LinuxQuestions.org

Linux - Security: How to secure an open port in iptables (https://www.linuxquestions.org/questions/linux-security-4/how-to-secure-an-open-port-in-iptables-720735/)

jefn 04-21-2009 02:42 PM

How to secure an open port in iptables
 
Hi folks,

I need your experience and suggestions. I have a firewall (iptables) and I have to open port 2811 (GridFTP service) to the public. How can I make it secure against attacks?


Thank you all in advance,
Jefn

win32sux 04-21-2009 03:05 PM

Quote:

Originally Posted by jefn (Post 3516533)
How can I make it secure against attacks?

What kind of attacks?

jefn 04-22-2009 01:42 AM

Quote:

Originally Posted by win32sux (Post 3516560)
What kind of attacks?

All kinds of attacks, if I keep this port open to the public?
All attacks in general?

win32sux 04-22-2009 02:30 AM

Quote:

Originally Posted by jefn (Post 3516937)
All kinds of attacks, if I keep this port open to the public?
All attacks in general?

If you could make yourself secure against "all attacks in general" then forums like this one wouldn't need to exist. It's like asking how you can protect your house from all attacks in general - there's simply no way you can do that. Resources are scarce, and you're gonna have to pick certain threats to defend against, and others to live with. Ideally, the ones you defend against will be those that represent the highest risk to you.

I'm not gonna pretend I know what GridFTP is (I don't have a clue), and without that knowledge it's simply unrealistic for me to offer any special suggestions as to how you can harden it. This is even more true considering you haven't specified what you want to harden it against. The most generic recommendation I could give you is to use mandatory access control, since that's a really good idea for any service connected to the Internet. Of course, as I said before, nothing will protect you against everything.

jefn 04-23-2009 03:40 AM

Quote:

Originally Posted by win32sux (Post 3516974)
If you could make yourself secure against "all attacks in general" then forums like this one wouldn't need to exist. It's like asking how you can protect your house from all attacks in general - there's simply no way you can do that. Resources are scarce, and you're gonna have to pick certain threats to defend against, and others to live with. Ideally, the ones you defend against will be those that represent the highest risk to you.

I'm not gonna pretend I know what GridFTP is (I don't have a clue), and without that knowledge it's simply unrealistic for me to offer any special suggestions as to how you can harden it. This is even more true considering you haven't specified what you want to harden it against. The most generic recommendation I could give you is to use mandatory access control, since that's a really good idea for any service connected to the Internet. Of course, as I said before, nothing will protect you against everything.

Thanks, mate, for your sincere help. I know that it is difficult to secure a firewall (iptables) against attack, but I meant the general practice to secure my gateway. Things like spoofing, DoS, ... are what I meant in my question. In other words, imagine that you have a Linux workstation running as a gateway and you have to open port 2811. Now, what kind of attacks might there be?


Thanks again,
Jefn

unixfool 04-23-2009 09:32 AM

Quote:

Originally Posted by jefn (Post 3518100)
Thanks, mate, for your sincere help. I know that it is difficult to secure a firewall (iptables) against attack, but I meant the general practice to secure my gateway. Things like spoofing, DoS, ... are what I meant in my question. In other words, imagine that you have a Linux workstation running as a gateway and you have to open port 2811. Now, what kind of attacks might there be?


Thanks again,
Jefn

Since you've got a GridFTP service running, I'd imagine any type of attack related to that service is what you'd have to worry about, plus anything FTP-related (such as brute-force attempts). Sounds like a job for snort and/or denyhosts/fail2ban, and maybe others. How open is this service? Do you intend for the service to be publicly accessible, or are you going to give access to a select few? If it's just a few, then you can limit it to those few and not allow anyone else by use of tcpwrappers or even the firewall itself (or both).

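The fail2ban/denyhosts idea above, as an added example that is not code from the thread, from fail2ban or from GridFTP: a minimal version of what such a tool does. It counts failed logins per source address in a log, and for every source that reaches a threshold it produces the iptables DROP rule the tool would insert. The log lines, the `port=... src=... auth FAILED` format, the threshold of 3 and the `DRY_RUN` switch are all constructed for illustration; a real deployment would tail the actual GridFTP log and match its real format. One caveat a practitioner should keep in mind: because the login failure happens after a completed TCP handshake, the logged source address is not spoofed, but many users behind one NAT address will be banned together.

```shell
#!/bin/sh
# Added example, not code from the thread or from GridFTP/fail2ban:
# a minimal fail2ban-style check over log lines. The log format below is
# constructed for illustration; a real GridFTP log will look different.
: "${DRY_RUN:=1}"   # default: print the rules; DRY_RUN=0 applies them (needs root)

THRESHOLD=3         # failed logins per source before blocking (assumption)

# Constructed sample log: three failures from 203.0.113.7, one from
# 198.51.100.9 and one success from 192.0.2.10.
SAMPLE_LOG='2009-04-24T02:01:11 gridftp[4141]: port=2811 src=203.0.113.7 auth FAILED
2009-04-24T02:01:14 gridftp[4141]: port=2811 src=203.0.113.7 auth FAILED
2009-04-24T02:01:20 gridftp[4141]: port=2811 src=198.51.100.9 auth FAILED
2009-04-24T02:01:25 gridftp[4141]: port=2811 src=192.0.2.10 auth OK
2009-04-24T02:01:31 gridftp[4141]: port=2811 src=203.0.113.7 auth FAILED'

# offenders: print, one per line and sorted, each source IP that reached
# THRESHOLD failed logins on port 2811.
offenders() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v t="$THRESHOLD" '
        /port=2811/ && /auth FAILED/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { sub(/^src=/, "", $i); fail[$i]++ }
        }
        END { for (ip in fail) if (fail[ip] >= t) print ip }' | sort
}

# block_rule: the rule a banning tool would insert for one offender.
# -I puts it at the top of INPUT so it wins over any later ACCEPT rule.
block_rule() {
    printf 'iptables -I INPUT -p tcp --dport 2811 -s %s -j DROP\n' "$1"
}

# ban_all: print (DRY_RUN=1) or run (DRY_RUN=0) one DROP rule per offender.
ban_all() {
    for ip in $(offenders); do
        if [ "$DRY_RUN" = 0 ]; then
            block_rule "$ip" | sh
        else
            block_rule "$ip"
        fi
    done
}

ban_all
```

Run as-is it only prints `iptables -I INPUT -p tcp --dport 2811 -s 203.0.113.7 -j DROP`, since 198.51.100.9 has a single failure and never reaches the threshold. A real tool also expires bans after a while and only counts failures inside a time window; both are left out here to keep the counting logic visible.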
jefn 04-24-2009 02:36 AM

Quote:

Originally Posted by unixfool (Post 3518462)
Since you've got a GridFTP service running, I'd imagine any type of attack related to that service is what you'd have to worry about, plus anything FTP-related (such as brute-force attempts). Sounds like a job for snort and/or denyhosts/fail2ban, and maybe others. How open is this service? Do you intend for the service to be publicly accessible, or are you going to give access to a select few? If it's just a few, then you can limit it to those few and not allow anyone else by use of tcpwrappers or even the firewall itself (or both).


The service should be running all the time and publicly accessible. I want to use just iptables to secure the port against any related attack. Sorry, my friends, that I am not an expert in security, but I want to provide this service to the public and I am afraid that someone can attack my iptables easily. I know there is no 100% guarantee of security, but I want to set the maximum security measures. Now, how can I implement some of these measures, like what you sirs said about brute-force attempts, etc.? Can you please provide me with examples to implement in iptables, or good websites that have these examples?


Thanks all for your help.

win32sux 04-24-2009 04:12 AM

Quote:

Originally Posted by jefn (Post 3519303)
The service should be running all the time and publicly accessible.

Which is why you need to focus your energy on that instead of iptables.

Quote:

I want to use just iptables to secure the port against any related attack. Sorry, my friends, that I am not an expert in security, but I want to provide this service to the public and I am afraid that someone can attack my iptables easily. I know there is no 100% guarantee of security, but I want to set the maximum security measures. Now, how can I implement some of these measures, like what you sirs said about brute-force attempts, etc.? Can you please provide me with examples to implement in iptables, or good websites that have these examples?
You've got your priorities out of order IMHO. You need to focus on securing the service you are providing. Iptables is just a precautionary measure against unwanted transport/network layer traffic. Most of the threat nowadays lies at the application layer, however. Ideally, you'd want your service to be reasonably secure with or without iptables. In summary, you don't secure "the port", you secure "the service that is listening on the port".

unixfool 04-24-2009 10:25 AM

That's what I should've said first. Harden the service first, then apply other layers of security.

jefn 04-25-2009 01:57 AM

Quote:

Originally Posted by win32sux (Post 3519350)
Which is why you need to focus your energy on that instead of iptables.

You've got your priorities out of order IMHO. You need to focus on securing the service you are providing. Iptables is just a precautionary measure against unwanted transport/network layer traffic. Most of the threat nowadays lies at the application layer, however. Ideally, you'd want your service to be reasonably secure with or without iptables. In summary, you don't secure "the port", you secure "the service that is listening on the port".

Securing the service, how can I do that?

jefn 04-25-2009 01:59 AM

Quote:

Originally Posted by unixfool (Post 3519666)
That's what I should've said first. Harden the service first, then apply other layers of security.

But how do I do that practically? A friend told me that I can add some security in iptables using "connlimit" and a threshold. Can I use them?

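The "connlimit and threshold" idea jefn's friend mentioned, as an added example that is not code from the thread or from the GridFTP project: a rule set for the control port 2811 that caps concurrent connections per source address (connlimit) and caps the rate of new connections per source address (hashlimit), logging and dropping whatever exceeds them. The interface name, the numeric limits, the log prefix and the `DRY_RUN` switch are illustrative assumptions. Two caveats: `--hashlimit-upto` is the spelling used by iptables 1.4 and later (older releases spell the same option `--hashlimit`), and GridFTP also opens data connections on a separate port range (set through the GLOBUS_TCP_PORT_RANGE environment variable), which these rules do not cover. As win32sux says above, this blunts connection floods and brute-force attempts at the network layer; it does nothing about bugs in the service itself.

```shell
#!/bin/sh
# Added example, not code from the thread: iptables rules for the GridFTP
# control port 2811 using connlimit (cap on concurrent connections per
# source) and hashlimit (cap on the rate of new connections per source).
# IFACE, the limits and the log prefix are illustrative assumptions.
: "${DRY_RUN:=1}"     # default: print the rules; DRY_RUN=0 applies them (needs root)
IFACE="${IFACE:-eth0}"
PORT=2811
MAX_PER_SRC=5         # concurrent connections allowed per source address
NEW_RATE="10/minute"  # sustained rate of new connections allowed per source
NEW_BURST=20          # short burst allowed before NEW_RATE takes effect

# gridftp_rules: print the rules in the order they must be appended.
gridftp_rules() {
    cat <<EOF
# Packets of sessions already accepted pass; every rule after this sees NEW only.
iptables -A INPUT -i $IFACE -p tcp --dport $PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# connlimit: a source /32 already holding MAX_PER_SRC connections gets no more.
iptables -A INPUT -i $IFACE -p tcp --dport $PORT -m conntrack --ctstate NEW -m connlimit --connlimit-above $MAX_PER_SRC --connlimit-mask 32 -j DROP
# hashlimit: accept new connections while the per-source rate stays under NEW_RATE.
iptables -A INPUT -i $IFACE -p tcp --dport $PORT -m conntrack --ctstate NEW -m hashlimit --hashlimit-name gridftp --hashlimit-mode srcip --hashlimit-upto $NEW_RATE --hashlimit-burst $NEW_BURST -j ACCEPT
# Whatever exceeded the rate: log it (the LOG rule is itself rate-limited so the log cannot be flooded), then drop.
iptables -A INPUT -i $IFACE -p tcp --dport $PORT -m limit --limit 3/minute -j LOG --log-prefix "gridftp-flood: "
iptables -A INPUT -i $IFACE -p tcp --dport $PORT -j DROP
EOF
}

# rule_count: number of iptables commands produced (comment lines excluded).
rule_count() {
    gridftp_rules | grep -c '^iptables '
}

# apply_rules: print (DRY_RUN=1) or execute (DRY_RUN=0) the rule set.
apply_rules() {
    if [ "$DRY_RUN" = 0 ]; then
        gridftp_rules | sh -e
    else
        gridftp_rules
    fi
}

apply_rules
```

Order matters: the ESTABLISHED,RELATED rule comes first so that packets of already-accepted transfers are never counted against the limits, and the final unconditional DROP only sees new connections that exceeded the hashlimit. Run with `DRY_RUN=0` as root to load the rules; run without it to review them first.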
unixfool 04-25-2009 10:29 AM

I've no experience with GridFTP, but if it's like any other service, you should be able to manipulate who can access what files, who can write to certain directories, who can delete directories, turn on/off anonymous access, turn off root access... all of these things.

I'd also check on the recent bug reports for that software, check what version you have and mitigate any risks that are exposed by the bug reports.

jefn 04-26-2009 03:37 AM

Quote:

Originally Posted by unixfool (Post 3520546)
I've no experience with GridFTP, but if it's like any other service, you should be able to manipulate who can access what files, who can write to certain directories, who can delete directories, turn on/off anonymous access, turn off root access... all of these things.

I'd also check on the recent bug reports for that software, check what version you have and mitigate any risks that are exposed by the bug reports.


Yeah, this is what I would like to do:
- users only can write to a specific directory.
- users cannot read or copy any file from that directory.
- users can only access that directory.

Could you please help me to do that?

Sorry that my experience in Linux is not that good :(.

Thanks in advance,
Jefn

win32sux 04-26-2009 04:02 AM

Quote:

Originally Posted by jefn (Post 3521154)
Yeah, this is what I would like to do:
- users only can write to a specific directory.
- users cannot read or copy any file from that directory.
- users can only access that directory.

Could you please help me to do that?

Sorry that my experience in Linux is not that good :(.

Thanks in advance,
Jefn

Does GridFTP come with any built-in chroot functionality? That would be specified in the GridFTP documentation, and although it wouldn't be the solution to all the goals you mentioned it would certainly help you move in that direction.

jefn 04-27-2009 04:31 AM

Quote:

Originally Posted by win32sux (Post 3521171)
Does GridFTP come with any built-in chroot functionality? That would be specified in the GridFTP documentation, and although it wouldn't be the solution to all the goals you mentioned it would certainly help you move in that direction.

Yeah, GridFTP is a secure file transfer protocol which needs a certificate. The service is a little bit secure, but I think I need to secure the firewall itself. I think I need to know how to limit users to only accessing a specific folder on the firewall, and how I can check if a user is trying to deny the service by sending high traffic.


Thanks a lot,
J
