Lonnie,
  Thanks for testing.  Yes, my mnt/kd/blocked-hosts had 192.168.17.171 in
it.  I had to delete that to get it to work, but I did not add that
manually; I assumed that it had been added by adaptive-ban.  I need to do
some further investigation because, if you remember, a while back we had a
discussion on persisting banned IPs across reboot with a history file. I
have that implemented, so each time the firewall starts it looks for the
history file and re-bans IPs that have not aged past a certain number of
days.  It is possible that this was causing the IP to get added to the
banned-hosts file.  I also of course had to remove that history file to get
things working.

David


On Sun, Sep 15, 2013 at 7:36 PM, Lonnie Abelbeck <[email protected]> wrote:

> Hi David,
>
> Great documentation...
>
> Notice your drop log is denoted with "AIF:Blocked host(s)" which is not
> from the adaptive ban plugin, if it were it would read "AIF:Adaptive-Ban
> host: "
>
> I did your same test, without any issues...
>
> $ iptables -nvL ADAPTIVE_BAN_CHAIN
> --
> Chain ADAPTIVE_BAN_CHAIN (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>   366 34009 RETURN     all  --  *      *       192.168.101.0/24     0.0.0.0/0
>     0     0 ADAPTIVE_BAN_DROP_CHAIN  all  --  *      *       192.168.101.13       0.0.0.0/0
> --
> Sep 15 18:16:34 pbx3 daemon.info dnsmasq-dhcp[2527]: DHCPDISCOVER(eth1) 00:23:32:xx:xx:xx
> Sep 15 18:16:34 pbx3 daemon.info dnsmasq-dhcp[2527]: DHCPOFFER(eth1) 192.168.101.13 00:23:32:xx:xx:xx
> Sep 15 18:16:35 pbx3 daemon.info dnsmasq-dhcp[2527]: DHCPREQUEST(eth1) 192.168.101.13 00:23:32:xx:xx:xx
> Sep 15 18:16:35 pbx3 daemon.info dnsmasq-dhcp[2527]: DHCPACK(eth1) 192.168.101.13 00:23:32:xx:xx:xx mb13
>
> All I can assume is your "/mnt/kd/blocked-hosts" file contains something
> in 192.168.17.0/24 or your Firewall -> Block Host/CIDR contains something
> like it.
>
> Double check those and report back.
>
> Lonnie
>
>
> On Sep 15, 2013, at 12:02 PM, David Kerr wrote:
>
> > Last night I ran into a problem where one of my MacBooks could not
> > obtain an IP address from the DHCP server... it would use a self-assigned
> > IP address.  After some investigation I stumbled upon the reason, which
> > prompts me to write here.
> >
> > The laptop in question must at some time have attempted to log in to the
> > astlinux admin console with the wrong password a number of times, and
> > adaptive-ban triggered.  I deliberately reproduced this today...
> >
> > Sep 15 12:34:03 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
> > Sep 15 12:34:07 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
> > Sep 15 12:34:25 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
> > Sep 15 12:34:27 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
> > Sep 15 12:34:30 pbx daemon.err lighttpd[3002]: (http_auth.c.885) password doesn't match for /admin/status.php username: admin, IP: 192.168.17.171
> > Sep 15 12:34:31 pbx user.info firewall: adaptive-ban: Banned IPv4 Host: 192.168.17.171  Filter Type: lighttpd
> >
> >
> >
> > Then in the status page I see the following.  Note the whitelist as well
> > as the banned host.
> >
> > Banned Hosts:
> > ==============================
> > 192.168.17.171
> > ------------------------------
> > Whitelisted Hosts:
> > ==============================
> > 192.168.17.0/24
> > ------------------------------
> >
> >
> >
> > Now if the MacBook has already got an IP address and just "renews" the
> > IP, then everything is fine...
> > Sep 15 12:35:10 pbx daemon.info dnsmasq-dhcp[8578]: DHCPREQUEST(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 12:35:10 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1) 192.168.17.171 70:56:81:ba:5f:37 MacBookAir13
> > Sep 15 12:35:56 pbx daemon.info dnsmasq-dhcp[8578]: DHCPREQUEST(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 12:35:56 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1) 192.168.17.171 70:56:81:ba:5f:37 MacBookAir13
> >
> >
> >
> > However, if the MacBook has not already got an IP address (it thinks it
> > is on a new network, whatever) then rather than requesting renewal of the
> > current IP, it seeks a new one with a DHCPDISCOVER... and it fails.
> >
> > Sep 15 09:39:52 pbx user.info kernel: AIF:Blocked host(s): IN= OUT=br1 SRC=192.168.17.1 DST=192.168.17.171 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=62695 SEQ=0
> > Sep 15 09:39:55 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:39:55 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:39:55 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:39:55 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:39:59 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:39:59 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:40:07 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:40:07 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:40:16 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:40:16 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:40:27 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:40:27 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:40:33 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:40:33 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:40:42 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:40:42 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:40:50 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:40:50 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:41:58 pbx user.info kernel: AIF:Blocked host(s): IN= OUT=br1 SRC=192.168.17.1 DST=192.168.17.171 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28247 SEQ=0
> > Sep 15 09:42:01 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:42:01 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:42:01 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:42:01 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:42:02 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:42:02 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:42:07 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:42:07 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:42:15 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:42:15 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:42:24 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:42:24 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:42:30 pbx user.info firewall: ** Restarting Arno's Iptables Firewall v2.0.1d **
> > Sep 15 09:42:32 pbx user.info kernel: AIF:Blocked host(s): IN= OUT=br1 SRC=192.168.17.1 DST=192.168.17.171 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28189 SEQ=0
> > Sep 15 09:42:35 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:42:35 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> >
> >
> >
> > However, if I configure the MacBook to use a manual IP address but with
> > DHCP to discover the gateway, DNS, etc., then it works...
> > Sep 14 23:09:21 pbx daemon.info dnsmasq-dhcp[8578]: DHCPINFORM(br1) 192.168.17.30 70:56:81:ba:5f:37
> > Sep 14 23:09:21 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1) 192.168.17.30 70:56:81:ba:5f:37
> > Sep 14 23:09:45 pbx daemon.info dnsmasq-dhcp[8578]: DHCPINFORM(br1) 192.168.17.30 70:56:81:ba:5f:37
> > Sep 14 23:09:45 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1) 192.168.17.30 70:56:81:ba:5f:37
> >
> >
> >
> > If I remove the 192.168.17.171 from banned hosts list and restart the
> > firewall then it works.
> > Sep 15 09:42:41 pbx user.info firewall: ** All firewall rules applied **
> > Sep 15 09:42:41 pbx daemon.info dnsmasq-dhcp[8578]: DHCPDISCOVER(br1) 70:56:81:ba:5f:37
> > Sep 15 09:42:41 pbx daemon.info dnsmasq-dhcp[8578]: DHCPOFFER(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:42:42 pbx daemon.info dnsmasq-dhcp[8578]: DHCPREQUEST(br1) 192.168.17.171 70:56:81:ba:5f:37
> > Sep 15 09:42:42 pbx daemon.info dnsmasq-dhcp[8578]: DHCPACK(br1) 192.168.17.171 70:56:81:ba:5f:37 MacBookAir13
> >
> >
> > Any suggestions what is going on and why the whitelist is not working?
> >
> > Thanks
> > David
> >
> >
>
>
>
_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
[email protected].
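
As an added example (not part of the original thread and not AstLinux code), the two checks discussed above can be scripted: attribute a kernel drop line to its rule source by the log prefix Lonnie quotes, and flag blocked-hosts entries that fall inside a whitelisted network. The function names and the one-entry-per-line file format with `#` comments are assumptions.

```python
import ipaddress
import re

# Drop-log prefixes quoted in the thread, mapped to the rule source they identify.
PREFIXES = {
    "AIF:Blocked host(s):": "blocked-hosts",
    "AIF:Adaptive-Ban host:": "adaptive-ban",
}
FIELD = re.compile(r"\b(SRC|DST)=(\S+)")

# First line is abridged from the thread; the second is constructed for illustration.
SAMPLE_LOG = [
    "Sep 15 09:39:52 pbx user.info kernel: AIF:Blocked host(s): IN= OUT=br1 "
    "SRC=192.168.17.1 DST=192.168.17.171 LEN=48 PROTO=ICMP TYPE=8 CODE=0",
    "Sep 15 12:40:00 pbx user.info kernel: AIF:Adaptive-Ban host: IN=br1 OUT= "
    "SRC=192.168.17.171 DST=192.168.17.1 LEN=60 PROTO=TCP DPT=443",
]

def classify_drop(line):
    """Return (rule_source, src, dst) for an AIF drop line, else None."""
    for prefix, source in PREFIXES.items():
        if prefix in line:
            fields = dict(FIELD.findall(line))
            return source, fields.get("SRC"), fields.get("DST")
    return None

def whitelist_conflicts(blocked_entries, whitelist):
    """List (blocked entry, whitelisted net) pairs that overlap."""
    nets = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    hits = []
    for raw in blocked_entries:
        entry = raw.split("#", 1)[0].strip()  # assumed: '#' starts a comment
        if not entry:
            continue
        blocked = ipaddress.ip_network(entry, strict=False)
        hits += [(entry, str(n)) for n in nets
                 if n.version == blocked.version and n.overlaps(blocked)]
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_drop(line))
    # Constructed blocked-hosts content; whitelist as shown on the status page.
    print(whitelist_conflicts(["192.168.17.171", "203.0.113.9  # test"],
                              ["192.168.17.0/24"]))
```
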