CSF does not block ports that are not listed in tcp_in in csf.conf, sshd targeted on blocked ports with user root nonetheless

E

Erik66

Verified User
Joined
Sep 21, 2016
Messages
28
Location
Zwolle, The Netherlnads
Hello, I have a mixed issue here. I have a DA 1.6.server with ssh on port 1xxxx set in csf.conf and CSF set to listen only on a number of ports < 10000 with port 1xxxx added as addiotnional portnumer to listen on. Also, root login has been disabled in sshd_config with 'PermitRootLogin no' and user root is not listed with AllowUsers. I thought I'd made not possible to login using SSH on ports > 1xxxx and with user root in general.

Yet, I do get thousands of listings daily in BFM with similar info:

"Jan 9 15:52:54 s03 sshd[9501]: Failed password for invalid user root from xxx.xxx.xxx.xxx port 54336 ssh2"

where the IP address is all over the place an d not in my allowed ip's list.

I don't get it. I should not see those alerts at all as I have set CSF to block anythin on ports > 10000, SSHD is set to listen on ip 1xxxx only. What causes SSHD to listen to seemingly random port numbers and why are these not blocked by CSF / iptables ?

Many thanks in advance for suggestions.

Erik
 
show your ipv4 ports screenshot from CSF config, maybe there are syntax error
 
I checked the config, there are no syntax errors there as far as I can see:
Schermafbeelding 2021-01-09 om 17.11.36.png
 
Did you change the port you wanted it to be 1XXXX in /etc/ssh/sshd_config? i think you did.
Did you harden your sshd_config?
So you have something like
Port 22
Port 1XXXXX
in sshd_config?

What causes ssh to listen
www.ssh.com

sshd_config - How to Configure the OpenSSH Server?

sshd_config is the OpenSSH server configuration file. How to configure and troubleshoot. Avoid getting accidentally locked out of the remote server.
www.ssh.com www.ssh.com
ListenAddress

Specifies the local addresses sshd should listen on. The following forms are allowed:

Code: 
ListenAddress host|IPv4_addr|IPv6_addr

ListenAddress host|IPv4_addr:port

ListenAddress [host|IPv6_addr]:port
 
bdacus01 said:
Did you change the port you wanted it to be 1XXXX in /etc/ssh/sshd_config? i think you did.
Did you harden your sshd_config?
So you have something like
Port 22
Port 1XXXXX
in sshd_config?

What causes ssh to listen
www.ssh.com

sshd_config - How to Configure the OpenSSH Server?

sshd_config is the OpenSSH server configuration file. How to configure and troubleshoot. Avoid getting accidentally locked out of the remote server.
www.ssh.com www.ssh.com
ListenAddress

Specifies the local addresses sshd should listen on. The following forms are allowed:

Code: 
ListenAddress host|IPv4_addr|IPv6_addr

ListenAddress host|IPv4_addr:port

ListenAddress [host|IPv6_addr]:port
Click to expand...

Thanks Brent, the IP address is already set in /etc/ssh/sshd_config as you describe, but I had not specified a ListenAddress yet. I'll set it and report back.
 
bdacus01 said:
Note I wouldn't open 3306 like that your are asking for trouble.

do something like this in /etc/csf/csf.allow
Code: 
tcp|out|d=3306|s=ip
tcp|in|d=3306|s=ip

www.knownhost.com

How To Allow An IP to Access A Closed Port - KnownHost

Need to allow access for specific IP address? In this guide we will show you how to manage IP addresses on your KnownHost server.
www.knownhost.com www.knownhost.com
Click to expand...
Thanks and you're right Brent, but I can't live without access to port 3306 on this server, unfortunately. And as DA has a nice way of granting access to port 3306 based on IP addresses only, sofar this has kept me out of problems.
 
You must log in or register to reply here.
Back
Top