I have a droplet on DigitalOcean with IPv4 and IPv6 enabled. The droplet is behind a digital ocean network firewall with the following rules:
Inbound:
SSH TCP 22 All IPv4, All IPv6
HTTP TCP 80 All IPv4, All IPv6
HTTP TCP 443 All IPv4, All IPv6
Outbound:
ICMP ICMP All IPv4 All IPv6
All TCP TCP All ports All IPv4 All IPv6
All UDP UDP All ports All IPv4
My understanding and expectation is that will block all ssh attempts on ports other than port 22. However when checking the sshd unit in systemd journal. I see the following entries:
2022-12-29 03:00:32 Disconnected from invalid user antonio 43.153.179.44 port 45614 [preauth]
2022-12-29 03:00:32 Received disconnect from 43.153.179.44 port 45614:11: Bye Bye [preauth]
2022-12-29 03:00:31 Invalid user antonio from 43.153.179.44 port 45614
2022-12-29 02:58:37 Disconnected from invalid user desliga 190.129.122.3 port 1199 [preauth]
2022-12-29 02:58:37 Received disconnect from 190.129.122.3 port 1199:11: Bye Bye [preauth]
2022-12-29 02:58:37 Invalid user desliga from 190.129.122.3 port 1199
and many more of these lines, which means the firewall is not blocking ssh connections on ports other than 22.
The following graph shows the number of ssh connections to ports other than 22 in the last hour. The connections are reduced with enabling the Network Filter, but they not diminished.
Could it be that the Network Firewall of DigitalOcean is broken?
What am I missing?
Anyone is seeing the same situation on their infrastructure?
The ports being shown in the log are the remote ports that the connections are coming from on the remote IPs, and not indicating that those ports are listening on your server or through the firewall. The firewall is configured from your description to allow for any remote IP and port to connect to your droplet on local ports 22, 80, and 443.
Related
This is probably an easy one for the security experts out there, but I would like to know why the /var/log/auth.log appears to be "negotiating" connections for ports that I assume to be closed. Is this normal, or should I look at changing some security settings?
For what it's worth, I do have Fail2Ban setup for monitoring open ports, but I would assume the OS would ignore any attempts to connect to a closed port.
The log snippet below shows a few of the unauthorized failed login attempts. I have also included a list of open ports from the ss -tul command.
/var/log/auth.log Snippet
sshd[76546]: Unable to negotiate with 27.35.34.124 port 43241: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[77249]: Invalid user support from 168.194.80.108 port 16319
sshd[77249]: Connection closed by invalid user support 168.194.80.108 port 16319 [preauth]
sshd[78624]: Connection closed by authenticating user nobody 180.193.186.26 port 65118 [preauth]
sshd[78626]: Unable to negotiate with 188.247.48.198 port 58403: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[79677]: Corrupted MAC on input. [preauth]
sshd[79677]: ssh_dispatch_run_fatal: Connection from 103.75.20.178 port 40688: message authentication code incorrect [preauth]
sshd[79679]: Invalid user Nobody from 85.237.57.200 port 35236
sshd[79679]: Connection closed by invalid user Nobody 85.237.57.200 port 35236 [preauth]
sshd[80022]: Unable to negotiate with 220.120.48.109 port 60939: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[80396]: Unable to negotiate with 203.251.85.160 port 42626: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[81062]: Unable to negotiate with 218.148.11.5 port 61316: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[81064]: Unable to negotiate with 49.48.35.209 port 51022: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[81071]: Invalid user Nobody from 112.141.38.88 port 58901
sshd[81071]: Connection closed by invalid user Nobody 112.141.38.88 port 58901 [preauth]
sshd[81093]: Connection closed by 195.226.194.242 port 51412 [preauth]
sshd[81092]: Connection closed by 195.226.194.142 port 51398 [preauth]
sshd[81446]: Unable to negotiate with 113.22.92.27 port 33534: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[81449]: Unable to negotiate with 47.21.51.190 port 53329: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[82127]: error: kex_exchange_identification: Connection closed by remote host
sshd[82127]: Connection closed by 181.64.10.35 port 54550
sshd[82128]: Invalid user vpsadmin from 181.64.10.35 port 54566
sshd[82128]: Connection closed by invalid user vpsadmin 181.64.10.35 port 54566 [preauth]
sshd[82130]: fatal: Timeout before authentication for 181.64.10.35 port 54648
sshd[82138]: Unable to negotiate with 110.142.35.177 port 60903: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[82176]: Invalid user Ubnt from 98.143.104.196 port 51521
sshd[82176]: Connection closed by invalid user Ubnt 98.143.104.196 port 51521 [preauth]
Open Ports List (ss -tul)
Netid State Local Address:Port Peer Address:Port
udp UNCONN 0.0.0.0:47089 0.0.0.0:*
udp UNCONN 127.0.0.53%lo:domain 0.0.0.0:*
udp UNCONN [omitted]:bootpc 0.0.0.0:*
udp UNCONN 127.0.0.1:323 0.0.0.0:*
udp UNCONN [::1]:323 [::]:*
tcp LISTEN 0.0.0.0:20202 0.0.0.0:*
tcp LISTEN 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0.0.0.0:ssh 0.0.0.0:*
tcp LISTEN 127.0.0.1:smtp 0.0.0.0:*
tcp LISTEN *:8009 *:*
tcp LISTEN *:20201 *:*
tcp LISTEN *:http *:*
tcp LISTEN *:http-alt *:*
tcp LISTEN [::]:ssh [::]:*
tcp LISTEN [::1]:smtp [::]:*
tcp LISTEN *:https *:*
tcp LISTEN [::ffff:127.0.0.1]:8005 *:*
Together, the IPv4 address & port identify a connection by its source. They're still connecting into your port 22 (or whatever sshd is configured to use).
