Friday, March 27, 2015

ufw deny network rule not working

Someone keeps trying to login in my dovecot server. I have added a ufw deny rule for a network since he keeps picking different addresses from the same small network, but these deny rules don’t seam to have any effect. It’s only when I specify an IP address that the rule has apparently an effect.



I changed the listening port of the dovecot server, but he finds the new port and keeps trying to login.



The network that I want to filter is 185.211.245.128 - 185.211.245.255.



I have postfix and ssh ports open, but he focus on dovecot.



These are the rules I have set in ufw





Anywhere                   DENY        185.211.245.128/25
Anywhere                   DENY        185.211.245.0/24
Anywhere                   DENY        185.211.245.170
996                        DENY        185.211.245.170
996/tcp                    ALLOW       Anywhere


Only the last deny had effect. I have now connection attempts from another address from this network.




I added the network deny rules with the following command:




# ufw deny from 185.211.245.128/25


Why is ufw not taking these deny rules into account ?



Update 1: I rebooted and got an hour relief, but I get connection attempts again. iptables look correct:





Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:xxx
   32  1672 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
   19  1092 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
   22  1268 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
    7   424 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465

    0     0 DROP       all  --  *      *       141.98.80.16         0.0.0.0/0           
    0     0 DROP       all  --  *      *       5.79.252.176         0.0.0.0/0           
    0     0 DROP       all  --  *      *       5.53.119.178         0.0.0.0/0           
    5   200 DROP       all  --  *      *       185.211.245.128/25   0.0.0.0/0           
    0     0 DROP       all  --  *      *       185.211.245.0/24     0.0.0.0/0           
    0     0 DROP       all  --  *      *       185.211.245.170      0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       185.211.245.170      0.0.0.0/0            tcp dpt:996
    0     0 DROP       udp  --  *      *       185.211.245.170      0.0.0.0/0            udp dpt:996
    0     0 DROP       all  --  *      *       168.228.151.234      0.0.0.0/0           
    0     0 DROP       all  --  *      *       185.211.245.198      0.0.0.0/0           

   34  2160 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:996


Apparently 5 packets were rejected by rule deny 185.211.245.128/25. But I now have again connections from 185.211.245.170.



This is what I see in auth.log. I rebooted before 12:00. 




Feb 18 12:37:28 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170
Feb 18 12:37:31 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170

Feb 18 12:37:58 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170
Feb 18 12:38:00 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170
Feb 18 13:11:12 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170
Feb 18 13:11:14 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170
Feb 18 13:11:33 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170
Feb 18 13:11:36 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170


It looks like iptables is not properly working or could be circumvented.




The dovecot process is listening on 0.0.0.0:996 and :::996.



Update 2: even stranger. Looking in the ufw.log, I see that connection attempts from my home to the server at port 996 were rejected during this night. But I did manage to access my imap server at that same port yesterday evening. Something is really fishy.



Update 3: I had fail2ban running. Since I stopped fail2ban, which result in removing the rules in iptables, no more failed connection attempts are reported in auth.log. It might be fail2ban who generated them, while I thought it was dovecot. In iptables, I see a slowly increasing number of packet drops for rule 185.211.245.128/25. Which is what I expect. It seam that fail2ban interfered with iptables, or just that the logging was incorrect. But after 4 hours, and just after posting this update, I got four new connection attempts.



Update4: I made some progress. The login attempts are blocked when the drop rules are put before all allow rule. It looks as if the attacker benefit from other allow rules to circumvent the deny rule. How this is possible is still unclear. If this interpretation is correct, ufw has a hole which is a security problem !



The deny rules, must apparently come first. I can ensure it myself, but a naive use of ufw could expose the host. I would suggest that ufw always insert the deny rules in front of any allow rules as a precaution measure.

-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...