Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Following are security policies for PCI DSS -
FTP services are not allowed from External zone to PCI zone.
TFTP services are not allowed from External zone to PCI zone.
DNS services are not allowed from External zone to PCI zone.
Mail services are not allowed from External zone to PCI zone.
HTTP services are not allowed from DMZ zone to PCI zone.
FTP services are not allowed from DMZ zone to PCI zone.
TFTP services are not allowed from DMZ zone to PCI zone.
Mail services are not allowed from DMZ zone to PCI zone.
Netbios services are not allowed from External zone to PCI zone.
Microsoft RPC services are not allowed from External zone to PCI zone.
Microsoft directory services are not allowed from External zone to PCI zone.
Netbios services are not allowed from DMZ zone to PCI zone.
Microsoft RPC services are not allowed from DMZ zone to PCI zone.
Microsoft directory services are not allowed from DMZ zone to PCI zone.
Netbios services are not allowed from PCI zone to External zone.
Microsoft RPC services are not allowed from PCI zone to External zone.
Microsoft directory services are not allowed from PCI zone to External zone.
Netbios services are not allowed from PCI zone to DMZ zone.
Microsoft RPC services are not allowed from PCI zone to DMZ zone.
Microsoft directory services are not allowed from PCI zone to DMZ zone.
Traceroute is not allowed to enter the PCI zone from the External zone.
Traceroute is not allowed to enter the PCI zone from DMZ zone.
Packets with TCP/UDP high ports are not allowed to enter the PCI zone from DMZ zone.
NFS services are not allowed from External zone to PCI zone.
X11 services are not allowed from External zone to PCI zone.
Telnet services are not allowed from External zone to PCI zone.
MSSQL services are not allowed from External zone to PCI zone.
R services are not allowed from External zone to PCI zone.
Finger service is not allowed from External zone to PCI zone.
NFS services are not allowed from DMZ zone to PCI zone.
X11 services are not allowed from DMZ zone to PCI zone.
P2P file-sharing services are not allowed from DMZ zone to PCI zone.
Instant message services are not allowed from DMZ zone to PCI zone.
Telnet services are not allowed from DMZ zone to PCI zone.
MSSQL services are not allowed from DMZ zone to PCI zone.
R services are not allowed from DMZ zone to PCI zone.
Finger service is not allowed from DMZ zone to PCI zone.
FTP services are not allowed from PCI zone to External zone.
TFTP services are not allowed from PCI zone to External zone.
Telnet services are not allowed from PCI zone to External zone.
Instant message services are not allowed from PCI zone to External zone.
R services are not allowed from PCI zone to External zone.
NFS services are not allowed from PCI zone to External zone.
X11 services are not allowed from PCI zone to External zone.
Database services are not allowed from DMZ zone to PCI zone.
How can some of these be implemented in Debian Linux?
PCI-DSS is a complex and comprehensive subject and your question only covers a small part of it. Your above list is predominantly a list of services with known port numbers which, as the list says, should remain blocked at least between network zones. This can be accomplished using the built-in Linux firewall, iptables. As a general policy one should not open ports unless the services are required, and as a backup use a firewall to ensure that they don't get opened inadvertently. To answer your direct question, as to whether or not they can be implemented in Debian, the answer is yes. If you have a network set up with zones, like a PCI zone, a DMZ, and a public-facing zone, with switches and routers, you should also consider partitioning into VLANs and writing access control rules to only allow designated traffic from one zone/VLAN to another.
Is it possible to give a sample configuration for some of the services in Debian Linux, especially how you would do it for the Netbios service, Microsoft RPC service, mail service and Microsoft directory service? Others can be configured using standard rules like
Is filtering P2P network traffic with ipp2p, or anything else, required?
Here is a link to an excellent tutorial on iptables: http://bodhizazen.net/Tutorials/iptables It will show you examples of how to perform this function. The gist of it is to keep your ports blocked by default and then write white-list rules to allow only the desired traffic. You can fine tune the rules to allow connections only from a specific host or subnet too.
To give you another example, here is part of my firewall rule set (note, I am not certifying for PCI-DSS):
Code:
-A INPUT -p tcp -m multiport --dports 25,465 -j fail2ban-postfix
-A INPUT -j blacklist
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -j DROP
As you can see, the final rule is DROP. If the traffic does not match one of the above rule patterns, it gets dumped. Therefore, things like Microsoft RPC services get blocked. You can also filter ICMP traffic to remove or restrict activity like PING or other error messaging. For example, I allow PING:
Code:
-A INPUT -s <my CIDR Range> -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+1 from me on the implied suggestion to abstain from writing rules for each of the listed requirements, and simply block everything while adding exceptions as needed instead.
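The zone-to-zone version of that approach, as an added example that is not from any poster in this thread: a POSIX shell script that emits a default-deny FORWARD ruleset for iptables-restore (one chain per zone pair, a short whitelist, everything else logged and dropped) and audits the result against the forbidden-port list before applying it. The interface names, host addresses and the two whitelisted flows are assumed placeholders.

```shell
# Assumed layout (not from the thread): this Debian box routes between three
# interfaces; hosts are placeholders. Only FORWARD is shown; the box's own INPUT
# rules belong in the same file, since iptables-restore replaces the whole table.
EXT=eth0; DMZ=eth1; PCI=eth2          # External, DMZ and PCI zone interfaces
DMZ_WEB=10.1.0.10; PCI_APP=10.2.0.10  # DMZ web tier -> PCI application host
PCI_LOG=10.1.0.20                     # syslog collector the PCI zone may talk to
# Ruleset for iptables-restore: FORWARD defaults to DROP, one chain per zone pair,
# a short whitelist, everything else logged (rate-limited) and dropped.
pci_ruleset() {
cat <<EOF
*filter
:FORWARD DROP [0:0]
:EXT-PCI - [0:0]
:DMZ-PCI - [0:0]
:PCI-OUT - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $EXT -o $PCI -j EXT-PCI
-A FORWARD -i $DMZ -o $PCI -j DMZ-PCI
-A FORWARD -i $PCI -j PCI-OUT
-A EXT-PCI -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
-A EXT-PCI -p udp -m multiport --dports 135,137,138,139,445 -j DROP
-A EXT-PCI -m limit --limit 5/min -j LOG --log-prefix "EXT>PCI drop: "
-A EXT-PCI -j DROP
-A DMZ-PCI -p tcp -s $DMZ_WEB -d $PCI_APP --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A DMZ-PCI -m limit --limit 5/min -j LOG --log-prefix "DMZ>PCI drop: "
-A DMZ-PCI -j DROP
-A PCI-OUT -o $DMZ -p udp -d $PCI_LOG --dport 514 -j ACCEPT
-A PCI-OUT -m limit --limit 5/min -j LOG --log-prefix "PCI>out drop: "
-A PCI-OUT -j DROP
COMMIT
EOF
}
# Ports the policy list forbids into PCI (ftp, telnet, smtp, dns, tftp, finger,
# http, sunrpc, ms-rpc, netbios, ms-ds, r-services, mssql, nfs, x11).
FORBIDDEN='20|21|23|25|53|69|79|80|111|135|137|138|139|445|512|513|514|1433|2049|6000'
# Reads a ruleset on stdin; fails unless every zone chain ends in DROP and no
# ACCEPT into PCI opens a forbidden port (single --dport or multiport --dports).
audit_ruleset() {
  rules=$(cat)
  for chain in EXT-PCI DMZ-PCI PCI-OUT; do
    case "$(printf '%s\n' "$rules" | grep "^-A $chain " | tail -n 1)" in
      *"-j DROP") ;;
      *) echo "audit: chain $chain is not default-deny" >&2; return 1 ;;
    esac
  done
  if printf '%s\n' "$rules" | grep -E '^-A (EXT|DMZ)-PCI .*-j ACCEPT' |
     grep -Eq -e "--dports? ([0-9]+,)*($FORBIDDEN)(,| |$)"; then
    echo "audit: an ACCEPT rule opens a forbidden port into PCI" >&2; return 1
  fi
}
# Apply only when asked explicitly (needs root): sh pci-fw.sh apply
if [ "${1:-}" = "apply" ]; then pci_ruleset | audit_ruleset && pci_ruleset | iptables-restore; fi
```

The explicit DROP lines for the Windows ports in EXT-PCI are redundant with the chain's final DROP; they exist only so that NetBIOS and SMB noise does not fill the log.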