Remote ssh access

[alexghost]

Äîáàâèë â post-firewall íóæíóþ ñòðîêó (â ñîîòâåòñâèè ñ ðåêîìåíäàöèÿìè Mam(o)n), íî ïî ssh âñ¸ ðàâíî íåâîçìîæíî çàéòè íà ðóòåð ñ âíåõè... òîëüêî åñëè íàæàòü êíîïêó Update â âåá-èíòåðôåéñå ðóòåðà (IP Config-Misc-Update) Ïîëó÷àåòñÿ çàéòè îäèí ðàç. Ïîäñêàæèòå, ÷òî äåëàòü

[al37919]

Mam(o)n ñîâåòîâàë åùå ýòî:

Íó ÿ äóìàþ åùå ìîæíî ïîêàçàòü ðåçóëüòàò âûïîëíåíèÿ êîìàíä iptables -L INPUT -vn è iptables -L -vnt nat äëÿ óâåðåííîñòè, ÷òî ôàéðâîë íàñòðîåí ïðàâèëüíî.

[alexghost]

Code:

[admin@gexsrv root]$ iptables -L INPUT -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                   
   46  5299 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                             state INVALID
 220K  248M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                             state RELATED,ESTABLISHED
 3013  181K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0                             state NEW
19395 5868K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0                             state NEW
 1007 30224 ACCEPT     2    --  *      *       0.0.0.0/0            224.0.0.0/4                   
19752   27M ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4                           udp dpt:!1900
 648K   33M SECURITY   all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0                             state NEW
    1   328 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0                             udp spt:67 dpt:68
    1    48 BRUTE      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0                             tcp dpt:22 flags:0x17/0x02
    0     0 BRUTE      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0                             tcp dpt:21 flags:0x17/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1                           tcp dpt:80
   10   640 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0                     
 114K 8425K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Code:

[admin@gexsrv root]$ iptables -L -vnt nat
Chain PREROUTING (policy ACCEPT 811K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination
 651K   33M VSERVER    all  --  *      *       0.0.0.0/0            10.255.165.44

Chain POSTROUTING (policy ACCEPT 10750 packets, 902K bytes)
 pkts bytes target     prot opt in     out     source               destination
 153K   16M MASQUERADE  all  --  *      vlan2  !10.255.165.44        0.0.0.0/0
  110 24521 SNAT       all  --  *      br0     192.168.1.0/24       192.168.1.0/24      to:192.168.1.1

Chain OUTPUT (policy ACCEPT 10820 packets, 922K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2    88 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 to:192.168.1.1:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:26578 to:192.168.1.65:26578
    1    95 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:26578 to:192.168.1.65:26578
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:19505 to:192.168.1.65:19505
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:19505 to:192.168.1.65:19505
   27  1440 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:36041 to:192.168.1.65:36041
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:36041 to:192.168.1.65:36041
    5   224 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:24500 to:192.168.1.65:24500
    1    95 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:24500 to:192.168.1.65:24500
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:36130 to:192.168.1.65:36130
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:36130 to:192.168.1.65:36130
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:29921 to:192.168.1.65:29921
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:29921 to:192.168.1.65:29921
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:28992 to:192.168.1.65:28992
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:28992 to:192.168.1.65:28992
   30  3438 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:51411 to:192.168.1.65:51411

[al37919]

â äàííûé ìîìåíò âèäíî, ÷òî ïðîøèâêà ñòîèò 1.9.2.7-d, ssh ïðîêèíóò ÷åðåç âåá èíòåðôåéñ è òàì æå âêëþ÷åíà çàùèòà îò bruteforce ïóòåì ipt_recent. Âû ïûòàåòåñü ïðîêèíóòü ssh ÷åðåç post-firewall âòîðîé ðàç è åùå ðàç âêëþ÷èòü òó æå çàùèòó. Ïîëàãàþ íè÷åãî õîðîøåãî æäàòü îò ýòîãî íå ïðèõîäèòñÿ.

