
iptables reset

  • 30-06-2015 3:09pm
    #1
    Registered Users Posts: 1,477 ✭✭✭


    Anyone ever come across a case of iptables flushing its rules, automatically? Just had a case of a server that seems to have flushed itself. Nothing in the auth log, syslog or bash_history to suggest it was done via a command.
    Pretty worrying - not sure if it could be a bug or if the system was compromised. Debian 7.8, all up to date.


Comments

  • Moderators, Society & Culture Moderators Posts: 9,717 Mod ✭✭✭✭Manach


    Afraid not - on my current RHEL 6.5 setup, any refreshing is done as part of a manual and documented process. Perhaps someone else had access to the system and was ad-hoc testing adding IPs?


  • Registered Users Posts: 1,477 ✭✭✭azzeretti


    Manach wrote: »
    Afraid not - on my current RHEL 6.5 setup, any refreshing is done as part of a manual and documented process. Perhaps someone else had access to the system and was ad-hoc testing adding IPs?

    Yeah, I thought that (although I am the only one with access and the key). But that would have shown up in the log/history file.

    Checking to see if there are any questionable lines in sudoers but so far all looks good. Wonder if there was a compromise - I'd actually prefer that if it explains why it happened!


  • Registered Users Posts: 2,717 ✭✭✭ARGINITE


    Was the server rebooted anytime before you noticed the rules were flushed?


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    ARGINITE wrote: »
    Was the server rebooted anytime before you noticed the rules were flushed?

    OP didn't mention what distro they are using. Usually iptables commands are saved in memory. For them to become persistent, you must issue a save command such as iptables save.

    Is it possible the iptables daemon got restarted or as arginite says the server was rebooted?

    I was thinking about this last night and maybe someone, via an OS command injection vulnerability, could have flushed the rules, but with a vulnerability like that you often get a single chance, and I'd rather properly back-door the machine than issue a single command like flushing firewall rules.

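The point above about rules living in memory also gives you a way to check them: `iptables-save` turns the running ruleset into text, so a dump taken when the rules were known-good can be stored and compared against a fresh dump later. The script below is an added example, not code from this thread or from the OP's device. It classifies a current dump against a baseline as intact, flushed (no rules at all, which is what `iptables -F` leaves behind) or changed, and wraps that in a cron-friendly check that logs to syslog. The file names, the `fwcheck` logger tag and the sample dumps are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from this thread or from the OP's device. The
# running ruleset lives only in kernel memory; iptables-save gives it a text
# form that can be stored as a baseline and compared later. These functions
# classify a current dump against that baseline. File names and the logger
# tag are this example's own choices.

# count_rules DUMP: number of rule lines (-A ...) in an iptables-save dump.
# iptables -F removes exactly these lines and leaves the chain policies.
count_rules() {
    cr_n=$(grep -c '^-A ' "$1" 2>/dev/null || true)
    printf '%s\n' "${cr_n:-0}"
}

# normalize DUMP: drop what differs between two dumps of the same ruleset
# (timestamped comments, the [packets:bytes] counters on chain lines) so
# two dumps can be compared as plain text.
normalize() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# ruleset_state BASELINE CURRENT: prints one word
#   flushed  CURRENT has no rules at all (what iptables -F leaves behind)
#   intact   CURRENT equals BASELINE apart from counters and comments
#   changed  rules are present but differ from BASELINE
ruleset_state() {
    if [ "$(count_rules "$2")" -eq 0 ]; then
        printf 'flushed\n'
    elif [ "$(normalize "$1")" = "$(normalize "$2")" ]; then
        printf 'intact\n'
    else
        printf 'changed\n'
    fi
}

# check_live BASELINE: dump the running ruleset, compare, and log to syslog
# when it is not intact. Needs root; meant for a cron job every few minutes,
# so a flush shows up in the logs within minutes instead of on discovery.
check_live() {
    cl_tmp=$(mktemp) || return 2
    iptables-save > "$cl_tmp" 2>/dev/null || { rm -f "$cl_tmp"; return 2; }
    cl_state=$(ruleset_state "$1" "$cl_tmp")
    rm -f "$cl_tmp"
    [ "$cl_state" = intact ] && return 0
    logger -t fwcheck -p auth.warning "iptables ruleset $cl_state (baseline: $1)"
    return 1
}

# --- Constructed sample dumps for a stand-alone run (not from a real host) ---
demo=$(mktemp -d)
cat > "$demo/baseline" <<'EOF'
# Generated by iptables-save v1.4.14 on Mon Jun 29 08:00:00 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Mon Jun 29 08:00:00 2015
EOF
# Same rules dumped a day later: only counters and timestamps differ.
sed -e 's/Mon Jun 29 08:00:00/Tue Jun 30 15:09:00/' \
    -e 's/^:INPUT ACCEPT \[0:0\]/:INPUT ACCEPT [8812:1093310]/' \
    "$demo/baseline" > "$demo/later"
# What iptables -F leaves: policies kept, every rule gone. With ACCEPT
# policies the host is now wide open and nothing breaks for the admin,
# which is why a flush can go unnoticed.
grep -v '^-A ' "$demo/baseline" > "$demo/flushed"
# One rule slipped in ahead of the final DROP.
awk '/^-A INPUT -j DROP/ { print "-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT" } { print }' \
    "$demo/baseline" > "$demo/edited"

for f in later flushed edited; do
    printf '%-8s %s\n' "$f" "$(ruleset_state "$demo/baseline" "$demo/$f")"
done
```

Run as root with a baseline taken while the rules were known-good (`iptables-save > /etc/iptables/rules.v4`, then `check_live /etc/iptables/rules.v4` from cron). Counters on the chain lines change with every packet, so the comparison has to strip them; without that, every check would report "changed".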

  • Registered Users Posts: 1,477 ✭✭✭azzeretti


    syklops wrote: »
    OP didnt mention what distro they are using.
    I did! Debian 7.8.
    Usually iptables commands are saved in memory. For them to become persistent, you must issue a save command such as iptables save.
    Is it possible the iptables daemon got restarted or as arginite says the server was rebooted?
    It's a bespoke network device I designed. I have the rules applied from an init script on startup. Even still, the uptime of the system was months. The only way I can think that they got flushed was from either some sort of bug (extremely unlikely) or a manual direction to do so.

    I was thinking about this last night and maybe someone, via an OS command injection vulnerability, could have flushed the rules, but with a vulnerability like that you often get a single chance, and I'd rather properly back-door the machine than issue a single command like flushing firewall rules.


    Yeah, was thinking similar myself. Also, it's not an internet facing device. It is used to authenticate users (in a public area) onto a vlan, meaning the only way it could have been compromised was if someone in that public area did it, as opposed to someone getting lucky with a scan online. It's a noodle scratcher.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    azzeretti wrote: »
    I did! Debian 7.8.
    Apologies.
    Yeah, was thinking similar myself. Also, it's not an internet facing device. It is used to authenticate users (in a public area) onto a vlan, meaning the only way it could have been compromised was if someone in that public area did it, as opposed to someone getting lucky with a scan online. It's a noodle scratcher.

    what is the nature of the public area?

    It needn't be the result of, as you put it, someone getting lucky with a scan. All it really needs is someone in the public area with some l33t skillz to notice something.

    I'm definitely interested in this bespoke network device now. Have you had it pen tested?


  • Registered Users Posts: 1,477 ✭✭✭azzeretti


    what is the nature of the public area?

    It's various public areas (Government amenities, offices etc.) that provide a certain amount of internet access depending on a specific validation method - can't really say too much more except that it isn't necessarily open to all members of the public.
    It needn't be the result of, as you put it, someone getting lucky with a scan. All it really needs is someone in the public area with some l33t skillz to notice something.
    This is true. However, the nature of the people accessing the network would lend itself to the less technical but it is a possibility.
    I'm definitely interested in this bespoke network device now. Have you had it pen tested?
    Yes, in its infancy, but I will certainly be spinning up my Kali laptop at some point this week to run it through its paces again.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    azzeretti wrote: »
    It's various public areas (Government amenities, offices etc.) that provide a certain amount of internet access depending on a specific validation method - can't really say too much more except that it isn't necessarily open to all members of the public.


    This is true. However, the nature of the people accessing the network would lend itself to the less technical but it is a possibility.


    Yes, in its infancy, but I will certainly be spinning up my Kali laptop at some point this week to run it through its paces again.

    Well, let me know if you want someone to give it a glance over.


  • Registered Users Posts: 1,193 ✭✭✭liamo


    @azzeretti please do come back with the source of your problem should you discover it.

    I've nothing to offer in terms of a potential solution but I've put in a fair bit of time Googling and testing and to say that I'm intrigued would be putting it mildly.


  • Registered Users Posts: 1,143 ✭✭✭jumbobreakfast


    Is there a safe mode setting so that if you make a mistake on a remote firewall it will reset itself to allow you to log back in? I remember experiencing that a long time ago with a Linux firewall.


  • Registered Users Posts: 1,477 ✭✭✭azzeretti


    Is there a safe mode setting so that if you make a mistake on a remote firewall it will reset itself to allow you to log back in? I remember experiencing that a long time ago with a Linux firewall.

    CSF does this after initial install: with testing mode set to on, it flushes iptables after five minutes. In this case I've rolled my own, so there's no safe mode!

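The "testing mode" described in the reply above (rules undone after five minutes unless you say otherwise) is easy to bolt onto a hand-rolled setup as well. The script below is an added example, not CSF's code and not the OP's: `guard_apply` snapshots the running ruleset with `iptables-save`, loads the new one with `iptables-restore` and starts a timer; unless `guard_confirm` runs before the timer fires, the snapshot is restored. It restores the previous ruleset rather than flushing, a design choice made here so that a forgotten confirmation never leaves the box open. The state directory, file names, the `SAVE_CMD`/`RESTORE_CMD` indirection and the stub "kernel" used in the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not CSF's code and not from this thread: a lockout guard in
# the spirit of CSF's testing mode. guard_apply snapshots the running ruleset,
# loads a new one and starts a timer; unless guard_confirm runs before the
# timer fires, the snapshot is restored. Directory, file names and the
# SAVE_CMD/RESTORE_CMD indirection are this example's own choices.

STATE_DIR=${STATE_DIR:-/run/fwguard}
SAVE_CMD=${SAVE_CMD:-iptables-save}           # overridable so the logic can be
RESTORE_CMD=${RESTORE_CMD:-iptables-restore}  # exercised without root (see demo)

# guard_apply NEW_RULES TIMEOUT_SECONDS
# Returns 1 if iptables-restore rejects NEW_RULES: a parse error aborts before
# the table's COMMIT, so the old rules stay loaded and no timer is started.
guard_apply() {
    mkdir -p "$STATE_DIR" || return 2
    $SAVE_CMD > "$STATE_DIR/previous" || return 2
    $RESTORE_CMD < "$1" || return 1
    rm -f "$STATE_DIR/confirmed"
    (
        sleep "$2"
        # Timer fired. Re-check the flag in case guard_confirm raced the kill.
        [ -e "$STATE_DIR/confirmed" ] || $RESTORE_CMD < "$STATE_DIR/previous"
    ) &
    echo $! > "$STATE_DIR/timer.pid"
}

# guard_confirm: run from a fresh login once the new rules are known to work.
guard_confirm() {
    touch "$STATE_DIR/confirmed"
    if [ -f "$STATE_DIR/timer.pid" ]; then
        kill "$(cat "$STATE_DIR/timer.pid")" 2>/dev/null || true
        rm -f "$STATE_DIR/timer.pid"
    fi
}

# --- Demo with stubs standing in for the kernel and the iptables binaries ---
# (constructed for a stand-alone run; not a real host)
STATE_DIR=$(mktemp -d)
KERNEL="$STATE_DIR/kernel"        # pretend kernel ruleset
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
    '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' '-A INPUT -j DROP' 'COMMIT' > "$KERNEL"
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
    '-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT' '-A INPUT -j DROP' 'COMMIT' > "$STATE_DIR/new"
fake_save()    { cat "$KERNEL"; }
fake_restore() { cat > "$KERNEL"; }
SAVE_CMD=fake_save
RESTORE_CMD=fake_restore

# current_rules: what is "loaded" right now.
current_rules() { cat "$KERNEL"; }

# Scenario: move SSH to 2222 and never confirm. Once the 1-second timer
# fires, the previous ruleset (port 22) is back.
guard_apply "$STATE_DIR/new" 1
printf 'after apply:   %s\n' "$(current_rules | grep dport)"
sleep 3
printf 'after timeout: %s\n' "$(current_rules | grep dport)"
```

In real use: `guard_apply /etc/iptables/rules.new 300` from the existing SSH session, open a second session against the new rules, and run `guard_confirm` from it; if the second login fails, wait out the five minutes and the old rules return on their own. The confirmed flag is written before the timer is killed, so even a confirm that lands a moment late cannot be followed by a rollback.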
