Server aholed after ASL update?

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies, feel free to get help getting started or to ask questions that may be obvious. Regular users are asked to be gentle. :-)
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: Server aholed after ASL update?

Unread post by aslus maximus »

mikeshinn wrote:Oh, and for port 30000, you don't need to add a rule. Just see this post, which will allow you to define an access control list for the ASL web console:

https://www.atomicorp.com/forums/viewto ... f=3&t=6447

For anyone that's wondering, if you don't use the ACL feature, port 30000 should automatically be open.
I tried that and it's locked me out of port 30000. There was no /etc/asl/firewall/tortixd-access-list, so I made one and added my IP, but it still doesn't work.
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: Server aholed after ASL update?

Unread post by aslus maximus »

I think it's my iptables. I ran chkconfig --del iptables, but if I run service iptables status it's still there.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Server aholed after ASL update?

Unread post by mikeshinn »

You may have borked your rules, so you'll need to flush them out.

First, don't use the iptables service. You've disabled it, which is good; using the iptables service will totally bork up your firewall. Don't use it.

Now, flush out everything, reload the defaults:

rm /etc/asl/firewall/running.fw

asl -s -f

If you have something in the /etc/asl/firewall/tortixd-access-list file, post it here. Also post the output of this command:

iptables -L -n
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: Server aholed after ASL update?

Unread post by aslus maximus »

[root@CGN003 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x2B
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x1A
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x0A
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x0D
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x1C
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x03
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x29/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x22/0x22
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
ASL-GEO-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000 state NEW
ASL-TORTIXD-ACL tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000 state NEW
ASL-Firewall-INPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 86.40.237.233 0.0.0.0/0 tcp dpt:21 state NEW
ACCEPT tcp -- 86.40.237.233 0.0.0.0/0 tcp dpt:20 state NEW
ACCEPT tcp -- 86.40.237.233 0.0.0.0/0 tcp dpt:8443 state NEW
ACCEPT tcp -- 86.40.237.233 0.0.0.0/0 tcp dpt:8880 state NEW
ACCEPT tcp -- 86.40.237.233 0.0.0.0/0 tcp dpt:8447 state NEW
ACCEPT tcp -- 86.40.0.0/13 0.0.0.0/0 tcp dpt:24555 state NEW
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ASL-UPDATES tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ASL-Firewall-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain ASL-ACTIVE-RESPONSE (0 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ASL-BLACKLIST (1 references)
target prot opt source destination

Chain ASL-Firewall-INPUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8447
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8880
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:24555
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_INPUT '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ASL-Firewall-OUTPUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5224
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:24555
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `ASL_OUTPUT '
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset

Chain ASL-GEO-BLACKLIST (1 references)
target prot opt source destination

Chain ASL-PORTSCAN (21 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_PORTSCAN '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ASL-TORTIXD-ACL (1 references)
target prot opt source destination
ACCEPT tcp -- 86.40.237.233 0.0.0.0/0 tcp dpt:30000 state NEW
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_TORTIX '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ASL-UPDATES (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 80.82.124.228 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 69.20.6.166 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.195.110 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 208.68.233.251 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.112.216 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.166.51 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 198.71.51.132 tcp dpt:443 state NEW
[root@CGN003 ~]#

The access list just has my ip in there and nothing else.

I have my custom rules set up now and I think I have most of it figured out. The only problem I have is that I can't create a data connection to the FTP server, even if I allow port 20.

Also, check my kernel. It's running an ASL kernel, but in the web GUI it says it's disabled?

[root@CGN003 ~]# uname -r
2.6.18-348.el5PAE
[root@CGN003 ~]#
It looks like a typo in the kernel maybe?

The only other thing I was wondering about is, if I have custom rules, do I need to get rid of the easy mode rules now? They won't conflict, will they?

Thanks for all the help :)
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Server aholed after ASL update?

Unread post by mikeshinn »

aslus maximus wrote:Also, check my kernel. It's running an ASL kernel, but in the web GUI it says it's disabled?

[root@CGN003 ~]# uname -r
2.6.18-348.el5PAE
That is not an ASL kernel, so you're not running an ASL kernel. Please see this FAQ:

https://www.atomicorp.com/wiki/index.ph ... ASL_kernel
aslus maximus wrote:The access list just has my ip in there and nothing else.
Do you mean for port 30000? The rules look fine, what exactly is your issue I'm not sure I understand.
aslus maximus wrote:I have my custom rules set up now and I think I have most of it figured out. The only problem I have is that I can't create a data connection to the FTP server, even if I allow port 20.
That's because you've added your custom rules after the ASL-Firewall-INPUT rules, which are blocking everything else inbound. And that's because you have told ASL to only allow in specific ports and to block everything else. You will have to add in your custom INPUT rules before the ASL-Firewall-INPUT rules. ASL will also log this; what do you see in the ASL web console when you try to connect to FTP?

Please see this article about the importance of watching the order in which you add rules:

https://www.atomicorp.com/wiki/index.ph ... wall_works
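The ordering problem mikeshinn describes can be checked mechanically. This is an added example, not code from the thread or from ASL: it parses `iptables -L -n` output shaped like the listing posted above (a constructed sample with placeholder addresses) and reports ACCEPT rules in INPUT that sit after the jump to ASL-Firewall-INPUT, a chain that ends in an unconditional DROP and therefore never returns to INPUT.

```python
import re

# Constructed sample shaped like the `iptables -L -n` output posted in this thread.
# Only the INPUT chain and the ASL chain it jumps to are included; addresses are placeholders.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 192.0.2.10 0.0.0.0/0 tcp dpt:30000 state NEW
ASL-Firewall-INPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 192.0.2.10 0.0.0.0/0 tcp dpt:21 state NEW
ACCEPT tcp -- 192.0.2.10 0.0.0.0/0 tcp dpt:20 state NEW
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW

Chain ASL-Firewall-INPUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_INPUT '
DROP all -- 0.0.0.0/0 0.0.0.0/0
"""

def parse_chains(text):
    """Return {chain_name: [rule line, ...]} from `iptables -L -n` text."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif line.startswith("target ") or not line.strip() or current is None:
            continue  # column header, blank separator, or text before the first chain
        else:
            chains[current].append(line)
    return chains

def never_returns(rules):
    """True if the chain ends in an unconditional DROP and has no RETURN rule."""
    if not rules or any(r.split()[0] == "RETURN" for r in rules):
        return False
    last = rules[-1]
    return last.split()[0] == "DROP" and "state" not in last

def shadowed_accepts(chains, jump="ASL-Firewall-INPUT"):
    """ACCEPT rules in INPUT that come after a jump to a chain that never returns."""
    rules = chains.get("INPUT", [])
    idx = next((i for i, r in enumerate(rules) if r.split()[0] == jump), None)
    if idx is None or not never_returns(chains.get(jump, [])):
        return []
    return [r for r in rules[idx + 1:] if r.split()[0] == "ACCEPT"]

def shadowed_ports(chains, jump="ASL-Firewall-INPUT"):
    """Destination ports whose custom ACCEPT rules can never be reached."""
    return [int(m.group(1)) for r in shadowed_accepts(chains, jump)
            for m in [re.search(r"dpt:(\d+)", r)] if m]

if __name__ == "__main__":
    for rule in shadowed_accepts(parse_chains(SAMPLE)):
        print("never reached:", rule)
```

`iptables -L -n` omits the interface column, so run it with -v before reading an `ACCEPT all` rule as a true catch-all.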
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: Server aholed after ASL update?

Unread post by aslus maximus »

This is how I installed that kernel: yum install kernel-PAE-2.6.18-348.el5.i686 because it showed up with yum list | grep kernel.

I'm pretty sure it came from the atomic repo as I only have that and the centos repo.

Yes, I did do the easy mode rules first. I'll do it the other way around. ;) I didn't know that. That's probably why the FTP is cactus. Nothing showed up in the web GUI about the FTP, so I guess it didn't log that. I can connect to it but not establish a transfer.
Last edited by aslus maximus on Fri Mar 22, 2013 6:01 pm, edited 1 time in total.
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: Server aholed after ASL update?

Unread post by aslus maximus »

Sorry the access list just has 86.40.237.233. No port numbers. Do I need to add 30000 in there as well?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Server aholed after ASL update?

Unread post by mikeshinn »

aslus maximus wrote:This is how I installed that kernel: yum install kernel-PAE-2.6.18-348.el5.i686 because it showed up with yum list | grep kernel.
That is not an ASL kernel you installed. Please see this article again, which I have pasted below for your convenience, to tell if you are using an ASL kernel. Aside from the GUI telling you that you are not using the ASL kernel, you can also tell by running this process from the command line. And I can assure you that you are not using an ASL kernel. All ASL kernels have "art" in the kernel name, as explained in the article I previously linked to. Here's the article again:

https://www.atomicorp.com/wiki/index.ph ... ASL_kernel
You can tell if you are running an ASL kernel with this command:

uname -a

If you are running the ASL kernel, you should see a kernel name with "art" in the title, for example:

Linux http://www.example.com 2.6.32.21-3.art.x86_64 #1 SMP Tue Sep 7 16:57:34 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

If you do not see a kernel name with "art" in the title then you are not running the ASL kernel. If you see "art" in the title, then you are running the ASL kernel.


Your kernel's name is:

2.6.18-348.el5PAE

There is no "art" in that kernel's name, so that is not an ASL kernel. Also, we have never put out a kernel that old. So it's not a typo, it's not an ASL kernel.

To install the ASL kernel, if it was not installed by the ASL installer, please follow the process at the URL below:

https://www.atomicorp.com/wiki/index.ph ... ASL_kernel
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Server aholed after ASL update?

Unread post by mikeshinn »

aslus maximus wrote:Sorry the access list just has 86.40.237.233. No port numbers. Do I need to add 30000 in there as well?
No. The tortixd ACL list will automatically figure that out (which is important if tortixd has been moved to a different port).
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: Server aholed after ASL update?

Unread post by aslus maximus »

[root@CGN003 ~]# uname -a
Linux CGN003.local 2.6.18-348.el5PAE #1 SMP Tue Jan 8 18:39:56 EST 2013 i686 i686 i386 GNU/Linux


Well wt? is that kernel then? The newest kernel won't run on my box. So I installed an older one. There was a .art one that worked a few weeks ago, but I can't find it anymore. If I run the latest one it just panics and I have not figured out how to recompile it. :?
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: Server aholed after ASL update?

Unread post by aslus maximus »

I figured out the firewall so that's the main thing. :mrgreen: Also I found some clam scan commands in the wiki a few hours ago but I can't find them anymore. It was a whole bunch of them with nice at the start? Do you know where they are? I'll google it again.

Thanks,
Damon
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: Server aholed after ASL update?

Unread post by breun »

aslus maximus wrote:[root@CGN003 ~]# uname -a
Linux CGN003.local 2.6.18-348.el5PAE #1 SMP Tue Jan 8 18:39:56 EST 2013 i686 i686 i386 GNU/Linux


Well wt? is that kernel then?
It's a stock CentOS 5 kernel with PAE support. And not the most recent version.
Lemonbit Internet Dedicated Server Management
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Server aholed after ASL update?

Unread post by mikeshinn »

aslus maximus wrote:I figured out the firewall so that's the main thing. :mrgreen: Also I found some clam scan commands in the wiki a few hours ago but I can't find them anymore. It was a whole bunch of them with nice at the start? Do you know where they are? I'll google it again.
Here you go:

https://www.atomicorp.com/wiki/index.ph ... malware.3F
aslus maximus wrote:The newest kernel won't run on my box.
Is this a virtual machine or a dedicated box?
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: Server aholed after ASL update?

Unread post by aslus maximus »

Dedicated.

I thought PAE was you guys as well as art. The kernel that worked before had a 27 in it I think. It was the one before the last update 348 or the one before that.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Server aholed after ASL update?

Unread post by mikeshinn »

aslus maximus wrote:I thought PAE was you guys as well as art.
PAE is a type of hack for 32-bit systems to sort of use more than 4GB of memory. You'll see that label on some kernel names if they support PAE. The ASL 32-bit kernels support PAE:

https://www.atomicorp.com/wiki/index.ph ... ASL_kernel

PAE is not an ideal way to access more than 4GB of memory, to say the least. Think of it as a "last resort" workaround if you absolutely cannot use a 64-bit OS. If you want to use more than 4GB of memory, use a 64-bit CPU and OS instead.

https://en.wikipedia.org/wiki/Physical_ ... _Extension