LinuxQuestions.org
Old 04-21-2009, 02:42 PM   #1
jefn
Member
 
Registered: Mar 2009
Posts: 37

Rep: Reputation: 15
How to secure an open port in iptables


Hi folks,

I need your experience and suggestions. I have a firewall (iptables) and I have to open the port 2811 (gridftp service) for the public. How can I make it secure against attacks?


Thank you all in advance,
Jefn
 
Old 04-21-2009, 03:05 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by jefn View Post
How can I make it secure against attacks ?
What kind of attacks?
 
Old 04-22-2009, 01:42 AM   #3
jefn
Member
 
Registered: Mar 2009
Posts: 37

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
What kind of attacks?
All kinds of attack if I keep this port open to the public?
All attacks in general?
 
Old 04-22-2009, 02:30 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by jefn View Post
All kinds of attack if I keep this port open to the public?
All attacks in general?
If you could make yourself secure against "all attacks in general" then forums like this one wouldn't need to exist. It's like asking how you can protect your house from all attacks in general - there's simply no way you can do that. Resources are scarce, and you're gonna have to pick certain threats to defend against, and others to live with. Ideally, the ones you defend against will be those that represent the highest risk to you.

I'm not gonna pretend I know what GridFTP is (I don't have a clue), and without that knowledge it's simply unrealistic for me to offer any special suggestions as to how you can harden it. This is even more true considering you haven't specified what you want to harden it against. The most generic recommendation I could give you is to use mandatory access control, since that's a really good idea for any service connected to the Internet. Of course, as I said before, nothing will protect you against everything.

Last edited by win32sux; 04-22-2009 at 02:33 AM.
 
Old 04-23-2009, 03:40 AM   #5
jefn
Member
 
Registered: Mar 2009
Posts: 37

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
If you could make yourself secure against "all attacks in general" then forums like this one wouldn't need to exist. It's like asking how you can protect your house from all attacks in general - there's simply no way you can do that. Resources are scarce, and you're gonna have to pick certain threats to defend against, and others to live with. Ideally, the ones you defend against will be those that represent the highest risk to you.

I'm not gonna pretend I know what GridFTP is (I don't have a clue), and without that knowledge it's simply unrealistic for me to offer any special suggestions as to how you can harden it. This is even more true considering you haven't specified what you want to harden it against. The most generic recommendation I could give you is to use mandatory access control, since that's a really good idea for any service connected to the Internet. Of course, as I said before, nothing will protect you against everything.
Thanks mate for your sincere help. I know that it is difficult to secure a firewall (iptables) against attack but I meant the general practice to secure my gateway. But things like spoofing, DoS, ... are meant in my question. In other words, imagine that you have a Linux workstation running as a gateway and you have to open port 2811. Now, what kind of attacks might be there?


Thanks again,
Jefn
 
Old 04-23-2009, 09:32 AM   #6
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by jefn View Post
Thanks mate for your sincere help. I know that it is difficult to secure a firewall (iptables) against attack but I meant the general practice to secure my gateway. But things like spoofing, DoS, ... are meant in my question. In other words, imagine that you have a Linux workstation running as a gateway and you have to open port 2811. Now, what kind of attacks might be there?


Thanks again,
Jefn
Since you've a gridftp service running, I'd imagine any type of attack related to that service is what you'd have to worry about, plus anything ftp-related (such as brute-force attempts). Sounds like a job for snort and/or denyhosts/fail2ban, and maybe others. How open is this service? Do you intend for the service to be publicly accessible or are you going to give access to a select few? If it's just a few, then you can limit those few and not allow anyone else by use of tcpwrappers or even the firewall itself (or both).
 
Old 04-24-2009, 02:36 AM   #7
jefn
Member
 
Registered: Mar 2009
Posts: 37

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unixfool View Post
Since you've a gridftp service running, I'd imagine any type of attack related to that service is what you'd have to worry about, plus anything ftp-related (such as brute-force attempts). Sounds like a job for snort and/or denyhosts/fail2ban, and maybe others. How open is this service? Do you intend for the service to be publicly accessible or are you going to give access to a select few? If it's just a few, then you can limit those few and not allow anyone else by use of tcpwrappers or even the firewall itself (or both).

The service should be running all the time and publicly accessible. I want to use just iptables to secure the port against any related attack. Sorry my friends that I am not an expert in security but I want to provide this service for the public but I am afraid that someone can attack my iptables easily. I know that there is no 100% guarantee of security but I want to set the maximum measures of security. Now, how can I implement some of these measures like what you sirs said, brute-force attempts, ... etc.? Can you please provide me with examples to implement on iptables or good websites that have these examples?


Thanks all for your help.
 
Old 04-24-2009, 04:12 AM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by jefn View Post
The service should be running all the time and publicly accessible.
Which is why you need to focus your energy on that instead of iptables.

Quote:
I want to use just iptables to secure the port against any related attack. Sorry my friends that I am not an expert in security but I want to provide this service for the public but I am afraid that someone can attack my iptables easily. I know that there is no 100% guarantee of security but I want to set the maximum measures of security. Now, how can I implement some of these measures like what you sirs said, brute-force attempts, ... etc.? Can you please provide me with examples to implement on iptables or good websites that have these examples?
You've got your priorities out of order IMHO. You need to focus on securing the service you are providing. Iptables is just a precautionary measure against unwanted transport/network layer traffic. Most of the threat nowadays lies at the application layer, however. Ideally, you'd want your service to be reasonably secure with or without iptables. In summary, you don't secure "the port", you secure "the service that is listening on the port".

Last edited by win32sux; 04-24-2009 at 07:31 AM.
 
Old 04-24-2009, 10:25 AM   #9
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
That's what I should've said first. Harden the service first, then apply other layers of security.
 
Old 04-25-2009, 01:57 AM   #10
jefn
Member
 
Registered: Mar 2009
Posts: 37

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
Which is why you need to focus your energy on that instead of iptables.

You've got your priorities out of order IMHO. You need to focus on securing the service you are providing. Iptables is just a precautionary measure against unwanted transport/network layer traffic. Most of the threat nowadays lies at the application layer, however. Ideally, you'd want your service to be reasonably secure with or without iptables. In summary, you don't secure "the port", you secure "the service that is listening on the port".
Securing the service, how can I do that?
 
Old 04-25-2009, 01:59 AM   #11
jefn
Member
 
Registered: Mar 2009
Posts: 37

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unixfool View Post
That's what I should've said first. Harden the service first, then apply other layers of security.
But how do I do that practically? A friend told me that I can add some security in iptables using "connlimit" and threshold. Can I use them?
 
Old 04-25-2009, 10:29 AM   #12
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
I've no experience with GridFTP, but if it's like any other service, you should be able to manipulate who can access what files, who can write to certain directories, who can delete directories, turn on/off anonymous access, turn off root access...all of these things.

I'd also check on the recent bug reports for that software, check what version you have and mitigate any risks that are exposed by the bug reports.
 
Old 04-26-2009, 03:37 AM   #13
jefn
Member
 
Registered: Mar 2009
Posts: 37

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unixfool View Post
I've no experience with GridFTP, but if it's like any other service, you should be able to manipulate who can access what files, who can write to certain directories, who can delete directories, turn on/off anonymous access, turn off root access...all of these things.

I'd also check on the recent bug reports for that software, check what version you have and mitigate any risks that are exposed by the bug reports.

Yeah, this is what I would like to do:
- users only can write to a specific directory.
- users cannot read or copy any file from that directory.
- users can only access that directory.

Could you please help me to do that?

Sorry that my experience is not that good in Linux.

Thanks in advance,
Jefn
 
Old 04-26-2009, 04:02 AM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by jefn View Post
Yeah, this is what I would like to do:
- users only can write to a specific directory.
- users cannot read or copy any file from that directory.
- users can only access that directory.

Could you please help me to do that?

Sorry that my experience is not that good in Linux.

Thanks in advance,
Jefn
Does GridFTP come with any built-in chroot functionality? That would be specified in the GridFTP documentation, and although it wouldn't be the solution to all the goals you mentioned it would certainly help you move in that direction.

Last edited by win32sux; 04-26-2009 at 04:10 AM.
 
Old 04-27-2009, 04:31 AM   #15
jefn
Member
 
Registered: Mar 2009
Posts: 37

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
Does GridFTP come with any built-in chroot functionality? That would be specified in the GridFTP documentation, and although it wouldn't be the solution to all the goals you mentioned it would certainly help you move in that direction.
Yeah, GridFTP is a secure file transfer protocol which needs a certificate. The service is a little bit secure but I think I need to secure the firewall itself. I think I need to know how to limit users to only access a specific folder on the firewall, and how I can check if a user is trying to deny a service by sending high traffic.


Thanks a lot,
J
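
The "connlimit" and threshold idea raised in post #11, and the question in the last post about noticing a client that sends high traffic, as an added example that is not part of the thread: a shell function that prints an iptables-restore fragment guarding the control port 2811 only. The chain names GRIDFTP_GUARD and GRIDFTP_FLOOD, the limits, the log prefix, and the choice of the hashlimit match as the "threshold" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Chain names, limits and log prefix are
# illustrative assumptions; 2811 is the GridFTP control port named in the thread.

gridftp_rules() {
    port=${1:-2811}       # public TCP port to guard
    max_conn=${2:-10}     # parallel connections allowed per source address
    new_per_min=${3:-30}  # new connections per minute allowed per source address

    # Accept plain numbers only, so an argument can never add text to a rule.
    for v in "$port" "$max_conn" "$new_per_min"; do
        case $v in
            ''|*[!0-9]*) echo "not a number: $v" >&2; return 1 ;;
        esac
    done
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi

    cat <<EOF
*filter
:GRIDFTP_GUARD - [0:0]
:GRIDFTP_FLOOD - [0:0]
# Excess traffic: log at most 6 lines a minute, then drop.
-A GRIDFTP_FLOOD -m limit --limit 6/minute -j LOG --log-prefix "gridftp-flood: "
-A GRIDFTP_FLOOD -j DROP
# connlimit: cap simultaneous connections from one source address.
-A GRIDFTP_GUARD -p tcp -m connlimit --connlimit-above $max_conn -j REJECT --reject-with tcp-reset
# hashlimit: per-source threshold on the rate of new connections.
-A GRIDFTP_GUARD -m hashlimit --hashlimit-name gridftp --hashlimit-mode srcip --hashlimit-above $new_per_min/minute --hashlimit-burst $new_per_min -j GRIDFTP_FLOOD
# Within limits: return to INPUT so the existing accept rule still decides.
-A GRIDFTP_GUARD -j RETURN
# Send only connection attempts (SYN) for the service port through the guard.
-I INPUT 1 -p tcp --dport $port --syn -j GRIDFTP_GUARD
COMMIT
EOF
}

# Print the fragment; review it before loading it on a real gateway.
gridftp_rules "$@"
```

As root, pipe the output to `iptables-restore --noflush --test` to have it parsed without being committed, then load it once without `--test`. Sources that exceed the rate threshold then appear in the kernel log under the `gridftp-flood: ` prefix.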
 