SOLVED [CPANEL-28146] iptables rules automatically overwritten

CreateChange

Member
Apr 30, 2019
Denver, CO
cPanel Access Level
Root Administrator
Hey there, we caught this new iptables chain (cP-Firewall-1-INPUT) that was added last night, opening us up to the internet via WHM interface, SSH, etc.

Checked lastlog, bash histories, etc., but am seeing no sign of anyone changing it through a specified command.

None of our administrators added this chain - curious if this is something that cPanel would have done through a cPanel automated task?

# iptables -S cP-Firewall-1-INPUT
-N cP-Firewall-1-INPUT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2080 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2082 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 26 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2078 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2077 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 49152:65534 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 579 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2079 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

Thanks for any insight that can be provided.
 

CreateChange

Member
Apr 30, 2019
Denver, CO
cPanel Access Level
Root Administrator
I would guess that was cphulk, but someone from cpanel or elsewhere might confirm, we normally disable cphulk when using CSF/LFD.

Thanks for the response. I have been at this company for over a year, and this is the first time I have seen it happen - we do have cphulk and csf running in tandem.

We simply removed the rule that references that chain (which was at the top of the iptables list of rules, so would have effectively bypassed all existing rules), but would like to avoid having to do that again in the future.
 

CreateChange

Member
Apr 30, 2019
Denver, CO
cPanel Access Level
Root Administrator
Have been digging a bit more, but not making too much progress...

Found a cronjob that updates csf daily (/usr/sbin/csf -u), but from what I can find that doesn't call any sort of standard config to be dropped in.

However, I found the following script (/scripts/configure_firewall_for_cpanel), which calls the below function from this file: /usr/local/cpanel/Cpanel/Services/Firewall.pm

Code:
sub _setup_with_iptables {
    my ( $service, $cmd ) = @_;

    my $iptables_cmd = $cmd->{'iptables'};
    my $iptables_save_cmd = $cmd->{'iptables-save'};

    # TCP ports
    my @allow_tcp_ports = Cpanel::Services::Ports::Authorized::allowed_tcp_ports();

    # UDP ports
    my @allow_udp_ports = Cpanel::Services::Ports::Authorized::allowed_udp_ports();

    my ( @temp_tcp, @temp_udp );

    my @lines_to_insert = (
        "INPUT -j cP-Firewall-1-INPUT",
        "FORWARD -j cP-Firewall-1-INPUT",
    );

    # Don't save if it looks like the current ruleset hasn't been loaded.
    my @current_rules = grep { /^\-A/ } split /\n/, Cpanel::SafeRun::Simple::saferunnoerror( $iptables_cmd, '-S' );
    my $conf_file = $iptables_cmd eq 'ip6tables' ? '/etc/sysconfig/ip6tables' : '/etc/sysconfig/iptables';
    my $read_only = ( !-z $conf_file && $#current_rules == -1 ) ? 1 : 0;

    Cpanel::SafeRun::Dynamic::livesaferun(
        'prog' => [$iptables_save_cmd],
        'formatter' => sub {
            my ($line) = @_;
            chomp $line;

            return if ( $line !~ /^-A/ );
            if ( $line =~ m/-A OUTPUT -j \Q$port_authority_name\E/ ) {
                $has_port_authority_chain++;
            }

            # If we already have an entry matching this line, remove it from the
            # list of lines to insert so we don't insert a duplicate.
            foreach my $insert_line (@lines_to_insert) {
                if ( index( $line, "-A $insert_line" ) != -1 ) {
                    @lines_to_insert = grep { $_ ne $insert_line } @lines_to_insert;
                    return;
                }
            }

            foreach my $port (@allow_tcp_ports) {
                if ( $line =~ /^-A (?:cP-Firewall-1-)?INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT/ ) {
                    push @temp_tcp, $port;
                }
            }

            foreach my $udp_port (@allow_udp_ports) {
                if ( $line =~ /^-A (?:cP-Firewall-1-)?INPUT -p udp -m state --state NEW -m udp --dport $udp_port -j ACCEPT/ ) {
                    push @temp_udp, $udp_port;
                }
            }

            return;
        }
    );

    # Remove ports from @allow_tcp_ports that exist in @temp_tcp (ports already configured w/ iptables).
    my %tcp_diff;
    @tcp_diff{@allow_tcp_ports} = @allow_tcp_ports;
    delete @tcp_diff{@temp_tcp};
    @allow_tcp_ports = ( keys %tcp_diff );
    # Same for UDP ports.
    my %udp_diff;
    @udp_diff{@allow_udp_ports} = @allow_udp_ports;
    delete @udp_diff{@temp_udp};
    @allow_udp_ports = ( keys %udp_diff );

    # Rules for iptables
    my $iptables_rules = [
        "-N cP-Firewall-1-INPUT",
        ( map { /^(\S+)\s+(.*)$/; "-I $1 1 $2" } @lines_to_insert ),
        ( map { "-A cP-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $_ -j ACCEPT" } @allow_tcp_ports ),
        ( map { "-A cP-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport $_ -j ACCEPT" } @allow_udp_ports ),
        _get_port_authority_rules(),
    ];
Appears that this would be the source of the rules being updated (see chain name), though I am unsure 1. how this might be invoked and 2. how to stop this without breaking something else. Any insight into how we can stop this chain from being added to the ruleset would be appreciated. :)
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
cPanel Access Level
DataCenter Provider
Hello @CreateChange,

My initial thought is the firewall rules were added as part of the Calendar and Contacts plugin installation process, however I'm not reproducing the addition of the same rules reported in your first post upon testing this on a server running cPanel & WHM version 80.0.18. Can you open a support ticket so we can take a closer look at your system to determine exactly how those rules were added? Let me know the ticket number and I'll update this thread with the outcome once the ticket is closed.

Thank you.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
cPanel Access Level
DataCenter Provider
Hello @roliboli,

We are tracking reports of this issue as part of case CPANEL-28146.

The current case replication steps center around modifying an account's username, however we are seeking access to affected systems to confirm other potential causes. I encourage you to submit a support ticket and reference this post so we can take a look at an affected system and rule out additional causes.

I'll update this thread as soon as more information on the status of this case is available.

Thank you.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
cPanel Access Level
DataCenter Provider
Hello Everyone,

This is fixed in cPanel & WHM version 82.0.4:

Fixed case CPANEL-28146: Avoid overwriting existing firewall settings.
Notes:
1. This fix only takes effect when the cPanel-Firewall-1-INPUT iptables chain is missing. It does not take effect if the cPanel-Firewall-1-INPUT iptables chain is already added. If a new iptables addition includes whitelisted cPanel ports, then those same ports must be removed from the cPanel-Firewall-1-INPUT chain.
2. This fix does not take effect if the firewalld service is active.

Long term, an internal improvement case is open to discuss refactoring /usr/local/cpanel/Cpanel/Services/Firewall.pm to better consider the use of custom firewalld and iptables rules on cPanel & WHM servers.

Thank you.
 
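An added audit script, not from the thread and not cPanel's code, covering two things discussed above: the Firewall.pm logic that inserts `-j cP-Firewall-1-INPUT` at position 1 of INPUT and FORWARD (ahead of every CSF rule), and the note that ports the chain whitelists must be removed from it if local policy wants them closed. It parses `iptables -S` output, reports the jump position and the ports the chain opens, and flags conflicts with a list of ports the operator expects to stay shut. The sample ruleset and the LOCALINPUT chain name standing in for CSF are constructed.

```python
import re
CHAIN = "cP-Firewall-1-INPUT"

# Constructed sample in `iptables -S` format (not captured from a real host): a CSF-style
# LOCALINPUT jump is present, but the cPanel jump sits at position 1 ahead of it.
SAMPLE_RULES = """\
-P INPUT DROP
-N cP-Firewall-1-INPUT
-A INPUT -j cP-Firewall-1-INPUT
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -j cP-Firewall-1-INPUT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
"""

def parse_rules(text):
    """Map chain name -> rule specs in ruleset order, from `iptables -S` output."""
    chains = {}
    for line in text.splitlines():
        m = re.match(r"^-(N|A) (\S+)\s*(.*)$", line)
        if not m:
            continue  # policy lines (-P) and blanks are not rules
        rules = chains.setdefault(m.group(2), [])  # -N registers an empty chain
        if m.group(1) == "A":
            rules.append(m.group(3))
    return chains

def jump_positions(chains, target=CHAIN):
    """1-based index of `-j target` in INPUT/FORWARD (None if absent); 1 means it runs first."""
    return {b: next((i for i, r in enumerate(chains.get(b, []), 1) if r == f"-j {target}"), None)
            for b in ("INPUT", "FORWARD")}

def opened_ports(chains, target=CHAIN):
    """Sorted (proto, dport) pairs the chain ACCEPTs; dport may be a range like 49152:65534."""
    found = set()
    for rule in chains.get(target, []):
        proto = re.search(r"-p (tcp|udp)", rule)
        port = re.search(r"--dport (\S+)", rule)
        if proto and port and rule.endswith("-j ACCEPT"):
            found.add((proto.group(1), port.group(1)))
    return sorted(found)

def policy_conflicts(chains, must_stay_closed):
    """Ports the cPanel chain opens that the local policy (e.g. CSF) expects to stay closed."""
    return sorted(set(opened_ports(chains)) & set(must_stay_closed))
```

Feed it the live output of `iptables -S` (and `ip6tables -S`) from a cron job or monitoring check: a jump at position 1 or a non-empty conflict list is the condition the thread describes, before the 82.0.4 fix or whenever the chain is re-created.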

CreateChange

Member
Apr 30, 2019
Denver, CO
cPanel Access Level
Root Administrator
Thank you for the update, Michael. Will start getting our servers updated to at least that release.

Appreciate the followup. Have a good weekend. :)