LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-21-2006, 12:29 AM   #1
cylarz
Member
 
Registered: Aug 2005
Location: California
Distribution: CentOS 5
Posts: 54

Rep: Reputation: 15
tcp wrappers / iptables dilemma


Hey all,

I have a security-related question and would like to
solicit your advice on the best way to lock down my
system, given the situation.

My Redhat system is on a network, has a public static
IP, and is exposed to the full traffic of the Internet
- no DMZ or router/firewall protection. (I've
considered adding a small router in front of it, but
that is a separate issue.)

I'm using an iptables firewall along with TCP
wrappers. These two measures bolster system security
by only allowing connections from a limited set of IP
addresses where I and/or authorized users should be
coming from while accessing the system remotely via
SSH2. (All other connections are automatically denied
by the firewall). I've also implemented some secondary
security measures, but TCP wrappers and the firewall
stop over 99% of break-in attempts.

Here's the issue. As with many broadband customers, my
IP changes occasionally, and every so often, my
assigned client IP address falls outside of the range
defined by the firewall and TCP wrappers on the
remote Red Hat server. However, expanding the range of
IP's users are permitted to come from, is a problem for two
reasons:

1. I don't know the full range of IP's offered by my
ISP. The pool of possible IP's I've so far been
assigned from is HUGE - ranging at least 4 Class A
address groups, based on the ones my ISP has pushed at
me so far. Meaning the IP assigned varies anywhere
between 200-203.XXX.XXX.XXX. Not literally 200-203 but you get the idea. I'm not even sure how I'd determine the range of dynamically-assigned IP's even if I wanted to. I doubt tech support knows. Most of their customers aren't trying to run servers.

That is a gargatuan amount of addresses to leave open,
since potentially many thousands of attackers would be
able to bypass both of my primary security measures
and have a shot at guessing a user/pass combination
that would let them onto the system.

2. My logs have indeed recorded numerous break-in attempts on
the server by individuals originating from the range
listed above. So again, I'd prefer not to just open
the entire range, since that lets attackers past my 2
best security layers.

On the one hand,
I'm sick of getting either locked out of my own system
when my IP changes. On the other, I'm sick of people
who have the same ISP as I do, trying to crack into my
server. There has to be an answer. Any advice would be appreciated.

Thanks,
Matt
 
Old 09-21-2006, 04:32 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
One trick I've found useful is to use a partial hostname (FQDN) in hosts.allow instead of an IP address, that way it doesn't matter when the IP changes dynamically. It really only works if your ISP uses regional DNS names like 1234ABCD.charlotte-west.att.com or something similar. In that situation you could use .charlotte-west.att.com which would significantly reduce the number of IPs. Other than that, you can try to narrow down the range of IP address or just skip to using keys instead which would eliminate the problem altogether.

Last edited by Capt_Caveman; 09-21-2006 at 04:35 PM.
 
Old 09-23-2006, 12:36 AM   #3
cylarz
Member
 
Registered: Aug 2005
Location: California
Distribution: CentOS 5
Posts: 54

Original Poster
Rep: Reputation: 15
tcp wrappers / ip tables dilemma

How do I determine if my ISP supports FQDN's or not, and what do I do if the answer is no?

I can tell you that when I look at my access logs, where it shows my own login sessions, it looks something like "adsl-my-ip-address-here.dsl1.myisp.com" with the dashes containing what looks like an IP, only with the dashes instead of the usual dots.

Is your suggestion still practical, given this information? I am not sure if this constitutes an FQDN or not.
 
Old 09-23-2006, 04:06 PM   #4
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378Reputation: 378Reputation: 378Reputation: 378
One thing I like to do is get a low cost or free shell account e.g. from sdf.lonestar.org which has a static IP, and then use it to login and change the firewall rules. I don't usually use domain names in my hosts.allow unless they're hardcoded into /etc/hosts in case the DNS server gets compromised (I'm paranoid).

But if you are less paranoid you could allow connections from *.dsl1.myisp.com which would solve your problem at the expense of allowing all DSL customers with the domain of dsl1.myisp.com through.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
tcp wrappers or iptables? dominant Linux - Security 3 02-23-2004 01:56 PM
TCP Wrappers ? juanb Linux - Newbie 1 01-31-2004 02:35 PM
relativity between tcp-wrappers and iptables dominant Linux - Security 8 01-26-2004 12:20 PM
tcp wrappers --with-tcp-wrappers ForumKid Linux - Security 2 01-04-2002 05:01 PM
TCP Wrappers ltrain Linux - Security 6 05-31-2001 11:40 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:02 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration