Firewall oddity

I re-installed OpenSuSE 12.3 on Aug 13 from the install DVD. Everything went really smoothly. After the initial install a lot of patches were also installed. During the install my NICs were discovered and the one facing the router was configured for DHCP. The firewall was also started and began logging. All is good up to this point. The last entry in /var/log/firewall occurred at 09:57 am. On Aug. 16, while configuring apache and opening a port in the firewall, yast told me that a different firewall was running!! I checked my firewall log and sure enough the entries had stopped at 09:57 on Aug. 13. I restarted the firewall and it immediately started logging again. I didn’t install any other firewall. I’ve done a bit of amateur poking around, been watching my logs, even watching the output of top to try and find any abnormal activity, but nothing.

Makes a guy wanna re-install again!

Does anyone know of another firewall app that may have gotten installed from one of the repositories? I did a pretty vanilla install. I did add on PHP, GTK++, a few games I enjoy, apache2, Tex, LaTex, DHCP, and DNS. A bit more than that to be honest, but I can’t recall ever even seeing another firewall in one of the repos?

Where to go from here?

Cheers, and thanks for any advice,
Terry.

One thing is sure with computers: when you repeat the same thing again and again, you will get the same results again and again. Re-installing without knowing what was done wrong, and thus what should be done differently this time, is wasting time.

Yes, but I don’t believe anything was “done wrong”. The install went cleanly with no errors. The patches installed straight away. The firewall log was working… then?? Like I said, I did install a number of packages after the initial install and update, but I didn’t install a new firewall. At least not that I’m aware of.

UPDATE: While scouring the /var/log/zypp/history file I did notice that I started to install additional packages at 10:06 on August 13th, only minutes after the last entry in /var/log/firewall. One of the things I installed was nagios and all/some of its plug-ins. It does seem beyond coincidence that SuSEfirewall2 stopped logging at the same time as I started installing additional packages. I feel more confident that it was during this additional package installation that whatever happened happened. But it’s still a puzzle to me what exactly turned off SuSEfirewall2 and what was running in its place? And did it create a log somewhere? I’d expect whatever firewall was running, if it was legit, to create a log somewhere.

Just for the sake of argument hcvv, if I wrote a program in C and then compiled it, running it over and over expecting it to produce different results would probably be a waste of time. However, in an environment where the libraries may be updated by someone else, re-compiling the program may indeed produce different results. Do you see what I mean? My install “seemed” to go just fine, with no errors, and everything was operating correctly. Finding no entries in my firewall log after a certain time was a surprise. Being told by yast that a “different” firewall was running was another surprise. Re-installing when you think the system might have been compromised, in my humble opinion, might be the responsible thing to do. I wouldn’t want to be responsible for my machine being used to attack/infect other people’s machines. Also, OpenSuSE seems to update their repos on a daily basis. Therefore if I installed and patched my system on August 13th, and did a re-install on August 19th, I could reasonably expect different results. Packages get updated, new patches are added… things change! But all of this is merely academic; the problem was probably caused by my package selection and not an intruder.

By the way, does anyone have a link to a “best practices” or “what to do” type document for when you fear your server may have been compromised?
I’ve found these resources: CSIRT, Publications and SANS: Intrusion Detection FAQ
Does anyone have or know of a document specifically targeted at OpenSuSE users?

Cheers all, and thanks for responding hcvv,
Terry.
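The correlation described in the update above (last firewall log entry versus what zypper installed minutes later) can be done mechanically rather than by eyeballing two files. This is an added example, not something from the thread: the firewall and zypp history lines are constructed to mirror the two formats (syslog-style lines without a year in /var/log/firewall; pipe-separated date|action|name|version|arch|requester|repo|checksum records in /var/log/zypp/history), and the host name, addresses and package versions are hypothetical.

```shell
#!/bin/sh
# Added example: correlate the last entry in /var/log/firewall with what
# zypper installed shortly afterwards, using /var/log/zypp/history.
# All log lines below are constructed to mirror the two formats; the host,
# addresses and package versions are hypothetical.

# SuSEfirewall2 writes syslog-style lines (no year in the timestamp).
FIREWALL_LOG_SAMPLE='Aug 13 09:55:41 starlock kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=23
Aug 13 09:57:02 starlock kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=UDP DPT=5060'

# zypp history is pipe-separated: date|action|name|version|arch|requester|repo|checksum|
ZYPP_HISTORY_SAMPLE='2013-08-13 09:40:12|install|apache2|2.2.22-3.1|x86_64|root@starlock|repo-oss|0000|
2013-08-13 10:05:58|command|root@starlock|zypper in nagios nagios-plugins|
2013-08-13 10:06:03|install|nagios|3.5.0-1.1|x86_64|root@starlock|repo-oss|1111|
2013-08-13 10:06:09|install|nagios-plugins|1.4.16-2.1|x86_64|root@starlock|repo-oss|2222|
2013-08-13 11:20:44|install|texlive|2012.1-5.1|noarch|root@starlock|repo-oss|3333|
2013-08-16 14:02:10|install|chkrootkit|0.49-7.1|x86_64|root@starlock|repo-oss|4444|'

# awk helpers shared by the functions below: a Julian-day-number conversion so
# that two "YYYY-MM-DD HH:MM:SS" stamps can be subtracted without GNU date(1).
AWK_TIME='
function jdn(y, m, d,    f) {
    f = int((14 - m) / 12); y += 4800 - f; m += 12 * f - 3
    return d + int((153 * m + 2) / 5) + 365 * y + int(y / 4) - int(y / 100) + int(y / 400) - 32045
}
function epoch(s,    p) {
    split(s, p, /[- :]/)
    return jdn(p[1] + 0, p[2] + 0, p[3] + 0) * 86400 + p[4] * 3600 + p[5] * 60 + p[6]
}
'

# last_firewall_ts YEAR < firewall.log
# Prints the last entry's timestamp as "YYYY-MM-DD HH:MM:SS". Syslog lines
# carry no year, so the caller supplies it.
last_firewall_ts() {
    awk -v year="$1" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
                for (i = 1; i <= 12; i++) mon[names[i]] = sprintf("%02d", i) }
        NF >= 3 { last = sprintf("%s-%s-%02d %s", year, mon[$1], $2, $3) }
        END { print last }'
}

# seconds_between A B: B minus A in seconds, both "YYYY-MM-DD HH:MM:SS".
seconds_between() {
    awk -v a="$1" -v b="$2" "$AWK_TIME"'BEGIN { print epoch(b) - epoch(a) }'
}

# installs_within TS WINDOW < zypp-history
# Lists install/remove records from TS up to WINDOW seconds later, with the
# offset, so "what changed right after the firewall went quiet" is one read.
installs_within() {
    awk -F'|' -v ts="$1" -v window="$2" "$AWK_TIME"'
        BEGIN { base = epoch(ts) }
        $2 == "install" || $2 == "remove" {
            d = epoch($1) - base
            if (d >= 0 && d <= window)
                printf "%s %s %s-%s (+%ds)\n", $1, $2, $3, $4, d
        }'
}

# Stand-alone demonstration on the constructed samples.
ts=$(printf '%s\n' "$FIREWALL_LOG_SAMPLE" | last_firewall_ts 2013)
echo "firewall log went quiet at: $ts"
echo "package changes in the following 30 minutes:"
printf '%s\n' "$ZYPP_HISTORY_SAMPLE" | installs_within "$ts" 1800
```

On the real machine you would feed the actual files instead of the samples (`last_firewall_ts 2013 < /var/log/firewall` and `installs_within "$ts" 1800 < /var/log/zypp/history`). Widen the window if nothing shows up; a package whose post-install script restarted or replaced the firewall service would appear here, while a change that came from somewhere other than the package manager would not, which is itself useful to know.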

First, let me go on a slight tangent.
Don’t know if you are experienced running Nagios or if you are installing it for a particular purpose, but if you are either new at it or this is for a “small” local site (eg <500 hosts), then I highly recommend any of several advanced solutions that extend and build on basic Nagios. You should know that Nagios is a very old, hoary architecture, which is why it is difficult to run/manage/configure and uses text files instead of an RDBMS for some fairly high-load tasks.

So, for instance, I would highly recommend uninstalling your current nagios and installing something like the following, which I’ve used for several years. It installs its own instance of nagios (likely no different than what you have now), an RDBMS to properly support web tools, notifications, user management, etc, and more. Web tools including building/managing nagios checks (a godsend, I can build stuff in hours that ordinarily takes over a week), graphical reporting, more.
http://gwos.com

Now,
Back to your firewall issue…
I’ve run into the error you describe in a number of situations. Curiously, Linux (or at least the current error reporting) does not differentiate between whether a firewall is blocking, a service is unavailable, or numerous other reasons and conflicts, and there can be numerous filtering layers, particularly if you’re running in a virtualized environment.

So, when you see the error about another firewall, “all of the above” need to be considered and investigated.

Also, recommend you inspect (and maybe post) the output from the following before you do any fixing

systemctl status SuSEfirewall2.service 

On the topic of “what to do if you think you might be compromised”
It depends.
On if this is a private machine or belonging to a company.
On what you believe might have been compromised. For example, special procedures might be required if sensitive data, particularly data subject to regulatory bodies, might have been compromised.
What is your objective, to just fix or do you need/want to determine extent of compromise and where the data is going or who compromised your machine?

I have read, discussed and listened to “experts” and “not so expert” on this topic ad nauseam over the years without an answer consistent not only with each/any of the above objectives or even over time.

TSU

Well, we differ a bit in opinion here. I would say that a re-install because something has gone wrong is not a good approach, Analysing as you do above is.

Also the OSS and non-OSS repos are still the same as when openSUSE 12.3 was released. Thus after a re-installation (and before installing patches and additional software) you will be at the same point.

The main reason I wrote this is that I often see people who, in short, say: I have a problem, thus I re-installed everything, the problem is still there. Not a good approach to bug finding imho.

In any case, I now suppose/suggest that you go experimenting with installing and de-installing nagios to see what happens to the firewall.

The alternative is to wait, say, 24 hours to see if anybody here has the same sort of experience, or is a nagios user without firewall problems.

I am afraid that I am of no use here, not using nagios, nor SuSEfirewall2.

Thanks for responding.

hcvv - Well, we differ a bit in opinion here. I would say that a re-install because something has gone wrong is not a good approach, Analysing as you do above is.
Actually, I think I agree with you on that hcvv. If I just suspected a simple problem, I’d try to analyze the situation and fix what was broken… the best way to learn how things work! I was worried that the box was compromised and was thinking out loud about the best way to cleanse the system.

For tsu2:

starlock:~ # systemctl status SuSEfirewall2.service
SuSEfirewall2.service - SuSEfirewall2 phase 2
          Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled)
          Active: active (exited) since Sun, 2013-08-18 11:27:24 CDT; 1 day and 1h ago
        Main PID: 28753 (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/SuSEfirewall2.service

Aug 18 11:27:24 starlock.silicon.penguin systemd[1]: Started SuSEfirewall2 phase 2.
Aug 18 11:27:24 starlock.silicon.penguin SuSEfirewall2[28763]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Aug 18 11:27:25 starlock.silicon.penguin SuSEfirewall2[28916]: Firewall rules successfully set

Since my last post I installed chkrootkit and ran it. I got the following:

--SNIP--
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
--SNIP--

Of course, I’ve deleted all the other lines as they were all “…nothing found”.
I searched on the net and this is a common “false positive”. Found this forum answer: Gentoo Forums :: View topic - Diagnose SucKit

So, where to go from here?
The original problem was I discovered that the firewall hadn’t logged anything for almost three days, so I don’t/didn’t think it was a temporary blocking issue… but you’re still right tsu2, it could have been an “ordinary” issue I guess.

The machine in question is on a small home network. It’s connected to the router (to the net, eth0) and the internal network (to the hub, eth1). The machine runs the firewall, provides IP addresses to the internal network via DHCP, runs dnsmasq, runs a web server exposed to both networks, and provides file and print services to the internal network. I also use this machine as my personal workstation (programming, web surfing, gaming, email…).

There isn’t too much data of an overly sensitive nature on the entire network. Bills do get paid from various machines though…

As to what my wants/needs are:

  1. I don’t want my machine used to compromise any others.
  2. If my machine was compromised, I’d also want to disinfect it.
  3. Don’t care too much “where” the problem came from except to further the first two points.
  4. I’d kinda like figuring out what originally happened. If that’s even possible!

hcvv - In any case, I now suppose/suggest that you go experimenting with installing and de-installing nagios to see what happens to the firewall.

I think this is what I’ll do first, just to see if this caused the original problem or not.

tsu2 - So, for instance, I would highly recommend uninstalling your current nagios and installing something like the following, which I’ve used for several years. It installs its own instance of nagios (likely no different than what you have now), an RDBMS to properly support web tools, notifications, user management, etc, and more. Web tools including building/managing nagios checks (a godsend, I can build stuff in hours that ordinarily takes over a week), graphical reporting, more.
http://gwos.com
This is probably what I’ll do second.

Thank You hcvv & tsu2!
Cheers,
Terry.

hcvv - In any case, I now suppose/suggest that you go experimenting with installing and de-installing nagios to see what happens to the firewall.

silicon_penguin67 - I think this is what I’ll do first, just to see if this caused the original problem or not.

I uninstalled nagios and all of its plugins.
Rebooted.
Checked the logs, etc. All is good.
Re-installed nagios and plugins.
Checked everything out and all seems to be functioning as expected. Firewall is logging as normal, etc.
Uninstalled nagios and all the plugins.
Again, everything seemed fine. But wait, nagios does not clean up after itself very well!!
Nagios modifies /etc/sysconfig/apache2 as well as /etc/apache2/httpd.conf. When you uninstall nagios, it doesn’t restore these files to their previous states.
Not nice.
Of course, this had nothing to do with the firewall, but I thought I’d mention it.

Cheers,
Terry.
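The install/uninstall experiment in the post above found the leftover apache2 edits by chance. A way to make that systematic is to hash the configuration tree before installing a package and again after removing it, then diff the two snapshots; anything added, deleted or modified is what the uninstall did not put back. The script below is an added example, not from the thread: the sample tree is constructed under a temporary directory, and the edits in simulate_nagios_install_remove are hypothetical stand-ins for the kind of change the post describes, not a claim about what the nagios package actually writes.

```shell
#!/bin/sh
# Added example: snapshot a configuration tree before a package install and
# after its removal, then list what the uninstall left behind. Not from the
# thread; the sample tree below is constructed under a temp directory and the
# nagios-style edits are hypothetical stand-ins for what the post describes.

# Portable SHA-256 of stdin (coreutils sha256sum on Linux, shasum elsewhere).
hash_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# snapshot DIR OUTFILE: one "hash path" line per regular file under DIR,
# paths relative to DIR so two snapshots of the same tree line up.
snapshot() {
    dir="$1"; out="$2"
    ( cd "$dir" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_stdin < "$dir/$f" | cut -d' ' -f1)" "$f"
    done > "$out"
}

# changed BEFORE AFTER: print A (added), D (deleted) or M (modified) per path.
changed() {
    awk '
        FILENAME == ARGV[1] { before[$2] = $1; next }
        { after[$2] = $1 }
        END {
            for (p in before) if (!(p in after)) print "D " p
            for (p in after) {
                if (!(p in before)) print "A " p
                else if (before[p] != after[p]) print "M " p
            }
        }' "$1" "$2" | LC_ALL=C sort
}

# build_demo_tree DIR: constructed stand-in for /etc/sysconfig/apache2 and
# /etc/apache2/*.conf on a fresh install (contents are made up).
build_demo_tree() {
    mkdir -p "$1/sysconfig" "$1/apache2"
    printf 'APACHE_MODULES="actions alias auth_basic"\n' > "$1/sysconfig/apache2"
    printf '# httpd.conf: main apache2 configuration\n' > "$1/apache2/httpd.conf"
    printf 'Listen 80\n' > "$1/apache2/listen.conf"
}

# simulate_nagios_install_remove DIR: hypothetical leftovers of a package that
# edits shared config files on install and does not restore them on removal.
simulate_nagios_install_remove() {
    printf 'APACHE_MODULES="actions alias auth_basic php5"\n' > "$1/sysconfig/apache2"
    printf 'Include /etc/nagios/apache2.conf\n' >> "$1/apache2/httpd.conf"
    printf '# left over\n' > "$1/apache2/nagios.conf"
    rm -f "$1/apache2/listen.conf"
}

# run_demo: snapshot, simulate the install/remove cycle, snapshot again, report.
run_demo() {
    t=$(mktemp -d)
    build_demo_tree "$t/etc"
    snapshot "$t/etc" "$t/before"
    simulate_nagios_install_remove "$t/etc"
    snapshot "$t/etc" "$t/after"
    changed "$t/before" "$t/after"
    rm -rf "$t"
}

run_demo
```

On the real box you would call `snapshot /etc before.txt` before `zypper in nagios`, `snapshot /etc after.txt` after removing it, and `changed before.txt after.txt`; run it as root and keep the snapshot files outside /etc. For files that a package owns, `rpm -Vf /etc/sysconfig/apache2` is the quicker check, since it compares the file against the RPM database; the snapshot approach additionally catches files no package owns, and it works the same way for any directory you want to watch across an install/uninstall.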

Yes, you are right. That is an incorrect nagios uninstall procedure. You could try to file a bug with the package builder and/or the nagios people.

I can figure out how to file a bug report with the nagios people, but how do I figure out who the package builder is? Can you point me in the right direction?

Thanks and Cheers!
Terry.

I think you installed it from the official OSS repo. In that case you can go here: openSUSE:Submitting bug reports - openSUSE