Jetico and FreeSSHd

Discussion in 'other firewalls' started by JeromeC, Jun 26, 2006.

Thread Status:
Not open for further replies.
  1. JeromeC

    JeromeC Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    26
    Location:
    Paris, France
    Hi,

    I had freesshd running fine with Jetico. Then I realised today that I couldn't connect to my SSH anymore from the office : once home I can see (trying from another outside machine) that it's now blocked after the "Application trusted zone" (I defined freesshd in ATZ) by the "block all not processed ip packet"...

    So somehow the rule for freesshd is not "seen" ?

    I deleted it (actually there were 2 for the same program) from the Ask user list, then I tried again, I had the question ==> I set trusted zone again, same result, freesshd never sees the incoming connection attempt (nothing in the log) and I can see the source IP blocked in the jetico log.

    What can I do ?

    thanks
     
  2. JeromeC

    JeromeC Registered Member

    Mmmm good people, just to inform that after a cold night off, and thinking about it twice, Jetico decided to let it flow again, and here I am, connected via my SSH + proxy and posting to you good people from my office...
     
    Last edited: Jun 28, 2006
  3. JeromeC

    JeromeC Registered Member

    Well, actually NO. I'm dull, it's directly related to one of my other questions in this forum (jetico can't be run as a service) : I can only access ssh now when my home PC is on the login page, ie without Jetico running...

    So there is something with that bloody rule set that I'm not smart enough to find and that starts to make me think about changing, again.... where is that easy to use and effective firewall o_O not requiring to have university-level knowledge of TCP/IP !!
     
  4. JeromeC

    JeromeC Registered Member

    And now I really don't understand, after running another check on grc shields up, I'm completely stealth ! not even my 443 SSH port that was of course open, and the 138 that was visible too (which concerned me as I asked here).

    So there's something wrong with it... only without Jetico can I connect to my machine from outside.

    Though nobody seems to be much interested by my little problems here, my questions remain unanswered :'(

    (did I do something wrong against the community here ??)
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have not used the combination of software you have, and therefore do not know what problems you may encounter. You should first remove this software from the trusted zone and create a ruleset for this, allowing only the inbound connections (local ports) that are needed.
    You mention port 138 but in your other post this was port 139,.. ports 137-139 are used for netbios (file sharing), port 139 being used for TCP connections, if this service is active it will open port 139 (are you file sharing using netbios over the internet? if not you should disable this!)
     
  6. JeromeC

    JeromeC Registered Member

    Hello,

    first thanks a lot for the answer !

    1. about FreeSSHd, it's a free SSH server for Windows that I've been using happily for several months now (XP Pro SP2). I used it because simple to install and easy to configure ! (and free...) When I started to use Jetico, I was able to simply add it to the Trusted Application zone, considering I don't know enough about TCP/IP and Internet to create a specific application rule set for it (actually for any app !), and also I assumed that being a SSH server it needed inbound and outbound connection? I just considered it was trustable enough to configure it like that. It was working fine. I recently upgraded my freeSSH version, Jetico asked me again (I assume by detecting a new version of the prog) and I said the same : trusted zone. But then I couldn't access it anymore, as I explained. I found that the initial setting for the first version was still in Jetico app list, so what I did was to delete both the old and the new reference, wait for Jetico to ask again and put freesshd in the trusted zone again, but still I can't go through jetico from outside...

    2. about port 139 (sorry for the typo), I had completely deactivated netbios from my network connection parameters, + file / printer sharing + anything else only letting TCP/IP active. But it was still visible via GRC port probe.

    3. As explained, now it seems that Jetico blocks anything and I'm completely stealth on shields up, not even port 443 that I expect to be open, neither 139 which I couldn't do anything to solve, nor 113 that was reported "closed" as mentioned in my other post too...

    So this is a big mystery to my limited FW knowledge, and of course I won't try to put jetico as a service since I wouldn't be able to write to you at all now : I'm at the office via my home old PC, having it turned on on the login page only...

    I don't want to run away and let it down and try "just another firewall", I've read too many good things about Jetico (and I really liked it when I started to use it) not to give it a chance, and as you can see I'm ready to put some effort to it too !!

    Thanks again for your very much appreciated help :)
     
  7. Stem

    Stem Firewall Expert

    Hi JeromeC,
    I did have a look at the website for FreeSSHd, and some sites with instructions on its use, but most was concerning the installation/setup within linux. (this was before I posted my first reply to you).

    I will install later, and see if I can set this up on my internal Lan. I will post if I have any questions concerning this. Hopefully, together, we can sort this problem out.
    If I do get this working correctly, I will post the ruleset, with explanation.

    Are you running this on XP?
     
  8. JeromeC

    JeromeC Registered Member

    Yes I have XP Pro SP2, on a 5 years old Toshiba laptop.

    Actually I use Freesshd mainly because I could not manage to install cygwin and openssh on my XP, so I looked for a simple to install / easy to use one. And it worked fine for several months.

    I very recently found Copssh that seems to be a much nicer install of cygwin and open ssh, with auto-configuration and all what a half wit needs : I installed it and guess what, I can't communicate with it from outside either...

    Why are you asking for XP or unix : there is a unix version of Jetico ?

    Thanks for your time, at your disposal for any more info.
     
  9. Stem

    Stem Firewall Expert

    Hi JeromeC,
    Please re-read my post, I mentioned most of the info I found was concerning Linux.
    It would be nice, but No.


    I just needed confirmation on what OS you had installed.
     
  10. JeromeC

    JeromeC Registered Member

    Ah ok sure, I just thought that because I initially talked about my problem of Jetico blocking freesshd, and then you asking about unix or XP for my freesshd install, it would imply that there is a unix version of jetico :p

    Am I teasing ?? ;)
     
  11. Stem

    Stem Firewall Expert

    JeromeC,
    I have installed Freesshd, have allowed default installation,.. How are you logging into this remotely (command line? / software?)
     
  12. JeromeC

    JeromeC Registered Member

    with putty !

    The SSH server listens on port 443 (my config) and I use putty from outside to connect to my domain name (via dyndns), forwarding a few other ports in the putty session to use the proxy and VNC servers installed on my machine too.

    You have to create a user in freesshd interface, and you can then connect from putty via classic user/pwd, or also use private / public key pair, which is what I actually do.

    :ninja:
     
  13. Stem

    Stem Firewall Expert

    On default freesshd settings, Jetico is not blocking the inbound connection. (Both Jetico and freeSSHd logs showing the inbound connection).

    From your earlier post, you mention that you had this setup o.k., and then suddenly stopped working. When you checked the logs, were there any signs of an attack? Have you made a full scan of your system for any bots/viruses etc.? (just to be on the safe side)

    Have you made a complete un-install / re-install of Jetico? (and "revert to factory settings")
     
  14. JeromeC

    JeromeC Registered Member

    Actually I think the fact that changed was installing last version on freesshd, like I explained. But I'm not 100% sure...

    Errrrr... reinstall and revert to factory setting ?? So I'd lose all rules patiently gathered for all my apps ?

    Well, I guess I don't have much choice... :-(

    Any suggestion to restart with a more effective approach ? like using some rule sets found in this forum ? especially to deal with all system apps I don't know how to (svchost, system, etc etc) without having to guess ? Or I'll have to re-enable all progs one by one ? it has already taken me ages...

    Anyway I don't know if I can do this this week-end... busy week-ends...

    + other questions :

    - I have several XP accounts, and since jetico is "user based" I have to copy setting from one account to another ? (via saving and importing ?)

    - if I try (supposing I solve my problem) the soft to make it a service (re another post), from what XP user will it take the rule set ?

    I'm gonna let the antivir running in the night, that'll be a first step... (but I don't think I'm infected)
     
  15. Stem

    Stem Firewall Expert

    I was using the latest version, so only if you did not remove the old freeSSHd version before installing the new can I see this causing problems.

    You can save your old config files (place somewhere safe). If reverting to factory settings does not help, you can reload, if reverting does help, you can reload your old settings/rules and copy/move the rules over to your new config.


    I would need to know your OS config (services running etc), but I would be willing to help you setup a correct config/ruleset for your setup.

    Each user setting/rules are saved ~/documents and settings /user_name /application data / Jetico personal firewall / 1.0,... these configs/rules can simply be copied to/from each user

    I have never set this up, so cannot comment.
     
  16. JeromeC

    JeromeC Registered Member

    I returned to factory setting, which helped me understand better a few things now, like how to create rule for svchost.exe and service.exe to reject any incoming request. It works fine, I have much less rules in my "ask user" table than I used to.

    I started testing first copssh, which is just an install of sshd server (openssh and cygwin) which I'd prefer to use instead of freesshd, but is doing exactly the same thing for the same purpose (but more powerful). It is for the moment configured to listen on port 22 and not 443 (but I would change this in a future), since I just try to have communication enabled first.

    When I ran it, jetico asked for action, so I set it as "trusted zone" again, but it's blocking the traffic too. My first attempt to connect with a ssh client to my sshd server from outside (86.209.xxx.xxx is another ssh server of a friend from which I can connect with putty) shows :

    01/07/2006 14:54:57.549 reject Block All not Processed IP Packets 64 TCP outgoing packet 82.238.xxx.xxx 86.209.xxx.xxx 22 47535 TTL: 128; TOS: 0; ID: 8AA9; TCP flags: SYN ACK ; TCP Seq: 8EA820E0

    So the problem remains, of exact same nature, even if not with freesshd but sshd. I attached here a txt with my ask table and application view from jetico, maybe that helps.

    Thx
     


  17. Stem

    Stem Firewall Expert

    Hi JeromeC,
    Ahh,... I see you have a proxy installed. This could/may pass the IP tables, which can lead to problems (I did not have a proxy installed on my test (I did not know!))

    I don't have much access to my spare PCs until Monday to check this

    You could try to disable the proxy, if you have the time to test?
     
  18. JeromeC

    JeromeC Registered Member

    The proxy is the main goal of me needing to connect with SSH : I need to be able to surf the web from my office PC via my home PC (with secured connection on SSH), since the office FW just block so many things (all webmails, etc). I've been doing this happily for a long time now.

    But to do the test as you suggest I closed it and tested again, but no change, all rejected by jetico in the log (see attached). I put sshd in debug mode log, but those rejected are outgoing packets ? I dunno what it means...
     

    Attached Files:

    • log.txt
  19. Stem

    Stem Firewall Expert

    Hi JeromeC,
    Looking at your last log,.. this is allowing the inbound connection, but unable to correctly filter the outbound.
    Open Jetico,... Go to: root/ system IP table/ system internet zone/ and untick "Stateful TCP inspection"
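
Stem's reading of the log, as an added example that is not part of the original thread: a rejected outgoing SYN ACK sent from the server port means the inbound SYN was accepted and only the reply is being dropped. The field layout is an assumption inferred from the single log line quoted earlier in the thread, and the second sample line is constructed.

```python
import re

# Log line quoted in the thread (addresses masked by the poster).
THREAD_LINE = (
    "01/07/2006 14:54:57.549 reject Block All not Processed IP Packets 64 TCP "
    "outgoing packet 82.238.xxx.xxx 86.209.xxx.xxx 22 47535 "
    "TTL: 128; TOS: 0; ID: 8AA9; TCP flags: SYN ACK ; TCP Seq: 8EA820E0"
)
# Constructed line (documentation addresses): an inbound SYN that is rejected.
CONSTRUCTED_LINE = (
    "01/07/2006 14:55:10.000 reject Block All not Processed IP Packets 48 TCP "
    "incoming packet 198.51.100.7 192.0.2.10 47536 443 "
    "TTL: 52; TOS: 0; ID: 1A2B; TCP flags: SYN ; TCP Seq: 00000001"
)

# Assumed layout: date time verdict rule size proto direction "packet"
# src dst sport dport details. Inferred from one line, not from Jetico docs.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<verdict>\w+) (?P<rule>.+?) (?P<size>\d+) "
    r"(?P<proto>TCP|UDP) (?P<direction>incoming|outgoing) packet "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+) (?P<details>.*)$"
)
FLAGS_RE = re.compile(r"TCP flags: ([A-Z ]+?)\s*;")


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
    f = FLAGS_RE.search(entry["details"])
    entry["flags"] = frozenset(f.group(1).split()) if f else frozenset()
    return entry


def diagnose(entry):
    """Map a rejected TCP packet to the handshake step that is failing."""
    if entry is None or entry["verdict"] != "reject" or entry["proto"] != "TCP":
        return "not-a-tcp-reject"
    if entry["direction"] == "outgoing" and entry["flags"] == {"SYN", "ACK"}:
        # The listener answered, so the inbound SYN got through; the reply
        # fell through to the catch-all rule instead of a matching allow rule.
        return "reply-dropped"
    if entry["direction"] == "incoming" and entry["flags"] == {"SYN"}:
        # The connection attempt never reached the server process.
        return "syn-dropped"
    return "other-reject"


if __name__ == "__main__":
    for line in (THREAD_LINE, CONSTRUCTED_LINE):
        e = parse_line(line)
        print(e["direction"], e["sport"], "->", e["dport"], diagnose(e), "|", e["rule"])
```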
     
  20. JeromeC

    JeromeC Registered Member

    Booo, things are getting worse and worse... I can't even test what you say because now I can't even connect outside with putty... which is the only way I have to test the ssh server when I'm home... from the office, the only way I have to connect here at the moment is with no Jetico...

    All this is taking you and me way too much time and effort, it's way above what a user should invest in a security product, and I really don't have enough time (and capacity ?) to become a TCP/IP expert.

    I'm reverting back to kerio that I was using (and paying) before.

    Thanks so much for all your time.
     
  21. Stem

    Stem Firewall Expert

    Unfortunately, as I could not reproduce this problem, and I don't have access to your PC, it is quite difficult to try and trace a problem like you had with Jetico (that really, should not have been happening).

    Hope everything runs smooth for you with kerio.
     
  22. JeromeC

    JeromeC Registered Member

    Yes I have all running nice again : SSH (copssh) can be accessed, the proxy works, etc. I appear to be reasonably stealth on shields up (ie only open ports are visible).

    Better have "not that top notch but working security firewall" than "what a fantastic light and free firewall that won't let me use it"...

    Jetico is definitively a great firewall, but not intended for regular surfers like me :)

    Thanks again for all your help, this forum is lucky to have guys like you !

    :D
     
  23. Stem

    Stem Firewall Expert

    Hi JeromeC,
    I found more time to look at your problem. (Thought I would post,.. just to give you the info)
    I can see from the setup/config of CCproxy, that this is based on ICS (Internet Connection Sharing), and using the ICS IP (192.168.0.1) as proxy.
    This will not work correctly with Jetico due to the binding of applications/IP to the SPI. The workaround to this, is to disable the UDP/TCP SPI, and to place the ICS IP into the trusted Zone (In Jetico Config Wizard).
    I have not fully tested this (for the inbound connections) as I would have to re-enable services/setup for ICS, and I only installed CCproxy onto my Internet PC. I will try to find time to set up internally.

    [INFO: CCproxy was connecting out to IPs (internic.net (whois) / yahoo.com/ icq.com). by default.]
     
  24. JeromeC

    JeromeC Registered Member

    Hi Stem,

    1. CCProxy was not the main issue, since it is first necessary to establish a SSH connection (against freesshd, or copssh's open SSH, or any other SSH server) from the outside world to the "firewalled" machine, before trying to connect to the proxy server. The SSH connection (ie putty) tunnels the proxy port on the external machine to its port.

    2. all was working fine for some time (SSH server and proxy server), with Jetico protecting the target machine, before Jetico started to block everything. As said in an earlier post, I could see the ports expected to be open (443) with shields up (which was ok), plus another few ones open when I didn't expect that (which was not ok, but not a big deal either)

    3. Jetico started to block everything, it was really everything, all ports were stealth with shields up, none of the previously open (443 + the few others) remained.

    So whatever it was, it was tricky...
     
  25. Stem

    Stem Firewall Expert

    Hello JeromeC,
    Just a question,.. was freesshd using the proxy? (sorry for continuing with this,..BUT,..it is an "itch I need to scratch",.. (hope you understand)

    Regards,
     