[alexghost]

Îòêëþ÷èë â âåá-èíòåðôåéñå çàùèòó îò áðóò-ôîðñà. Äîñòóï ïî ssh èç WAN ïîÿâèëñÿ,íî ðàáîòàåò ïî÷åìó-òî íå âñåãäà(ðàçà 3 èç 5, â 2 ñëó÷àÿõ âîçíèêàåò îøèáêà connection refusd). Ìîæåò áûòü ïðîáëåìà â íåäîñòóïíîñòè DynDNS èë ðóòåð ÷åì-òî î÷åíü ñèëüíî çàíÿò?
Íà âñÿêèé ñëó÷àé:

Code:

[admin@gexsrv root]$ iptables -L INPUT -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   26  2008 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 837K 1092M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 3179  191K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
18268 6082K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
  657 18920 ACCEPT     2    --  *      *       0.0.0.0/0            224.0.0.0/4
   64  9408 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4         udp dpt:!1900
 349K   18M SECURITY   all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           state NEW
    4  1312 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x17/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 flags:0x17/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1         tcp dpt:80
    7   448 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
81854 5800K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Code:

[admin@gexsrv root]$ iptables -L -vnt nat
Chain PREROUTING (policy ACCEPT 409K packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination
 354K   18M VSERVER    all  --  *      *       0.0.0.0/0            10.255.165.44

Chain POSTROUTING (policy ACCEPT 12496 packets, 1050K bytes)
 pkts bytes target     prot opt in     out     source               destination
51085 5128K MASQUERADE  all  --  *      vlan2  !10.255.165.44        0.0.0.0/0
  143 31868 SNAT       all  --  *      br0     192.168.1.0/24       192.168.1.0/24      to:192.168.1.1

Chain OUTPUT (policy ACCEPT 12572 packets, 1074K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 to:192.168.1.1:80
   40  1816 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:26578 to:192.168.1.65:26578
    1    95 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:26578 to:192.168.1.65:26578
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:19505 to:192.168.1.65:19505
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:19505 to:192.168.1.65:19505
   27  1452 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:36041 to:192.168.1.65:36041
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:36041 to:192.168.1.65:36041
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:24500 to:192.168.1.65:24500
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:24500 to:192.168.1.65:24500
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:36130 to:192.168.1.65:36130
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:36130 to:192.168.1.65:36130
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:29921 to:192.168.1.65:29921
    1    95 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:29921 to:192.168.1.65:29921
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:28992 to:192.168.1.65:28992
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:28992 to:192.168.1.65:28992
   35  4045 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:51411 to:192.168.1.65:51411

[al37919]

âîçìîæíî, ïî êðàéíåé ìåðå ñ òî÷êè çðåíèÿ ôàéðâîëëà ïðîêèíóòî âñå îê.

[alexghost]

 ÷åì æå äåëî?
Ïðÿìî ùàñ ñ ðàáîòû ïðîâåðÿþ è ïîëó÷àþ Connection Refused
Õîòÿ íà âåá èíòåðôåéñ çàõîäèò...
Ðàäè èíòåðåñà ïîêàïàëñÿ â ëîãàõ è âîò, ÷òî îáíàðóæèë

Code:

Jan  1 05:00:10 ddns update: connected to members.dyndns.org (204.13.248.112) on port 80.
Jan  1 05:00:11 ddns update: authentication failure
Jan  1 05:00:11 ddns update: failure to update vlan2->10.255.165.44 (gex45.ath.cx)
Jan  1 05:00:11 ddns update: shutting down updater for gex45.ath.cx due to fatal error

Ïîõîæå, ÷òî íåâîçìîæíî ïðîéòè àóòåíòèôèêàöèþ, õîòÿ íèêàêèå íàñòðîéêè íå ìåíÿë è ðàíüøå ïåðèîäè÷åñêè ìîæíî áûëî çàõîäèòü ïî ssh.

UPD. Îòòóäà æå èç ëîãà

Code:

Jan  1 05:00:09 dropbear[131]: Failed listening on '22': Error listening: Address already in use
Jan  1 05:00:10 dropbear[131]: premature exit: No listening ports available.
Jan  1 05:00:10 ddns update: connected to members.dyndns.org (204.13.248.112) on port 80.
Jan  1 05:00:11 ddns update: request successful
Jan  1 05:00:11 ddns update: successful update for vlan2->10.255.165.44 (gex45.ath.cx)

Õì, ïî÷åìó æå 22 ïîðò in use?

[al37919]

Õì, ïî÷åìó æå 22 ïîðò in use?

çíà÷èò dropbear óæå çàïóùåí.

