Firewalls

cPanel WHM – Wipe cpHulk Lockouts

Posted by & filed under Firewalls, Security, Server Admin.

cPanel WHM’s cpHulk system manages iptables blocks against IP addresses that fail to authenticate repeatedly. While the settings are fairly lenient and shouldn’t result in legitimate users being blacklisted, occasionally it can happen. The following command will reset the blocklist completely. While this is akin to using a shotgun when a scalpel is required, the blocks are time based and any malicious addresses would get quickly re-blocked.

 

iptables -F cphulk && mysql -e "Delete from cphulkd.login_track;"

There is a method to remove specific addresses, but I do not have the commands handy at present, and if I remember correctly it entails connecting to the mysql console, running a query to find the IP in the block table and issuing a drop query.

Next Generation firewall port knocking

Posted by & filed under Firewalls, Networking.

fwknop stands for the “FireWall KNock OPerator”, and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports iptables on Linux, ipfw on FreeBSD and Mac OS X, and PF on OpenBSD) and libpcap. SPA is essentially next generation port knocking (more on this below). The design decisions that guide the development of fwknop can be found in the blog post “Single Packet Authorization: The fwknop Approach”.

fwknop Hone: www.cipherdyne.org/fwknop/
Tutorial: www.cipherdyne.org/blog/2012/10/tutorial…
SPA with fwknop: www.cipherdyne.org/fwknop/docs/SPA.html

IPTables Fun

Posted by & filed under Firewalls, Networking.

I had to add some rules to IPtables on a new server I built. As a refresher, IPtables like most hardware firewalls, uses stateful packet inspection. It will read the rules in order from top to bottom. This is why we put a blanket deny all (0.0.0.0/0) at the end if we want to restrict access to only specific IP addresses.

To insert a rule at the top of the chain:
iptables -I INPUT -p tcp -m tcp -s 192.168.0.254/26 –dport 22 -j ACCEPT

Insert the same rule, but at the bottom:
iptables -A INPUT -p tcp -m tcp -s 192.168.0.254/26 –dport 22 -j ACCEPT

To deny access to the world (again this should be the last rule in the chain):
iptables -I INPUT -p tcp -m tcp -s 0.0.0.0/0 –dport 22 -j DROP

To determine rule order:
iptables -L INPUT -n –line-numbers

To drop a rule based on the line number acquired above:
iptables -D INPUT <>

APF Firewall — Removing Deny

Posted by & filed under APF, Firewalls, Server Admin.

Sometimes for some reason the APF is tripped, thinking the server is being hammered, when its actually not. The following command removes it from the list immediately:

/etc/apf/apf -u 10.10.10.10