Enabling firewall on the ol’ webserver

This evening at work I have decided to enable the firewall on my webserver. It is of course already behind my network firewall, but if one of my other devices gets hacked or something, it could become a target. I have been meaning to do it for a while now, but it’s probably been twenty years since I’ve used iptables to do anything. And Ubuntu has a handy little utility called Uncomplicated Firewall (ufw), which is just a configuration system for iptables. And in keeping with Linux development over the last couple of decades, this new easier configuration comes with all these lovely config files!

Since I’m doing this at work, I have to make sure I’ve got all the rules configured correctly, or I risk being blocked for the rest of the work shift, so gotta dot my t’s and cross my eye’s.

Checking current config

/etc/default/ufw only had a couple of things I might need to change, which are listed below.

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

The .rules files I checked just had some common sense stuff, but I haven’t found a “Drop All” command anywhere in the files. I really need to know if this is configured for default deny or allow, because that changes the order I need to add rules in. I’m assuming it’s processed last. I attempted to just enable the firewall, but I got a message that it may disconnect my SSH session, so I’ve decided to enter the rules I know I need and hope I don’t get blocked when I enable it.

So, building the commands to add the rules I need: HTTP(S) for the webserver, SSH to configure the webserver, and I’ll add some rules for RDP and Samba later, though I’m not sure I really need to because it’s acting as a client. Apache and SSH are already defined as applications in /etc/ufw/applications.d.

# add rule for SSH
sudo ufw allow from 192.168.0.0/24 to any app OpenSSH

#add rule for Apache
sudo ufw allow from any to any app "Apache Full"

Unfortunately, it doesn’t allow me to run the status command without enabling the firewall, so I may have 7-8 hours of boredom if this goes tits up.
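The lock-out worry above is the classic one when enabling a host firewall over SSH. As an added example (not from the original post), the script below checks that the address you are connected from is actually inside the subnet your OpenSSH allow rule permits before you run `ufw enable`. It parses text shaped like the output of `ufw show added`, which lists rules whether or not the firewall is active; the rule text and the fallback SSH_CONNECTION value are constructed here, and the server address 192.168.0.10 is an assumption.

```shell
# ip2int A.B.C.D -> 32-bit integer (helper for the CIDR test)
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET/PREFIX -> true when IP lies inside the subnet
in_cidr() {
    net=${2%/*}; prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# ssh_allowed_from RULES -> source of the first SSH allow rule: "any" when the
# rule has no "from" clause, empty when there is no SSH rule at all.
ssh_allowed_from() {
    printf '%s\n' "$1" | awk '/^ufw allow/ && /OpenSSH|22\/tcp|port 22/ {
        s = "any"
        for (i = 1; i <= NF; i++) if ($i == "from") s = $(i + 1)
        print s; exit }'
}

# precheck RULES "client_ip client_port server_ip server_port" -> true when the
# SSH client address (the shape of $SSH_CONNECTION) is covered by the SSH rule.
precheck() {
    client=${2%% *}
    src=$(ssh_allowed_from "$1")
    case $src in
        "")  return 1 ;;                  # no SSH rule: enabling would lock you out
        any) return 0 ;;
        */*) in_cidr "$client" "$src" ;;
        *)   [ "$client" = "$src" ] ;;
    esac
}

# Constructed sample: the two rules from this post as `ufw show added` echoes them.
RULES=$(cat <<'EOF'
Added user rules (see 'ufw status' for running firewall):
ufw allow from 192.168.0.0/24 to any app OpenSSH
ufw allow from any to any app 'Apache Full'
EOF
)

# Uses the live $SSH_CONNECTION when present, otherwise a constructed one.
if precheck "$RULES" "${SSH_CONNECTION:-192.168.0.42 51234 192.168.0.10 22}"; then
    echo "SSH client is covered by the OpenSSH rule: safe to run 'sudo ufw enable'"
else
    echo "SSH client is NOT covered: add a rule for it before enabling" >&2
fi
```

On the real host, run it in the same SSH session you will enable the firewall from, feeding it `"$(sudo ufw show added)"` in place of the constructed RULES.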

Wow, I wasn’t disconnected, so I did things right, or it’s just not blocking anything at all. Time to check the log.

Nothing but this error, so I think I’m good. Not sure why my router is sending this shit, but I’m guessing it’s UPnP or Multicast something or other. It logs this every 20 seconds.

2024-10-20T04:25:18.125010+00:00 thecweb kernel: [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:c8:7f:54:90:f5:d8:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=11284 DF PROTO=2
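Block logs fill up fast with repeating local chatter like the line above, so it helps to collapse them into counts per source, destination and protocol before deciding what matters. The script below is an added example, not part of the post: it parses kernel "[UFW BLOCK]" records, names numeric protocols (PROTO=2 is IGMP) and flags multicast destinations. The sample log is constructed from the post's line plus a made-up blocked TCP attempt; the server address 192.168.0.10 and the second MAC are assumptions.

```shell
# proto_name P -> name for the PROTO= field (the kernel already names TCP/UDP/ICMP;
# less common protocols appear as numbers, so map the ones worth recognizing)
proto_name() {
    case $1 in
        1) echo ICMP ;; 2) echo IGMP ;; 6) echo TCP ;; 17) echo UDP ;;
        *) echo "$1" ;;
    esac
}

# is_multicast IP -> true when IP is in 224.0.0.0/4 (first octet 224..239)
is_multicast() {
    o=${1%%.*}
    [ "$o" -ge 224 ] && [ "$o" -le 239 ]
}

# summarize_blocks: reads log lines on stdin and prints "count proto src dst dpt"
# for every distinct tuple seen in [UFW BLOCK] records, most frequent first.
summarize_blocks() {
    awk '/\[UFW BLOCK\]/ {
            src = dst = dpt = proto = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            n[proto " " src " " dst " " dpt]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# report: human-readable summary that tags multicast destinations, which are
# normally local chatter (router/IGMP queries) rather than a probe.
report() {
    summarize_blocks | while read -r count proto src dst dpt; do
        tag=""
        is_multicast "$dst" && tag=" (multicast: local noise, not a probe)"
        printf '%5d %-5s %s -> %s dpt=%s%s\n' "$count" "$(proto_name "$proto")" "$src" "$dst" "$dpt" "$tag"
    done
}

# Constructed sample: the IGMP line from the post (twice, since it recurs every
# 20 s) and a made-up blocked TCP SYN to the RDP port from another LAN host.
LOG='2024-10-20T04:25:18.125010+00:00 thecweb kernel: [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:c8:7f:54:90:f5:d8:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=11284 DF PROTO=2
2024-10-20T04:25:38.125010+00:00 thecweb kernel: [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:c8:7f:54:90:f5:d8:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=11285 DF PROTO=2
2024-10-20T04:25:41.000000+00:00 thecweb kernel: [UFW BLOCK] IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.55 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0'

printf '%s\n' "$LOG" | report
```

On the real host, pipe `journalctl -k` or /var/log/ufw.log into `report` instead of the constructed LOG.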

I’m kind of surprised none of my SSH, RDP, or Apache/Tomcat connections dropped when I turned it on, but things seem to be working perfectly…

The status command certainly looks like I did what I intended…

cweb@thecweb:/var/log$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (OpenSSH)           ALLOW IN    192.168.0.0/24
80,443/tcp (Apache Full)   ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
80,443/tcp (Apache Full (v6)) ALLOW IN    Anywhere (v6)

One last setting to enable at boot and I’m done. Oh, well actually, it turns out that /etc/ufw/ufw.conf is automatically updated to start on boot with the ufw enable command. Cool.

Feeding strays

I have been seeing two cats that I believe live in my backyard for a few weeks now. I put out a bowl of food and came back after several hours and it was gone. Yesterday I woke up around 3:30 am and decided to put a bowl out. This hungry little tortie was eating in less than a minute. lol

Her orange friend came by, but I didn’t actually catch him eating anything.

No One Will Save You (2024) – Hulu

I think this is my first Hulu original movie. It’s an interesting take on an alien abduction/invasion horror film. Very visual. There were only a few sentences of dialog, not counting the aliens.

Ultracrepidarianism – learned a new word

And judging from the definition below I think everyone I’ve ever met is one…

An ultracrepidarian is a person who offers opinions beyond their own knowledge. It can also be used as an adjective describing such a person. This word is used in situations when someone is speaking as an authority on a subject that they have only limited knowledge of.

RDP with Guac

I finally decided to bite the bullet and upgrade my laptop to Windows 11 Pro, so that I could use RDP instead of VNC. The primary reason I did this is to make remote access faster. Not only is the RDP protocol much faster than VNC (prob more secure too), but I’ll be connecting to my laptop, which is much newer, with twice the RAM, some sort of i7 processor, and the wifi card seems a bit stronger.

The config was quite simple after I learned to interpret this gobbledygook below:

Oct 01 19:45:13 thecweb.com guacd[1382772]: Creating new client for protocol "rdp"
Oct 01 19:45:13 thecweb.com guacd[1382772]: guacd[1382772]: INFO:        Creating new client for protocol "rdp"
Oct 01 19:45:13 thecweb.com guacd[1382772]: guacd[1382772]: INFO:        Connection ID is "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a"
Oct 01 19:45:13 thecweb.com guacd[1382772]: Connection ID is "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a"
Oct 01 19:45:13 thecweb.com guacd[1382975]: FreeRDP initialization may fail: The current user's home directory ("/usr/sbin") is not writable, but FreeRDP generally requires a writable home directory for storage of configura>
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: WARNING:        FreeRDP initialization may fail: The current user's home directory ("/usr/sbin") is not writable, but FreeRDP generally requires a writable home di>
Oct 01 19:45:13 thecweb.com guacd[1382975]: No security mode specified. Defaulting to security mode negotiation with server.
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO:        No security mode specified. Defaulting to security mode negotiation with server.
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO:        Resize method: none
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO:        No clipboard line-ending normalization specified. Defaulting to preserving the format of all line endings.
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO:        User "@f96cd9fe-6e30-495b-8b36-dbd32578750f" joined connection "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a" (1 users now present)
Oct 01 19:45:13 thecweb.com guacd[1382975]: Resize method: none
Oct 01 19:45:13 thecweb.com tomcat9[1382777]: 19:45:13.459 [http-nio-8080-exec-8] INFO  o.a.g.tunnel.TunnelRequestService - User "cweb" connected to connection "RDP on hp360".
Oct 01 19:45:13 thecweb.com guacd[1382975]: No clipboard line-ending normalization specified. Defaulting to preserving the format of all line endings.
Oct 01 19:45:13 thecweb.com guacd[1382975]: User "@f96cd9fe-6e30-495b-8b36-dbd32578750f" joined connection "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a" (1 users now present)
Oct 01 19:45:13 thecweb.com guacd[1382975]: Loading keymap "base"
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO:        Loading keymap "base"
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO:        Loading keymap "en-us-qwerty"
Oct 01 19:45:13 thecweb.com guacd[1382975]: Loading keymap "en-us-qwerty"
Oct 01 19:45:13 thecweb.com guacd[1382975]: Certificate validation failed
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO:        Certificate validation failed
Oct 01 19:45:13 thecweb.com guacd[1382975]: RDP server closed/refused connection: SSL/TLS connection failed (untrusted/self-signed certificate?)
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO:        RDP server closed/refused connection: SSL/TLS connection failed (untrusted/self-signed certificate?)
Oct 01 19:45:13 thecweb.com guacd[1382975]: User "@f96cd9fe-6e30-495b-8b36-dbd32578750f" disconnected (0 users remain)
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO:        User "@f96cd9fe-6e30-495b-8b36-dbd32578750f" disconnected (0 users remain)
Oct 01 19:45:13 thecweb.com guacd[1382975]: guacd[1382975]: INFO:        Last user of connection "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a" disconnected
Oct 01 19:45:13 thecweb.com guacd[1382975]: Last user of connection "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a" disconnected
Oct 01 19:45:13 thecweb.com tomcat9[1382777]: 19:45:13.855 [http-nio-8080-exec-3] INFO  o.a.g.tunnel.TunnelRequestService - User "cweb" disconnected from connection "RDP on hp360". Duration: 396 milliseconds
Oct 01 19:45:13 thecweb.com guacd[1382772]: Connection "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a" removed.
Oct 01 19:45:13 thecweb.com guacd[1382772]: guacd[1382772]: INFO:        Connection "$7bea9685-1e55-4f4e-b0bf-7fc3f5fd0a5a" removed.

The bolded lines are what I needed to figure this out. Really it was quite obvious where that error was coming from once I decided to try to connect from a Windows PC. Seasoned admins should be familiar with the message below:

And it turns out that Guacamole has no way of dealing with this at login. So I added the bolded param to the config file and restarted things and boom goes the dynamite.

<connection name="RDP on hp360">
    <protocol>rdp</protocol>
    <param name="hostname">hp360</param>
    <param name="port">3389</param>
    <param name="ignore-cert">true</param>
</connection>

Now, I did spend a little bit more time on an error above, the one about issues writing to /usr/sbin. A red herring to be sure. Maybe I should have paid more attention to the fact that the error says it may cause issues, not that it will cause issues. After I changed permissions on /usr/sbin/.config so that the FreeRDP client could write there, the error persists, but it is still writing config files there, so not sure. I only mention it because it wasted like 30 minutes of my time.

Twitter

Twitter suspended my account for posting the link to the Vance dossier. I just had to delete the tweets with the links in them. So this post is just so I can post it on Twitter, then tweet the link, and see if my account gets banned again. I’m curious if they are just looking for the original URLs or doing some more extensive filtering.

I figure I’ll try the direct link first, and then just host the file directly on the site if that doesn’t work.

Scroll down and there is a download link for the full PDF.

https://www.kenklippenstein.com/p/read-the-jd-vance-dossier