[SOLVED] APF Blocking Active FTP

hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

[SOLVED] APF Blocking Active FTP

Post by hostingguy

Hello,

I'm having a problem with APF blocking active FTP sessions, while passive works fine. Is there some setting that I need to update somewhere to get this working?

Code:

Status:	Connection established, waiting for welcome message...
Response:	220 ProFTPD 1.3.2 Server (ProFTPD) [10.7.31.92]
Command:	USER myusername
Response:	331 Password required for myusername 
Command:	PASS **********
Response:	230 User myusername logged in
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is the current directory
Command:	TYPE I
Response:	200 Type set to I
Command:	PORT 10,11,2,198,13,236
Response:	200 PORT command successful
Command:	LIST
Error:	Connection timed out
Error:	Failed to retrieve directory listing
passive mode

Code:

Status:	Connection established, waiting for welcome message...
Response:	220 ProFTPD 1.3.2 Server (ProFTPD) [10.7.31.92]
Command:	USER myusername 
Response:	331 Password required for myusername 
Command:	PASS ********
Response:	230 User myusername logged in
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is the current directory
Status:	Directory listing successful
Last edited by hostingguy on Sun Apr 12, 2009 12:52 pm, edited 2 times in total.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: APF Blocking Active FTP

Post by mikeshinn

You're probably missing the FTP kernel modules for netfilter. FTP needs session tracking in the firewall or it won't work, and this is a classic sign of that. FTP is a wicked complicated protocol, so without those modules it will break with any firewall.

And for just $19.99 you can buy our book now which covers this! ;-)

(I really have no idea what our book goes for)
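Why the helper module matters, shown as an added example that is not part of this thread: the shell functions below decode the address and port that FTP announces inside the control channel. The `PORT 10,11,2,198,13,236` line in the log above encodes 10.11.2.198 with port 13*256+236 = 3564, and the passive-mode `227` reply uses the same six-number form. A packet filter that only looks at headers never sees this, so without `nf_conntrack_ftp` reading the control channel it cannot mark the data connection as related to the session, and the data connection times out exactly as the `LIST` above does. The function names and the passive-mode sample line are my own.

```sh
#!/bin/sh
# Added example (not from the thread): decode the host/port that FTP
# announces in-band. Function names are hypothetical.

# ftp_hostport "h1,h2,h3,h4,p1,p2" -> "h1.h2.h3.h4:port"
# Both the active-mode PORT command and the passive-mode 227 reply use this
# six-number encoding; the port is p1*256 + p2.
ftp_hostport() {
    nums=$(printf '%s' "$1" | tr -cd '0-9,')   # keep only digits and commas
    set -- $(printf '%s' "$nums" | tr ',' ' ')  # split into six fields
    [ $# -eq 6 ] || return 1
    for n; do [ "$n" -le 255 ] || return 1; done  # every byte must fit
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# ftp_data_channel "<client log line>" -> "active <client ip:port>" or
# "passive <server ip:port>": the endpoint a firewall must learn from the
# control channel to let the data connection through.
ftp_data_channel() {
    case "$1" in
        *"PORT "*)
            args=${1##*PORT }
            hp=$(ftp_hostport "$args") || return 1
            printf 'active %s\n' "$hp" ;;
        *"227 "*)
            args=${1##*\(}
            args=${args%%\)*}
            hp=$(ftp_hostport "$args") || return 1
            printf 'passive %s\n' "$hp" ;;
        *)
            return 1 ;;
    esac
}

# Constructed sample lines, modelled on the client log in the thread
# (the 227 reply is made up; the log above only shows active mode failing).
for line in "Command: PORT 10,11,2,198,13,236" \
            "Response: 227 Entering Passive Mode (10,7,31,92,195,80)"; do
    ftp_data_channel "$line"
done
```

In active mode the server opens the data connection back to the announced client port, so from the firewall's point of view it is a brand-new connection unrelated to the control session; the helper module is what turns it into a RELATED connection that a stateful rule set accepts.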
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: APF Blocking Active FTP

Post by hostingguy

I got it to work by doing

modprobe nf_conntrack_ftp
modprobe nf_nat_ftp

which solves it for now, but do I have to do that every time the server boots? Shouldn't APF load these modules for me, and if it's not, is there a way for me to tell it to do so?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: APF Blocking Active FTP

Post by mikeshinn

Yep, as they say, "now there's yer problem!" I don't know about APF, but yes, on any Linux box if you run a firewall you must load those modules. It's just the way FTP works. You have to track the ports, and that's what those modules do.

And yes, it would be cool if APF loaded them for you, but maybe it's just not that sophisticated. (No ding on APF; what if you're not running FTP on port 21?)

I have a script lying around that autoloads all the netfilter modules, plus we have one in the book, but it's a little dated. I'll see if I can find it and do some testing to make sure it loads the new module formats.
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: APF Blocking Active FTP

Post by hostingguy

That would be appreciated.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: APF Blocking Active FTP

Post by mikeshinn

I added the FTP modules into our module loader (even though we don't have anything to do with it), so that if APF or anything else chooses not to load the right FTP modules, we will. It's a popular enough protocol that we might as well load it. :-)

We should be putting out an update to the forced module load list in a few days once we test it in QA.
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: APF Blocking Active FTP

Post by hostingguy

Thank you sir!
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: APF Blocking Active FTP

Post by mikeshinn

Any other modules, BTW, that you'd like us to force load? I've also added in IPv6 and all its modules, Netbios and FUSE.
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Re: APF Blocking Active FTP

Post by Highland

mikeshinn wrote:And for just $19.99 you can buy our book now which covers this! ;-)

(I really have no idea what our book goes for)
According to Amazon $33.00 ;)

Sadly, the modprobe commands don't work with ASL

Code:

# modprobe nf_conntrack_ftp
FATAL: Error inserting nf_conntrack_ftp (/lib/modules/2.6.27.7-9.art.i686/kernel/net/netfilter/nf_conntrack_ftp.ko): Operation not permitted
"Its not a mac. I run linux... I'm actually cool." - scott
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: APF Blocking Active FTP

Post by scott

Oh, they work all right, just not after S99 when it gets locked down. You've got to set those to run before S99 and reboot.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: APF Blocking Active FTP

Post by mikeshinn

Right, ASL protects your kernel from kernel-level rootkits, which means that after S99 runs during init your kernel can no longer be modified. So yes, you can load modules in ASL; you just have to do it before S99, when ASL tells your kernel to protect itself. 64-bit Windows, for example, does the same thing: you can't modify the kernel after init, to prevent rootkits.
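One way to make the helper modules load at every boot on a system that locks module loading at S99, shown as an added example rather than anything shipped by ASL or APF: a small SysV init script with a `chkconfig` start priority of 40, which scott's reply recalls as the standard, so it runs before S99. The script name `ftp-conntrack`, the priority and the function names are assumptions of mine. It reads `/proc/modules` to skip modules that are already resident, and it reports a failure instead of silently continuing when `modprobe` is refused, which is the symptom of running after the lockdown.

```sh
#!/bin/sh
# ftp-conntrack: load the netfilter FTP helper modules early in the boot
# sequence, before the S99 step locks module loading.
# Added example, not part of ASL or APF; name, priority and function names
# are assumptions.
#
# chkconfig: 2345 40 60
# description: loads nf_conntrack_ftp and nf_nat_ftp before the kernel is locked

# The two modules the thread identified as required for active FTP.
FTP_MODULES="nf_conntrack_ftp nf_nat_ftp"

# module_is_loaded NAME [MODULES_FILE]
# /proc/modules lists one module per line with the name in the first column;
# an explicit file lets you check a saved copy instead of the live kernel.
# Matching only column 1 avoids false positives from the "used by" column.
module_is_loaded() {
    f=${2:-/proc/modules}
    [ -r "$f" ] || return 1
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$f"
}

# load_ftp_helpers: modprobe each module that is not loaded yet. Returns
# non-zero if any module could not be loaded, e.g. because the script was
# ordered after the lockdown step.
load_ftp_helpers() {
    rc=0
    for m in $FTP_MODULES; do
        if module_is_loaded "$m"; then
            echo "$m: already loaded"
        elif modprobe "$m"; then
            echo "$m: loaded"
        else
            echo "$m: modprobe refused (is module loading already locked?)" >&2
            rc=1
        fi
    done
    return $rc
}

# status_ftp_helpers: report which helper modules are resident.
status_ftp_helpers() {
    rc=0
    for m in $FTP_MODULES; do
        if module_is_loaded "$m"; then
            echo "$m: loaded"
        else
            echo "$m: missing"
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    start)  load_ftp_helpers ;;
    status) status_ftp_helpers ;;
    stop)   ;;   # the helpers stay resident; nothing to undo
    *)      echo "usage: $0 {start|stop|status}" >&2 ;;
esac
```

Install it as /etc/init.d/ftp-conntrack, make it executable and run `chkconfig --add ftp-conntrack`; `service ftp-conntrack status` then shows whether both helpers are resident. If `start` reports a refused modprobe, the script is ordered after the lockdown and its start priority needs to be below 99.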
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: APF Blocking Active FTP

Post by hostingguy

mikeshinn wrote:Any other modules, BTW, that you like us to force load? I've also added in IPv6 and all its modules, Netbios and FUSE.
This would be nice :)

Code:

Apr 10 08:28:44 server modprobe: FATAL: Error inserting cifs (/lib/modules/2.6.27.7-9.art.x86_64/kernel/fs/cifs/cifs.ko): Operation not permitted
But back on topic: if I set APF not to run in monolithic mode and turn off kmod loading, then I see this in messages

Code:

Apr 10 08:27:09 ehost-services201 kernel: grsec: From 10.11.252.17: denied modification of module state by /sbin/modprobe[modprobe:5096] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.d/init.d/iptables[iptables:5057] uid/euid:0/0 gid/egid:0/0
Apr 10 08:28:44 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:5537] uid/euid:0/0 gid/egid:0/0, parent /[khelper:5536] uid/euid:0/0 gid/egid:0/0
So APF can't start. However, if I run it in monolithic mode and then try to start APF, I see this

Code:

Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting xt_TCPMSS (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_TCPMSS.ko): Operation not permitted
Apr 10 08:31:24 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:6624] uid/euid:0/0 gid/egid:0/0, parent /[khelper:6623] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:24 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:6631] uid/euid:0/0 gid/egid:0/0, parent /[khelper:6630] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:24 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:6641] uid/euid:0/0 gid/egid:0/0, parent /[khelper:6640] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:24 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:6648] uid/euid:0/0 gid/egid:0/0, parent /[khelper:6647] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:25 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:25 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:28 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:35 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:7567] uid/euid:0/0 gid/egid:0/0, parent /[khelper:7566] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:35 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:35 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:7572] uid/euid:0/0 gid/egid:0/0, parent /[khelper:7571] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:35 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:35 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:7575] uid/euid:0/0 gid/egid:0/0, parent /[khelper:7574] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:35 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:35 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:7580] uid/euid:0/0 gid/egid:0/0, parent /[khelper:7579] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:35 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:35 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:7583] uid/euid:0/0 gid/egid:0/0, parent /[khelper:7582] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:35 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:35 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:45 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:8320] uid/euid:0/0 gid/egid:0/0, parent /[khelper:8319] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:45 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:45 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:8323] uid/euid:0/0 gid/egid:0/0, parent /[khelper:8322] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:45 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:45 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:45 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:8328] uid/euid:0/0 gid/egid:0/0, parent /[khelper:8327] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:45 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:8331] uid/euid:0/0 gid/egid:0/0, parent /[khelper:8330] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:45 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:45 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:8336] uid/euid:0/0 gid/egid:0/0, parent /[khelper:8335] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:45 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:45 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:45 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:55 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:9099] uid/euid:0/0 gid/egid:0/0, parent /[khelper:9098] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:55 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:57 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:57 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:9267] uid/euid:0/0 gid/egid:0/0, parent /[khelper:9266] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:57 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:57 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:9271] uid/euid:0/0 gid/egid:0/0, parent /[khelper:9270] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:57 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:9275] uid/euid:0/0 gid/egid:0/0, parent /[khelper:9274] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:57 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:57 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:9279] uid/euid:0/0 gid/egid:0/0, parent /[khelper:9278] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:57 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:57 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:03 ehost-services201 modprobe: FATAL: Error inserting ipt_LOG (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/ipt_LOG.ko): Operation not permitted
Apr 10 08:32:03 ehost-services201 modprobe: FATAL: Error inserting ipt_LOG (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/ipt_LOG.ko): Operation not permitted
Apr 10 08:32:08 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:10661] uid/euid:0/0 gid/egid:0/0, parent /[khelper:10660] uid/euid:0/0 gid/egid:0/0
Apr 10 08:32:08 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:08 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:10671] uid/euid:0/0 gid/egid:0/0, parent /[khelper:10670] uid/euid:0/0 gid/egid:0/0
Apr 10 08:32:08 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:08 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:10681] uid/euid:0/0 gid/egid:0/0, parent /[khelper:10680] uid/euid:0/0 gid/egid:0/0
Apr 10 08:32:08 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:08 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:10691] uid/euid:0/0 gid/egid:0/0, parent /[khelper:10690] uid/euid:0/0 gid/egid:0/0
Apr 10 08:32:08 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:08 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:08 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:10701] uid/euid:0/0 gid/egid:0/0, parent /[khelper:10700] uid/euid:0/0 gid/egid:0/0
Apr 10 08:32:09 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:09 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:09 ehost-services201 modprobe: FATAL: Error inserting xt_multiport (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_multiport.ko): Operation not permitted
Apr 10 08:32:10 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:10 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted

So ideally it would be great if all of those needed firewall modules are auto-loaded.
I know it's because the kmod loading is off and I attempted to do this after boot; I just wanted to see which modules they were.
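To turn a log like the one above into the list of modules that need force-loading before the lockdown, here is an added example (not from the thread; the helper names are my own) that pulls the module names out of the `FATAL: Error inserting` lines and counts the matching `grsec: denied modification of module state` events. The sample log is constructed from the /var/log/messages lines above.

```sh
#!/bin/sh
# Added example: summarise which kernel modules a locked-down kernel refused.
# Function names are hypothetical; the sample log is constructed from the
# /var/log/messages excerpt in the thread.

# denied_modules LOGFILE: unique module names from "FATAL: Error inserting
# <name> (<path>)" lines, one per line, sorted bytewise for stable output.
denied_modules() {
    sed -n 's/.*modprobe: FATAL: Error inserting \([^ ]*\) (.*/\1/p' "$1" \
        | LC_ALL=C sort -u
}

# denial_count LOGFILE: number of times grsecurity refused a module-state
# change, the kernel-side view of the same failures (0 when none).
denial_count() {
    grep -c 'grsec: denied modification of module state' "$1" || true
}

# lockdown_summary LOGFILE: "<module> <attempts>" per module, so a module
# that fails repeatedly (the firewall retrying) stands out from a one-off.
lockdown_summary() {
    sed -n 's/.*modprobe: FATAL: Error inserting \([^ ]*\) (.*/\1/p' "$1" \
        | LC_ALL=C sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample, a subset of the lines posted above.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr 10 08:28:44 server modprobe: FATAL: Error inserting cifs (/lib/modules/2.6.27.7-9.art.x86_64/kernel/fs/cifs/cifs.ko): Operation not permitted
Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting xt_TCPMSS (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_TCPMSS.ko): Operation not permitted
Apr 10 08:31:24 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:6624] uid/euid:0/0 gid/egid:0/0, parent /[khelper:6623] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:28 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:35 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:7567] uid/euid:0/0 gid/egid:0/0, parent /[khelper:7566] uid/euid:0/0 gid/egid:0/0
Apr 10 08:32:03 ehost-services201 modprobe: FATAL: Error inserting ipt_LOG (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/ipt_LOG.ko): Operation not permitted
Apr 10 08:32:09 ehost-services201 modprobe: FATAL: Error inserting xt_multiport (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_multiport.ko): Operation not permitted
EOF

echo "modules refused by the kernel:"
denied_modules "$SAMPLE_LOG"
echo "grsec denials: $(denial_count "$SAMPLE_LOG")"
echo "attempts per module:"
lockdown_summary "$SAMPLE_LOG"
```

Run against the real /var/log/messages, the `denied_modules` output is the list to hand to whatever loads modules before S99; the `cifs` entry in the sample is the one that came from a manual mount rather than from the firewall, so it is worth keeping the summary and the timestamps side by side before adding everything to a force-load list.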
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: APF Blocking Active FTP

Post by scott

That sounds like it's running after S99 on boot-up; are you loading it out of rc.local or something? The standard is to load as S40, as I recall.
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: APF Blocking Active FTP

Post by hostingguy

The cifs one, yes: I am running it on the command line trying to mount a folder. As far as APF goes, it's using the installation from your repo; I didn't do anything except modify the config file.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: APF Blocking Active FTP

Post by mikeshinn

hostingguy wrote:So ideally it would be great if all of those firewall modules needed are auto loaded
Done. All those added, and lots more. Will be in the next ASL update.