Secure Firewall Settings

This topic contains 1 reply, has 0 voices, and was last updated by  faximilian 3 years, 10 months ago.

  • #44157

    faximilian
    Member

    Dear friends,

    I am worried about my zeroshell firewall.

    1 hour ago I had an SSH connection to Zeroshell on port 22 from Ukraine with a lot of traffic.

    Could someone please help me to harden my firewall.

    I have closed the http/https access from outside now, but this can be only a workaround. SSH is still open – I cannot work without it. SMTP/IMAP have to be open, too (not an open relay!).

    Here are my FW settings:

    FORWARD Chain

    Chain FORWARD (policy DROP 5 packets, 300 bytes)
     pkts bytes target     prot opt in     out source    destination
    16410 1944K ACCEPT     all  --  ETH00  *   0.0.0.0/0 0.0.0.0/0
        7   572 ACCEPT     all  --  BOND00 *   0.0.0.0/0 0.0.0.0/0
    12117 3685K ACCEPT     all  --  *      *   0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED

    INPUT Chain

    Chain INPUT (policy DROP 1429 packets, 101K bytes)
     pkts bytes target     prot opt in     out source    destination
    63653   12M SYS_GUI    all  --  *      *   0.0.0.0/0 0.0.0.0/0
    63653   12M SYS_INPUT  all  --  *      *   0.0.0.0/0 0.0.0.0/0
       27  1236 SYS_HTTPS  tcp  --  *      *   0.0.0.0/0 0.0.0.0/0   tcp dpt:80
     6053  922K SYS_HTTPS  tcp  --  *      *   0.0.0.0/0 0.0.0.0/0   tcp dpt:443
      544 42776 SYS_SSH    tcp  --  *      *   0.0.0.0/0 0.0.0.0/0   tcp dpt:22
    15907 1686K ACCEPT     all  --  ETH00  *   0.0.0.0/0 0.0.0.0/0
        1    56 ACCEPT     all  --  BOND00 *   0.0.0.0/0 0.0.0.0/0
     8374  733K ACCEPT     all  --  *      *   0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED
        0     0 Proxy      tcp  --  *      *   0.0.0.0/0 0.0.0.0/0   tcp dpt:55559

    OUTPUT Chain

    Chain OUTPUT (policy ACCEPT 5496 packets, 1712K bytes)
     pkts bytes target     prot opt in     out source    destination
    55505   12M SYS_OUTPUT all  --  *      *   0.0.0.0/0 0.0.0.0/0


    Are there any open user accounts with default passwords?
    Is there any other security vulnerability I don’t know about…

    Regards,

    faximilian
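As an added example (not code from the thread, and not part of Zeroshell), the script below does two things a practitioner would want before changing anything on this box: it parses the INPUT chain listed in the post and reports every port-specific rule that can be reached from any interface and any source, then it prints (without executing) iptables commands that put SSH behind a source restriction. The chain names (SYS_SSH, SYS_HTTPS, Proxy) are copied from the listing; the management network 203.0.113.0/24 is a placeholder, and whether hand-inserted rules survive Zeroshell regenerating its own firewall chains is an assumption that has to be checked on the device.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zeroshell. Audits an
# `iptables -L INPUT -v -n` listing for port-specific rules that any
# source on any interface can reach, and prints (never runs) hardening
# rules for SSH. Chain names (SYS_SSH, ...) are copied from the post.

# The INPUT chain exactly as posted in the thread (constructed copy).
INPUT_DUMP='Chain INPUT (policy DROP 1429 packets, 101K bytes)
pkts bytes target prot opt in out source destination
63653 12M SYS_GUI all -- * * 0.0.0.0/0 0.0.0.0/0
63653 12M SYS_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
27 1236 SYS_HTTPS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
6053 922K SYS_HTTPS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
544 42776 SYS_SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
15907 1686K ACCEPT all -- ETH00 * 0.0.0.0/0 0.0.0.0/0
1 56 ACCEPT all -- BOND00 * 0.0.0.0/0 0.0.0.0/0
8374 733K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Proxy tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:55559'

# Read a chain listing on stdin; print "port target" for each rule with a
# dpt: match whose in-interface is "*" and whose source is 0.0.0.0/0.
# Column layout of `iptables -L -v -n`:
#   $1 pkts  $2 bytes  $3 target  $4 prot  $5 opt  $6 in  $7 out
#   $8 source  $9 destination  $10.. match text such as "tcp dpt:22"
# Jumps to custom chains (SYS_HTTPS, SYS_SSH, Proxy) are reported because
# the chain itself is reachable; what that chain then does is not checked.
world_open_ports() {
    awk '
        NR <= 2                        { next }   # chain header, column names
        $6 != "*" || $8 != "0.0.0.0/0" { next }   # limited by interface or source
        $3 == "DROP" || $3 == "REJECT" { next }   # already blocking
        {
            for (i = 10; i <= NF; i++)
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i, $3 }
        }'
}

# Print the iptables commands that put SSH behind a source restriction.
# $1: management network allowed to SSH (an assumption; use the network
#     you really administer from)
# $2: "strict" drops port 22 for everyone else; otherwise every other
#     source is limited to 3 new connections per 60 s via the recent module.
# The commands are inserted at the top of INPUT, ahead of the SYS_SSH jump,
# so the existing Zeroshell chain still handles whatever gets through.
ssh_hardening_rules() {
    mgmt_net=${1:?usage: ssh_hardening_rules MGMT_CIDR [strict]}
    echo "iptables -I INPUT 1 -p tcp --dport 22 -s $mgmt_net -m state --state NEW -j ACCEPT"
    if [ "$2" = strict ]; then
        echo "iptables -I INPUT 2 -p tcp --dport 22 ! -s $mgmt_net -j DROP"
    else
        echo "iptables -I INPUT 2 -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set"
        echo "iptables -I INPUT 3 -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP"
    fi
}

# Stand-alone run: audit the posted chain, then show the rules for a
# placeholder management network (203.0.113.0/24, a documentation range).
main() {
    echo "world-reachable port-specific rules (port target):"
    printf '%s\n' "$INPUT_DUMP" | world_open_ports
    echo
    echo "suggested SSH rules (review them, then run as root):"
    ssh_hardening_rules 203.0.113.0/24
}

main
```

Run against the posted listing, the audit reports 80 and 443 (SYS_HTTPS), 22 (SYS_SSH) and 55559 (Proxy) as reachable from anywhere; the rules bound to ETH00 and BOND00 and the RELATED,ESTABLISHED rule are not reported because they are limited by interface or state. Note that the 544 packets counted on the SYS_SSH jump are what the rate limit or the strict drop would have filtered; neither replaces key-only authentication in sshd itself. The rules are printed rather than applied so they can be reviewed first and placed in whatever mechanism Zeroshell uses to persist firewall changes.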

    #53636

    redfive
    Participant

    Did you enable ‘login’ and ‘login fail’ events in Monitoring? I hope that there isn’t a bug; afaik Fulvio worked hard to solve the latest security issues, releasing 3.2.1, which would eliminate the last known risks ….
    And about the LOG, is it possible to know more about what happened?
    Regards

    #53637

    faximilian
    Member

    Sorry for the delayed answer. The router crashed a few days ago – actually I don’t know why. I have to wait until I have physical access.

    With the existing log file I cannot give you more information about the kind of access. All I know is that they caused about 25kbit traffic. The router has been accessed from different locations on different days.
