My rental server doesn't allow me to remote on via SSH, despite assuring me that everything is setup. How do I override RST packets on a Chromebook without using Python?
If I understand correctly, you want to drop TCP reset packets.
This blog post explains how to get a root shell and add an iptables rule.
Instead of the rule given in the article to get SSH access, try this rule:
iptables -I INPUT -p tcp --tcp-flags RST -j DROP
(Disclaimer: I don't know anything about chromebooks except that they run Linux.)
Related
I'm trying to block a certain IP address or range to reach my WordPress server that's configured on my Google Compute Engine server.
I know I can block it via Apache, but even if I do my access_logs will still be filled with 403 error from requests from this IP.
Is there any way to block the IP entirely and don't even let it reach Apache?
Thanks in advance for any help.
If you want to block a single IP address, but allow all other traffic, the simplest option is probably to use iptables on the host. The GCE firewall rules are designed to control which IP addresses can reach your instance, but allowing everything on the internet except one address would probably be annoying to write.
To block a single IP address with iptables:
iptables -A INPUT -s $IP_ADDRESS -j DROP
or to just drop HTTP (but not HTTPS or other protocols):
iptables -A INPUT -s $IP_ADDRESS -p tcp --destination-port 80 -j DROP
Note that you'll need to run the above command as root in either case.
By default all incoming traffic to GCE is blocked except for the ports and range of IPs that are allowed to have access. Allowing everything to connect except a specific IP or a range of IP addresses is not supported on GCE firewall. As a workaround, you can setup a Load Balancer and allow incoming traffic from the LB IP address only to the instance. You can have more information in this Help Center article.
Yes you can block it using Gcloud Firewall.
Try creating the firewall rule from the command line or by logging into Google Cloud.
Example:
gcloud compute firewall-rules create tcp-deny --network example-network --source-ranges 10.0.0.0/8 --deny tcp:80
Above Rule will block the range 10.0.0.0/8 to port 80 (tcp).
Same can be done to block other IP Ranges over tcp and udp.
For more info check this: glcoud network config
Bitnami developer here
If you want to block a certain IP, you can use iptables as it's pointed in this post.
Also, if you want to have your iptables rules active when you reboot your machine you have to do the following:
sudo su
iptables-save > /opt/bitnami/iptables-rules
crontab -e
Now edit the file and include this line at the end:
#reboot /sbin/iptables-restore < /opt/bitnami/iptables-rules
This way, in every boot, the system will load the iptables rules and apply them.
To block offending IP, there are some methods on different levels to do it. From performance perspective, generally :
Network firewall > VM iptables > VM web server > VM application.
Google cloud has build-in firewall that no cost.
For example, this gcloud command create one firewall rule that can block 1 or more ips.
gcloud compute --project=your-project-id firewall-rules create your-firewall-rule-name --direction=INGRESS --priority=900 --network=default --action=DENY --rules=all --source-ranges=ip1,ip2,ip3…
Command parameters' reference see here https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create
You can also use Google cloud console or rest api to create it, but on console it's not easy to input lots of ips.
Build-in firewall's current limit:
One project can create 100 firewall rules.
One firewall rule can block 256 ip sources.
If there are 10 other firewall rules, you can block 90x256=23040 standalone ips, that is enough for general case.
Note: Google cloud app engine firewall is separated from build-in firewall.
Linux iptables
See other answers.
Web server
Apache, Nginx can also block ip.
Application
Not recommended block ip here. But application can help analysis which ip need to block, for example login failed many times.
If you want your system to automatically block all bad ip addresses in the GCP Firewall you can check out the Gatekeeper for Google Cloud Firewall.
It analyses your network connections and WordPress/Apache logs dynamically and creates approprate rules to ward off DoS and DDoS attacks as well as spying bots.
I'm trying to set up a snort IDS from my machine(opensuse 13.1) to monitor the entire network. When I run snort I am sniffing all the packets and monitoring all computers on the network, but I am only getting alerts for my machine. I want the alert file to alert me about ALL IP's. I also tried including specific IP adressess in HOME_NET and it would still only alert me about my opensuse machine.
My snort.conf:
HOME_NET 192.168.1.0/24
EXTERNAL_NET !$HOME_NET
output alert_fast: /var/log/snort/fast_alert.txt
I am using pulledpork for my one snort.rules file.
I run snort as so:
snort -d -c /etc/snort/snort.conf -vv
also, It might be important information that I do not have eth0 as a network device option.
How can I make snort alert me for all machines/IP's on the network?
Solution was port mirroring. I was only able to get traffic from my own switch. By using a network switch and port mirroring other IP's to my switch, I am now able to alert those IP's traffic!
To test my implementation of a NAT, I want to send TCP packets from one internal host to two different external hosts, and make sure that the source port for both streams of packets that leave the NAT have the same source port. How can I control the source port? wget uses different source ports for separate TCP connections.
Maybe you want to try netcat with -p option, if you don't want to write code by yourself, example:
$ nc -p 31337 www.google.com 80
Here is the explanation for "-p" option from man page:
Specifies the source port nc should use, subject to privilege restrictions and availability. It is an error to use this option in conjunction with the -l option.
Note though to use any port under 1024 requires root permission.
Bind the socket to a specific local port before you connect it.
I can target a client IP address on my router like:-
iptables -I INPUT -s 123.456.7.89 -j DROP
Is it possible to target the IP of the access point the client device is connecting through instead (or the SSID since each access point has it's own).
I've been looking at the match flag but can't find anything there. Thanks.
The only way is to filter by mac address, but it's not so easy.
Please spend some times with this picture:
Using the MAC module extension for iptables from here
The side effect explained here occurs when the netfilter code is
enabled in the kernel, the IP packet is routed and the out device for
that packet is a logical bridge device. The side effect is encountered
when filtering on the MAC source in the iptables FORWARD chains.
As should be clear from earlier sections, the traversal of the
iptables FORWARD chains is postponed until the packet is in the bridge
code. This is done so we can filter on the bridge port out device.
This has a side effect on the MAC source address, because the IP code
will have changed the MAC source address to the MAC address of the
bridge device.
It is therefore impossible, in the iptables FORWARD chains, to filter
on the MAC source address of the computer sending the packet in
question to the bridge/router. If you really need to filter on this
MAC source address, you should do it in the nat PREROUTING chain.
Agreed, very ugly, but making it possible to filter on the real MAC
source address in the FORWARD chains would involve a very dirty hack
and is probably not worth it.
I'm trying to test my WebSocket server in the face of an unreliable client connection.
I would like to be able, at any moment I choose, to forcefully drop a single WebSocket connection on the client side, without sending closing frames or a TCP FIN handshake. The browser itself cannot do this (right?) because it gracefully shuts down each WebSocket when a tab is closed. Other WebSocket connections from the same host (me in other browser windows) should not be affected.
My system is Ubuntu Linux 12.04; my browser is Chrome (but I could switch to any WebSocket-compatible browser to test this).
The server is using Ruby and em-websocket.
Options I've considered:
killall -9 $pid_of_tab but that's a bit rude, and the kernel apparently still closes the TCP connection
iptables firewall rules but that requires root, and it's hard to drop just one connection (from localhost) whilst keeping others alive
connecting from another machine, then unplugging the network cable or disabling the wifi
The last two would work, but it feels like there must be an easier way. Any ideas?
I suspect that you could do this pretty easily with Fiddler or WebScarab
Here's the iptables version (assuming the socket is served on localhost, port 3000):
To add a rule that drops all traffic:
$ sudo iptables -A INPUT -i lo -p tcp --dport 3000 -j DROP
To remove that rule again:
$ sudo iptables -D INPUT -i lo -p tcp --dport 3000 -j DROP