[SOLVED] connection | FWCloud Forum


ukro

Member
Hi,
so I reinstalled fwcloud and recovered the old backup, because the update didn't work correctly (it hadn't been updated for a long time). Now I have set up SSH with:
PermitRootLogin prohibit-password
PubkeyAuthentication yes
How can I compile and install all the rules?
Do I need to change to password every time?
P.S. If I don't want to use openvpn :>
I have limited the 3030 UI to my IP
 

ukro

Member
Just out of curiosity, when it's compiling/installing and putting some logs in the textbox, is it possible that it shows at least the SSH fingerprint? Then I can remember at least a few letters/numbers and be aware if it's my machine and not some MIB. I have been asking last time, but I'm thinking if it's just put on the log it might be easy, no? :>
P.S. And no need to use any VPNs
 

ukro

Member
FYI I was setting up on the next server and the import wizard I think made a mistake. Pls see screenshots:
Screenshot from 2021-04-18 15-46-00.png
1.png

Is it possible to somehow ignore fail2ban rules? Let it be operational on its own?
 

Carles Munyoz

Administrator
Staff member
Hello,
I'm going to answer all your questions ...

How can I compile and install all the rules?
You have to specify the firewall install interface and IP address.
In this video tutorial you can see how to do it:

In the FWCloud-UI documentation we have a video tutorials section with a lot of helpful videos:
https://fwcloud.net/en/documentation/user-interface/


Do I need to change to password every time?
Sorry, but I don't understand this question ...
What password are you talking about?


P.S. If I don't want to use openvpn :>
I have limited the 3030 UI to my IP
This is up to you.
If the firewalls you are managing are outside of your local networks, somewhere on the Internet, it is interesting to use a management VPN to improve security. With FWCloud it is very simple and easy to create these management VPNs, but as I have already said, it is up to you.


is it possible that it shows at least the SSH fingerprint?
I think that it is possible.
We are going to study it and decide if we include it in the next release.


FYI I was setting up on the next server and the import wizard I think made a mistake. Pls see screenshots
You are right, it seems to be a bug in the FWCloud import wizard.
We will solve it in the next release, thank you very much for the report.


Is it possible to somehow ignore fail2ban rules? Let it be operational on its own?
If fail2ban puts its rules after the FWCloud policy load, no problem. But every time you reload the FWCloud policy the fail2ban rules will be removed.
We have an issue to solve this. If it is possible, the solution will be part of the next release.
 

ukro

Member
Greetings!
Thank you for the reply, sure let me rephrase.

1.
-------------------
Do I need to change to password every time?
-Sorry, but I don't understand this question ...
-What password are you talking about?
-------------------

So when I initially installed fwcloud I had SSH password authentication.
Now I moved to:
PermitRootLogin prohibit-password
PubkeyAuthentication yes
Because of this I can't install rules from fwcloud as it doesn't know how to work with that.
And truly I don't even know how it would be possible to implement securely. Save the id_rsa locally and let a specific GUI user access it?!
For now I just remove the PubkeyAuthentication.

2.
-------------------
is it possible that it shows at least the SSH fingerprint?
-I think that it is possible.
-We are going to study it and decide if we include it in the next release.
-------------------

That is awesome, as for me it's important: I am not using and don't need to use a VPN for the GUI, as I said I just limited the IP.

3.
-------------------
Is it possible to somehow ignore fail2ban rules? Let it be operational on its own?
-If fail2ban puts its rules after the FWCloud policy load, no problem. But every time you reload the FWCloud policy the fail2ban rules will be removed.
-We have an issue to solve this. If it is possible, the solution will be part of the next release.
-------------------
So you are saying that I should stop the fail2ban service, compile->install the fwcloud rules and then start the fail2ban service. I have no problem with that. Or maybe that I need some pre and post run script in fwcloud for that? :> maybe in the next release :D <3

Waiting for the next release :> cheers
 

ukro

Member
This is up to you.
If the firewalls you are managing are outside of your local networks, somewhere on the Internet, it is interesting to use a management VPN to improve security. With FWCloud it is very simple and easy to create these management VPNs, but as I have already said, it is up to you.

The thing is that I don't want to add any more layers.
Let's imagine that one has around 20 emails, 3x private VPN, 3x work VPN, 10x servers and 5 different OSes that are worked on.
So after all of that the easiest thing is just to forbid root login, put some random username with password SSH, fail2ban and GO.
But for this to work correctly I need to see the fingerprint in the LOGs when I'm installing the rules, so if the fingerprint would change, I can just go to the VPS admin panel and shut it off :> <3
 

Carles Munyoz

Administrator
Staff member
Hi,
Regarding the SSH access for firewall management, the use of id_rsa keys is not supported yet.
At this moment a user with sudo privileges is required.
You can store this user in FWCloud to avoid entering it every time you change something on the destination firewall.


So you are saying that I should stop the fail2ban service, compile->install the fwcloud rules and then start the fail2ban service. I have no problem with that. Or maybe that I need some pre and post run script in fwcloud for that? :> maybe in the next release :D <3

We have in our todo map the `hook scripts feature` that will allow you to put your own code into the script generated as a result of the policy compilation process. This feature will allow you not only to put your own code before or after the policy load, but even before or after a rule has been loaded.
 

ukro

Member
Hi,
Regarding the SSH access for firewall management, the use of id_rsa keys is not supported yet.
At this moment a user with sudo privileges is required.
You can store this user in FWCloud to avoid entering it every time you change something on the destination firewall.


We have in our todo map the `hook scripts feature` that will allow you to put your own code into the script generated as a result of the policy compilation process. This feature will allow you not only to put your own code before or after the policy load, but even before or after a rule has been loaded.

Now this is awesome!!!!
So if it will be possible to put a reply from the script into the logs window that is in front of me when I'm compiling/installing, I can put a script to show the SSH fingerprint and there is no need to make any additional changes.
That would be perfect.
Looking forward :>
Thank you!
 

Carles Munyoz

Administrator
Staff member
I'm glad to announce that the 'hook scripts' feature, which will allow adding code before and/or after a policy rule load, is nearly complete and will be included in the next release.

This next release will be available this or next week at the latest.
 

Carles Munyoz

Administrator
Staff member
Hello,
Regarding this firewall import wizard bug reported by you, we have tried to reproduce it but in our tests all goes fine.
Please, could you send us your iptables-save output in order to make tests with it?

FYI I was setting up on the next server and the import wizard I think made a mistake. Pls see screenshots
Screenshot from 2021-04-18 15-46-00.png
1.png


Is it possible to somehow ignore fail2ban rules? Let it be operational on its own?
 

ukro

Member
Hello,
Regarding this firewall import wizard bug reported by you, we have tried to reproduce it but in our tests all goes fine.
Please, could you send us your iptables-save output in order to make tests with it?
Sure, will do, I just need to unblock the port so somebody can try to hack in. Will reply asap.


I'm glad to announce that the 'hook scripts' feature, which will allow adding code before and/or after a policy rule load, is nearly complete and will be included in the next release.

This next release will be available this or next week at the latest.
Nice!!!
 

ukro

Member
That was fast xD, opened for a few minutes
```
# Generated by xtables-save v1.8.2 on Wed Apr 21 15:52:10 2021
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 59.63.212.100/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 120.131.3.191/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 101.89.138.113/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 65.151.188.94/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 123.130.112.6/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 121.4.93.238/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 218.78.43.195/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 36.91.119.221/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 152.136.252.237/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 103.244.232.110/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 111.231.18.208/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 193.239.178.44/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 152.32.186.240/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 177.104.124.235/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 59.36.178.98/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
# Completed on Wed Apr 21 15:52:10 2021

```
Let me try to import, I will make a screenshot.
 

ukro

Member
Screenshot from 2021-04-21 21-56-58.png

Yeah I don't know what to say :X If it's working on your end, I'm pretty sure it's because of the fail2ban.
If you can export a separate script in (iptables-save) / out (echo shell) for that, I can try to run it purely from the shell and you can debug my logs.
 

ukro

Member
Maybe this is important, but in the export I deleted one rule where it has my IP with accept:
-A INPUT -s xxxxx/32 -i ens32 -p tcp -m multiport --dports 22,23,3306,33060 -j ACCEPT
It was right above the fail2ban. Maybe the variable doesn't change per each line? oO

real export:
```
# Generated by xtables-save v1.8.2 on Wed Apr 21 15:52:10 2021
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -s xxxxx/32 -i ens32 -p tcp -m multiport --dports 22,23,3306,33060 -j ACCEPT
-A f2b-sshd -s 59.63.212.100/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 120.131.3.191/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 101.89.138.113/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 65.151.188.94/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 123.130.112.6/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 121.4.93.238/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 218.78.43.195/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 36.91.119.221/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 152.136.252.237/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 103.244.232.110/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 111.231.18.208/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 193.239.178.44/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 152.32.186.240/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 177.104.124.235/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 59.36.178.98/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
# Completed on Wed Apr 21 15:52:10 2021

```
 

Carles Munyoz

Administrator
Staff member
Ok, thank you for the detailed information.
We are going to debug the firewall importer with this iptables-save output.
I'll contact you again shortly.
 

Carles Munyoz

Administrator
Staff member
The problem is in this line:
-A f2b-sshd -j RETURN
If you remove it the FWCloud iptables-save import process goes fine.

This line is useless, but Fail2ban includes it in its iptables generated rules.
We are going to ignore it in the FWCloud iptables-save importer.

This bug will be solved in the next FWCloud release.
Thank you very much for your report! :)
 
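As an added example (not FWCloud's own importer code), a minimal iptables-save parser in Python that keeps the match-free `-A f2b-sshd -j RETURN` line described above instead of failing on it; the sample text is constructed from the export in this thread, trimmed to one ban entry.

```python
from collections import namedtuple

# Constructed sample shaped like the export posted in this thread, trimmed to one
# Fail2ban ban entry; the trailing "-j RETURN" line is the one that broke the import.
SAMPLE = """\
# Generated by xtables-save v1.8.2 on Wed Apr 21 15:52:10 2021
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 59.63.212.100/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
# Completed on Wed Apr 21 15:52:10 2021
"""

# matches: option -> value, e.g. {"-s": "59.63.212.100/32"}; target_opts: tokens after the target
Rule = namedtuple("Rule", "chain target matches target_opts")

def parse_iptables_save(text):
    """Return {table: {"chains": {name: policy}, "rules": [Rule, ...]}}.
    Assumes each match option takes one value (true here; valueless flags like --syn or '!' are out of scope)."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # timestamps and comments
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"chains": {}, "rules": []}
        elif line.startswith(":"):
            name, policy, _counters = line[1:].split()
            tables[table]["chains"][name] = policy     # "-" = user-defined chain without a policy
        elif line.startswith("-A "):
            tokens = line.split()
            j = tokens.index("-j")                     # before -j: match options; after: target and its options
            match_tokens = tokens[2:j]
            matches = dict(zip(match_tokens[::2], match_tokens[1::2]))
            # An empty match set is legal (the rule applies to every packet reaching it); Fail2ban's
            # closing "-A f2b-sshd -j RETURN" is exactly that, so keep it instead of rejecting the export.
            tables[table]["rules"].append(Rule(tokens[1], tokens[j + 1], matches, tokens[j + 2:]))
        elif line == "COMMIT":
            table = None
    return tables

def match_free_rules(tables):
    """The unconditional rules (no match criteria) a strict importer must tolerate."""
    return [r for t in tables.values() for r in t["rules"] if not r.matches]
```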

Carles Munyoz

Administrator
Staff member
We have just published a new FWCloud release with the iptables-save import problem solved, and with the new hook scripts feature that will allow you to execute shell script code before and/or after a policy rule load.
 