• allow non root user access to ufw

    From Zylone@21:3/150 to All on Fri Aug 27 11:57:37 2021
    Hello all, I wanted to share something with everyone.

    I am running Mystic on Linux, and did not want to run it under root for obvious reasons. So, with that said.. this means the IP blocked event will not run properly because the user mystic is running under does not have permission to run ufw.

    Let's assume the user account Mystic is running under is 'bbs'. Now, we could just add user bbs to the /etc/sudoers file, but now we are practically in the same boat as running Mystic as root!

    We only want the bbs user account to have access to ufw to add blocking rules! No other superuser access!

    Here is what I did.. (on Ubuntu 20.04) I added a file in /etc/sudoers.d/ and within that file I put the following:

    bbs ALL=(root) NOPASSWD:/usr/sbin/ufw

    This states give user bbs sudo access to ONLY ufw and run it as user root, and do not prompt for a password when executing sudo ufw. Try it, you can sudo ufw, but not any other command!

    Close and save said file, and then update file permissions:

    chmod 0440 <filename>

    This gives ONLY root read access to this file. (This is a stated requirement in the README file in the same directory).

    Now, go to your IP Blocked event in mystic -cfg, and prefix the Shell command with sudo. The shell command should now look like the following:

    sudo ufw deny from @IP@


    That's it! :)

    Zylone

    --- Mystic BBS v1.12 A47 2021/08/19 (Linux/64)
    * Origin: pLANET cARAVAN BBS (21:3/150)
  • From Zip@21:1/202 to Zylone on Fri Aug 27 19:07:42 2021
    Hello Zylone!

    On 27 Aug 2021, Zylone said the following...
    This states give user bbs sudo access to ONLY ufw and run it as user
    root, and do not prompt for a password when executing sudo ufw. Try it, you can sudo ufw, but not any other command!

    Thanks! Very nice write-up!

    I'm not using the firewall blocking functionality at present, but it could come in handy if I get enough hacking attempts and want to stop them as early as possible. =)

    Best regards
    Zip

    --- Mystic BBS v1.12 A47 2021/08/22 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)
  • From Zylone@21:3/150 to all on Sat Aug 28 13:52:34 2021
    Now, go to your IP Blocked event in mystic -cfg, and prefix the Shell command with sudo. The shell command should now look like the following:

    sudo ufw deny from @IP@

    Just to give a little more context around this.. Here is a snippet from my mis log just now.. normally the BBS is still processing each connection request and blocking it once an IP is on the blacklist.

    Using the IP block will allow the firewall of the server to block it, so Mystic never sees it. Also, just wanted to show proof of my previous configuration actually working ;)

    + 2021.08.28 13:47:57 TELNET 1-Closing terminal process (5)
    + 2021.08.28 13:47:57 TELNET > Connect on slot 1/255 (188.148.147.88)
    + 2021.08.28 13:47:57 TELNET 1-HostName c188-148-147-88.bredband.tele2.se
    + 2021.08.28 13:47:57 TELNET 1-Auto banning IP 188.148.147.88
    + 2021.08.28 13:47:57 TELNET 1-Blocked connection
    + 2021.08.28 13:47:57 TELNET > Connect on slot 1/255 (188.148.147.88)
    + 2021.08.28 13:47:57 TELNET 1-HostName c188-148-147-88.bredband.tele2.se
    + 2021.08.28 13:47:57 TELNET 1-Blocked connection
    + 2021.08.28 13:47:58 TELNET > Connect on slot 1/255 (188.148.147.88)
    + 2021.08.28 13:47:58 TELNET 1-HostName c188-148-147-88.bredband.tele2.se
    + 2021.08.28 13:47:58 TELNET 1-Blocked connection
    + 2021.08.28 13:47:58 TELNET > Connect on slot 1/255 (188.148.147.88)
    + 2021.08.28 13:47:58 TELNET 1-HostName c188-148-147-88.bredband.tele2.se
    + 2021.08.28 13:47:58 TELNET 1-Blocked connection
    + 2021.08.28 13:47:58 TELNET > Connect on slot 1/255 (188.148.147.88)
    + 2021.08.28 13:47:58 TELNET 1-HostName c188-148-147-88.bredband.tele2.se
    + 2021.08.28 13:47:58 TELNET 1-Blocked connection
    + 2021.08.28 13:47:59 TELNET > Connect on slot 1/255 (188.148.147.88)
    + 2021.08.28 13:47:59 TELNET 1-HostName c188-148-147-88.bredband.tele2.se
    + 2021.08.28 13:47:59 TELNET 1-Blocked connection
    + 2021.08.28 13:47:59 TELNET > Connect on slot 1/255 (188.148.147.88)
    + 2021.08.28 13:47:59 TELNET 1-HostName c188-148-147-88.bredband.tele2.se
    + 2021.08.28 13:47:59 TELNET 1-Blocked connection
    + 2021.08.28 13:47:59 TELNET > Connect on slot 1/255 (188.148.147.88)
    + 2021.08.28 13:47:59 TELNET 1-HostName c188-148-147-88.bredband.tele2.se
    + 2021.08.28 13:47:59 TELNET 1-Blocked connection
    + 2021.08.28 13:48:00 TELNET > Connect on slot 1/255 (188.148.147.88)
    + 2021.08.28 13:48:00 TELNET 1-HostName c188-148-147-88.bredband.tele2.se
    + 2021.08.28 13:48:00 TELNET 1-Blocked connection
    + 2021.08.28 13:48:00 TELNET > Connect on slot 1/255 (188.148.147.88)
    + 2021.08.28 13:48:00 TELNET 1-HostName c188-148-147-88.bredband.tele2.se
    + 2021.08.28 13:48:00 TELNET 1-Blocked connection
    + 2021.08.28 13:48:00 TELNET > Connect on slot 1/255 (188.148.147.88)
    + 2021.08.28 13:48:00 TELNET 1-HostName c188-148-147-88.bredband.tele2.se
    + 2021.08.28 13:48:00 TELNET 1-Blocked connection
    + 2021.08.28 13:48:01 TELNET > Connect on slot 1/255 (188.148.147.88)
    + 2021.08.28 13:48:01 TELNET 1-HostName c188-148-147-88.bredband.tele2.se
    + 2021.08.28 13:48:01 TELNET 1-Blocked connection
    + 2021.08.28 13:48:04 EVENT Running event: Firewall Ban Linux
    + 2021.08.28 13:48:04 EVENT Cmd: sudo /usr/sbin/ufw deny from 188.148.147.88
    + 2021.08.28 13:48:04 EVENT Res: 0

    Zylone

    --- Mystic BBS v1.12 A47 2021/08/19 (Linux/64)
    * Origin: bbs.planetcaravan.org:23 ssh:1337 (21:3/150)
  • From Zylone@21:3/150 to Zylone on Sun Aug 29 03:29:28 2021
    1-Blocked connection
    + 2021.08.28 13:48:01 TELNET > Connect on slot 1/255 (188.148.147.88)
    + 2021.08.28 13:48:01 TELNET 1-HostName c188-148-147-88.bredband.tele2.se
    + 2021.08.28 13:48:01 TELNET 1-Blocked connection
    + 2021.08.28 13:48:04 EVENT Running event: Firewall Ban Linux
    + 2021.08.28 13:48:04 EVENT Cmd: sudo /usr/sbin/ufw deny from 188.148.147.88
    + 2021.08.28 13:48:04 EVENT Res: 0

    UPDATE.. So I thought I was being slick and everything was good to go. NO. I am used to using pf on OpenBSD, which matches firewall rules by the last matching rule. ufw applies by first match and moves on.

    SO.. what was happening was, I had default deny all inbound, and then allow the ports the BBS uses. Mystic was in fact adding deny rules, AFTER the allow rules obviously. So.. when a bot would hit me again, it would hit the allow rule and move on.

    This is really janky.. but, until I learn a more dynamic way of doing this.. this is working.. I have updated the event to the following:

    sudo ufw delete allow 22223 && sudo ufw deny from @IP@ && sudo ufw allow 22223

    What this is doing is deleting the rule to allow traffic to port 22223 (my telnet port that my main router forwards to) and then it adds a rule to deny the offending IP, and finally it adds the allow 22223 rule back in place. This ensures that the allow rule is always LAST, after the DENY rules!

    Zylone

    --- Mystic BBS v1.12 A47 2021/08/19 (Linux/64)
    * Origin: bbs.planetcaravan.org:23 ssh:1337 (21:3/150)
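A tighter variant of the setup from the first post and the rule-ordering fix from the last one, as an added example that is not part of the original thread: instead of granting sudo on the whole ufw binary (which also lets the bbs account run `sudo ufw disable` or add allow rules), the sudoers entry grants only a small wrapper script (hypothetical path /usr/local/sbin/ufw-ban) that checks the substituted @IP@ is a plain IPv4 address and uses `ufw insert 1` so the deny rule is placed ahead of the allow rules, replacing the delete/deny/re-add sequence. The install path, sudoers line and event command are assumptions.

```sh
#!/bin/sh
# ufw-ban: hypothetical wrapper (added example, not Mystic's or ufw's code).
# Assumed install path: /usr/local/sbin/ufw-ban, root-owned, mode 0755.
# Assumed /etc/sudoers.d entry (mode 0440), granting bbs ONLY this script:
#     bbs ALL=(root) NOPASSWD: /usr/local/sbin/ufw-ban
# Assumed Mystic "IP Blocked" event shell command:
#     sudo /usr/local/sbin/ufw-ban @IP@

# Path to the ufw binary; overridable so the functions can be exercised
# without root (e.g. UFW=true for a dry run).
UFW="${UFW:-/usr/sbin/ufw}"

# valid_ipv4 ADDR: return 0 if ADDR is a dotted quad with every octet 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;       # anything but digits and dots (incl. newlines)
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    rest="$1."                          # trailing dot so the loop consumes every octet
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ban_ip ADDR: insert a deny rule at position 1 so it is matched before the
# allow rules for the BBS ports (ufw stops at the first matching rule).
# Returns ufw's exit status, or 2 if ADDR is not a plain IPv4 address.
# Note: "insert 1" needs at least one existing rule, which holds whenever the
# BBS ports have already been allowed.
ban_ip() {
    valid_ipv4 "$1" || { echo "ufw-ban: refusing argument '$1'" >&2; return 2; }
    "$UFW" insert 1 deny from "$1" to any
}

# Entry point: with an argument, ban it; with no arguments only the functions
# are defined (so the file can also be sourced).
if [ $# -gt 0 ]; then
    ban_ip "$1"
    exit $?
fi
```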