Odd csf entries by DA in csf.allow on all servers?

Richard G

I was just looking at my csf.allow file. We did not integrate CSF with DA but use our own scripts.

Now suddenly we found these entries:
Code:
tcp|out|u=0 # Added by DirectAdmin - Wed Dec  8 20:32:44 2021
udp|out|u=0 # Added by DirectAdmin - Wed Dec  8 20:32:44 2021

Our other servers have this on December 9th.

What is this and why???
 
Good question. I found these entries as well:

tcp|out|u=0 # Added by DirectAdmin - Mon Dec 20 19:08:52 2021
udp|out|u=0 # Added by DirectAdmin - Mon Dec 20 19:08:52 2021
 
Yeah, and that is odd, right? Especially because the csf.allow file should only contain IPs and not even domain names, so certainly no codes like this.
Good to see I'm not the only one with this, maybe it's some kind of bug in the integration.
 
I find it odd as well, yes. According to chapter 10 of https://download.configserver.com/csf/readme.txt this would mean:

u/g=UID : EITHER UID or GID of source packet, implies outgoing connections,
s/d=IP value is ignored

Allow outgoing TCP and UDP connections where the UID of the source package is equal to zero. It's unclear to me what the purpose of this could be but I think this might be because I'm not too much into networking.
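
For anyone who wants to check their own csf.allow for this kind of entry instead of eyeballing it, here is a small added example (not code from the thread, DirectAdmin or CSF). It parses both forms the file accepts, plain IPs/CIDRs and the advanced `proto|direction|key=value` rules described in chapter 10 of the readme, and flags rules that allow traffic by owner (`u=`/`g=`) with no port limit. The sample file content is constructed for the example; the addresses in it are documentation ranges.

```python
"""Audit a csf.allow file for uid/gid-based allow rules (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample csf.allow content: plain IP entries, port-scoped
# advanced rules, and the two "u=0" lines discussed in the thread.
SAMPLE_CSF_ALLOW = """\
# csf.allow: plain IPs/CIDRs or advanced rules proto|dir|key=value|...
203.0.113.10 # admin workstation (sample address)
198.51.100.0/24 # office range (sample range)
tcp|in|d=2222|s=203.0.113.10 # DA on custom port, only from admin IP
tcp|out|d=22|d=198.51.100.7 # SSH to one remote host (sample)
tcp|out|u=0 # Added by DirectAdmin - Wed Dec  8 20:32:44 2021
udp|out|u=0 # Added by DirectAdmin - Wed Dec  8 20:32:44 2021
"""


@dataclass
class AllowEntry:
    raw: str
    comment: str
    kind: str                       # "ip" (bare address/CIDR) or "rule"
    proto: str = ""
    direction: str = ""
    ports: List[str] = field(default_factory=list)   # s=/d= port values
    addrs: List[str] = field(default_factory=list)   # s=/d= address values
    uid: Optional[str] = None       # u=UID: owner of the source packet
    gid: Optional[str] = None       # g=GID: group of the source packet


def _looks_like_address(value: str) -> bool:
    """True for an IPv4/IPv6 address or CIDR; port specs ('2222', '30000:35000') fail."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def parse_line(line: str) -> Optional[AllowEntry]:
    """Parse one csf.allow line; returns None for blank or comment-only lines."""
    body, _, comment = line.partition("#")
    body = body.strip()
    if not body:
        return None
    if "|" not in body:
        return AllowEntry(raw=body, comment=comment.strip(), kind="ip", addrs=[body])
    fields = body.split("|")
    if len(fields) < 3:
        raise ValueError(f"malformed advanced rule: {body!r}")
    entry = AllowEntry(raw=body, comment=comment.strip(), kind="rule",
                       proto=fields[0].strip().lower(),
                       direction=fields[1].strip().lower())
    for item in fields[2:]:
        key, _, value = item.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ("s", "d"):
            # CSF uses s=/d= for both ports and addresses; tell them apart by shape
            (entry.addrs if _looks_like_address(value) else entry.ports).append(value)
        elif key == "u":
            entry.uid = value
        elif key == "g":
            entry.gid = value
        else:
            raise ValueError(f"unknown field {item!r} in {body!r}")
    return entry


def audit(text: str) -> List[dict]:
    """Return findings for rules that allow traffic by owner without any port limit."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None or entry.kind != "rule":
            continue
        if (entry.uid is not None or entry.gid is not None) and not entry.ports:
            owner = f"uid {entry.uid}" if entry.uid is not None else f"gid {entry.gid}"
            findings.append({
                "line": number,
                "raw": entry.raw,
                "severity": "high" if entry.uid == "0" else "medium",
                "reason": f"{entry.direction} {entry.proto} allowed for {owner} on any port, "
                          f"regardless of the configured outbound port list",
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CSF_ALLOW):
        print(f"line {finding['line']:>3} [{finding['severity']}] "
              f"{finding['raw']}: {finding['reason']}")
```

Run it against a copy of /etc/csf/csf.allow (read the file and pass its contents to `audit`) and it reports the two DirectAdmin lines; a port-scoped rule such as `tcp|out|d=2222` passes the check because the allow is limited to one destination port.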
 
If uid is short for user ID, it's root, yep. Then it would (and that fits what I further found) allow any outgoing traffic from the root user. That doesn't sound like something that should happen; it should be replaced by a concrete whitelist. Otherwise it would be good for hiding malicious traffic from being blocked by the firewall or logged in the logs.
 
Hmmz... I don't know if it is wise to have it in there then. I'm going to remove those lines, or rather comment them out. If I want root to be able to do things, I will open the port for it.
I would rather see malicious traffic in the logs, even if it's from root.

IMHO this kind of sudden interference with firewall settings should be announced. Especially if you're not using the integrated CSF option, like me.
 
Same here, I have never whitelisted by packages/services or users. I only whitelist by port and IP addresses.
 
Seeing these on my servers as well. I can't see any reason why these would be needed. This should probably be reversed (i.e. removed if existing) by a future update unless there's an extremely good reason for them to be there. If there is, that reason should be in the comment behind them.
 
Hmmz... uid of 0 is root. Maybe it's to allow root traffic to go through always. Not sure. Maybe @smtalk can explain this a bit.
If someone gained root access to the server, they could open whatever ports they want, can't they? :) What's the protection there?
 
What's the protection there?
Well, if it's only a script or some malicious code with somewhat limited root rights and they don't have real root access...

Anyway, can you explain why it is put in there? Is it indeed to allow root all access through the firewall?
 
If someone gained root access to the server, they could open whatever ports they want, can't they?
Sure, but I think if the attacker isn't instantly aware of that problem, it will be blocked once and thus logged. If the logs are kept on write once, read many (WORM) storage, it will sooner or later trigger someone.
 
Same problem here, why don't we get an answer? @smtalk ?
Should we delete it or leave it?
tcp|out|u=0 # Added by DirectAdmin - Mon Nov 29 19:10:17 2021
udp|out|u=0 # Added by DirectAdmin - Mon Nov 29 19:10:17 2021
 
Same problem here, why don't we get an answer? @smtalk ?
Should we delete it or leave it?
tcp|out|u=0 # Added by DirectAdmin - Mon Nov 29 19:10:17 2021
udp|out|u=0 # Added by DirectAdmin - Mon Nov 29 19:10:17 2021
It is only outbound, not inbound, connections from root :) I’d say it’s totally safe to have these lines there.
 
Maybe the new licensing system introduced in the last few versions?
The license sessions system enforces one active session per license. DA will throw errors if you try to run 2 at the same time with the same LK Hash.
So that DA always has an open connection to the licensing servers?
 
It must've been added for a reason, right? Would be great to know it.
Inability to connect to remote FTP servers with the passive ports, inability to SSH to remote servers using custom ports, inability to connect to DA instances using a custom (non-2222) port and similar things :)
 
Inability of some people to just configure the correct ports to use these things so this becomes necessary. :)
Anyway, thanks for the explanation, that makes things clear.

However, maybe next time it's nice to be informed about sudden firewall changes.
Totally agree with this!
 
Huh, besides these, I see a whitelisted IP address entered by DA back in November of last year too.

Code:
tcp|out|u=0 # Added by DirectAdmin - Sun Dec  5 07:43:02 2021
udp|out|u=0 # Added by DirectAdmin - Sun Dec  5 07:43:02 2021
 