For example, 27.35.34.124 port 43241 identifies a specific connection coming from 27.35.34.124. If there were two or more ssh clients running on that machine, trying to connect to yours, they'd all have the same source IP, but all have different source ports.
Those ports are usually allocated automatically in the ephemeral port range for outgoing connections, and you rarely see them except when you need to unambiguously identify TCP connections.
I'm going to shamelessly link my own answer on SE in case you want more fine detail.
I've got CRC running on Windows 11 and I would like to connect there from a RHEL9 VM.
CRC listening on 127.0.0.1:6443
Port forwarding rule created on Win machine to fwd connections on 192.168.1.156 (local intf) to 127.0.0.1:
$ netsh interface portproxy show v4tov4
Listen on ipv4: Connect to ipv4:
Address Port Address Port
192.168.1.156 9000 127.0.0.1 6443
Added rule in firewall to allow connections to port 9000
From the VM:
[test#workstation ~]$ telnet 192.168.1.156 9000
Trying 192.168.1.156...
Connected to 192.168.1.156.
Escape character is '^]'.
Connection closed by foreign host.
[test#workstation ~]$ oc login -u developer -p developer https://192.168.1.156:9000
The server is using a certificate that does not match its hostname: x509: certificate is valid for 10.217.4.1, not 192.168.1.156
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y
Error from server (InternalError): Internal error occurred: unexpected response: 412
Any idea on how I can fix this and be able to connect from my VM towards CRC?
thanks
I have my Windows server 2012 which is active on production and running 2 websites of .NET. Now I want to run my wordpress site I had configured everything and my wordpress site was working fine before but all of sudden now am unable to connect to local host and even wp admin dashboard is not appearing so I deleted all that stuff uninstalled MYSQL connector MYSQL and web platform installer too. Even now I'm facing the same problem.
Whenever I try to connect 127.0.0.1 /Localhost I get the same message for both "This site can't be
reached" and if I try to connect with my public ip it says "HTTP Error 404. The requested resource is not found."
My netstat results are mentioned below:
C:\Users\Administrator>netsh http show iplisten
IP addresses present in the IP listen list:
173.208.205.34
173.208.205.35
173.208.205.36
C:\Users\Administrator>netstat -ano
Active Connections
1. Proto Local Address Foreign Address State
PID TCP 0.0.0.0:135 0.0.0.0:0
LISTENING
1192 TCP 0.0.0.0:180 0.0.0.0:0
LISTENING 1388 TCP 0.0.0.0:445 0.0.0.0:0
LISTENING 4 TCP 0.0.0.0:1433 0.0.0.0:0
LISTENING 2812 TCP 0.0.0.0:1443 0.0.0.0:0
LISTENING 1388 TCP 173.208.205.34:80 0.0.0.0:0
LISTENING 4 TCP 173.208.205.34:139 0.0.0.0:0
LISTENING 4 TCP 173.208.205.34:443 0.0.0.0:0
LISTENING 4 TCP 173.208.205.34:443
160.153.147.141:35160 TIME_WAIT 0
TCP 173.208.205.34:1433 122.176.28.110:2048 ESTABLISHED 28
Additionally, I have checked the etc/hosts file it have 127.0.0.1 localhost uncommented there.
