Friday, March 27, 2015

ufw deny network rule not working

Someone keeps trying to login in my dovecot server. I have added a ufw deny rule for a network since he keeps picking different addresses from the same small network, but these deny rules don’t seam to have any effect. It’s only when I specify an IP address that the rule has apparently an effect.



I changed the listening port of the dovecot server, but he finds the new port and keeps trying to login.



The network that I want to filter is 185.211.245.128 - 185.211.245.255.



I have postfix and ssh ports open, but he focus on dovecot.



These are the rules I have set in ufw





Anywhere DENY 185.211.245.128/25
Anywhere DENY 185.211.245.0/24
Anywhere DENY 185.211.245.170
996 DENY 185.211.245.170
996/tcp ALLOW Anywhere


Only the last deny had effect. I have now connection attempts from another address from this network.




I added the network deny rules with the following command:




# ufw deny from 185.211.245.128/25


Why is ufw not taking these deny rules into account ?



Update 1: I rebooted and got an hour relief, but I get connection attempts again. iptables look correct:





Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
3 180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:xxx
32 1672 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
19 1092 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
22 1268 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
7 424 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465

0 0 DROP all -- * * 141.98.80.16 0.0.0.0/0
0 0 DROP all -- * * 5.79.252.176 0.0.0.0/0
0 0 DROP all -- * * 5.53.119.178 0.0.0.0/0
5 200 DROP all -- * * 185.211.245.128/25 0.0.0.0/0
0 0 DROP all -- * * 185.211.245.0/24 0.0.0.0/0
0 0 DROP all -- * * 185.211.245.170 0.0.0.0/0
0 0 DROP tcp -- * * 185.211.245.170 0.0.0.0/0 tcp dpt:996
0 0 DROP udp -- * * 185.211.245.170 0.0.0.0/0 udp dpt:996
0 0 DROP all -- * * 168.228.151.234 0.0.0.0/0
0 0 DROP all -- * * 185.211.245.198 0.0.0.0/0

34 2160 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:996


Apparently 5 packets were rejected by rule deny 185.211.245.128/25. But I now have again connections from 185.211.245.170.



This is what I see in auth.log. I rebooted before 12:00.




Feb 18 12:37:28 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170
Feb 18 12:37:31 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170

Feb 18 12:37:58 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170
Feb 18 12:38:00 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170
Feb 18 13:11:12 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170
Feb 18 13:11:14 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170
Feb 18 13:11:33 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170
Feb 18 13:11:36 srv01 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=185.211.245.170


It looks like iptables is not properly working or could be circumvented.




The dovecot process is listening on 0.0.0.0:996 and :::996.



Update 2: even stranger. Looking in the ufw.log, I see that connection attempts from my home to the server at port 996 were rejected during this night. But I did manage to access my imap server at that same port yesterday evening. Something is really fishy.



Update 3: I had fail2ban running. Since I stopped fail2ban, which result in removing the rules in iptables, no more failed connection attempts are reported in auth.log. It might be fail2ban who generated them, while I thought it was dovecot. In iptables, I see a slowly increasing number of packet drops for rule 185.211.245.128/25. Which is what I expect. It seam that fail2ban interfered with iptables, or just that the logging was incorrect. But after 4 hours, and just after posting this update, I got four new connection attempts.



Update4: I made some progress. The login attempts are blocked when the drop rules are put before all allow rule. It looks as if the attacker benefit from other allow rules to circumvent the deny rule. How this is possible is still unclear. If this interpretation is correct, ufw has a hole which is a security problem !



The deny rules, must apparently come first. I can ensure it myself, but a naive use of ufw could expose the host. I would suggest that ufw always insert the deny rules in front of any allow rules as a precaution measure.

No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...