Firewall (Anti-DDOS) via the manager


heise
05-12-2014, 02:09
You're welcome. But in his defence I may add that he just recently helped resolve a problem for another customer with a misconfigured fail-over IP. It turned out to be Avast sending out unnecessary ARP packets. That was pretty clever.

Kathos
05-12-2014, 01:42
Thank you Heise for that helpful insight.
It would be helpful if, of course, there were better documentation, or if there were links to it in the manager.
It's a pity Neil couldn't be the one to point this out; after all, he is the one who works for OVH, so considering you don't use this firewall and he works in a CS role, I would expect him to know it a little better than yourself.
Either way, I do know how to fix it now.

heise
04-12-2014, 20:25
Hi, I have never used the OVH firewall, but it seems that you have a configuration problem. You are only blocking logins with your firewall that come from port 22 and go to port 22. That is not the way SSH traffic works. If I am logged in as a normal user, I cannot use ports below 1024 in Linux, hence if I want to SSH to a server on port 22, I have to use a source port beyond 1024, e.g. 53123, and that is actually what is happening. My server chooses a random port and connects to your server on port 22. Hence if you want to block traffic to your server on port 22, leave the source port open and set the destination port to 22. That should block the login attempts via SSH to your server.

Kathos
04-12-2014, 19:27
That does not explain why, it seems, I can't use your firewall to reject any connection to port 22, except ones from my IP address (and a few other IP blocks).
The way I'm seeing it, you just admitted it: it's not really a bug but an intended feature. Your firewall has open ports we can't reject/block, even if we put rules in place specifically for them. If so, I'd like to know what they are.

Neil
04-12-2014, 17:43
Hi

Port 22 is the default port for SSH and it is used for you to manage the server; afterwards it is up to you to manage the server. Moving SSH is a good way to resolve the issue you have; attempted logins are common and happen on all servers.

Kathos
04-12-2014, 15:59
Be aware I will be blanking out my IP address, and I have changed it a little since the original post, as described; I also added a rule so my backup server wouldn't be blocked by these rules.
I have noticed no more SSH login attempts since the change in the default port for SSH access, but that is hardly surprising; that alone often reduces SSH login attempts.
Before, CSF had 20-40 perma-blocks a day (mostly SSH login attempts), with 5 temp blocks being normal in CSF due to frequent port scanning. I think it's more likely that this change just avoided a bug, which meant certain ports were not being rejected as asked.

I suspect port 22 is left open by default, so it didn't matter if I told it to reject that port; it would leave it open. I don't have the time to investigate this, nor should I; I've got a business to operate. I understand you like having port 22 open so you can assist us if need be, but that should not be at the expense of the port being open to all.

I've provided a screenshot:
https://www.dropbox.com/s/o6vb9pwjb2...nager.png?dl=0

Neil
04-12-2014, 13:37
Hi

Please can you send a screenshot of the firewall rules in your OVH Manager?

Kathos
04-12-2014, 02:12
Since I don't seem to be getting an answer on this, I'm going to be taking advice I got elsewhere: changing my default port for SSH.

This should work; I shouldn't need to take this action. It should count as a bug. If it's not, why am I getting a lot of SSH login errors on port 22 if only my IP address is allowed?

Kathos
02-12-2014, 23:36
I tried to set up a few simple rules in the Firewall (https://www.ovh.co.uk/anti-ddos/firewall-network.xml), assigned to my new server, but it's not working as I expected.
(For context, the intent was to reject any traffic to FTP ports, SSH ports and WHM ports, then authorise my IP with a lower priority number, so it was one of the few that could access them.)

At first I thought it was working, but even though I have the same firewall configuration on every IP address (5) assigned to the server, I'm still getting a lot of users who are trying to access my server via the SSH port, when they shouldn't even have access, because my CSF firewall had to block it instead.

So is there a guide (or can someone hint) on how to use this? I thought this simple usage of the firewall would work, as I usually rely on CSF. If I can restrict secure access ports to a single or small number of IP addresses, it massively limits the chances of my server being compromised via this method.

I've replaced my IP with # obviously.
Code:
Priority  Action     Protocol  Source      SrcPort  DstPort
0         Authorise  IPv4      #.#.#.#/32
10        Refuse     TCP       all         20       20
11        Refuse     UDP       all         20       20
12        Refuse     TCP       all         21       21
13        Refuse     TCP       all         22       22
14        Refuse     UDP       all         22       22
15        Refuse     TCP       all         2083     2083
16        Refuse     TCP       all         2087     2087
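
As an added illustration of heise's point about source ports, applied to the rule table Kathos posted above: this is example code written for this page, not OVH's firewall engine. The first-match-by-priority and default-allow semantics, and the IP addresses, are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplified model of the OVH manager rule table as it appears in this thread.
# Assumed semantics: rules evaluated in ascending priority, first match wins,
# traffic matching no rule is allowed.
@dataclass
class Rule:
    priority: int
    action: str                      # "Authorise" or "Refuse"
    proto: str                       # "IPv4" (any protocol), "TCP" or "UDP"
    source: str = "all"              # "all" or a CIDR
    src_port: Optional[int] = None   # None = any source port
    dst_port: Optional[int] = None   # None = any destination port

def matches(rule: Rule, proto: str, src_ip: str, sport: int, dport: int) -> bool:
    if rule.proto != "IPv4" and rule.proto != proto:
        return False
    if rule.source != "all" and \
            ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source):
        return False
    if rule.src_port is not None and rule.src_port != sport:
        return False
    return rule.dst_port is None or rule.dst_port == dport

def decide(rules, proto: str, src_ip: str, sport: int, dport: int) -> str:
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, proto, src_ip, sport, dport):
            return rule.action
    return "Authorise"   # assumed default when nothing matches

MY_IP = "203.0.113.10"   # constructed stand-in for the masked #.#.#.#/32

# The SSH rule as posted: source port AND destination port both pinned to 22.
AS_POSTED = [Rule(0, "Authorise", "IPv4", f"{MY_IP}/32"),
             Rule(13, "Refuse", "TCP", "all", 22, 22)]

# Corrected as heise describes: source port left open, destination port 22.
CORRECTED = [Rule(0, "Authorise", "IPv4", f"{MY_IP}/32"),
             Rule(13, "Refuse", "TCP", "all", None, 22)]

if __name__ == "__main__":
    # A real SSH client connects from an ephemeral source port (e.g. 53123), not 22.
    print(decide(AS_POSTED, "TCP", "198.51.100.7", 53123, 22))  # Authorise (rule never matches)
    print(decide(CORRECTED, "TCP", "198.51.100.7", 53123, 22))  # Refuse
    print(decide(CORRECTED, "TCP", MY_IP, 53123, 22))           # Authorise via priority 0
```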