I am getting a lot of unwanted access to my virtualmin web server: Operating system Debian Linux 9, Webmin version 1.881, Virtualmin version 6.02.gpl, Kernel and CPU Linux 4.9.0-6-686-pae on i686
Here is a cleaned-up list of some of the accesses using 'pktstat -i eth0 -nt'
152.6k 6% udp <not my address>:22473 <-> <my address>:53
146.5k 5% udp <not my address>:18575 <-> <my address>:53
122.1k 4% udp <not my address>:52275 <-> <my address>:53
...
13.5k 0% arp
...
4.6k 0% udp 0.0.0.0:68 <-> 255.255.255.255:67
...
569.6 0% llc 802.1d -> 802.1d
417.7 0% udp <not my address>:5353 <-> 224.0.0.251:5353
291.1 0% udp <not my address>:137 <-> 209.160.27.255:137
224.7 0% udp <not my address>:5678 <-> 255.255.255.255:5678
148.7 0% udp <not my address>:1985 <-> 224.0.0.102:1985
...
My IP is not any of those above.
1- I would need something to prevent port 53 from getting so many queries.
2- Not sure what to do about 'arp' and 802.1d?
3- I did not enable 5353, 137, 5678 or 1985 but they seem to pass through. By default all should be dropped, no? See the bottom of my post for a more complete set of iptables rules.
# Set default chain policies
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
4- I thought I already blocked port 0.0.0.0 and 255.255.255.255 using these?
# Reject spoofed packets
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -s 192.168.0.0/24 -j DROP
# RFC 3330
-A INPUT -s 192.0.2.0/24 -j DROP
# TEST-NET rfc3330
#-A INPUT -s 198.18.0/25 -j DROP
# testnet2 from rfc2544
#-A INPUT -s 198.51.100/24 -j DROP
# testnet3 RFC 5736, RFC 5737
#-A INPUT -s 203.0.113/24 -j DROP
# protocol assignment(192.0.0.0/24)
-A INPUT -s 192.0.0.0/24 -j DROP
# carrier grade nat from rfc6598
#-A INPUT -s 100.64/10 -j DROP
5- I tried blocking port 1985 and also IP 224.0.0.102 using this but it does not seem to work either:
# Reject HSRP
-A INPUT -p udp --dport 1985 -j DROP
-A OUTPUT -p udp --dport 1985 -j DROP
-A OUTPUT -s 224.0.0.102 -j DROP
# Drop multicast
-A INPUT -m pkttype --pkt-type multicast -j DROP
Here is a stripped-down version of my iptables.up.rules:
Each of the 'allow' below is like this but with a different port:
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow previously accepted
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow incoming SSH
# Allow Virtualmin
# Allow incoming HTTP
# Allow incoming HTTPS
# MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
# Allow outgoing HTTP
# Allow outgoing HTTPS
# Ping from inside to outside
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Ping from outside to inside
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that doesn't use lo0
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
# Allow inbound DNS
# Allow outbound DNS
# Allow SMTP
# Allow SMTP SSL
# Allow POP3S
# Allow FTP
# to investigate?
-A INPUT -p tcp -m tcp -m limit --tcp-flags FIN,SYN,RST,ACK SYN --limit 5/sec -j ACCEPT
# Prevent http DoS attack
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
# Drop null packets
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Block fragmented Packet
-A INPUT -f -j DROP
# Force SYN Packet Check
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop XMAS packets
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Reject spoofed packets
see '4-' above
# Log dropped packets
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 6/min -j LOG --log-prefix "iptables packet dropped: " --log-level 7
-A LOGGING -j DROP
-A FORWARD -j DROP
COMMIT
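As an added example (not part of the original post), a small Python triage script for pktstat-style lines like the ones above: it separates link-local chatter (arp, 802.1d) and broadcast/multicast flows from unicast traffic actually addressed to the host, and lists peers sending heavy UDP/53 traffic. The sample lines are constructed, with TEST-NET addresses standing in for the redacted ones, and the rate column is assumed to be bytes/s with an SI suffix.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the shape of `pktstat -i eth0 -nt` output (not the poster's
# real data): 203.0.113.10 stands in for the server, 192.0.2.x for remote peers.
SAMPLE = """\
152.6k 6% udp 192.0.2.10:22473 <-> 203.0.113.10:53
146.5k 5% udp 192.0.2.11:18575 <-> 203.0.113.10:53
13.5k 0% arp
4.6k 0% udp 0.0.0.0:68 <-> 255.255.255.255:67
569.6 0% llc 802.1d -> 802.1d
148.7 0% udp 192.0.2.21:1985 <-> 224.0.0.102:1985
"""
LINE = re.compile(r"^(?P<rate>[\d.]+)(?P<unit>[kMG]?)\s+\d+%\s+(?P<proto>\S+)(?:\s+(?P<rest>.*))?$")
FLOW = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+)\s+<->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
SCALE = {"": 1.0, "k": 1e3, "M": 1e6, "G": 1e9}  # rate column read as bytes/s (assumption)

def classify(line, my_ip):  # one pktstat line -> dict, or None if it does not parse
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = {"rate": float(m["rate"]) * SCALE[m["unit"]], "proto": m["proto"]}
    f = FLOW.match(m["rest"] or "")
    if m["proto"] in ("arp", "llc") or not f:
        rec["kind"] = "link-local"           # ARP, 802.1d/STP: no IP endpoints at all
        return rec
    if ip_address(f["dst"]).is_multicast or f["dst"] == "255.255.255.255":
        rec["kind"] = "broadcast/multicast"  # HSRP, mDNS, DHCP: not addressed to this host
    else:
        rec["kind"] = "to-host" if f["dst"] == my_ip else "other"
    rec.update(src=f["src"], dport=int(f["dport"]))
    return rec

def records(text, my_ip):
    return [r for r in (classify(l, my_ip) for l in text.splitlines()) if r]

def traffic_by_kind(text, my_ip):
    """Total rate per category: how much of the capture is local noise vs. real inbound traffic."""
    totals = defaultdict(float)
    for rec in records(text, my_ip):
        totals[rec["kind"]] += rec["rate"]
    return dict(totals)

def heavy_dns_clients(text, my_ip, threshold=100e3):
    """Peers sending unicast UDP to the host's port 53 at or above `threshold` bytes/s."""
    per_src = defaultdict(float)
    for rec in records(text, my_ip):
        if rec["kind"] == "to-host" and rec["proto"] == "udp" and rec["dport"] == 53:
            per_src[rec["src"]] += rec["rate"]
    return {src: rate for src, rate in per_src.items() if rate >= threshold}
```

Feed it `pktstat -i eth0 -nt` output and your own address; the broadcast/multicast and link-local totals are traffic that was never addressed to the host in the first place.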
1- I would need something to prevent port 53 from getting so many queries.
If your Virtualmin server is one of the name servers that external hosts query to find your services (mail/web/etc), then you should expect to get regular traffic on port 53 UDP (this is DNS traffic).
2 - ARP is completely normal - it is used to resolve your IP address to your hardware MAC address on the local link (between the NIC, switch, router, other machines on the LAN). 802.1d is just some chatter from your switch.
3 - iptables rules are assessed in order. It's hard to make any kind of call about your rules as you have posted them piecemeal.
1- If your Virtualmin server is one of the name servers that external hosts query to find your services (mail/web/etc), then you should expect to get regular traffic on port 53 UDP (this is DNS traffic).
I agree, but not >100kbs from one or more IPs continuously.
2 - ARP is completely normal - it is used to resolve your IP address to your hardware MAC address on the local link (between the NIC, switch, router, other machines on the LAN). 802.1d is just some chatter from your switch.
I am no expert, but I sometimes get 70% of my bandwidth in ARP, so it looks abnormal to me.
The machine is a dedicated server connected to the internet in a data center.
So 802.1d is normal in that setup?
3 - iptables rules are assessed in order. It's hard to make any kind of call about your rules as you have posted them piecemeal.
Thanks, I will try to move them up to see if it helps.
Re: 1. It's possible that those IPs are using your server as a recursive DNS server. Generally this is undesirable. I don't think the default Virtualmin BIND config prevents this. You can change the behavior as follows:
In Webmin -> Servers -> BIND DNS Server -> Edit Config File -> /etc/bind/named.conf.options
You will see
options {
    directory "/var/cache/bind";
at the top.
Change it to look like
options {
    directory "/var/cache/bind";
    allow-query {
        any;
    };
    allow-recursion {
        a.b.c.d;
        v.w.x.y;
        localhost;
    };
The a.b.c.d and v.w.x.y are optional. Replace them with IPs you would like to be able to use your DNS for recursive lookups, or just remove them if you only want your server to be able to do that. Don't forget to save the file and restart BIND afterwards.
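To confirm the allow-recursion change took effect, here is an added Python check (not Webmin or BIND code) that does what an open-resolver test does: it sends one query with the RD bit set and reports whether the server answers with RA (recursion available), REFUSED, or neither. Run it from a host that is not in the allow-recursion list; the server name and the example.com query name are assumptions.

```python
import random
import socket
import struct

RD, RA = 0x0100, 0x0080          # DNS header flag bits: recursion desired / available
REFUSED = 5                      # RCODE BIND returns to clients it will not recurse for

def build_query(qname, txid, qtype=1):
    """Encode a minimal DNS query (QTYPE 1 = A, class IN) with RD set, as a stub resolver would."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Return (txid, rcode, ra_set, ancount) from the 12-byte DNS response header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, _qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    return txid, flags & 0x000F, bool(flags & RA), ancount

def classify_response(resp, txid):
    """'open' if the server advertises recursion (RA) to this client, else 'refused' or 'closed'."""
    rid, rcode, ra, _ancount = parse_header(resp)
    if rid != txid:
        return "mismatched-id"
    if rcode == REFUSED:
        return "refused"
    return "open" if ra else "closed"

def check_recursion(server, qname="example.com", timeout=3.0):
    """Send one recursive query from this vantage point and classify the answer."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (server, 53))
        resp, _ = s.recvfrom(512)
    return classify_response(resp, txid)

if __name__ == "__main__":
    import sys
    print(check_recursion(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

From localhost the result is expected to be "open" because localhost is in the allow-recursion list; "refused" or "closed" from an outside host is the desired outcome.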
Thanks for the info.
I had checked with this free web site tool and it turned out ok: http://www.openresolver.com