Can't close some ports in firewall

These days I've been testing my PC on several sites for open ports. I found several open; for example, port 8899. After that I added rules in ufw and iptables to reject in and out connections on this port. But when I check this port online again, it is still indicated as 'open'. And what's more annoying, I was not able to determine which software or service is using this particular port on my system.

Here is the result of the sudo ufw status command:

Status: active

To                         Action      From
--                         ------      ----
8899                       DENY        Anywhere
53                         REJECT      Anywhere
631                        REJECT      Anywhere
54500                      REJECT      Anywhere
56200                      REJECT      Anywhere
54657                      REJECT      Anywhere
8899 (v6)                  DENY        Anywhere (v6)
53 (v6)                    REJECT      Anywhere (v6)
631 (v6)                   REJECT      Anywhere (v6)
54500 (v6)                 REJECT      Anywhere (v6)
56200 (v6)                 REJECT      Anywhere (v6)
54657 (v6)                 REJECT      Anywhere (v6)

8899                       REJECT OUT  Anywhere                   (log-all)
631                        REJECT OUT  Anywhere
54500                      REJECT OUT  Anywhere
56200                      REJECT OUT  Anywhere
54657                      REJECT OUT  Anywhere
8899 (v6)                  REJECT OUT  Anywhere (v6)              (log-all)
631 (v6)                   REJECT OUT  Anywhere (v6)
54500 (v6)                 REJECT OUT  Anywhere (v6)
56200 (v6)                 REJECT OUT  Anywhere (v6)
54657 (v6)                 REJECT OUT  Anywhere (v6)

And here is the output of the iptables -L -n command:

Chain INPUT (policy DROP)
target                     prot opt source               destination
ufw-before-logging-input   all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-input           all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-input            all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-input    all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-input           all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-input            all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target                     prot opt source               destination
ufw-before-logging-forward all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-forward         all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-forward          all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-forward         all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-forward          all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target                     prot opt source               destination
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-output          all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-output           all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-output   all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-output          all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-output           all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT                     all  --  0.0.0.0/0            127.0.0.1
ACCEPT                     all  --  0.0.0.0/0            192.168.0.0/16
ACCEPT                     all  --  0.0.0.0/0            10.0.0.0/8
ACCEPT                     all  --  0.0.0.0/0            172.16.0.0/12

Chain ufw-after-forward (1 references)
target                     prot opt source               destination

Chain ufw-after-input (1 references)
target                     prot opt source               destination
ufw-skip-to-policy-input   udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:137
ufw-skip-to-policy-input   udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:138
ufw-skip-to-policy-input   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139
ufw-skip-to-policy-input   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:445
ufw-skip-to-policy-input   udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ufw-skip-to-policy-input   udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ufw-skip-to-policy-input   all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target                     prot opt source               destination
LOG                        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target                     prot opt source               destination
LOG                        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target                     prot opt source               destination
LOG                        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-after-output (1 references)
target                     prot opt source               destination

Chain ufw-before-forward (1 references)
target                     prot opt source               destination
ACCEPT                     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT                     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT                     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT                     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
ACCEPT                     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ufw-user-forward           all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
target                     prot opt source               destination
ACCEPT                     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT                     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ufw-logging-deny           all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
DROP                       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
ACCEPT                     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT                     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT                     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
ACCEPT                     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT                     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
ufw-not-local              all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT                     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353
ACCEPT                     udp  --  0.0.0.0/0            239.255.255.250      udp dpt:1900
ufw-user-input             all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
target                     prot opt source               destination
LOG                        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-logging-input (1 references)
target                     prot opt source               destination
LOG                        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-logging-output (1 references)
target                     prot opt source               destination
LOG                        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-output (1 references)
target                     prot opt source               destination
ACCEPT                     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT                     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ufw-user-output            all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-logging-allow (0 references)
target                     prot opt source               destination
LOG                        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target                     prot opt source               destination
LOG                        all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID LOG flags 0 level 4 prefix "[UFW AUDIT INVALID] "
LOG                        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target                     prot opt source               destination
RETURN                     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
RETURN                     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
RETURN                     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
ufw-logging-deny           all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
DROP                       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-reject-forward (1 references)
target                     prot opt source               destination

Chain ufw-reject-input (1 references)
target                     prot opt source               destination

Chain ufw-reject-output (1 references)
target                     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target                     prot opt source               destination
DROP                       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
target                     prot opt source               destination
DROP                       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
target                     prot opt source               destination
ACCEPT                     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-track-forward (1 references)
target                     prot opt source               destination

Chain ufw-track-input (1 references)
target                     prot opt source               destination

Chain ufw-track-output (1 references)
target                     prot opt source               destination
ACCEPT                     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
ACCEPT                     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
target                     prot opt source               destination

Chain ufw-user-input (1 references)
target                     prot opt source               destination
DROP                       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8899
DROP                       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:8899
REJECT                     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 reject-with tcp-reset
REJECT                     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 reject-with icmp-port-unreachable
REJECT                     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:631 reject-with tcp-reset
REJECT                     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:631 reject-with icmp-port-unreachable
REJECT                     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:54500 reject-with tcp-reset
REJECT                     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:54500 reject-with icmp-port-unreachable
REJECT                     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:56200 reject-with tcp-reset
REJECT                     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:56200 reject-with icmp-port-unreachable
REJECT                     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:54657 reject-with tcp-reset
REJECT                     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:54657 reject-with icmp-port-unreachable

Chain ufw-user-limit (0 references)
target                     prot opt source               destination
LOG                        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT                     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target                     prot opt source               destination
ACCEPT                     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
target                     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target                     prot opt source               destination

Chain ufw-user-logging-output (2 references)
target                     prot opt source               destination
LOG                        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8899 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
RETURN                     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8899
LOG                        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:8899 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
RETURN                     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:8899

Chain ufw-user-output (1 references)
target                     prot opt source               destination
ufw-user-logging-output    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8899
REJECT                     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8899 reject-with tcp-reset
ufw-user-logging-output    udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:8899
REJECT                     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:8899 reject-with icmp-port-unreachable
REJECT                     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:631 reject-with tcp-reset
REJECT                     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:631 reject-with icmp-port-unreachable
REJECT                     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:54500 reject-with tcp-reset
REJECT                     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:54500 reject-with icmp-port-unreachable
REJECT                     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:56200 reject-with tcp-reset
REJECT                     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:56200 reject-with icmp-port-unreachable
REJECT                     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:54657 reject-with tcp-reset
REJECT                     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:54657 reject-with icmp-port-unreachable

And these are the sites which I've used for checking:

sudo netstat -nlp | grep 8899

find the process (pid) and kill the pid.


I don't have netstat installed. Is there any alternative to this command?

try ss -nlp | grep :8899

(ss=socket statistics)


Thanks for the replies. But unfortunately this command (with sudo) does not return any output. I've also redirected it into a text file - also nothing.

use nmap -p- [target_ip] to scan all 65K ports. Example:

user@cw:~$ nmap -p- 10.0.0.41
Starting Nmap 7.80 ( https://nmap.org ) at 2024-10-22 09:36 MST
Nmap scan report for cw.lan (10.0.0.41)
Host is up (0.00014s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
514/tcp  open  shell
4000/tcp open  remoteanything

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

Part one
A typical home network looks like

(computer, smartphones, 'clever' devices) => (home router) => (Internet provider)

A public Internet address which is seen by an Internet site can belong to the home router or to the provider's equipment. Do you see? An open port which is detected by an Internet site/scanner does not necessarily belong to the computer. It can be opened by a smartphone or 'clever' device. It can reside on the home router or even on the provider's equipment.

Part two
As @pavlos_kairis has pointed out, the netstat command is the tool. It belongs to the net-tools package and can be installed with sudo apt install net-tools. Sample output follows

:~$ sudo netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      521140/cupsd        
tcp6       0      0 ::1:631                 :::*                    LISTEN      521140/cupsd        
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           727/avahi-daemon: r 
udp        0      0 0.0.0.0:46686           0.0.0.0:*                           727/avahi-daemon: r 
udp        0      0 192.168.100.8:123       0.0.0.0:*                           914/ntpd            
udp        0      0 127.0.0.1:123           0.0.0.0:*                           914/ntpd            
... and so on

Now you can definitely see which program opens which port on your computer. Just one remark: not necessarily every open port is accessible from the Internet, i.e. forwarded to the computer by the home router.

By the way, lsof -i can be of interest too.

:~$ sudo lsof -i
COMMAND      PID  USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
avahi-dae    727 avahi   12u  IPv4   26069      0t0  UDP *:mdns 
avahi-dae    727 avahi   13u  IPv6   26070      0t0  UDP *:mdns 
avahi-dae    727 avahi   14u  IPv4   26071      0t0  UDP *:46686 

Hopefully, this helps.

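The netstat and lsof commands in the reply above need net-tools or lsof installed. The script below is an added example (it is not part of this thread and not any poster's code): it reads /proc/net/tcp, tcp6, udp and udp6 directly, which is the same kernel data ss and netstat print, decodes the kernel's little-endian hex address format, and resolves the owning process through /proc/<pid>/fd the way ss -p does. The sample /proc lines embedded in it are constructed to mirror the cupsd, avahi and browser sockets shown in this thread; the port argument, function names and the "loopback only" classification are this example's own choices. Run it as root to see sockets owned by other users' processes. If it reports no listener for a port that an external scanner calls "open", the SYN-ACK the scanner saw came from something in front of the host (router, access point or ISP equipment), not from this machine.

```python
#!/usr/bin/env python3
"""Which local process owns a port?  Reads /proc directly, so it works on a
host without net-tools (netstat) or lsof.  Added example, not from the thread."""
from __future__ import annotations

import os
import socket
import struct
import sys

# Socket state codes as printed (upper-case hex) in /proc/net/tcp*.  A merely
# bound UDP socket is reported with code 07, which ss shows as UNCONN.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample input (not captured from the poster's machine), mirroring
# the cupsd listener, a browser connection and the avahi mDNS socket from the thread.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 27709 1 0000000000000000 100 0 0 10 0
   1: 8E01A8C0:9A18 97CE9AB2:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1252086 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   2: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   117        0 26974 2 0000000000000000 0
"""


def decode_addr(hexaddr: str) -> tuple[str, int]:
    """'0100007F:0277' -> ('127.0.0.1', 631).  The kernel prints the address
    as little-endian 32-bit words: one word for IPv4, four for IPv6."""
    ip_hex, port_hex = hexaddr.split(":")
    words = [struct.pack("<I", int(ip_hex[i:i + 8], 16))
             for i in range(0, len(ip_hex), 8)]
    family = socket.AF_INET if len(words) == 1 else socket.AF_INET6
    return socket.inet_ntop(family, b"".join(words)), int(port_hex, 16)


def parse_proc_net(text: str, proto: str) -> list[dict]:
    """Parse the text of /proc/net/{tcp,tcp6,udp,udp6} into socket records."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].rstrip(":").isdigit():
            continue  # header line
        state = TCP_STATES.get(f[3], f[3])
        if proto.startswith("udp") and state == "CLOSE":
            state = "UNCONN"
        rows.append({"proto": proto, "local": decode_addr(f[1]),
                     "remote": decode_addr(f[2]), "state": state,
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def listeners(rows: list[dict], port: int) -> list[dict]:
    """Sockets that would answer a probe to `port`: TCP LISTEN or bound UDP."""
    return [r for r in rows
            if r["local"][1] == port and r["state"] in ("LISTEN", "UNCONN")]


def reachable_from_network(row: dict) -> bool:
    """False for loopback-only binds (127.x / ::1), which no scanner can reach."""
    ip = row["local"][0]
    return not (ip.startswith("127.") or ip == "::1")


def socket_owners() -> dict[int, tuple[int, str]]:
    """inode -> (pid, comm), by scanning /proc/*/fd like `ss -p` does.
    Needs root to look inside other users' processes."""
    owners: dict[int, tuple[int, str]] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                continue
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = (int(pid), comm)
    return owners


def live_sockets() -> list[dict]:
    """All sockets of the running host, from the four /proc/net tables."""
    rows = []
    for proto in ("tcp", "tcp6", "udp", "udp6"):
        try:
            with open(f"/proc/net/{proto}") as fh:
                rows += parse_proc_net(fh.read(), proto)
        except OSError:
            pass  # table absent, e.g. IPv6 disabled
    return rows


def main(argv: list[str]) -> int:
    port = int(argv[1]) if len(argv) > 1 else 8899
    hits = listeners(live_sockets(), port)
    if not hits:
        print(f"nothing on this host listens on port {port}; an external "
              "'open' verdict is coming from a device in front of it")
        return 1
    owners = socket_owners()
    for r in hits:
        pid, comm = owners.get(r["inode"], ("?", "?"))
        scope = "network" if reachable_from_network(r) else "loopback only"
        print(f"{r['proto']} {r['local'][0]}:{r['local'][1]} {r['state']} "
              f"pid={pid} comm={comm} ({scope})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: sudo python3 whoowns.py 8899. Exit status 1 means no local socket would answer on that port, which is exactly the situation in this thread: the ufw DROP rule on INPUT makes the host silent, so a scanner that still reports "open" received its SYN-ACK from another device sharing the public address.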

OK, I've tried sudo nmap -p- with localhost and also with my local IP and the IP address on the internet, and only one port was detected:

631/tcp open ipp

I've also tried sudo lsof -i -P -n which gave this output:

COMMAND     PID            USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
systemd-r   463 systemd-resolve   13u  IPv4   23108      0t0  UDP 127.0.0.53:53
systemd-r   463 systemd-resolve   14u  IPv4   23109      0t0  TCP 127.0.0.53:53 (LISTEN)
avahi-dae   866           avahi   12u  IPv4   26974      0t0  UDP *:5353
avahi-dae   866           avahi   13u  IPv6   26975      0t0  UDP *:5353
avahi-dae   866           avahi   14u  IPv4   26976      0t0  UDP *:36117
avahi-dae   866           avahi   15u  IPv6   26977      0t0  UDP *:57530
NetworkMa   869            root   25u  IPv4  279105      0t0  UDP 192.168.1.142:68->192.168.1.20:67
cupsd       973            root    7u  IPv6   27708      0t0  TCP [::1]:631 (LISTEN)
cupsd       973            root    8u  IPv4   27709      0t0  TCP 127.0.0.1:631 (LISTEN)
brave      6289           user1   34u  IPv4 1252086      0t0  TCP 192.168.1.142:39448->178.154.206.151:443 (ESTABLISHED)
brave      6289           user1   47u  IPv4 1252797      0t0  TCP 192.168.1.142:34916->172.64.155.29:443 (ESTABLISHED)
brave      6289           user1   57u  IPv4 1244256      0t0  TCP 192.168.1.142:52342->104.26.6.214:443 (ESTABLISHED)
brave      6289           user1   80u  IPv4  986578      0t0  TCP x.x.x.x:56206->172.64.152.233:443 (ESTABLISHED)
brave      6289           user1  109u  IPv4  539892      0t0  TCP x.x.x.x:41310->104.18.35.23:443 (ESTABLISHED)

The sudo ss -tulw command gave this result:

Netid State  Recv-Q Send-Q       Local Address:Port   Peer Address:Port Process
???   UNCONN 0      0        0.0.0.0:ipproto-255             0.0.0.0:*
udp   UNCONN 0      0               0.0.0.0:mdns             0.0.0.0:*
udp   UNCONN 0      0              0.0.0.0:36117             0.0.0.0:*
udp   UNCONN 0      0        127.0.0.53%lo:domain            0.0.0.0:*
udp   UNCONN 0      0                  [::]:mdns                [::]:*
udp   UNCONN 0      0                 [::]:57530                [::]:*
tcp   LISTEN 0      128           127.0.0.1:ipp              0.0.0.0:*
tcp   LISTEN 0      4096     127.0.0.53%lo:domain            0.0.0.0:*
tcp   LISTEN 0      128               [::1]:ipp                 [::]:*

Thank you for the reply. I am not using a router. For now I have just a wifi access point. But I'll add a router also. And I'll install net-tools and try netstat as well.

port 631 is cups admin for printers.

so you scan the full range and 8899 does not show up?
who tells you this port is open?

I'd like to know what you're trying to do since this port can be used for malicious attacks. I will not help if this is the case.


No, port 8899 doesn't show in my command-line scan results.
But that port is shown as 'open' on all the websites which I've linked in the first post.

I tried GRC (Gibson Research Corp) Shields up!! on my IP and it shows all ports are green (stealth). I do not have any ports open to WAN.


Please provide a snapshot of the screen segment showing port 8899 as open. We might be able to decipher more from that.

Or it could be a false alarm hoping that the victim will open that port.

Please be very careful with services open to the Internet.

If you get rooted, disconnect and re-image laptop asap.


if your laptop is directly connected to the Internet (not a good idea; you should be behind a router or firewall), disable ufw so that nobody from the outside can come in.

You seem to be avoiding my question ... what are you trying to do?


portcheckers dot com and ipfingerprints dot com (SYN stealth advanced scan) are showing that the port is open.

In gufw the profile is set to 'public' with incoming set to 'deny' and outgoing set to 'allow'.

Would updating "/etc/security/access.conf" to show

#############################################################################
#
###	Permit root login from local			### Look at /etc/hosts for host IP aliases
+:root:LOCAL localhost yourhostname
#
###     Permit designated users to access from local
+:yourusername:LOCAL localhost yourhostname
#
###     Permit all local services/users to access from local
#+:ALL:LOCAL localhost yourhostname
+:ALL:LOCAL ALL
#
###	Deny access to all from any remote
-:ALL:ALL

help to block that kind of access ?

Or would adding these to "/etc/ssh/ssh_config" cover it?

########################################################################
###
###     Custom settings for yourhostname
###
########################################################################

###     Group 1 - Restrictive
    PermitRootLogin no
    ForwardAgent no
    ForwardX11 no
    ForwardX11Trusted no
    DenyUsers root
    DenyGroups root

###     Group 2 - Permissive
    AllowUsers nonexistent
    AllowGroups nonexistent

###     Deploy any modifications using:  systemctl restart sshd

Hm... it seems that nothing is 'uncommented' here:

/etc/security/access.conf:

# Login access control table.
#
# Comment line must start with "#", no space at front.
# Order of lines is important.
#
# When someone logs in, the table is scanned for the first entry that
# matches the (user, host) combination, or, in case of non-networked
# logins, the first entry that matches the (user, tty) combination. The
# permissions field of that table entry determines whether the login will
# be accepted or refused.
#
# Format of the login access control table is three fields separated by a
# ":" character:
#
# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
# module, you can change the field separation character to be
# '|'. This is useful for configurations where you are trying to use
# pam_access with X applications that provide PAM_TTY values that are
# the display variable like "host:0".]
#
# permission:users:origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
#
# The second field should be a list of one or more login names, group
# names, or ALL (always matches). A pattern of the form user@host is
# matched when the login name matches the "user" part, and when the
# "host" part matches the local machine name.
#
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches), NONE (matches no tty on non-networked logins) or
# LOCAL (matches any string that does not contain a "." character).
#
# You can use @netgroupname in host or user patterns; this even works
# for @usergroup@@hostgroup patterns.
#
# The EXCEPT operator makes it possible to write very compact rules.
#
# The group file is searched only when a name does not match that of the
# logged-in user. Both the user's primary group is matched, as well as
# groups in which users are explicitly listed.
# To avoid problems with accounts, which have the same name as a group,
# you can use brackets around group names '(group)' to differentiate.
# In this case, you should also set the "nodefgroup" option.
#
# TTY NAMES: Must be in the form returned by ttyname(3) less the initial
# "/dev" (e.g. tty1 or vc/1)
#
##############################################################################
#
# Disallow non-root logins on tty1
#
#-:ALL EXCEPT root:tty1
#
# Disallow console logins to all but a few accounts.
#
#-:ALL EXCEPT wheel shutdown sync:LOCAL
#
# Same, but make sure that really the group wheel and not the user
# wheel is used (use nodefgroup argument, too):
#
#-:ALL EXCEPT (wheel) shutdown sync:LOCAL
#
# Disallow non-local logins to privileged accounts (group wheel).
#
#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
#
# Some accounts are not allowed to login from anywhere:
#
#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
#
# All other accounts are allowed to login from anywhere.
#
##############################################################################
# All lines from here up to the end are building a more complex example.
##############################################################################
#
# User "root" should be allowed to get access via cron .. tty5 tty6.
#+:root:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
#
# User "root" should be allowed to get access from hosts with ip addresses.
#+:root:192.168.200.1 192.168.200.4 192.168.200.9
#+:root:127.0.0.1
#
# User "root" should get access from network 192.168.201.
# This term will be evaluated by string matching.
# comment: It might be better to use network/netmask instead.
# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
#+:root:192.168.201.
#
# User "root" should be able to have access from domain.
# Uses string matching also.
#+:root:.foo.bar.org
#
# User "root" should be denied to get access from all other sources.
#-:root:ALL
#
# User "foo" and members of netgroup "nis_group" should be
# allowed to get access from all sources.
# This will only work if netgroup service is available.
#+:@nis_group foo:ALL
#
# User "john" should get access from ipv4 net/mask
#+:john:127.0.0.0/24
#
# User "john" should get access from ipv4 as ipv6 net/mask
#+:john:::ffff:127.0.0.0/127
#
# User "john" should get access from ipv6 host address
#+:john:2001:4ca0:0:101::1
#
# User "john" should get access from ipv6 host address (same as above)
#+:john:2001:4ca0:0:101:0:0:0:1
#
# User "john" should get access from ipv6 net/mask
#+:john:2001:4ca0:0:101::/64
#
# All other users should be denied to get access from all sources.
#-:ALL:ALL

/etc/ssh/ssh_config:

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Include /etc/ssh/ssh_config.d/*.conf

Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,[email protected]
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k

    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes