IPFW Trying to block a range of IPs

I am running IPFW on my FreeBSD 8.4 server. I have noticed an unusual amount of activity against hosted web pages from an IP range in China. I suspect they are probing for weakness, so I want to block their access.

ipfw show provides the following and shows some success with rule 00005, but a couple of the IPs get through. The truth of the matter is I cannot remember why I have rules 00060 and 00070. They seem kind of open. I am sure I am messing something simple up.

Code:
00005     258     16499 deny ip from 123.125.0.0/16 to any
00006       0         0 deny tcp from 123.125.0.0/16 to any
00010   70227 164631174 allow ip from any to any via lo0
00015       0         0 allow ip from any to any via tap0
00025       0         0 allow ip from any to 10.8.0.0/24 keep-state
00027       0         0 allow ip from 10.8.0.0/24 to any keep-state
00030       0         0 allow ip from any to 10.8.0.0/24 keep-state
00031       0         0 allow ip from 10.8.0.0/24 to any keep-state
00040       0         0 deny tcp from any to any frag
00041       0         0 deny ip from 221.192.199.49 to any
00042       0         0 deny ip from 81.196.166.90 to any
00043       0         0 deny ip from 61.160.215.160 to any
00044       0         0 deny udp from 123.125.0.0/16 to any
00050       0         0 check-state
00060 1068026 758906217 allow tcp from any to any established
00070   77243  14528669 allow ip from any to any out keep-state
00080     283     28346 allow icmp from any to any
00100   21228   1193978 allow log tcp from any to me dst-port 21 in setup keep-state
00105       0         0 allow log tcp from me 20,21 to any out keep-state
00110       0         0 allow log tcp from any to any dst-port 21 in
00120       0         0 allow log tcp from any to any dst-port 21 out
00130     253     14820 allow tcp from any to any dst-port 22 in
00140       0         0 allow tcp from any to any dst-port 22 out
00150   10638   3570756 allow log tcp from any to any dst-port 25 in keep-state
00160       0         0 allow log tcp from any to any dst-port 25 out keep-state
00170    2894    212704 allow udp from any to any dst-port 53 in
00175       1        40 allow tcp from any to any dst-port 53 in
00180       0         0 allow udp from any to any dst-port 53 out
00185       0         0 allow tcp from any to any dst-port 53 out
00190    6101    362356 allow tcp from any to any dst-port 80 in
00192       0         0 allow tcp from any to any dst-port 8010 in
00193       0         0 allow tcp from any to any dst-port 8010 out
00195       0         0 allow tcp from any to any dst-port 80 out
00196       0         0 allow tcp from any to any dst-port 81 in
00197       0         0 allow tcp from any to any dst-port 81 out
00198       0         0 allow udp from any to any dst-port 81 in
00199       0         0 allow udp from any to any dst-port 81 out
00200      42      2428 allow tcp from any to any dst-port 110 in
00201       0         0 allow tcp from any to any dst-port 110 out
00205       9       462 deny udp from any to any dst-port 123 in
00206       0         0 deny udp from any to any dst-port 123 out
00211   19968   1557720 allow udp from any to any dst-port 137 in
00212       0         0 allow tcp from any to any dst-port 137 in
00213       0         0 allow udp from any to any dst-port 137 out
00214       0         0 allow tcp from any to any dst-port 137 out
00215    2953    652781 allow udp from any to any dst-port 138 in
00216       0         0 allow tcp from any to any dst-port 138 in
00217       0         0 allow udp from any to any dst-port 138 out
00218       0         0 allow tcp from any to any dst-port 138 out
00223       0         0 allow udp from any to any dst-port 139 in
00224       0         0 allow udp from any to any dst-port 139 out
00225       1        48 allow tcp from any to any dst-port 139 in
00226       0         0 allow tcp from any to any dst-port 139 out
00227      24      1268 allow tcp from any to any dst-port 443 in
00228       0         0 allow tcp from any to any dst-port 443 out
00237       0         0 allow tcp from any to any dst-port 445 in
00238       0         0 allow tcp from any to any dst-port 445 out
00239       0         0 allow udp from any to any dst-port 445 in
00240       0         0 allow udp from any to any dst-port 445 out
00241     206     11708 allow ip from any to any dst-port 465 in
00242       0         0 allow ip from any to any dst-port 465 out
00243       0         0 allow ip from any to any dst-port 554 in
00244       0         0 allow ip from any to any dst-port 554 out
00246     275     14420 allow ip from any to any dst-port 587 in
00247       0         0 allow ip from any to any dst-port 587 out
00250     418     26012 allow tcp from any to any dst-port 993 in
00251       0         0 allow tcp from any to any dst-port 993 out
00260    1146     73344 allow tcp from any to any dst-port 995 in
00261       0         0 allow tcp from any to any dst-port 995 out
00270       0         0 allow ip from any to any dst-port 1194 setup
00271       0         0 allow udp from any to me dst-port 1194
00280       0         0 allow tcp from any to any dst-port 1220 in
00285       0         0 allow tcp from any to any dst-port 1220 out
00300     951     42308 allow tcp from any to any dst-port 2500 in
00301       0         0 allow tcp from any to any dst-port 2500 out
00320       5       200 allow tcp from any to any dst-port 3128 in
00322       0         0 allow tcp from any to any dst-port 3218 out
00350    1338     84454 allow tcp from any to any dst-port 3306 in keep-state
00356       0         0 allow tcp from any to any dst-port 3306 out keep-state
00370       0         0 allow ip from any to any dst-port 7070 in
00371       0         0 allow ip from any to any dst-port 7070 out
00380       0         0 allow tcp from any to any dst-port 9000 in
00381       0         0 allow tcp from any to any dst-port 9000 out
00400       0         0 allow tcp from 209.160.65.133 to any keep-state
00405       0         0 allow tcp from 209.160.68.112 to any keep-state
00410       0         0 allow udp from me to any keep-state
00500   75936  35319466 deny log ip from any to any
65535       0         0 deny ip from any to any
 
That's what I THOUGHT it was doing. I am just lost as to how IPs in the range in 05 and 06 are getting to port 80, as they are showing on my web stats.
 
> That's what I THOUGHT it was doing. I am just lost as to how IPs in the range in 05 and 06 are getting to port 80, as they are showing on my web stats.

Not long-running (i.e. already established) connections? You are saying a packet from 123.125.0.0/16 gets past ipfw? I'd restart the server process to make sure nothing is already established. Also, is the IP number listed in the HTTP access logs? Not a DNS-resolved name.

Why is the rule order for 5 & 6 ip then tcp... cause shouldn't ip take all packets (udp/tcp/etc.), i.e. rule 6 will never be matched?
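As an added example (not code from the thread), the following Python model reproduces ipfw's first-match evaluation over a handful of rules taken from the listing above (numbers 5, 6, 60, 190 and 500, reduced to the fields that matter here). The sample packets are constructed. It shows why rule 00006 can never count a packet, because 00005 already matches everything it would, and it also shows what goes wrong if a range deny is numbered above the `established` rule: any non-SYN segment from the range is then accepted before the deny is ever consulted.

```python
import ipaddress

# Added example, not from the thread: a cut-down model of ipfw first-match
# evaluation. Rules are (number, action, proto, source network, option),
# copied from the poster's listing and reduced to the fields that matter.
# ipfw walks rules in ascending number order and the first match decides.
RULES = [
    (5,   "deny",  "ip",  "123.125.0.0/16", None),
    (6,   "deny",  "tcp", "123.125.0.0/16", None),
    (60,  "allow", "tcp", "0.0.0.0/0",      "established"),
    (190, "allow", "tcp", "0.0.0.0/0",      "dst-port 80 in"),
    (500, "deny",  "ip",  "0.0.0.0/0",      None),
]

# Same rules, but with the two denies evaluated after the `established` rule.
# Models the mis-ordering risk; it is not the poster's actual configuration.
MISORDERED = [RULES[2], RULES[0], RULES[1], RULES[3], RULES[4]]

def rule_matches(rule, pkt):
    _num, _action, proto, src_net, opt = rule
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src_net):
        return False
    if opt == "established":
        # ipfw's `established` keyword matches TCP segments with ACK or RST set
        return bool(pkt["flags"] & {"A", "R"})
    if opt == "dst-port 80 in":
        # all constructed packets below are inbound, so only the port is checked
        return pkt["dport"] == 80
    return True

def first_match(rules, pkt):
    """Return (rule number, action) of the first matching rule, or the
    implicit default rule 65535 (deny) when nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0], rule[1]
    return 65535, "deny"

def count_hits(rules, packets):
    """Per-rule packet counters, the way the second column of `ipfw show`
    would grow if these packets arrived."""
    hits = {rule[0]: 0 for rule in rules}
    hits[65535] = 0
    for pkt in packets:
        num, _ = first_match(rules, pkt)
        hits[num] += 1
    return hits

# Constructed sample traffic. 198.51.100.7 is a documentation address standing
# in for a legitimate client; the 123.125.x.x sources mirror the thread's capture.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "123.125.71.45",  "dport": 80, "flags": {"S"}},  # SYN from the blocked range
    {"proto": "tcp", "src": "123.125.71.45",  "dport": 80, "flags": {"A"}},  # bare ACK from the blocked range
    {"proto": "udp", "src": "123.125.71.102", "dport": 53, "flags": set()},  # DNS query from the blocked range
    {"proto": "tcp", "src": "198.51.100.7",   "dport": 80, "flags": {"S"}},  # legitimate SYN
    {"proto": "tcp", "src": "198.51.100.7",   "dport": 80, "flags": {"A"}},  # legitimate mid-connection segment
]

if __name__ == "__main__":
    print("ordered:    ", count_hits(RULES, SAMPLE_PACKETS))
    print("misordered: ", count_hits(MISORDERED, SAMPLE_PACKETS))
```

With the rules in their posted order, the three packets from 123.125.0.0/16 all stop at rule 5 and rule 6 stays at zero, which matches the counters in the listing. In the misordered variant the bare ACK from the range is accepted by the `established` rule, so a range deny belongs below `check-state` and `established` only if that behaviour is intended.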
 
I reboot the server when I have changed the rules, which has been at least once a day, so I presume I would have broken the connections. Looking through the access logs, it gets a little strange. I see no access by this IP in 4 months. No access by the DNS-resolved name. Rule 6 came about in my perhaps misguided attempt to tighten down further on this range; I really wasn't sure if the firewall treated the protocol differently from the IP. The hits are reported by an external web tracking service called StatCounter.
 
It doesn't use the server logs; they use a JavaScript that I embed in the pages. Hm, it would appear that the problem is there. One of their reported hits uses the URL of one of my virtual hosts' name server and a page from another virtual host on my server... really strange.
 
Name-based virtual hosts use the same IP? Do you configure the scripts that pass stats to sort out the name-based sites? If it can be due to a typo or misconfiguration, you can maybe recursively grep (grep -r) to identify a page.
 
Well, IPFW should be blocking ALL traffic to my server from the blocked IPs, shouldn't it? In that case they should never get to the web page to execute the script. The script does differentiate between hosts. That is one of my concerns, as I see hits on quite a number of my hosts.
 
> Well, IPFW should be blocking ALL traffic to my server from the blocked IPs, shouldn't it?

That's the point... if you block those IP numbers with ipfw and log addresses with your web server, and those IP addresses don't show up in your web logs, how come the stats say they are getting through? Either the stat service is reporting IP numbers from prior history, or your scripts are reporting bad IP numbers to the stat service.

Search the web logs, if you have that turned on for the right domains, or to be extra sure you can tcpdump (or whatever tool) to see if something comes in from a bad source network in real time. Like:

tcpdump -n src net 123.125.0.0/16 and port 80

Let it run for a day and see if your web stats have those IP numbers but not the tcpdump output.
 
I started a tcpdump using tcpdump -n src net 123.125.0.0/16 and I got this in the first hour:
Code:
11:39:59.678822 IP 123.125.71.16.16802 > 209.160.65.133.80: Flags , seq 3071546671, win 14600, options [mss 1460,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 8], length 0
11:42:57.567220 IP 123.125.71.102.17909 > 209.160.65.133.53: 38840 A? ns1.camantonewfashion.com. (43)
11:43:02.532467 IP 123.125.71.76.34181 > 209.160.68.112.53: 18188 A? ns1.camantonewfashion.com. (43)
11:52:44.332495 IP 123.125.71.45.29306 > 209.160.68.112.80: Flags , seq 3146907890, win 14600, options [mss 1460,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 8], length 0
11:52:45.332408 IP 123.125.71.45.29306 > 209.160.68.112.80: Flags , seq 3146907890, win 14600, options [mss 1460,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 8], length 0
11:53:44.685184 IP 123.125.71.113.18577 > 209.160.65.133.53: 62132 A? bowmansair.com. (32)
11:53:49.716355 IP 123.125.71.113.18578 > 209.160.65.133.53: 37034 A? bowmansair.com. (32)
The one to port 80 did not show in http-access.
tcpdump -n src net 123.125.0.0/16 and port 80

results in

Code:
11:52:44.332495 IP 123.125.71.45.29306 > 209.160.68.112.80: Flags , seq 3146907890, win 14600, options [mss 1460,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 8], length 0
11:52:45.332408 IP 123.125.71.45.29306 > 209.160.68.112.80: Flags , seq 3146907890, win 14600, options [mss 1460,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 8], length 0
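The check proposed earlier in the thread (compare what tcpdump sees from the range with what the web server logs) can be scripted. This is an added example and not code from the thread: it parses the tcpdump lines posted above (with the long options list trimmed) and a constructed Apache combined-format access log, then flags SYNs that were re-sent with the same sequence number. One caveat worth knowing when reading such a capture: on FreeBSD, bpf hands packets to tcpdump as they arrive on the interface, before ipfw evaluates them on input, so a SYN appearing in the capture does not mean it passed rule 00005. A SYN repeated a second later with an identical sequence number and no corresponding access-log entry is exactly what a working deny looks like from the outside: the client got no SYN-ACK and retried.

```python
import ipaddress
import re
from collections import defaultdict

# Added example, not part of the thread. Cross-checks a tcpdump capture of
# traffic from the blocked range against the web server's access log.

BLOCKED_NET = ipaddress.ip_network("123.125.0.0/16")

# Lines as posted in the thread; the forum rendering dropped the bracketed
# flag letters after "Flags", and the long TCP options list is trimmed here.
TCPDUMP_LINES = [
    "11:39:59.678822 IP 123.125.71.16.16802 > 209.160.65.133.80: Flags , seq 3071546671, win 14600, length 0",
    "11:42:57.567220 IP 123.125.71.102.17909 > 209.160.65.133.53: 38840 A? ns1.camantonewfashion.com. (43)",
    "11:52:44.332495 IP 123.125.71.45.29306 > 209.160.68.112.80: Flags , seq 3146907890, win 14600, length 0",
    "11:52:45.332408 IP 123.125.71.45.29306 > 209.160.68.112.80: Flags , seq 3146907890, win 14600, length 0",
]

# Constructed Apache combined-log lines: ordinary clients on documentation
# addresses, nothing from the blocked range.
ACCESS_LOG_LINES = [
    '198.51.100.7 - - [01/Jan/2014:11:40:02 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2014:11:53:10 -0600] "GET /robots.txt HTTP/1.1" 404 210 "-" "curl/7.30"',
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse_tcpdump(lines):
    """One dict per parseable `tcpdump -n` line; 'seq' is set only for TCP lines."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        seq = re.search(r"\bseq (\d+)", rec["rest"])
        rec["seq"] = int(seq.group(1)) if seq else None
        out.append(rec)
    return out

def retransmitted_syns(lines, net=BLOCKED_NET):
    """(src, dst, dport, seq) tuples from `net` seen more than once: the client
    re-sent the same initial segment because nothing answered the first one."""
    seen = defaultdict(int)
    for rec in parse_tcpdump(lines):
        if rec["seq"] is None or ipaddress.ip_address(rec["src"]) not in net:
            continue
        seen[(rec["src"], rec["dst"], rec["dport"], rec["seq"])] += 1
    return sorted(key for key, n in seen.items() if n > 1)

def access_log_hits(lines, net=BLOCKED_NET):
    """Client IPs in the access log that fall inside `net`."""
    hits = []
    for line in lines:
        ip = line.split(" ", 1)[0]
        try:
            if ipaddress.ip_address(ip) in net:
                hits.append(ip)
        except ValueError:
            continue  # malformed line, skip it
    return hits

def summarize(tcpdump_lines, access_lines, net=BLOCKED_NET):
    """Counts a defender wants side by side: packets seen from the range,
    SYNs aimed at port 80, retransmitted SYNs, and completed web requests."""
    recs = [r for r in parse_tcpdump(tcpdump_lines)
            if ipaddress.ip_address(r["src"]) in net]
    return {
        "packets_from_net": len(recs),
        "tcp_to_80": sum(1 for r in recs if r["seq"] is not None and r["dport"] == 80),
        "retransmitted": len(retransmitted_syns(tcpdump_lines, net)),
        "access_log_hits": len(access_log_hits(access_lines, net)),
    }

if __name__ == "__main__":
    print(summarize(TCPDUMP_LINES, ACCESS_LOG_LINES))
```

Run against a real capture, feed it the output of `tcpdump -n src net 123.125.0.0/16` and the server's access log for the same window; a non-zero `retransmitted` count together with zero `access_log_hits` is consistent with the deny rule working, while any `access_log_hits` from the range would mean packets are reaching the web server by some path ipfw is not filtering.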
 
You never mentioned your physical setup. What is your topology? I.e., is ipfw running on a dedicated firewall host with one point of internet access and the other side a screened DMZ (or inside net)? No content (multilayer) switch? No backup LAN or anything like that? I once worked in a huge shop running an enormous Sun box. There were many admins around doing support. Some of the admins kept hooking a spare interface up to their backup network, allowing multiple routes in to my host.

If running Apache, was the IP address in the error file? You can block via Apache with:
Code:
Require not ip 123.125.0.0/16
Is the packet count for rule 5 increasing?
 
Single machine with a single interface with two assigned IPs. It's a leased server. This IP range does not show up in the error log or the access log. While the web interaction alerted me, my intent is now to block all access. Yes, the rule 5 count is increasing. I modified rule 005 to log its actions to see that the deny is occurring.
 