Ticket #843 (closed maintenance: fixed)
8.8.8.8 (US/United States/google-public-dns-a.google.com) blocked for port scanning
| Reported by: | chris | Owned by: | chris | 
|---|---|---|---|
| Priority: | major | Milestone: | Maintenance | 
| Component: | Live server | Keywords: | |
| Cc: | ade | Estimated Number of Hours: | 0.0 | 
| Add Hours to Ticket: | 0 | Billable?: | yes | 
| Total Hours: | 0.25 | 
Description
Never seen this before:
Date: Tue,  7 Apr 2015 23:46:09 +0100 (BST)
From: root@puffin.webarch.net
To: chris@webarchitects.co.uk
Subject: lfd on puffin.webarch.net: 8.8.8.8 (US/United States/google-public-dns-a.google.com) blocked for port scanning

Time:    Tue Apr  7 23:46:09 2015 +0000
IP:      8.8.8.8 (US/United States/google-public-dns-a.google.com)
Hits:    20
Blocked: Temporary Block

Sample of block hits:
Apr  7 23:45:36 puffin kernel: [19823338.636822] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=8.8.8.8 DST=81.95.52.103 LEN=162 TOS=0x00 PREC=0x00 TTL=45 ID=65064 PROTO=UDP SPT=53 DPT=48825 LEN=142
I thought I set the Google DNS servers for the machine via /etc/resolv.conf but that contains:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
There is /etc/resolvconf/resolv.conf.d/original containing:
nameserver 8.8.8.8
nameserver 8.8.4.4
But I don't know what DNS resolver BOA has installed and the server is using.
Change History
comment:1 Changed 20 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.0 to 0.25
comment:2 Changed 20 months ago by chris
The temp block of the Google DNS server was lifted:
iptables -v -L -n --line-numbers | grep 8.8.8.8
1 142 16403 ACCEPT all -- !lo * 8.8.8.8 0.0.0.0/0
1 167 13104 ACCEPT all -- * !lo 0.0.0.0/0 8.8.8.8

csf -g 8.8.8.8
Chain num pkts bytes target prot opt in out source destination
ALLOWIN 1 142 16403 ACCEPT all -- !lo * 8.8.8.8 0.0.0.0/0
ALLOWOUT 1 167 13104 ACCEPT all -- * !lo 0.0.0.0/0 8.8.8.8
I still have no idea why the Google DNS server tried to connect, multiple times, to port 45 via UDP.
comment:3 Changed 20 months ago by chris
Other people have had issues with CSF/LFD and DNS servers, see https://github.com/omega8cc/boa/issues/685
comment:4 Changed 19 months ago by chris
- Status changed from new to closed
- Resolution set to fixed
When we upgrade to the next version of BOA, on ticket:844, then we will get a new, checked, version of csf/lfd from BOA's servers rather than configserver.com, see this diff. In anticipation of that solving this issue I'm closing this ticket.


Following wiki:PuffinServer#Falsepositives I have unblocked Google's DNS server:
So that didn't work... tried editing /etc/csf/csf.allow to add:
And restarted:
But no joy:
I'm at a bit of a loss here, will see if it resolves itself to save spending too much time on this...
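
An added triage example, not part of the ticket and not code from csf/lfd or BOA: it parses the kernel line that lfd quoted in its alert and labels a hit `dns-reply` when it is UDP from source port 53 of a nameserver listed in the resolvconf `original` file, so traffic that looks like resolver replies can be told apart from other blocked traffic. The second sample line, the function names and the 1024 port threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter

# First line: the block hit quoted in the ticket. Second line: constructed for contrast.
SAMPLE_HITS = [
    "Apr  7 23:45:36 puffin kernel: [19823338.636822] Firewall: *UDP_IN Blocked* "
    "IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=8.8.8.8 "
    "DST=81.95.52.103 LEN=162 TOS=0x00 PREC=0x00 TTL=45 ID=65064 PROTO=UDP "
    "SPT=53 DPT=48825 LEN=142",
    "Apr  7 23:45:40 puffin kernel: [19823342.000000] Firewall: *TCP_IN Blocked* "
    "IN=eth0 OUT= SRC=192.0.2.77 DST=81.95.52.103 LEN=60 TTL=51 PROTO=TCP "
    "SPT=40112 DPT=23",
]
# Contents of /etc/resolvconf/resolv.conf.d/original as shown in the ticket.
SAMPLE_RESOLVCONF = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n"

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_nameservers(text):
    """Return the set of nameserver addresses in resolv.conf-style text."""
    servers = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.add(parts[1])
    return servers

def parse_hit(line):
    """Parse KEY=VALUE fields of an iptables LOG line; the first value wins,
    so LEN is the IP length rather than the trailing UDP length."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields

def classify(line, nameservers, min_client_port=1024):
    """'dns-reply' for UDP from port 53 of a configured resolver to a
    non-privileged port (min_client_port is an assumed threshold)."""
    f = parse_hit(line)
    if (f.get("PROTO") == "UDP" and f.get("SPT") == "53"
            and f.get("SRC") in nameservers
            and f.get("DPT", "").isdigit() and int(f["DPT"]) >= min_client_port):
        return "dns-reply"
    return "other"

def summarize(lines, nameservers):
    """Count hits per (source address, classification)."""
    return Counter((parse_hit(l).get("SRC"), classify(l, nameservers)) for l in lines)
```

Calling `summarize(SAMPLE_HITS, parse_nameservers(SAMPLE_RESOLVCONF))` returns one count per source address and label; on a live host the hit lines would come from the kernel log that lfd reads.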