
Thread: EEK! An Open Port! Is security compromised? Is it really open?

  1. #11
    Join Date
    Nov 2007
    Beans
    139

    Re: EEK! An Open Port! Is security compromised? Is it really open?

    Ok, I think I may have figured out what is happening. Apparently the IP address for my laptop is a private one, so when it goes outside to the network my desktop is on, it gets rewritten. The rewritten IP address *does* appear in my denyhosts bad IP address list. Not really sure why, because I doubt I tried to guess my password 3 or more times, but maybe denyhosts was counting failed connection attempts. Now, just to verify that someone isn't somehow running a man in the middle attack.

    Anyway, whew!

  2. #12
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: EEK! An Open Port! Is security compromised? Is it really open?

    SSH will tell you the host key has changed and display a warning if you are being man-in-the-middle'd.

    In any case, you would have to allow the public IP of the machine you are connecting from through the firewall in order to connect.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #13
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: EEK! An Open Port! Is security compromised? Is it really open?

    @slowtrain: I have to ask, are you connected to the internet through an educational institute, or from work, because the results from your nmap scan don't look like a home router?

  4. #14
    Join Date
    Nov 2007
    Beans
    139

    Re: EEK! An Open Port! Is security compromised? Is it really open?

    CharlesA: Thanks! I now have several reasons to think the address is legit.

    cariboo907: You're right, the desktop is a personal research machine at my workplace.

    All: Looks like the fun isn't over yet! Yes, I was right that denyhosts was the source of the problem and taking the rewritten IP address of my laptop out of hosts.deny would fix the issue. But that IP address magically reappears in the list every time I connect.

    The basic problem looks like this: Reboot the machine. Completely remove and then reinstall denyhosts. Remove the laptop (external) address from hosts.deny. Connect from the laptop to the desktop using ssh. And, without doing anything else, look back in my hosts.deny file and my laptop's (external) IP address has reappeared in it!

    My best guess as to what is happening is that ssh is shifting from port 22 to some other port once the connection is formed and denyhosts then treats the connection as illegitimate and adds the IP address to hosts.deny. The auth.log entry for my ssh connection looks like this: Accepted password for slowtrain from myLaptopIPaddress port 55379 ssh2. I'm just using standard ssh syntax and the firewall won't accept anything coming in other than on port 22, so I can only imagine ssh is moving the connection to this other port. It probably has to in case there's more than one ssh connection. This probably means I can only connect once from home as well.

    But, before putting UFW on my machine I didn't have this problem and could connect w/ SSH as much as I liked. On the other hand, I don't know that this is causal. I've now shut down UFW and reinstalled Firestarter, but the problem persists. On the other hand, maybe something UFW did to some configuration file that remains is making this happen? Thoughts?

    I wonder if I should start a new thread with this problem.

  5. #15
    Join Date
    Nov 2007
    Beans
    139

    Re: EEK! An Open Port! Is security compromised? Is it really open?

    Ok, I'll bump my new problem to a new thread.

  6. #16
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,605
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: EEK! An Open Port! Is security compromised? Is it really open?

    The port listed in your logs is the source port. The destination port on the server is port 22. This does not change after the connection is made. The source port however may change between different logins as usually a high random port number is chosen as the source port.

    I'm sure you know for example you can whitelist certain IP addresses or certain blocks of addresses with the firewall, and not just filter by port number.

    Just a personal opinion -- and take it only as this -- but since this is a "research" computer, ditch ufw/gufw and just communicate directly to netfilter through iptables. It's not very difficult to do, and it gives you very granular control.
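
The source-port point in post #16, as an added example that is not part of the thread: the script tallies sshd password results per client IP and collects the `port` values, which differ between logins because they are the client's ephemeral source ports. The log lines are constructed, and the failure cutoff passed to `over_threshold` is a hypothetical parameter, not DenyHosts' own setting.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (documentation-range IPs, not from the thread).
SAMPLE_LOG = """\
Mar  3 09:14:09 desktop sshd[2101]: Failed password for slowtrain from 203.0.113.7 port 55379 ssh2
Mar  3 09:14:20 desktop sshd[2101]: Accepted password for slowtrain from 203.0.113.7 port 55379 ssh2
Mar  3 11:40:51 desktop sshd[2250]: Accepted password for slowtrain from 203.0.113.7 port 41822 ssh2
Mar  3 12:02:11 desktop sshd[2300]: Failed password for invalid user admin from 198.51.100.23 port 60211 ssh2
Mar  3 12:02:15 desktop sshd[2302]: Failed password for invalid user test from 198.51.100.23 port 60340 ssh2
Mar  3 12:02:19 desktop sshd[2304]: Failed password for root from 198.51.100.23 port 60412 ssh2
Mar  3 12:05:00 desktop CRON[2310]: pam_unix(cron:session): session opened for user root
"""

# sshd password-auth result lines. "port N" here is the client's source port;
# the server-side destination port (22) does not appear in these lines.
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def summarize(log_text):
    """Per source IP: accepted/failed counts and the set of client source ports."""
    stats = defaultdict(lambda: {"accepted": 0, "failed": 0, "source_ports": set()})
    for line in log_text.splitlines():
        m = SSHD_AUTH.search(line)
        if not m:
            continue  # not an sshd password result (e.g. the CRON line)
        entry = stats[m["ip"]]
        entry[m["result"].lower()] += 1
        entry["source_ports"].add(int(m["port"]))
    return dict(stats)


def over_threshold(stats, threshold):
    """IPs whose failed count reaches `threshold` (hypothetical cutoff)."""
    return sorted(ip for ip, e in stats.items() if e["failed"] >= threshold)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, e in sorted(stats.items()):
        print(ip, "accepted:", e["accepted"], "failed:", e["failed"],
              "source ports:", sorted(e["source_ports"]))
    print("at or over 3 failures:", over_threshold(stats, 3))
```
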

  7. #17
    Join Date
    Nov 2007
    Beans
    139

    Re: EEK! An Open Port! Is security compromised? Is it really open?

    Hi KevDog:

    Thanks for your input! You were right that the port bumping in ssh did not cause my problem. The problem, as I mention in another thread, was due to the difficulty of de-banning oneself once denyhosts decides your other computer's IP address is a bad one. I did solve the problem eventually.

    By 'research' I mean statistics, not computer science. I'm not sure I have the time to learn how iptables works, though am increasingly thinking it may be worth it. Looking through iptables -L, it almost looks like the organization for which I work has hacked my machine--probably to maintain security and check if I've put banned material on the machine, but still disconcerting given this is supposed to be a personal research machine.

  8. #18
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: EEK! An Open Port! Is security compromised? Is it really open?

    iptables is pretty easy to deal with. I use it without using ufw or gufw.

    See here for a good intro:

    http://bodhizazen.net/Tutorials/iptables
