Problem in creating jumphost by configuring iptables - centos

I have added the following iptables rules to create a jumphost. I want to ssh to the IP defined in the iptables config file.
But the problem is that even after defining the iptables rules I am unable to ssh to the IP defined in the iptables configuration file. While doing ssh it shows connection timeout or connection refused. Can you please tell me what I am doing wrong or missing?
Changes in the /etc/sysconfig/iptables file:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 10.18.** -j ACCEPT
-A OUTPUT -d 10.18.** -j ACCEPT
-A OUTPUT -d 10.18.** -j ACCEPT
-A OUTPUT -d 10.32.** -j ACCEPT
COMMIT
Even after the iptables configuration, the connection is refused while doing ssh:
ssh 10.32.**
ssh: connect to host 10.32.** port 22: Connection refused

Going by the assumption that you have given the runtime configuration of iptables, the issue could just be that the ssh daemon itself is not running.
Please verify that the config you have in the file is the actual runtime config. You can do that by running iptables-save > /tmp/rules.v4 and comparing with your original file.
Make sure the ssh daemon is running and is reachable on the public/all interfaces. You can check that using the command netstat -nltpe | grep 22

Related

psql: could not connect to server: Connection refused

I am accessing a remote PostgreSQL server with psql -h xxx.xxx.xxx.xxx -p 1486 postgres
It shows this error:
psql: could not connect to server: Connection refused
Is the server running on host "xxx.xxx.xxx.xxx" and accepting
TCP/IP connections on port 1486?
postgresql.conf file
listen_addresses = '*'
pg_hba.conf file
host all all 0.0.0.0/0 md5
I also opened port 1486:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d X.X.X.X --dport 1486 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s X.X.X.X --sport 1486 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
It returns the same error.
It's hard to give a canonical answer but here are a few things to try (some of them may not apply / be possible):
Ping the IP address in question - is the server up at all / reachable? Are there other services on the box that can be reached?
Connect from a local connection on the server itself, assuming you have console or ssh access
If you have local access and network based access doesn't work, is unix-domain socket access allowed and if so, does that work?
Check the port config in postgresql.conf - is it really where you think it is?
Has the config file been edited since the last server restart? The parameters you listed all require server restarts to take effect.
Is it actually using the config file you think it is? Running "SHOW config_file;" as superuser will help if you can make a local connection
What happens if you do telnet 1486? Do you get a network connection or a similar error?
Get a pcap and check what's happening at the network level (wireshark or tcpdump will help)

Prevent access from outside, mongodb

Got a server exposed to the recent MongoDB ransom scam. https://www.bleepingcomputer.com/news/security/mongodb-databases-held-for-ransom-by-mysterious-attacker/
I closed it down until I fixed this.
What's the easiest way to fix this? Is it to add a user?
mongo
use admin
db.createUser( { user: "root", pwd: "password", roles: [ "root" ] } )
Is this enough to avoid getting hacked?
Expanding on @Sammye's comment: MongoDB often has no password for a database user. This is especially problematic if the database is facing the public internet because, just by trying the right port on the IP address of your server, everyone on the internet could theoretically connect to the database server.
To prevent this it is always a good idea to limit the traffic that can reach your server and its ports with a firewall.
Here is a sample iptables configuration (for Ubuntu):
The following commands allow all traffic to localhost and to ports 22 (ssh), 80 (http) and 443 (https):
# accept local traffic
sudo iptables -A INPUT -i lo -j ACCEPT
# allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow connections to ports 22, 80, 443
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
These commands block the rest of the traffic:
# drops the rest of the traffic to the server
# sudo iptables -P INPUT DROP
# disables the possibility to route traffic through the server (you may or may not want to use this)
# sudo iptables -P FORWARD DROP
# makes it possible to send data from the server
# sudo iptables -P OUTPUT ACCEPT
Before running any of these iptables commands it is always a good idea to set up a cronjob that resets your iptables configuration every 5 minutes. In that case if something goes wrong (you lock yourself out of the server for example because you forgot to enable port 22 in your firewall) the rules get reset and you can fix the issue.
This is a script from the Ubuntu iptables wiki to reset the firewall:
https://help.ubuntu.com/community/IptablesHowTo
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
When everything is finished and seems to be working, do not forget to install the package iptables-persistent (by default the iptables rules only exist until the server is restarted):
sudo apt-get install iptables-persistent
This is by far not a complete guide on how to secure your server with iptables as a firewall, but I hope that it can get you started.
Now the database is only reachable from the server and not from the public internet anymore. To access your database from the public internet anyway, you will have to create an ssh tunnel to your server:
ssh youruser@yourdomain_or_ip_address -f -N -L 27019:yourdomain_or_ip_address:27019
-f -N -L 27019 <-- here you define the port that should be used on your machine for the database traffic
yourdomain_or_ip_address:27019 <-- this is the port that the database runs on on your server
When this is done you should be able to access the database on your server from your local machine at 127.0.0.1:27019.
This is a more general way to secure any application that runs on a server that is exposed to the internet.
There is also an official guide on how to specifically secure MongoDB internally; you can find it here: https://docs.mongodb.com/manual/administration/security-checklist/
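As an added example (not code from any of the posts above), here is a small Python evaluator for an iptables-save style ruleset, the kind both the first question and the firewall answer above rest on: it predicts whether a packet on a given chain is accepted, so a defender can check that OUTPUT-only rules with ACCEPT policies never block inbound SSH, and that after INPUT DROP port 27017 is reachable only via the loopback interface. The ruleset is constructed; the parser understands only the options used on this page and assumes every option takes one value.

```python
import shlex

# Constructed ruleset (not from the page): the answer's allow rules with the
# INPUT policy set to DROP, as its commented-out "-P INPUT DROP" step would do.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

def parse_filter(text):
    """Return ({chain: policy}, [rules]) from an iptables-save style *filter table."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                       # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):                    # "-A CHAIN <options> -j TARGET"
            toks = shlex.split(line)
            opts = dict(zip(toks[2::2], toks[3::2]))   # assumes every option takes one value
            states = opts.get("--state") or opts.get("--ctstate")
            rules.append({"chain": toks[1], "iface": opts.get("-i"), "proto": opts.get("-p"),
                          "dport": int(opts["--dport"]) if "--dport" in opts else None,
                          "states": set(states.split(",")) if states else None,
                          "target": opts.get("-j")})   # -m, -s, -d, --sport are ignored
    return policies, rules

def verdict(text, chain, proto=None, dport=None, iface="eth0", state="NEW"):
    """Walk the chain in order: the first matching rule wins, else the chain policy."""
    policies, rules = parse_filter(text)
    for r in rules:
        if (r["chain"] == chain
                and r["iface"] in (None, iface)
                and r["proto"] in (None, proto)
                and r["dport"] in (None, dport)
                and (r["states"] is None or state in r["states"])):
            return r["target"]
    return policies.get(chain, "ACCEPT")
```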

Changes to iptables has no effect. What's wrong with my script?

This is my iptables script, which I run in bash. Saving the configuration is part of the script.
#!/bin/bash
#
# iptables configuration
#
# Set default rule to ACCEPT to avoid being locked out
iptables -P INPUT ACCEPT
# Flush all existing rules
iptables -F
# New default rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# localhost:
iptables -A INPUT -i lo -j ACCEPT
# Not entirely sure what this is about....:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow http traffic for tomcat:
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
# Save rules:
/sbin/service iptables save
But, after testing it seems that these rules have no effect after all.
Example: If I comment out the line for allowing traffic to my tomcat server, I can still reach my tomcat server from outside.... even after a reboot.
What's wrong with my script?
BTW: I'm using CentOS 6.
After saving the newly added rules to your iptables, you have to restart the service so that the changes take effect:
/sbin/service iptables restart
or
/etc/rc.d/init.d/iptables restart
You can add this at the end of the script (for CentOS):
iptables-save > /etc/sysconfig/iptables
service iptables restart
Problem
Why this happens
iptables functionality is used by some other services like ufw or firewalld (depending on the distro you are using), which are blocking the changes made by the iptables CLI.
Solution
All you have to do is remove the firewall package installed on your machine.
For Ubuntu (Debian distros), use the following command to remove the package:
sudo apt purge ufw -y

Access remote Postgres server with pgAdmin

I've got pgAdmin running on my XP machine. There's a Centos machine running a Postgres server on the network. The Postgres server pg_hba.conf file has the following lines
TYPE DATABASE USER CIDR-ADDRESS METHOD
host all all 10.0.0.68/32 trust
local mydb myuser password
local all postgres ident
host mydb myuser 10.0.0.68/32 password
host all postgres 10.0.0.68/32 trust
My postgresql.conf file has the following line:
listen_address = 'localhost, 10.0.20.10'
nmap -sS 10.0.20.10 shows:
PORT STATE SERVICE
5432/tcp open postgresql
I can ssh into a bash shell on the server, but I can't connect with pgAdmin. I get the following:
could not connect to server: No route to host(0x00002751/10065) Is the
server running on host "10.0.20.10" and accepting TCP/IP connections
on port 5432?
I've no idea what the problem is.
@Aidan found the solution himself:
It was a firewall issue.
service iptables stop
enabled the connection. I'll just write a rule to allow the connection.
Suppose the server's IP address is 10.0.20.10; then you could just add these iptables rules, as @Dark Star1 proposed in the comments:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.0.20.10 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 10.0.20.10 --sport 5432 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Can't connect to MongoD / bizarre

I installed mongoDB through the official tutorial http://www.mongodb.org/display/DOCS/Building+for+Linux
The daemon starts up, and netstat -na | grep 27017 shows:
tcp 0 0 0.0.0.0:27017 0.0.0.0:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 100949 /tmp/mongodb-27017.sock
I added these iptables rules:
-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -j ACCEPT
When loading it through the browser, I get the web management interface on 28017 fine.
If I add a remote connection on mongoHQ, I get to use the database.
On the other hand, if I run the client locally, an error is raised:
Error: could not connect to server 127.0.0.1 shell/mongo.js:79 exception: connect failed
Same if I try to use the database in an existing project: I can't connect to it.
I'm going round in circles and I do not understand; thank you in advance for your help.
Solution if you have this problem:
iptables -t filter -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -t filter -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
And it's ok ^^
Does the firewall need to be explicitly opened on port 27017 to allow outbound TCP connections?
iptables -A OUTPUT -p tcp --dport 27017 -j ACCEPT