I will show you mine if ...



05-02-2004
Felix Tilley

I will show you mine if ...

... if you show me yours. Here is mine:

==========================================================


#!/bin/bash

# LOGDROP: a user chain that logs the packet (kernel log level 4, warning)
# and then drops it, so one target does both jobs.
/sbin/iptables -N LOGDROP
/sbin/iptables -A LOGDROP -j LOG --log-level 4
/sbin/iptables -A LOGDROP -j DROP


# Stuff from LACNIC, RIPE and broadband
# (iptables masks the host bits, so 200.1.1.1/8 is the whole 200.0.0.0/8;
# 200/8 is only logged at level 6 (info), the ranges below are logged and dropped)

/sbin/iptables -A INPUT -s 200.1.1.1/8 -j LOG --log-level 6
/sbin/iptables -A INPUT -s 201.1.1.1/8 -j LOGDROP
/sbin/iptables -A INPUT -s 4.1.1.1/8 -j LOGDROP
/sbin/iptables -A INPUT -s 12.1.1.1/8 -j LOGDROP
/sbin/iptables -A INPUT -s 24.1.1.1/8 -j LOGDROP
/sbin/iptables -A INPUT -s 80.1.1.1/8 -j LOGDROP
/sbin/iptables -A INPUT -s 81.1.1.1/8 -j LOGDROP
/sbin/iptables -A INPUT -s 82.1.1.1/8 -j LOGDROP
/sbin/iptables -A INPUT -s 83.1.1.1/8 -j LOGDROP
/sbin/iptables -A INPUT -s 84.1.1.1/8 -j LOGDROP


# telus hosted spammers /intopamail.com/fltn.net

/sbin/iptables -A INPUT -s 207.134.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 209.89.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 64.180.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 216.232.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 137.186.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 207.81.0.0/16 -j LOGDROP

# telus dynamic ranges
/sbin/iptables -A INPUT -s 142.179.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 206.116.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 66.222.128.0/17 -j LOGDROP
/sbin/iptables -A INPUT -s 207.6.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 209.121.0.0/16 -j LOGDROP
/sbin/iptables -A INPUT -s 209.202.64.0/18 -j LOGDROP


# FTP DATA (FTP, SMTP, HTTP, POP3, IMAP and LPD are TCP services; the
# matching UDP rules below are harmless but never match real traffic)
/sbin/iptables -A INPUT -p TCP --dport 20 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 20 -j LOGDROP
# FTP CONTROL
/sbin/iptables -A INPUT -p TCP --dport 21 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 21 -j LOGDROP

# SMTP
/sbin/iptables -A INPUT -p TCP --dport 25 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 25 -j LOGDROP

# HTTP
/sbin/iptables -A INPUT -p TCP --dport 80 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 80 -j LOGDROP
/sbin/iptables -A INPUT -p TCP --dport 8080 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 8080 -j LOGDROP

# POP3
/sbin/iptables -A INPUT -p TCP --dport 110 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 110 -j LOGDROP

# RPC (portmapper) temporarily disabled: may interfere with ntpdate
#/sbin/iptables -A INPUT -p TCP --dport 111 -j LOGDROP
#/sbin/iptables -A INPUT -p UDP --dport 111 -j LOGDROP

# IMAP
/sbin/iptables -A INPUT -p TCP --dport 143 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 143 -j LOGDROP

# SMB/CIFS
/sbin/iptables -A INPUT -p TCP --dport 445 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 445 -j LOGDROP


# Print spooler
/sbin/iptables -A INPUT -p TCP --dport 515 -j LOGDROP
/sbin/iptables -A INPUT -p UDP --dport 515 -j LOGDROP


--

Felix Tilley
Rank: Capt
Fanatic Lartvocate
FL# 555-LART
05-02-2004
Newsgroup Poster

Re: I will show you mine if ...

In message <1098bj033pfimc1@news.supernews.com>,
Felix Tilley wrote:

> .. if you show me yours. Here is mine:


Interesting... In reading over this, I'm presuming that yours is
for a single machine not running any particular servers. My setup
is a bit different, so my rule set can be quite different.

As I do have servers on the net, things are configured as a DMZ
LAN. These rules are something of a composite of what gets seen
from the outside looking in. This is in FreeBSD 4.x/5.x ipfw syntax.
It should translate into iptables fairly readily. There are additional
rules that are particular to the site, but this composite gives the
sense of the lockdown.

These rules are applied to the interface on a packet filter bridge
taking traffic from and to the Internet. The bridge does not run
any services, and is not addressable (console serial port monitoring
only). Since the bridge filter is not addressable, it can only deny
traffic. It cannot reply with any icmp error codes. That's a side
effect of the LAN configuration. An IDS is monitoring the traffic
in case the bridge somehow gets compromised or off-line, allowing
the Internet to hit the servers (which are themselves armored; this
is defense in depth).

Shell variables are defined as:

DMZ=IP address block for the site (x.0/size)
DMZNET=the x.0 IP address of the DMZ
DMZBCAST=the x.255 IP address of the DMZ
DMZMAIL=IP address of the mail server
DMZWEB=IP address of the web server
DMZFTP=IP address of the ftp server
DMZDNS=IP address of the nameserver
DMZNTP=IP address of the time server

Port definitions, as a range lowport-highport

SAFE="1024-65535"
FTPHIGH="49152-65535"

======================================================================

# nobody talks to my x.0 or my x.255 IP addresses

/sbin/ipfw add deny all from any to $DMZNET
/sbin/ipfw add deny all from any to $DMZBCAST

# Kill off the RFC 3330 IP spaces
# these are never legit source addresses to be received here

/sbin/ipfw add deny all from 0.0.0.0/8 to any
/sbin/ipfw add deny all from 10.0.0.0/8 to any
/sbin/ipfw add deny all from 127.0.0.0/8 to any
/sbin/ipfw add deny all from 169.254.0.0/16 to any
/sbin/ipfw add deny all from 172.16.0.0/12 to any
/sbin/ipfw add deny all from 192.0.2.0/24 to any
/sbin/ipfw add deny all from 192.168.0.0/16 to any
/sbin/ipfw add deny all from 198.18.0.0/15 to any # yes /15
/sbin/ipfw add deny all from 224.0.0.0/4 to any
/sbin/ipfw add deny all from 240.0.0.0/4 to any

# no source routing, if somebody tries something weird

/sbin/ipfw add deny all from any to any ipoptions ssrr
/sbin/ipfw add deny all from any to any ipoptions lsrr

# servers never initiate traffic
# it's amazing how much stuff tries to come under the wire
# thru the 0,20,21,22,23,25,53,80,443 ports as source ports
# /sbin/ipfw add deny tcp from any 1-1023 to any setup
# but the port range limits block such things anyhow

# anybody wanting to talk to the DMZ servers must use high ports

# the mail server
/sbin/ipfw add allow tcp from any $SAFE to $DMZMAIL 25,113
/sbin/ipfw add deny tcp from any to $DMZMAIL

# the web server
/sbin/ipfw add allow tcp from any $SAFE to $DMZWEB 80,443
/sbin/ipfw add deny tcp from any to $DMZWEB

# the ftp server
/sbin/ipfw add allow tcp from any $SAFE to $DMZFTP $FTPHIGH,20,21
/sbin/ipfw add deny tcp from any to $DMZFTP

# time of day
/sbin/ipfw add allow udp from $NTPSERVER1 123 to $DMZNTP $SAFE
/sbin/ipfw add allow udp from $NTPSERVER2 123 to $DMZNTP $SAFE
/sbin/ipfw add allow udp from $NTPSERVER3 123 to $DMZNTP $SAFE
/sbin/ipfw add allow udp from $NTPSERVER4 123 to $DMZNTP $SAFE

# ping, errors, and company
/sbin/ipfw add allow icmp from any to $DMZ icmptypes 0,3,4,8,11,12

# the dynamic rules are set in the outbound filter
# that expect DNS traffic in response to a query

/sbin/ipfw add check-state

/sbin/ipfw add deny all from any to any
=====================================================================

And now the outbound rules. A side effect of these rules is that
only the site IP addresses will be allowed as source addresses.
No outbound spoofing allowed. Also, outbound snort rules alert for
traffic attempts that aren't allowed, which would indicate a
compromised machine.

=====================================================================

# the DMZ machines can give icmp error codes and ping things

/sbin/ipfw add allow icmp from $DMZ to any icmptypes 0,3,4,8,11,12

# keep state to allow only answers to queries to come back
# (the check-state rule in the inbound filter matches those answers)
/sbin/ipfw add allow udp from $DMZDNS $SAFE to any 53 keep-state

# outbound mail delivery and ident lookups from the mail server
/sbin/ipfw add allow tcp from $DMZMAIL $SAFE to any 25,113

# could do these as dynamic rules, but if DMZNTP got compromised
# then the rules wouldn't help in trapping the crack

/sbin/ipfw add allow udp from $DMZNTP $SAFE to $NTPSERVER1 123
/sbin/ipfw add allow udp from $DMZNTP $SAFE to $NTPSERVER2 123
/sbin/ipfw add allow udp from $DMZNTP $SAFE to $NTPSERVER3 123
/sbin/ipfw add allow udp from $DMZNTP $SAFE to $NTPSERVER4 123

# the web server will NEVER initiate outbound traffic
# if it tries, it is a compromised machine...
# a snort alert rule can trap that also

/sbin/ipfw add deny tcp from $DMZWEB to any setup
/sbin/ipfw add allow tcp from $DMZWEB 80,443 to any $SAFE established

# ftp server replies: passive data range plus the active-mode ports
/sbin/ipfw add allow tcp from $DMZFTP $FTPHIGH,20,21 to any $SAFE

/sbin/ipfw add deny all from any to any

=====================================================================

--
Randall Raemon
shikahrsoho.com, email to usenet200405 - userid expires 31 May 2004
05-02-2004
James Riden

Re: I will show you mine if ...

"Felix Tilley" <ftilley@localhost.localdomain> writes:

> .. if you show me yours. Here is mine:
>
> ==========================================================


Safer to allow the stuff you want, LOGDROP what you want to know about
and DROP the stuff you don't care about. (Except I REJECT instead of
DROP.)

--
James Riden / j.riden@massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
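The structure James describes (allow what you want, LOGDROP what you want to hear about, silently drop the rest), applied to Felix's script and reusing Randall's RFC 3330 bogon list, as an added example that is not code from any of the posters. The interface name, the published ports and the "noisy" port list are assumptions; with IPT unset it only prints the rules it would load.

```shell
#!/bin/sh
# Added example, not code from the thread: Felix's port-by-port blacklist
# reworked into the layout James Riden recommends (allow what you want,
# LOGDROP what you want to hear about, silently DROP the rest), reusing
# Randall's RFC 3330 bogon list. WAN, the published TCP ports and the
# "noisy" port list are assumptions. Assumes a freshly flushed filter table.
# With IPT unset the script only prints the rules it would load; set
# IPT=/sbin/iptables (as root) to apply them.
WAN=${WAN:-eth0}
PUBLISHED_TCP=${PUBLISHED_TCP:-"22 80 443"}
NOISY_TCP="21 23 25 110 143 445 515"
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 224.0.0.0/4 240.0.0.0/4"

# Run one iptables invocation, or print it when reviewing without root.
rule() {
    if [ -n "$IPT" ]; then "$IPT" "$@"; else printf '%s\n' "$*"; fi
}

build_rules() {
    rule -P INPUT DROP                     # default deny: the allow-list core
    rule -N LOGDROP                        # log-then-drop, as in Felix's script,
    rule -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
         -j LOG --log-level 4 --log-prefix "LOGDROP: "   # but rate-limited
    rule -A LOGDROP -j DROP
    rule -A INPUT -i lo -j ACCEPT
    # bogon sources: never legitimate on the WAN side, not worth logging
    for net in $BOGONS; do
        rule -A INPUT -i "$WAN" -s "$net" -j DROP
    done
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
    for p in $PUBLISHED_TCP; do            # only new connections to real services
        rule -A INPUT -i "$WAN" -p tcp --dport "$p" --syn -j ACCEPT
    done
    rule -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    for p in $NOISY_TCP; do                # probes worth a log line
        rule -A INPUT -i "$WAN" -p tcp --dport "$p" -j LOGDROP
    done
    # everything else hits the INPUT policy (DROP) without a log entry
}

# Count the generated rules ending in a given target, for dry-run review.
count_target() {
    (IPT=; build_rules) | grep -c -- "-j $1\$"
}

build_rules
```

Swap the final `-j DROP` in the LOGDROP chain for `-j REJECT` to get James's variant; the rate limit on the LOG rule keeps a port sweep from flooding syslog.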
