Linode Forum
Linode Community Forums
 FAQFAQ    SearchSearch    MembersMembers      Register Register 
 LoginLogin [ Anonymous ] 
Post new topic  Reply to topic
Author Message
PostPosted: Sat Oct 05, 2013 3:38 pm 
Offline
Sysop

Joined: Sat Nov 27, 2010 3:32 am
Posts: 180
Website: https://blog.timheckman.net/
Location: San Francisco, CA
What exactly are you trying to do? What commands are you running?

Can you pastebin the full contents of your firewall configuration? This command will print it in the terminal for you, and it must be ran as root:

Code:
iptables-save


My current theory is that you are trying to run a program that is trying to BIND to port 22. Except, port 22 is a privileged port and only things running as root can do so:

- http://en.wikipedia.org/wiki/Privilege_(computing)#Unix

-Tim

_________________
'If debugging is the process of removing bugs, then programming must be the process of putting them in.' //Edsger Dijkstra
'Nothing is withheld from us which we have conceived to do.' | 'Do things that have never been done.' //Russell Kirsch


Top
   
PostPosted: Sat Oct 05, 2013 4:06 pm 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
theckman wrote:
What exactly are you trying to do? What commands are you running?

Can you pastebin the full contents of your firewall configuration? This command will print it in the terminal for you, and it must be ran as root:

Code:
iptables-save


My current theory is that you are trying to run a program that is trying to BIND to port 22. Except, port 22 is a privileged port and only things running as root can do so:

- http://en.wikipedia.org/wiki/Privilege_(computing)#Unix

-Tim


thanks for the answer:
Code:
# Generated by iptables-save v1.4.7 on Sat Oct  5 21:24:10 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-DOVECOT - [0:0]
:fail2ban-SMTP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-Squid - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-dovecot-pop3imap - [0:0]
:fail2ban-php-url - [0:0]
:fail2ban-roundcube - [0:0]
:fail2ban-squirrelmail - [0:0]
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-roundcube
-A INPUT -p tcp -m tcp --dport 3128 -j fail2ban-Squid
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-php-url
-A INPUT -p tcp -m multiport --dports 143,993,110,995 -j fail2ban-DOVECOT
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-SMTP
-A INPUT -p tcp -m tcp --dport 41414 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 443,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,443,1080 -j fail2ban-squirrelmail
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot-pop3imap
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-php-url
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A INPUT -m recent --remove --name portscan --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 41414 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 41414 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-DOVECOT -j RETURN
-A fail2ban-SMTP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-Squid -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-dovecot-pop3imap -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-roundcube -j RETURN
-A fail2ban-squirrelmail -j RETURN
COMMIT
# Completed on Sat Oct  5 21:24:10 2013
# Generated by iptables-save v1.4.7 on Sat Oct  5 21:24:10 2013
*security
:INPUT ACCEPT [380:57250]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [349:227280]
COMMIT
# Completed on Sat Oct  5 21:24:10 2013
# Generated by iptables-save v1.4.7 on Sat Oct  5 21:24:10 2013
*raw
:PREROUTING ACCEPT [387:59380]
:OUTPUT ACCEPT [349:227280]
COMMIT
# Completed on Sat Oct  5 21:24:10 2013
# Generated by iptables-save v1.4.7 on Sat Oct  5 21:24:10 2013
*nat
:PREROUTING ACCEPT [13:2474]
:POSTROUTING ACCEPT [58:3890]
:OUTPUT ACCEPT [58:3890]
COMMIT
# Completed on Sat Oct  5 21:24:10 2013
# Generated by iptables-save v1.4.7 on Sat Oct  5 21:24:10 2013
*mangle
:PREROUTING ACCEPT [387:59380]
:INPUT ACCEPT [380:57250]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [294:216695]
:POSTROUTING ACCEPT [352:229872]
:SSLH - [0:0]
-A OUTPUT -o eth0 -p tcp -m tcp --sport 41414 -j SSLH
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8443 -j SSLH
-A SSLH -j MARK --set-xmark 0x1/0xffffffff
-A SSLH -j ACCEPT
COMMIT
# Completed on Sat Oct  5 21:24:10 2013



I have non standard ports for ssh and https


Top
   
PostPosted: Sat Oct 05, 2013 4:09 pm 
Offline
Sysop

Joined: Sat Nov 27, 2010 3:32 am
Posts: 180
Website: https://blog.timheckman.net/
Location: San Francisco, CA
Those firewall rules seem a bit ridiculous, and may get in the way of things you try to do in the future...so yeah.

What are you trying to do that causes that error? I need a specific command, preferably with full prompt being shown as well as the error.

_________________
'If debugging is the process of removing bugs, then programming must be the process of putting them in.' //Edsger Dijkstra
'Nothing is withheld from us which we have conceived to do.' | 'Do things that have never been done.' //Russell Kirsch


Top
   
PostPosted: Sat Oct 05, 2013 4:15 pm 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
theckman wrote:
Those firewall rules seem a bit ridiculous, but have fun with that...

What are you trying to do that causes that error? I need a specific command, preferably with full prompt being shown as well as the error.


why ridiculous?
have you got some some better rules? can you share it?

