LinuxQuestions.org

Linux - Security: Is this an ok firewall? (https://www.linuxquestions.org/questions/linux-security-4/is-this-an-ok-firewall-143909/)

Tyir 02-08-2004 11:18 PM

Is this an ok firewall?
 
Ok, so to set up ssh, I had to get a new firewall.
I found this script on the net.
Is this good enough? It seems pretty simple, but I don't really know if that's a good thing or a bad thing...
I basically just need basic internet stuff and ssh, no mail/web server etc.

[code]
#!/bin/bash
# main code is from Ziegler's book "Linux Firewalls":
# "optimized code for stand-alone firewall"
#
# modified from our gateway firewall script to use it only on stand-alone Lin$
# OUTPUT chain has default policy "accept".
# So all the rules below are about allowing some input ports.
# First Date: Oct. 11th, 2002
#################################################################
# Load Modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_filter

EXT_IF="eth0" # network interface to the external: 128$
LOOPBACK_INTERFACE="lo" # however your system names it
EXT_IPADDR="192.168.1.166" # static allocated IP address
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well-known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
IMAP4SSL_PORT="993"

###############################################################
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Drop Spoofed Packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Do not log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 0 > $f
done
###############################################################

# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# Unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Set the default policy to drop
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP

iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy OUTPUT ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t mangle --policy PREROUTING ACCEPT
iptables -t mangle --policy OUTPUT ACCEPT

# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
###############################################################
# Using Connection State to By-pass Rule Checking

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

###############################################################
# Stealth Scans and TCP State Flags
# All of the bits are cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
###############################################################
# Source Address Spoofing and Other Bad Addresses
iptables -A OUTPUT -s ! $EXT_IPADDR -j DROP
iptables -A INPUT -p ! udp -d $CLASS_D_MULTICAST -j DROP
##############################################################
# ICMP Control and Status Messages
# allow incoming pings from anywhere
iptables -A INPUT -p icmp --icmp-type echo-request -d $EXT_IPADDR \
-m state --state NEW -j ACCEPT
# Drop initial ICMP fragments
iptables -A INPUT -p icmp --fragment -j DROP
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT

# Intermediate traceroute responses
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

###############################################################
# Accept the following input requests and ports #
###############################################################
# reject outside AUTH request.
# (the posted line was cut off after "--reject-w"; the --reject-with argument is restored here as tcp-reset)
iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport 113 -j REJECT --reject-with tcp-reset
###############################################################
# Accept SMTP, IMAPS from outside.
# (the posted lines were cut off after "--state NEW" and "-m state"; completed to the ACCEPT the comment describes)
iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport $IMAP4SSL_PORT -m state --state NEW -j ACCEPT
###############################################################
# accept outside ssh (TCP Port 22)
# (the posted line was cut off after "--state NEW"; completed to the ACCEPT the comment describes)
iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport 22 -m state --state NEW -j ACCEPT
[/code]

EDIT:
I did a web port scan, and they found that port 22 is OPEN, but this is necessary, and can't be hidden (I learned this from the thread about it on this page).
But ssh is very secure, right, so I shouldn't have to worry? Oh, and when I got my friend to ssh, he had the option of a basic or encrypted pass; can I remove the basic option? I'm guessing that would be in sshd_config, I will go look around in there...

jtshaw 02-08-2004 11:22 PM

Ya, that is pretty good. If you don't run an SMTP or IMAPS server you don't need those lines in there. Basically the only things it'll let in currently are ssh, SMTP, and IMAPS, though, and it shouldn't reply to port scanning.

Tyir 02-08-2004 11:27 PM

SMTP is only if I want it to be a mail server, right? Which I don't....

So I will get rid of those lines...

Also, do ./rc.firewall start|stop work?

Otherwise, how would I turn it off (if I wanted to)?

jtshaw 02-08-2004 11:31 PM

The following 3 commands should turn everything off.
Code:

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
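As an added example (not from the thread, and not the script from Ziegler's book), here is a small start/stop wrapper of the kind Tyir asks about. It assumes the posted ruleset has been saved as /etc/rc.firewall.rules (a hypothetical path) and that iptables is on PATH. One caveat a practitioner should know: flushing only empties the chains, it does not change their default policy, so after the three flush commands above the INPUT chain is empty but still set to DROP, which blocks all inbound traffic rather than turning the firewall off. The wrapper therefore resets the policies to ACCEPT before flushing. Setting IPTABLES=echo prints the commands instead of executing them, which lets you check the ordering without touching a live firewall.

```shell
#!/bin/sh
# Added example: start/stop wrapper for an iptables ruleset (not the thread's own script).
# Assumptions: the posted rules are saved at $RULESET (hypothetical path) and
# iptables is on PATH. Run with IPTABLES=echo to dry-run the commands.
IPTABLES="${IPTABLES:-iptables}"
RULESET="${RULESET:-/etc/rc.firewall.rules}"   # hypothetical path to the saved ruleset

# Apply the ruleset (it sets the sysctls, flushes, sets policies and adds rules).
firewall_start() {
    sh "$RULESET"
}

# Turn the firewall off. Order matters: with "--policy INPUT DROP" still in
# place, an empty INPUT chain blocks everything, so reset the policies to
# ACCEPT first, then flush and delete the chains in every table.
firewall_stop() {
    for chain in INPUT OUTPUT FORWARD; do
        "$IPTABLES" --policy "$chain" ACCEPT
    done
    for table in filter nat mangle; do
        "$IPTABLES" -t "$table" --flush
        "$IPTABLES" -t "$table" --delete-chain
    done
}

# Show the rules currently loaded, with packet/byte counters.
firewall_status() {
    "$IPTABLES" -L -n -v
}

case "${1:-}" in
    start)   firewall_start ;;
    stop)    firewall_stop ;;
    restart) firewall_stop; firewall_start ;;
    status)  firewall_status ;;
    "")      ;;   # no argument (e.g. sourced): only define the functions
    *)       echo "usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Save it as rc.firewall, make it executable, and use `./rc.firewall stop` when you need the box fully open again; `./rc.firewall status` is the quickest way to confirm which policy and rules are actually loaded.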

Tyir 02-08-2004 11:56 PM

Alright, I ran nmap..
Code:

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2004-02-09 00:51 EST
Interesting ports on localhost (127.0.0.1):
(The 1647 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
37/tcp  open  time
79/tcp  open  finger
113/tcp  open  auth
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
901/tcp  open  samba-swat
6000/tcp open  X11
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 0.039 days (since Sun Feb  8 23:56:19 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 6.741 seconds

I'm worried about ftp and X11... should I change the script?

chort 02-09-2004 12:00 AM

By the way, I wouldn't disable logging martians. You want to know if some device on your network has a wrong IP address (or is trying to spoof an address, perhaps as part of a DoS attack on some remote host). You also want to know if a packet is trying to spoof its way in from outside your firewall.

SSH is only as secure as the daemon that's running it. What version of OpenSSH are you running, and do you know if you've updated it since you installed the system? If you haven't installed at least one update for OpenSSH, chances are it's vulnerable.

chort 02-09-2004 12:02 AM

Your firewall isn't protecting your loopback adaptor (which is what you ran nmap against). Try running the scan from outside your box (maybe from another box on your network?).

Edit: Oh, I should clarify that... your loopback adaptor is only available to the machine itself, not to the outside world. If you're firewalling your network card, then no one else can connect to your loopback adaptor. You need to run nmap against your NIC's IP, not against localhost (localhost will resolve to the loopback).

Tyir 02-09-2004 01:16 AM

So I should nmap my ISP's IP then?

Logging martians? What? :D


I can't find where my firewall puts its logs, by the way....

02:14:26-~:ssh -V
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003

Also:
scp doesn't seem to work (?)
but sftp does, so if I use sftp to copy files, I guess I need that port open, eh?

chort 02-09-2004 03:21 AM

In /etc/ssh/sshd_config, change the line that says either
Protocol 2,1
or
#Protocol 2,1

to:
Protocol 2
(don't forget to start and stop sshd after you save this change)

The reason is that SSHv1 has a number of flaws which, although mostly mitigated by workarounds in OpenSSH, still make it not entirely safe.

You must be using scp incorrectly, because it will work as long as normal ssh does. Recheck your syntax to make sure you're doing it right. Also, make sure you're scp'ing in the correct direction. You can't open an scp connection to a host that is not running an ssh daemon.

As for the martians, I'm referring to this section:
Code:

# Do not log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 0 > $f
done

Personally, I would take it out. Leaving it in will let you know when something weird is going on and you're getting traffic from IPs that, in theory, you should not be able to get traffic from. This would indicate either spoofing or a local device that is misconfigured. In either case, I think you would want to know about that.

Edit: Oh, and to get the correct IP address to scan, do
ifconfig eth0
look for the address. That is the one you want to nmap. It may or may not work if you do it from the same machine, though (depending on how iptables and your NIC driver handle that sort of thing). The best solution would be to use another computer to nmap it.
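Added example, not part of chort's post: a small shell helper that makes the sshd_config edit described above and reports the effective Protocol setting afterwards. It handles the three states the file can be in: an active `Protocol 2,1` line, the commented `#Protocol 2,1` default, or no Protocol line at all (in which case sshd falls back to its built-in default, assumed here to be 2,1 as the commented line suggests). Any later duplicate Protocol lines are dropped so that the single `Protocol 2` line is the one sshd reads. The config path is passed as an argument; restarting sshd afterwards is left to the admin.

```shell
#!/bin/sh
# Added example (not from the thread): force "Protocol 2" in an sshd_config-style file.
# Assumption: the built-in default when no Protocol line exists is "2,1"
# (what the commented "#Protocol 2,1" line in the thread shows).

# Print the Protocol value sshd would use: the first uncommented "Protocol"
# directive, or the assumed default "2,1" when there is none.
ssh_effective_protocol() {
    awk '
        tolower($1) == "protocol" { print $2; found = 1; exit }
        END { if (!found) print "2,1" }
    ' "$1"
}

# Rewrite the file so that its only Protocol directive is "Protocol 2".
# The first line that looks like a Protocol directive (commented or not) is
# replaced, later duplicates are removed, and if none exists one is appended.
ssh_force_protocol2() {
    cfg="$1"
    tmp="${cfg}.tmp.$$"
    awk '
        # matches "Protocol 2,1", "#Protocol 2,1", "Protocol 1", ... case-insensitively
        tolower($0) ~ /^[[:space:]]*#*[[:space:]]*protocol[[:space:]]+[0-9,]+[[:space:]]*$/ {
            if (!done) { print "Protocol 2"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Protocol 2" }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Usage: ./ssh_protocol2.sh /etc/ssh/sshd_config  (then restart sshd)
if [ -n "${1:-}" ]; then
    ssh_force_protocol2 "$1"
    echo "effective Protocol in $1: $(ssh_effective_protocol "$1")"
fi
```

Run `ssh_effective_protocol /etc/ssh/sshd_config` before and after the change to see the difference; a result of `2` means SSHv1 clients will be refused once sshd has been restarted.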

