[SOLVED] APF Blocking Active FTP
Posted: Thu Apr 09, 2009 1:06 pm
by hostingguy
Hello,
I'm having a problem with APF blocking Active FTP sessions, while passive works fine. Is there some setting that I need to update somewhere to get this working?
Code:
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.2 Server (ProFTPD) [10.7.31.92]
Command: USER myusername
Response: 331 Password required for myusername
Command: PASS **********
Response: 230 User myusername logged in
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PORT 10,11,2,198,13,236
Response: 200 PORT command successful
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing
Passive mode:
Code:
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.2 Server (ProFTPD) [10.7.31.92]
Command: USER myusername
Response: 331 Password required for myusername
Command: PASS ********
Response: 230 User myusername logged in
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Status: Directory listing successful
Re: APF Blocking Active FTP
Posted: Thu Apr 09, 2009 6:43 pm
by mikeshinn
You're probably missing the FTP kernel modules for netfilter. FTP needs session tracking in the firewall or it won't work, and this is a classic sign of that. FTP is a wicked complicated protocol, so without those modules it will break with any firewall.
And for just $19.99 you can buy our book now which covers this!
(I really have no idea what our book goes for)
Re: APF Blocking Active FTP
Posted: Thu Apr 09, 2009 6:45 pm
by hostingguy
I got it to work by doing
Code:
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
which solves it for now, but do I have to do that every time the server boots? Shouldn't APF load these modules for me, and if it's not, is there a way for me to tell it to do so?
Re: APF Blocking Active FTP
Posted: Thu Apr 09, 2009 6:51 pm
by mikeshinn
Yep, as they say, "now there's yer problem!" I don't know about APF, but yes, on any Linux box if you run a firewall you must load those modules. It's just the way FTP works. You have to track the ports and that's what those modules do.
And yes, it would be cool if APF loaded them for you, but maybe it's just not that sophisticated. (No ding on APF; what if you're not running FTP on port 21?)
I have a script laying around that autoloads all the netfilter modules, plus we have one in the book, but it's a little dated. I'll see if I can find it and do some testing to make sure it loads the new module formats.
Re: APF Blocking Active FTP
Posted: Thu Apr 09, 2009 7:52 pm
by hostingguy
That would be appreciated.
Re: APF Blocking Active FTP
Posted: Thu Apr 09, 2009 10:20 pm
by mikeshinn
I added the FTP modules into our module loader (even though we don't have anything to do with it), so that if APF or anything else chooses not to load the right FTP modules, we will. It's a popular enough protocol that we might as well load it.
We should be putting out an update to the forced module load list in a few days once we test it in QA.
Re: APF Blocking Active FTP
Posted: Thu Apr 09, 2009 10:57 pm
by hostingguy
Thank you sir!
Re: APF Blocking Active FTP
Posted: Thu Apr 09, 2009 11:07 pm
by mikeshinn
Any other modules, BTW, that you'd like us to force load? I've also added in IPv6 and all its modules, Netbios and FUSE.
Re: APF Blocking Active FTP
Posted: Fri Apr 10, 2009 8:36 am
by Highland
mikeshinn wrote: And for just $19.99 you can buy our book now which covers this!
(I really have no idea what our book goes for)
According to Amazon, $33.00.
Sadly, the modprobe commands don't work with ASL:
Code:
# modprobe nf_conntrack_ftp
FATAL: Error inserting nf_conntrack_ftp (/lib/modules/2.6.27.7-9.art.i686/kernel/net/netfilter/nf_conntrack_ftp.ko): Operation not permitted
Re: APF Blocking Active FTP
Posted: Fri Apr 10, 2009 9:45 am
by scott
Oh, they work all right, just not after S99 when it gets locked down. You've got to set those to run before S99 and reboot.
Re: APF Blocking Active FTP
Posted: Fri Apr 10, 2009 10:40 am
by mikeshinn
Right, ASL protects your kernel from kernel-level rootkits, which means after S99 runs during init your kernel can no longer be modified. So yes, you can load modules in ASL, you just have to do it before S99, when ASL tells your kernel to protect itself. Windows 64-bit, for example, does the same thing: you can't modify the kernel after init, to prevent rootkits.
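A way to make the fix persistent across reboots, and to load the helpers while the kernel still accepts modules, as an added example (this is my script, not the thread's, not ASL's module loader and not APF's). It assumes a RHEL/CentOS-style init where rc.sysinit runs every executable /etc/sysconfig/modules/*.modules file before the runlevel scripts (so before anything at S99); the file name ftp-helpers.modules is my choice. The module-presence check is plain text processing over /proc/modules-style input so it can be exercised without touching a kernel.

```shell
#!/bin/sh
# Added example, not from the thread or ASL: persist the FTP conntrack/NAT
# helper modules across reboots by loading them early in boot.
# Assumption: a RHEL/CentOS-style init where rc.sysinit executes every
# executable /etc/sysconfig/modules/*.modules file before the runlevel
# (rcN.d, S40/S99...) scripts run. Install as
# /etc/sysconfig/modules/ftp-helpers.modules and chmod +x it.
# The file name is my choice, not something from the thread.

REQUIRED_MODULES="nf_conntrack_ftp nf_nat_ftp"

# missing_modules LOADED WANTED
#   LOADED is /proc/modules-style text (module name is the first field),
#   WANTED is a space-separated list. Prints the WANTED modules that are
#   not present in LOADED, space separated, on one line.
missing_modules() {
    loaded="$1"
    out=""
    for m in $2; do
        # Anchor on "name " so nf_conntrack does not satisfy nf_conntrack_ftp.
        if ! printf '%s\n' "$loaded" | grep -q "^$m "; then
            out="$out $m"
        fi
    done
    printf '%s\n' "${out# }"
}

# load_missing: modprobe each required module that is not yet loaded.
# Returns 1 and names the failures if the kernel refuses, which is the
# "Operation not permitted" seen in this thread after the S99 lockdown.
load_missing() {
    failed=""
    for m in $(missing_modules "$(cat /proc/modules 2>/dev/null)" "$REQUIRED_MODULES"); do
        modprobe "$m" 2>/dev/null || failed="$failed $m"
    done
    if [ -n "$failed" ]; then
        echo "ftp-helpers: could not load:$failed (kernel already locked down?)" >&2
        return 1
    fi
    return 0
}

# Only touch the kernel when run as the installed boot hook, so the
# functions can be sourced and exercised without side effects.
case "$0" in
    */ftp-helpers.modules) load_missing ;;
esac
```

After a reboot, `lsmod | grep ftp` should show both helpers, and running the file by hand after S99 reproduces the "Operation not permitted" failure Highland posted, which is a quick way to confirm the lockdown is in effect. One caveat for anyone reading this on a newer kernel: automatic helper assignment is off by default since Linux 4.7 (and gone in 6.0), so loading nf_conntrack_ftp alone is no longer enough; the control connection also has to be tagged with the helper explicitly in the raw table (`iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`) before a RELATED rule will admit the data connection.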
Re: APF Blocking Active FTP
Posted: Fri Apr 10, 2009 1:38 pm
by hostingguy
mikeshinn wrote: Any other modules, BTW, that you like us to force load? I've also added in IPv6 and all its modules, Netbios and FUSE.
This would be nice:
Code:
Apr 10 08:28:44 server modprobe: FATAL: Error inserting cifs (/lib/modules/2.6.27.7-9.art.x86_64/kernel/fs/cifs/cifs.ko): Operation not permitted
But back on topic: if I set APF to not run in monolithic mode, and turn off kmod loading, then I see this in messages:
Code:
Apr 10 08:27:09 ehost-services201 kernel: grsec: From 10.11.252.17: denied modification of module state by /sbin/modprobe[modprobe:5096] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.d/init.d/iptables[iptables:5057] uid/euid:0/0 gid/egid:0/0
Apr 10 08:28:44 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:5537] uid/euid:0/0 gid/egid:0/0, parent /[khelper:5536] uid/euid:0/0 gid/egid:0/0
So apf can't start. However, if I run it in monolithic mode and then try to start apf, I see this:
Code:
Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting xt_TCPMSS (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_TCPMSS.ko): Operation not permitted
Apr 10 08:31:24 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:6624] uid/euid:0/0 gid/egid:0/0, parent /[khelper:6623] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:24 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:6631] uid/euid:0/0 gid/egid:0/0, parent /[khelper:6630] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:24 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:6641] uid/euid:0/0 gid/egid:0/0, parent /[khelper:6640] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:24 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:6648] uid/euid:0/0 gid/egid:0/0, parent /[khelper:6647] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:25 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:25 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:28 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:35 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:7567] uid/euid:0/0 gid/egid:0/0, parent /[khelper:7566] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:35 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:35 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:7572] uid/euid:0/0 gid/egid:0/0, parent /[khelper:7571] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:35 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:35 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:7575] uid/euid:0/0 gid/egid:0/0, parent /[khelper:7574] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:35 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:35 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:7580] uid/euid:0/0 gid/egid:0/0, parent /[khelper:7579] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:35 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:35 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:7583] uid/euid:0/0 gid/egid:0/0, parent /[khelper:7582] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:35 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:35 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:45 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:8320] uid/euid:0/0 gid/egid:0/0, parent /[khelper:8319] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:45 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:45 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:8323] uid/euid:0/0 gid/egid:0/0, parent /[khelper:8322] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:45 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:45 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:45 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:8328] uid/euid:0/0 gid/egid:0/0, parent /[khelper:8327] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:45 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:8331] uid/euid:0/0 gid/egid:0/0, parent /[khelper:8330] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:45 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:45 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:8336] uid/euid:0/0 gid/egid:0/0, parent /[khelper:8335] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:45 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:45 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:45 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:55 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:9099] uid/euid:0/0 gid/egid:0/0, parent /[khelper:9098] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:55 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:57 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:57 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:9267] uid/euid:0/0 gid/egid:0/0, parent /[khelper:9266] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:57 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:57 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:9271] uid/euid:0/0 gid/egid:0/0, parent /[khelper:9270] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:57 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:9275] uid/euid:0/0 gid/egid:0/0, parent /[khelper:9274] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:57 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:57 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:9279] uid/euid:0/0 gid/egid:0/0, parent /[khelper:9278] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:57 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:31:57 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:03 ehost-services201 modprobe: FATAL: Error inserting ipt_LOG (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/ipt_LOG.ko): Operation not permitted
Apr 10 08:32:03 ehost-services201 modprobe: FATAL: Error inserting ipt_LOG (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/ipt_LOG.ko): Operation not permitted
Apr 10 08:32:08 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:10661] uid/euid:0/0 gid/egid:0/0, parent /[khelper:10660] uid/euid:0/0 gid/egid:0/0
Apr 10 08:32:08 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:08 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:10671] uid/euid:0/0 gid/egid:0/0, parent /[khelper:10670] uid/euid:0/0 gid/egid:0/0
Apr 10 08:32:08 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:08 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:10681] uid/euid:0/0 gid/egid:0/0, parent /[khelper:10680] uid/euid:0/0 gid/egid:0/0
Apr 10 08:32:08 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:08 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:10691] uid/euid:0/0 gid/egid:0/0, parent /[khelper:10690] uid/euid:0/0 gid/egid:0/0
Apr 10 08:32:08 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:08 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:08 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:10701] uid/euid:0/0 gid/egid:0/0, parent /[khelper:10700] uid/euid:0/0 gid/egid:0/0
Apr 10 08:32:09 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:09 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:09 ehost-services201 modprobe: FATAL: Error inserting xt_multiport (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_multiport.ko): Operation not permitted
Apr 10 08:32:10 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:10 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
So ideally it would be great if all of those needed firewall modules were auto-loaded.
I know it's because the kmod loading is off and I attempted to do this after boot; I just wanted to see which modules they were.
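To get the list of needed modules out of a log like the one above without reading it by hand, here is an added POSIX shell triage script (mine, not part of the thread, not an ASL or APF tool). It reports which modules modprobe could not insert and which parent process triggered each grsec denial: a non-zero count for the iptables init script means the firewall itself ran after the lockdown, while khelper means the kernel tried to auto-load a module on demand. SAMPLE_LOG is a trimmed copy of the lines posted in this thread; on a real box you would feed it `$(cat /var/log/messages)` instead.

```shell
#!/bin/sh
# Added example, not from the thread: triage /var/log/messages for the
# "Operation not permitted" module failures shown in this thread, so you
# can see which netfilter modules APF needs and which process asked for
# them (the iptables init script vs. a kernel khelper auto-load request).
# Usage on a real box:  report "$(cat /var/log/messages)"
# SAMPLE_LOG is a trimmed copy of the lines posted in this thread.

SAMPLE_LOG=$(cat <<'EOF'
Apr 10 08:28:44 server modprobe: FATAL: Error inserting cifs (/lib/modules/2.6.27.7-9.art.x86_64/kernel/fs/cifs/cifs.ko): Operation not permitted
Apr 10 08:27:09 ehost-services201 kernel: grsec: From 10.11.252.17: denied modification of module state by /sbin/modprobe[modprobe:5096] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.d/init.d/iptables[iptables:5057] uid/euid:0/0 gid/egid:0/0
Apr 10 08:28:44 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:5537] uid/euid:0/0 gid/egid:0/0, parent /[khelper:5536] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting xt_TCPMSS (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_TCPMSS.ko): Operation not permitted
Apr 10 08:31:24 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:6624] uid/euid:0/0 gid/egid:0/0, parent /[khelper:6623] uid/euid:0/0 gid/egid:0/0
Apr 10 08:31:24 ehost-services201 modprobe: FATAL: Error inserting iptable_mangle (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko): Operation not permitted
Apr 10 08:31:28 ehost-services201 modprobe: FATAL: Error inserting xt_limit (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/netfilter/xt_limit.ko): Operation not permitted
Apr 10 08:32:03 ehost-services201 modprobe: FATAL: Error inserting ipt_LOG (/lib/modules/2.6.27.7-9.art.x86_64/kernel/net/ipv4/netfilter/ipt_LOG.ko): Operation not permitted
Apr 10 08:32:08 ehost-services201 kernel: grsec: denied modification of module state by /sbin/modprobe[modprobe:10661] uid/euid:0/0 gid/egid:0/0, parent /[khelper:10660] uid/euid:0/0 gid/egid:0/0
EOF
)

# failed_modules LOG: module names modprobe could not insert, one per line,
# deduplicated and sorted bytewise (LC_ALL=C keeps the order predictable).
failed_modules() {
    printf '%s\n' "$1" \
        | sed -n 's/.*FATAL: Error inserting \([A-Za-z0-9_]*\) (.*/\1/p' \
        | LC_ALL=C sort -u
}

# denial_count LOG COMM: number of grsec module-state denials whose parent
# process command name is COMM (e.g. iptables or khelper). Prints 0 and
# exits non-zero when there are none, as grep -c does.
denial_count() {
    printf '%s\n' "$1" \
        | grep -c "denied modification of module state by .*parent [^[]*\[$2:"
}

# report LOG: the module list plus who asked for them. Modules named here
# are the ones to load before S99 (or to have APF's kmod loading handle).
report() {
    echo "modules refused by the kernel:"
    failed_modules "$1" | sed 's/^/  /'
    echo "denials triggered by the iptables init script: $(denial_count "$1" iptables)"
    echo "denials triggered by kernel auto-load (khelper): $(denial_count "$1" khelper)"
}

report "$SAMPLE_LOG"
```

On the sample this lists cifs, ipt_LOG, iptable_mangle, xt_TCPMSS and xt_limit, with one denial from the iptables script and three from khelper. The cifs entry is a reminder that the same lockdown bites anything that loads a module late, not just the firewall, which is why hostingguy's mount attempt failed the same way.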
Re: APF Blocking Active FTP
Posted: Fri Apr 10, 2009 5:08 pm
by scott
That sounds like it's running after S99 on bootup. Are you loading it out of rc.local or something? The standard is to load as S40, as I recall.
Re: APF Blocking Active FTP
Posted: Fri Apr 10, 2009 5:26 pm
by hostingguy
The cifs one, yes, I am running on the command line trying to mount a folder. As far as APF goes, it's using the installation from your repo; I didn't do anything except modify the config file.
Re: APF Blocking Active FTP
Posted: Fri Apr 10, 2009 10:32 pm
by mikeshinn
hostingguy wrote: So ideally it would be great if all of those needed firewall modules were auto-loaded.
Done. All those added, and lots more. Will be in the next ASL update.