LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-18-2010, 03:08 PM   #46
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15

Yikes, very good stuff to know about network security. After I have tightened the input and output rules for each of my internal servers, should I start looking into the modsecurity and snort programs you mentioned earlier to be set up on the internal machines as opposed to the firewall itself?

All of this has been invaluable so far, thanks.
 
Old 03-18-2010, 03:22 PM   #47
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
Quote:
Originally Posted by debianfan View Post
Yikes, very good stuff to know about network security. After I have tightened the input and output rules for each of my internal servers, should I start looking into the modsecurity and snort programs you mentioned earlier to be set up on the internal machines as opposed to the firewall itself?
Actually, I highly recommend that you install Snort on a dedicated box but yeah, it sounds to me like you're headed in the right direction. Please don't hesitate to post an update on what your firewall rules look like on both your dedicated firewall as well as your servers when you've progressed, so that we may provide you with some feedback and stuff. It's always good to have another set of eyes with these sorts of things.

Quote:
All of this has been invaluable so far, thanks.
I'm happy to help!

Last edited by win32sux; 03-18-2010 at 03:24 PM.
 
Old 03-19-2010, 11:45 AM   #48
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
So things are starting to come together for me as I read through the iptables documentation you recommended, and as they do I had a few semantic questions for you.

1) In reading, it suggests adding Snort to each of the machines on your network, would this include the firewall?

2) It also recommends using a web proxy such as Squid when planning for the implementation of your webserver. I know you recommended ModSecurity, are there pros/cons to either approach? And what does this entail as far as hardware, etc?

3) One other recommendation is to use a program like Tripwire as a last line of defense to spot if any configuration files have changed over time. Do you recommend this as well, and would this also be installed on all machines including the firewall?

Thanks again.
 
Old 03-19-2010, 12:40 PM   #49
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
Quote:
Originally Posted by debianfan View Post
1) In reading, it suggests adding Snort to each of the machines on your network, would this include the firewall?
Yeah, if you interpreted what he wrote as a suggestion (I didn't), there's no reason why it would only be limited to the servers. Once again, though, I recommend you don't do this. Any time you add new network functionality on a box, you're increasing the risk of it being compromised. Plus, if you've got Snort properly installed on a dedicated box on the LAN (by means of port mirroring, for example), it'll have access to each server's traffic anyway.

Quote:
2) It also recommends using a web proxy such as Squid when planning for the implementation of your webserver. I know you recommended ModSecurity, are there pros/cons to either approach? And what does this entail as far as hardware, etc?
They are completely different tools, so comparing them wouldn't make much sense. Squid will help reduce the load on your servers (and speed up the service to clients), while ModSecurity will provide your HTTP server with application-layer inspection.

Quote:
3) One other recommendation is to use a program like Tripwire as a last line of defense to spot if any configuration files have changed over time. Do you recommend this as well, and would this also be installed on all machines including the firewall?
Yes, the importance of being able to know when things change unexpectedly cannot be overstated. I like (and currently use) Tripwire, but keep in mind that there are better maintained alternatives such as AIDE (which is a Tripwire fork) available. You might also be interested in something more advanced, such as Samhain, which complements the traditional passive approach with an active one, and allows for centralized administration. Of course, there's also tons of other HIDS out there for you to choose from, so by no means should you feel limited to these examples. There's also several tools which are a good idea to run periodically, such as Rootkit Hunter and Tiger, for example.

Last edited by win32sux; 03-19-2010 at 12:41 PM.
 
Old 03-19-2010, 03:28 PM   #50
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Thanks, do you have any references you would point to for Snort and snort-inline setup? I was particularly interested in both IDS and IPS functionality. As for ModSecurity, should I just look at their documentation pages (http://www.modsecurity.org/documentation/faq.html#d0e224) or do you recommend other resources as well?

Also, I had not really asked about it yet, but do you have any recommendations for application level firewalls for a mail server (would a nameserver need one as well)?

Last edited by debianfan; 03-19-2010 at 03:54 PM.
 
Old 03-19-2010, 07:48 PM   #51
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
Quote:
Originally Posted by debianfan View Post
Thanks, do you have any references you would point to for Snort and snort-inline setup? I was particularly interested in both IDS and IPS functionality. As for ModSecurity, should I just look at their documentation pages (http://www.modsecurity.org/documentation/faq.html#d0e224) or do you recommend other resources as well?

Also, I had not really asked about it yet, but do you have any recommendations for application level firewalls for a mail server (would a nameserver need one as well)?
I had a book lying around called Snort for Dummies which IIRC was a pretty neat introduction to Snort. If you do a search for Snort on amazon.com it apparently still shows up, along with a lot of other Snort books. Regarding ModSecurity, I'm hoping others will chime in here soon and share their thoughts, as all I can really say is that there's a couple books with good ratings available on amazon.com. As for application-layer filtering for your other services, you might be able to get a generic proxy firewall such as Zorp GPL to do what you want (I don't know of a more specific solution).

Last edited by win32sux; 03-19-2010 at 07:50 PM.
 
Old 03-20-2010, 09:12 AM   #52
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Ok winding down on questions, but just wanted to double check one thing. In these examples:

Code:
$IPT -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE -d $SERVER_1_LAN_IP -m multiport --dports 443,80,25,22 \
-m state --state NEW -j ACCEPT
Code:
$IPT -t nat -A PREROUTING -p TCP -i $WAN_IFACE -d $SERVER_1_NAT_IP -m multiport --dports 443,80,25,22 \
-j DNAT --to-destination $SERVER_1_LAN_IP
Code:
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -s $SERVER_2_LAN_IP \
-j SNAT --to-source $SERVER_2_NAT_IP
After the backslash in each instance there is an option -m in the first case and -j in the second. Because of how it displayed I can't quite see how it is formatted. Is there a space between the \ and -m or -j, or is there no space and they should be written \-m \-j? Thanks, sorry for the basic question, just going over my work.
 
Old 03-20-2010, 11:08 AM   #53
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Ok, I believe I answered the question above. I tried both ways and \-m and \-j did not produce errors.

However, on a more serious note, I believe I have set up my internal nameserver's firewall ruleset correctly, but it still can't get out to the Ubuntu update servers.

Here is the error I am getting when I try to get out:

Code:
Err http://us.archive.ubuntu.com karmic Release.gpg                         
  Temporary failure resolving 'us.archive.ubuntu.com'
Err http://security.ubuntu.com karmic-security Release.gpg                  
  Temporary failure resolving 'security.ubuntu.com'
Err http://us.archive.ubuntu.com karmic/main Translation-en_US              
  Temporary failure resolving 'us.archive.ubuntu.com'
Err http://security.ubuntu.com karmic-security/main Translation-en_US       
  Temporary failure resolving 'security.ubuntu.com'
Err http://us.archive.ubuntu.com karmic/restricted Translation-en_US        
  Temporary failure resolving 'us.archive.ubuntu.com'
Err http://security.ubuntu.com karmic-security/restricted Translation-en_US 
  Temporary failure resolving 'security.ubuntu.com'
0% [Connecting to us.archive.ubuntu.com] [Connecting to security.ubuntu.com]^C
and here are my firewall rules for my internal nameserver:

Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  709 47174 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    2   120 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    2   128 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 state NEW 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  567 87314 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    2   120 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 443,80 state NEW 
   90  6480 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 state NEW
and here are the firewall machine's rules:

Code:
Chain INPUT (policy DROP 1176 packets, 286K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  600 80770 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    2   128 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2760  283K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    1    60 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.168.21.45       multiport dports 443,80,22 state NEW 
    1    48 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.168.21.46       multiport dports 993,587,143,25,22 state NEW 
    3   192 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.168.21.47       tcp dpt:22 state NEW 
    0     0 ACCEPT     udp  --  eth0   eth1    0.0.0.0/0            192.168.21.47       udp dpt:53 state NEW 
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.168.21.48       tcp dpt:22 state NEW 
    0     0 ACCEPT     udp  --  eth0   eth1    0.0.0.0/0            192.168.21.48       udp dpt:53 state NEW 
    0     0 ACCEPT     tcp  --  eth1   eth0    192.168.21.45        0.0.0.0/0           multiport dports 443,80 state NEW 
    0     0 ACCEPT     udp  --  eth1   eth0    192.168.21.45        0.0.0.0/0           udp dpt:53 state NEW 
    0     0 ACCEPT     tcp  --  eth1   eth0    192.168.21.46        0.0.0.0/0           multiport dports 993,587,443,143,80,25 state NEW 
    0     0 ACCEPT     udp  --  eth1   eth0    192.168.21.46        0.0.0.0/0           udp dpt:53 state NEW 
    0     0 ACCEPT     tcp  --  eth1   eth0    192.168.21.47        0.0.0.0/0           multiport dports 443,80 state NEW 
    0     0 ACCEPT     udp  --  eth1   eth0    192.168.21.47        0.0.0.0/0           udp dpt:53 state NEW 
    0     0 ACCEPT     tcp  --  eth1   eth0    192.168.21.48        0.0.0.0/0           multiport dports 443,80 state NEW 
    0     0 ACCEPT     udp  --  eth1   eth0    192.168.21.48        0.0.0.0/0           udp dpt:53 state NEW 

Chain OUTPUT (policy DROP 24 packets, 1824 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  370 70990 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    4   240 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 443,80 state NEW 
   38  2614 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 state NEW
Do you have an idea of what might be wrong, or how I should troubleshoot? Thanks.

Last edited by debianfan; 03-20-2010 at 01:52 PM.
 
Old 03-20-2010, 01:41 PM   #54
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
The backslashes are only there to escape the newline character. If you're writing the command down on a single line, then you don't need the backslash. As for spaces, you need just one space between each of the options, although in most cases having more than one won't cause any errors.

Regarding the failure to resolve addresses, you'd typically start troubleshooting this sort of thing by temporarily enabling logging in the relevant chains and then studying what the filtered packets look like. Usually, doing so will allow you to see what's wrong pretty quickly. For example, to see if the problem is in the dedicated firewall's FORWARD chain, you could do a:
Code:
iptables -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
...and then watch the log file when you try to update the server again.

When you're done doing your test, you can delete that log rule with a -D option:
Code:
iptables -D FORWARD -j LOG --log-prefix "FORWARD DROP: "
That said, this 192.168.21.27 IP looks new to me, did you change it? In a previous post the IP seemed to be 192.168.21.47, which would perfectly explain why it's not working now. This should also be quite evident in the log file.

Last edited by win32sux; 03-20-2010 at 02:22 PM.
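The "watch the log file" step above, as an added example that is not from the thread: a small POSIX shell script that boils the lines written by the suggested LOG rule down to the connection tuple the firewall refused, so the rule that is missing (or an address that no longer matches, as with the 192.168.21.27 versus 192.168.21.47 question) stands out at a glance. The log lines are constructed for the example; only the "FORWARD DROP: " prefix and the 192.168.21.x addresses come from the thread, and the public addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not the thread's own code: summarise packets that hit a rule
# such as   iptables -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
# Because that rule is appended after the ACCEPT rules, every line it writes
# is a packet no ACCEPT rule wanted, which is exactly what we need to see.

# Constructed sample of kernel log lines in the layout the LOG target emits
# (field names are the real ones; timestamps and public addresses are made up).
SAMPLE_LOG='Mar 20 14:01:02 fw kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.21.27 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 20 14:01:03 fw kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.21.27 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 20 14:01:03 fw kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.21.27 DST=203.0.113.53 LEN=62 TOS=0x00 PREC=0x00 TTL=63 ID=3 PROTO=UDP SPT=34567 DPT=53 LEN=42
Mar 20 14:01:09 fw kernel: FORWARD DROP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.21.45 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=4 PROTO=TCP SPT=1337 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 20 14:01:10 fw kernel: unrelated message that must be ignored'

# Reduce every logged packet to "IN>OUT SRC -> DST PROTO/DPT" and count how
# often each tuple was refused, most frequent first. Reads log text on stdin.
summarize_drops() {
    grep -o 'FORWARD DROP: .*' | awk '
        {
            split("", f)                     # clear the key=value map per line
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
            printf "%s>%s %s -> %s %s/%s\n",
                   f["IN"], f["OUT"], f["SRC"], f["DST"], f["PROTO"], f["DPT"]
        }' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# LAN hosts whose outbound traffic was refused (packets entering on the LAN
# interface given as $1). A host listed here but absent from the FORWARD
# ACCEPT rules is the mismatch win32sux describes. Reads log text on stdin.
refused_lan_sources() {
    summarize_drops | awk -v lan="$1" '$2 ~ ("^" lan ">") { print $3 }' | sort -u
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the Ubuntu firewall in the thread the LOG lines land in the kernel log (`dmesg`, or /var/log/kern.log via syslog), so `grep 'FORWARD DROP' /var/log/kern.log | summarize_drops` gives the same summary on live data; the first line of output is the tuple the firewall refused most often, and `refused_lan_sources eth1` lists the LAN addresses behind those refusals.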
 
Old 03-20-2010, 02:36 PM   #55
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Ok, I did not see any FORWARD DROP messages within the firewall log messages. Should I then proceed to do the same thing on the internal machine to double check if the problem lies there?

I double checked my network configuration, and the firewall script IP addresses and the IP assigned to the internal machine are the same.

I will post back shortly to report what I see in the internal machine's records.

Thanks.
 
Old 03-20-2010, 02:52 PM   #56
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Just ran a similar command in the output rules of the internal machine's iptables:

Code:
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
Unfortunately there was no log event here either when the error message appeared. I checked iptables and it looks like no packets were dropped on output either.

Code:
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  170 22859 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    2   120 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 443,80 state NEW 
   92  6698 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 state NEW 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `OUTPUT DROP: '
I noticed my time is off on this internal machine, so I tried to run ntpdate to synchronize it manually and received this error as well:

Code:
Name server cannot be used, exiting
20 Mar 09:42:43 ntpdate[1172]: name server cannot be used, reason: Temporary failure in name resolution
Do you have any ideas on where to look next? Thanks again.
 
Old 03-20-2010, 02:53 PM   #57
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
Have you verified that /etc/resolv.conf is properly set on the server?
 
Old 03-20-2010, 03:00 PM   #58
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Ahh good idea, always jumping ahead. I just checked and it looks like I had configured it to the IP address of the LAN side of the firewall, 192.168.21.1.

Probably basic question but this likely won't be able to pass along the firewall's nameservers, correct?

And hah that was it, yup I definitely jump ahead a little too much. I am able to get out now.

Thanks, and sorry for the confusion.

Last edited by debianfan; 03-20-2010 at 03:03 PM.
 
Old 03-20-2010, 03:06 PM   #59
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
Quote:
Originally Posted by debianfan View Post
Ahh good idea, always jumping ahead. I just checked and it looks like I had configured it to the IP address of the LAN side of the firewall, 192.168.21.1.
That's what I suspected.

That would work if you had something like Dnsmasq running on the firewall's LAN side.

Quote:
Probably basic question but this likely won't be able to pass along the firewall's nameservers, correct?
Not sure I understand the question, could you rephrase it please? FWIW, you'd basically just need to set the same nameserver IPs which you've got set on your firewall. In other words, the ones which typically belong to your ISP.

EDIT: Oh, okay, I see you've got things under control now. Cool!

Last edited by win32sux; 03-20-2010 at 03:08 PM.
 
Old 03-20-2010, 03:12 PM   #60
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
BTW, specifying the IP of your ISP's DNS servers in your iptables rules could be part of your rule-tightening first steps. In other words, instead of having something like:
Code:
$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE --dport 53 \
-m state --state NEW -j ACCEPT
...you could have something like:
Code:
$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE --dport 53 \
-d $ISP_DNS_SERVER_1 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE --dport 53 \
-d $ISP_DNS_SERVER_2 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE --dport 53 \
-d $ISP_DNS_SERVER_3 -m state --state NEW -j ACCEPT
Or install Dnsmasq and eliminate the need to have any FORWARD rules for outbound DNS lookups.

Last edited by win32sux; 03-20-2010 at 03:33 PM.
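The per-resolver tightening shown above, as an added example that is not win32sux's script: a POSIX shell function that derives the FORWARD rules from the nameserver list in a resolv.conf, so the firewall script and the servers' resolver configuration (the mismatch that caused the "Temporary failure resolving" error earlier in the thread) are built from one source. It goes beyond the post in two ways, both stated here as choices of the example: it drops duplicate and malformed nameserver entries before they reach a rule, and it emits TCP 53 beside UDP 53, since resolvers fall back to TCP for answers too large for UDP. The $IPT, $LAN_IFACE and $WAN_IFACE names are the thread's; the resolv.conf contents and resolver addresses are constructed.

```shell
#!/bin/sh
# Added example, not the thread's own code: generate one stateful FORWARD
# rule per ISP resolver (UDP and TCP 53) from a resolv.conf read on stdin.

# Constructed sample resolv.conf; the addresses are documentation-range values,
# not real resolvers. It deliberately contains a duplicate and a bad entry.
SAMPLE_RESOLV_CONF='# constructed sample /etc/resolv.conf
search example.lan
nameserver 198.51.100.1
nameserver 198.51.100.2
nameserver 198.51.100.1
nameserver not-an-address
options timeout:2'

# Print the distinct IPv4 nameserver entries, in order of first appearance.
# Anything that is not a dotted quad is skipped rather than passed into a rule.
resolvers() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$2]++ { print $2 }'
}

# Emit the rules in the same form as the thread's firewall script, one pair
# (UDP, TCP) per resolver, ready to paste where the generic --dport 53 rule was.
dns_forward_rules() {
    resolvers | while read -r ns; do
        for proto in UDP TCP; do
            printf '$IPT -A FORWARD -p %s -i $LAN_IFACE -o $WAN_IFACE -d %s --dport 53 -m state --state NEW -j ACCEPT\n' \
                "$proto" "$ns"
        done
    done
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_RESOLV_CONF" | dns_forward_rules
```

Run as `dns_forward_rules < /etc/resolv.conf` on the firewall to get rules for the resolvers it actually uses; the internal servers then point their own /etc/resolv.conf at the same addresses, which is the "set the same nameserver IPs which you've got set on your firewall" advice from post #59. If Dnsmasq is installed on the firewall's LAN side instead, as the post's last sentence suggests, these FORWARD rules are not needed and the servers point at 192.168.21.1.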
 
  

