UFW Firewall rules generated in ispconfig don't seem to apply

Discussion in 'Installation/Configuration' started by davine, Jan 31, 2020.

  1. davine

    davine New Member

    I'm very new to firewall and am sure I'm just doing it wrong. My problem is that I want a specific port closed but removing it from the list of open ports in ispconfig doesn't close it. Maybe that's not the way to do it, if so, please tell me.

    Basically I have a mysql database set up on a different port than 3306 and I don't want it public, however even if the port is not listed as open in the rules on ispconfig, it's still accessible from outside the local network. If possible I'd like to open that specific port only to a specific ipadress if possible. Can I create specific rules at all or is it just "open" or nothing?

    Sorry if this is a newb question and if it's already been answered before, I tried my best to find answers in the forum.
     
  2. Th0m

    Th0m Active Member HowtoForge Supporter

    davine likes this.
  3. Steini86

    Steini86 Active Member

    You do that by editing your mysql user.
    See documentation: https://dev.mysql.com/doc/refman/5.5/en/grant.html
    Code:
    grant all on db.* to 'user'@'hostname' identified by 'password';
    Grants access from hostname (can also be ip address).
    To see current users do:
    Code:
    SELECT User, Host from mysql.user;
    For more information see also:
    https://serversforhackers.com/c/mysql-network-security

    In ispc have a look at -> Websites -> Databases -> Choose Database -> Remote Access IPs
    (See also Page 163 in ispc Manual)
     
    davine and ahrasis like this.
  4. davine

    davine New Member

    Thanks for the advice! This works, but I was kind of hoping that ispconfig could do these things for me. Why do the settings I make in ispconfig firewall not work? Shouldn't they be working? The reason I want a control panel is to avoid too much command line stuff since commands never stick to my memory unfortunately..
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The UFW firewall in ISPConfig works fine on my systems. ISPConfig is doing the same thing that you did manually now, it runs the ufw command and opens/closes ports. You can use ispconfig debug mode if you want to see in detail what's going on.
     
  6. Th0m

    Th0m Active Member HowtoForge Supporter

    Perhaps it's not configured because it wasn't installed/enabled when you installed ISPC. However, I prefer using the command line. You can't run a server with only ISPC. It's a great panel, but it can't handle everything.
     
  7. davine

    davine New Member

    Ah, great, I thought these settings were supposed to be made in the firewall, but changing the user settings worked fine, thanks! On the other hand, this means my port still is open to the public right? Except only my chosen user and IP is allowed to connect to the database. Is leaving the port open without a firewall rule safe enough?
     
  8. davine

    davine New Member

    So, I just did this now and can clearly see that "fields updated" etc so it looks like it works. However, if I remove a port from open ports in ispconfig, it still stays open until I manually close it in command line.. so I guess something is wrong then?
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, this indicates that something is wrong. You can use debug mode to get detailed info on the shell to see which commands are run by ispconfig when you change firewall ports: https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/
     
  10. Jesse Norell

    Jesse Norell Well-Known Member

    As @till said, debugging mode will show you what it's doing; that is, of course if you have the firewall plugin enabled in the first place, which you might check (/usr/local/ispconfig/server/plugins-enabled/firewall_plugin.inc.php should be a symlink to the corresponding plugins-available file).

    You can only do this via the command line. Ports you configure in the ISPConfig gui are open or closed for all clients. Fortunately with how ISPConfig runs ufw commands, you can add such a rule from cli yourself and it will not be overwritten by the gui rule management (ie. you can use both together).
    Code:
    ufw allow proto tcp from xx.xx.xx.xx to any port 3306 comment 'mysql allowed only from my ip'
    

    That's exactly right, and as you are concerned, it is not nearly as secure as blocking public access to mysql in the firewall. I don't allow public access to any mysql server; I would recommend the same for you if you can get away with it (I know some places do allow (or maybe "require" by policy) public access). Mysql has had remote vulnerabilities in the past. As with all software, it likely will in the future, too. Or maybe the vulnerability isn't even in mysql, but a library it uses; like, say the libidn2 vulnerability that was announced Friday.

    Do note: I am not claiming and I don't know if mysql is a vector for exploiting that vulnerability in libidn2 or not, but mysql is linked to that library, and of course name lookup/handling of client hostnames is exactly the type of overlap where allowing public access could make your mysql remotely exploitable, even if users are prohibited logging in via mysql.user restrictions; I'd say it's legitimate cause for concern, and for further investigation and/or immediate patching. Or ... firewalling? :)
     
  11. davine

    davine New Member

    [QUOTE="till, post: 398877[/QUOTE]
    Thanks Till, I managed to get it working, I honestly don't know what was wrong or what fixed it but after running a few commands through command line, the settings in the gui also started working. Either I'm wrong, which might be the case since I'm new to this, or something magic happened...

    [QUOTE="Jesse Norell, post: 398905[/QUOTE]
    Thanks for this, I'm using your suggested method now =)
     

Share This Page