
In Progress [CPANEL-28146] iptables rules automatically overwritten

Discussion in 'Security' started by CreateChange, Jun 18, 2019.

  1. CreateChange

    CreateChange, Registered (cPanel Access Level: Root Administrator; Location: Denver, CO)

    Hey there, we caught this new iptables chain (cP-Firewall-1-INPUT) that was added last night, opening us up to the internet via WHM interface, SSH, etc.

    Checked lastlog, bash histories, etc., but am seeing no sign of anyone changing it through a specified command.

    None of our administrators added this chain - curious if this is something that cPanel would have done through a cPanel automated task?

    # iptables -S cP-Firewall-1-INPUT
    -N cP-Firewall-1-INPUT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2080 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2082 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 26 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2078 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2077 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 49152:65534 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 579 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2079 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

    Thanks for any insight that can be provided.
     
  2. GOT

    GOT, Get Proactive! PartnerNOC (cPanel Access Level: DataCenter Provider; Location: Chesapeake, VA)

    I would guess that was cPHulk, but someone from cPanel or elsewhere might confirm; we normally disable cPHulk when using CSF/LFD.
     
  3. CreateChange

    CreateChange, Registered (cPanel Access Level: Root Administrator; Location: Denver, CO)

    Thanks for the response. I have been at this company for over a year, and this is the first time I have seen it happen - we do have cphulk and csf running in tandem.

    We simply removed the rule that references that chain (which was at the top of the iptables list of rules, so it would have effectively bypassed all existing rules), but would like to avoid having to do that again in the future.
     
  4. CreateChange

    CreateChange, Registered (cPanel Access Level: Root Administrator; Location: Denver, CO)

    Have been digging a bit more, but not making too much progress...

    Found a cronjob that updates csf daily (/usr/sbin/csf -u), but from what I can find that doesn't call any sort of standard config to be dropped in.

    However, I found the following script (/scripts/configure_firewall_for_cpanel), which calls the below function from this file: /usr/local/cpanel/Cpanel/Services/Firewall.pm

    Code:
    sub _setup_with_iptables {
        my ( $service, $cmd ) = @_;
    
        my $iptables_cmd = $cmd->{'iptables'};
        my $iptables_save_cmd = $cmd->{'iptables-save'};
    
        # TCP ports
        my @allow_tcp_ports = Cpanel::Services::Ports::Authorized::allowed_tcp_ports();
    
        # UDP ports
        my @allow_udp_ports = Cpanel::Services::Ports::Authorized::allowed_udp_ports();
    
        my ( @temp_tcp, @temp_udp );
    
        my @lines_to_insert = (
            "INPUT -j cP-Firewall-1-INPUT",
            "FORWARD -j cP-Firewall-1-INPUT",
        );
    
        # Don't save if it looks like the current ruleset hasn't been loaded.
        my @current_rules = grep { /^\-A/ } split /\n/, Cpanel::SafeRun::Simple::saferunnoerror( $iptables_cmd, '-S' );
        my $conf_file = $iptables_cmd eq 'ip6tables' ? '/etc/sysconfig/ip6tables' : '/etc/sysconfig/iptables';
        my $read_only = ( !-z $conf_file && $#current_rules == -1 ) ? 1 : 0;
    
        Cpanel::SafeRun::Dynamic::livesaferun(
            'prog' => [$iptables_save_cmd],
            'formatter' => sub {
                my ($line) = @_;
                chomp $line;
    
                return if ( $line !~ /^-A/ );
                if ( $line =~ m/-A OUTPUT -j \Q$port_authority_name\E/ ) {
                    $has_port_authority_chain++;
                }
    
                # If we already have an entry matching this line, remove it from the
                # list of lines to insert so we don't insert a duplicate.
                foreach my $insert_line (@lines_to_insert) {
                    if ( index( $line, "-A $insert_line" ) != -1 ) {
                        @lines_to_insert = grep { $_ ne $insert_line } @lines_to_insert;
                        return;
                    }
                }
    
                foreach my $port (@allow_tcp_ports) {
                    if ( $line =~ /^-A (?:cP-Firewall-1-)?INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT/ ) {
                        push @temp_tcp, $port;
                    }
                }
    
                foreach my $udp_port (@allow_udp_ports) {
                    if ( $line =~ /^-A (?:cP-Firewall-1-)?INPUT -p udp -m state --state NEW -m udp --dport $udp_port -j ACCEPT/ ) {
                        push @temp_udp, $udp_port;
                    }
                }
    
                return;
            }
        );
    
        # Remove ports from @allow_tcp_ports that exist in @temp_tcp (ports already configured w/ iptables).
        my %tcp_diff;
        @tcp_diff{@allow_tcp_ports} = @allow_tcp_ports;
        delete @tcp_diff{@temp_tcp};
        @allow_tcp_ports = ( keys %tcp_diff );
        # Same for UDP ports.
        my %udp_diff;
        @udp_diff{@allow_udp_ports} = @allow_udp_ports;
        delete @udp_diff{@temp_udp};
        @allow_udp_ports = ( keys %udp_diff );
    
        # Rules for iptables
        my $iptables_rules = [
            "-N cP-Firewall-1-INPUT",
            ( map { /^(\S+)\s+(.*)$/; "-I $1 1 $2" } @lines_to_insert ),
            ( map { "-A cP-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $_ -j ACCEPT" } @allow_tcp_ports ),
            ( map { "-A cP-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport $_ -j ACCEPT" } @allow_udp_ports ),
            _get_port_authority_rules(),
        ];
    Appears that this would be the source of the rules being updated (see chain name), though I am unsure 1. how this might be invoked and 2. how to stop this without breaking something else. Any insight into how we can stop this chain from being added to the ruleset would be appreciated. :)
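    A defender's check for the situation described in this thread (an added example, not cPanel's code or the poster's): it parses `iptables -S` output, reports where the INPUT/FORWARD jump to cP-Firewall-1-INPUT sits relative to the other rules in those chains, and lists the ports that chain accepts NEW connections on without a source restriction. The sample ruleset is constructed, modelled on the chain posted in the first post, and the `-S` output format is assumed to be standard iptables.

```python
import re

CHAIN = "cP-Firewall-1-INPUT"

# Constructed sample, modelled on the chain posted in this thread: a CSF-style
# INPUT chain with the cPanel jump inserted as rule 1 (not a real capture).
SAMPLE_RULES = """\
-P INPUT DROP
-N cP-Firewall-1-INPUT
-A INPUT -j cP-Firewall-1-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -s 203.0.113.10 -j ACCEPT
-A FORWARD -j cP-Firewall-1-INPUT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 49152:65534 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
"""

ACCEPT_RE = re.compile(r"^-A (\S+) -p (tcp|udp) .*--dport (\S+) -j ACCEPT$")

def audit(rules_text, chain=CHAIN):
    """Parse `iptables -S` text: 1-based position of the jump to `chain` in each
    built-in chain that has one, and ports `chain` opens with no -s restriction."""
    jump_re = re.compile(r"^-A (INPUT|FORWARD) -j " + re.escape(chain) + "$")
    counts, positions = {}, {}
    opened = {"tcp": [], "udp": []}
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue  # skip -P policies and -N chain declarations
        parent = line.split()[1]
        counts[parent] = counts.get(parent, 0) + 1
        if jump_re.match(line):
            positions[parent] = counts[parent]
        m = ACCEPT_RE.match(line)
        if m and m.group(1) == chain and " -s " not in line:
            opened[m.group(2)].append(m.group(3))
    return {"jump_position": positions, "opened": opened}

def describe(report, chain=CHAIN):
    """Turn an audit() report into alert lines; an empty list means nothing found."""
    notes = [f"{p}: jump to {chain} is rule {pos}, evaluated before every other "
             f"{p} rule" for p, pos in report["jump_position"].items() if pos == 1]
    n = sum(len(v) for v in report["opened"].values())
    if n:
        notes.append(f"{chain} accepts NEW connections from any source on {n} port spec(s)")
    return notes
```

    On a live host, pass the output of `iptables -S` (run as root) to `audit()` in place of the constructed sample; the same check applies to `ip6tables -S`, which the posted Perl handles through the same function.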
     
  5. cPanelMichael

    cPanelMichael, Technical Support Community Manager, Staff Member (cPanel Access Level: Root Administrator)

    Hello @CreateChange,

    My initial thought is the firewall rules were added as part of the Calendar and Contacts plugin installation process, however I'm not reproducing the addition of the same rules reported in your first post upon testing this on a server running cPanel & WHM version 80.0.18. Can you open a support ticket so we can take a closer look at your system to determine exactly how those rules were added? Let me know the ticket number and I'll update this thread with the outcome once the ticket is closed.

    Thank you.
     
  6. roliboli

    roliboli, Active Member (Location: Switzerland)

  7. cPanelMichael

    cPanelMichael, Technical Support Community Manager, Staff Member (cPanel Access Level: Root Administrator)

    Hello @roliboli,

    We are tracking reports of this issue as part of case CPANEL-28146.

    The current case replication steps center around modifying an account's username, however we are seeking access to affected systems to confirm other potential causes. I encourage you to submit a support ticket and reference this post so we can take a look at an affected system and rule out additional causes.

    I'll update this thread as soon as more information on the status of this case is available.

    Thank you.
     