perfsonar-user - Re: [perfsonar-user] Perfsonar ports - tracepath blocked

Subject: perfSONAR User Q&A and Other Discussion


Re: [perfsonar-user] Perfsonar ports - tracepath blocked


  • From: Andrew Lake <>
  • To: Brian Candler <>, "" <>
  • Subject: Re: [perfsonar-user] Perfsonar ports - tracepath blocked
  • Date: Thu, 18 Feb 2016 09:11:38 -0500

Hi,

What I think may have happened is that fail2ban changed the config file requirements at some point so we need some more directives in /etc/fail2ban/jail.local. This is updated in the forthcoming 3.5.1. Adding the following to the file along with what is already there seems to reactivate it:

#Enable ssh filtering
[sshd]
enabled = true

Thanks,
Andy



On February 18, 2016 at 8:49:50 AM, Brian Candler () wrote:

On 16/02/2016 21:54, Andrew Lake wrote:
As an FYI, the update has been pushed out. It may take the mirrors a bit to all update so give it a few hours. 

The boxes here have updated:

$ sudo iptables -L -n
[sudo] password for brian:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
perfSONAR  all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain perfSONAR (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:5001:5300
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:5001:5300
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:5301:5600
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:5301:5600
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:5601:5900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:5601:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:6001:6200
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:6001:6200
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:8760:9960
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:8760:9960
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123 udp
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp spt:547 dpt:546
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33634
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:8001:8020
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:3001:3003
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:4823
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:861
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:7123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:843
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8090
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

(aside: the "Accept all 0.0.0.0/0 0.0.0.0/0" rule only applies to packets inbound on the 'lo' interface, as "-v" shows)

However, compared to the older boxes, the fail2ban-SSH chain and target link are not there.

I don't *think* I installed the fail2ban rules myself. But I did manually add some other rules for other services, so it's not a clean example to work from.

Maybe what happened is:
- at system installation time, the fail2ban package installed its own iptables rules
- then perfsonar overwrote them

But that's only a guess. If someone can make a fresh install of latest 3.5 ISO they can check if the fail2ban rules are there or not.

Regards,

Brian.
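A way to check for the condition discussed in this thread, written as an added example (not code from the thread or from the perfSONAR or fail2ban projects): it parses a jail.local for an enabled [sshd] jail and an `iptables -S` listing for a fail2ban chain hooked into INPUT. The sample files it runs on are constructed; the chain-name prefixes fail2ban-/f2b- and the file layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check a jail.local for an enabled
# [sshd] jail and an `iptables -S` listing for fail2ban's chain, which is
# what Brian was looking for. Inputs are files so it runs offline on the
# constructed samples below; on a real host pass the live files instead.

# jail_sshd_enabled FILE -> exit 0 if the [sshd] section has enabled = true
jail_sshd_enabled() {
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); next }
        section == "sshd" && /^[ \t]*enabled[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t#].*$/, "", val)
            if (tolower(val) == "true") found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# f2b_chain_present FILE -> exit 0 if a fail2ban chain (fail2ban-* in 0.8,
# f2b-* in 0.9+) is defined and jumped to from INPUT in `iptables -S` output
f2b_chain_present() {
    chain=$(awk '/^-N (fail2ban|f2b)-/ { print $2; exit }' "$1")
    [ -n "$chain" ] || return 1
    grep -q -e "^-A INPUT .*-j $chain\$" "$1"
}

# diagnose JAIL IPT -> one-line verdict; exit 0 only when both checks pass
diagnose() {
    jail_sshd_enabled "$1" && j=enabled || j=missing
    f2b_chain_present "$2" && c=present || c=absent
    echo "sshd jail in jail.local: $j; fail2ban chain in INPUT: $c"
    [ "$j" = enabled ] && [ "$c" = present ]
}

# Constructed sample inputs (not captured from a real host)
JAIL_OK=$(mktemp); JAIL_BAD=$(mktemp); IPT_OK=$(mktemp); IPT_BAD=$(mktemp)
trap 'rm -f "$JAIL_OK" "$JAIL_BAD" "$IPT_OK" "$IPT_BAD"' EXIT
printf '[DEFAULT]\nbantime = 600\n#Enable ssh filtering\n[sshd]\nenabled = true\n' > "$JAIL_OK"
printf '[DEFAULT]\nbantime = 600\n' > "$JAIL_BAD"
printf '%s\n' '-P INPUT ACCEPT' '-N f2b-sshd' '-N perfSONAR' \
    '-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd' \
    '-A INPUT -j perfSONAR' > "$IPT_OK"
printf '%s\n' '-P INPUT ACCEPT' '-N perfSONAR' '-A INPUT -j perfSONAR' > "$IPT_BAD"

diagnose "$JAIL_OK" "$IPT_OK"
diagnose "$JAIL_BAD" "$IPT_BAD" ||
    echo "-> add '[sshd]' with 'enabled = true' to jail.local and restart fail2ban"
```

On a live host, `sudo iptables -S > /tmp/ipt.txt` and `diagnose /etc/fail2ban/jail.local /tmp/ipt.txt` gives the same verdict for the real configuration.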



