blocklist shows local???

DarkF@der · Unread post by **DarkF@der** » Sun Oct 05, 2014 8:45 am

Hello,

Local get blocked?

Time Source Country Rule Event Options
00:59:08 87.195.107.73 nl 4151 view -++
00:57:40 146.0.79.23 nl 330131 view -++
00:26:52 87.195.107.73 nl 4151 view -++
17:35:50 (local) ?? 4151 view

I can't unblock the local.....

and yes i have read https://www.atomicorp.com/wiki/index.ph ... P_SERVICES
And yes i have:

FW_INBOUND_UDP_SERVICES: 53,67,68,123

and still get blocks:

Code: Select all

DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:26:f2:98:2a:16:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=282 TOS=0x00 PREC=0x00 TTL=64 ID=10218 PROTO=UDP SPT=68 DPT=67 LEN=262 Oct 3 17:35:32 server06 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:26:f2:98:2a:16:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=282 TOS=0x00 PREC=0x00 TTL=64 ID=10217 PROTO=UDP SPT=68 DPT=67 LEN=262 Oct 3 17:35:27 server06 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:26:f2:98:2a:16:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=282 TOS=0x00 PREC=0x00 TTL=64 ID=10216 PROTO=UDP SPT=68 DPT=67 LEN=262 Oct 3 17:34:49 server06 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:26:f2:98:2a:16:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=282 TOS=0x00 PREC=0x00 TTL=64 ID=10215 PROTO=UDP SPT=68 DPT=67 LEN=262 Oct 3 17:34:45 server06 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:29:b2:11:d3:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=22490 PROTO=UDP SPT=68 DPT=67 LEN=308 Oct 3 17:34:32 server06 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:26:f2:98:2a:16:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=282 TOS=0x00 PREC=0x00 TTL=64 ID=10214 PROTO=UDP SPT=68 DPT=67 LEN=262 Oct 3 17:34:28 server06 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:29:b2:11:d3:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=22489 PROTO=UDP SPT=68 DPT=67 LEN=308 Oct 3 17:34:24 server06 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:26:f2:98:2a:16:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=282 TOS=0x00 PREC=0x00 TTL=64 ID=10213 PROTO=UDP SPT=68 DPT=67 LEN=262 Oct 3 17:34:20 server06 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:29:b2:11:d3:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=22487 PROTO=UDP SPT=68 DPT=67 LEN=308 Oct 3 17:34:19 server06 kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:26:f2:98:2a:16:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=282 TOS=0x00 PREC=0x00 TTL=64 ID=10212 PROTO=UDP SPT=68 DPT=67 LEN=262

How to get local unblocked?

See tread https://www.atomicorp.com/forum/viewtop ... f=3&t=7793

This affects all new installed machines i really like a good solution for this.
All these machines are updated and running.

Code: Select all

Atomic Secured Linux, version 4.0.6-17.el6.art: CentOS 6 (SUPPORTED)
Copyright Atomicorp 2005-2014
All Rights Reserved.

Extended Version Information:

        ASL_VERSION                   4.0.6-16
        APPINV_VERSION                201402101531
        CLAMAV_VERSION                201410041734
        GEOMAP_VERSION                201410041635
        GRSEC_VERSION                 0
        KERNEL_VERSION                0
        MODSEC_VERSION                201410041734
        OSSEC_VERSION                 201410041719
        WAF_DELAYED_VERSION           0

Greetz

Unread post by **mikeshinn** » Sun Oct 05, 2014 3:17 pm

Can you post the output of:

iptables -L -n

If not, if you could let support have access we'd like to see the firewall rules, and we can also log into the system and get this information.

