Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
02-13-2007, 03:33 PM | #1
Member | Registered: Jul 2005 | Posts: 273
Do I need a firewall?
I think I need a firewall for my one server. But thinking about it, I'd like to ask a few questions first.
I only have 3 services out there that people can see running with nmap and nessus. Those being port 22, 80, 443.
All of these ports I want open and out there. Is there any real reason why I would want to put up a firewall anymore?
The only reason I can think of would be to just drop the other packets that will get eventually sent toward my server. Better safe than sorry I guess.
Any other reasons? Is it possible for attackers to launch attacks / exploits when there isn't any other listening ports and services?
May as well ask the final question. How do I write the file to use iptables to drop all but these 3 ports?
Many thanks to any insight you guys can give.
02-13-2007, 03:41 PM | #2
LQ Guru | Registered: Mar 2006 | Location: Sydney, Australia | Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD | Posts: 6,678
02-13-2007, 03:52 PM | #3
LQ Guru | Registered: Jan 2004 | Location: NJ, USA | Distribution: Slackware, Debian | Posts: 5,852
Quote:
Any other reasons? Is it possible for attackers to launch attacks / exploits when there isn't any other listening ports and services?
The short answer is no: if there is no listening service, there is no possibility for exploitation (beyond some sort of exploit in the actual TCP/IP stack).
So if you are running a machine that is only running one service, technically a firewall will not be blocking anything. But there is more to a firewall than simply blocking incoming traffic.
The firewall can also block outgoing traffic, to prevent any sort of trojan from being able to call out from your server. It can also be used to blacklist IPs that have been running port scans against your system, so that you can preemptively block out any possible attacks.
You can even set up your firewall to accept and slow down packets on all ports, so that if a person attempts a port scan, it will take an extremely long time and only return them with garbage data, saying that all ports are open.
Beyond that, you can also create separate security zones with different rules and policies. That is a bit out of the scope of what you are asking about here though.
So there is a lot you can do with an IPTables firewall beyond just closing off some ports. While they might not be high on your list of priorities, a truly secure system will combine all of these small features into a formidable barrier.
As for writing the firewall rules, you basically have two options. You can research online and write your own IPTables rules and create your own firewall script, or you can use software to create it for you, such as Firewall Builder, Firestarter, Guarddog, etc.
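As an added example (not code from anyone in this thread), here is one way to write the script the original poster asked for: default-deny inbound, only ports 22, 80 and 443 accepted, established flows kept alive, and everything else logged (rate-limited) before being dropped so that port scans become visible in syslog. It assumes a plain IPv4 iptables host with the conntrack match available; an IPv6 address would need the same rules via ip6tables.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny INPUT policy that
# opens only the three public TCP services and logs the rest.
# Usage: "apply" as root to load the rules, "show" to print the
# commands without touching the kernel.
IPT="${IPT:-iptables}"            # set IPT=echo for a dry run
OPEN_TCP="${OPEN_TCP:-22 80 443}" # the three ports the poster exposes

apply_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP     # anything not matched below is dropped
    $IPT -P FORWARD DROP   # this host does not route
    $IPT -P OUTPUT ACCEPT  # outbound filtering (post #3) can be added here later
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    for port in $OPEN_TCP; do
        $IPT -A INPUT -p tcp --dport "$port" --syn -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log, then drop, everything else; scans appear as "FW-DROP:" lines in syslog.
    $IPT -A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FW-DROP: "
    $IPT -A INPUT -j DROP
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  (IPT=echo; apply_rules) ;;
esac
```

Run it as `sh fw.sh show` first and read the output; the rules are not persistent across reboots by themselves, so hook the script into your distribution's init or use its iptables-save mechanism.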
02-13-2007, 04:01 PM | #4
Member | Registered: Jul 2005 | Posts: 273 | Original Poster
I've used Firewall Builder before with pretty good results. But then, I had a lot more services, and more reasons to keep people out.
I just wanted to learn how to do it myself, instead of depending on the software to do it.
02-13-2007, 04:16 PM | #5
Senior Member | Registered: Nov 2004 | Location: Texas | Distribution: RHEL, Scientific Linux, Debian, Fedora | Posts: 3,935
This is something of a philosophical question, IMO. Do you need a firewall in this situation? Perhaps not. I don't think running iptables/netfilter would hurt anything, though.
Also...
I have to question the wisdom of having sshd listening to the world on a web server. Even if you're not going to run a firewall, at least restrict access using pubkey authentication (and shut off other authentication forms) and tcp_wrappers.
02-13-2007, 04:24 PM | #6
Member | Registered: Jul 2005 | Posts: 273 | Original Poster
I agree about the ssh listening to the world. I don't like it myself. If I COULD, I'd like to set firewall rules to accept ssh connections from only certain IPs. But for now, until we get some static IPs for the few users who log in, we have to have it wide open.
I do have a very strict password policy: you have to change passwords every 30 days or you're locked out, and they have to be a minimum of 10 chars long, with a combination of numbers, special chars and upper / lower case. I only allow specified users to log in through ssh as well. Am I missing anything else on this one?
02-13-2007, 04:30 PM | #7
Senior Member | Registered: Nov 2004 | Location: Texas | Distribution: RHEL, Scientific Linux, Debian, Fedora | Posts: 3,935
The problem with any password authentication (even strong passwords that get changed at regular intervals) is that it's single-factor and can be attacked by brute force a lot more easily.
I really recommend going with pubkey authentication -- even if it means your users will need to carry around their private keys on a USB jump drive because they work from different machines.
A physical key + passphrase makes it a hell of a lot harder to get in. Script kiddies will pass you by and even a determined attacker will have a challenge.
There are lots of tutorials on the web for setting up pubkey authentication. If you're interested, search the forum for tips or (if you'd like) start a thread on that.
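Posts #5 and #7 recommend public-key-only ssh with other authentication forms shut off, and post #6 mentions restricting which users may log in. As an added example (not from anyone in the thread), the script below audits an sshd_config against that baseline. It relies on sshd using the first value it finds for a keyword; the defaults it assumes for unset keywords (password and challenge-response on, root login on) are the classic OpenSSH ones and are an assumption here.

```shell
#!/bin/sh
# Added example, not from the thread: check an sshd_config for the
# hardening the posts above recommend. Keywords are case-insensitive and
# sshd honours the FIRST occurrence, so that is the value reported.
CFG=""; RC=0

# Print the effective value of keyword $2 in file $1 (empty if unset).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }   # later lines only apply conditionally
        tolower($1) == key     { print $2; exit }' "$1"
}

# check KEYWORD WANT DEFAULT: compare the effective value against WANT,
# using DEFAULT (assumed OpenSSH default) when the keyword is unset.
check() {
    v=$(sshd_value "$CFG" "$1")
    if [ -z "$v" ]; then v="$3"; fi
    [ "$v" = "$2" ] || { echo "FAIL: $1 is '$v', want '$2'"; RC=1; }
}

# Return 0 when the file meets the baseline, 1 otherwise (one FAIL line each).
audit_sshd() {
    CFG="$1"; RC=0
    check PubkeyAuthentication yes yes
    check PasswordAuthentication no yes
    check ChallengeResponseAuthentication no yes
    check PermitRootLogin no yes
    [ -n "$(sshd_value "$CFG" AllowUsers)" ] || { echo "FAIL: no AllowUsers list"; RC=1; }
    return $RC
}

if [ $# -ge 1 ]; then audit_sshd "$1"; fi
```

Run it as `sh sshd-audit.sh /etc/ssh/sshd_config`; a commented-out `PasswordAuthentication no` is reported as a failure because sshd then falls back to the default.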
02-13-2007, 04:35 PM | #8
Member | Registered: Jul 2005 | Posts: 273 | Original Poster
Yea, that makes a lot of sense too. I'll look into that next.