
Unable to SSH to any server. Even FTP/SFTP does not work.

Hi all,

I've recently installed Sophos UTM 9 in my home lab, and these are my very first few weeks.
I have been facing a very strange issue lately, and hence I need your help with this.

Two days back, I was trying to transfer files from a remote server using an SFTP connection through FileZilla, and the entire file transfer was choppy: the connection would keep disconnecting every few seconds and then resume the transfer. This went on for a couple of minutes; the connection would terminate and then reconnect again, and the transfer would resume, but after a few minutes the connection got disconnected completely, and since then I am not able to SSH to that server using PuTTY, nor through FileZilla (FTP client).

The remote server is online, and I have tried connecting to this server from work (a different location from home), and it works fine from home; I can file transfer without any issues.

It's only here at home where I have Sophos installed.

Prior to Sophos I was able to file transfer and connect to the server without issues.

Is there something in the firewall that is completely blocking the SSH connection or file transfer to a remote server, which I need to check or enable, or a rule I need to create?



  • Hi,

    Check #1 in the Rulz by Bob. You might also need to refer to the Packetfilter log files on the UTM.

    You will discover potential blocks in the logs and information about which module is blocking it. Please show us the logs to get an idea about what might be blocking the connections.

    Cheers-

  • Looking at the log line, those are default drops with fwrule="60002". It happens when the packet is not destined for the UTM, or, we can say, there is no firewall rule defined to forward the packet.

    2017:05:09-00:00:01 sophos ulogd[6252]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="00:0e:8f:79:e3:21" dstmac="00:25:90:7c:01:af" srcip="192.168.1.100" dstip="96.44.129.13" proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="60141" dstport="232" tcpflags="SYN"

    Considering the fact that the destination IP address is a public IP, I suspect the issue is a missing/misconfigured masquerading rule defined in the UTM. Also, a firewall rule to forward 192.168.1.0 network through the UTM is absent or misconfigured.

    Thank You

  • You're new here, so you're not used to this editor.  You could have used Insert to add the file to your post.  We can't know if an external link is properly protected. The only malware I've gotten in over 10 years was from an external link to a picture in this forum several years ago.

    I haven't looked at your file, but the fact that it's a zip indicates that you've uploaded the entire log file.  Outside of Sachin, everyone else at Sophos is here on their own time just like those of us that don't work for Sophos.  People that help others here won't take the time to dig through a long file to find things.

    Cheers - Bob

  • I am sorry about my previous ignorance, Bob. I will make sure I follow the proper guidelines and rules of the forum.

    I have uploaded the log file using Insert > upload file. However, it is still the log file as it was directly ported from the server and truncated to a 500 KB file size; I have just edited out my IP address with xxx.

    packetfilter.log

    I have reviewed Sachin's post above; I just do not know how to interpret it and add the settings to my firewall. A few simple steps will help, if it's not too much of a hassle, please.

  • Currently I have just a masquerading rule.

    Is this something I need to fix? Also, do I need to add another rule?

    My computer's local IP address is 192.168.1.103 (it is part of the local domain).

    Default gateway is 192.168.1.99 (this is the firewall).

    DNS/DHCP server is 192.168.1.10.

    Currently I just have 1 VLAN set up on a 48-port Cisco switch.

  • No apology necessary - I was just trying to help you get the most out of this place!

    I would have your internal users get NTP (UDP 123) from your DHCP server and set it to get NTP from the UTM.  You also need to allow your server in 'Network Services >> NTP'.  At present you have no firewall rule like '{192.168.1.100} -> NTP -> Internet : Allow', so those packets are being dropped.  You won't need that rule if you have the server get time from the UTM.

    Similarly, there is no firewall rule allowing TCP 232 to the Internet, so those packets are also being dropped out of the FORWARD chain (fwrule="60002").  This is the same for SSH on the Internet.

    I see a drop out of the INPUT chain ("60001") for someone from the Ukraine (37.229.167.134) trying to telnet into your UTM.  Unless you're in the same country, this is likely a branch of the Russian mafia, so you probably don't want to allow that traffic!

    In general, I don't log successful outbound traffic, but I do like to start a new setup with two logged allow rules after the explicit 'Internal (Network) -> {Service} -> Internet' rules:

    Internal (Network) -> {1:65535->1:1023} -> Internet : Allow
    Internal (Network) -> {1:65535->1024:65535} -> Internet : Allow

    After a month, I look back through the list of Services recorded in the logs and add new rules before these rules.  That's usually long enough to turn those rules off and wait for complaints. [;)]

    Cheers - Bob
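    Sachin's post explains the fwrule="60002" default drop, and Bob's reply reads the same log to tell FORWARD drops (60002, missing allow rule) apart from INPUT drops (60001, someone probing the UTM itself) and to harvest the services that need explicit rules. The small parser below does that triage over the packetfilter log format; it is an added example written for this thread, not code from Sophos or from any poster. The first sample line is the one Sachin quoted; the other lines are constructed to mirror what Bob describes (an NTP drop, an SSH drop, a telnet attempt dropped out of INPUT, one accepted packet), and the addresses 198.51.100.7 and 203.0.113.5 are placeholders. The mapping 60001 = INPUT and 60002 = FORWARD is taken from the thread.

```python
import re
from collections import Counter

# Sample packetfilter log. Line 1 is the real line quoted in the thread; the
# rest are constructed for this example (placeholder IPs 198.51.100.7 = the
# UTM's WAN side, 203.0.113.5 = an Internet NTP server).
SAMPLE_LOG = """\
2017:05:09-00:00:01 sophos ulogd[6252]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="00:0e:8f:79:e3:21" dstmac="00:25:90:7c:01:af" srcip="192.168.1.100" dstip="96.44.129.13" proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="60141" dstport="232" tcpflags="SYN"
2017:05:09-00:00:05 sophos ulogd[6252]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcip="192.168.1.100" dstip="203.0.113.5" proto="17" length="76" tos="0x00" prec="0x00" ttl="63" srcport="123" dstport="123"
2017:05:09-00:00:09 sophos ulogd[6252]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcip="192.168.1.103" dstip="96.44.129.13" proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="51020" dstport="22" tcpflags="SYN"
2017:05:09-00:00:12 sophos ulogd[6252]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="37.229.167.134" dstip="198.51.100.7" proto="6" length="60" tos="0x00" prec="0x00" ttl="49" srcport="41234" dstport="23" tcpflags="SYN"
2017:05:09-00:00:15 sophos ulogd[6252]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth0" outitf="eth1" srcip="192.168.1.103" dstip="96.44.129.13" proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="51021" dstport="443" tcpflags="SYN"
"""

# Every field after the "ulogd[pid]:" prefix is a key="value" pair.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Default-drop rule ids as the thread explains them.
DEFAULT_DROP_CHAINS = {"60001": "INPUT", "60002": "FORWARD"}
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_line(line):
    """Split one ulogd packetfilter line into a dict; None for other lines."""
    if 'sub="packetfilter"' not in line:
        return None
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def _proto(f):
    return PROTO_NAMES.get(f.get("proto"), f.get("proto"))


def drops_by_chain(log_text):
    """Count dropped packets per chain (INPUT, FORWARD, or another rule id)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.get("action") == "drop":
            rule = f.get("fwrule", "?")
            counts[DEFAULT_DROP_CHAINS.get(rule, "rule " + rule)] += 1
    return counts


def missing_forward_services(log_text, internal_prefix="192.168.1."):
    """Distinct (srcip, proto, dstport) dropped out of FORWARD for internal hosts.

    Each entry is either a candidate for an explicit allow rule or a sign that
    the client should be pointed elsewhere (e.g. NTP to the UTM instead).
    """
    seen = set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("action") != "drop" or f.get("fwrule") != "60002":
            continue
        if not f.get("srcip", "").startswith(internal_prefix):
            continue
        seen.add((f["srcip"], _proto(f), f.get("dstport")))
    return sorted(seen)


def input_probes(log_text):
    """External sources dropped out of INPUT, i.e. attempts to reach the UTM itself."""
    probes = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.get("action") == "drop" and f.get("fwrule") == "60001":
            probes[(f.get("srcip"), _proto(f), f.get("dstport"))] += 1
    return probes


def format_rule(srcip, proto, dstport):
    """Render a candidate rule in the notation Bob uses in the thread."""
    return "{%s} -> %s/%s -> Internet : Allow" % (srcip, proto, dstport)


if __name__ == "__main__":
    print(drops_by_chain(SAMPLE_LOG))
    for entry in missing_forward_services(SAMPLE_LOG):
        print(format_rule(*entry))
    print(input_probes(SAMPLE_LOG))
```

    Run against a real packetfilter.log, the FORWARD list is the set of services to decide on one by one (allow explicitly, or redirect as Bob suggests for NTP), while the INPUT list is what is knocking on the UTM from outside and should stay dropped.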

  • The issue is resolved. Helped a lot.

    His due diligence in figuring out the issue was immaculate.

    My firewall Intel NIC card was causing this disturbance. While scanning through the internet, I see that Intel NIC cards have issues with Linux distro drivers.

    After replacing the NIC card, the issue vanished.

    Thanks Sachin.

    Thanks for standing by and giving me all sorts of wonderful tips that I have now inculcated in my regular firewall ref-check schedule.