LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-13-2007, 03:33 PM   #1
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Rep: Reputation: 31
Do I need a firewall?


I think I need a firewall for my one server. But thinking about it, I'd like to ask a few questions first.

I only have 3 services out there that people can see running with nmap and nessus. Those being port 22, 80, 443.

All of these ports I want open and out there. Is there any real reason why I would want to put up a firewall anymore?

The only reason I can think of would be to just drop the other packets that will get eventually sent toward my server. Better safe than sorry I guess.

Any other reasons? Is it possible for attackers to launch attacks / exploits when there isn't any other listening ports and services?

May as well ask the final question. How do I write the file to use iptables to drop all but these 3 ports?

Many thanks to any insight you guys can give.
 
Old 02-13-2007, 03:41 PM   #2
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Yes, and have a look at http://iptables-tutorial.frozentux.net/
 
Old 02-13-2007, 03:52 PM   #3
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 361Reputation: 361Reputation: 361Reputation: 361
Quote:
Any other reasons? Is it possible for attackers to launch attacks / exploits when there isn't any other listening ports and services?
The short answer is no, if there is no listening service, there is no possibility for exploitation (beyond some sort of exploit in the actual TCP/IP stack).

So if you are running a machine that is only running one service, technically a firewall will not be blocking anything. But there is more to a firewall then simply blocking incoming traffic.

The firewall can also block outgoing traffic, to prevent against any sort of trojan being able to call out from your server. It can also be used to blacklist IPs that have been running port scans against your system, so that you can preemptively block out any possible attacks.

You can even setup your firewall to accept and slowdown packets on all ports. So that if a person attempts a port scan, it will take an extremely long time and only return them with garbage data, saying that all ports are open.

Beyond that, you can also create separate security zones with different rules and policies. That is a bit out of the scope of what you are asking about here though.

So there is a lot you can do with an IPTables firewall beyond just closing off some ports. While they might not be high on your list of priorities, a truly secure system will combine all of these small features into a formidable barrier.

As for writing the firewall rules, you basically have two options. You can research online and write your own IPTables rules and create your own firewall script, or you can use software to create it for you. Software like Firewall Builder, Firestarter, Guarddog, etc.
 
Old 02-13-2007, 04:01 PM   #4
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
I've used firewall builder before with pretty good results. But then, I had a lot more services, and more reasons to keep people out.

I just wanted to learn how to do it myself , instead of depending on the software to do it.
 
Old 02-13-2007, 04:16 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
This is something of a philosophical question, IMO. Do you need a firewall in this situation? Perhaps not. I don't think running iptables/netfilter would hurt anything, though.

Also...

I have to question the wisdom of having sshd listening to the world on a web server. Even if you're not going to run a firewall, at least restrict access using pubkey authentication (and shut off other authentication forms) and tcp_wrappers.
 
Old 02-13-2007, 04:24 PM   #6
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
I agree about the ssh listening to the world. I don't like it myself. If I COULD, I'd like to set firewall rules to accept ssh connections from only certin IP's. But for now, until we get some static IP's for the few users who login, we have to have it wide open.

I do have a very strict password policy, that you have to change passwords every 30 days or your locked out, and they have to be minimum 10 chars long, with the combo of numbers, special chars upper / lower case. I only allow specified users to login thru ssh as well. Am I missing anything else on this one?
 
Old 02-13-2007, 04:30 PM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
The problem with any password authentication (even strong passwords that get changed at regular intervals) is that it's single-factor and can be attacked by brute force a lot more easily.

I really recommend going with pubkey authentication -- even if it means your users will need to carry around their private keys on a usb jump drive because they work from different machines.

A physical key + passphrase makes it a hell of a lot harder to get in. Script kiddies will pass you by and even a determined attacker will have a challenge.

There are lots of tutorials on the web for setting up pubkey authentication. If you're interested, search the forum for tips or (if you'd like) start a thread on that.
 
Old 02-13-2007, 04:35 PM   #8
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
Yea, that makes a lot of sense too. I'll look into that next.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
router billion 5102 has firewall and software firewall tests aus9 Linux - Security 6 12-31-2006 11:09 PM
using a router with firewall, local firewall waste? Michael_aust Linux - General 1 03-26-2006 09:02 AM
slackware's /etc/rc.d/rc.firewall equivalent ||| firewall script startup win32sux Debian 1 03-06-2004 10:15 PM
Firewall Builder sample firewall policy file ? (.xml) nuwanguy Linux - Networking 0 09-13-2003 01:32 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:32 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration