iptables anomaly

Have you done a tcpdump to verify that packets from your scan destined for those ports are actually reaching your server?

This also might be of interest, though I can't say I've dealt with this personally: http://blog.nephtaliproject.com/?p=129

It might be your home network is catching these ports. Some ISPs steal ports for admin purposes. Some routers get in the way. If you provide your linode IP address then others can test to see if they see the port open or not.

(And maybe worth you getting a HE tunnelbroker.net IPv6 connection for home; it's free :-))

You can save yourself a lot of pain and agony by simplifying your iptables rules, and getting rid of your outbound rules (they don't increase security, and prevent you from using your Linode to SSH into other legitimate hosts, among other things). That said, as for your open ports, it's likely your home router is accepting connections for those ports, so that it can provide better NAT-ing for services on those ports (554 is Real-Time Streaming Protocol, which has some issues with NAT, I hear). Apple's AirPort Extreme does this: ~~[https://discussions.apple.com/thread/2047569?start=0&tstart=0" target="_blank">](https://discussions.apple.com/thread/20 … 0&tstart=0">https://discussions.apple.com/thread/2047569?start=0&tstart=0](. If you give us your IP address, we can check from other locations (or our own Linodes) to confirm.

-Doug

Hmm… Didn't know routers would interfere with nmap. I'd appreciate if someone could confirm for me. IPv4 on 97.107.128.171, IPv6 on 2600:3c03::f03c:91ff:fe69:21fa/64 (or at least, as reported by ifconfig -- I'm admittedly an IPv6 newb, so the Linode Manager's reported IPv6 looks like Ancient Egyptian to me).

Thanks.

@sweh:

(And maybe worth you getting a HE tunnelbroker.net IPv6 connection for home; it's free :-))

Google, define:paranoia :wink: I don't trust what I can't configure myself. I'll configure my Linode as my IPv6 tunnel, at least when I know enough about it :roll:

@dwfreed:

You can save yourself a lot of pain and agony by simplifying your iptables rules, and getting rid of your outbound rules (they don't increase security, and prevent you from using your Linode to SSH into other legitimate hosts, among other things).

Sure, outbound rules are useless provided the inbound rules are configured correctly. However, they do provide a safety net in the sense that, if by accident one configures iptables to allow all inbound, the ability of a hacker to send out spammy traffic will be limited – though nothing beats double-checking one's work to make sure it's configured correctly :)

Personally I don't consider it a pain to adjust iptables, it's not complicated once one understands the basics.

(edit to correct a sentence (really gotta learn to use the preview))

Here's an nmap from a Linode in the same datacenter (Newark):

Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-06 03:32 UTC
Nmap scan report for kriskrehart.com (97.107.128.171)
Host is up (0.00043s latency).
Not shown: 989 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http
143/tcp  closed imap
443/tcp  closed https
465/tcp  closed smtps
587/tcp  closed submission
993/tcp  open   imaps
6667/tcp open   irc
8080/tcp open   http-proxy

Nmap done: 1 IP address (1 host up) scanned in 4.65 seconds

Looks like you're good.

Your IPv6 address isn't working though. Are you blocking ICMPv6? IPv6 gets extremely unhappy when you do that (it's not as forgiving as IPv4 in that regard).

@AGWA:

Your IPv6 address isn't working though. Are you blocking ICMPv6? IPv6 gets extremely unhappy when you do that (it's not as forgiving as IPv4 in that regard).

This is true. Blocking ICMPv6 via ip6tables effectively prevents the system from assigning your Linode its IPv6 address (SLAAC comes to mind here), and just overall causes more problems than its worth, so be sure you're not doing that.

@BDIkaros:

This is true. Blocking ICMPv6 via ip6tables effectively prevents the system from assigning your Linode its IPv6 address (SLAAC comes to mind here), and just overall causes more problems than its worth, so be sure you're not doing that.
Yup. Another problem is that the Neighbor Discovery Protocol (the successor to ARP) uses ICMPv6, so blocking ICMPv6 is basically equivalent to blocking ARP in IPv4.

````
Interesting ports on kriskrehart.com (97.107.128.171):
Not shown: 65525 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
53/tcp open domain
80/tcp open http
143/tcp closed imap
443/tcp closed https
465/tcp closed smtps
587/tcp closed submission
993/tcp open imaps
6667/tcp open irc
8080/tcp open http-proxy

````

No 554 and no 7070 open.

@Piki:

I don't trust what I can't configure myself.

By that logic, you shouldn't be connecting to the Internet. Sarcasm aside, HE tunnels are easy to set up, and are no more of a security risk than connecting to the Internet in the first place. They're quite useful when you're not sure how to use your own Linode for this purpose.

@Piki:

Sure, outbound rules are useless provided the inbound rules are configured correctly. However, they do provide a safety net in the sense that, if by accident one configures iptables to allow all inbound, the ability of a hacker to send out spammy traffic will be limited – though nothing beats double-checking one's work to make sure it's configured correctly :)

Personally I don't consider it a pain to adjust iptables, it's not complicated once one understands the basics.

iptables should be thought of a supplement to your main security measures, not a replacement. You should focus on securing your applications at the application level first (key-only auth for SSH, something like fwknop to reduce logspam from brute force attempts, secure passwords for things that only accept password auth, keeping up with system and kernel updates, etc), and use iptables only when your application does not allow you to restrict access as flexibly as you'd like, and there's no other suitable alternative. One such example would be a TCP-based application that is normally only communicated with over loopback, but also needs to be accessed by a remote server, and the application provides no access control lists that allow specifying allowed hosts, or the application has a history of security issues, but no alternative exists (rare). This is one case where iptables becomes useful, and not just a hassle, to prevent unauthorized access while still allowing authorized access.

As an example of my previous point that your outbound rules do not provide increased security, based on your current rules, I see 3 ways that a malicious user that has taken advantage of a security hole in software you run or a misconfiguration of software could use your Linode for malicious purposes that would get you in trouble. Further evaluation of your ruleset shows that you're blocking all inbound ICMP not associated with existing traffic, and all outbound ICMP, unless it's an echo request. ICMP is a completely harmless protocol, and by blocking it you only cause yourself more pain and suffering (most monitoring tools would report your Linode as down, for example, and we have no way of verifying whether your Linode is down or if there's a legitimate issue within our network, or just a problem with the return route from your Linode to you). One example of a way to simplify your iptables rules would be to condense your 10 state related, established rules into 1 that doesn't have a port specified, thus catching all of them at once. Leave out protocol as well, for maximum effectiveness.

As always, these are only suggestions, and we can't force you to implement them, as it's your system, but I generally prefer less pain over more, as well as simplicity and sanity in my rulesets.

-Doug

@dwfreed:

Interesting ports on kriskrehart.com (97.107.128.171):
Not shown: 65525 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
53/tcp   open   domain
80/tcp   open   http
143/tcp  closed imap
443/tcp  closed https
465/tcp  closed smtps
587/tcp  closed submission
993/tcp  open   imaps
6667/tcp open   irc
8080/tcp open   http-proxy

No 554 and no 7070 open.

Thanks.

@dwfreed:

@Piki:

I don't trust what I can't configure myself.

By that logic, you shouldn't be connecting to the Internet. Sarcasm aside, HE tunnels are easy to set up, and are no more of a security risk than connecting to the Internet in the first place. They're quite useful when you're not sure how to use your own Linode for this purpose.

There's only so far paranoia can go without restricting freedom, so one does have to be reasonable :wink:

I'd rather either use my Linode, or wait for my ISP to gain support

@dwfreed:

iptables should be thought of a supplement to your main security measures, not a replacement. You should focus on securing your applications at the application level first (key-only auth for SSH, something like fwknop to reduce logspam from brute force attempts, secure passwords for things that only accept password auth, keeping up with system and kernel updates, etc), and use iptables only when your application does not allow you to restrict access as flexibly as you'd like, and there's no other suitable alternative.

I'd never use it as a replacement. Before chewing me out for that, please be certain that's what I'm doing.

I believe in security at every level, including (but not only) the firewall.

@dwfreed:

As an example of my previous point that your outbound rules do not provide increased security, based on your current rules, I see 3 ways that a malicious user that has taken advantage of a security hole in software you run or a misconfiguration of software could use your Linode for malicious purposes that would get you in trouble.

Please tell. Aside from IRC, I'm unaware of any other issues in my iptables rules.

@dwfreed:

Further evaluation of your ruleset shows that you're blocking all inbound ICMP not associated with existing traffic, and all outbound ICMP, unless it's an echo request. ICMP is a completely harmless protocol, and by blocking it you only cause yourself more pain and suffering (most monitoring tools would report your Linode as down, for example, and we have no way of verifying whether your Linode is down or if there's a legitimate issue within our network, or just a problem with the return route from your Linode to you).

Sure, blocking ICMP can make troubleshooting harder, however it also makes it hard for hackers and DoS'ers to see my Linode. Sure, it can be argued that a determined hacker will try anyways, but any hacker that has no reason to target me specifically won't bother if my server appears offline.

That, plus I can easily check if my Linode is online using a service that is allowed, e.g. http or ssh. And, if I need to ask for help from Linode support, I can use Lish to temporarily enable ICMP.

@dwfreed:

One example of a way to simplify your iptables rules would be to condense your 10 state related, established rules into 1 that doesn't have a port specified, thus catching all of them at once. Leave out protocol as well, for maximum effectiveness.

Meh, I'd feel safer keep my iptables as they are.

For what it's worth, Linode colocates with HE in Fremont. (IPv6 tunnels aren't HE's only service.) You trust Linode, and Linode trusts HE, so that kind of implicitly suggests that you should, too.

If you want to be paranoid, you shouldn't trust the Internet period, which makes the ISPs packets are (supposed to be) traveling through irrelevant.

Anyway, it's up to you, of course. But HE are decent folks.