Hi David,
Great documentation...
Notice your drop log is denoted with "AIF:Blocked host(s)", which is not from
the adaptive ban plugin; if it were, it would read "AIF:Adaptive-Ban host: "
I did your same test, without any issues...
$ iptables -nvL ADAPTIVE_BAN_CHAIN
--
Chain ADAPTIVE_BAN_CHAIN (2 references)
 pkts bytes target                   prot opt in  out  source            destination
  366 34009 RETURN                   all  --  *   *    192.168.101.0/24  0.0.0.0/0
    0     0 ADAPTIVE_BAN_DROP_CHAIN  all  --  *   *    192.168.101.13    0.0.0.0/0
--
Sep 15 18:16:34 pbx3 daemon.info dnsmasq-dhcp[2527]: DHCPDISCOVER(eth1) 00:23:32:xx:xx:xx
Sep 15 18:16:34 pbx3 daemon.info dnsmasq-dhcp[2527]: DHCPOFFER(eth1) 192.168.101.13 00:23:32:xx:xx:xx
Sep 15 18:16:35 pbx3 daemon.info dnsmasq-dhcp[2527]: DHCPREQUEST(eth1) 192.168.101.13 00:23:32:xx:xx:xx
Sep 15 18:16:35 pbx3 daemon.info dnsmasq-dhcp[2527]: DHCPACK(eth1) 192.168.101.13 00:23:32:xx:xx:xx mb13
All I can assume is your "/mnt/kd/blocked-hosts" file contains something in
192.168.17.0/24 or your Firewall -> Block Host/CIDR contains something like it.
Double check those and report back.
Lonnie
On Sep 15, 2013, at 12:02 PM, David Kerr wrote:
> Last night I ran into a problem where one of my MacBooks could not obtain an
> IP address from the DHCP server... it would use a self-assigned IP address.
> After some investigation I stumbled upon the reason which prompts me to write
> here.
>
> The laptop in question must at some time have attempted to log in to the
> AstLinux admin console with the wrong password a number of times, and
> adaptive-ban triggered. I deliberately reproduced this today...
>
> Sep 15 12:34:03 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password
> doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
> Sep 15 12:34:07 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password
> doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
> Sep 15 12:34:25 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password
> doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
> Sep 15 12:34:27 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password
> doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
> Sep 15 12:34:30 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password
> doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
> Sep 15 12:34:31 pbx user.info firewall: adaptive-ban: Banned IPv4 Host:
> 192.168.17.171 Filter Type: lighttpd
>
>
>
> Then in the status page I see the following. Note the whitelist as well as
> the banned host.
>
> Banned Hosts:
> ==============================
> 192.168.17.171
> ------------------------------
> Whitelisted Hosts:
> ==============================
> 192.168.17.0/24
> ------------------------------
>
>
>
> Now if the MacBook has already got an IP address and just "renews" the IP,
> then everything is fine...
> Sep 15 12:35:10 pbx daemon.info dnsmasq-dhcp[8578]: DHCPREQUEST(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 12:35:10 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1)
> 192.168.17.171 70:56:81:ba:5f:37 MacBookAir13
> Sep 15 12:35:56 pbx daemon.info dnsmasq-dhcp[8578]: DHCPREQUEST(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 12:35:56 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1)
> 192.168.17.171 70:56:81:ba:5f:37 MacBookAir13
>
>
>
> However, if the MacBook has not already got an IP address (it thinks it is on
> a new network, whatever) then rather than requesting renewal of the current
> IP, it seeks a new one with a DHCPDISCOVER... and it fails.
>
> Sep 15 09:39:52 pbx user.info kernel: AIF:Blocked host(s): IN= OUT=br1
> SRC=192.168.17.1 DST=192.168.17.171 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
> PROTO=ICMP TYPE=8 CODE=0 ID=62695 SEQ=0
> Sep 15 09:39:55 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:39:55 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:39:55 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:39:55 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:39:59 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:39:59 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:40:07 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:40:07 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:40:16 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:40:16 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:40:27 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:40:27 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:40:33 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:40:33 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:40:42 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:40:42 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:40:50 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:40:50 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:41:58 pbx user.info kernel: AIF:Blocked host(s): IN= OUT=br1
> SRC=192.168.17.1 DST=192.168.17.171 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
> PROTO=ICMP TYPE=8 CODE=0 ID=28247 SEQ=0
> Sep 15 09:42:01 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:42:01 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:42:01 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:42:01 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:42:02 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:42:02 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:42:07 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:42:07 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:42:15 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:42:15 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:42:24 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:42:24 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:42:30 pbx user.info firewall: ** Restarting Arno's Iptables
> Firewall v2.0.1d **
> Sep 15 09:42:32 pbx user.info kernel: AIF:Blocked host(s): IN= OUT=br1
> SRC=192.168.17.1 DST=192.168.17.171 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
> PROTO=ICMP TYPE=8 CODE=0 ID=28189 SEQ=0
> Sep 15 09:42:35 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:42:35 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
>
>
>
> However, if I configure the MacBook to use a manual IP address but with DHCP
> to discover the gateway, DNS, etc., then it works...
> Sep 14 23:09:21 pbx daemon.info dnsmasq-dhcp[8578]: DHCPINFORM(br1)
> 192.168.17.30 70:56:81:ba:5f:37
> Sep 14 23:09:21 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1)
> 192.168.17.30 70:56:81:ba:5f:37
> Sep 14 23:09:45 pbx daemon.info dnsmasq-dhcp[8578]: DHCPINFORM(br1)
> 192.168.17.30 70:56:81:ba:5f:37
> Sep 14 23:09:45 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1)
> 192.168.17.30 70:56:81:ba:5f:37
>
>
>
> If I remove 192.168.17.171 from the banned hosts list and restart the
> firewall then it works.
> Sep 15 09:42:41 pbx user.info firewall: ** All firewall rules applied **
> Sep 15 09:42:41 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1)
> 70:56:81:ba:5f:37
> Sep 15 09:42:41 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:42:42 pbx daemon.info dnsmasq-dhcp[8578]: DHCPREQUEST(br1)
> 192.168.17.171 70:56:81:ba:5f:37
> Sep 15 09:42:42 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1)
> 192.168.17.171 70:56:81:ba:5f:37 MacBookAir13
>
>
> Any suggestions what is going on and why the whitelist is not working?
>
> Thanks
> David
>
> Astlinux-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].