Hi
On my WAN_LOCAL, I had enabled remote SSH, and while going through my firewall stats I saw the stats counter building up. netstat showed an established connection on port 22 from IP 157.181.28.113, although I couldn't see any actual login (using w and lastlog). I realized that I may have forgotten to set 'disable-password-authentication', although I had key-based authentication in place. I terminated the connection and disabled remote SSH and password authentication altogether.
I've checked /config/scripts/ and /config/scripts/post-config.d/ for any unusual scripts but couldn't find anything. How do I make sure that nothing crazy is running or has been set up (e.g. a rootkit)? Sorry, just being a bit paranoid here.
Here is what I have running and my latest config.
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN tcp 0 0 127.0.0.101:55523 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN tcp 0 0 192.168.1.1:22 192.168.1.26:33452 ESTABLISHED tcp 0 0 192.168.1.1:22 192.168.1.26:55174 ESTABLISHED tcp6 0 0 :::53 :::* LISTEN tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 :::443 :::* LISTEN tcp6 0 0 :::80 :::* LISTEN
IPv4 Firewall "WAN_IN": Active on (eth1,IN) (pppoe0,IN) rule action proto packets bytes ---- ------ ----- ------- ----- 1 accept all 18769 3734554 condition - state RELATED,ESTABLISHED 2 drop all 0 0 condition - state INVALID 19 drop all 0 0 condition - match-set ET-N src 20 drop all 0 0 condition - match-set ET-A src 10000 drop all 0 0 -------------------------------------------------------------------------------- IPv4 Firewall "WAN_LOCAL": Active on (eth1,LOCAL) (pppoe0,LOCAL) rule action proto packets bytes ---- ------ ----- ------- ----- 1 accept all 3232 528470 condition - state RELATED,ESTABLISHED 2 drop all 51 2060 condition - state INVALID 3 drop all 0 0 condition - match-set ET-N src 4 drop all 0 0 condition - match-set ET-A src 5 accept icmp 4 124 condition - LIMIT avg 50/min burst 1 LOG enabled 10000 drop all 368 24557 condition - LOG enabled
firewall { all-ping enable broadcast-ping disable group { address-group ET-A { description "Emerging Threats addresses" } address-group ET-N { description "Emerging Threats networks" } network-group SPAMHAUS_DROP { } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name WAN_IN { default-action drop rule 1 { action accept description "Accept related" log disable protocol all state { established enable related enable } } rule 2 { action drop description "Drop invalid" log disable state { invalid enable } } rule 19 { action drop description "drop ET-N" log disable source { group { address-group ET-N } } } rule 20 { action drop description "drop ET-A" log disable source { group { address-group ET-A } } } rule 25 { action accept description "Allow SSH" destination { port 22 } disable log enable protocol tcp } } name WAN_LOCAL { default-action drop enable-default-log rule 1 { action accept description "Accept related" state { established enable related enable } } rule 2 { action drop description "Drop invalid" state { invalid enable } } rule 3 { action drop description "drop ET-N" source { group { address-group ET-N } } } rule 4 { action drop description "drop ET-A" source { group { address-group ET-A } } } rule 5 { action accept description "Limit ICMP" limit { burst 1 rate 50/minute } log enable protocol icmp } rule 6 { action accept description "Remote SSH" destination { port 22 } disable log disable protocol tcp } rule 7 { action accept description "Remote GUI" destination { port 443 } disable log disable protocol tcp } } options { mss-clamp { interface-type pppoe mss 1412 } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address 192.168.1.1/24 description Local duplex auto speed auto } ethernet eth1 { description "Internet (PPPoE)" duplex auto firewall { in { name WAN_IN } local { name WAN_LOCAL } } pppoe 0 { default-route auto firewall { in 
