Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
09-21-2006, 12:29 AM
|
#1
|
Member
Registered: Aug 2005
Location: California
Distribution: CentOS 5
Posts: 54
Rep:
|
tcp wrappers / iptables dilemma
Hey all,
I have a security-related question and would like to
solicit your advice on the best way to lock down my
system, given the situation.
My Redhat system is on a network, has a public static
IP, and is exposed to the full traffic of the Internet
- no DMZ or router/firewall protection. (I've
considered adding a small router in front of it, but
that is a separate issue.)
I'm using an iptables firewall along with TCP
wrappers. These two measures bolster system security
by only allowing connections from a limited set of IP
addresses where I and/or authorized users should be
coming from while accessing the system remotely via
SSH2. (All other connections are automatically denied
by the firewall). I've also implemented some secondary
security measures, but TCP wrappers and the firewall
stop over 99% of break-in attempts.
Here's the issue. As with many broadband customers, my
IP changes occasionally, and every so often, my
assigned client IP address falls outside of the range
defined by the firewall and TCP wrappers on the
remote Red Hat server. However, expanding the range of
IP's users are permitted to come from, is a problem for two
reasons:
1. I don't know the full range of IP's offered by my
ISP. The pool of possible IP's I've so far been
assigned from is HUGE - ranging at least 4 Class A
address groups, based on the ones my ISP has pushed at
me so far. Meaning the IP assigned varies anywhere
between 200-203.XXX.XXX.XXX. Not literally 200-203 but you get the idea. I'm not even sure how I'd determine the range of dynamically-assigned IP's even if I wanted to. I doubt tech support knows. Most of their customers aren't trying to run servers.
That is a gargatuan amount of addresses to leave open,
since potentially many thousands of attackers would be
able to bypass both of my primary security measures
and have a shot at guessing a user/pass combination
that would let them onto the system.
2. My logs have indeed recorded numerous break-in attempts on
the server by individuals originating from the range
listed above. So again, I'd prefer not to just open
the entire range, since that lets attackers past my 2
best security layers.
On the one hand,
I'm sick of getting either locked out of my own system
when my IP changes. On the other, I'm sick of people
who have the same ISP as I do, trying to crack into my
server. There has to be an answer. Any advice would be appreciated.
Thanks,
Matt
|
|
|
09-21-2006, 04:32 PM
|
#2
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
One trick I've found useful is to use a partial hostname (FQDN) in hosts.allow instead of an IP address, that way it doesn't matter when the IP changes dynamically. It really only works if your ISP uses regional DNS names like 1234ABCD.charlotte-west.att.com or something similar. In that situation you could use .charlotte-west.att.com which would significantly reduce the number of IPs. Other than that, you can try to narrow down the range of IP address or just skip to using keys instead which would eliminate the problem altogether.
Last edited by Capt_Caveman; 09-21-2006 at 04:35 PM.
|
|
|
09-23-2006, 12:36 AM
|
#3
|
Member
Registered: Aug 2005
Location: California
Distribution: CentOS 5
Posts: 54
Original Poster
Rep:
|
tcp wrappers / ip tables dilemma
How do I determine if my ISP supports FQDN's or not, and what do I do if the answer is no?
I can tell you that when I look at my access logs, where it shows my own login sessions, it looks something like "adsl-my-ip-address-here.dsl1.myisp.com" with the dashes containing what looks like an IP, only with the dashes instead of the usual dots.
Is your suggestion still practical, given this information? I am not sure if this constitutes an FQDN or not.
|
|
|
09-23-2006, 04:06 PM
|
#4
|
Senior Member
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290
|
One thing I like to do is get a low cost or free shell account e.g. from sdf.lonestar.org which has a static IP, and then use it to login and change the firewall rules. I don't usually use domain names in my hosts.allow unless they're hardcoded into /etc/hosts in case the DNS server gets compromised (I'm paranoid).
But if you are less paranoid you could allow connections from *.dsl1.myisp.com which would solve your problem at the expense of allowing all DSL customers with the domain of dsl1.myisp.com through.
|
|
|
All times are GMT -5. The time now is 07:02 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|