IP blocked in Rules but still accessing FTP
-
Sigh. No, SFTP is NOT FTP. It's a completely different protocol. Terminology wrong, aliases confusing like hell, totally atypical configuration with NAT completely disabled or god knows what and probably some public subnet on LAN, messy rules, most information censored. How on earth do you expect people to debug this? We don't have crystal balls. WTH is FTP doing in this thread's subject?! You know, you are confusing people that were trying to help and are wasting their time with this.
Look, dude, you are getting targeted exactly because "Port 22, while used for SSH is used for other things as well". When you open port 22 to the world, you'll get a shitload of hits on it with people trying to bruteforce your SSH server. DUH! Move that Filezilla or god knows what shit where it belongs, as already suggested above.
-
Now, pretty damn convinced that your "WAN Net" rule (already mentioned), combined with the "wonderful" idea of putting FTP server on SSH port and your managenetports alias allows the traffic which you see. Fix that, or stick to WAN address, or move your pfSense SSH out of 22 and fix the alias.
-
When I posted it I really didn't expect anyone to need the full rules or aliases since the one rule should be blocking the traffic and that rule is before any pass rules other than the remotemanagement rule (put in by Chris). I didn't think the rest of the rules would matter since that traffic should never be getting past the block. It's one specific blacklisted IP I'm asking about, not all IPs accessing port 22.
FTP is in the subject because it's an FTP server. It also accepts SFTP and FTPS connections since there are a lot of file transfer clients that only support one or the other and many still use port 22 to create an SSH tunnel for the file transmission. Port 22 is the proper port for such connections and while technically an SSH connection the intent is to transfer a file in the secure tunnel rather than for command line access. But certainly if I close port 22 I will stop SSH command attempts, but I will also block some customers who need the SSL connection but have clients that do not support FTPS.
And doing so still wouldn't answer the question.. how did that specific blacklisted IP get past the block?
-
Now, pretty damn convinced that your "WAN Net" rule (already mentioned), combined with the "wonderful" idea of putting FTP server on SSH port and your managenetports alias allows the traffic which you see. Fix that, or stick to WAN address, or move your pfSense SSH out of 22 and fix the alias.
Chris put in the WAN net rule. You're right in that I don't know what it does, but Chris put it there so I left it there. In the notes he only put "Allow remote administration".
-
Fsking hell. When you write FTP, people look for port 21. Drop this ball already. You've wasted everyone's time with this nonsense, end of story.
You don't block anyone by closing port 22, you can use any port for SFTP, or SSH, or FTP. But mainly, the suggestions were
- to move the "badguys" block rule above the "remotemanagement" one - ignored
- move the FTP server where it belongs - ignored
- move the pfSense SSH port somewhere else and change the alias accordingly - ignored
- change the destination in the "remotemanagement" rule to WAN address instead of WAN net - ignored.
Come back with your findings after you've tested those suggestions. Absolutely no interest in discussing FTP vs. SFTP and Filezilla crap further.
-
As dok has so eloquently stated over and over, that is a MESS.. And you're full of shit that Chris did that mess. If he did he was drunk or stoned or both..
So you're telling me Chris put in all those any any rules on your WAN? For employees to access what? So you're not doing any sort of NAT on this system?
Why would Cloudflare need an any any rule into your network???
And then you have an IPv4 allow rule but don't even show what it is, you have dest and port blocked out? How do you expect anyone to help you with that mess and no explanation of your network.. That any any rule for public ports sure looks like it would let anything in that wanted to get in, for example to anything listening on those ports whatever they might be.
-
BTW, I definitely don't exclude the possibility that there's a bug somewhere related to the "transparent" firewall and the "WAN net" destination in particular - esp. since it's something extremely rarely used. Anyway, to confirm, you need that freaking mess reduced to absolute minimum ruleset that can reproduce the issue.
And on generic note:
- similar mess is extremely error prone and giant PITA to use. Very easy to insert inadvertent rule that totally exposes things that never should be exposed. And very easy to lock yourself out by mistake as well.
- just think about the poor guys that are gonna inherit this when you leave. There's no way they'd understand this. What are they supposed to do? Tell customers "sorry, no network services, closed for business for a couple of days, since we don't understand our own setup at all and need to redo it from scratch"?
-
I never said Chris set up all the rules. He did not. But he did set up some of them including the ones I said he did (he and Stephen both worked on this). Those are some of the rules I've been bashed for in the thread.
I haven't ignored what was said. I have made some changes based on those comments but again, the question was how can an IP get past the block rule when there is only one pass rule above the blocks and it's for two specific IPs? The rest of the rules, while they may need some work, should have never been reached due to the block rule above it. I didn't provide details on those following rules because it should have never gotten to them. The lack of information on those rules that should have never been reached seems to be the basis for much of the flaming.
I really do listen, but I admit that I hear better when the attack is not against me but rather the focus is on building a better rule set. I have made no claim to be the keeper of all knowledge. It is not required to point out that I don't know everything because I have never made such a claim and never will. I'm not an expert. I'm just a small business owner struggling to make ends meet as best I can with what I have. I am far from rich but I'm happy to be able to provide jobs for the other four people who work here. None of us are getting rich, but we have jobs.
I came here for help with something I don't have a great knowledge of, but for which I'm the best person I have to do the job. I have paid for support and received it. I think Chris and Stephen did a good job but maybe not based on the criticisms of their rules. I'm not in a position to say as both you and they are far smarter than I am. I had hoped for assistance rather than assassination. I thought that's what this forum was for.
As for the other rules, I'll explain them and listen to comments even though I don't understand why they matter if the higher placed rule should have blocked the specific IP in question.
All the pfb rules at the top were added automatically by pfBlocker, as our tiny company only deals with customers and vendors in the USA. Using pfBlocker reduces the attacks on all our servers thus lowering the chance of someone being successful. I'm aware of the debate questioning the value of the pfBlocker package but it certainly lessens the load on my mail server.
RemoteManagement is a rule put in high so that we could be assured we have access to pfSense in case we do something stupid lower that would lock us out of our own firewall. Because the firewall is in transparent mode it can not be reached from a LAN address inside our network, only by the WAN IP.
Badguys is a list of IPs I manually enter when I've noticed someone is pesky and keeps hitting my servers. If everything is working the way it should this block isn't needed. It just feels better to know I've stopped them before they reach the servers. It's an alias.
PHillOffice is a pass for a router located behind pfsense. We had some problems with valid traffic being blocked between pfsense and the router. I don't remember the specifics any more as that's been several years ago now.
ServerIPs was added by the person hired to set up pfSense the first time. It's an alias which sets a pass for traffic to our public IPs and allows only IPv4 traffic into the network since that's all we're set up for. An Alias lists the IP addresses used.
The next rule, WAN address, was put in by Chris to stop a DNS attack.
Employee is for a handicapped employee who often can only work from home. I installed an internet connection at her house just for company use. We had problems with her not being able to access some items such as phones until we added this rule. She still has to connect via a VPN (rule later) to get into the router that's located behind pfSense. There's surely a better way than a pass here but my limited knowledge of the VOIP traffic limited me and since I already allow her access to this information it didn't seem like an additional risk to add this liberal rule which is limited to her IP address in the alias which only gives access to a router.
Cloudflare, this rule might not be needed. Cloudflare had said we need to whitelist their IPs but I'm not sure we actually would as they're only hitting port 80 anyway. I will disable that rule now and delete it later if there are no problems. We were having issues with Cloudflare not caching our pages and this was done in an effort to see if it was an issue at the pfSense level while talking to their tech support.
The next rule is the VPN that passes the port I use for our VPN to the internal router that builds the VPN tunnel. Since we're in transparent mode this isn't done on pfSense.
The next rule is also part of our VPN, limiting traffic to a specific IP to a specific protocol in an effort to lower the chances of someone breaking into that router. I forget who set it up, but it was one of the three experts I'd hired to help me so it was Chris, Stephen, or Glenn.
The next rule is Public ports. It's an alias of the ports used by the various servers we have behind pfsense including ports for mail servers, web servers etc. except for the ports used by the FTP server.
Finally there's the Filezilla ports for FTP, SFTP, FTPS. These ports are only used on that specific machine so it's listed as a separate rule so that only traffic on that one IP with those ports passes. No need to expose those ports on any other server IPs.
In the floating rules there's a rule that allows only SIP traffic from our provider's IP to pass. A second rule allows outbound traffic to the same IP. The rules were put in by the setup wizard. All the other rules in the floating list were put in by the QoS wizard. I blocked out the ports rather than post them because it seemed safer, but I know what each of them is used for.
-
TL;DR.
I wanted you to test 4 simple things and post the result, and even explained the reasoning. So yes, again completely ignored.
The giant mess is your problem to deal with, and since apparently you are not going to move an inch further from the frickin' mess, just outta here.
All the pfb rules at the top were added automatically by pfBlocker, as our tiny company only deals with customers and vendors in the USA. Using pfBlocker reduces the attacks on all our servers thus lowering the chance of someone being successful. I'm aware of the debate questioning the value of the pfBlocker package but it certainly lessens the load on my mail server.
No. This does nothing to reduce attacks. Unless you have some service accessible to the whole world and want to limit access to those, your rules are just absolutely pointless overhead and those packets would just get dropped exactly the same by the default deny rule, just without creating giant tables with hundreds of thousands of CIDR ranges. So even then, you'd be a whole LOT better off with a whitelist instead of a blacklist of the entire world minus a few. If you deal with US only, then whitelist US only, do not blacklist the rest of the world minus US. As an example.
Kindly read the pfBlockerNG thread. It's explained there in detail by the author of pfBlockerNG himself.
-
As dok has stated, remove that mess. And then we have a limited set of rules to deal with. If you send me the IP of this server that is getting login attempts to I can test that myself. If you log all the rules then I can give you the IP I am coming from and validate what rule is letting it in.
If you let the world into your server's port 80 (http) - then there would be no reason for a specific allow rule. It's possible your mess of blocks was blocking Cloudflare; you're using aliases that you don't even know the full listing of IPs for?
As stated already it is much cleaner to just whitelist what you want to allow access into.
"It's an alias of the ports used by the various servers"
What specific ports are those - since it's an any rule for dest IP, if a port is in there you could hit server 2 even if you only want someone to hit server 1 with the rule, etc. Then you have the other any any rule that is completely censored and we have no idea what the dest or ports are, etc..
Clear out all those pfBlocker rules, now you have a smaller set of rules to work with - log them all, and then do a test from outside to this server you're seeing logins on and we can see which rule is letting it in. Again if you PM me this IP I would be happy to test it for you and let you know what IP I am coming from so you can filter your logs for it and validate the problem in the rules that is letting that in.
-
First part was funny, but then things went out of control. As usual lately in this forum.
@Dok and @John, in which part of the civilized world is this the way to communicate with peers asking for help with a problem significant to them?
I have a suspicion, but in my opinion even kids in worst case countries are hardly treated worse than grown-ups in this forum.
A little more respect and a little more cultivated style of discussion would be extremely helpful.
Kind regards
chemlud
-
This is the internet - who said anything about the civilized world? ;)
And I have been nothing but straightforward and blunt.. I have offered help and advice. But I cannot help those that won't give info and black out info that could be useful in figuring out their mess.
-
Thank you @chemlud. A person certainly needs a fire suit before posting. As John said, "This is the Internet." I've been online since 1976 and have seen things come and go but the ability to hurt people from behind the keyboard has never been used so much as in the past 10-15 years. The Internet is a two edged sword. Both sides cut.
I've sent John a PM to accept his kind offer.
-
So I did a quick scan of the IP cdsJerry sent me - see attached, lots of PORTS open.. That was just a quick scan of the top 1000..
I could hit his FTP server via TLS.. And I get the start of a connection from SSH.. But not a real prompt or anything.. Still looking into that - but clearly 22 is open along with other ports.
I would really suggest you lock this down.. if it's supposed to be an FTP server then the only port allowed to it should be FTP..
edit: Ok I figured out the port 22 thing.. Why are you running FTP on port 22? That is not a good idea.. And you also have it on 21 and FTPS, etc. etc.
-
I'd highly suggest rewriting the rules in their entirety. What you have is not easily maintainable.
I suspect it's a floating rule somewhere that's biting you.
I'm not big on floaters, but I suspect they have their place.
If you're not up for dumping the rule set, and rebuilding it from scratch, have you tried rewriting that badguys rule to be a floater and placing it at the top of the list?
-
Per your PM - your rules should not be open like that. If you have a server that is FTP then the rule should be to that IP to FTP. If the same server is running SSH, then sure that could be in the same rule or even a different rule.
But when you create an any any sort of rule with ports you now open up all your servers on all the ports you put in your alias - that public one for example. Exposing services that machine might be running that you don't want open.
And for the life of me I can not figure out what you're doing on 22, that is not SFTP - that is FTP over port 22. Who is using that?? They are different protocols..
-
On Filezilla's wiki…. "Most normal FTP servers use port 21, SFTP servers use port 22 and FTP over SSL/TLS (implicit mode) use port 990 by default." That's why the port is mapped to that service.
When you run the setup wizard from Filezilla, it automatically sets port 22 as an SFTP port and starts to listen on that port.
-
But when you create an any any sort of rule with ports you now open up all your servers on all the ports you put in your alias - that public one for example. Exposing services that machine might be running that you don't want open.
And for the life of me I can not figure out what you're doing on 22, that is not SFTP - that is FTP over port 22. Who is using that?? They are different protocols..
All the ports on your scan are in use by that physical machine for the services running on it. None of those ports could be closed from the public without causing problems with the programs listening on those ports.
The question however is how can a specific machine that is listed in a block rule get past that block to access the ports passed by a rule further down the list?
-
The question however is how can a specific machine that is listed in a block rule get past that block to access the ports passed by a rule further down the list?
Round and around and around and around we go… Ridiculous. As you can see, no outsider can get a clue from the mess you are doing on your firewall. Why on earth are you asking other people such questions? Absolutely no one here on this thread can make any sense of what you are doing there. And absolutely everyone told you that you have an unmaintainable, incomprehensible mess there.
Still no lesson learnt?
:( >:( >:(
-
…
The question however is how can a specific machine that is listed in a block rule get past that block to access the ports passed by a rule further down the list?
Because already granted? The "badguys" are not top of the list?
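The replies above keep coming back to the same two points: pfSense evaluates rules in order, first match wins (floating rules marked "quick" before the interface tab, then the implicit default deny), so a block rule sitting below a pass rule whose match set overlaps it never sees that traffic, and the fix suggested repeatedly in the thread is to move the "badguys" block above "remotemanagement" (or make it a floating rule at the top) and to narrow "WAN net" to "WAN address". The following is an added example, not code from the thread or from pfSense; it is a small model of that evaluation order in Python, using constructed addresses from the RFC 5737 documentation ranges and a simplified reading of pf semantics (quick floating rules, then interface rules, then non-quick floating rules with last match winning, then default deny) that is my assumption rather than a statement of pfSense internals. It also includes a shadowing audit that reports any block rule a pass rule earlier in the order can pre-empt, which is the check a practitioner would want before asking "how did that IP get past the block".

```python
import ipaddress

ANY = "any"


def _nets(spec):
    """'any' -> [None]; otherwise a list of CIDR strings -> ip_network objects."""
    if spec == ANY:
        return [None]
    return [ipaddress.ip_network(s, strict=False) for s in spec]


class Rule:
    """One firewall rule. src/dst are 'any' or a list of CIDRs (an alias); ports=() means any port."""

    def __init__(self, name, action, src=ANY, dst=ANY, ports=(), floating=False, quick=True):
        assert action in ("pass", "block")
        self.name, self.action = name, action
        self.src, self.dst = _nets(src), _nets(dst)
        self.ports = tuple(ports)
        self.floating, self.quick = floating, quick

    def matches(self, src_ip, dst_ip, port):
        def hit(nets, ip):
            return any(n is None or ip in n for n in nets)
        return (hit(self.src, src_ip) and hit(self.dst, dst_ip)
                and (not self.ports or port in self.ports))


def evaluation_order(rules):
    """Assumed order: floating+quick first, then interface-tab rules (always first match)."""
    return [r for r in rules if r.floating and r.quick] + [r for r in rules if not r.floating]


def evaluate(rules, src, dst, port):
    """Return (action, rule name) for one packet under the simplified model."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in evaluation_order(rules):
        if r.matches(src_ip, dst_ip, port):
            return r.action, r.name
    decision = ("block", "default deny")
    for r in (r for r in rules if r.floating and not r.quick):  # non-quick: last match wins
        if r.matches(src_ip, dst_ip, port):
            decision = (r.action, r.name)
    return decision


def _overlap(a, b):
    return any(x is None or y is None or x.overlaps(y) for x in a for y in b)


def shadowed_blocks(rules):
    """List (block rule, earlier pass rule) pairs where the pass rule can pre-empt the block."""
    order = evaluation_order(rules)
    findings = []
    for i, blk in enumerate(order):
        if blk.action != "block":
            continue
        for prior in order[:i]:
            if (prior.action == "pass" and _overlap(prior.src, blk.src)
                    and _overlap(prior.dst, blk.dst)
                    and (not prior.ports or not blk.ports or set(prior.ports) & set(blk.ports))):
                findings.append((blk.name, prior.name))
    return findings


# Constructed ruleset loosely shaped like the one discussed in the thread (all values made up).
WAN_NET = "192.0.2.0/24"        # public subnet bridged through the transparent firewall
WAN_ADDR = "192.0.2.1/32"       # the firewall's own WAN address
FTP_HOST = "192.0.2.20"         # the Filezilla box, listening on 21, 22 and 990
BAD_IP = "203.0.113.66"         # one entry of the "badguys" alias
MANAGE_SRC = ["198.51.100.5/32", "198.51.100.6/32"]  # the two management hosts

BEFORE = [
    Rule("sip-from-provider", "pass", src=["203.0.113.10/32"], ports=(5060,), floating=True),
    Rule("remotemanagement", "pass", dst=[WAN_NET], ports=(22, 443)),  # src any, dst WAN net: too broad
    Rule("badguys", "block", src=[BAD_IP + "/32"]),
    Rule("filezilla", "pass", dst=[FTP_HOST + "/32"], ports=(21, 22, 990)),
]

AFTER = [
    Rule("badguys", "block", src=[BAD_IP + "/32"], floating=True),  # floating + quick: evaluated first
    Rule("sip-from-provider", "pass", src=["203.0.113.10/32"], ports=(5060,), floating=True),
    Rule("remotemanagement", "pass", src=MANAGE_SRC, dst=[WAN_ADDR], ports=(22, 443)),
    Rule("filezilla", "pass", dst=[FTP_HOST + "/32"], ports=(21, 22, 990)),
]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, "port 22:", evaluate(rules, BAD_IP, FTP_HOST, 22),
              "port 21:", evaluate(rules, BAD_IP, FTP_HOST, 21),
              "shadowed:", shadowed_blocks(rules))
```

In the "before" set the blacklisted address is blocked on port 21 but passed on port 22 by "remotemanagement", which is exactly the symptom in the thread: the block rule works, it just never sees port 22 traffic. Running the audit on the real export (Diagnostics > Command Prompt, `pfctl -sr`, or the rules page) is the quickest way to settle the question without anyone having to read the whole ruleset.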