Ticket #843 (closed maintenance: fixed)

Opened 20 months ago

Last modified 19 months ago

8.8.8.8 (US/United States/google-public-dns-a.google.com) blocked for port scanning

Reported by: chris
Owned by: chris
Priority: major
Milestone: Maintenance
Component: Live server
Keywords:
Cc: ade
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.25

Description

Never seen this before:

Date: Tue,  7 Apr 2015 23:46:09 +0100 (BST)
From: root@puffin.webarch.net
To: chris@webarchitects.co.uk
Subject: lfd on puffin.webarch.net: 8.8.8.8 (US/United States/google-public-dns-a.google.com) blocked for port scanning

Time:    Tue Apr  7 23:46:09 2015 +0000
IP:      8.8.8.8 (US/United States/google-public-dns-a.google.com)
Hits:    20
Blocked: Temporary Block

Sample of block hits:
Apr  7 23:45:36 puffin kernel: [19823338.636822] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=8.8.8.8 DST=81.95.52.103 LEN=162 TOS=0x00 PREC=0x00 TTL=45 ID=65064 PROTO=UDP SPT=53 DPT=48825 LEN=142

I thought I had set the Google DNS servers for the machine via /etc/resolv.conf, but that contains:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

There is /etc/resolvconf/resolv.conf.d/original containing:

nameserver 8.8.8.8
nameserver 8.8.4.4

But I don't know what DNS resolver BOA has installed and the server is using.
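
Added triage example, not part of the ticket: a small Python script that parses lfd "Sample of block hits" kernel lines like the one above and checks whether each blocked packet is a UDP packet from source port 53 sent by one of the resolvers listed in /etc/resolvconf/resolv.conf.d/original, which is the shape of the quoted hit (SRC=8.8.8.8, SPT=53, DPT=48825), rather than a probe of an arbitrary port. The first sample line is the one quoted in the ticket; the other two are constructed in the same format.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample. The first line is the hit quoted in the ticket; the
# other two are made up in the same format: a reply from the second
# resolver, and a TCP SYN from an unrelated address that really is unsolicited.
SAMPLE_LOG = """\
Apr  7 23:45:36 puffin kernel: [19823338.636822] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=8.8.8.8 DST=81.95.52.103 LEN=162 TOS=0x00 PREC=0x00 TTL=45 ID=65064 PROTO=UDP SPT=53 DPT=48825 LEN=142
Apr  7 23:45:40 puffin kernel: [19823342.100000] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=8.8.4.4 DST=81.95.52.103 LEN=120 TOS=0x00 PREC=0x00 TTL=45 ID=1 PROTO=UDP SPT=53 DPT=51002 LEN=100
Apr  7 23:45:41 puffin kernel: [19823343.200000] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=203.0.113.9 DST=81.95.52.103 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Contents of /etc/resolvconf/resolv.conf.d/original as quoted in the ticket.
RESOLVCONF_ORIGINAL = """\
nameserver 8.8.8.8
nameserver 8.8.4.4
"""

FIELD_RE = re.compile(r"\b(\w+)=(\S*)")
RULE_RE = re.compile(r"\*(\w+) Blocked\*")


def parse_nameservers(text: str) -> Set[str]:
    """Collect the addresses on 'nameserver' lines of a resolv.conf-style file."""
    return {parts[1] for parts in (line.split() for line in text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"}


def parse_firewall_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of one csf kernel log line, or None for other lines.

    LEN appears twice (IP total length, then UDP payload length); the last one wins.
    """
    m = RULE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["RULE"] = m.group(1)  # e.g. UDP_IN, TCP_IN
    return fields


def classify(fields: Dict[str, str], resolvers: Set[str]) -> str:
    """Label a blocked packet: DNS answer from a configured resolver, or unsolicited."""
    if (fields.get("PROTO") == "UDP" and fields.get("SPT") == "53"
            and fields.get("SRC") in resolvers):
        return "dns-reply-from-configured-resolver"
    return "unsolicited"


def triage(log: str, resolvers: Set[str]) -> List[Tuple[str, str, str, str, str]]:
    """(SRC, PROTO, SPT, DPT, verdict) for every firewall hit in the log text."""
    rows = []
    for line in log.splitlines():
        f = parse_firewall_line(line)
        if f is None:
            continue
        rows.append((f.get("SRC", "?"), f.get("PROTO", "?"), f.get("SPT", "?"),
                     f.get("DPT", "?"), classify(f, resolvers)))
    return rows


def summarise(log: str, resolvers: Set[str]) -> Dict[str, Dict[str, int]]:
    """Per-source counts of each verdict: the view to look at before unblocking."""
    counts: Dict[str, Dict[str, int]] = {}
    for src, _proto, _spt, _dpt, verdict in triage(log, resolvers):
        counts.setdefault(src, {}).setdefault(verdict, 0)
        counts[src][verdict] += 1
    return counts


if __name__ == "__main__":
    resolvers = parse_nameservers(RESOLVCONF_ORIGINAL)
    for row in triage(SAMPLE_LOG, resolvers):
        print(*row)
    print(summarise(SAMPLE_LOG, resolvers))
```

Run it against the "Sample of block hits" section of a real lfd mail (and the full kernel log, since the mail only shows a sample) with the machine's actual nameserver list; a source whose hits are all port-53 replies to high ports is a candidate for csf.allow, while mixed verdicts deserve a closer look.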

Change History

comment:1 Changed 20 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.0 to 0.25

Following wiki:PuffinServer#Falsepositives I have unblocked Google's DNS server:

csf -g 8.8.8.8

Chain            num   pkts bytes target     prot opt in     out     source               destination

DENYIN           101    172 20183 DROP       all  --  !lo    *       8.8.8.8              0.0.0.0/0

Temporary Blocks: IP:8.8.8.8 Port: Dir:in TTL:3600 (lfd - *Port Scan* detected from 8.8.8.8 (US/United States/google-public-dns-a.google.com). 20 hits in the last 101 seconds)

csf -dr 8.8.8.8
csf: 8.8.8.8 not found in csf.deny

csf -g 8.8.8.8

Chain            num   pkts bytes target     prot opt in     out     source               destination

DENYIN           101    173 20211 DROP       all  --  !lo    *       8.8.8.8              0.0.0.0/0

Temporary Blocks: IP:8.8.8.8 Port: Dir:in TTL:3600 (lfd - *Port Scan* detected from 8.8.8.8 (US/United States/google-public-dns-a.google.com). 20 hits in the last 101 seconds)

So that didn't work... tried editing /etc/csf/csf.allow to add:

8.8.8.8 # google.com dns see /trac/ticket/843

And restarted:

csf -r

But no joy:

iptables -v -L -n --line-numbers | grep 8.8.8.8
1        0     0 ACCEPT     all  --  !lo    *       8.8.8.8              0.0.0.0/0
1        0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            8.8.8.8
101      0     0 DROP       all  --  !lo    *       8.8.8.8              0.0.0.0/0

iptables -D INPUT 101
iptables: Index of deletion too big.

I'm at a bit of a loss here, will see if it resolves itself to save spending too much time on this...
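
The unblocking sequence in the comment above, as an added example that is not from the ticket: a Python parser for "csf -g" output that extracts the chain and rule index, so that a manual deletion targets the chain the rule actually lives in (DENYIN, where csf -g listed rule 101) rather than INPUT, which is why "iptables -D INPUT 101" reported the index as too big. It also picks the csf command that matches the kind of block: "csf -dr" only edits csf.deny, as the output above shows, while csf's "-tr" (--temprm) flag removes an address from the temporary block list. The sample input is constructed in the shape of the quoted output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the "csf -g 8.8.8.8" output quoted in the ticket.
CSF_G_OUTPUT = """\
Chain            num   pkts bytes target     prot opt in     out     source               destination

DENYIN           101    172 20183 DROP       all  --  !lo    *       8.8.8.8              0.0.0.0/0

Temporary Blocks: IP:8.8.8.8 Port: Dir:in TTL:3600 (lfd - *Port Scan* detected from 8.8.8.8 (US/United States/google-public-dns-a.google.com). 20 hits in the last 101 seconds)
"""

# Columns of a rule line: chain num pkts bytes target prot opt in out source destination
RULE_RE = re.compile(
    r"^([A-Z_]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
TEMP_RE = re.compile(r"IP:(\S+) Port:(\S*) Dir:(\w+) TTL:(\d+)")


def parse_csf_g(text: str) -> Tuple[List[Dict], List[Dict]]:
    """Split csf -g output into matching iptables rules and temporary-block entries."""
    rules, temps = [], []
    for line in text.splitlines():
        if line.startswith("Temporary Blocks:"):
            m = TEMP_RE.search(line)
            if m:
                temps.append({"ip": m.group(1), "port": m.group(2) or None,
                              "dir": m.group(3), "ttl": int(m.group(4))})
            continue
        m = RULE_RE.match(line)  # the "Chain ..." header line does not match
        if m:
            chain, num, _pkts, _bytes, target, prot, _opt, iface_in, iface_out, src, dst = m.groups()
            rules.append({"chain": chain, "num": int(num), "target": target, "prot": prot,
                          "in": iface_in, "out": iface_out, "source": src, "destination": dst})
    return rules, temps


def removal_plan(text: str, ip: str) -> Dict[str, List[str]]:
    """Commands that would lift a block on ip, derived from csf -g output.

    Deletion is by chain and index: csf keeps its blocks in its own chains
    (DENYIN/DENYOUT), so the index must be used with that chain, not INPUT.
    Higher indexes are deleted first so earlier deletions do not shift them.
    """
    rules, temps = parse_csf_g(text)
    plan: Dict[str, List[str]] = {"iptables": [], "csf": []}
    drops = [r for r in rules if r["target"] == "DROP" and ip in (r["source"], r["destination"])]
    for r in sorted(drops, key=lambda r: (r["chain"], -r["num"])):
        plan["iptables"].append(f"iptables -D {r['chain']} {r['num']}")
    if any(t["ip"] == ip for t in temps):
        plan["csf"].append(f"csf -tr {ip}")  # temporary block: csf -dr only edits csf.deny
    else:
        plan["csf"].append(f"csf -dr {ip}")
    return plan


if __name__ == "__main__":
    for kind, cmds in removal_plan(CSF_G_OUTPUT, "8.8.8.8").items():
        for cmd in cmds:
            print(kind, cmd)
```

Feed it the output of "csf -g <ip>" on the host; the "csf" entry is the supported way to lift the block and the "iptables" entries are the equivalent manual deletion, should csf's own bookkeeping and the live ruleset disagree.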

comment:2 Changed 20 months ago by chris

The temp block of the Google DNS server was lifted:

iptables -v -L -n --line-numbers | grep 8.8.8.8
1      142 16403 ACCEPT     all  --  !lo    *       8.8.8.8              0.0.0.0/0
1      167 13104 ACCEPT     all  --  *      !lo     0.0.0.0/0            8.8.8.8

csf -g 8.8.8.8

Chain            num   pkts bytes target     prot opt in     out     source               destination

ALLOWIN          1      142 16403 ACCEPT     all  --  !lo    *       8.8.8.8              0.0.0.0/0

ALLOWOUT         1      167 13104 ACCEPT     all  --  *      !lo     0.0.0.0/0            8.8.8.8

I still have no idea why the Google DNS server tried to connect, multiple times, to port 45 via UDP.

comment:3 Changed 20 months ago by chris

Other people have had issues with CSF/LFD and DNS servers, see https://github.com/omega8cc/boa/issues/685

comment:4 Changed 19 months ago by chris

  • Status changed from new to closed
  • Resolution set to fixed

When we upgrade to the next version of BOA, on ticket:844, then we will get a new, checked, version of csf/lfd from BOA's servers rather than configserver.com, see this diff. In anticipation of that solving this issue I'm closing this ticket.
