LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-08-2004, 11:18 PM   #1
Tyir
Member
 
Registered: Sep 2003
Distribution: Slackware 9.1 with fluxbox
Posts: 259

Rep: Reputation: 30
Is this an ok firewall?


OK, so to set up ssh, I had to get a new firewall.
I found this script on the net.
Is this good enough? It seems pretty simple, but I don't really know if that's a good thing or a bad thing...
I basically just need basic internet stuff and ssh, no mail/web server etc.

Code:
#!/bin/bash
# main code is from Ziegler's book "Linux Firewalls":
# "optimized code for stand-alone firewall"
#
# modified from our gateway firewall script to use it only on stand-alone Linux hosts
# OUTPUT chain has default policy "accept".
# So all the rules below are about allowing some input ports.
# First Date: Oct. 11th, 2002
#
# Note: several lines of the posted copy were cut off at the right margin
# (they ended in "$"). The four truncated rules at the end are completed
# with the target their own comment calls for (-j ACCEPT, and
# --reject-with tcp-reset for the AUTH reject, the usual choice so a remote
# mail server's ident probe fails at once instead of timing out); the two
# truncated comments are marked with "...".
#################################################################
# Load Modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_filter

EXT_IF="eth0"                       # network interface to the external: 128...
LOOPBACK_INTERFACE="lo"             # however your system names it
EXT_IPADDR="192.168.1.166"          # statically allocated IP address
CLASS_A="10.0.0.0/8"                # class A private networks
CLASS_B="172.16.0.0/12"             # class B private networks
CLASS_C="192.168.0.0/16"            # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"     # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"  # class E reserved addresses
BROADCAST_SRC="0.0.0.0"             # broadcast source address
BROADCAST_DEST="255.255.255.255"    # broadcast destination address
PRIVPORTS="0:1023"                  # well-known, privileged port range
UNPRIVPORTS="1024:65535"            # unprivileged port range
IMAP4SSL_PORT="993"

###############################################################
# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable source-routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done
# Enable TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
done
# Don't send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > "$f"
done
# Drop spoofed packets coming in on an interface which, if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
# Do not log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 0 > "$f"
done
###############################################################

# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# Unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Set the default policy to drop
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP

iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy OUTPUT ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t mangle --policy PREROUTING ACCEPT
iptables -t mangle --policy OUTPUT ACCEPT

# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
###############################################################
# Using connection state to bypass rule checking

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

###############################################################
# Stealth scans and TCP state flags
# All of the bits are cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Contradictory or otherwise impossible flag combinations
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN, PSH or URG without ACK never occur in a legitimate connection
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
###############################################################
# Source address spoofing and other bad addresses
# (old-style negation; current iptables writes this as "! -s" / "! -p")
iptables -A OUTPUT -s ! $EXT_IPADDR -j DROP
iptables -A INPUT -p ! udp -d $CLASS_D_MULTICAST -j DROP
##############################################################
# ICMP control and status messages
# allow incoming pings from anywhere
iptables -A INPUT -p icmp --icmp-type echo-request -d $EXT_IPADDR \
    -m state --state NEW -j ACCEPT
# Drop initial ICMP fragments
iptables -A INPUT -p icmp --fragment -j DROP
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT

# Intermediate traceroute responses
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

###############################################################
# Accept the following input requests and ports               #
###############################################################
# reject outside AUTH request.
iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport 113 -j REJECT --reject-with tcp-reset
###############################################################
# Accept SMTP, IMAPS from outside.
iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport $IMAP4SSL_PORT -m state --state NEW -j ACCEPT
###############################################################
# accept outside ssh (TCP Port 22)
iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport 22 -m state --state NEW -j ACCEPT

EDIT:
I did a web port scan, and they found that port 22 is OPEN, but this is necessary, and can't be hidden (I learned this from the thread about it on this page).
But ssh is very secure, right, so I shouldn't have to worry? Oh, and when I got my friend to ssh in, he had the option of a basic or encrypted pass; can I remove the basic option? And I'm guessing that would be in sshd_config, I will go look around in there...

Last edited by Tyir; 02-08-2004 at 11:22 PM.
 
Old 02-08-2004, 11:22 PM   #2
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 67
Ya, that is pretty good. If you don't run an SMTP or IMAPS server you don't need those lines in there. Basically the only things it'll let in currently are ssh, SMTP, and IMAPS, though, and it shouldn't reply to port scanning.
 
Old 02-08-2004, 11:27 PM   #3
Tyir
Member
 
Registered: Sep 2003
Distribution: Slackware 9.1 with fluxbox
Posts: 259

Original Poster
Rep: Reputation: 30
SMTP is only if I want it to be a mail server, right? Which I don't....

So I will get rid of those lines...

Also, does ./rc.firewall start|stop work?

Otherwise, how would I turn it off (if I wanted to)?
 
Old 02-08-2004, 11:31 PM   #4
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 67
The following 3 commands should turn everything off.
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
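Tyir asks above whether `./rc.firewall start|stop` works, and on this ruleset a stop routine needs one step beyond a flush: `iptables --flush` deletes the rules but leaves the chain policies alone, and the posted script sets INPUT and FORWARD to DROP, so once the ESTABLISHED,RELATED rule is flushed every inbound packet hits that policy, the ssh session typing the command included. The wrapper below is an added example, not code from the thread or from Ziegler's book. `IPTABLES` and `RULES_SCRIPT` are names assumed for this example (the posted rules are assumed to be saved in a separate file), and setting `IPTABLES=echo` makes it print the commands instead of running them. Slackware's rc.inet2 runs an executable /etc/rc.d/rc.firewall at boot, which is where a wrapper like this would live.

```shell
#!/bin/sh
# Added example, not from the thread: start|stop wrapper around the posted rules.
# IPTABLES and RULES_SCRIPT are assumed names; IPTABLES=echo dry-runs the commands.
IPTABLES=${IPTABLES:-iptables}
RULES_SCRIPT=${RULES_SCRIPT:-/etc/rc.d/rc.firewall.rules}   # assumed location of the posted script

fw_stop() {
    # Open the built-in chains FIRST. A flush on its own keeps the policies the
    # script set (INPUT/FORWARD DROP), and with the ESTABLISHED,RELATED rule gone
    # every inbound packet would then be dropped, the current ssh session included.
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -P "$chain" ACCEPT
    done
    for table in filter nat mangle; do
        $IPTABLES -t "$table" -F     # delete all rules in the table
        $IPTABLES -t "$table" -X     # delete user-defined chains in the table
    done
}

fw_start() {
    # load the rules; the posted script already flushes before adding its rules
    sh "$RULES_SCRIPT"
}

fw_status() {
    $IPTABLES -t filter -L -n -v    # policies, rules and packet counters
}

case ${1:-} in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop && fw_start ;;
    status)  fw_status ;;
    *)       : ;;   # no argument: only define the functions (for sourcing)
esac
```

`fw_status` is the quickest way to confirm that `start` actually left INPUT at policy DROP and that the counters on the ssh ACCEPT rule move when a connection comes in.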
 
Old 02-08-2004, 11:56 PM   #5
Tyir
Member
 
Registered: Sep 2003
Distribution: Slackware 9.1 with fluxbox
Posts: 259

Original Poster
Rep: Reputation: 30
Alright, I ran nmap..
Code:
Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2004-02-09 00:51 EST
Interesting ports on localhost (127.0.0.1):
(The 1647 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
37/tcp   open  time
79/tcp   open  finger
113/tcp  open  auth
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
901/tcp  open  samba-swat
6000/tcp open  X11
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 0.039 days (since Sun Feb  8 23:56:19 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 6.741 seconds
I'm worried about ftp and X11... should I change the script?
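A scan like the one above is only a useful check of the firewall when it is run from another host against the NIC's address (a scan of localhost goes over the loopback interface, which the script accepts unconditionally). Once it is, the question is simply which "open" ports are not on the list the rules are meant to allow (22, plus 25 and 993 if those rules are kept). The function below is an added example, not code from the thread: it reads nmap's normal output on stdin and prints the open TCP ports missing from the allow-list given as arguments, returning non-zero if there are any. `SAMPLE_SCAN` is constructed from the output posted above for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: compare an nmap scan against the ports
# the firewall is meant to allow. Reads nmap normal output on stdin; prints
# every TCP port reported "open" that is not in the allow-list passed as
# arguments, and returns 1 if any were found (0 if the scan looks as expected).
unexpected_open_ports() {
    awk -v allowed="$*" '
        BEGIN { split(allowed, a, " "); for (i in a) ok[a[i]] = 1 }
        # port table lines look like:  22/tcp   open  ssh
        $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
            split($1, p, "/")
            if (!(p[1] in ok)) out = (out == "" ? p[1] : out " " p[1])
        }
        END { if (out != "") { print out; exit 1 } exit 0 }
    '
}

# Constructed sample: a trimmed copy of the port table posted above.
SAMPLE_SCAN='PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
37/tcp   open  time
6000/tcp open  X11'

# Real use, from another host:  nmap 192.168.1.166 | unexpected_open_ports 22
# Demo on the constructed sample:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SCAN" | unexpected_open_ports 22
fi
```

Against the sample with only 22 allowed this prints `21 37 6000`; the point is that with a correct external scan of a DROP-policy firewall, the function should print nothing at all, because unsolicited ports show as filtered rather than open.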
 
Old 02-09-2004, 12:00 AM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
By the way, I wouldn't disable logging martians. You want to know if some device on your network has a wrong IP address (or is trying to spoof an address, perhaps as part of a DoS attack on some remote host). You also want to know if a packet is trying to spoof its way in from outside your firewall.

SSH is only as secure as the daemon that's running it. What version of OpenSSH are you running, and do you know if you've updated it since you installed the system? If you haven't installed at least one update for OpenSSH, chances are it's vulnerable.
 
Old 02-09-2004, 12:02 AM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Your firewall isn't protecting your loopback adaptor (which is what you ran nmap against). Try running the scan from outside your box (maybe from another box on your network?).

Edit: Oh, I should clarify that... your loopback adaptor is only available to the machine itself, not to the outside world. If you're firewalling your network card, then no one else can connect to your loopback adaptor. You need to run nmap against your NIC's IP, not against localhost (localhost will resolve to the loopback).

Last edited by chort; 02-09-2004 at 12:03 AM.
 
Old 02-09-2004, 01:16 AM   #8
Tyir
Member
 
Registered: Sep 2003
Distribution: Slackware 9.1 with fluxbox
Posts: 259

Original Poster
Rep: Reputation: 30
So I should nmap my ISP's IP then?

Logging martians? What?


I can't find where my firewall puts its logs, by the way....

02:14:26-~:ssh -V
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003

Also:
scp doesn't seem to work (?)
but sftp does, so if I use sftp to copy files, I guess I need that port open, eh?
 
Old 02-09-2004, 03:21 AM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
In /etc/ssh/sshd_config, change the line that says either
Protocol 2,1
or
#Protocol 2,1

to:
Protocol 2
(don't forget to start and stop sshd after you save this change)

The reason is that SSHv1 has a number of flaws which, although mostly mitigated by workarounds in OpenSSH, still leave it not entirely safe.

You must be using scp incorrectly, because it will work as long as normal ssh does. Recheck your syntax to make sure you're doing it right. Also, make sure you're scp'ing in the correct direction. You can't open an scp connection to a host that is not running an ssh daemon.

As for the martians, I'm referring to this section:
Code:
# Do not log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 0 > $f
done
Personally, I would take it out. Leaving it in will let you know when something weird is going on and you're getting traffic from IPs that, in theory, you should not be able to get traffic from. This would indicate either spoofing, or a local device that is misconfigured. In either case, I think you would want to know about that.

Edit: Oh, and to get the correct IP address to scan, do
ifconfig eth0
and look for the address. That is the one you want to nmap. It may or may not work if you do it from the same machine, though (depending on how iptables and your NIC driver handle that sort of thing). The best solution would be to use another computer to nmap it.

Last edited by chort; 02-09-2004 at 03:24 AM.
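The sshd_config edit chort describes has three starting states to handle: an active `Protocol 2,1`, the commented-out `#Protocol 2,1` that ships in the stock file (the compiled-in default of that era was also 2,1, so a commented line still means v1 is offered), or no Protocol line at all. The function below is an added example, not code from the post: it rewrites the first Protocol line, active or commented, to `Protocol 2`, drops any later duplicates, and appends the line when none exists, so running it twice is harmless. The file path argument is an assumption for this example; it defaults to /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the thread: force SSH protocol 2 only in an
# sshd_config, handling "Protocol 2,1", "#Protocol 2,1" and a missing line.
# Argument: path of the config file (assumed; default /etc/ssh/sshd_config).
set_protocol2() {
    cfg=${1:-/etc/ssh/sshd_config}
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*#?[ \t]*Protocol[ \t]/ {
            # first Protocol line, active or commented, becomes the v2-only
            # setting; later ones are dropped so sshd sees exactly one
            if (!done) { print "Protocol 2"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Protocol 2" }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps the original owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# active_protocol FILE : print the Protocol value sshd would read from FILE
# (prints nothing when the line is absent, i.e. the compiled-in default applies)
active_protocol() {
    awk '$1 == "Protocol" { print $2; exit }' "${1:-/etc/ssh/sshd_config}"
}
```

After the change, `sshd -t` syntax-checks the file, and on Slackware `/etc/rc.d/rc.sshd restart` does the stop and start chort mentions; `active_protocol` should then print `2`, and a client run with `ssh -1` must be refused.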
 
  