DarkF@der · Unread post by **DarkF@der** » Sun Oct 05, 2014 4:02 pm

Code: Select all

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ASL-ACTIVE-RESPONSE  all  --  146.0.74.208         0.0.0.0/0
ASL-ACTIVE-RESPONSE  all  --  87.195.107.116       0.0.0.0/0
ASL-WHITELIST  all  --  0.0.0.0/0            0.0.0.0/0
ASL-BLACKLIST  all  --  0.0.0.0/0            0.0.0.0/0
ASL-GEO-BLACKLIST  all  --  0.0.0.0/0            0.0.0.0/0
ASL-ACTIVE-RESPONSE  all  --  87.195.107.73        0.0.0.0/0           /* 1412377148.4742 */
ASL-ACTIVE-RESPONSE  all  --  146.0.79.23          0.0.0.0/0           /* 1412377060.3590 */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ASL-ACTIVE-RESPONSE  all  --  87.195.107.73        0.0.0.0/0
ASL-ACTIVE-RESPONSE  all  --  146.0.79.23          0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 state NEW
ASL-TORTIXD-ACL  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 state NEW
ASL-Firewall-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ASL-ACTIVE-RESPONSE  all  --  146.0.74.208         0.0.0.0/0
ASL-ACTIVE-RESPONSE  all  --  87.195.107.116       0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ASL-BLACKLIST  all  --  0.0.0.0/0            0.0.0.0/0
ASL-GEO-BLACKLIST  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ASL-PLESK-UPDATES  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5224 state NEW
ASL-UPDATES  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW
ASL-UPDATES  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW
ASL-SPAMASSASSIN-UPDATES  all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-ACTIVE-RESPONSE (8 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_AR_DROP '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-BLACKLIST (2 references)
target     prot opt source               destination
ASL-BLACKLIST-DROP-LOG  all  --  0.0.0.0/0            0.0.0.0/0           match-set ASL-BLACKLIST src

Chain ASL-BLACKLIST-DROP-LOG (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_BLACKLIST_BLOCK '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-Firewall-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:106
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:990
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5432
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6308
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8447
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8880
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9080
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:67
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:68
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_INPUT '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-GEO-BLACKLIST (2 references)
target     prot opt source               destination
ASL-GEO-BLACKLIST-LOG  all  --  0.0.0.0/0            0.0.0.0/0           match-set ASL-GEO-BLACKLIST src

Chain ASL-GEO-BLACKLIST-LOG (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_GEO_BLOCK '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-PLESK-UPDATES (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            77.245.23.80        tcp dpt:5224 state NEW

Chain ASL-SPAMASSASSIN-UPDATES (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:24441 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:24441 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2703 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:6277 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:6277 state NEW

Chain ASL-TORTIXD-ACL (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 state NEW
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_TORTIX '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-UPDATES (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            80.82.124.228       tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            80.82.124.228       tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            173.203.184.213     tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            173.203.184.213     tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.172.195      tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.172.195      tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.112.216      tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.112.216      tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.173.236      tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.173.236      tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            198.71.51.132       tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            198.71.51.132       tcp dpt:443 state NEW

Chain ASL-WHITELIST (1 references)
target     prot opt source               destination
ASL-WHITELIST-LOG  all  --  87.195.xxx.xxx       0.0.0.0/0
ASL-WHITELIST-LOG  all  --  83.163.xxx.xxx       0.0.0.0/0
ASL-WHITELIST-LOG  all  --  212.45.45.45         0.0.0.0/0
ASL-WHITELIST-LOG  all  --  212.45.32.3          0.0.0.0/0
ASL-WHITELIST-LOG  all  --  127.0.0.1            0.0.0.0/0

Chain ASL-WHITELIST-LOG (5 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Unread post by **mikeshinn** » Sun Oct 05, 2014 4:24 pm

The rules appear correct, would it be possible for us to log in and see whats happening on the system?

DarkF@der · Unread post by **DarkF@der** » Mon Oct 06, 2014 9:49 am

To fixed this issue je need asl -ub 0.0.0.0 and the machine needs to reboot to aply it.
service asl-firewall restart is not enough. But we don't like reboots

Unread post by **mikeshinn** » Mon Oct 06, 2014 1:24 pm

To fixed this issue je need asl -ub 0.0.0.0 and the machine needs to reboot to aply it.
service asl-firewall restart is not enough. But we don't like reboots

OK, so that tells me something else is wrong with the system. That wont actually do anything about your firewall policy, plus 0.0.0.0 cant be shunned. I dont see any shun logs in your post though, so thats not being shunned, your firewall policy is blocking the inbound port.

Atomicorp

blocklist shows local???

blocklist shows local???

Re: blocklist shows local???

Re: blocklist shows local???

Re: blocklist shows local???

Re: blocklist shows local???

Re: blocklist shows local???