Netgate Discussion Forum

IP blocked in Rules but still accessing FTP

Firewalling
87 Posts 9 Posters 10.8k Views
    cdsJerry, May 6, 2015, 7:02 PM

    I have an alias for IPs I want to manually block. Let's just call it "Bad Guys". My rule set has "Bad Guys" near the top of the rules. The only rules above it are other blocks and a whitelisted IP of mine.
    So I've had this guy the past few weeks logging onto my FTP server trying to guess his way in. He hits me several times a day but stops guessing before the FTP's autoban feature kicks in. I see several IPs in the same range listed for days.

    So I started adding his IPs to my "Bad guys" list.  I've entered about 80 of them now but today I noticed that one of the IPs he's using in a recent attempt is an IP that's already blacklisted on the "Bad guys" alias.  I checked the rule and it's active and set to block.

    How can he be getting in with an IP that's blacklisted at the top of the rule set before any pass rules (other than my own IP)?

    KOM, May 6, 2015, 7:17 PM

      He can't if your rules are correct.  Post a screencap of your WAN rules.

      almabes, May 7, 2015, 1:21 AM

        The only thing I can think of would be to check and make sure you don't have any floating rules that allow traffic.

        johnpoz (LAYER 8 Global Moderator), May 7, 2015, 12:07 PM

          Without your rules there is no way for us to help you - clearly you're doing it wrong or it would be blocked, is the simple answer.

          Please post your floating tab if anything is in there, and your WAN tab. And your port forwards would be helpful in seeing how you're forwarding FTP into your network in the first place.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          cdsJerry, May 7, 2015, 6:48 PM

            I've attached the two screens requested.

            Attachments: floating.JPG, rules.JPG

            johnpoz (LAYER 8 Global Moderator), May 7, 2015, 7:21 PM

              Well, looks like you're missing some stuff in your WAN.. And what is in remote management and remotemanagement ports?


              cdsJerry, May 7, 2015, 7:27 PM

                RemoteManagement is an alias with a couple of fixed IP addresses we use to access pfSense from outside our LAN (set up by pfSense support, btw).

                What's missing from the WAN?  pfSense is running in transparent mode (bridge mode?) and not as a router.  That may be why it looks like it's missing some things.

                johnpoz (LAYER 8 Global Moderator), posted May 7, 2015, 7:38 PM, edited 7:41 PM

                  Well, for one, where is the rule that would even allow FTP? Looks like that is not the full rule set.. Looks like there's more under that from the bottom of that screenshot.

                  And why would you allow to wan net??  Seems odd - shouldn't it be wan address?


                  cdsJerry, May 7, 2015, 7:59 PM

                    Yes, there were more rules. I only copied the rule set down to the level that showed the block for "Badguys". The IP I'm trying to block is listed in that alias, so it should stop at that point regardless of the rules below it. I was just showing that there weren't any rules above it that should have allowed it to pass. Once it hits this block the rest of the rules don't matter.

                    WAN net (set up by pfSense support) allows access to the pfSense settings when in transparent mode. Should it be an IP? I don't know. Since pfSense support set it up and they're smarter than I am, I left it the way they had it.

                    cdsJerry, May 7, 2015, 8:09 PM

                      From my FTP server. I get hit every few minutes.

                      (001914)5/7/2015 15:47:34 PM - (not logged in) (71.232.46.105)> 220-Thank you for visiting namehere ftp server.
                      (001914)5/7/2015 15:47:34 PM - (not logged in) (71.232.46.105)> 220 All actions are logged.
                      (001914)5/7/2015 15:47:34 PM - (not logged in) (71.232.46.105)> SSH-2.0-libssh2_1.4.1
                      (001914)5/7/2015 15:47:34 PM - (not logged in) (71.232.46.105)> 500 Syntax error, command unrecognized.
                      (001914)5/7/2015 15:47:37 PM - (not logged in) (71.232.46.105)> disconnected.
                      (001915)5/7/2015 15:54:15 PM - (not logged in) (157.7.237.232)> Connected on port 22, sending welcome message…

                      And from my "badguys" alias as seen on the rules, they're blocked.  So how did they get to the FTP?  They should have been blocked long before they got down to the port settings for the FTP connection.

                      Attachment: ftpguess.JPG

                      doktornotor (Banned), posted May 7, 2015, 8:12 PM, edited 8:18 PM

                        Dude. FTP is NOT SSH. Sigh. WTF.

                        (001914)5/7/2015 15:47:34 PM - (not logged in) (71.232.46.105)> SSH-2.0-libssh2_1.4.1
                        (001915)5/7/2015 15:54:15 PM - (not logged in) (157.7.237.232)> Connected on port 22, sending welcome message…

                        KOM, May 7, 2015, 8:15 PM

                          WAN net is the entire subnet your WAN interface is part of.  WAN address is just the IP address used by your WAN.

                          My personal view is that you should ignore this guy or you will be playing whack-a-mole with him and other bots forever.  Let them knock on your door.  Just ignore them.  However, the challenge in this situation is how is he getting in in the first place?  We still haven't seen anything that shows the link between pfSense and your FTP server, no FTP rule, no port-forward.  Are you using an IP alias or is your FTP server listening on your WAN IP address?

                          Dude. FTP is NOT SSH. Sigh. WTF.

                          Regardless, how is this IP getting past the firewall?

                          doktornotor (Banned), May 7, 2015, 8:19 PM

                            @KOM:

                            Dude. FTP is NOT SSH. Sigh. WTF.

                            Regardless, how is this IP getting past the firewall?

                            How? Because the "remotemanagement" allow rule is before "badguys" block. Useless.

                            cdsJerry, May 7, 2015, 8:20 PM
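                            The point of the exchange above is that pfSense interface rules are first-match: a pass rule that sits above the "Badguys" block wins for any source it matches, and the block is never reached for that source. The following is an added example, not code from the thread or from pfSense, that models that evaluation over a rule order like the one described (management pass, manual blacklist block, FTP pass at the bottom). The rule names, port, and alias contents are constructed; the two attacker addresses are taken from the log excerpt posted later in the thread, and the management addresses are RFC 5737 documentation placeholders.

```python
"""Added example: first-match evaluation of a pfSense-style WAN rule set with
alias tables. Shows that an allow rule placed above a block rule only lets a
source through if the allow rule's alias actually matches that source."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    src: str                  # source alias name, or "any"
    dst_port: Optional[int]   # destination TCP port, or None for any
    descr: str = ""


Aliases = Dict[str, List[str]]


def in_alias(aliases: Aliases, ip: str, name: str) -> bool:
    """True if ip falls inside any host or network entry of the named alias."""
    if name == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in aliases.get(name, ()))


def first_match(aliases: Aliases, rules: List[Rule], src_ip: str,
                dst_port: int) -> Tuple[str, Optional[int]]:
    """Walk the rules top to bottom and return (action, index) of the first
    match. No match means the implicit default deny, returned as ("block", None)."""
    for idx, rule in enumerate(rules):
        if not in_alias(aliases, src_ip, rule.src):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action, idx
    return "block", None


def pass_rules_above(aliases: Aliases, rules: List[Rule], src_ip: str,
                     dst_port: int, block_alias: str) -> List[int]:
    """Diagnostic: indices of pass rules above the block on block_alias that
    match this packet. Non-empty means the block is never reached for it."""
    hits = []
    for idx, rule in enumerate(rules):
        if rule.action == "block" and rule.src == block_alias:
            break
        if (rule.action == "pass" and in_alias(aliases, src_ip, rule.src)
                and (rule.dst_port is None or rule.dst_port == dst_port)):
            hits.append(idx)
    return hits


# Rule order as described in the thread; descriptions and the FTP port are
# constructed for illustration.
WAN_RULES = [
    Rule("pass", "RemoteManagement", None, "remote admin to WAN net"),
    Rule("block", "Badguys", None, "manual blacklist"),
    Rule("pass", "any", 21, "FTP control channel"),
]

# Constructed aliases. Attacker entries use the two addresses from the posted
# log excerpt; management entries are RFC 5737 documentation placeholders.
ALIASES_AS_INTENDED: Aliases = {
    "RemoteManagement": ["203.0.113.10", "198.51.100.20"],
    "Badguys": ["71.232.46.0/24", "157.7.237.232"],
}
# Same rules, but the management alias accidentally carries a /16 covering
# the attacker, so the pass rule above the block matches first.
ALIASES_OVERBROAD: Aliases = {
    "RemoteManagement": ["203.0.113.10", "71.232.0.0/16"],
    "Badguys": ["71.232.46.0/24", "157.7.237.232"],
}

if __name__ == "__main__":
    for label, aliases in (("intended", ALIASES_AS_INTENDED),
                           ("overbroad", ALIASES_OVERBROAD)):
        verdict = first_match(aliases, WAN_RULES, "71.232.46.105", 21)
        above = pass_rules_above(aliases, WAN_RULES, "71.232.46.105", 21, "Badguys")
        print(f"{label}: {verdict}; matching pass rules above the block: {above}")
```

                            With the alias contents as the poster describes them, the attacker is blocked at rule index 1 in either ordering, which is the poster's argument; the block is bypassed only when some pass rule above it matches the source, which is what the previous post asserts must be happening. On the firewall itself the same two checks are `pfctl -t RemoteManagement -T test 71.232.46.105` (pfSense loads each alias as a pf table of the same name) and `pfctl -sr` to see the loaded rule order, remembering that floating rules are evaluated before the WAN tab.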

                              @doktornotor:

                              Dude. FTP is NOT SSH. Sigh. WTF.

                              Of course not.  He's connected to my FTP server already when he's entering the SSH command.  He should have never been able to connect to my FTP server if his IP was blocked.  He should have never been able to get to the FTP prompt to attempt to enter the SSH command.

                              doktornotor (Banned), May 7, 2015, 8:23 PM

                                Kindly go Google the difference between SSH and FTP. You don't have any FTP server there. libssh is not FTP and port 22 is not FTP either. Also your rules ordering is wrong, as noted above.

                                cdsJerry, May 7, 2015, 8:26 PM
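                                The post above turns on reading the server log correctly: `SSH-2.0-libssh2_1.4.1` is an SSH client identification string (RFC 4253, section 4.2), and "Connected on port 22" is a listener bound on the SSH port, so these are SSH probes hitting whatever is listening, not FTP password guessing. The following is an added example, not code from the thread, that parses log lines in the format of the posted excerpt and flags sessions that behaved like an SSH client. The sample lines are constructed: the first two sessions reproduce the posted addresses and messages, and the third (an RFC 5737 placeholder address) is an ordinary FTP login added for contrast. The field layout is inferred from the excerpt; the server software itself is not named in the thread.

```python
"""Added example: parse FTP server log lines in the format of the posted excerpt
and flag sessions where the peer behaved like an SSH client (sent an SSH
identification string, or connected to a listener bound on port 22)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample, modelled on the lines posted in the thread.
SAMPLE_LOG = """\
(001914)5/7/2015 15:47:34 PM - (not logged in) (71.232.46.105)> 220-Thank you for visiting namehere ftp server.
(001914)5/7/2015 15:47:34 PM - (not logged in) (71.232.46.105)> 220 All actions are logged.
(001914)5/7/2015 15:47:34 PM - (not logged in) (71.232.46.105)> SSH-2.0-libssh2_1.4.1
(001914)5/7/2015 15:47:34 PM - (not logged in) (71.232.46.105)> 500 Syntax error, command unrecognized.
(001914)5/7/2015 15:47:37 PM - (not logged in) (71.232.46.105)> disconnected.
(001915)5/7/2015 15:54:15 PM - (not logged in) (157.7.237.232)> Connected on port 22, sending welcome message...
(001916)5/7/2015 16:02:01 PM - (not logged in) (192.0.2.44)> Connected on port 21, sending welcome message...
(001916)5/7/2015 16:02:01 PM - (not logged in) (192.0.2.44)> USER anonymous
"""

# Layout inferred from the excerpt: (session)timestamp - (user) (peer ip)> message
LINE_RE = re.compile(
    r"^\((?P<sid>\d+)\)(?P<ts>.+?) - \((?P<user>[^)]*)\) \((?P<ip>[\d.]+)\)> (?P<msg>.*)$"
)
PORT_RE = re.compile(r"Connected on port (\d+)")
# SSH identification string, RFC 4253 s4.2: SSH-protoversion-softwareversion
SSH_BANNER_RE = re.compile(r"^SSH-\d\.\d-\S+")


def parse_sessions(log_text: str) -> Dict[str, dict]:
    """Group log lines by session id and record peer ip, listener port (if the
    server logged it), any SSH banner the peer sent, and the line count."""
    sessions: Dict[str, dict] = defaultdict(
        lambda: {"ip": None, "port": None, "ssh_banner": None, "lines": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the server's log format; ignore
        s = sessions[m["sid"]]
        s["ip"] = m["ip"]
        s["lines"] += 1
        pm = PORT_RE.search(m["msg"])
        if pm:
            s["port"] = int(pm.group(1))
        if SSH_BANNER_RE.match(m["msg"]):
            s["ssh_banner"] = m["msg"]
    return dict(sessions)


def ssh_probes(sessions: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """(session id, peer ip, reason) for sessions that look like SSH clients
    talking to the FTP daemon rather than FTP logins, in session order."""
    out = []
    for sid in sorted(sessions):
        s = sessions[sid]
        if s["ssh_banner"]:
            out.append((sid, s["ip"], "ssh-client-banner"))
        elif s["port"] == 22:
            out.append((sid, s["ip"], "listener-on-port-22"))
    return out


if __name__ == "__main__":
    for sid, ip, reason in ssh_probes(parse_sessions(SAMPLE_LOG)):
        print(f"session {sid} from {ip}: {reason}")
```

                                Run against the sample, both posted sessions are flagged and the contrasting FTP login is not. The same split is what matters for blocking: an SSH probe that never issues an FTP `USER` command will not trip an FTP daemon's failed-login autoban, which is consistent with the poster's observation that the attacker "stops guessing before the autoban kicks in".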

                                  @doktornotor:

                                  @KOM:

                                  Dude. FTP is NOT SSH. Sigh. WTF.

                                  Regardless, how is this IP getting past the firewall?

                                  How? Because the "remotemanagement" allow rule is before "badguys" block. Useless.

                                  I don't understand. Remotemanagement only lists two fixed IPs for granting access.  He isn't from either of those IPs.  How is that making it useless?

                                    doktornotor (Banned), May 7, 2015, 8:27 PM

                                    @cdsJerry:

                                    I don't understand. Remotemanagement only lists two fixed IPs for granting access.

                                    Apparently not. Also, those pfBlocker rules are just whacky. I really don't think you have a clue what you are doing.

                                      cdsJerry, May 7, 2015, 8:30 PM

                                      OK, I've attached more rules. You will see the bottom one is FTP, but by being on the bottom, only access that hasn't already been blocked should get down the rule set this far. And yes, there is an FTP server, and yes, I know the difference, and yes, he's attempting to enter SSH commands on an FTP connection, and no, he shouldn't have gotten that far to do so, and that's what I'm trying to figure out. How did he get to the bottom of the rule list if there's a specific block for his IP at the top of the list (right below Remotemanagement, which only passes two IPs)?

                                      Attachment: rules2.JPG

                                      cdsJerry, May 7, 2015, 8:31 PM

                                        @doktornotor:

                                        @cdsJerry:

                                        I don't understand. Remotemanagement only lists two fixed IPs for granting access.

                                        Apparently not. Also, those pfBlocker rules are just whacky. I really don't think you have a clue what you are doing.

                                        The pfBlocker rules are created by pfBlocker, not me.  None of them are giving a pass to this guy's IPs. They're all blocks.

                                        doktornotor (Banned), May 7, 2015, 8:31 PM

                                          Let me repeat: port 22 is NOT FTP and libssh does NOT support FTP at all. What server are those logs from?

                                          @cdsJerry:

                                          The pfBlocker rules are created by pfBlocker, not me.  None of them are giving a pass to this guy's IPs. They're all blocks.

                                          Yeah. Based on your whacky misconfiguration that's apparently trying to block the entire world.

                                          @cdsJerry:

                                          OK, I've attached more rules.

                                          Yeah. Looking at that censored mess… humble suggestion: go ditch that frenzy and restart from scratch. Or perhaps better hire someone for the job.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.