Transition Technology: Ticket #843: 8.8.8.8 (US/United States/google-public-dns-a.google.com) blocked for port scanning http://localhost:8080/trac/ticket/843 <p> Never seen this before: </p> <pre class="wiki">Date: Tue, 7 Apr 2015 23:46:09 +0100 (BST) From: root@puffin.webarch.net To: chris@webarchitects.co.uk Subject: lfd on puffin.webarch.net: 8.8.8.8 (US/United States/google-public-dns-a.google.com) blocked for port scanning Time: Tue Apr 7 23:46:09 2015 +0000 IP: 8.8.8.8 (US/United States/google-public-dns-a.google.com) Hits: 20 Blocked: Temporary Block Sample of block hits: Apr 7 23:45:36 puffin kernel: [19823338.636822] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=8.8.8.8 DST=81.95.52.103 LEN=162 TOS=0x00 PREC=0x00 TTL=45 ID=65064 PROTO=UDP SPT=53 DPT=48825 LEN=142 </pre><p> I thought set the Google DNS servers for the machine via /etc/resolv.conf but that contains: </p> <pre class="wiki"># Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN nameserver 127.0.0.1 </pre><p> There is /etc/resolvconf/resolv.conf.d/original containing: </p> <pre class="wiki">nameserver 8.8.8.8 nameserver 8.8.4.4 </pre><p> But I don't know what DNS resolver BOA has installed and the server is using. </p> en-us Transition Technology /trac/chrome/site/TransitionNetwork-Logo-Web-Small.jpg http://localhost:8080/trac/ticket/843 Trac 0.12.5 chris Tue, 07 Apr 2015 23:24:18 GMT hours, totalhours changed http://localhost:8080/trac/ticket/843#comment:1 http://localhost:8080/trac/ticket/843#comment:1 <ul> <li><strong>hours</strong> changed from <em>0.0</em> to <em>0.25</em> </li> <li><strong>totalhours</strong> changed from <em>0.0</em> to <em>0.25</em> </li> </ul> <p> Following <a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer#Falsepositives">wiki:PuffinServer#Falsepositives</a> I have unblocked Google's DNS server: </p> <pre class="wiki">csf -g 8.8.8.8 Chain num pkts bytes target prot opt in out source destination DENYIN 101 172 20183 DROP all -- !lo * 8.8.8.8 0.0.0.0/0 Temporary Blocks: IP:8.8.8.8 Port: Dir:in TTL:3600 (lfd - *Port Scan* detected from 8.8.8.8 (US/United States/google-public-dns-a.google.com). 20 hits in the last 101 seconds) csf -dr 8.8.8.8 csf: 8.8.8.8 not found in csf.deny csf -g 8.8.8.8 Chain num pkts bytes target prot opt in out source destination DENYIN 101 173 20211 DROP all -- !lo * 8.8.8.8 0.0.0.0/0 Temporary Blocks: IP:8.8.8.8 Port: Dir:in TTL:3600 (lfd - *Port Scan* detected from 8.8.8.8 (US/United States/google-public-dns-a.google.com). 20 hits in the last 101 seconds) </pre><p> So that didn't work... tried editing /etc/csf/csf.allow to add: </p> <pre class="wiki">8.8.8.8 # google.com dns see https://trac.transitionnetwork.org/trac/ticket/843 </pre><p> And restarted: </p> <pre class="wiki">csf -r </pre><p> But no joy: </p> <pre class="wiki">iptables -v -L -n --line-numbers | grep 8.8.8.8 1 0 0 ACCEPT all -- !lo * 8.8.8.8 0.0.0.0/0 1 0 0 ACCEPT all -- * !lo 0.0.0.0/0 8.8.8.8 101 0 0 DROP all -- !lo * 8.8.8.8 0.0.0.0/0 iptables -D INPUT 101 iptables: Index of deletion too big. </pre><p> I'm at a bit of a loss here, will see if it resolves itself to save spending too much time on this... </p> <p> </p> Ticket chris Thu, 09 Apr 2015 10:13:02 GMT http://localhost:8080/trac/ticket/843#comment:2 http://localhost:8080/trac/ticket/843#comment:2 <p> The temp block of the Google DNS server was lifted: </p> <pre class="wiki">iptables -v -L -n --line-numbers | grep 8.8.8.8 1 142 16403 ACCEPT all -- !lo * 8.8.8.8 0.0.0.0/0 1 167 13104 ACCEPT all -- * !lo 0.0.0.0/0 8.8.8.8 </pre><pre class="wiki"> csf -g 8.8.8.8 Chain num pkts bytes target prot opt in out source destination ALLOWIN 1 142 16403 ACCEPT all -- !lo * 8.8.8.8 0.0.0.0/0 ALLOWOUT 1 167 13104 ACCEPT all -- * !lo 0.0.0.0/0 8.8.8.8 </pre><p> I still have no idea why the Google DNS server tried to connect, multiple times, to port 45 via UDP. </p> Ticket chris Wed, 15 Apr 2015 13:42:13 GMT http://localhost:8080/trac/ticket/843#comment:3 http://localhost:8080/trac/ticket/843#comment:3 <p> Other people have had issues with CSF/LFD and DNS servers, see <a class="ext-link" href="https://github.com/omega8cc/boa/issues/685"><span class="icon">​</span>https://github.com/omega8cc/boa/issues/685</a> </p> Ticket chris Thu, 16 Apr 2015 12:28:10 GMT status changed; resolution set http://localhost:8080/trac/ticket/843#comment:4 http://localhost:8080/trac/ticket/843#comment:4 <ul> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> </ul> <p> When we upgrade to the next version of BOA, on <a class="closed ticket" href="http://localhost:8080/trac/ticket/844" title="maintenance: Stable BOA 2.4.2 Release (closed: fixed)">ticket:844</a>, then we will get a new, checked, version of csf/lfd from BOA's servers rather than <a class="ext-link" href="http://www.configserver.com/cp/csf.html"><span class="icon">​</span>configserver.com</a>, see <a class="ext-link" href="https://github.com/omega8cc/boa/commit/66ee7236e835363440f4dec98eb7b884eb425fee"><span class="icon">​</span>this diff</a>. In anticipation of that solving this issue I'm closing this ticket. </p> Ticket