{ name WAN_IN } local { name WAN_LOCAL } } mtu 1492 name-server auto password xxxx user-id xxxx } speed auto } ethernet eth2 { address 192.168.2.1/24 description "Local 2" duplex auto speed auto } ethernet eth3 { address 192.168.3.1/24 description "Local 3" duplex auto speed auto } ethernet eth4 { duplex auto speed auto } ethernet eth5 { duplex auto speed auto } ethernet eth6 { duplex auto speed auto } ethernet eth7 { duplex auto speed auto } loopback lo { } } port-forward { auto-firewall disable hairpin-nat enable lan-interface eth2 lan-interface eth0 rule 1 { description "Port forward to deneb:22" forward-to { address 192.168.1.46 port 22 } original-port 8900 protocol tcp_udp } wan-interface pppoe0 } service { dhcp-server { disabled false global-parameters "log-facility local2;" hostfile-update disable shared-network-name LAN1 { authoritative disable subnet 192.168.1.0/24 { default-router 192.168.1.1 dns-server 192.168.1.1 lease 86400 start 192.168.1.21 { stop 192.168.1.240 } static-mapping raspberrypi { ip-address 192.168.1.23 mac-address b8:27:eb:4f:ba:73 } unifi-controller 192.168.1.21 } } shared-network-name LAN2 { authoritative disable subnet 192.168.2.0/24 { default-router 192.168.2.1 dns-server 192.168.2.1 lease 86400 start 192.168.2.21 { stop 192.168.2.240 } } } } dns { forwarding { blacklist { disabled false dns-redirect-ip 0.0.0.0 domains { include adsrvr.org include adtechus.net include advertising.com include centade.com include doubleclick.net include free-counter.co.uk include intellitxt.com include kiosked.com include patoghee.in source malc0de { description "List of zones serving malicious executables observed by malc0de.com/database/" prefix "zone " url http://malc0de.com/bl/ZONES } source malwaredomains.com { description "Just domains" prefix "" url http://mirror1.malwaredomains.com/files/justdomains } source simple_tracking { description "Basic tracking list by Disconnect" prefix "" url 
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt } source zeus { description "abuse.ch ZeuS domain blocklist" prefix "" url https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist } } exclude 1e100.net exclude 2o7.net exclude adobedtm.com exclude akamai.net exclude akamaihd.net exclude amazon.com exclude amazonaws.com exclude apple.com exclude ask.com exclude avast.com exclude bitdefender.com exclude cdn.visiblemeasures.com exclude cloudfront.net exclude coremetrics.com exclude edgesuite.net exclude freedns.afraid.org exclude github.com exclude githubusercontent.com exclude google.com exclude googleadservices.com exclude googleapis.com exclude googletagmanager.com exclude googleusercontent.com exclude gstatic.com exclude gvt1.com exclude gvt1.net exclude hb.disney.go.com exclude hp.com exclude hulu.com exclude images-amazon.com exclude live.com exclude microsoft.com exclude msdn.com exclude msecnd.net exclude paypal.com exclude rackcdn.com exclude schema.org exclude shopify.com exclude skype.com exclude smacargo.com exclude sourceforge.net exclude ssl-on9.com exclude ssl-on9.net exclude sstatic.net exclude static.chartbeat.com exclude storage.googleapis.com exclude windows.net exclude xboxlive.com exclude yimg.com exclude ytimg.com hosts { include beap.gemini.yahoo.com source openphish { description "OpenPhish automatic phishing detection" prefix http url https://openphish.com/feed.txt } source raw.github.com { description "This hosts file is a merged collection of hosts from reputable sources" prefix "0.0.0.0 " url https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts } source sysctl.org { description "This hosts file is a merged collection of hosts from cameleon" prefix "127.0.0.1 " url http://sysctl.org/cameleon/hosts } source volkerschatz { description "Ad server blacklists" prefix http url http://www.volkerschatz.com/net/adpaths } source yoyo { description "Fully Qualified Domain Names only - no prefix to strip" prefix "" 
url http://pgl.yoyo.org/as/serverlist.php?hostformat=nohtml&showintro=1&mimetype=plaintext } } } cache-size 150 listen-on eth0 listen-on eth2 name-server 208.67.220.220 name-server 208.67.222.222 } } gui { http-port 80 https-port 443 older-ciphers enable } nat { rule 5010 { outbound-interface pppoe0 type masquerade } } ssh { disable-password-authentication port 22 protocol-version v2 } } system { host-name ubnt login { user xxxx { authentication { public-keys xxxx { key type ssh-rsa } public-keys xxxx { key type ssh-rsa } public-keys xxx { key type ssh-rsa } public-keys xxx { key type ssh-rsa } public-keys xxx { key type ssh-rsa } } level admin } } ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } offload { hwnat disable ipsec enable ipv4 { forwarding enable pppoe enable vlan enable } } syslog { file dhcpd { archive { files 5 size 5000 } facility local2 { level debug } } global { facility all { level notice } facility protocols { level debug } } } task-scheduler { task update_blacklists { executable { path /config/scripts/update-dnsmasq.pl } interval 1d } } time-zone Pacific/Auckland traffic-analysis { dpi enable export enable } } /* Warning: Do not remove the following line. */ /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */ /* Release version: v1.8.5.4884695.160608.1104 */