Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to
LinuxQuestions.org , a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free.
Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please
contact us . If you need to reset your password,
click here .
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a
virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month.
Click here for more info.
02-18-2015, 08:14 AM
#1
Member
Registered: Feb 2015
Posts: 40
Rep:
Best way for security of my linux PC (xubuntu 14.04)?
1)Disable sudo
2)Set-up password for grub
3)Set-up password for root
4)Set-up passphrase for all operation system for encrypt home directory and all disk.
5)Set-up iptables, for block all incoming traffic, and all outgoig traffic, except 80,443 ports and skype,icq ports.
What else needs to be done in my xubuntu system?
02-18-2015, 09:49 AM
#2
Senior Member
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475
Install clamav and rkhunter and run them on a regular (daily?) basis.
02-18-2015, 09:53 AM
#3
Member
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286
Rep:
Disable boot from removable devices.
Set-up password for BIOS changes.
02-18-2015, 10:22 AM
#4
Member
Registered: Feb 2015
Posts: 40
Original Poster
Rep:
Quote:
Originally Posted by
cepheus11
Disable boot from removable devices.
Set-up password for BIOS changes.
i was do it.
What else needs to be done?
02-18-2015, 11:26 AM
#5
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Rep:
Quote:
Originally Posted by
james.brown
i was do it.
What else needs to be done?
It's a good start, but it should be noted "There is no Security without Physical Security.".
Anyone that has physical access to the storage media can bypass any such protections.
Keep updates current.
Short of a Pit Bull with a nasty caffeine withdrawal, I'd say 'check and double check', except
Quote:
Originally Posted by james.brown
5)Set-up iptables
Turn on
ufw and/or install
gufw
Last edited by Habitual; 02-18-2015 at 11:27 AM .
02-18-2015, 12:37 PM
#6
Member
Registered: Feb 2015
Posts: 40
Original Poster
Rep:
Habitual , iptables scrippt for security local PC.
Quote:
#!/bin/sh
# iptables dir
IPT="/sbin/iptables"
# interface
INET_IFACE="eth0"
# ports
UNPRIPORTS="1024:65535"
start_fw()
{
# forward traffic with kernel
echo 0 > /proc/sys/net/ipv4/ip_forward
# reset rules
$IPT -F
$IPT -X
# defaults
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# allow all traffic with localhost
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# if non-localhost traffic, then block him
$IPT -A INPUT -s 127.0.0.1/255.0.0.0 ! -i lo -j DROP
# block non-identified packets
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
#
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#$IPT -t nat -I PREROUTING -i $INET_IFACE -s 10.0.0.1/32 -j ACCEPT
#
# SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
# UDP
$IPT -A INPUT -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A INPUT -p UDP -s 0/0 --destination-port 113 -j REJECT
$IPT -A INPUT -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT
$IPT -A INPUT -p UDP -j RETURN
$IPT -A OUTPUT -p UDP -s 0/0 -j ACCEPT
# ICMP
$IPT -A INPUT --fragment -p ICMP -j DROP
$IPT -A OUTPUT --fragment -p ICMP -j DROP
#
$IPT -A INPUT -p icmp -m icmp -i $INET_IFACE --icmp-type source-quench -j ACCEPT
$IPT -A OUTPUT -p icmp -m icmp -o $INET_IFACE --icmp-type source-quench -j ACCEPT
# allow ping
$IPT -A INPUT -p icmp -m icmp -i $INET_IFACE --icmp-type echo-reply -j ACCEPT
$IPT -A OUTPUT -p icmp -m icmp -o $INET_IFACE --icmp-type echo-request -j ACCEPT
#
$IPT -A INPUT -p icmp -m icmp -i $INET_IFACE --icmp-type parameter-problem -j ACCEPT
$IPT -A OUTPUT -p icmp -m icmp -o $INET_IFACE --icmp-type parameter-problem -j ACCEPT
#
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport 6000:6063 -j DROP --syn
# $IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE -j DROP --dports #порта
$IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE -j DROP --dports 783
$IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE -j DROP --dports 3310
$IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE -j DROP --dports 10000
# DNS
$IPT -A OUTPUT -p udp -m udp -o $INET_IFACE --dport 53 --sport $UNPRIPORTS -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 53 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p udp -m udp -i $INET_IFACE --dport $UNPRIPORTS --sport 53 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport 1024:65353 --sport 53 -j ACCEPT
#
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 113 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 113 -j ACCEPT ! --syn
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport 113 -j DROP
# SMTP client (25)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 25 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 25 -j ACCEPT ! --syn
# POP3 client (110)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 110 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 110 -j ACCEPT ! --syn
# IMAP4 client (143)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 143 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 143 -j ACCEPT ! --syn
# SSH client (22)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 22 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 22 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 22 --sport 1020:1023 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport 1020:1023 --sport 22 -j ACCEPT ! --syn
# FPT client (21)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 21 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 21 -j ACCEPT ! --syn
# VNC client (21)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 5901 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 5901 -j ACCEPT ! --syn
# HTTP/HTTPS client (80, 443)
$IPT -A OUTPUT -p tcp -m tcp -m multiport -o $INET_IFACE --sport $UNPRIPORTS -j ACCEPT --dports 80,443
$IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE --dport $UNPRIPORTS -j ACCEPT --sports 80,443
# finger, whois, gorper, wais. Traceroute
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 20 -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 20 --sport $UNPRIPORTS -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport $UNPRIPORTS --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport $UNPRIPORTS -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 23 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 23 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 79 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 79 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 43 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 43 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 70 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 70 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 210 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 210 -j ACCEPT ! --syn
$IPT -A OUTPUT -p udp -m udp -o $INET_IFACE --dport 33434:33523 --sport 32769:65535 -j ACCEPT
# DHCP over iptables.
$IPT -A OUTPUT -p udp -m udp -o $INET_IFACE --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -p udp -m udp -i $INET_IFACE --dport 68 --sport 67 -j ACCEPT
# network
$IPT -A INPUT -i vboxnet0 -j ACCEPT
$IPT -A OUTPUT -o vboxnet0 -j ACCEPT
}
case "$1" in
start) echo -n "Starting firewall: iptables"
start_fw
echo "."
;;
stop) echo -n "Stopping firewall: iptables"
iptables -F
iptables -X
echo "."
;;
save) echo -n "Saving firewall: iptables"
iptables-save > /etc/rules-save
echo "."
;;
restart) echo -n "Restarting firewall: iptables"
iptables -F
iptables -X
cat /etc/rules-save | iptables-restore
echo "."
;;
reload|force-reload) echo -n "Reloading configuration files for firewall: iptables"
echo "."
;;
*) echo "Usage: /etc/init.d/rc.iptables start|stop|restart|reload|force-reload"
exit 1
;;
esac
exit 0
All times are GMT -5. The time now is 07:07 PM .
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know .
Latest Threads
LQ News