#StackBounty: #networking #server #firewall #traffic #nethogs NetHogs showing suspicious (outgoing) traffic to random ports from root o…

Bounty: 100

Using NetHogs on an Ubuntu 16.04 (web) server, i.e. on a machine where no consumer applications or web browsers are installed, besides traffic that is to be expected (HTTP and SSH)

 PID USER     PROGRAM                                           DEV        SENT      RECEIVED       
5266 www-data /usr/sbin/apache2                                 eth0      15.142       2.924 KB/sec
4698 <ME>     sshd: <ME>@pts/0                                  eth0       0.899       0.071 KB/sec

I’m also seeing quite a few suspicious connections that look like this:

 PID USER     PROGRAM                                           DEV        SENT      RECEIVED       
   ? root     <SERVER_IP_V4>:515-122.228.XXX.XXX:43652                     0.000       0.000 KB/sec
   ? root     <SERVER_IP_V4>:4946-92.118.XXX.XXX:44243                     0.000       0.000 KB/sec
   ? root     <SERVER_IP_V4>:1703-94.177.XXX.XXX:51820                     0.000       0.000 KB/sec
   ? root     <SERVER_IP_V4>:1433-123.207.XXX.XXX:45628                    0.000       0.000 KB/sec
   ? root     <SERVER_IP_V4>:34568-223.71.XXX.XXX:40922                    0.000       0.011 KB/sec
   ? root     <SERVER_IP_V4>:9444-51.91.XXX.XXX:46170                      0.000       0.000 KB/sec
   ? root     unknown TCP                                                  0.000       0.000 KB/sec

So they have no associated process ID [1], are all run by root, seem to be outgoing connections from random-looking ports to other random-looking ports (i.e. no outgoing HTTP requests [2] [3]), have no associated device, and all have little to no traffic [4].

The geographic origins of the destination addresses seem to be China, Russian Federation and Seychelles, among others, as per whois.

My firewall rules, as per ufw status verbose, should actually block any incoming traffic except for SSH and HTTP(S). So these outgoing connections would have to be caused by malicious programs running on the host, right?

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere                  
80/tcp                     ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  

Is this indeed suspicious or perhaps even evidence of malicious traffic, or are these some false positives (for some reason I may not be seeing)?

Or is the order of the two IP addresses in each pair not relevant [5] [6], so that these might in fact be incoming connections? If so, how can this happen if UFW has been configured to block such connections, and how can one of these connections even have data transferred?


Get this bounty!!!
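Added example, not part of the question or of NetHogs itself: a small Python triage over constructed nethogs-style rows modelled on the ones above. It pulls out the process-less entries and guesses which side opened each connection from which side holds the ephemeral port, on the assumption that nethogs captures with libpcap and therefore still shows probe packets that netfilter later drops (PID "?", near-zero rates); the sample rows, addresses and the 32768 ephemeral-port threshold (the Linux default range) are assumptions.

```python
import re

# Constructed nethogs-style rows (addresses masked like the post; not real traffic).
SAMPLE = """\
   ? root     10.0.0.5:515-122.228.0.1:43652      0.000  0.000 KB/sec
   ? root     10.0.0.5:1433-123.207.0.1:45628     0.000  0.000 KB/sec
   ? root     10.0.0.5:34568-223.71.0.1:40922     0.000  0.011 KB/sec
5266 www-data /usr/sbin/apache2            eth0  15.142  2.924 KB/sec
"""

# Default Linux net.ipv4.ip_local_port_range is 32768-60999 (other stacks use
# 49152-65535); a port >= 32768 is treated as a likely ephemeral client port.
EPHEMERAL_START = 32768

ROW_RE = re.compile(
    r"^\s*(?P<pid>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<lip>[\d.]+):(?P<lport>\d+)-(?P<rip>[\d.]+):(?P<rport>\d+)\s+"
    r"(?P<sent>[\d.]+)\s+(?P<recv>[\d.]+)\s+KB/sec"
)

def parse_row(line):
    """Parse a 'local:port-remote:port' row into a dict, or None for other rows."""
    m = ROW_RE.match(line)
    if not m:
        return None
    return {"pid": m["pid"], "user": m["user"], "remote_ip": m["rip"],
            "local_port": int(m["lport"]), "remote_port": int(m["rport"]),
            "sent_kbs": float(m["sent"]), "recv_kbs": float(m["recv"])}

def likely_direction(row):
    """Guess who opened the connection from which side holds the ephemeral port."""
    l_eph = row["local_port"] >= EPHEMERAL_START
    r_eph = row["remote_port"] >= EPHEMERAL_START
    if r_eph and not l_eph:
        return "inbound"    # remote client port -> our service port: a probe
    if l_eph and not r_eph:
        return "outbound"   # our client port -> remote service port
    return "ambiguous"

def triage(text):
    """Return (remote_ip, local_port, direction) for every process-less row.

    A '?' PID means no local socket owns the packets: nethogs reads them from
    libpcap before netfilter decides, so SYNs that ufw drops still show up.
    """
    return [(r["remote_ip"], r["local_port"], likely_direction(r))
            for r in map(parse_row, text.splitlines()) if r and r["pid"] == "?"]
```

Rows whose local side is a service port (515, 1433) and whose remote side is an ephemeral port read as inbound probes, which is consistent with ufw dropping them and the counters staying at zero.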

#StackBounty: #networking #windows-10 #vpn #firewall #l2tp L2TP VPN on Windows 10 only connects with Firewall disabled

Bounty: 100

I have configured an L2TP VPN on Windows 10.
To get it working in the first place I have had to add the "AssumeUDPEncapsulationContextOnSendRule" registry key, and when the Windows Firewall is totally disabled, the VPN connects perfectly.

I cannot get the VPN to connect with the Windows Firewall enabled at all.
I have allowed protocol 50 (ESP) in and out, I’ve also allowed UDP 1701, 4500, 500 in and out, however the VPN will still only connect if I totally disable the Windows Firewall.

Has anyone else come across this issue?



#StackBounty: #firewall #hyper-v #anti-virus #windows-subsystem-for-linux #avast Which exceptions should I add for WSL and Hyper-V in A…

Bounty: 50

Summary:

I have my firewall blocking the WSL server (Ubuntu 18.04) only when running on Visual Studio Code. It is also preventing my Hyper-V VM (Ubuntu 19.04) from establishing almost every connection to the internet, for example sudo apt update or browsing (for some reason I can ping successfully though, but I wouldn’t focus on this as of now).

Details:

After many trial and error efforts I have isolated and concluded that my firewall (Avast Premier) is the only culprit for this. Disabling the firewall for 10 mins allows me to do these two different operations, connect to the WSL server from Visual Studio Code and also navigate and update packages in my virtualized Ubuntu from Hyper-V.

What I have done so far:

I have checked that VSCode has all connections allowed in all ports (inbound and outbound):


Allowing rules seem to be in place:


And also added VSCode to the antivirus exceptions list:


None of the actions above worked, only disabling the firewall.

Question:

What rules should I add to the firewall for allowing:

  1. WSL server (Ubuntu 18.04.2) from VSCode
  2. Internet connection on Ubuntu 19.04 from Hyper-V.

Notes:
WSL works perfectly outside VSCode. I can even start a batch terminal from it (the connection from the left of the status bar is what the issue is).


UPDATE:

This is the output I get from WSL terminal in VSCode:

Failed to connect to the remote extension host server (Error: connect ETIMEDOUT 127.0.0.1:62388)



#StackBounty: #firewall #google-app-engine Trouble restricting access to app engine flexible service using VPC

Bounty: 100

I am trying to restrict access to a specific App Engine Flex service in a project with multiple services using VPC firewall rules. I created a VPC network called “vpc” using automatic subnet creation and global dynamic routing. Next, I deployed my App with the following yaml file (names slightly changed):

runtime: custom
env: flex
service: someservice
manual_scaling:
    instances: 1
resources:
    cpu: 1
    memory_gb: 4.0
    disk_size_gb: 10
beta_settings:
    cloud_sql_instances: cloud
network:
    name: vpc

As you can see, I specified a network in the yaml file to run the app in vpc. Then, I created two firewall rules in VPC to allow access to only specific IPs. I first created a firewall rule called “deny” to deny access to the vpc network for all IP ranges:

gcloud compute firewall-rules create deny \
    --network vpc \
    --action deny \
    --direction ingress \
    --rules tcp \
    --source-ranges 0.0.0.0/0 \
    --priority 5000

Finally, I created another rule named “allow” to allow a single IP address (e.g. 192.00.00.11):

gcloud compute firewall-rules create allow \
    --network vpc \
    --action allow \
    --direction ingress \
    --rules tcp \
    --source-ranges 192.00.00.11 \
    --priority 1000

However, after performing the above I am still able to access the app engine service from pretty much any IP I tested (used my phone’s data and also asked friends for sanity check). What am I doing wrong? Any help is greatly appreciated!

Note: similar problem: https://stackoverflow.com/questions/49296666/google-app-engine-firewall-restrict-access-to-all-services-but-the-default-one



#StackBounty: #ubuntu #firewall #android #port #kde-connect KDE Connect Not Working [Ubuntu 16.04] : KDE Connect is not discovering pho…

Bounty: 50

I have installed the KDE Connect application on my desktop and also on my phone [Xiaomi Redmi 3S Prime]. But the desktop application would not detect my phone and vice versa.
I have checked the ports. They are open. There is no firewall installed. I have also tried adding my PC manually by entering the IP address in the Android App and that did not work. I also tried restarting the kdeconnectd daemon but that also didn’t work for me.

EDIT:
Here are the things that I have tried.

  1. Check if the kdeconnectd daemon is running.

  2. Check if I have the ports blocked and if firewall is enabled.

  3. Check if KDE Connect is listening on the port.

Please help with all the solutions you can.

PS. It might seem like a duplicate but I have tried almost all the solutions out there but none of it seems to work for me. Hence, I am here.



#StackBounty: #networking #18.04 #iptables #firewall iptables match error "No chain/target/match by that name"

Bounty: 100

This is a fresh copy of Ubuntu on my NVIDIA Jetson Nano, and I am trying to add the following rule to block network access for user 1001.

sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner 1001 -j DROP

I get the following error:

iptables: No chain/target/match by that name.

Here is what I tried that works (YES) and does not work (NOT):

  1. YES – Remove the match criteria and replace with some other condition like source or target
  2. YES – On another similar installation on raspberry pi
  3. NOT – Change chain or target to INPUT or ACCEPT etc..
  4. NOT – Use a different user
  5. NOT – Try using user names instead of user ID
  6. NOT – Try a different match like --gid-owner
  7. NOT – Flushing the tables, restarting the PC etc
  8. NOT – Removed the ! -o lo from the command above

This is beyond me. I really have tried a lot of things and read through a number of posts with the same error – most of the time they are trying to do something complex – yet this is simple (and works on my other installation!). Any thoughts on how to understand this would be appreciated. Thanks!

EDIT: Based on comment below, here are the outputs:

grep CONFIG_NETFILTER_XT_MATCH /boot/config-$(uname -r)

grep: /boot/config-4.9.140-tegra: No such file or directory

I manually checked for the file and there’s no file that starts with config-XX in the boot folder. Additionally:

iptables -m owner --help

Could not determine whether revision 1 is supported, assuming it is.

...

owner match options:

[!] --uid-owner userid[-userid] Match local UID

[!] --gid-owner groupid[-groupid] Match local GID

[!] --socket-exists Match if socket exists



#StackBounty: #networking #server #firewall Shorewall – Allow Client to Ping Internet but Not Use the Browser or Port 80

Bounty: 50

My network address is 192.168.5.0. My host machine is 192.168.5.1 and my client machine is 192.168.5.2. How will I enable my client to ping the internet through the terminal but restrict it from using port 80 or the browser? Below is my /etc/shorewall/policy file:

SOURCE    DEST    POLICY    LOGLEVEL   RATE    CONNLIMIT

loc       net     ACCEPT

net       all     DROP      info

/etc/shorewall/rules file:

DROP    loc    fw    tcp   80

/etc/shorewall/interfaces file:

net   eth0
loc   eth1

Host Interfaces:

eth0 - Connection to the internet
eth1 - Local Network Connection

Please tell me if I still have to provide more details. Using the configuration above, my client is unable to ping any internet website and at the same time can't access any site from the browser.



#StackBounty: #firewall #rules #slackware #policy #shorewall Shorewall – Allow Client to Ping Internet but Not Use the Browser or Port 80

Bounty: 50

My network address is 192.168.5.0. My host machine is 192.168.5.1 and my client machine is 192.168.5.2. How will I enable my client to ping the internet through the terminal but restrict it from accessing port 80 or the browser? Below is my /etc/shorewall/policy file:

SOURCE    DEST    POLICY    LOGLEVEL   RATE    CONNLIMIT

loc       net     ACCEPT

net       all     DROP      info

/etc/shorewall/rules file:

DROP    loc    fw    tcp   80

/etc/shorewall/interfaces file:

net   eth0
loc   eth1

Host Interfaces:

eth0 - Connection to the internet
eth1 - Local Network Connection



#StackBounty: #firewall #bridge #mikrotik #filter How to debug Mikrotik bridge filter forward rules not having any effect?

Bounty: 50

As part of diagnosing a different problem we're trying to add a bridge filter rule that will stop all traffic from forwarding between two interfaces on a bridge.

The router has two interfaces ether1 and ether2 on a bridge.

We then added a rule with this:

/interface bridge filter
add action=drop chain=forward in-interface=ether1

I had expected this to stop all traffic that arrived on ether1 from being forwarded across the bridge and going out ether2. However, traffic continues to flow and this rule has no effect.