[kodmis]

À åñëè ñîâñåì ïî òåìå, òî òàáëèöà ïîñòåïåííî çàïîëíÿåòñÿ. Ýòà øòóêà ðàáîòàåò ÷àñà 4, à â SSH_ATTACKER óæå 3 çàïèñè âêëþ÷àÿ ìîé òåñò. Àïòàéì ê äàííîìó ìîìåíòó 11 äíåé è íàäåþñü, ÷òî äî ñâîåãî âîçâðàùåíèÿ èç êîìàíäèðîâêè îí äîéäåò ãäå-íèáóäü äíåé äî 40. Ñêîëüêî æå çàïèñåé áóäåò â ýòîé òàáëèöå è ïî÷åìó íå óäàëÿþòñÿ áåñïîëåçíûå çàïèñè (òå, ñðîê äàâíîñòè ïî êîòîðûì óæå âûøåë). Âåäü åñëè ãîñòü ñ ýòîãî æå àäðåñà çàãëÿíåò åùå ðàçîê, òî îí áóäåò äîáàâëåí ñ íóëÿ áåç ïðîáëåì. À âåäü ãäå-òî ýòî äîëæíî õðàíèòüñÿ, äà è ïðîâåðêà èäòè ïî âñåì àäðåñàì --- ëèøíèå íàêëàäíûå ðàñõîäû. Íåò ëè òàì âàðèàíòà ñàìîî÷èñòêè îò áåñïîëåçíîé èíôîðìàöèè. Èëè ýòà òàáëèöà èç ñåáÿ ÷òî òî âðîäå ëîãà ïðåäñòàâëÿåò?

P.S. Íó äà ÿ ïîíÿë, ïî êðàéíåé ìåðå äëÿ ADSL ñîåäèíåíèÿ òàêàÿ ïðîáëåìà íå ñóùåñòâóåò, ò.ê. ïðè åæåñóòî÷íîì ðàçðûâå ñîåäèíåíèÿ iptables ïåðåçàïóñêàþòñÿ.

Òîæå ýòîò âîïðîñ çàèíòåðåñîâàë
Àâòîð ìîäóëÿ âîò ÷òî ïèøåò:

The module itself accepts parameters, defaults shown:
ip_list_tot=100 ; Number of addresses remembered per table
ip_pkt_list_tot=20 ; Number of packets per address remembered
ip_list_hash_size=0 ; Hash table size
0 means to calculate it based on ip_list_tot, default: 512
ip_list_perms=0644 ; Permissions for /proc/net/ipt_recent/* files
debug=0 ; Set to 1 to get lots of debugging info

Ïàðàìåòðû ìåíÿþòñÿ íàâåðíîå òàê:

Code:

modprobe ipt_recent ip_list_tot=1000

[igor77777]

Ïûòàëñÿ íàñòðîèòü áåçîïàñíûé äîñòóï ê ssh. Íî ÷òî-òî ñàì çàïóòàëñÿ.
ssh ðàáîòàåò íà ñòàíäàðòíîì ïîðòó (22).
Íî äîñòóï ñ ðàáîòû ÿ ìîãó èìåòü òîëüêî ïî 80 èëè 443 ïîðòàì.
Ïîýòîìó äåëàþ ïðîêèäûâàíèå 443 íà ëîêàëüíûé 22.
Ñåé÷àñ ýòîò êóñîê â ïîñò-ôàéðâîëë âûãëÿäèò òàê:

Code:

# Ëîâèì àòàêóþùèõ íà shh (22)  ïîðò
#   - ñîçäàëè òàáëèöó äëÿ ïàêåòîâ íà 22 ïîðò
iptables -N SSH_EVAL
#   - Óäàëÿþ çàïðåùàþùåå ïðàâèëî
iptables -D INPUT -j DROP
#   - âñå, ÷òî ïðèõîä íà 22 ïîðò îòïðàâëÿåì â íàøó òàáëèöó
iptables -A INPUT -p tcp --dport $SSH_PORT -j SSH_EVAL
#   - ôèëüòðóåì âñå, ÷òî íå ïðèøëî ñ âíóòðåííåãî èíòåðôåéñà br0
iptables -A SSH_EVAL -i ! $BR0IF -p tcp -m state --state NEW --dport $SSH_PORT -m recent --set --name SSH_ATTACKER --rsource
iptables -A SSH_EVAL -i ! $BR0IF -p tcp -m state --state NEW --dport $SSH_PORT -m recent --update --seconds 600 --hitcount 4 --name SSH_ATTACKER --rsource -j DROP
#   - óñòàíîâëåííûå ñîåäèíåíèÿ ðàçðåøàþ
iptables -A SSH_EVAL -p tcp --syn --dport $SSH_PORT -j ACCEPT
#   - Âîçâðàùàþ íàçàä çàïðåùàþùåå ïðàâèëî
iptables -A INPUT -j DROP
#   - ïðîáðàñûâàåì âíåøíèé ïîðò íà 22 âíóòðåííèé
iptables -t nat -I PREROUTING -i $PPP0IF -p tcp --dport $PPP0_SSH_PORT -j DNAT --to-destination $BR0IP:$SSH_PORT

