I block an IP in APF but it is still trying to telnet me!
The Planet Forums > Security > Firewalls
AlexAT
On the 31st of March I added 195.66.204.51 to the APF deny_hosts.rules file and restarted APF.

But today I received the logwatch report for the 1st of April, where I get
CODE
From 195.66.204.51 - 10 packets
   To MyIP - 10 packets
      Service: telnet (tcp/23) (** TELNET **,eth0,none) - 10 packets

How can that be?
eddy2099
Actually it shows that your firewall is effective since the intrusion is detected and blocked.

It is like putting a bouncer at your door and saying "do not let Mr B in". There is nothing stopping Mr B from appearing right at your door. It is just that he would not be permitted in.

Logwatch just lists all suspicious access attempts that appear to want to enter your server but are prevented from doing so.
AlexAT
QUOTE
Actually it shows that your firewall is effective since the intrusion is detected and blocked.

I do not think so :)
How can I determine that IP was not logged?
Where can I find that info?

Logwatch has 2 sections:

Dropped XXX packets on interface eth0
Logged YYY packets on interface eth0

I found that IP only in the "logged" section.
That IP was not dropped.
Matt Brown
You should have telnet disabled anyway. If you don't, disable it now, and then there isn't anything to worry about.
AlexAT
QUOTE
You should have telnet disabled

I have the following in conf.apf:
CODE
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,993,2082,2083,2086,2087,2095,2096,3306,30000_35000"

so telnet port 23 is not enabled.
Matt Brown
Then that should do it, but also make sure the service as a whole is disabled; there are a couple of tutorials around here that will tell you how to do so.
AlexAT
ok, thank you!

btw, strange: I thought that blocking a port within the firewall was fully enough to completely block access to that port from outside.
Matt Brown
It is, but you never know what could happen; it's just safer to disable the service altogether. You will still see those entries in your logwatch though, as people will still try to connect via telnet. That won't work, but logwatch will still report it; it's the program's job ;)
AlexAT
But is there any way to tune logwatch (or any tool) to get something like:
"IP tried to connect to port 23 without success"
"IP tried to connect to port 23 with success"
?
clearsignal
Not sure about 'with success'... but APF's prelog rules are where you find the telnet message you are worried about:
CODE
# a chain whose only job is to log
$IPT -N TELNET_LOG
# send every new inbound TCP connection to port 23 through it
$IPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport 23 -m state --state NEW -j TELNET_LOG
# LOG is non-terminating: after the entry is written the packet returns to INPUT
# and is judged by the rest of that chain
$IPT -A TELNET_LOG -j LOG --log-prefix "** TELNET ** "
You can pretty much copy/paste and alter that piece to inform you of other 'specific' ports (like your real ssh port, assuming you've changed it).
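The prelog chain above only records the packet: iptables' LOG target is non-terminating, so after the "** TELNET **" entry is written the packet goes back to INPUT and is accepted or dropped by whatever rule matches next. A "logged" count therefore says nothing by itself about whether the attempt got through; you have to pair it with a log entry from the rule that actually dropped it. The script below is an added example, not code from this thread, from APF or from logwatch. It parses standard kernel LOG lines and reports, per source IP and destination port, whether attempts were logged only or also dropped, which is the "tried to connect to port 23 without success" report asked for earlier. Assumptions: the source IP and "** TELNET **" prefix come from the thread; the hostname, MAC, other addresses, ports and the "** DROP **" prefix on the deny rule are constructed for the example (the real prefix depends on how the firewall was configured), and treating a prefix that names DROP/REJECT/DENY as "dropped" is this script's own convention. "With success" cannot be read from the firewall log at all, since a LOG rule only shows that a SYN arrived; that needs the telnet daemon's own login records.

```python
"""Classify kernel iptables LOG lines into "logged" vs "dropped" per source/port.

Added example for the thread above; not APF or logwatch code.
"""
import re
from collections import defaultdict

# Constructed sample syslog output in the format the kernel's LOG target emits.
# The source IP and "** TELNET **" prefix are from the thread; hostname, MAC,
# other IPs, ports and the "** DROP **" prefix are made up for this example.
SAMPLE_LOG = """\
Apr  1 03:12:44 srv kernel: ** TELNET ** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=195.66.204.51 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4321 DF PROTO=TCP SPT=45123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  1 03:12:44 srv kernel: ** DROP ** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=195.66.204.51 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4321 DF PROTO=TCP SPT=45123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  1 03:12:47 srv kernel: ** TELNET ** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=195.66.204.51 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4322 DF PROTO=TCP SPT=45124 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  1 03:12:47 srv kernel: ** DROP ** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=195.66.204.51 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4322 DF PROTO=TCP SPT=45124 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  1 03:15:02 srv kernel: ** TELNET ** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=777 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 03:16:10 srv kernel: ** DROP ** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=778 DF PROTO=TCP SPT=51001 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 03:16:11 srv sshd[2211]: Accepted publickey for admin from 198.51.100.9 port 40022 ssh2
"""

# Fields of a kernel LOG line; SPT/DPT are absent for protocols without ports.
LOG_LINE = re.compile(
    r"kernel: (?P<prefix>.*?)\s*IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)
# Assumption: a prefix naming a terminating action marks the deny rule's entry;
# any other prefix (e.g. "** TELNET **") is a prelog chain that only records.
DROP_WORDS = re.compile(r"\b(DROP|REJECT|DENY)\b", re.IGNORECASE)


def parse_line(line):
    """Return (prefix, src, proto, dport) for a kernel LOG line, else None."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    dpt = int(m.group("dpt")) if m.group("dpt") else None
    return m.group("prefix").strip(), m.group("src"), m.group("proto").lower(), dpt


def summarize(log_text):
    """Count logged vs dropped packets per (src, proto, dport)."""
    counts = defaultdict(lambda: {"logged": 0, "dropped": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a firewall line (sshd, cron, ...)
        prefix, src, proto, dpt = parsed
        bucket = "dropped" if DROP_WORDS.search(prefix) else "logged"
        counts[(src, proto, dpt)][bucket] += 1
    return dict(counts)


def verdict(entry):
    """Turn the two counters into the answer the poster asked for."""
    if entry["dropped"] > 0:
        return "blocked"             # "tried to connect ... without success"
    return "logged-not-dropped"      # LOG fired but no deny entry: check rule order


def report(log_text):
    """Return sorted (src, proto, dport, verdict, logged, dropped) rows."""
    rows = []
    for (src, proto, dpt), entry in summarize(log_text).items():
        rows.append((src, proto, dpt, verdict(entry), entry["logged"], entry["dropped"]))
    return sorted(rows)


if __name__ == "__main__":
    for src, proto, dpt, result, logged, dropped in report(SAMPLE_LOG):
        print(f"{src:>15} {proto}/{dpt:<5} {result:<19} logged={logged} dropped={dropped}")
```

Run it against a real /var/log/messages (or the kernel facility file syslog writes to) instead of SAMPLE_LOG; a source that keeps showing up as "logged-not-dropped" is the case to investigate, because its SYNs left the prelog chain and were not logged by any deny rule, either because the deny rule does not log or because an earlier rule accepted them.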
AlexAT
Yes, I see that kind of information in the resulting logwatch email.

But as I've said, I found 0 occurrences of telnet access from that IP.

I.e. it seems that the user was logged in via telnet when the telnet port was blocked and when access for that IP was blocked altogether!

Maybe this is my mistake, but I thought before that I understood how apf works; now I'm not so sure.

Does anybody know of a tool (maybe another firewall) that can tell you exactly what happens?