CentOS 5.5 - iptables keeps clearing
I had moved this from another forum... I should not have had it there, please forgive me for mis-labeling!
Version: Linux version 2.6.18-028stab093.2 (root@rhel5-build-x64) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-46)) #1 SMP Tue Aug 23 16:27:58 MSD 2011 CentOS release 5.5 (Final)

I have root access on my VPS. I keep adding rules to iptables, I save, and everything is good for a while. But without restarting, eventually it is cleared and I have no idea why! I am going to guide you through exactly what I am doing:

1) I log in to the VPS
2) List the iptable contents:
Code:
[root@server init.d]# iptables --list
Code:
[root@server init.d]# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Code:
[root@server init.d]
Code:
[root@server init.d]# /sbin/service iptables save
Code:
[root@server init.d]# service iptables stop

I wait about 10 minutes without doing ANYTHING to the server, not logging out of SSH, not restarting the container or anything. Then I type "service iptables status" and there are NO RULES anymore?:
Code:
[root@server init.d]# service iptables status
Code:
[root@server init.d]# iptables --list

BUT if I go ahead and start the service again...
Code:
[root@server init.d]# service iptables start
Code:
[root@server init.d]# service iptables status
Code:
[root@server init.d]# service iptables start
Code:
[root@server init.d]# iptables --list

Now... if I wait for a little while... POOF they are gone again! I know these things are stored in memory, is there some other service that can be restarting that could be clearing iptables -t filter? This is on a web server, could I edit etc/init.d/httpd and add the line "service iptables start" somewhere to ensure if httpd restarts it restarts iptables too? There has to be something actively clearing this out |
check your crontab for something like the following....
Code:
*/10 * * * * /sbin/iptables -F

I like to disable selinux too, but that's prolly not the problem. Question: Is this an OpenVZ VPS? Lemme know, I'm interested in following your issue. I hope that helps :) Kindest regards, . |
No CronTabs set up right now... but yeah, I probably should do that while testing.
Code:
[root@server init.d]# crontab -l

The reason I am all over this iptables thing right now is I have been getting dozens of "brute force monitor" emails from Direct Admin's new brute force monitor (control panel for my web sites). I have a script I am integrating in to direct admin to populate iptables when an IP address goes over 20 attempts in 24 hours. (and it is not my ip of course :) ) Does this help anyone any? I am baffled here. |
Quote:
Your firewall should start long before any services like that. Do some of the following so we can see just what your setup is:
Code:
# /etc/init.d/iptables stop

Again, don't start your firewall from /etc/init.d/httpd!!! - it has its own startup script at /etc/init.d/iptables ;) You may also like to see what's going on in realtime (well, one second increments anyway) to see exactly when your firewall is getting hosed:
Code:
# watch -n1 netstat -tulpn
Code:
watch -n1 iptables -L

Since your firewall should start at boot right at the point where the network services are coming up (and obviously before SSHD or HTTPD), any changes you make or need to make will be reflected in the firewall script, not some saved configuration you may not be completely sure about - but that's just me. As I mentioned before, I'm not a fan of selinux. It does have its uses at times, but I hardly ever use it and therefore completely disable it. selinux interferes with some things in weird ways, and you'll find that many install docs have you disable it before beginning your setups. If you don't know that you need it, I recommend disabling it (Yes, some RH'ers will prolly flame me for that advice but many distros don't even include it because of these reasons). A quick way to turn it off is below:
Code:
# setenforce 0

I hope that helps :) Kindest regards, . |
Quote:
I know what's going on now. You're fighting yourself :) The Parallels power panel is where you should be inserting your firewall rules. Doing it directly on the CLI will get wiped as there are all kinds of automated monitors and safeguards built into your VPS. So unless you disable that stuff, just use their control panel gui for your container and make your adjustments there. That includes cronjobs, etc. What's happening is since the changes aren't being made via their control panel, they're getting wiped because they're not in that firewall app in the control panel - it's annoying, but for the purposes of having a point and click management tool it's a good thing, since, if someone were to do some weird things to your machine it would get reset (ergo, the source of your frustrations).
Quote:
Code:
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

This will make those brute force attacks *vanish* :)
Quote:
The reason being is that certain intervals like 60 seconds, 5 minutes, 60 minutes, and 24 hours are easy for a prober to ascertain, and they'll get another 20 attempts, which in the case of a weak password might be able to get cracked in a year or two of you not even knowing it's still going on. Call me paranoid, but if you do, call me secure ;) One last thing, you might want to take a gander at my article on securing SSHD at my website below. It's pretty comprehensive as a guide to disable passwords completely and use encrypted keys instead, as well as changing the port that SSHD listens on. Some people even run two SSH daemons, one which is on 22 and does nothing but waste the time of the scanners and one that is on an obscure port that you use. All in all it sounds like you're taking security seriously, which is not only commendable, but will save you from a lot of tears and hard lessons other people just don't seem to ever learn. Lemme know if this takes care of your problem okay? Kindest regards, . |
Quote:
So, really... that is what I am now on the hunt for. How to disable their iptable "wiper" because frankly, I think iptables is more secure from what I read, and I can more easily script iptables from the brute force monitor using php or a cron job.
Code:
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

Besides, I get goofy errors with some of the more complex rules:
Code:
[root@server ~]# iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
Quote:
Insert records in a mysql db automatically based on your brute force monitor's criteria for notifications
Create rules on the fly, and rebuild the iptable nightly and restart the service
Send me an end of the week security report.
Send me a "high activity" sms alert anytime activity reaches a to be determined level.

I am also going to integrate the same system with my web request forms, so when I or clients get spammed, it gets added from a link in the email and that dude is done for. I will keep you updated, have not found anything definitive yet. |
Using "watch -n1 iptables -L" I can determine every five minutes on the 3rd second my settings are getting wiped.
I looked closer at my crontab settings in /etc/
Code:
*/5 * * * * root /etc/init.d/apf stop >> /dev/null 2>&1

Commented that out and WAHLAA! Here are the unique IP addresses and their rules for the last 15k hits
Code:
[root@server etc]# service iptables status
Code:
[root@server ~]# iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH |
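A small shell helper, added here as an example and not code from the thread, that does by script what this post did by hand: it diffs two iptables-save snapshots to list the rules that disappeared, and greps crontab text for entries that flush the tables or stop the firewall (the "iptables -F" and "apf stop" patterns seen in this thread). The snapshots and crontab lines are constructed samples; watch_for_wipe needs root and is only defined, not run.

```shell
# Added example (not from this thread): which rules vanished, and which cron entry did it.
# Inputs are iptables-save text and crontab text; the samples at the bottom are constructed.

# Print the "-A" rules present in snapshot $1 but missing from snapshot $2.
rules_removed() {
    tmp=$(mktemp)
    printf '%s\n' "$2" | grep '^-A ' > "$tmp"
    # -x whole-line, -F fixed-string, -v keep the lines NOT found in the "after" set
    printf '%s\n' "$1" | grep '^-A ' | grep -vxF -f "$tmp"
    rm -f "$tmp"
}

# Print uncommented crontab entries that flush the tables or stop the firewall service,
# i.e. the two patterns this thread turned up ("iptables -F" and "apf stop").
find_flushers() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
      | grep -E 'iptables[[:space:]]+(-F|-X|--flush)|apf[[:space:]]+(stop|-f)|iptables[[:space:]]+(stop|restart)'
}

# Poll the live ruleset once a second and log the moment rules disappear (needs root; not run here).
watch_for_wipe() {
    prev=$(iptables-save)
    while sleep 1; do
        cur=$(iptables-save)
        gone=$(rules_removed "$prev" "$cur")
        [ -n "$gone" ] && printf '%s rules removed:\n%s\n' "$(date '+%F %T')" "$gone"
        prev=$cur
    done
}

# Constructed sample data, modelled on what the thread shows.
BEFORE='# iptables-save snapshot taken before the wipe (constructed)
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
COMMIT'
AFTER='# snapshot taken after the 5-minute cron job fired (constructed)
*filter
:INPUT ACCEPT [0:0]
COMMIT'
CRON_SAMPLE='# /etc/crontab (constructed)
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * root /etc/init.d/apf stop >> /dev/null 2>&1
#*/10 * * * * root /sbin/iptables -F
30 2 * * * root /usr/local/bin/rebuild-firewall.sh'
echo "== rules that vanished =="; rules_removed "$BEFORE" "$AFTER"
echo "== cron entries that would do it =="; find_flushers "$CRON_SAMPLE"
```

On a live box, replace the sample strings with `$(iptables-save)` and `$(cat /etc/crontab /etc/cron.d/*)` to check the real state.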
Quote:
I sent my hosting provider a note about this and they said:
Quote:
Then I said to myself... damn, they are right, better check that out:
Code:
[root@server ~]# ifconfig -a
Code:
[root@server ~]# iptables -A INPUT -i venet0:0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
Code:
[root@server ~]# iptables -A INPUT -i venet0:1 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH |
I noticed someone talking about being on a "Castrated VPS" could that be my issue here? Is there any other way to add it?
|
I can see two things to try: either have a "-i lo -j ACCEPT" as first rule and in subsequent rules just don't list a real or virtual ethernet device name, or use the main virtual device name "-i venet0" but specify the alias address, in your case "-i venet0 -s 216.65.1.90" or "-i venet0 -s 209.25.134.76". As for ethernet, OpenVZ can be configured with a venet (Layer 3) or veth (Layer 2) virtual ethernet device (see http://wiki.openvz.org/) but that's something the Host Node user configures for a container and not something you can change from inside your VPS.
|
Alright, I will keep messing around with this.
My initial reason to open this ticket is now resolved. Does anyone want a free toy? Here you go: This piece of php code goes in to your /usr/local/directadmin/data/<username>/ directory. Edit it and give it your db name, userid, and password and it will grab your direct admin log file, and throw it in to that database:
Code:
#!/usr/local/bin/php
Code:
#!/usr/local/bin/php

Works perfectly on my production box. Use at your own risk! But let me know if you used it! |
Run following command from root directory: [MODERATED]
|
Oh hey Mark :)
Sorry I was gone for a few days, but it looks like unspawn managed to point you in the right direction :) I may have a couple of solutions for you too if you want to contact me offlist at my email below. Kindest regards, . |