Web Server ( ): FTP, SSH, HTTP, HTTPS, SMTP, POP3, IMAP, POP3S, IMAPS, MySQL (for some local services[qmail/vpopmail])

Written by Muhammad Kamran Azeem Wednesday, 02 July :48 - Last Updated Saturday, 25 December :45

The following firewall scripts will help you secure your web and DB servers placed on the Internet. The scenario is that the MySQL DB server should receive DB connections / traffic only from the web server. The services running on each server are:

Web Server (200.10.20.31): FTP, SSH, HTTP, HTTPS, SMTP, POP3, IMAP, POP3S, IMAPS, MySQL (for some local services [qmail/vpopmail])
DB Server (200.10.20.32): SSH, HTTP, HTTPS, MySQL (only to receive traffic from the web server)

The following scripts are currently implemented on live servers, so they are 100% tested. Still, USE THEM AT YOUR OWN RISK. Below are two scripts (create as /etc/firewall.sh), one for the web server and one for the DB server. Below them is a startup (init.d) script common to both.

WebServer :-

vi /etc/firewall.sh

```bash
#!/bin/bash
# Author: Muhammad Kamran Azeem (kamran _at_ wbitt _dot_ com)
# Created: 20080410
# Revision History: 20080706, 20080412
# Proposed implementation: On StandAlone web servers
# Current Implementation: StandAlone web server
#
# Various tools:
#   nmap -sU publichost        (scans UDP ports)
#   The following reports the total number of connections per remote IP:
#   netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
#
# Once the system is secured, test your firewall with nmap or hping2:
#   nmap -v -f FIREWALL-IP
#   nmap -v -sX FIREWALL-IP
#   nmap -v -sN FIREWALL-IP
#   nmap -v -sS FIREWALL-IP
#   hping2 -X FIREWALL-IP
#   ping -f FIREWALL_IP
#   ping -s 65507 192.168.0.230

# ---- User configurable parameters - START ----
# The public interface of this server towards the Internet:-
PUBLICIF=eth0
# The public IP of this server (on $PUBLICIF) visible/accessible from the Internet:-
PUBLICIP=200.10.20.31
# The full path to the iptables program:-
IPTABLES=/sbin/iptables
# ---- User configurable parameters - END ----

# ---- Load Modules - Start ----
# Load the FTP connection tracking module. Without it, FTP to this server will NOT work,
# because we DROP all remaining INPUT packets at the end of this firewall.
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# ---- Load Modules - End ----

# ---- Kernel Parameters - Start ----
# Various kernel parameters which you can (also) set up in /etc/sysctl.conf.
# The following enables source address verification, which is built into the Linux kernel:
#   net.ipv4.conf.all.rp_filter = 1
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# ---- Kernel Parameters - End ----

# Start from a clean rule set.
$IPTABLES -F
$IPTABLES -t nat -F

# Ports list:
#   22/tcp   - SSH
#   25/tcp   - SMTP
#   53/tcp   - DNS
#   53/udp   - DNS
#   80/tcp   - HTTP
#   443/tcp  - HTTPS
#   110/tcp  - POP3
#   995/tcp  - POP3S
#   143/tcp  - IMAP
#   993/tcp  - IMAPS
#   123/tcp  - NTP
#   123/udp  - NTP
#   199/tcp  - SNMP
#   161/udp  - SNMP
#   3306/tcp - MySQL
#   8443/tcp - Plesk

# Setting the default INPUT policy to DROP is dangerous in case the rules are flushed
# (an "iptables -F" would then lock you out). Instead, look at the end of this file
# for the other method.
# $IPTABLES -P INPUT DROP      <---- Don't use this method.

# Allow packets coming from the machine itself
$IPTABLES -A INPUT  -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow outgoing traffic
$IPTABLES -A OUTPUT -o $PUBLICIF -j ACCEPT

# Allow the following traffic only:-
$IPTABLES -A INPUT -i $PUBLICIF -p tcp -m multiport --dport 21,22,25,53,80,443,110,995,143,993 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLICIF -p udp -m multiport --dport 53 -j ACCEPT

# Block spoofing
$IPTABLES -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

# A more sophisticated / wide-ranging method is below:-
# Add your IP ranges/IPs here. Yes, I am sure that the last address has a 16 bit subnet for a VALID reason.
SPOOFLIST="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 224.0.0.0/3"
for ip in $SPOOFLIST
do
    $IPTABLES -A INPUT -i $PUBLICIF -s $ip -j DROP
done

# Stop bad packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Stop NMAP FIN/URG/PSH
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# Stop Xmas Tree type scanning
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Stop null scanning
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL NONE -j DROP

# Stop SYN/RST
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Stop SYN/FIN
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# If a packet opening a NEW connection is not a SYN packet, DROP it:-
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Stop ping flood attack
# Reject ICMP echo-request packets larger than 56(84) bytes:
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m length --length 85: -j REJECT --reject-with icmp-host-prohibited
# The above works! See the two outputs below:
#   [kamran@kworkhorse ~]$ ping www.yourdomain.com -s 56
#   PING yourdomain.com (1.2.3.4) 56(84) bytes of data.
#   64 bytes from www.yourdomain.com (1.2.3.4): icmp_seq=1 ttl=42 time=1140 ms
#   64 bytes from www.yourdomain.com (1.2.3.4): icmp_seq=2 ttl=42 time=799 ms
#   ...
# Increasing the packet size by just one byte results in packet DROPs. Alhumdulillah.
#   [kamran@kworkhorse ~]$ ping www.yourdomain.com -s 57
#   PING yourdomain.com (1.2.3.4) 57(85) bytes of data.
#   From www.yourdomain.com (1.2.3.4) icmp_seq=1 Destination Host Prohibited
#   From www.yourdomain.com (1.2.3.4) icmp_seq=2 Destination Host Prohibited
#   ...

# Rate-limit incoming ICMP echo-requests; anything over the limit falls through to the final DROP below.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Hopefully spamassassin, NTP, Razor, DNS, DCCIFD, etc. will keep working properly because of the
# following rule: replies to connections this host opened are tracked as ESTABLISHED/RELATED.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Set up the "default INPUT policy" as DROP. Note that -P (POLICY) is NOT used here. Instead, since
# all desired traffic has been allowed above, we simply drop every other packet arriving on $PUBLICIF.
$IPTABLES -A INPUT -i $PUBLICIF -j DROP

exit 0
```

DB Server :-

vi /etc/firewall.sh

```bash
#!/bin/bash
# Author: Muhammad Kamran Azeem (kamran _at_ wbitt _dot_ com)
# Created: 20080410
# Revision History: 20080706, 20080513
# Implemented on this server: 20080513
# Proposed implementation: On db servers
# Current implementation: Customized for this DB server
#
# Various tools:
#   nmap -sU PUBLIChost        (scans UDP ports)
#   The following reports the total number of connections per remote IP:
#   netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
#
# Once the system is secured, test your firewall with nmap or hping2:
#   nmap -v -f FIREWALL-IP
#   nmap -v -sX FIREWALL-IP
#   nmap -v -sN FIREWALL-IP
#   nmap -v -sS FIREWALL-IP
#   hping2 -X FIREWALL-IP
#   ping -f FIREWALL_IP
#   ping -s 65507 FIREWALL_IP

# ---- User configurable parameters - START ----
# The public interface of this server towards the Internet:-
PUBLICIF=eth0
# The public IP of this server (on $PUBLICIF) visible/accessible from the Internet (use ifconfig to find out):-
PUBLICIP=200.10.20.32
# The IP of the web server that accesses this machine / DB server:-
WEBSERVERIP=200.10.20.31
# The full path to the iptables program:-
IPTABLES=/sbin/iptables
# ---- User configurable parameters - END ----

# ---- Load Modules - Start ----
# Load the FTP connection tracking module. Without it, FTP to this server will NOT work,
# because we DROP all remaining INPUT packets at the end of this firewall.
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# ---- Load Modules - End ----

# ---- Kernel Parameters - Start ----
# Various kernel parameters which you can (also) set up in /etc/sysctl.conf.
# The following enables source address verification, which is built into the Linux kernel:
#   net.ipv4.conf.all.rp_filter = 1
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# ---- Kernel Parameters - End ----

# Start from a clean rule set.
$IPTABLES -F
$IPTABLES -t nat -F

# Ports list:
#   22/tcp   - SSH
#   25/tcp   - SMTP
#   80/tcp   - HTTP
#   443/tcp  - HTTPS
#   110/tcp  - POP3
#   995/tcp  - POP3S
#   143/tcp  - IMAP
#   993/tcp  - IMAPS
#   123/tcp  - NTP
#   123/udp  - NTP
#   199/tcp  - SNMP
#   161/udp  - SNMP
#   3306/tcp - MySQL

# Setting the default INPUT policy to DROP is dangerous in case the rules are flushed.
# Instead, look at the end of this file for the other method.
# $IPTABLES -P INPUT DROP      <---- Don't use this method.

# Allow packets coming from the machine itself
$IPTABLES -A INPUT  -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow outgoing traffic
$IPTABLES -A OUTPUT -o $PUBLICIF -j ACCEPT

# Allow the following traffic only:-
# The following ports are allowed to get traffic from all over the world:-
$IPTABLES -A INPUT -i $PUBLICIF -p tcp -m multiport --dport 21,22,80,443 -j ACCEPT
# And the following port is only allowed to get traffic from $WEBSERVERIP:-
$IPTABLES -A INPUT -i $PUBLICIF -p tcp -s $WEBSERVERIP --dport 3306 -j ACCEPT

# Block spoofing
$IPTABLES -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

# OR the more sophisticated / wide-ranging method below:-
# Add your IP ranges/IPs here. Yes, I am sure that the last address has a 16 bit subnet for a VALID reason.
SPOOFLIST="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 224.0.0.0/3"
for ip in $SPOOFLIST
do
    $IPTABLES -A INPUT -i $PUBLICIF -s $ip -j DROP
done

# Stop bad packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Stop NMAP FIN/URG/PSH
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# Stop Xmas Tree type scanning
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Stop null scanning
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL NONE -j DROP

# Stop SYN/RST
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Stop SYN/FIN
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# If a packet opening a NEW connection is not a SYN packet, DROP it:-
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Stop ping flood attack
# Reject ICMP echo-request packets larger than 56(84) bytes:-
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m length --length 85: -j REJECT --reject-with icmp-host-prohibited
# The above works! See the two outputs below:
#   [kamran@kworkhorse ~]$ ping www.yourdomain.com -s 56
#   PING yourdomain.com (1.2.3.4) 56(84) bytes of data.
#   64 bytes from www.yourdomain.com (1.2.3.4): icmp_seq=1 ttl=42 time=1140 ms
#   64 bytes from www.yourdomain.com (1.2.3.4): icmp_seq=2 ttl=42 time=799 ms
#   ...
# Increasing the packet size by just one byte results in packet DROPs. Alhumdulillah.
#   [kamran@kworkhorse ~]$ ping www.yourdomain.com -s 57
#   PING yourdomain.com (1.2.3.4) 57(85) bytes of data.
#   From www.yourdomain.com (1.2.3.4) icmp_seq=1 Destination Host Prohibited
#   From www.yourdomain.com (1.2.3.4) icmp_seq=2 Destination Host Prohibited
#   ...

# Allow a maximum of two incoming ICMP echo-requests per second; the rest fall through to the final DROP below.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT

# Hopefully spamassassin, NTP, Razor, DNS, DCCIFD, etc. will keep working properly because of the
# following rule: replies to connections this host opened are tracked as ESTABLISHED/RELATED.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Set up the "default INPUT policy" as DROP. Note that -P (POLICY) is NOT used here. Instead, since
# all desired traffic has been allowed above, we simply drop every other packet arriving on $PUBLICIF.
$IPTABLES -A INPUT -i $PUBLICIF -j DROP

exit 0
```

And now the startup (init.d) script to be used on both servers. Create it as /etc/init.d/firewall:-

vi /etc/init.d/firewall

```bash
#!/bin/bash
#
# firewall      Startup script for our personal firewall
#
# chkconfig: - 01 99
# description: Our own custom built firewall setup
# processname: firewall

# Source function library.
. /etc/rc.d/init.d/functions

prog=/etc/firewall.sh
lockfile=/var/lock/subsys/firewall
RETVAL=0

start() {
    echo -n "Starting $prog: "
    # Execute the firewall script rather than sourcing it: /etc/firewall.sh ends with
    # "exit 0", which would terminate this init script before the lock file is created.
    $prog
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    # Flush all rules and fall back to an open INPUT policy, keeping SSH reachable.
    /sbin/iptables -F
    /sbin/iptables -t nat -F
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f ${lockfile}
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        /sbin/iptables -L
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $prog {start|stop|status|restart}"
        RETVAL=3
esac
exit $RETVAL
```

Final steps:-

Make both scripts executable on each server and enable the service at boot:

```bash
chmod +x /etc/firewall.sh /etc/init.d/firewall
chkconfig --level 35 firewall on
```

That should be all.
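To see how the web-server INPUT chain above actually decides, here is a first-match walk over its rules, an added example that is not part of the author's scripts. It encodes the rules in the order the script appends them and makes the ordering visible: a packet to an allowed port is accepted by the multiport rule before the anti-spoofing and `! --syn` rules are ever consulted, so those rules only protect the ports that are not open anyway. The packet fields, the constructed 203.0.113.5 client, and treating the 1/s echo-request limit as always within budget are modelling assumptions; the DB chain differs only in its port list and the 3306 source restriction, so it can be modelled by swapping the second rule.

```python
"""First-match walk of the web-server INPUT chain on this page (added example, not
the author's script). Packets are dicts; the 1/s echo-request limit is assumed unspent."""
import ipaddress

ALL = {"SYN", "ACK", "FIN", "RST", "URG", "PSH"}
SPOOFLIST = ["0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/16",
             "192.168.0.0/16", "224.0.0.0/3"]
WEB_TCP = {21, 22, 25, 53, 80, 443, 110, 995, 143, 993}   # the multiport list

def in_net(src, cidr):
    return ipaddress.ip_address(src) in ipaddress.ip_network(cidr)

def flags(p, mask, comp):        # --tcp-flags <mask> <comp>; ALL means every bit
    return p["proto"] == "tcp" and p["flags"] & set(mask) == set(comp)

def is_syn(p):                   # --syn is shorthand for --tcp-flags SYN,RST,ACK SYN
    return flags(p, {"SYN", "RST", "ACK"}, {"SYN"})

# (match, target) pairs in the order the script appends them to INPUT.
INPUT = [
    (lambda p: p["iface"] == "lo", "ACCEPT"),
    (lambda p: p["iface"] == "eth0" and p["proto"] == "tcp"
     and p["dport"] in WEB_TCP, "ACCEPT"),
    (lambda p: p["iface"] == "eth0" and p["proto"] == "udp"
     and p["dport"] == 53, "ACCEPT"),
    (lambda p: in_net(p["src"], "127.0.0.0/8") and p["iface"] != "lo", "DROP"),
] + [
    (lambda p, n=n: p["iface"] == "eth0" and in_net(p["src"], n), "DROP")
    for n in SPOOFLIST
] + [
    (lambda p: p["state"] == "INVALID", "DROP"),
    (lambda p: flags(p, ALL, {"FIN", "URG", "PSH"}), "DROP"),
    (lambda p: flags(p, ALL, ALL), "DROP"),
    (lambda p: flags(p, ALL, {"SYN", "RST", "ACK", "FIN", "URG"}), "DROP"),
    (lambda p: flags(p, ALL, set()), "DROP"),                   # --tcp-flags ALL NONE
    (lambda p: flags(p, {"SYN", "RST"}, {"SYN", "RST"}), "DROP"),
    (lambda p: flags(p, {"SYN", "FIN"}, {"SYN", "FIN"}), "DROP"),
    (lambda p: p["proto"] == "tcp" and not is_syn(p) and p["state"] == "NEW", "DROP"),
    (lambda p: p["type"] == "echo-request" and p["len"] >= 85, "REJECT"),
    (lambda p: p["type"] == "echo-request", "ACCEPT"),          # -m limit assumed unspent
    (lambda p: p["state"] in ("RELATED", "ESTABLISHED"), "ACCEPT"),
    (lambda p: p["iface"] == "eth0", "DROP"),
]

def pkt(iface="eth0", proto="tcp", src="203.0.113.5", dport=0, tcp_flags=(),
        state="NEW", length=64, icmp_type=None):
    """Build a packet dict; 203.0.113.5 is a constructed (TEST-NET-3) client address."""
    return dict(iface=iface, proto=proto, src=src, dport=dport,
                flags=set(tcp_flags), state=state, len=length, type=icmp_type)

def verdict(p):
    # Return (target, index of the first matching rule); the chain policy stays ACCEPT.
    for i, (match, target) in enumerate(INPUT):
        if match(p):
            return target, i
    return "ACCEPT", None
```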