Linux - Security (LinuxQuestions.org forum)
I need an expert eye on my FW rules to see if everything is OK. I have been using these for a very long time and don't have any problems. I want to have these evaluated once and for all so that I don't ever have to come back to them.
I don't know what some of the rules are for and I am not sure if the rules are ordered correctly. Can anyone see any problems/weaknesses in them? Are there any rules I don't need and can be removed? The server handles HTTP, incoming-only SMTP delivery, and DNS requests. Thanks.
Code:
# Generated by iptables-save v1.4.21 on Sat May 26 00:03:57 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [716:124495]
-A INPUT -s xxx.xxx.xxx.xxx/32 -m comment --comment "all access from own IP" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat May 26 00:03:57 2018
I'm certainly not an expert on firewall rules, but all the ports listed as open are ports that legitimately could be open for tcp, http, https, and email.
Your defaults are all drops, and mine are all accepts. Which is better? My rules are for a server. At the moment all outgoing traffic is allowed. This seems too relaxed.
Quote:
Originally Posted by DevGuy
I have been using these for a very long time and don't have any problems.
You may encounter problems on different levels. For now remember that continuous systems hardening and monitoring are a given, and that compromises most likely take place at OSI layer 7 (application) and 8 (wetware ;-p).
Quote:
Originally Posted by DevGuy
I want to have these evaluated once and for all so that I don't ever have to come back to them.
Your use of the machine should include regular review of security posture. An ounce of prevention and all that.
Quote:
Originally Posted by DevGuy
I don't know what some of the rules are for and I am not sure if the rules are ordered correctly.
If you're a Dev guy doing Ops then your rudimentary knowledge should include basic Linux admin knowledge I'd say?
Quote:
Originally Posted by DevGuy
Can anyone see any problems/weaknesses in them? Are there any rules I don't need and can be removed? The server handles HTTP, incoming-only SMTP delivery, and DNS requests.
Looks OK. Slight tweaks:
Code:
*filter
:INPUT ACCEPT [0:0]
# You're not forwarding so explicitly deny it.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [716:124495]
# Get loopback device out of the way, also keeps you from having to use Ethernet device names if you have just one.
-A INPUT -i lo -j ACCEPT
# The next rules should be ordered "first match wins", meaning since it's a server you want to prioritize what you serve, yes?
# I've taken the liberty to make this an Internet-facing server so prioritize DNS over the rest and remote over local req's.
# Tweak or remove limits as you see fit. Also spot a new port for SSH:
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 53 -m limit --limit 10/s -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 80,443 -m limit --limit 120/s -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 22,25 -m limit --limit 1/s -j ACCEPT
# Replies to connections already accepted above. NEW must not appear here: a catch-all that accepts NEW would match every inbound connection first, making the per-port limits and the final REJECT dead code.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -m comment --comment "all access from own IP" -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Indeed your egress rule set is empty. You could populate it with a list of bogon ranges (https://www.team-cymru.org/Services/...ogons-ipv4.txt), common ports for say IRC and Bitcoin miners, but instead of that I'd invest time in basic hardening & monitoring.
Quote:
If you're a Dev guy doing Ops then your rudimentary knowledge should include basic Linux admin knowledge I'd say?
Too much knowledge makes for too little time. I am happy to outsource to experts. Gives them a chance to use their skills before becoming rusty.
Based on your evaluation, I have modified my FW rules accordingly:
Quote:
# Generated by iptables-save v1.4.21 on Sun May 27 14:49:37 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [485:169191]
-A INPUT -s xxx.xxx.xxx.xxx/32 -m comment --comment "all access from own IP" -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport xxxxx -m comment --comment Apps -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 53 -m limit --limit 10/sec -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -m limit --limit 5/sec -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 80,443 -m limit --limit 120/sec -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -m limit --limit 10/sec -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport xxxxxx -m comment --comment "backup access from secondary server" -j ACCEPT
# Stateful catch-all for replies only; with NEW included here every inbound connection would be accepted before reaching the REJECT below.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j LOG
COMMIT
# Completed on Sun May 27 14:49:37 2018
The "all access from own IP" rule remains at the top because that's a script generated entry (done on demand), and I don't know a way to generate it at an arbitrary line towards the bottom.
I have no idea what the appropriate limits should be. So, I am using the ones you indicated.
Port 25 SMTP limit is set to 10. No idea if this is good but seems more forgiving than 1.
Public access to SSH port 22 is not required. All SSH access will be private and granted by the "all access from own IP" rule.
I have decided not to add any OUTPUT rules but to set up log for observation. At the moment, most of the log is about port 22 which I don't need. How do I exclude port 22 from logging?
I don't use open rules to initialize. I set the filter tables to drop. I specifically block all private address spaces except what I'm using, and about half of ipv4 address space. But if you initialize with a drop policy, you have to specifically allow everything.
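The following is an added example, not code posted by anyone in this thread. It pulls together three points raised above: the "first match wins" ordering and rate limits from the tweaked rule set, the question of keeping sshd's replies out of the OUTPUT log, and the drop-policy approach with private address ranges blocked on the public interface. It emits an iptables-restore file rather than calling iptables directly, and includes a small check for the mistake of a stateful catch-all that also accepts NEW. `WAN_IF`, `ADMIN_IP` (a TEST-NET-1 placeholder) and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables-restore
# ruleset for a host serving DNS, HTTP(S) and inbound SMTP, with DROP
# default policies, private-range source filtering on the WAN interface,
# "first match wins" ordering, and OUTPUT logging limited to connections
# the host itself opens. WAN_IF, ADMIN_IP and the log prefix are assumptions.

WAN_IF="${WAN_IF:-eth0}"            # assumed public interface name
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"   # placeholder admin address (TEST-NET-1)

# Source ranges that can never legitimately arrive on a public interface.
BOGON_SRC="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16"

build_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first so nothing below needs to consider it.
-A INPUT -i lo -j ACCEPT
EOF
for net in $BOGON_SRC; do
    echo "-A INPUT -i $WAN_IF -s $net -j DROP"
done
cat <<EOF
# Replies to connections this host already knows about. NEW is deliberately
# absent: with it, every rule below (limits and the final REJECT) is dead code.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $ADMIN_IP/32 -m comment --comment "all access from own IP" -j ACCEPT
-A INPUT -p icmp -m limit --limit 5/s -j ACCEPT
# Served ports, most important first; packets over the limit fall through to REJECT.
-A INPUT -p udp -m conntrack --ctstate NEW --dport 53 -m limit --limit 10/s -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 53 -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -m limit --limit 120/s --limit-burst 200 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 25 -m limit --limit 10/s -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# OUTPUT: replies (sshd's included) pass unlogged; only connections the host
# initiates reach LOG, rate-limited so a burst cannot flood the kernel log.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "OUT-NEW: " --log-level 6
COMMIT
EOF
}

# Static check for the pitfall seen earlier in this thread: an INPUT ACCEPT
# whose state match includes NEW but carries no port or source restriction.
# Reads a ruleset on stdin; returns 0 when no such rule exists.
check_ruleset() {
    if grep -E '^-A INPUT .*-j ACCEPT' \
        | grep -Ev -e '--dports? ' -e ' -s ' \
        | grep -Eq -e '--(ctstate|state) [A-Z,]*NEW'; then
        echo "check_ruleset: unrestricted NEW accept in INPUT" >&2
        return 1
    fi
    return 0
}
```

Typical use is `build_ruleset > /etc/iptables/rules.v4`, then `iptables-restore --test < /etc/iptables/rules.v4` to parse it without committing, then `build_ruleset | check_ruleset` before loading it for real. Because the OUTPUT chain accepts RELATED,ESTABLISHED before the LOG rule, packets sshd sends back to an admin session never reach LOG; the log then contains only connections the server itself opened, which is the traffic worth watching. The admin address must be a public one here, since the private-range drops sit above it.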
Quote:
I don't use open rules to initialize. I set the filter tables to drop. I specifically block all private address spaces except what I'm using, and about half of ipv4 address space. But if you initialize with a drop policy, you have to specifically allow everything.
Can I see a short sample? If it makes sense to me, I'll make use of what you have.
My INPUT rules should be OK.
I'm not sure whether it's because I don't know how to read the OUTPUT log, but my server appears to be contacting IPs from all over the place. Not sure why. I could do with some control over that.
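As an added example (not from any post in this thread), here is one way to read that OUTPUT log: an awk pass over the kernel's iptables LOG lines that skips sshd's replies (source port 22, the entries the poster wants to exclude) and tallies the remaining traffic by protocol, destination and destination port. The log lines in `SAMPLE_LOG` are constructed for the example and use documentation address ranges; the function itself works on real `journalctl -k` or `/var/log/kern.log` output.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarises iptables LOG lines
# from the OUTPUT chain by protocol, destination and port, skipping packets
# with source port 22 (sshd answering an admin session).

# Constructed sample of kernel LOG output; addresses are from documentation ranges.
SAMPLE_LOG='May 27 15:02:11 srv kernel: IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
May 27 15:02:12 srv kernel: IN= OUT=eth0 SRC=203.0.113.5 DST=192.0.2.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=22 DPT=51234 WINDOW=227 RES=0x00 ACK URGP=0
May 27 15:02:13 srv kernel: IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.53 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=40000 DPT=53 LEN=48
May 27 15:02:14 srv kernel: IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=43211 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
May 27 15:02:15 srv kernel: IN= OUT=eth0 SRC=203.0.113.5 DST=192.0.2.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=22 DPT=51234 WINDOW=227 RES=0x00 ACK URGP=0
May 27 15:02:16 srv kernel: IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=50000 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0'

# Reads LOG lines on stdin and prints "count PROTO DST DPT", busiest first.
summarize_outbound() {
    awk '
    {
        spt = ""; dpt = ""; dst = ""; proto = ""
        # LOG lines are KEY=VALUE tokens; pick out the four fields we need.
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SPT") spt = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        if (dst == "" || dpt == "") next   # not a TCP/UDP LOG line (ICMP has no DPT)
        if (spt == "22") next              # sshd reply to an admin session: skip
        count[proto " " dst " " dpt]++
    }
    END {
        for (k in count) print count[k], k
    }' | sort -rn
}

# Runs the summary over the constructed sample.
run_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_outbound
}
```

Run it as `journalctl -k | summarize_outbound` or `summarize_outbound < /var/log/kern.log`. On the sample it prints two connections to 198.51.100.7:443 and one each to 198.51.100.53:53 and 198.51.100.25:25, with the port-22 replies gone. For a host that only receives mail, an outbound connection to port 25 is exactly the kind of line this table exists to surface.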