[K12OSN] firewall question

Rob Owens rowens at ptd.net
Sun Mar 2 00:05:45 UTC 2008


Sounds like someone is using your "server a" to do a port scan on port 22.  That means somebody logged into "server a" is trying to find out which other computers on the network (or on the internet) are accepting ssh connections.  This could be one of your legitimate local users, or it could be that someone on the internet managed to log into your "server a" (via ssh or other means).  It could be that someone is trying to break into other computers using your "server a", or it could be a legitimate use of a port scanner.  For instance, I use port scanners on my local network when DNS fails and I need to ssh into one of my other machines.  I scan the entire network for port 22, and try each machine that has that port open.

Whether you need a firewall or not is determined by your network setup.  If your server is protected from the internet by another firewall, then it might not make sense to run a local firewall on your server.  If the server's purpose is to serve file shares to the entire network, then make sure NFS and/or Samba are the only services running.  If you do this, then a firewall would only block ports that aren't open anyway, which means the firewall isn't adding any protection.

-Rob

On Fri, Feb 29, 2008 at 07:58:52PM -0500, Vi Thai wrote:
> Hi everyone!  I'm the technology coordinator of a small school in
> Glenburn, Maine.  I have two separate but related issues.
> 1...
> I recently changed the firewall settings on three of my k12ltsp
> servers that are running Fedora 6.  I received this message from my
> network manager from server a: "outbound port tcp/22 (secure shell)
> scanning detected."  I'm not really sure what this meant, so I looked
> at the firewall settings on this particular server and noticed that
> one of the trusted ports was SSH, which I read uses port 22.  We only
> allow users to login from clients from within our
> school and no one from outside school can log in, so I didn't think
> turning off SSH would be a problem.  After turning SSH off some of the
> clients on the server could not log in.  I reset the server and
> everything was back to normal.  Is this what I should have done to
> address the message I received?  There hasn't been an update since the
> summer so should I do a "yum update" in the terminal to ensure that
> all software on the server is updated?
> 2...
> I then went to look at the firewall settings for the other two servers
> ("server b" and "server c") and noticed that neither of the firewalls
> on the servers were even on!  I quickly changed the settings so that
> the firewall was enabled with no exceptions.  I reset the server and
> everyone was able to connect after the restart.  I thought everything
> was fine until a few minutes later when a teacher called and indicated
> that she couldn't get onto the wireless airport out in her portable (I
> had put an apple wireless airport out there plugged into the WAN port
> which was plugged into a switch on "server c").  The airport was
> working fine before I turned on the firewall and even if I turn the
> firewall off I still cannot get the airport to work.  Anyone have any
> thoughts on how I could solve this issue?  I really don't want to turn
> the firewall off even though it has been on since I've been here last
> October.  My suspicion is that the firewall has been disabled for over
> two years now with no apparent problems.  We have been having a
> network slow down so perhaps there has been a compromise on one of
> these servers and I have not been informed yet.  I know it's a silly
> question, but should this firewall even be turned on?  I'm new to this
> type of network and any help provided would be greatly appreciated.
> 
> Vi
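The kind of check that sits behind an "outbound port tcp/22 (secure shell) scanning detected" alert, as an added example that is not part of the original thread: it counts how many distinct hosts each source contacts on port 22 within a short window. The log format (iptables LOG-style lines with a hypothetical "OUT-SYN" prefix), the addresses, the year and the 20-hosts-in-60-seconds threshold are all assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed input: iptables LOG-style lines for outbound TCP SYNs.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) .*\bSRC=(\S+) DST=(\S+) "
    r".*\bPROTO=TCP\b.*\bDPT=(\d+)\b.*\bSYN\b")

def parse(line, year=2008):
    """Return (time, src, dst, dport) for a logged TCP SYN, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the year here is an assumption.
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return when, m.group(2), m.group(3), int(m.group(4))

def find_ssh_scanners(lines, min_hosts=20, window=timedelta(seconds=60)):
    """Map source IP -> peak number of distinct port-22 targets seen inside
    one window, for sources whose peak reaches min_hosts."""
    recent = defaultdict(deque)   # src -> (time, dst) pairs still in the window
    peak = defaultdict(int)
    for when, src, dst, dport in filter(None, map(parse, lines)):
        if dport != 22:
            continue
        q = recent[src]
        q.append((when, dst))
        while when - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= min_hosts}

def constructed_log():
    """Constructed sample lines (not taken from the thread)."""
    fmt = ("Mar  1 19:{m:02d}:{s:02d} servera kernel: OUT-SYN IN= OUT=eth0 "
           "SRC={src} DST={dst} LEN=60 PROTO=TCP SPT=40000 DPT={dpt} SYN")
    lines = [fmt.format(m=2, s=i, src="10.0.0.2", dst=f"10.0.0.{10 + i}", dpt=22)
             for i in range(40)]      # sweep: 40 hosts in 40 seconds
    lines += [fmt.format(m=5 * i, s=0, src="10.0.0.7", dst=f"10.0.0.{50 + i}", dpt=22)
              for i in range(8)]      # admin use: 8 hosts spread over 35 minutes
    lines += [fmt.format(m=3, s=i, src="10.0.0.7", dst=f"10.0.0.{60 + i}", dpt=445)
              for i in range(30)]     # file-share traffic, not port 22
    return lines

if __name__ == "__main__":
    for src, n in find_ssh_scanners(constructed_log()).items():
        print(f"{src}: {n} distinct hosts probed on tcp/22 within 60 s")
```

A flagged source only says that the sweep came from that machine; whether it was an administrator's own scan or an unwanted login still has to be settled from the server's login records.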