the copy as the last line:
ADD(SW_DBL4:src)
Unfortunately, private IP addresses from my dmz zone were also put into SW_DBL4 for some reason.

So I thought I should create a custom DROP action.

# cat /etc/shorewall/actions
DROPBL # drop and blacklist

Created a copy of the standard DROP action and added the line at the bottom:
# tail -n 2 /etc/shorewall/action.DROPBL
DropDNSrep(@5)
ADD(SW_DBL4:src)

# tail -n 3 rules
DROPBL net1 $FW
DROPBL net2 $FW
DROPBL net3 $FW

This overrides the net*2fw "policy" because I cannot specify custom actions in the POLICY column of /etc/shorewall/policy, right?

Vieri

------------------------------------------------------------------------------
Mark D. Montgomery II
2016-11-27 23:11:49 UTC
Post by Vieri Di Paola
Hi,
ACCEPT net $FW tcp 80,443
DNAT net loc:IP tcp 3389
[...etc...]
I'd like to automatically/dynamically blacklist all IP addresses of
hosts that try to connect to any other unlisted port (eg. port tcp
2222 or 1234, etc.). So if a host tries to connect to port tcp 1234
(on which my site does not serve anything) I'd like the "net" SRC
address to be blacklisted "globally", ie. it should not be able to
connect to ANY port, not even those listed above (80,443,3389), for
at least 1 hour.
Personally I use PSAD for this, it works nicely with Shorewall.
I'm a little more obnoxious and set it to a 24 hr block. ;)
Post by Vieri Di Paola
I've read about shorewall events (BTW there's a missing ',-' in the
example 'AutoBL(SSH,-,-,-,REJECT,warn)') but I'm not sure if it fits
my needs.
ACCEPT net $FW tcp 80,443
DNAT net loc:IP tcp 3389
[...etc...]
AutoBL(ABL,10,1,-,3600,REJECT,info) net $FW all
Aren't the IP addresses in ABL_BL supposed to be REJECTed regardless
of where they're trying to connect to?
Maybe there's a simpler way to do this with Shorewall actions and dynamic blacklisting?
Thanks,
Vieri
------------------------------------------------------------------------------
--
Mark D. Montgomery II
http://www.techiem2.net