On 2/13/23 at 3:16 PM, Simon Matter wrote:
Hi Yassine,
Isn't it possible that all the requests you see are coming in over the
already established TCP connection? I guess only new connections will then
be blocked.
Thank you Simon for your answer.
It could have been, yes.
Apache logs show that the IP stopped trying at 09:57,
but tried again at 14:11.
This is really weird.
Check the grep output below:
[code]
root@messagerie-principale[10.10.10.19] ~ # for file in /var/log/apache2/*; do
grep -H 162.241.181.215 $file | tail -1; done
---> /var/log/apache2/mail.radioalgerie.dz.access.1:162.241.181.215 - - [13/Feb/2023:09:57:05 +0100] "GET
/wp-login.php.bak HTTP/1.1" 404 5082 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/41.0.2224.3 Safari/537.36" <---
/var/log/apache2/mail.radioalgerie.dz.error.1:[Mon Feb 13 08:55:12.770692 2023]
[:error] [pid 1508] [client 162.241.181.215:36254] script
'/var/www/roundcubemail-1.2.4/login.php' not found or unable to stat
---> /var/log/apache2/roundcube.access.1:162.241.181.215 - - [13/Feb/2023:14:11:11 +0100] "GET
/jwt/private.pem HTTP/1.1" 301 580 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" <---
/var/log/apache2/roundcube.error.1:[Mon Feb 13 08:56:03.854510 2023] [:error]
[pid 1513] [client 162.241.181.215:45126] script
'/var/www/roundcubemail-1.2.4/login.php' not found or unable to stat
root@messagerie-principale[10.10.10.19] ~ #
[/code]
I remember that I once used this tool
https://directory.fsf.org/wiki/Cutter to terminate established connections
in such a situation.
Great! Another tool to add to my toolbox, this is really useful.
Thanks a lot!
By the way, the dynamic chain stats for the particular IP have significantly augmented
since yesterday, so it seems the ban is in place:
[code]
root@messagerie-principale[10.10.10.19] ~ # shorewall show dynamic | tail
0 0 logdrop all -- * * 212.227.15.0/24 0.0.0.0/0
0 0 reject all -- * * 104.168.34.178 0.0.0.0/0
0 0 reject all -- * * 104.168.34.177 0.0.0.0/0
11 660 reject all -- * * 105.102.42.31 0.0.0.0/0
20 1200 reject all -- * * 105.96.195.57 0.0.0.0/0
0 0 reject all -- * * 41.108.14.140 0.0.0.0/0
# * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * #
# 4223 253K logdrop all -- * * 162.241.181.215 0.0.0.0/0
#
# * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * #
1037 62220 reject all -- * * 91.103.252.239 0.0.0.0/0
181 10860 reject all -- * * 91.103.252.248 0.0.0.0/0
root@messagerie-principale[10.10.10.19] ~ #
[/code]
yesterday:
[code]
185 11100 logdrop all -- * * 162.241.181.215 0.0.0.0/0
[/code]
So the question only remains for the packet that got through at 14:11, nearly 4 hours after the ban.
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
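The check this thread is circling around, as an added example that is not part of the original messages: parse Apache access and error log entries for the banned IP and list those stamped after the ban took effect, with the delay since the ban. The ban time is an assumed value (the thread gives no exact time), the sample lines are constructed from the quoted grep output with the wrapped lines rejoined, and error-log stamps are taken to be in the same +0100 zone as the access log.

```python
"""List requests from a banned IP that were logged after the ban took effect."""
import re
from datetime import datetime, timedelta, timezone

# Optional "filename:" prefix, as produced by `grep -H`, then the log entry itself.
ACCESS_RE = re.compile(r'^(?:\S+?:)?(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
ERROR_RE = re.compile(r'^(?:\S+?:)?\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid \d+\] '
                      r'\[client (?P<ip>[\d.]+):(?P<port>\d+)\]')

TZ = timezone(timedelta(hours=1))                    # server zone, matches +0100 in the access log
BANNED_IP = "162.241.181.215"
BAN_TIME = datetime(2023, 2, 13, 10, 15, tzinfo=TZ)  # assumed: the thread gives no exact ban time

SAMPLE_LOG = [  # constructed from the quoted grep output (wrapped lines rejoined, UA shortened)
    '/var/log/apache2/mail.radioalgerie.dz.access.1:162.241.181.215 - - [13/Feb/2023:09:57:05 +0100] "GET /wp-login.php.bak HTTP/1.1" 404 5082 "-" "Mozilla/5.0"',
    "/var/log/apache2/mail.radioalgerie.dz.error.1:[Mon Feb 13 08:55:12.770692 2023] [:error] [pid 1508] [client 162.241.181.215:36254] script '/var/www/roundcubemail-1.2.4/login.php' not found or unable to stat",
    '/var/log/apache2/roundcube.access.1:162.241.181.215 - - [13/Feb/2023:14:11:11 +0100] "GET /jwt/private.pem HTTP/1.1" 301 580 "-" "Mozilla/5.0"',
    '/var/log/apache2/other.access.1:10.10.10.5 - - [13/Feb/2023:15:00:00 +0100] "GET / HTTP/1.1" 200 12 "-" "curl"',
]


def parse_entry(line, local_tz):
    """Return (ip, timestamp, detail) for an access or error log line, else None."""
    m = ACCESS_RE.match(line)
    if m:
        return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["req"]
    m = ERROR_RE.match(line)
    if m:  # error-log stamps carry no zone, so attach the server's local zone
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y").replace(tzinfo=local_tz)
        return m["ip"], ts, "client port " + m["port"]
    return None


def hits_after_ban(lines, ip, ban_time, local_tz=TZ):
    """Entries from `ip` stamped after `ban_time`, oldest first, with the delay since the ban."""
    hits = []
    for line in lines:
        entry = parse_entry(line, local_tz)
        if entry and entry[0] == ip and entry[1] > ban_time:
            hits.append((entry[1], entry[2], entry[1] - ban_time))
    return sorted(hits)


if __name__ == "__main__":
    for ts, detail, delay in hits_after_ban(SAMPLE_LOG, BANNED_IP, BAN_TIME):
        print(f"{ts:%Y-%m-%d %H:%M:%S} (+{delay} after ban): {detail}")
```

Run against real files with `hits_after_ban(open(path).read().splitlines(), ...)`; a hit whose source port (from the error log) also appears in `ss -tn` or the conntrack table as an established connection is the case Simon describes, where a drop rule matched only on new connections lets the existing one continue.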