Koozali.org: home of the SME Server

[SOLVED] Would this code disable/drop ICMP requests on WAN?

Offline Lum-chan

[SOLVED] Would this code disable/drop ICMP requests on WAN?
« on: December 14, 2007, 06:31:43 PM »
I searched the forums but couldn't find a clear solution. The only thing I found was the code below. It was meant for SME 5.2 iirc but I don't know if it will b0rk my fresh SME 7.2 install.

After installing a fresh copy of SME 7.2 and swapping eth0 to WAN instead of LAN and installing the SME-Fetchmail contrib from smeserver-fetchmail-1.3.5-01.noarch.rpm I have some ports open. I double checked the setting for Private Server & Gateway. The only thing which could mess this up is the swap of ETH0/ETH1.

a) The install responds to ICMP requests
b) port 25, 80, 443 and 465 are all fully opened
c) port 113 is closed

Results come from grc.com

Ok, now I can add forwards to a nonexistent local IP for these ports on TCP/UDP, but that's not a neat solution, though it will do the trick. Maybe there's a better solution? I couldn't find it when searching, or I have overlooked it (sorry).

The ICMP request could be blocked/dropped with the code listed below, but it's meant for 5.2. Will this work for 7.2?

Code:
From console:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cp /etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowICMPIn /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn
pico /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn

[Remove the line that says "echo-request" and "echo-reply"]
[Save]

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/rc.d/init.d/masq restart


Hope this helped,
Nathan

I hope I can use these without any hassle and have my machine stealthier.

I had the same problem when using a fresh install of SME 6.01 but only port 465 didn't show up on grc.com
If you need more info, I'll gladly provide these.

Thanks in advance.

[update]
Ok, I searched a little further and found these three lines somewhere around here.

Code:
/sbin/e-smith/db configuration setprop masq Stealth yes
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
service masq restart

These safely disable ICMP (echo) on the WAN interface.
It looks like a sort of hack but does the trick nicely.

 - Then I swapped eth0 to internal and eth1 to external.
 - Did a reboot
 - Swapped back eth0 to external and eth1 to internal.
 - Applied these 3 lines again just to be sure
 - Then I removed the portforwarding for port 25, 80, 113, 443 and 465
 - Did a full service port scan and the result was a fully stealthed system. Only ports forwarded to internal machines worked as they should.

Thought I'd share this with you all.
« Last Edit: December 16, 2007, 12:03:28 PM by Lum-chan »
Lum-chan

Offline Lum-chan

Re: [Reopened] Would this code disable/drop ICMP requests on WAN?
« Reply #1 on: August 15, 2008, 03:04:47 AM »
Well, just reinstalled SME 7.3 on the same box.
All is left on default settings.
Installed Fetchmail from the Contribs section and followed all the information provided. No swapping for ETH1(WAN) to ETH0(WAN), just default and selected Private Server and Gateway mode.

SME is fully updated with all available updates up to today 08/15/2008 via the server-manager/yum.

I ran the earlier mentioned lines of code (masq stealth yes) again, but those ports stay open/closed, not stealthed. Even a new port has been opened: 465.
After adding portforwarding for TCP and UDP to 192.168.1.254 (which is non-existent in my local LAN) the ports stay open according to GRC.COM. I cannot fix this. The box isn't answering ping on ETH1(WAN), so that part is working.

Any suggestion is very welcome to get these ports closed/stealthed: 25, 80, 113, 443, 465. Port 113 is closed and the others are open.
Other firewall tests say all common ports are invisible/stealthed. What can be the problem? Is GRC.COM not as good as it used to be? Every test is different: one of the above mentioned ports is open in one test and closed/stealthed in the next, and vice versa. Quite unreliable results imho.

I posted the above as a bug in the tracker
« Last Edit: August 15, 2008, 03:42:52 AM by Lum-chan »

Offline janet

Re: [Reopened] Would this code disable/drop ICMP requests on WAN?
« Reply #2 on: August 15, 2008, 03:54:11 AM »
Lum-chan

Quote
Any suggestion is very welcome to get these ports closed/stealthed: 25, 80, 113, 443, 465. Port 113 is closed and the others are open.

Disable services associated with those ports or set access=private for those services, using db commands. If you disable the service then the system will automatically close associated ports.

eg
config show |more

for required services change the access=public setting to private


Quote
I posted the above as a bug in the tracker

Please quote the bug number here for future reference.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Lum-chan

Re: [SOLVED] Would this code disable/drop ICMP requests on WAN?
« Reply #3 on: August 15, 2008, 04:13:52 PM »
Bug reference number 4505

I have deinstalled all contribs except the SysMon contrib.
After disabling all mail services from the Server-manager and reconfiguring/rebooting the server, all those ports remain open.
I'll try your suggestions after I have received more info on this bug in the tracker.
Currently no mail available locally :( Ah, there's always still the webmail function @ ISP for the time being.

Fetchmail-utf8 contrib is only used on the local network. Not accessible/disabled from the wan (ETH1)

config show |more -> gives all mentioned ports as access=public even with all services disabled, should be access=private, odd...
Server is in private gateway/server mode.

What is the correct syntax for changing the db entries for these ports?

I'll keep you posted
« Last Edit: August 15, 2008, 04:16:40 PM by Lum-chan »

Offline janet

Re: [SOLVED] Would this code disable/drop ICMP requests on WAN?
« Reply #4 on: August 16, 2008, 12:58:00 AM »
Lum-chan

Quote
config show |more -> gives all mentioned ports as access=public even with all services disabled, should be access=private, odd...
Server is in private gateway/server mode.
What is the correct syntax for changing the db entries for these ports?

to see usage syntax at the command prompt type

db

to do what you want try (replace servicename of course) for each service in question

db configuration setprop servicename access private
signal-event post-upgrade
reboot
« Last Edit: August 16, 2008, 08:21:23 AM by mary »

Offline Lum-chan

Re: [RESOLVING] Would this code disable/drop ICMP requests on WAN?
« Reply #5 on: August 16, 2008, 03:42:12 AM »
Thanks mary,

I wrote this script together with all the info I could find. Maybe a bit overdone, but should this do the complete trick?

Code:
/sbin/e-smith/db configuration setprop masq Stealth yes
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/sbin/e-smith/service masq restart
/sbin/e-smith/signal-event remoteaccess-update

/sbin/e-smith/db configuration setprop ftp access private
/sbin/e-smith/db configuration setprop smtpd access private
/sbin/e-smith/db configuration setprop dnscache access private
/sbin/e-smith/db configuration setprop httpd-e-smith access private
/sbin/e-smith/db configuration setprop oidentd access private
/sbin/e-smith/db configuration setprop modSSL access private
/sbin/e-smith/db configuration setprop ssmtpd access private
/sbin/e-smith/db configuration setprop sshd access private
/sbin/e-smith/db configuration setprop imaps access private
/sbin/e-smith/db configuration setprop ldap access private
/sbin/e-smith/db configuration setprop pop3 access private
/sbin/e-smith/db configuration setprop pop3s access private
/sbin/e-smith/db configuration setprop nmbd access private
/sbin/e-smith/db configuration setprop smbd access private

/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot

[edit]
I just ran this script on my SME box and found no errors. After the intended reboot I went to GRC.COM and ran the full test on 1054 ports. All ports are stealthed except for port 113, which is closed but not stealthed.
Seems like this service is disabled?

Code:
[root@gateway ~]# config show oidentd
oidentd=service
    TCPPort=113
    access=private
    status=disabled
Code:
service oidentd status
down: /service/oidentd: 1222s; run: log: (pid 2428) 1220s

I added a portforward for 113 to 192.168.1.254 which is not in use. Restarted the test on GRC.COM and now it's stealthed. It will work but it's not a neat way to work around this 'problem'.

Did some searching and found this:
Code:
         /sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 113 \
         --destination $OUTERNET \
        --jump REJECT \
        --reject-with tcp-reset

As far as I can see this was posted in 2007 and would apply to SME 7.1 or SME 7.2, but would this apply to SME 7.3 as well? I haven't tried this because I'm afraid to break the box on this part. If this applies to SME 7.3, would this close port 113 and make it stealth? As it looks to me it's reject-ing but not drop-ping the incoming request. Or am I making a thinking error?

Anyone any idea on how to solve this in a safe 'SME-correct' way?
« Last Edit: August 16, 2008, 04:42:06 AM by Lum-chan »
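An added example, not code from the thread or from SME Server itself: a small audit of "config show" output that lists the services which are both enabled and access=public (so visible on the WAN) and emits the matching "db configuration setprop ... access private" command for each, which is the check behind the script above. The record layout (key=type, then indented prop=value lines) follows the "config show oidentd" output quoted above; the sample text is constructed.

```python
# Added example, not from the thread: audit "config show" output for services
# that are enabled and access=public (reachable from the WAN), and emit the
# "db configuration setprop ... access private" command for each. The record
# layout (key=type, then indented prop=value lines) follows the config show
# oidentd output quoted in the thread; the sample text itself is constructed.

SAMPLE_CONFIG_SHOW = """\
httpd-e-smith=service
    TCPPort=80
    access=public
    status=enabled
oidentd=service
    TCPPort=113
    access=private
    status=disabled
smtpd=service
    TCPPort=25
    access=public
    status=enabled
masq=service
    Stealth=yes
    status=enabled
"""

def parse_config_show(text):
    """Return {key: {"type": ..., prop: value, ...}} from config show output."""
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            name, _, value = line.strip().partition("=")   # indented: a property
            records[current][name] = value
        else:
            current, _, rtype = line.partition("=")         # new record: key=type
            records[current] = {"type": rtype}
    return records

def exposed_services(records):
    """Services that are enabled and public, i.e. open on the WAN interface."""
    return sorted(k for k, p in records.items()
                  if p.get("type") == "service"
                  and p.get("status") == "enabled"
                  and p.get("access") == "public")

def setprop_commands(services):
    """One db command per exposed service; post-upgrade and reboot still follow."""
    return ["/sbin/e-smith/db configuration setprop %s access private" % s
            for s in services]
```

Feed it the real output with `config show` saved to a file, then run the printed commands followed by `signal-event post-upgrade` and `reboot` as described earlier in the thread.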

Offline janet

Re: [RESOLVING] Would this code disable/drop ICMP requests on WAN?
« Reply #6 on: August 16, 2008, 05:27:15 AM »
Lum-chan

Quote
Anyone any idea on how to solve this in a safe 'SME-correct' way?

Look at the masq template fragments in

/etc/e-smith/templates/etc/rc.d/init.d/masq/...

Find the fragment you want to change and copy it to
/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/...

Make the required changes to the custom template fragment
then (not the original fragment)
expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart

See Developers guide for more info re custom templates etc

http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual

http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual#Configuration_file_templates

http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual#Managing_the_firewall

Offline Lum-chan

Re: [SOLVED] Would this code disable/drop ICMP requests on WAN?
« Reply #7 on: August 16, 2008, 12:00:52 PM »
I have followed your instructions and made the needed directories for the masq section. Copied the (hopefully) correct template but now I'm stuck:

This is the copied fragment in /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
fragment name is 90InboundTCP05RejectIDENT
Code:
{
    return "" if $oidentd{status} eq "enabled";

    return <<'END_REJECT_IDENT';

     /sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 113 \
         --destination $OUTERNET \
        --jump REJECT \
        --reject-with tcp-reset

END_REJECT_IDENT
}


As I'm a bit of a noob in this material I was looking through the documentation pointed to.
If I change it to this below, should this work when I'm regenerating the templates?
Code:
{
    return "" if $oidentd{status} eq "enabled";

    return <<'END_REJECT_IDENT';

     /sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 113 \
         --destination $OUTERNET \
        --jump denylog \
        --drop-with tcp-reset

END_REJECT_IDENT
}

I've kept the fragment name the same to prevent duplicates which might conflict with each other.
Am I on the good way or am I making a mess out of it?

Offline arne

Re: [SOLVED] Would this code disable/drop ICMP requests on WAN?
« Reply #8 on: August 16, 2008, 01:01:36 PM »
But SME server has three setup modes, "server only", "gateway" and "private server and gateway". The last option will close all ports for external access. Don't know if it will stop answering to ping, but that should eventually be only one additional line with iptables. It should be just to log on to shell or console as admin and reconfigure as "private server and gateway", and then do a new test with the external scanner. ??

See the last screen shot: http://news.softpedia.com/news/Installing-SME-Server-7-2-60923.shtml
« Last Edit: August 16, 2008, 01:10:47 PM by arne »
......

Offline Lum-chan

Re: [SOLVED] Would this code disable/drop ICMP requests on WAN?
« Reply #9 on: August 16, 2008, 01:30:21 PM »
During setup I have chosen the private one. I have raised a bug @ bugzilla with lots of info. It seems more people have the same problem.
Bug reference number 4505 -> http://bugs.contribs.org/show_bug.cgi?id=4505

Even a fresh install in Server/gateway Private mode and dedicated will open ports for 25, 80, 113, 443 and 465.
At that point no contribs are installed at all.
« Last Edit: August 16, 2008, 01:45:22 PM by Lum-chan »

Offline arne

Re: [SOLVED] Would this code disable/drop ICMP requests on WAN?
« Reply #10 on: August 16, 2008, 02:47:04 PM »
OK. I see.

Because of old (insecure), but still usable php applications, etc, I don't like to have port 80/443 open myself, and I like to have full control of which service is open to which source IP.

Once I used to flush out the existing sme firewall and replace it with a new one, but this procedure was not much popular in this forum. (But it worked quite well.)

The way that I do it now, without any technical problems, or negative feedback :) , is to run a virtual installation of the SME server, and then a virtual smoothwall gateway on a Centos64/Vmware host system. This works very well. No bugs, no problems and the full control.
« Last Edit: August 16, 2008, 02:49:23 PM by arne »

Offline CharlieBrady

Re: [SOLVED] Would this code disable/drop ICMP requests on WAN?
« Reply #11 on: August 16, 2008, 05:14:29 PM »
But SME server has three setup modes, "server only", "gateway" and "private server and gateway". The last option will close all ports for external access.

No, that is not true. The last option will leave http/https/smtp/smtps set to public access (as they are used by a "server' on the Internet). From the command line they can be changed from public to private, if you do not wish to have these 'server' functions visible on the Internet.