Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm using gShield to generate an IPTables firewall on my Linux box. Unfortunately, even though the specific ports are blocked, I can still access the daemons on my server remotely...
i.e.: I have an SSH server running. I am blocking port 22. A port scan shows port 22 is open and I can connect to the SSH server.
I thought it was because I ran the firewall before I activated the daemons, but then I ran the script (which flushed all the rules and made new ones) after they were all up and running and it made no difference...
The ssh was just an example... And to prove that my firewall is not working.
I did a port scan and found a bunch of ports open by services that I never used (but I have never heard of them so I didn't know how to turn them off). I tried rebooting and then starting the firewall and when that didn't work, I just blocked the ssh port to see what would happen...
I took no offense. You are trying to help, why would I complain?
As far as I know the iptables service is turned on. I mean, nothing is shown at bootup that displays iptables, but if all this is being spit out by iptables, something must be working, right???
Quote:
Originally posted by bfloeagle
As far as I know the iptables service is turned on. I mean, nothing is shown at bootup that displays iptables, but if all this is being spit out by iptables, something must be working, right???

Well, I think you have the rules loaded here but the service itself is not running. I see you're doing this on Debian so I'm not sure about this, but I think you should try:
I don't think anything in that firewall is actually blocking ssh. The only references I see to ssh send the packets to either the PUBLIC or OPENPORT tables, both of which just accept everything. I'm not familiar with gShield, but it looks to me like it isn't doing the trick.
If iptables appears to be running, you could try inserting a rule that would specifically block port 22:
iptables -I INPUT 1 -p tcp --dport 22 -j DROP
That inserts a rule at the first position of the INPUT table (so it can't be missed) and should block all access to port 22. If that rule blocks ssh, then you need to revisit what gShield is doing.
Well you jump here to the OPENPORT chain and in the OPENPORT chain you allow EVERYTHING. So this is the first problem.
Quote:
Chain STATEFUL (2 references)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere     state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere    anywhere     state NEW
DROPnLOG   all  --  anywhere    anywhere
You want to accept EVERYTHING? Well, your last INPUT chain rule jumps to the STATEFUL chain, and there you accept everything (NEW). You do NOT need that. All you need is ESTABLISHED here; anything else is not required. Kick off RELATED and NEW.
I did not fully check your firewall since this is very time-consuming. I just noticed these 2 things. I'm running a pretty nailed-down firewall. My firewall script:
Code:
#!/bin/sh
# /------------------------------------------------------------------\
# | netfilter firewall for Linux 2.4+ built by Markus Welsch         |
# |                                                                  |
# |                                                                  |
# | This firewall is not intended to be used by newbies. I give no   |
# | warranty of any kind that using it protects your box.            |
# | Personally I suggest using an OpenBSD box as firewall :-)        |
# |                                                                  |
# | If you agree to all of the above and also dislike M$ you may     |
# | continue reading. Have fun ;-)                                   |
# \------------------------------------------------------------------/
# --------------------------------------------------------------------
# 1. definitions
# --------------------------------------------------------------------
IPTABLES="/sbin/iptables"
LOG_LEVEL="notice"
LOOPBACK_IF="lo"
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# 2. removing current rulesets
# --------------------------------------------------------------------
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -X
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# 3. enforcing default policy as drop
# --------------------------------------------------------------------
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# 4. setting up user-defined chains
# --------------------------------------------------------------------
# 4.1 - LOG_DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N LOG_DROP
$IPTABLES -F LOG_DROP
$IPTABLES -A LOG_DROP -m limit --limit 5/minute \
-j LOG --log-level $LOG_LEVEL
$IPTABLES -A LOG_DROP -j DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 4.2 - CHECK_ICMP_ACCESS
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N CHECK_ICMP_ACCESS
$IPTABLES -F CHECK_ICMP_ACCESS
$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type echo-reply -j ACCEPT
$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type time-exceeded -j ACCEPT
$IPTABLES -A CHECK_ICMP_ACCESS -j DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 4.3 - CHECK_PROBES
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N CHECK_PROBES
$IPTABLES -F CHECK_PROBES
# os fingerprinting
$IPTABLES -A CHECK_PROBES -p tcp -s 0.0.0.0 --dport 0 \
-j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp -s 0.0.0.0 --dport 0 \
-j LOG_DROP
# tcpmux scanning
$IPTABLES -A CHECK_PROBES -p tcp --dport 1 -j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp --dport 1 -j LOG_DROP
# sscan
$IPTABLES -A CHECK_PROBES -p tcp -m multiport \
--sports 1,2,3,4,5 -j LOG_DROP
# sysstat scan
$IPTABLES -A CHECK_PROBES -p tcp --dport 11 -j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp --dport 11 -j LOG_DROP
# finger scan
$IPTABLES -A CHECK_PROBES -p tcp --dport 79 -j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp --dport 79 -j LOG_DROP
# linuxconf scan
$IPTABLES -A CHECK_PROBES -p tcp --dport 98 -j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp --dport 98 -j LOG_DROP
# mountd scan
$IPTABLES -A CHECK_PROBES -p tcp --dport 635 -j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp --dport 635 -j LOG_DROP
# proxy scan
$IPTABLES -A CHECK_PROBES -p tcp --dport 1080 -j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp --dport 1080 -j LOG_DROP
# proxy scan
$IPTABLES -A CHECK_PROBES -p tcp --dport 3128 -j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp --dport 3128 -j LOG_DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 4.4 - CHECK_TCP_FLAGS
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N CHECK_TCP_FLAGS
$IPTABLES -F CHECK_TCP_FLAGS
# stealth FIN scan
$IPTABLES -A CHECK_TCP_FLAGS -p tcp --tcp-flags ALL FIN \
-j LOG_DROP
# stealth NULL scan
$IPTABLES -A CHECK_TCP_FLAGS -p tcp --tcp-flags ALL NONE \
-j LOG_DROP
# stealth SYN/FIN (probably)
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags SYN,FIN SYN,FIN -j LOG_DROP
# stealth SYN/RST scan
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags SYN,RST SYN,RST -j LOG_DROP
# stealth xmas-scan
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL FIN,URG,PSH -j LOG_DROP
# stealth xmas-all-scan
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL ALL -j LOG_DROP
# stealth xmas-PSH-scan
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 4.5 - EXTERNAL_SERVICES_INPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N EXTERNAL_SERVICES_INPUT
$IPTABLES -F EXTERNAL_SERVICES_INPUT
# SSH
$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
--dport 22 -j ACCEPT
$IPTABLES -A EXTERNAL_SERVICES_INPUT -p udp \
--dport 22 -j ACCEPT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# 5. setting up base chains
# --------------------------------------------------------------------
# 5.1 - INPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -A INPUT -i $LOOPBACK_IF -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p icmp -j CHECK_ICMP_ACCESS
$IPTABLES -A INPUT -p tcp -j CHECK_TCP_FLAGS
$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -j EXTERNAL_SERVICES_INPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 5.2 - FORWARD
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 5.3 - OUTPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# negation goes before the option ("! --state"); the older "--state ! INVALID"
# form is deprecated and rejected by newer iptables releases
$IPTABLES -A OUTPUT -m state ! --state INVALID -j ACCEPT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# --------------------------------------------------------------------
Note: I've SSH open though (I use public key authentication with 2048 bit ... that's secure IMHO). I have 1 ethernet interface only, but it shouldn't be that much of a problem converting it to 2 interfaces. I will need to do that also soon BTW ...
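The two diagnoses in this thread (the port-22 rule jumps to a chain that accepts everything, and STATEFUL accepts state NEW so the last INPUT rule lets every new connection in) and the suggested probe (`iptables -I INPUT 1 -p tcp --dport 22 -j DROP`) can be checked without touching a live box by tracing a packet through the chains. The following is an added example, not gShield's code and not the firewall script posted above. It models only the parts of iptables the thread relies on: chain jumps with implicit RETURN, protocol, destination-port and conntrack-state matches, and built-in chain policies. The thread quotes only the STATEFUL chain, so the `GSHIELD`, `FIXED` and `with_probe_rule` definitions are constructed approximations of the listing being discussed, not the OP's actual ruleset.

```python
"""Trace a packet through a simplified iptables filter ruleset.

Added example for this thread; not gShield's code and not the posted
firewall script. It models only what the thread's diagnosis needs.
"""
import copy
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Rule:
    target: str                        # ACCEPT, DROP, RETURN or a user chain
    proto: Optional[str] = None        # "tcp", "udp", "icmp"; None matches all
    dport: Optional[int] = None        # destination port; None matches any
    states: Optional[Set[str]] = None  # conntrack states; None = no state match


@dataclass
class Packet:
    proto: str
    dport: int
    state: str                         # NEW, ESTABLISHED, RELATED or INVALID


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every match the rule specifies holds for the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def evaluate(chains, policies, pkt, chain="INPUT", trace=None, depth=0):
    """Walk `chain` as iptables would and return (verdict, trace).

    verdict is None only when a user-defined chain is exhausted, which
    iptables treats as an implicit RETURN to the calling chain.
    """
    trace = [] if trace is None else trace
    if depth > 32:
        raise RuntimeError("chain recursion too deep (loop?)")
    for idx, rule in enumerate(chains.get(chain, []), start=1):
        if not matches(rule, pkt):
            continue
        trace.append(f"{chain}:{idx} -> {rule.target}")
        if rule.target in TERMINAL:
            return rule.target, trace
        if rule.target == "RETURN":
            break
        # jump into a user chain; fall through to the next rule if it returns
        sub, _ = evaluate(chains, policies, pkt, rule.target, trace, depth + 1)
        if sub is not None:
            return sub, trace
    if chain in policies:                      # built-in chain: policy applies
        trace.append(f"{chain}: policy {policies[chain]}")
        return policies[chain], trace
    return None, trace                         # user chain: implicit RETURN


def verdict(chains, policies, proto, dport, state):
    return evaluate(chains, policies, Packet(proto, dport, state))[0]


# Constructed approximation of the gShield listing discussed in the thread:
# only STATEFUL is quoted there, so INPUT and OPENPORT are assumptions that
# reproduce the behaviour the replies describe.
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"}
GSHIELD = {
    "INPUT": [Rule("OPENPORT", proto="tcp", dport=22),  # ssh sent to OPENPORT
              Rule("STATEFUL")],                       # last INPUT rule
    "OPENPORT": [Rule("ACCEPT")],                      # accepts everything
    "STATEFUL": [Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
                 Rule("ACCEPT", states={"NEW"}),
                 Rule("DROPnLOG")],
    "DROPnLOG": [Rule("DROP")],
}

# Same layout with the thread's two fixes applied: no accept-all chain for
# port 22, and STATEFUL accepting ESTABLISHED only.
FIXED = {
    "INPUT": [Rule("STATEFUL")],
    "STATEFUL": [Rule("ACCEPT", states={"ESTABLISHED"}),
                 Rule("DROPnLOG")],
    "DROPnLOG": [Rule("DROP")],
}


def with_probe_rule(chains):
    """Model `iptables -I INPUT 1 -p tcp --dport 22 -j DROP` from the thread."""
    probed = copy.deepcopy(chains)
    probed["INPUT"].insert(0, Rule("DROP", proto="tcp", dport=22))
    return probed


if __name__ == "__main__":
    for name, ruleset in (("gShield", GSHIELD),
                          ("gShield+probe", with_probe_rule(GSHIELD)),
                          ("fixed", FIXED)):
        for pkt in (Packet("tcp", 22, "NEW"), Packet("tcp", 9999, "NEW"),
                    Packet("tcp", 22, "ESTABLISHED")):
            v, path = evaluate(ruleset, POLICY, pkt)
            print(f"{name:14} {pkt.proto}/{pkt.dport:<5} {pkt.state:12} {v:7} via {' / '.join(path)}")
```

Running it shows why the port scan still found 22 open: a new TCP connection to port 22 reaches `OPENPORT:1 -> ACCEPT`, and a new connection to any other port is accepted by `STATEFUL:2` before the INPUT policy is ever consulted. With the probe rule at position 1 the verdict for port 22 flips to DROP while other ports are unchanged, which is exactly the test proposed above; with the fixes applied, only ESTABLISHED traffic gets through and everything new lands in DROPnLOG.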