ãäå

Code:

PPP0IP=$2
VLAN1IP=$6
BR0IP=$4

PPP0IF=$1
VLAN1IF=$5
BR0IF=$3

SSH_PORT=22
PPP0_SSH_PORT=443

 ðåçóëüòàòå ïîëó÷àþòñÿ îòêðûòûìè â èíòåðíåò îáà ïîðòà è 22 è 443.
Êàê ñäåëàòü òàê ÷òîáû îñòàëñÿ îòêðûòûì ñíàðóæè òîëüêî 443, à âíóòðè îñòàëñÿ 22 ?

[vectorm]

Ïûòàëñÿ íàñòðîèòü áåçîïàñíûé äîñòóï ê ssh. Íî ÷òî-òî ñàì çàïóòàëñÿ.
ssh ðàáîòàåò íà ñòàíäàðòíîì ïîðòó (22).
Íî äîñòóï ñ ðàáîòû ÿ ìîãó èìåòü òîëüêî ïî 80 èëè 443 ïîðòàì.
Ïîýòîìó äåëàþ ïðîêèäûâàíèå 443 íà ëîêàëüíûé 22.

À åñëè ñäåëàòü ÒÎËÜÊÎ äîñòóï ïî 443 ïîðòó âåçäå?  âåá ìîðäå. È íå çàìîðà÷èâàòüñÿ ñ ïðîáðîñàìè?

[igor77777]

À åñëè ñäåëàòü ÒÎËÜÊÎ äîñòóï ïî 443 ïîðòó âåçäå?  âåá ìîðäå. È íå çàìîðà÷èâàòüñÿ ñ ïðîáðîñàìè?

Ýòî òîæå âàðèàíò, íî ÿ êàæåòñÿ ðåøèë ïðîáëåìó.
Ïåðå÷èòàâ man ïî iptables â ÷àñòíîñòè ïî DNAT, ïîíÿë ÷òî òàì ïðîèñõîäèò ñ àäðåñàìè.
Êîðî÷å.  ïðàâèëî, îòêðûâàþùåå äîñòóï ê 22 ïîðòó äîáàâèë ïðîâåðêó ïî öåëåâîìó ip.
Òåïåðü ýòî ïðàâèëî âûãëÿäèò òàê:

Code:

#   - âñå, ÷òî ïðèõîä íà 22 ïîðò îòïðàâëÿåì â íàøó òàáëèöó
iptables -A INPUT -d $BR0IP -p tcp --dport $SSH_PORT -j SSH_EVAL

à áûëî òàê:

Code:

#   - âñå, ÷òî ïðèõîä íà 22 ïîðò îòïðàâëÿåì â íàøó òàáëèöó
iptables -A INPUT -p tcp --dport $SSH_PORT -j SSH_EVAL

[Wadson]

Òàêàÿ âîò ïðîáëåìà æèòü ìåøàåò.

Ðîóòåð WL-700gE, ïðîøèâêà îò KFurge.

×åðåç êàêîå-òî âðåìÿ ðàáîòû ïåðåñòàåò ïóñêàòü ê ñåáå ïî ssh.
Ò.å. ñíà÷àëà ìîãó íîðìàëüíî çàëîãèíèòüñÿ ÷åðåç PuTTy è nTorrent c ÁÁ èëè ëþáîãî íîóòà.
×åðåç êàêîå-òî âðåìÿ nTorrent ïèøåò disconnected. Ïðè ïîïûòêå çàïóñòèòü åãî ïî íîâîé (îïÿòü æå íà ëþáîì êîìïå) ïèøåò Auth fail.
Ïðè ïîïûòêå çàõîäà ÷åðåç PuTTy ïîñëå ââîäà ïàðîëÿ ïèøåò Access denied.
Ïî òåëíåòó ïðè ýòîì ïóñêàåò áåç ïðîáëåì.

 ÷åì ìîæåò áûòü ïðè÷èíà è êàê åå ïîáîðîòü?

[vectorm]

Òàêàÿ âîò ïðîáëåìà æèòü ìåøàåò.
 ÷åì ìîæåò áûòü ïðè÷èíà è êàê åå ïîáîðîòü?

Ñìîòðåòü ëîãè.

[Wadson]

Ñìîòðåòü ëîãè.

Ëîãè ÷åãî è ãäå?