Help needed to setup Haas

Hi,

I am trying to set up Haas on a Turris Omnia (Turris OS 5.3.11).

I think the part with the registration on haas.nic.cz is ok and I have used a token to create a device. The thing is I don’t see any session there and I guess that after 3 days I should.

I think (I’m no expert) that it’s more a firewall related issue. Here is a description of my internal network:

Internet ---- ISP router (1) ------ Turris Omnia (2) ------ Internal network (and a ssh server running on my linux server (3)).

On (1), all traffic is forwarded to (2).

On (2), I created a port forward rule so that all incoming ssh traffic goes to (3). I did that before trying to setup Haas. Traffic to port 22 of Turris goes to port 7777 to linux server. Works from outside as expected.

Now I created another rule on Turris in order to be able to connect to it via ssh from internal network. I need to do this since Haas listens on port 22 (right?). I tried setting external port of Turris to 22222 form source zone WAN to internal port 22 to destination zone lan. Restarted firewall. Now I can connect from internal network with -P 22 or -P 22222, which is strange.

That’s what I tried and is clearly not correct. Thinking about this, how can a traffic on port 22 go to Haas with the port forward rule to my linux server on port 7777 instead of going to the Haas honeypot? I’m doing something wrong but do not see what (again, no network expert here).

Could someone help me here?

Thanks a lot!

He describes the situation a bit, for my head :-), complicated and unintelligible

HaaS monitors ports 21, 22, 23, 25, 80 and 587. If any of your applications use one of these ports, HaaS will not monitor and forward them. If you want and your application allows it, you can redirect its traffic so that it does not conflict with the ports used for HaaS.

image873×309 12.1 KB

Choosing a new port is arbitrary, but we should still avoid common ports (which are used by common services and applications), i.e. in the range 0-1023. It is recommended to skip these. Other so-called registered ports have a range of 1024-49151. We can use them, but it is possible that problems could occur in some networks - so it is better to avoid them and use free (dynamic) ports in the range 49152-62535. (That’s why we used port 53033 as an example above, but of course you can use another one if it’s available.)

For example, for port 22: Incoming from wan TCP port 53022 - Forward to lan IP 192.168.1.110 (linux server) port 22

I don’t understand your redirection “On (1), all traffic is forwarded to (2)” … do you direct all traffic from the WAN to your router only? Why ??
In your case, it probably depends on the order of the rules whether the forward rule for SSH is higher or lower than the one mentioned (meaningless forward wan all to lan router 192.168.1.1).

Hi,

Thanks for your answer and sorry if my description was a bit erratic

All traffic goes through my ISP modem/router to the Turris router. From there, it is dispatched to my internal networks (wifi and rj45 lan). So the ISP modem/router is acting like a kind of bridge between Wan and Lan. I tried several different network configurations and it was the only one which let me access my ssh server from Wan. Maybe there exists other ones, I don’t know.

Am I on a good track?

Why are you writing forward when it is in gateway mode?

The logical assembly is:

• ISP modem/router as gateway
• The Turris Omnia router assigns IP addresses and has a port forward set to enable HaaS and other honeypot functions

The internal network is not logically affected by the redirection between WAN and LAN and therefore to access SSH

• from the LAN you use port 22 and
• from the WAN “zum Beispiel” - occasionally used phrases in the German language in the Czech language, which means … for example via port 53022.

If the setup works and serves the intended purpose, you’ve done it right

I am not sure of the exact terms in English I guess.

Anyway, I have given a fixed address to the Turris Omnia router from the ISP modem/router GUI and changed the port redirection from 22222 to 22222 on the Turris Omnia on which I changed SSH port to 22222 and created a port forward rule to my linux server port 7777.

Restarted ssh server and firewall on Turris Omnia and now I get the same REDIRECT rules shown on your image.

Crossing fingers to see if HaaS catches any traffic.

Thanks for your swift and clear answer!

Hi,

No session recorded today. Is this an expected behaviour after 24h?

Thank

Try SSH access to your own external IP address to see if you get any results

Tried but nothing.

I cannot access my ssh server anymore. I think I screwed up the different port forwarding…

I also did a scan with nmap and the only result was mentioning kdm, which rather strange.

Nothing means what? Your information is too general. Please describe your HW setup and settings again.

I suppose, that:

• your provider modem is in bridge mode
• do you have your own port forward rules - write what exactly !!!
• the necessary settings in reForis are enabled
  1- Package Management (Advanced security & analytics - Turris Sentinel),
  2 - Sentinel Components and HaaS Proxy Settings

Do you check the HaaS function at https://haas.nic.cz/devices/ and after inserting the HaaS token?
Do you know your external IP address?
At GRC | ShieldsUP! — Internet Vulnerability Profiling   check that ports 21,22,23,25,80,587 are open ? Youre ext IP si

Sorry. Nothing means that the ssh command doesn’t return anything, the cursor just blinked. I have to Ctrl-C to get back control.

Correct

Entry port: 22222
Target port: 22
Target IP: 192.168.1.5 (that’s Turris)

But I guess entry port is wrong, should be 22, right?

1 is ok. For 2, all components are installed and loaded.

ps aux | grep haas gives:

root 7252 0.0 1.2 29408 25912 ? S Jul25 0:02 python3 -m haas_proxy --pidfile=/var/run/haas-proxy.pid --nodaemon haas_proxy --log-level=warning --device-token=XXXXX-me --port=2525

Yes I checked Haas function et have inserted token. And yes I know my external IP, that’s what I entered from outside to try to connect via ssh. Last point, open ports, is where things goes wrong. Only one was open, the kdm thing… So it’s back to setting port forwarding correctly

In fact, this is not correct. There is no bridge mode on the ISP’s modem/router. What I did is attribute a fixed IP to the Omnia from the ISP’s modem/router. So I have:

Internet ------ ISP modem/routeur (192.168.1.2) ------ Turris Omnia (192.168.1.5)

There is s “Static route” fonction on the ISP modem/router. I have defined:

Target network: 192.168.2.0
Network mask: 255.255.255.0
Transmit to device: 192.168.1.5 (Turris Omnia)

I have port forwarding like 192.168.1.2:22 → 192.168.1.5:22 and from there I redirect ssh traffic to my Linux ssh server on port 7777.

I can then Reforis or Luci on 2 IP: 192.168.1.5 and 192.168.2.1. The network 192.168.2.0/24 is my home network.

I think this network setup is not very “casher” because there is no bridge mode on the ISP modem/router.

After some investigation, I fell on a post saying that I might be able to remove the ISP modem/router in a plug this sfp module ( Turris RTROM01-RTSF-10G, SFP+ Copper module, 10 Gbps, RJ45) in Omnia.

Is this right? That would probably simplify my setup right?

Thanks

I’m not a fully qualified expert, but I think that the modem-router that is upstream of the Turris Omnia should be in gateway mode … if it is not, problems may result. I feel that “removing” the modem-router of your ISp provider would simplify the whole setup a lot.
You must not believe my statement 100%.

It would be good if someone more knowledgeable entered the discussion.

Hi,

Just for info, it started working last night, without any other changes. There has been no updates and I haven’t touch the config at all.
I’m seeing a lot of sessions now. Very interesting.

Thanks for your help.