Thread: Out of the box uBuntu 24.04 iptables OUTPUT reports security issues

  1. #1
    Join Date
    Oct 2024
    Beans
    4

    Out of the box uBuntu 24.04 iptables OUTPUT reports security issues

    I've just installed an out of the box Ubuntu 24.04 LTS box. I've set the iptables OUTPUT chain to log (and drop) suspicious activity. I've noticed some.
    I look up the IPs on AbuseIPDB, and get the following report:

    Ip Address: 103.203.57.21
    {
    "data": {
    "abuseConfidenceScore": 100,
    "countryCode": "CN",
    "domain": "ipip.net",
    "hostnames": [
    "scan-57-21.security.ipip.net"
    ],
    "ipAddress": "103.203.57.21",
    "ipVersion": 4,
    "isPublic": true,
    "isTor": false,
    "isWhitelisted": false,
    "isp": "Beijing Tiantexin Tech. Co. Ltd.",
    "lastReportedAt": "2024-10-07T10:04:10+00:00",
    "numDistinctUsers": 60,
    "totalReports": 3564,
    "usageType": "Data Center/Web Hosting/Transit"
    }
    }

    There are lots more from LT, CN, GP, and DE. They seem to be hitting ports 22, 80, and 443.

    There is no corresponding traffic on INPUT, so obviously, these OUTPUT requests are internally generated.

    Obviously, these are security issues. How do I resolve them? Has someone else seen this?

  2. #2
    Join Date
    Oct 2024
    Beans
    4

    Re: Out of the box uBuntu 24.04 iptables OUTPUT reports security issues

    I installed auditd to try and find who is doing this. Here are my rules
    -a always,exit -F arch=b64 -S connect -F key=network-connect
    -a always,exit -F arch=b64 -S sendto -F key=sendto-monitoring
    -a always,exit -F arch=b64 -S sendmsg -F key=sendmsg-monitoring
    -a always,exit -F arch=b64 -S socket -F a0=0x2 -F a1=0x3 -F key=raw-socket-monitoring
    -a always,exit -F arch=b64 -S sendto,sendmsg -F a0=0x2 -F key=udp-out-ipv4
    -a always,exit -F arch=b64 -S sendto,sendmsg -F a0=0xA -F key=udp-out-ipv6

    The iptables
    Chain ufw-blocklist-output (1 references)
    pkts bytes target prot opt in out source destination
    249 12256 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 10 LOG flags 0 level 4 prefix "zDROP ufw-blocklist-output: "
    269 13392 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
    catch the packet and kill it, but nothing shows up in auditd logs in journalctl -f

    It may be that the hack is in the kernel, as I'm monitoring user space calls. Or, they are using some RAW output I'm not catching. Any ideas?
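An added example (my own code, not the poster's) that reads the journal lines the LOG target in the chain above writes and classifies each dropped OUTPUT packet from its protocol, ports and TCP flags: a bare SYN from an ephemeral source port is a connection a local process opened (the one case a connect() audit rule would record), while ACK SYN or ACK RST from a listening port, or an ICMP unreachable, is the kernel's own reply to an inbound probe and never passes through a syscall. The sample log lines, addresses and ports are constructed; only the log prefix is taken from the post.

```python
import re
from collections import Counter
from typing import Dict

# Constructed sample of journal lines in the format the kernel LOG target emits (addresses made up).
SAMPLE_LOG = """\
Oct 07 10:04:10 box kernel: zDROP ufw-blocklist-output: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=54321 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct 07 10:04:11 box kernel: zDROP ufw-blocklist-output: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=40002 WINDOW=64240 RES=0x00 ACK SYN URGP=0
Oct 07 10:04:12 box kernel: zDROP ufw-blocklist-output: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 07 10:04:13 box kernel: zDROP ufw-blocklist-output: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=3 CODE=3
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAG_TOKENS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}  # printed as bare words by the LOG target

def parse_log_line(line: str) -> Dict[str, str]:
    """Split one LOG line into its KEY=VALUE fields; the TCP flags are collected under 'FLAGS'."""
    fields = dict(FIELD_RE.findall(line))
    fields["FLAGS"] = " ".join(sorted(tok for tok in line.split() if tok in TCP_FLAG_TOKENS))
    return fields

def classify(fields: Dict[str, str]) -> str:
    """Decide whether the dropped packet was initiated by a local process or generated by the kernel."""
    proto = fields.get("PROTO")
    flags = set(fields.get("FLAGS", "").split())
    if proto == "TCP":
        if flags == {"SYN"}:
            return "outbound-connect"  # a local process called connect(); auditd can see this
        if "RST" in flags or flags == {"ACK", "SYN"}:
            return "kernel-reply"  # the TCP stack answering an inbound probe; no syscall involved
        return "established-data"
    if proto == "ICMP":
        return "kernel-reply"  # e.g. port unreachable sent in response to a UDP probe
    return "other"

def summarize(journal_text: str) -> Counter:
    """Count dropped OUTPUT packets per class; other journal lines are skipped."""
    lines = [l for l in journal_text.splitlines() if "ufw-blocklist-output" in l]
    return Counter(classify(parse_log_line(l)) for l in lines)

def replies_by_local_port(journal_text: str) -> Counter:
    """Local ports whose listeners are drawing probes (the SPT of each TCP kernel reply)."""
    parsed = [parse_log_line(l) for l in journal_text.splitlines() if "ufw-blocklist-output" in l]
    return Counter(f["SPT"] for f in parsed if f.get("PROTO") == "TCP" and classify(f) == "kernel-reply")
```

Feed it `journalctl -k --no-pager` output; a high kernel-reply count with no outbound-connect entries means the OUTPUT hits are responses to inbound scans rather than connections something on the box opened.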

  3. #3
    Join Date
    Jun 2024
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Out of the box uBuntu 24.04 iptables OUTPUT reports security issues

    It appears the host in your first post is a geolocator, which may be a library used in either the base Ubuntu build or an application you installed (perhaps an extension or even a website you visited) that checks where your geo location is. This outbound traffic would be indicative of expected desktop behavior. You can of course block the IP and hostname in your hosts file.

    Why would you think this is a hack?

    Example of what to write in your host file:

    127.0.0.1 x.y.z //direct lookup to localhost address

    (source) https://superuser.com/a/1193394

  4. #4
    Join Date
    Oct 2024
    Beans
    4

    Re: Out of the box uBuntu 24.04 iptables OUTPUT reports security issues

    I think it's a hack because I looked up a number of reported addresses on AbuseIPDB.com, as I'm a subscriber.

    Look specifically for the abuseConfidenceScore. It's the percentage of badness, 100 being totally bad, and 0 being ok.

    Here's the printout of a few addresses:

    Ip Address: 103.203.57.21
    {
    "data": {
    "abuseConfidenceScore": 100,
    "countryCode": "CN",
    "domain": "ipip.net",
    "hostnames": [
    "scan-57-21.security.ipip.net"
    ],
    "ipAddress": "103.203.57.21",
    "ipVersion": 4,
    "isPublic": true,
    "isTor": false,
    "isWhitelisted": false,
    "isp": "Beijing Tiantexin Tech. Co. Ltd.",
    "lastReportedAt": "2024-10-07T16:09:46+00:00",
    "numDistinctUsers": 60,
    "totalReports": 3567,
    "usageType": "Data Center/Web Hosting/Transit"
    }
    }
    Ip Address: 141.98.11.79
    {
    "data": {
    "abuseConfidenceScore": 100,
    "countryCode": "LT",
    "domain": "serveroffer.lt",
    "hostnames": [
    "eletrire.halffail.com"
    ],
    "ipAddress": "141.98.11.79",
    "ipVersion": 4,
    "isPublic": true,
    "isTor": false,
    "isWhitelisted": false,
    "isp": "UAB Host Baltic",
    "lastReportedAt": "2024-10-07T16:03:54+00:00",
    "numDistinctUsers": 167,
    "totalReports": 2555,
    "usageType": "Data Center/Web Hosting/Transit"
    }
    }
    Ip Address: 78.153.140.78
    {
    "data": {
    "abuseConfidenceScore": 0,
    "countryCode": "GB",
    "domain": "interlan.ru",
    "hostnames": [
    "hostglobal.plus"
    ],
    "ipAddress": "78.153.140.78",
    "ipVersion": 4,
    "isPublic": true,
    "isTor": false,
    "isWhitelisted": null,
    "isp": "LLC Company Interlan Communications",
    "lastReportedAt": null,
    "numDistinctUsers": 0,
    "totalReports": 0,
    "usageType": "Fixed Line ISP"
    }
    }
    Ip Address: 154.213.184.15
    {
    "data": {
    "abuseConfidenceScore": 100,
    "countryCode": "DE",
    "domain": "pfcloud.io",
    "hostnames": [],
    "ipAddress": "154.213.184.15",
    "ipVersion": 4,
    "isPublic": true,
    "isTor": false,
    "isWhitelisted": false,
    "isp": "PFCloud UG",
    "lastReportedAt": "2024-10-07T16:16:05+00:00",
    "numDistinctUsers": 873,
    "totalReports": 15493,
    "usageType": "Data Center/Web Hosting/Transit"
    }
    }
    Ip Address: 93.123.85.155
    {
    "data": {
    "abuseConfidenceScore": 42,
    "countryCode": "GB",
    "domain": "mortalsoft.online",
    "hostnames": [],
    "ipAddress": "93.123.85.155",
    "ipVersion": 4,
    "isPublic": true,
    "isTor": false,
    "isWhitelisted": false,
    "isp": "MortalSoft Ltd.",
    "lastReportedAt": "2024-10-07T11:14:12+00:00",
    "numDistinctUsers": 7,
    "totalReports": 13,
    "usageType": "Data Center/Web Hosting/Transit"
    }
    }

  5. #5
    Join Date
    Jun 2024
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Out of the box uBuntu 24.04 iptables OUTPUT reports security issues

    Oh, I'm confused then by your question. Because you specified this is going "out," but in reality, you're talking about IPs hitting your ports. This is very common on the Internet. You shouldn't have your box exposed directly to the Internet, otherwise you should expect to get hit with bots trying to figure out if you're vulnerable to common attacks. With a patched system you will be okay, but you should also harden your OS to prevent attacks.

  6. #6
    Join Date
    Oct 2024
    Beans
    4

    Re: Out of the box uBuntu 24.04 iptables OUTPUT reports security issues

    IP's don't hit the INPUT port, only OUTPUT - that's the point. I have the same iptables rules for INPUT, OUTPUT, and FORWARD. Nobody should ever be able to hit the OUTPUT port if they were stopped by INPUT. Further, after installing tool auditd, and setting it up as above, I don't see anyone from user space hitting connect, sendto, sendmsg, or the raw interfaces.
    The tool does report legitimate users from my box, but nothing happens around the time when the OUTPUT port is hit.

    Another data point: I get the same violations on Ubuntu 22.04 LTS, and on another box with a later revision of Ubuntu 24.04 LTS. To keep the boxes up-to-date, I subscribe to https://ubuntu.com/aws/pro.

    It could be the aws builds I'm using, so I'd like to hear from the greater Ubuntu community on this. If you want to recreate the problem:

    1. curl down - curl -sS -f --compressed -o ../control/ipsum.3.ctl 'https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt'
    2. grep out your box's IP
    3. load the above file into ipset
    4. set up ip firewall rules to block and report (and drop) based on the ipset you create.

    I can publish a python3 program that does these steps if the community is interested. One point though, you can't be sitting on a home WiFi, but rather out there in the wild west internet.
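Steps 2 to 4 of the procedure above as an added Python 3 script (my own code, not the poster's program): it parses a constructed stand-in for the downloaded ipsum level-3 file, removes the box's own address, and emits the `ipset restore` stream plus the iptables LOG/DROP rules for both chains. The set name ipsum3 and the log prefix are assumptions; step 1 stays with curl as in the post, and the script only generates the commands, which need root to apply.

```python
import ipaddress
from typing import Iterable, List

# Constructed stand-in for levels/3.txt: one IPv4 address per line, '#' starts a comment.
SAMPLE_IPSUM = """\
# ipsum level 3 (constructed sample, not the real list)
198.51.100.7
203.0.113.4
10.0.0.5
not-an-ip
203.0.113.4
"""
SET_NAME = "ipsum3"  # assumed set name

def parse_ipsum(text: str, own_ips: Iterable[str]) -> List[str]:
    """Step 2: unique, valid IPv4 addresses from the list, minus this box's own addresses."""
    own = {ipaddress.ip_address(a) for a in own_ips}
    keep: List[ipaddress.IPv4Address] = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # tolerate a trailing count column
        if not tokens:
            continue
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # skip malformed lines instead of feeding them to ipset
        if ip.version == 4 and ip not in own and ip not in keep:
            keep.append(ip)
    return [str(ip) for ip in keep]

def ipset_restore_script(ips: List[str]) -> str:
    """Step 3: input for `ipset restore`; build a fresh set and swap it in so the live set is never empty."""
    lines = [f"create {SET_NAME} hash:ip family inet -exist",
             f"create {SET_NAME}-new hash:ip family inet -exist",
             f"flush {SET_NAME}-new"]
    lines += [f"add {SET_NAME}-new {ip}" for ip in ips]
    lines += [f"swap {SET_NAME}-new {SET_NAME}", f"destroy {SET_NAME}-new"]
    return "\n".join(lines) + "\n"

def iptables_rules(prefix: str = "zDROP ipsum3") -> List[str]:
    """Step 4: rate-limited LOG then DROP, for listed sources on INPUT and listed destinations on OUTPUT."""
    rules = []
    for chain, direction in (("INPUT", "src"), ("OUTPUT", "dst")):
        match = f"-m set --match-set {SET_NAME} {direction}"
        rules.append(f"iptables -I {chain} 1 {match} -m limit --limit 5/min --limit-burst 10 "
                     f'-j LOG --log-prefix "{prefix} {chain}: " --log-level 4')
        rules.append(f"iptables -I {chain} 2 {match} -j DROP")
    return rules
```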

  7. #7
    Join Date
    Jun 2024
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Out of the box uBuntu 24.04 iptables OUTPUT reports security issues

    IP's don't hit the INPUT port, only OUTPUT - that's the point.
    That is incorrect. Public IPs when talking to your device will go to the input port. They won't use the output port. Your device uses the output port.

    https://sudamtm.medium.com/iptables-...e-276b8604eff1

    Further, after installing tool auditd, and setting it up as above, I don't see anyone from user space hitting connect, sendto, sendmsg, or the raw interfaces.
    I think wireshark would be a better tool.

    I can publish a python3 program that does these steps if the community is interested. One point though, you can't be sitting on a home WiFi, but rather out there in the wild west internet.
    It is very normal for random public IPs to connect to your device when it's on the public routable Internet. They can do a port knock or other methods to check which port is open. The most common is 22 as you mentioned above.

    As I said, I think this is pretty normal. You shouldn't rely on host firewall to protect your machine but a T3 router or a virtual router if on AWS like VPC firewall.
