Old 04-25-2003, 04:24 PM   #1
Ciccio
setting up a safe and secure server/router


Ok... here is the situation:

I just got my public/valid IP... it's NATted, but it works fine. Now, I'm a little worried about security... I have a SIMPLE firewall that I will add in another post so it's easier to isolate. I was wondering if you could help me make it a secure server again... I'm going to run an httpd (last Apache version) and a sendmail (last version also)... aside from that it's a router for my home network and it has sshd running all the time...

I also wanted to use ssh from other locations, not just from my internal network... but I don't want ROOT to log in (in case there is some scanner/sniffer watching me). Also I wanted to completely avoid the use of telnet and set up an FTP server but just 'sharing' /pub. and /home and I wanted to disable samba for the internet but not for the internal network...

I think that covers it... I'm posting the configuration script of my firewall next.
 
Old 04-25-2003, 04:26 PM   #2
Ciccio
HERE IT IS.

Code:
#!/bin/bash
echo "## -- Iniciando Script de Firewall -- ##"

# Start from a clean table so re-running the script does not append duplicate
# rules or fail on chains that already exist (not in the posted version)
iptables -F
iptables -X
iptables -t nat -F

# Masquerade from internal net (192.168.23.0/24) to external net (eth1)
iptables -P FORWARD DROP
iptables -A POSTROUTING -t nat -o eth1 -s 192.168.23.0/24 -j SNAT --to-source 192.168.23.103
iptables -A FORWARD ! -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "      #---Creating Accept Chains---#"
iptables -P INPUT DROP

# Loopback: with a DROP policy, local daemons (sendmail, the resolver) cannot talk
# to each other without this rule; it was missing from the posted version
iptables -A INPUT -i lo -j ACCEPT

#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
iptables -N TCPACCEPT
iptables -A TCPACCEPT -p tcp --syn -m limit --limit 5/s --limit-burst 10 -j ACCEPT
iptables -A TCPACCEPT -p tcp ! --syn -j ACCEPT

#inbound ICMP
iptables -N ICMPACCEPT
iptables -A ICMPACCEPT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ICMPACCEPT -p icmp --icmp-type destination-unreachable -j ACCEPT

#Kill invalid packets (Not established, related or new)
iptables -A INPUT -m state --state INVALID -j DROP

#Packets from internal net (no -i restriction, so matched on any interface;
# the single-host rule is already covered by the /24 rule below it)
iptables -A INPUT -s 192.168.23.114 -j ACCEPT
iptables -A INPUT -s 192.168.23.0/24 -j ACCEPT

echo "      #---Packets from EXTERNAL net---#"
iptables -A INPUT -s 10.129.2.155 -j ACCEPT

#Filter ICMP
iptables -A INPUT -i eth1 -p icmp -j ICMPACCEPT

#silently reject ident
iptables -A INPUT -i eth1 -p tcp --dport 113 -j REJECT --reject-with tcp-reset

echo "      #---Enabling Public Services---#"
#ftp-data
#iptables -A INPUT -i eth1 -p tcp --dport 20 -j TCPACCEPT

#ftp
#iptables -A INPUT -i eth1 -p tcp --dport 21 -j TCPACCEPT

#ssh
iptables -A INPUT -i eth1 -p tcp --dport 22 -j TCPACCEPT

#telnet
#iptables -A INPUT -i eth1 -p tcp --dport 23 -j TCPACCEPT

#smtp
#iptables -A INPUT -i eth1 -p tcp --dport 25 -j TCPACCEPT

#DNS
iptables -A INPUT -i eth1 -p tcp --dport 53 -j TCPACCEPT
iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT

#HTTP
iptables -A INPUT -i eth1 -p tcp --dport 80 -j TCPACCEPT

#HTTPS
iptables -A INPUT -i eth1 -p tcp --dport 443 -j TCPACCEPT

#POP3 (the posted line had a single-dash -dport, which iptables rejects)
#iptables -A INPUT -i eth1 -p tcp --dport 110 -j TCPACCEPT

echo "      #---Allowing established, related connections in---#"

iptables -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
iptables -A INPUT -i eth1 -p udp --dport 1024:65535 -m state --state RELATED -j ACCEPT
echo "## -- Script Loaded -- ##"
exit

Old 04-25-2003, 10:38 PM   #3
Crashed_Again
Re: setting up a safe and secure server/router

Quote:
Originally posted by Ciccio
I'm going to run an httpd (Last apache version) and a sendmail (last version also)... aside that It's a router for my home network and it has sshd running all the time...

I also wanted to use ssh from other locations, not just from my internal network... but I don't want ROOT to log in (in case there is some scanner/sniffer watching me). Also I wanted to completely avoid the use of telnet and set an FTP server but just 'sharing' /pub. and /home and I wanted to disable samba for internet but not for the internal network...

I think that covers it... I'm posting the configuration script of my firewall next.
Well, you have a lot going on there. Here's my opinion (which is debatable).

First off, if you're not going to use a service then shut it off. I think everyone will agree on that.

If you're going to use a service such as ssh for personal use only, try to limit access to it. This can be done in a number of ways (i.e. firewall, tcpwrappers). You can disable root access to ssh in the /etc/ssh/sshd_config file (PermitRootLogin no).

Depending on what FTP program you are using, you will be able to edit the configuration file to specify what directory to use.

SAMBA can be limited to your network via tcpwrappers and a firewall.

Yeah um... that's it.
 
Old 04-25-2003, 10:46 PM   #4
Ciccio
I'm running SAMBA as standalone... though my IPTABLES config avoids access to its ports...

ssh is set up so root can't access (I remembered later... but I have done that before on another server). About the FTP... I think (I'm pretty sure) it's wu-ftpd...

the problem is the firewall... I think it's pretty weak... and the ssh server doesn't make it any stronger... in fact it's a big target for brute force attacks... I've already implemented a secure password (alphanumeric, above 16 chars)... but, as any password, it's not unbreakable...

about bugs... well, I don't care... I have both local and remote copies of every file in the FTP and HTTP directories so I can put them back as often as necessary... if anyone finds a way to crack my site/server...

anyway... I'm still a little worried about it... any tips??
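A worked version of the two tips above (limit ssh access, keep Samba on the LAN only) and of the brute-force worry in post #4, added here as an example and not Ciccio's script or anything else from the thread: Samba ports are accepted only from the LAN on the internal interface, new SSH connections arriving on eth1 go through a rate-limited chain, and a helper checks an sshd_config for PermitRootLogin no. eth1 and 192.168.23.0/24 follow the posted script; the internal interface name eth0, the limit values and the SSHLIMIT chain name are assumptions.

```shell
#!/bin/sh
# Added example, not the OP's script. eth1 and 192.168.23.0/24 come from the
# posted firewall; the internal interface eth0 is an assumption.
# Dry run by default (prints the rules); run as root with IPTABLES=iptables to apply.
: "${IPTABLES:=echo iptables}"
IN_IF=eth0
EXT_IF=eth1
LAN=192.168.23.0/24

# Samba ports (NetBIOS name/datagram, session, CIFS) accepted only from the LAN
# on the internal interface and explicitly dropped on the external one, so a
# later broad rule cannot reopen them from the Internet.
samba_rules() {
    $IPTABLES -A INPUT -i "$IN_IF" -s "$LAN" -p udp -m multiport --dports 137,138 -j ACCEPT
    $IPTABLES -A INPUT -i "$IN_IF" -s "$LAN" -p tcp -m multiport --dports 139,445 -j ACCEPT
    $IPTABLES -A INPUT -i "$EXT_IF" -p udp -m multiport --dports 137,138 -j DROP
    $IPTABLES -A INPUT -i "$EXT_IF" -p tcp -m multiport --dports 139,445 -j DROP
}

# New SSH connections from the Internet go through a rate-limited chain.
# -m limit is one shared bucket, not per source address: it slows a password
# guessing run down and logs the overflow, but also throttles your own logins
# while someone else is hammering the port.
ssh_rules() {
    $IPTABLES -N SSHLIMIT
    $IPTABLES -A SSHLIMIT -m limit --limit 3/min --limit-burst 5 -j ACCEPT
    $IPTABLES -A SSHLIMIT -j LOG --log-prefix "ssh-ratelimit: "
    $IPTABLES -A SSHLIMIT -j DROP
    $IPTABLES -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW -j SSHLIMIT
}

# Returns 0 when the given sshd_config disables root logins (PermitRootLogin no),
# the setting Crashed_Again points at; commented-out lines are ignored.
check_sshd_config() {
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$1"
}

samba_rules
ssh_rules
```

In the posted script the rule emitted by ssh_rules takes the place of the plain `--dport 22 -j TCPACCEPT` line; the existing ESTABLISHED rule still lets the later packets of an accepted session through.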
 
  