I'm starting sslh as a service in CentOS, the purpose is to connect to ssh and https using port 443.
It works fine if the /etc/rc.d/init.d/sslh
contains this lines:
OPTIONS="--user nobody --pidfile $PIDFILE -p MYLINODEIP1:443 --ssl MYLINODEIP:8443 --ssh MYLINODEIP:nonstandardport"

In this way every logs does not contain any valid ip address because everyone who connect to https or ssh is logged as MYLINODEIP.
To solve this problem sslh gives the --transparent option but this options doesn't work on my linode if not used as root.
OPTIONS="--user root --pidfile $PIDFILE -p MYLINODEIP1:443 --ssl MYLINODEIP:8443 --ssh MYLINODEIP:nonstandardport"


Last edited by sblantipodi on Sat Oct 05, 2013 5:05 pm, edited 1 time in total.

Top
   
PostPosted: Sat Oct 05, 2013 4:52 pm 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
PS: I've done the commands in the readme too:
https://github.com/yrutschle/sslh/blob/ ... EADME#L185
Quote:
# iptables -t mangle -N SSLH
# iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 22 --jump SSLH
# iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH
# iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
# iptables -t mangle -A SSLH --jump ACCEPT
# ip rule add fwmark 0x1 lookup 100
# ip route add local 0.0.0.0/0 dev lo table 100


Top
   
PostPosted: Sat Oct 05, 2013 8:40 pm 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
I'm going mad but this time I get a step forward.
Quote:
sslh --transparent --user MYEXISTING USER --pidfile /tmp/sslh -p MYIP:443 --ssl MYIP:8443 --ssh MYIP:42424

plus
Quote:
iptables -t mangle -N SSLH;
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 42424--jump SSLH;
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 8443 --jump SSLH;
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1;
iptables -t mangle -A SSLH --jump ACCEPT;
ip rule add fwmark 0x1 lookup 100;
ip route add local 0.0.0.0/0 dev lo table 100;


works like a charm.

If I try to start it like a service with the
service sslh start
it doesn't work. Operation not permitted.

Have you got any suggestion on starting it as a service?

Thanks.


Top
   
PostPosted: Sun Oct 06, 2013 2:09 am 
Offline
Sysop

Joined: Sat Nov 27, 2010 3:32 am
Posts: 180
Website: https://blog.timheckman.net/
Location: San Francisco, CA
The rules seem like overkill and don't really protect you against anything. But alas, you have free rein over your system.

Are you trying to start sslh as root?

-Tim

_________________
'If debugging is the process of removing bugs, then programming must be the process of putting them in.' //Edsger Dijkstra
'Nothing is withheld from us which we have conceived to do.' | 'Do things that have never been done.' //Russell Kirsch


Top
   
PostPosted: Sun Oct 06, 2013 6:44 am 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
theckman wrote:
The rules seem like overkill and don't really protect you against anything. But alas, you have free rein over your system.

Are you trying to start sslh as root?

-Tim


If I start it as root it works like a charm,
If I start it as normal user it works like a charm,

if I start it at boot with
chkconfig sslh on

when I reboot I get the
setsockopt: Operation not permitted
error when I try to use the SSLH port to connect.

It seems that the sslh command looses the capabilities
(setcap cap_net_bind_service,cap_net_admin+pe /usr/sbin/sslh)
when it starts like a service and I don't want this.


Top
   
PostPosted: Sun Oct 06, 2013 7:53 am 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
on the mailing list they say:
http://rutschle.net/pipermail/sslh/2013 ... 00443.html
make sure it's changed to the final user *before* calling
sslh, if using --transparent.


Ok, but how can I change to final user *before* calling sslh?


Top
   
PostPosted: Sun Oct 06, 2013 10:14 am 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
Ok, I solved by adding --user to the daemon

Quote:

OPTIONS="--transparent -- MYUSERNAM --pidfile /tmp/sslh -p MYIP:443 --ssl MYIP:8443 --ssh MYIP:NONSTANDARDPORT"
PIDFILE="/tmp/sslh"

start() {
echo -n "Starting SSL-SSH-Switch: "
if [ -f $PIDFILE ]; then
PID=`cat $PIDFILE`
echo sslh already running: $PID
exit 2;
else
daemon --user MYUSERNAME $SSLH $OPTIONS
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch $PIDFILE
ip rule add fwmark 0x1 lookup 100;
ip route add local 0.0.0.0/0 dev lo table 100;

return $RETVAL
fi

}
stop() {
echo -n "Shutting down SSL-SSH-Switch: "
echo
killproc sslh
echo
rm -f $PIDFILE
ip rule del fwmark 0x1 lookup 100;
ip route del local 0.0.0.0/0 dev lo table 100;

return 0
}

I also added the ip route del/add and ip rule add/del in order to not type this command at every boot.

In the /etc/ssh/sshd_config
I enabled the
ListenAddress MYPUBLICIP

than I added this rule
Code:
iptables -t mangle -N SSLH;
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport NONSTANDARDPORT --jump SSLH;
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 8443 --jump SSLH;
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1;
iptables -t mangle -A SSLH --jump ACCEPT;
ip rule add fwmark 0x1 lookup 100;
ip route add local 0.0.0.0/0 dev lo table 100;


Problem solved!

Now fail2ban works again with the multiplexer running and I can trace the IP of the user connecting to multiplexed port correctly.

[/code]


Top
   
Display posts from previous:  Sort by  
Post new topic  Reply to topic


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
RSS

Powered by phpBB® Forum Software © phpBB Group