List: fwknop-discuss
Subject: Re: [Fwknop-discuss] Fwknop doesn't open closed SSH port.
From: Tomáš Iglo <tom.iglo () gmail ! com>
Date: 2016-07-14 22:54:13
Message-ID: CAD_NjCHRcRZ9JM-d5FgN1D5QG9kZwV8WsXFt-5qMLrfjU1xHVA () mail ! gmail ! com
Hi Jonathan,
thanks a lot, now it works as you wrote ;)
Thank you man.
Have a nice day,
Tom
2016-07-15 0:05 GMT+02:00 Jonathan Bennett <jbscience87@gmail.com>:
> Hello,
>
> The SSH access setting in Openwrt sets which interface dropbear will bind
> to. This means that dropbear will only accept ssh connections that arrive
> on that specific interface. If all you need to do is connect from inside
> your network, then binding to LAN is fine.
> If you want to access ssh from anywhere else, then you need to instruct
> dropbear to bind to all interfaces. This idea of binding to an interface
> is different from a firewall, though they do something of the same thing.
>
> What you probably want is to tell dropbear to listen to all interfaces,
> and then make sure your firewall is configured to drop all incoming
> connections from the outside. In that case, any SSH connections will be
> dropped, and your ssh service will be invisible to the outside world.
> Fwknop comes into play here. It allows you to authenticate, and a
> temporary rule is added, allowing only your IP address to connect to the
> ssh service.
>
> So, set dropbear back to unspecified, and then look at your firewall
> settings. In the web interface, go to Network -> Firewall. Under zones,
> Input and Forward should be set to reject for the wan network. You might
> have a rule in the "Traffic Rules" tab that is allowing ssh connections.
> I suppose one other thing to check is that in Network -> Interfaces, the
> wan interface is set to use the wan firewall zone.
>
> --Jonathan
>
> On 07/14/2016 04:43 PM, Tomáš Iglo wrote:
> > Hi,
> > in my OpenWRT (Chaos Calmer) if I've configured SSH Access in Dropbear
> > to listen on the WAN interface, SSH access is working and I can log in to
> > the router via SSH, but this means that my SSH port is open to the
> > Internet.
> >
> > If I've configured SSH Access to the LAN interface (as it is by default),
> > fwknop2 sends the SPA packet, and in the System Log it shows me that the
> > port is open for that external IP for some time:
> >
> > Thu Jul 14 23:05:07 2016 daemon.info fwknopd[7244]: (stanza #1) SPA Packet from IP: 46.XX.XX.XX received with access source match
> > Thu Jul 14 23:05:07 2016 daemon.info fwknopd[7244]: Added access rule to FWKNOP_INPUT for 46.XX.XX.XX -> 0.0.0.0/0 tcp/22, expires at 1468530367
> > Thu Jul 14 23:06:07 2016 daemon.info fwknopd[7244]: Removed rule 1 from FWKNOP_INPUT with expire time of 1468530367
> >
> > but my SSH connection fails with "Connection timeout".
> >
> > SSH Access should be set up to the LAN, right? Is this configuration
> > below wrong?
> >
> > My setup:
> > - Using ssh keys, which are mentioned in /etc/dropbear/authorized_keys
> >
> > - UCI:
> > password - OFF
> > rootLogin - OFF
> >
> > - OpenWRT - System - Administration - SSH Access - Dropbear instance -
> > Interface: LAN
> >
> > - Names of interfaces:
> > WAN: eth0.1
> > LAN: br-lan
> >
> > - access.conf
> > SOURCE ANY
> > keytype Base 64 key
> > hkeytype Base 64 key
> > KEY_BASE64 xxxxxx
> > HMAC_KEY_BASE64 xxxxxxx
> > OPEN_PORTS tcp/22
> >
> > - fwknopd.conf
> > PCAP_INTF eth0.1
> > ENABLE_IPT_FORWARDING y
> >
> >
> > Thank you for your help.
> >
> > Have a nice day,
> >
> > Tomas
> >
> >
> >
> > ------------------------------------------------------------------------------
> > What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> > patterns at an interface-level. Reveals which users, apps, and protocols are
> > consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> > J-Flow, sFlow and other flows. Make informed decisions using capacity planning
> > reports. http://sdm.link/zohodev2dev
> >
> >
> >
> > _______________________________________________
> > Fwknop-discuss mailing list
> > Fwknop-discuss@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
> >
>
>
>
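Jonathan's reply boils down to three things to verify on the router: dropbear is not pinned to a single interface, the wan zone rejects unsolicited Input and Forward traffic, and no "Traffic Rules" entry already accepts tcp/22 from wan (otherwise the port is reachable without SPA and the fwknop-added rule is irrelevant). The script below is an added example, not code from the thread or from the fwknop or OpenWrt projects: it runs those three checks over the text that `uci show dropbear; uci show firewall` prints. The two UCI dumps are constructed for the demo (one in Tom's "before" shape with a leftover Allow-SSH-WAN rule, one in the recommended shape); the function names are mine, and the only assumption about real output is the `config.section.option=value` line format, with values quoted in newer uci releases and bare in older ones.

```shell
#!/bin/sh
# Added example: audit an OpenWrt `uci show` dump for the SSH exposure
# checks described in the thread. Not part of the original mailing list post.

# Constructed sample (before): dropbear bound to LAN, wan zone rejecting,
# but a leftover traffic rule that accepts tcp/22 from wan.
SAMPLE_BEFORE=$(cat <<'EOF'
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='off'
dropbear.@dropbear[0].RootPasswordAuth='off'
dropbear.@dropbear[0].Port='22'
dropbear.@dropbear[0].Interface='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].network='wan wan6'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-SSH-WAN'
firewall.@rule[9].src='wan'
firewall.@rule[9].proto='tcp'
firewall.@rule[9].dest_port='22'
firewall.@rule[9].target='ACCEPT'
EOF
)

# Constructed sample (after): Interface unset, wan zone rejecting, no ssh
# allow rule. Written in the bare-value style of older uci to show both parse.
SAMPLE_AFTER=$(cat <<'EOF'
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=off
dropbear.@dropbear[0].RootPasswordAuth=off
dropbear.@dropbear[0].Port=22
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].input=REJECT
firewall.@zone[1].output=ACCEPT
firewall.@zone[1].forward=REJECT
firewall.@zone[1].network=wan wan6
EOF
)

# uci_get DUMP KEY: print the value of one key, with surrounding quotes
# stripped; prints nothing when the key is absent.
uci_get() {
    esc=$(printf '%s' "$2" | sed 's/[.[]/\\&/g')   # escape . and [ for sed
    printf '%s\n' "$1" | sed -n "s/^$esc=//p" | sed "s/^'\(.*\)'\$/\1/"
}

# section_with_name DUMP TYPE NAME: index of the firewall section of TYPE
# (zone or rule) whose name option equals NAME.
section_with_name() {
    printf '%s\n' "$1" | sed -n "s/^firewall\.@$2\[\([0-9]*\)]\.name='\{0,1\}$3'\{0,1\}\$/\1/p"
}

# rule_indices DUMP: one index per firewall rule section.
rule_indices() {
    printf '%s\n' "$1" | sed -n 's/^firewall\.@rule\[\([0-9]*\)]=rule$/\1/p'
}

# Check 1: which interface dropbear binds to ("unspecified" means all).
dropbear_interface() {
    v=$(uci_get "$1" 'dropbear.@dropbear[0].Interface')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unspecified\n'; fi
}

# Check 2: zone_policy DUMP ZONE OPTION, e.g. zone_policy "$d" wan input.
zone_policy() {
    idx=$(section_with_name "$1" zone "$2")
    if [ -z "$idx" ]; then printf 'missing\n'; return 0; fi
    uci_get "$1" "firewall.@zone[$idx].$3"
}

# Check 3: number of traffic rules that ACCEPT tcp/22 from the wan zone.
wan_ssh_allow_rules() {
    count=0
    for idx in $(rule_indices "$1"); do
        src=$(uci_get "$1" "firewall.@rule[$idx].src")
        port=$(uci_get "$1" "firewall.@rule[$idx].dest_port")
        target=$(uci_get "$1" "firewall.@rule[$idx].target")
        proto=$(uci_get "$1" "firewall.@rule[$idx].proto")
        if [ "$src" = wan ] && [ "$target" = ACCEPT ] && [ "$port" = 22 ]; then
            case "$proto" in tcp|'tcp udp'|tcpudp|'') count=$((count + 1)) ;; esac
        fi
    done
    printf '%s\n' "$count"
}

# Overall verdict: prints each finding, returns 0 only when all three checks pass.
audit_ssh_exposure() {
    dump=$1; rc=0
    iface=$(dropbear_interface "$dump")
    if [ "$iface" != unspecified ]; then
        echo "dropbear is bound to '$iface' only; tcp/22 opened by SPA on another interface will still time out"
        rc=1
    fi
    for opt in input forward; do
        pol=$(zone_policy "$dump" wan "$opt")
        if [ "$pol" != REJECT ] && [ "$pol" != DROP ]; then
            echo "wan zone $opt policy is '$pol'; expected REJECT"
            rc=1
        fi
    done
    n=$(wan_ssh_allow_rules "$dump")
    if [ "$n" -gt 0 ]; then
        echo "$n traffic rule(s) ACCEPT tcp/22 from wan; ssh is reachable without an SPA packet"
        rc=1
    fi
    return $rc
}

# Demo run over the two constructed dumps.
if audit_ssh_exposure "$SAMPLE_BEFORE"; then echo "before: ok"; else echo "before: needs attention"; fi
if audit_ssh_exposure "$SAMPLE_AFTER"; then echo "after: matches the recommended layout"; fi
```

On a real router, replace the constructed dumps with `audit_ssh_exposure "$(uci show dropbear; uci show firewall)"`. The audit treats DROP as acceptable alongside REJECT for the wan zone, since either keeps the port invisible until fwknopd inserts its temporary rule; it does not inspect fwknopd's own FWKNOP_INPUT chain, which the log lines in the thread already show working.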