LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-16-2005, 07:33 PM   #16
Brian1

If you want to see what ports are open from the outside, use one of those firewall tester sites like http://www.hackerwatch.org/probe/ . If there is a cable/DSL firewall router between the machine and the service provider then this test will only test the router. If this is behind a router and you have more than one machine on the LAN side, use a port scanning tool on it to scan the Linux box.

But from what I see nothing is open except cups, so one can print to the local printer. It looks like the default iptables for FC*. You mention NFS but I do not see an open port 2049 for that in post #3.

But all in all, the more layers of security you can add, the stronger it will be.

Brian1
 
Old 10-16-2005, 08:39 PM   #17
DanielTan
Hi Brian, yes, in the first line of my service there is port 2049. How to add more layers?

Rgds
Daniel


Quote:
Originally posted by Brian1
If you want to see what ports are open from the outside, use one of those firewall tester sites like http://www.hackerwatch.org/probe/ . If there is a cable/DSL firewall router between the machine and the service provider then this test will only test the router. If this is behind a router and you have more than one machine on the LAN side, use a port scanning tool on it to scan the Linux box.

But from what I see nothing is open except cups, so one can print to the local printer. It looks like the default iptables for FC*. You mention NFS but I do not see an open port 2049 for that in post #3.

But all in all, the more layers of security you can add, the stronger it will be.

Brian1
 
Old 10-16-2005, 10:57 PM   #18
DanielTan
Brian, how do hackers print to my printer? Unless they know my IP and port scan?

Rgds
Daniel


Quote:
Originally posted by DanielTan
Hi Brian, yes, in the first line of my service there is port 2049. How to add more layers?

Rgds
Daniel
 
Old 10-16-2005, 11:03 PM   #19
Capt_Caveman
Hi, why do I need to save the "firewall-backup" script again as a text file and then make it executable again?
No. You're saving the old firewall rules as a backup in case you need them in the future or something gets screwed up. You're then putting the new iptables ruleset in a different file and making that file executable.

How to save the new script as a text file?
Use your favorite text editor (like vi or emacs) or even something like kwrite or OpenOffice will work as long as you save the file as text.

What firewall is that?
I posted a basic example earlier in the thread and there are a number available in the security reference thread. There are also examples in the frozentux tutorial.

Tripwire can protect against what threat that the firewall can't?
Tripwire is a different type of security application that is used for intrusion detection rather than prevention. If someone were able to gain access to your system (through an unpatched/unpublished vuln) then your firewall would likely not help much, whereas Tripwire's file alteration detection capabilities might.
 
Old 10-17-2005, 12:56 AM   #20
DanielTan
Hi, isn't the default firewall file executable? Also, why is another firewall software needed in place? Thanks a lot

Rgds
Daniel



Quote:
Originally posted by Capt_Caveman
Hi, why do I need to save the "firewall-backup" script again as a text file and then make it executable again?
No. You're saving the old firewall rules as a backup in case you need them in the future or something gets screwed up. You're then putting the new iptables ruleset in a different file and making that file executable.

How to save the new script as a text file?
Use your favorite text editor (like vi or emacs) or even something like kwrite or OpenOffice will work as long as you save the file as text.

What firewall is that?
I posted a basic example earlier in the thread and there are a number available in the security reference thread. There are also examples in the frozentux tutorial.

Tripwire can protect against what threat that the firewall can't?
Tripwire is a different type of security application that is used for intrusion detection rather than prevention. If someone were able to gain access to your system (through an unpatched/unpublished vuln) then your firewall would likely not help much, whereas Tripwire's file alteration detection capabilities might.
 
Old 10-17-2005, 01:02 AM   #21
DanielTan
Hi, in your thread earlier, I saw a file "rc.local", what does it do?

Rgds
Daniel


Quote:
Originally posted by Capt_Caveman
Hi, why do I need to save the "firewall-backup" script again as a text file and then make it executable again?
No. You're saving the old firewall rules as a backup in case you need them in the future or something gets screwed up. You're then putting the new iptables ruleset in a different file and making that file executable.

How to save the new script as a text file?
Use your favorite text editor (like vi or emacs) or even something like kwrite or OpenOffice will work as long as you save the file as text.

What firewall is that?
I posted a basic example earlier in the thread and there are a number available in the security reference thread. There are also examples in the frozentux tutorial.

Tripwire can protect against what threat that the firewall can't?
Tripwire is a different type of security application that is used for intrusion detection rather than prevention. If someone were able to gain access to your system (through an unpatched/unpublished vuln) then your firewall would likely not help much, whereas Tripwire's file alteration detection capabilities might.
 
Old 10-17-2005, 08:58 AM   #22
Capt_Caveman
Hi, isn't the default firewall file executable?
No. In Fedora the default firewall rules are stored in /etc/sysconfig/iptables which isn't a shell script, it's the output of iptables-save. The rules are loaded from that file during boot using iptables-restore. Earlier in this thread I gave you instructions on how to use that method (basically run your script once so that it is loaded into iptables and then save the setup to /etc/sysconfig/iptables using iptables-save > /etc/sysconfig/iptables). That way Fedora will automatically load your new rules from there. Otherwise the old rules will be run at boot and you will need to have your script executed at boot.

Also, why is another firewall software needed in place?
You only need one. The Fedora firewall is relatively mediocre and I feel there are better scripts available.

Hi, in your thread earlier, I saw a file "rc.local", what does it do?
The contents of that file are executed as one of the final steps of the boot init process. It's handy for having scripts run automatically. However it is not ideal for running a firewall script as the network interfaces have already been brought up by init, so for a brief period your system would be online with live network interfaces and no firewall.
 
Old 10-17-2005, 10:51 AM   #23
DanielTan
Hi, I'm a bit blur regarding rc.local, is it necessary to have it? In total, how many files do I need to have for the firewall to be running? Thanks

Rgds
Daniel



Quote:
Originally posted by Capt_Caveman
Hi, isn't the default firewall file executable?
No. In Fedora the default firewall rules are stored in /etc/sysconfig/iptables which isn't a shell script, it's the output of iptables-save. The rules are loaded from that file during boot using iptables-restore. Earlier in this thread I gave you instructions on how to use that method (basically run your script once so that it is loaded into iptables and then save the setup to /etc/sysconfig/iptables using iptables-save > /etc/sysconfig/iptables). That way Fedora will automatically load your new rules from there. Otherwise the old rules will be run at boot and you will need to have your script executed at boot.

Also, why is another firewall software needed in place?
You only need one. The Fedora firewall is relatively mediocre and I feel there are better scripts available.

Hi, in your thread earlier, I saw a file "rc.local", what does it do?
The contents of that file are executed as one of the final steps of the boot init process. It's handy for having scripts run automatically. However it is not ideal for running a firewall script as the network interfaces have already been brought up by init, so for a brief period your system would be online with live network interfaces and no firewall.
 
Old 10-17-2005, 07:04 PM   #24
Brian1
I'm getting a little confused about where this topic is going. When I say more layers, I mean if you have a setup like this.

If you have a broadband connection, put a router, whether store-bought or a Linux box, between the internet and your private LAN. If no ports are being forwarded through the router then consider this the first layer of defense. No ports to attack.

Next, run iptables on all machines and open only the ports to be visible to the LAN network. You can run all the services on the Linux box you want, but unless iptables allows a connection, it is blocked. This would be the next layer of security if someone got through the router.

Use of /etc/hosts.allow and hosts.deny is another layer of defense that can be used.

Use of strong passwords and use of keys would be an additional layer of security.

Keeping daemon services updated to current releases would be another layer of security. Example: you have version 3.2 of something and an exploited hack has been found; the developer of the software releases a patch or a complete package version 3.3 to fix the exploit.

Also check for firmware updates for store-bought routers.

Now if the router also provides wireless access and you are not using wireless cards, and if the router has the feature, one can turn the antenna off. If wireless is being used, enable WEP and/or WPA security and/or MAC filtering and/or IP filtering. Each item here can be considered a layer of security.

Pretty much for the home user, as long as there is a router in place with no open ports, this is usually enough.

Now as for rc.local, it is used to put additional scripts or apps you want to run on the machine. It can be used to load additional modules, reset files, restore settings, start a service. Anything you want, with an easy, nearly empty file to use. Adding to the rc file would not be the best because of the size and contents already in there. Here is an example of my rc.local file:
Code:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

# Start DMZ Firewall for wan, lan and dmz networks
echo "Starting up DMZ Firewall...."
/etc/dmz.firewall

# Load modules for sensors
echo "Starting up LM Sensors modules...."
modprobe i2c-amd756
modprobe w83781d
modprobe eeprom
sensors -s

# Pause to allow modules to finish loading before continuing
ping -c3 127.0.0.1 > /dev/null

# Startup of the gkrellm daemon for remote monitoring of nics
echo "Starting up gkrellmd daemon...."
/usr/bin/gkrellmd &

touch /var/lock/subsys/local
Hope this helps.
Brian1

Last edited by Brian1; 10-17-2005 at 07:05 PM.
 
Old 10-17-2005, 07:35 PM   #25
Capt_Caveman
When the system starts up, the last step of the boot process is to execute the contents of rc.local. So any files you put in the rc.local file will be run (note that rc.local contains paths to the files you want run, similar to a link).

In total how many files do i need to have for firewall to be running?
Technically you do not need any files. You could start the system and enter your rules manually with iptables every time you boot. However, the easiest way is to use 2 files. One is the actual shell script containing your firewall rules. The second is the /etc/sysconfig/iptables file which is used to store your firewall rules in a special format so that they can be automatically reloaded for you when the system boots. To do it that way you need to do the following:
1. Open a text file and paste/type the firewall rules
2. Make the file executable with chmod u+x filename
3. Execute the file as root to load the firewall rules
4. Verify that the rules were loaded by running iptables -vnL
5. Save the loaded rules using iptables-save > /etc/sysconfig/iptables

Your firewall rules will now get automatically loaded at boot. You can delete the script containing the firewall rules if you like, as the rules are now stored in /etc/sysconfig/iptables.

I would still recommend making a backup copy of your original set of rules first before you start. Anytime you modify *ANY* config file in linux you should *ALWAYS* make a backup copy. If you make a mistake editing it or somehow screw up, then you can always revert to the backup. If you don't have the backup copy then you're in trouble.
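The five steps above, with the backup Capt_Caveman insists on, as one shell script. This is an added example, not his script and not Fedora's own tooling: it dumps the running ruleset first, runs the rules script, checks that iptables -vnL actually lists rules, and only then writes /etc/sysconfig/iptables; if the script or the check fails, the backup is fed back through iptables-restore so the host is not left with a half-applied ruleset. The command names and paths (IPT, IPT_SAVE, IPT_RESTORE, BACKUP_DIR, SAVED_RULES) are assumptions exposed as variables; on a real host it must run as root.

```shell
#!/bin/sh
# Added example (not the thread's or Fedora's own script): the five steps from
# the post above with a backup taken first and an automatic rollback on failure.
# Assumptions: the new rules live in a shell script given as $1; command names
# and paths are variables so they can be pointed at stubs when testing.
IPT="${IPT:-iptables}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
SAVED_RULES="${SAVED_RULES:-/etc/sysconfig/iptables}"   # what Fedora loads at boot
BACKUP_DIR="${BACKUP_DIR:-/root/firewall-backups}"       # assumed location

# Dump the currently loaded ruleset to a timestamped file and print its path.
# iptables-save output can be fed straight back into iptables-restore.
backup_rules() {
    mkdir -p "$BACKUP_DIR" || return 1
    file="$BACKUP_DIR/iptables-$(date +%Y%m%d-%H%M%S).bak"
    "$IPT_SAVE" > "$file" || return 1
    printf '%s\n' "$file"
}

# Step 4: the listing must succeed and show at least one rule line
# (rule lines in iptables -vnL start with the packet counter).
verify_loaded() {
    listing=$("$IPT" -vnL) || return 1
    count=$(printf '%s\n' "$listing" | grep -c '^ *[0-9]') || count=0
    [ "$count" -gt 0 ]
}

# Steps 1-5: back up, make the script executable, run it, verify, then save.
# Any failure once the script has started restores the backup.
load_and_persist() {
    script="$1"
    [ -f "$script" ] || { echo "no such script: $script" >&2; return 1; }
    backup=$(backup_rules) || { echo "backup failed, not touching rules" >&2; return 1; }
    chmod u+x "$script" || return 1
    # Run through sh so this also works where the script's filesystem is mounted noexec.
    if ! sh "$script" || ! verify_loaded; then
        echo "new rules failed to load; restoring $backup" >&2
        "$IPT_RESTORE" < "$backup"
        return 1
    fi
    "$IPT_SAVE" > "$SAVED_RULES" || return 1
    echo "rules saved to $SAVED_RULES (backup: $backup)"
}
```

Usage on a host is `load_and_persist /root/firewall.sh` as root. The rollback is the part the procedure in the post leaves to you: a backup is only useful if something restores it before you are locked out.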
 
Old 10-25-2005, 09:10 PM   #26
DanielTan
Hi, can you please explain this line and which IPs are bogons? Does preventing those bogon and bad packets increase the network traffic? Thanks

iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP

Rgds
Daniel




Quote:
Originally posted by Capt_Caveman
Does my firewall consider secure and any good example of a good firewall script?
I usually point to this as an example of a basic core firewall for a single host. Obviously you'd need to modify it to your own requirements, like interface names as well as any other services you'd run. If you are trying to use this for your border/gateway firewall then you'll need to add rules for forwarding traffic. If you are using this inside the LAN then you may need to remove rules blocking any of your private LAN IP addresses listed in the "bogons" section.

MitM stands for?
Man-in-the-Middle. Attacker maliciously causes traffic destined for other hosts to be routed through a system under their control and sniffs traffic, injects packets, or hijacks sessions.
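The two rules in the question above log at most five packets a minute arriving on ppp0 with a source in 0.0.0.0/8 and then drop them. A bogon, in the sense the script uses, is a source address that should never appear on a packet coming in from the Internet: reserved or private space. DROP sends nothing back, so the rule adds no traffic; the only cost is the log lines, which the limit match keeps bounded. The shell functions below are an added example, not part of the script under discussion: they classify a source address against a constructed list of reserved ranges (RFC 1122 "this network", RFC 1918 private space, loopback, RFC 3927 link-local, multicast and class E, my list rather than the script's "bogons" section) and summarise constructed kernel log lines written by a LOG rule with that prefix. The sample also shows one caveat: iptables prints the prefix immediately before "IN=", so a prefix without a trailing space comes out as "INVALID IPIN=ppp0".

```shell
#!/bin/sh
# Added example, not from the thread: classify source addresses against reserved
# ("bogon") ranges and summarise kernel log lines written by a LOG rule.

# Constructed list of reserved ranges (an assumption, not the script's own list):
# RFC 1122 "this network", RFC 1918 private space, loopback, RFC 3927
# link-local, multicast and class E. None should arrive as a source on ppp0.
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# Dotted quad -> 32-bit integer, using only POSIX shell arithmetic.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the first reserved range containing $1 and return 0; return 1 otherwise.
bogon_range() {
    ip=$(ip_to_int "$1")
    for cidr in $BOGONS; do
        bits=${cidr#*/}
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
        net=$(ip_to_int "${cidr%/*}")
        if [ $(( ip & mask )) -eq $(( net & mask )) ]; then
            printf '%s\n' "$cidr"
            return 0
        fi
    done
    return 1
}

# Constructed kernel log lines. Note the prefix runs straight into "IN=": iptables
# adds no space, so use --log-prefix "WARN: INVALID IP " (trailing space) on a real host.
sample_log() {
cat <<'EOF'
Oct 25 20:58:02 fc3 kernel: WARN: INVALID IPIN=ppp0 OUT= MAC= SRC=0.0.0.1 DST=203.0.113.9 LEN=40 TTL=51 PROTO=TCP SPT=3222 DPT=22
Oct 25 20:58:40 fc3 kernel: WARN: INVALID IPIN=ppp0 OUT= MAC= SRC=10.4.4.4 DST=203.0.113.9 LEN=40 TTL=49 PROTO=TCP SPT=1080 DPT=80
Oct 25 20:59:15 fc3 kernel: eth0: link up, 100Mbps, full-duplex
Oct 25 21:00:01 fc3 kernel: WARN: INVALID IPIN=ppp0 OUT= MAC= SRC=0.0.0.1 DST=203.0.113.9 LEN=40 TTL=51 PROTO=TCP SPT=3223 DPT=22
EOF
}

# Read a log (file argument or stdin), keep only lines carrying the prefix, and
# print "count source range" with the busiest source first.
summarize_log() {
    grep 'WARN: INVALID IP' "${1:--}" |
    sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn |
    while read -r count src; do
        range=$(bogon_range "$src") || range="not-reserved"
        printf '%s %s %s\n' "$count" "$src" "$range"
    done
}

# Demo on the constructed log; on a host: summarize_log /var/log/messages
sample_log | summarize_log
```

On the sample the summary is two lines, "2 0.0.0.1 0.0.0.0/8" and "1 10.4.4.4 10.0.0.0/8"; a source reported as "not-reserved" would mean the prefix is being used by some rule other than a bogon check.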
 
Old 10-30-2005, 03:25 AM   #27
DanielTan
Hi, I did reconfigure my firewall and now my FC3 hangs during firewall init. Even before I restart, it hangs on shutdown. I did back up my old firewall config but not the new config. Please advise. Thanks

Regards
Daniel




Quote:
Originally posted by Capt_Caveman
When the system starts up, the last step of the boot process is to execute the contents of rc.local. So any files you put in the rc.local file will be run (note that rc.local contains paths to the files you want run, similar to a link).

In total how many files do i need to have for firewall to be running?
Technically you do not need any files. You could start the system and enter your rules manually with iptables every time you boot. However, the easiest way is to use 2 files. One is the actual shell script containing your firewall rules. The second is the /etc/sysconfig/iptables file which is used to store your firewall rules in a special format so that they can be automatically reloaded for you when the system boots. To do it that way you need to do the following:
1. Open a text file and paste/type the firewall rules
2. Make the file executable with chmod u+x filename
3. Execute the file as root to load the firewall rules
4. Verify that the rules were loaded by running iptables -vnL
5. Save the loaded rules using iptables-save > /etc/sysconfig/iptables

Your firewall rules will now get automatically loaded at boot. You can delete the script containing the firewall rules if you like, as the rules are now stored in /etc/sysconfig/iptables.

I would still recommend making a backup copy of your original set of rules first before you start. Anytime you modify *ANY* config file in linux you should *ALWAYS* make a backup copy. If you make a mistake editing it or somehow screw up, then you can always revert to the backup. If you don't have the backup copy then you're in trouble.
 
Old 10-30-2005, 03:28 AM   #28
DanielTan
Brian, I did modify my firewall rules on FC3 and now it hangs on firewall init during startup. Any idea how to solve this problem? I did make a backup of the old config.

Regards
Daniel



Quote:
Originally posted by Brian1
I'm getting a little confused about where this topic is going. When I say more layers, I mean if you have a setup like this.

If you have a broadband connection, put a router, whether store-bought or a Linux box, between the internet and your private LAN. If no ports are being forwarded through the router then consider this the first layer of defense. No ports to attack.

Next, run iptables on all machines and open only the ports to be visible to the LAN network. You can run all the services on the Linux box you want, but unless iptables allows a connection, it is blocked. This would be the next layer of security if someone got through the router.

Use of /etc/hosts.allow and hosts.deny is another layer of defense that can be used.

Use of strong passwords and use of keys would be an additional layer of security.

Keeping daemon services updated to current releases would be another layer of security. Example: you have version 3.2 of something and an exploited hack has been found; the developer of the software releases a patch or a complete package version 3.3 to fix the exploit.

Also check for firmware updates for store-bought routers.

Now if the router also provides wireless access and you are not using wireless cards, and if the router has the feature, one can turn the antenna off. If wireless is being used, enable WEP and/or WPA security and/or MAC filtering and/or IP filtering. Each item here can be considered a layer of security.

Pretty much for the home user, as long as there is a router in place with no open ports, this is usually enough.

Now as for rc.local, it is used to put additional scripts or apps you want to run on the machine. It can be used to load additional modules, reset files, restore settings, start a service. Anything you want, with an easy, nearly empty file to use. Adding to the rc file would not be the best because of the size and contents already in there. Here is an example of my rc.local file:
Code:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

# Start DMZ Firewall for wan, lan and dmz networks
echo "Starting up DMZ Firewall...."
/etc/dmz.firewall

# Load modules for sensors
echo "Starting up LM Sensors modules...."
modprobe i2c-amd756
modprobe w83781d
modprobe eeprom
sensors -s

# Pause to allow modules to finish loading before continuing
ping -c3 127.0.0.1 > /dev/null

# Startup of the gkrellm daemon for remote monitoring of nics
echo "Starting up gkrellmd daemon...."
/usr/bin/gkrellmd &

touch /var/lock/subsys/local
Hope this helps.
Brian1
 
Old 10-31-2005, 11:37 PM   #29
Capt_Caveman
Quote:
Originally posted by DanielTan
Hi, I did reconfigure my firewall and now my FC3 hangs during firewall init. Even before I restart, it hangs on shutdown. I did back up my old firewall config but not the new config. Please advise. Thanks
Please describe *EXACTLY* what modifications you've made, the entire firewall script you are trying to run and post the output of iptables -vnL
 
Old 11-01-2005, 08:03 AM   #30
DanielTan
Hi, first I made a backup of the old configuration. Below is the result of "cat" on the iptables file. BTW, how do I boot into Linux again, bypassing the firewall? Thanks

*filter
:input drop [0:0]
:forward drop [0:0]
:output accept [0:0]
:RH-firewall-1-input-[0:0]

-A input -m state --state invalid -j drop
-A input -p tcp -m tcp ! --tcp-flags syn,rst,ack,syn -m state --state new -j drop
-A input -p tcp -m tcp --tcp-flags fin, syn fin, syn -j drop
-A input -p tcp -m tcp --tcp-flags syn,rst syn,rst -j drop
-A input -p tcp -m tcp --tcp-flags fin, syn,rst,psh,ack,urg fin,syn,rst,psh,ack,urg -j drop
-A forward -m state --state invalid -j drop
-A output -m state --state invalid -j drop
-A RH-firewall-1-input -i lo -j accept
-A RH-firewall-1-input-i eth0 -p icmp -m icmp --icmp-type 8 - m limit -- limit 10/s -j accept
-A RH-firewall-1-input-i eth0 -p tcp -m tcp --tcp-flags syn,rst,ack syn -m limit --limit 5/sec -j accept
-A RH-firewall-1-input -d 224.0.0.251 -p udp --dport 5353 -j accept
-A Rh-firewall-1-input -p udp -m udp --dport 631 -j accept
-A Rh-firewall-1-input -m state --state related, established -j accept
-A RH-firewall-1-input -p tcp -m state --state new -m multiport --dport 80,443 -j accept
-A RH-firewall-1-input -j reject --reject-with icmp host-prohibited
Commit





Quote:
Originally posted by Capt_Caveman
Please describe *EXACTLY* what modifications you've made, the entire firewall script you are trying to run and post the output of iptables -vnL
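A file in the iptables-save format shown above is read back by iptables-restore, and that parser is strict in ways a hand-typed copy tends to trip over: chain and target names are case-sensitive (the builtin chains are INPUT, FORWARD and OUTPUT; the standard targets are ACCEPT, DROP, REJECT, LOG and RETURN), a chain line needs a policy (or "-" for a user chain) followed by counters, comma lists such as --tcp-flags take no spaces, option dashes are not followed by a space, and the file must end with COMMIT in capitals. The awk-based check below is an added example, not part of the thread and not an iptables tool; it flags exactly those things and also reports a declared chain that no rule ever jumps to, which in the transcription above applies to RH-firewall-1-input since no -A input rule jumps to it while input carries the policy drop. It runs on two constructed samples, one modelled on the mistakes visible above and one laid out like the stock Fedora ruleset; on a real host iptables-restore itself remains the authoritative check, and the thread does not say what caused the hang.

```shell
#!/bin/sh
# Added example: a static check for files in iptables-save format, run before
# iptables-restore. Not an iptables tool; both sample rulesets are constructed.

# lint_iptables_save [FILE]: print one line per problem, exit non-zero if any.
# Reads stdin when no file is given.
lint_iptables_save() {
    awk '
    function err(msg) { print msg; bad++ }
    BEGIN { bad = 0; committed = 0 }
    /^[ \t]*$/ || /^#/ { next }                      # blank lines and comments
    /^\*/ {                                          # table header, e.g. *filter
        table = substr($0, 2)
        if (table !~ /^(filter|nat|mangle|raw)$/) err("line " NR ": unknown table " table)
        next
    }
    /^:/ {                                           # chain line: :NAME POLICY [pkts:bytes]
        if ($0 !~ /^:[^ ]+ [^ ]+ \[[0-9]+:[0-9]+\]$/) { err("line " NR ": malformed chain line: " $0); next }
        name = substr($1, 2); policy = $2; declared[name] = 1
        if (name ~ /^(INPUT|FORWARD|OUTPUT)$/) {
            if (policy !~ /^(ACCEPT|DROP)$/) err("line " NR ": builtin chain " name " needs policy ACCEPT or DROP, not " policy)
        } else if (policy != "-") {
            err("line " NR ": " name " is not a builtin chain (names are case-sensitive) yet has policy " policy)
        }
        next
    }
    /^COMMIT$/ { committed = 1; next }
    /^-A / {                                         # rule: -A CHAIN ... -j TARGET
        chain = $2
        if (!(chain in declared)) err("line " NR ": rule appends to undeclared chain " chain)
        if ($0 ~ /(^| )-+ /) err("line " NR ": space after option dash: " $0)
        if ($0 ~ /, /) err("line " NR ": space inside comma-separated list: " $0)
        for (i = 3; i <= NF; i++) if ($i == "-j") {
            tgt = $(i + 1); referenced[tgt] = 1
            if (tgt !~ /^(ACCEPT|DROP|REJECT|LOG|RETURN)$/ && !(tgt in declared))
                err("line " NR ": unknown target " tgt " (targets are case-sensitive)")
        }
        next
    }
    { err("line " NR ": unrecognised line: " $0) }
    END {
        if (!committed) err("end: missing COMMIT line (case-sensitive)")
        for (c in declared)
            if (c !~ /^(INPUT|FORWARD|OUTPUT)$/ && !(c in referenced))
                err("end: chain " c " is declared but no rule jumps to it")
        exit (bad > 0)
    }' "${1:--}"
}

# Constructed sample modelled on the mistakes in the hand-typed ruleset above.
sample_bad() {
cat <<'EOF'
*filter
:input drop [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A input -m state --state INVALID -j drop
-A input -p tcp -m tcp --tcp-flags FIN, SYN FIN, SYN -j DROP
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp - m limit -- limit 10/s -j ACCEPT
Commit
EOF
}

# Constructed sample laid out like the stock Fedora ruleset: INPUT and FORWARD
# hand everything to RH-Firewall-1-INPUT, which ends in a REJECT.
sample_good() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo when run directly; on a host: lint_iptables_save /etc/sysconfig/iptables
sample_bad | lint_iptables_save || echo "problems found, do not load this file"
```

The bad sample produces eight findings (the lowercase chain and target, the spaced comma list, the spaced option dashes, the unrecognised "Commit" line and the missing COMMIT, and the two chains nothing jumps to); the good sample produces none.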
 
  