I have also disabled the firewall that make no change.
Can anyone tell what is wrong with this ?
I notice that there is no 0.0.0.0:80 in the IP listen list. Does your site bind to localhost:80?
The correct IP address in list should include
0.0.0.0:80 (ipv4) and [::]:80 (ipv6)
I think you can add 127.0.0.1 to IP listen list.
netsh http add iplisten ipaddress=127.0.0.1
Then check whether it is in list.
I have an application running on Windows machine. the application related alerts are to be e-mailed to administrator,for which an e-mail needs to be sent by Java program. The SMTP server is configured on a remote Linux machine in network.
The Java Mail program works fine and sends out an email, when run on the Linux machine. However if the same program is run on Windows it fails to connect to the SMTP server.
Note:
Ping to the Linux Machine (having SMTP server) is successful from Remote windows server.
Telnet < SMTP server hostname > 25 fails from remote machine as well from the machine where SMTP is running
Telnet localhost 25 is sucessful from SMTP server (Linux server).
The email by Java program is sucessfull, if run on SMTP server when hostname is specified as localhost.It fails if you give actual hostname.
/etc/hosts file on SMTP server lists 127.0.0.1 localhost.
How can i use the SMTP server to send an email from remote Windows machine?
I can paste the errors coming up on windows machine but the problem is not with the program; its the way the SMTP server is configured. I am new to SMTP so feel free to correct me if i am wrong.
The objective is to send a java e-mail from remote windows machine using the SMTP server on the Linux machine.
Adding the Output of netstat -ant|grep :25 as requested in the comment below:
[root#XXXXXXXXXXX]# netstat -ant | grep :25
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 ::1:25 :::* LISTEN
tcp 0 0 ::ffff:10.207.70.71:1521 ::ffff:10.207.70.71:25481 ESTABLISHED
tcp 0 0 ::ffff:10.207.70.71:25481 ::ffff:10.207.70.71:1521 ESTABLISHED
tcp 0 0 ::ffff:10.207.70.71:25202 ::ffff:10.207.70.71:3001 TIME_WAIT
tcp 0 0 ::ffff:10.207.70.71:25127 ::ffff:10.207.70.71:3001 TIME_WAIT
tcp 0 0 ::ffff:10.207.70.71:25289 ::ffff:10.207.70.71:3001 ESTABLISHED
tcp 0 0 ::1:51432 ::1:25580 ESTABLISHED
tcp 0 0 ::1:25580 ::1:51432 ESTABLISHED
tcp 0 0 ::ffff:10.207.70.71:25233 ::ffff:10.207.70.71:3001 TIME_WAIT
tcp 0 0 ::ffff:10.207.70.71:3001 ::ffff:10.207.70.71:25289 ESTABLISHED
[root#XXXXXXXXXXX]#
Postfix: Accepting SMTP connections on ALL IP interrfaces
Your SMTP server (postfix) accepts incoming SMTP connection only on loopback interface(s)
[IPv4=127.0.0.1 and IPv6=::1].
Make your postfix listen on all available IP interfaces -> in main.cf configuration file restore default setting inet_interfaces = all
http://www.postfix.org/postconf.5.html#inet_interfaces
Why "loopback only" configuration is used?
Limiting SMTP server to accept only local SMTP connections is pretty common default configuration on "workstations". It allows sending emails (e.g. system warnings/notifications) without accepting any incoming spam.
I have a process that I'm running on my local machine which is listening on TCP port 9000. I would like to consume on another computer of my network. Here is my configuration:
I would like to see it when I run nmap 10.18.12.12 but I don't know how.
nmap localhost
Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-20 13:49 ART
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00037s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 987 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
443/tcp open https
631/tcp open ipp
3306/tcp open mysql
5432/tcp open postgresql
8000/tcp open http-alt
**9000/tcp open cslistener**
9001/tcp open tor-orport
9999/tcp open abyss
Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-20 13:45 ART
Nmap scan report for 10.18.12.12
Host is up (0.00073s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
3306/tcp open mysql
The service is bound to 127.0.0.1. You can see this without using Nmap; use netstat instead: netstat -tln will show all listening TCP ports. You should see something like this:
$ netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN
In this example, the service on port 21 (FTP) is listening on the special address 0.0.0.0 which means "any available address," but the service on port 9000 is bound to 127.0.0.1, which is a special address ("localhost" or "loopback") not accessible from the network.
Most services will have a way to specify which addresses or interfaces to listen on. Read the manual for the service you are interested in to determine how to change this.