LinuxQuestions.org
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   This is my topology. Do you guys think I am secure???? (https://www.linuxquestions.org/questions/linux-security-4/this-is-my-topolgy-do-you-guys-think-i-am-secure-12877/)

ForumKid 01-28-2002 08:05 AM

This is my topology. Do you guys think I am secure????
 
Hardware firewall - Running IDS
Only allowed ports inbound are: 80, 443, 25

Linux servers are running iptables with something like this:
#!/bin/sh

# you set the permission as follow:
# chown root.root scriptname
# chmod 700 scriptname

#=============== Start

# Load the netfilter modules
/sbin/depmod -a
/sbin/modprobe ip_tables

# Set iptable variable path
IPT=/sbin/iptables

echo -n "Loading Firewall Rules....."

#Flush all existing rules
$IPT -F
$IPT -X
$IPT -F -t nat

#Set default policies (INPUT stays ACCEPT here; the explicit DROP at the end of the chain does the real work)
$IPT -P INPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

#Set-up the "firewall-chain" rules (rate-limited log, then drop)
$IPT -N firewall
$IPT -A firewall -m limit --limit 20/minute -j LOG --log-level warning --log-prefix "FIREWALL: "
$IPT -A firewall -j DROP

#Accept Ourselves
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT

#Drop any bad flags
#LOG must come before DROP: a LOG rule placed after a DROP with the same match never fires
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L1: "
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L2: "
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L3: "
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L4: "
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L5: "
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#Block ping
$IPT -A INPUT -s 0/0 -d 192.168.2.2 -p icmp --icmp-type echo-request -j DROP

#Drop traceroute packets
$IPT -A INPUT -s 0/0 -d 192.168.2.2 -p udp --dport 33435:33525 -j DROP

#Stuff to drop syn floods (currently disabled)
#$IPT -N syn-flood
#$IPT -A syn-flood -m limit --limit 1/s --limit-burst 10 -j RETURN
#$IPT -A syn-flood -j LOG --log-level warning --log-prefix "FIREWALL: SYN Flood Stopped: "
#$IPT -A syn-flood -j DROP
#$IPT -A INPUT -p tcp --syn -j syn-flood

#State matching stuff - to accept related and established connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Accept SSH (inside network only)
$IPT -A INPUT -s 192.168.1.2 -p tcp -d 192.168.2.2 --dport 22 -j ACCEPT

#Accept HTTP/S
$IPT -A INPUT -s 0/0 -p tcp -d 192.168.2.2 --dport 80 -j ACCEPT
$IPT -A INPUT -s 0/0 -p tcp -d 192.168.2.2 --dport 443 -j ACCEPT

#Accept Samba (inside network only)
$IPT -A INPUT -s 192.168.1.2 -p tcp -d 192.168.2.2 --dport 139 -j ACCEPT

#Accept Domain Name Server stuff.. (currently disabled)
#$IPT -A INPUT -i eth0 -s 198.6.1.4/24 -p tcp -d 0/0 --dport 53 -j ACCEPT
#$IPT -A INPUT -i eth0 -s 198.6.1.5/24 -p udp -d 0/0 --dport 53 -j ACCEPT

#Send everything else to the firewall chain - DENY it and LOG it.
$IPT -A INPUT -p tcp --syn -j firewall
$IPT -A INPUT -p udp -j firewall
$IPT -A INPUT -j DROP
echo "DONE"

traceroutes come up with nothing. Port scan only shows the above 3 ports open.

What do you guys think?????
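As an added example (not code from the thread or its poster), a small Python linter that flags the three defects visible in a ruleset like the one above: a LOG rule placed after an identical DROP (it never fires), exact duplicate rules, and a mangled `-j` option. The sample rules are a constructed excerpt modelled on the posted script.

```python
"""Lint an iptables rule script for ordering and typo mistakes.
Added example; SAMPLE_RULES is a constructed excerpt, not the real script."""
import shlex

SAMPLE_RULES = """\
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L3: "
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -s 0/0 -d 192.168.2.2 -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -s 0/0 -d 192.168.2.2 -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -s 0/0 -p tcp -d 192.168.2.2 --dport 443 j ACCEPT
"""

# Targets after which a later rule with the same match can never be reached.
TERMINATING = {"DROP", "REJECT", "ACCEPT"}


def _split_rule(tokens):
    """Return (match_tokens, target) for an append rule, or None for anything else."""
    if "-A" not in tokens or "-j" not in tokens:
        return None
    j = tokens.index("-j")
    # tokens[0] is the binary ($IPT or iptables); everything up to -j is the match.
    return tuple(tokens[1:j]), tokens[j + 1]


def lint_iptables(script):
    """Return a list of (line_no, kind, message) findings for the rule script."""
    findings, seen, terminated = [], set(), set()
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if "j" in tokens:  # a bare 'j' is almost always a '-j' with the dash lost
            findings.append((n, "malformed", "bare 'j' token: did you mean '-j'?"))
            continue
        parsed = _split_rule(tokens)
        if parsed is None:
            continue
        match, target = parsed
        if (match, target) in seen:
            findings.append((n, "duplicate", "identical rule already present"))
        seen.add((match, target))
        if target == "LOG" and match in terminated:
            findings.append((n, "shadowed", "LOG follows a DROP/ACCEPT with the same match and never fires"))
        if target in TERMINATING:
            terminated.add(match)
    return findings


if __name__ == "__main__":
    for line_no, kind, msg in lint_iptables(SAMPLE_RULES):
        print(f"line {line_no}: {kind}: {msg}")
```

Run against the posted script it would report the second copy of each bad-flag and ping rule, every LOG that sits below its DROP, and the `443 j ACCEPT` line.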

ForumKid 01-28-2002 08:11 AM

One more thing to clarify.
Ports 80, 443, 25 are only open to the outside. ssh is only allowed from the inside network, as well as pop3.
Pings are all echoed back as no replies.

theFuzzyOne 01-28-2002 08:18 AM

Did you try Shields Up?
http://grc.com/default.htm

ForumKid 01-28-2002 08:30 AM

Yes,
gshield doesn't come up with any vulnerabilities.

zhenwu 01-31-2002 05:50 PM

Shields up will give you nothing to go on.

GRC Sucks

check that link out, there are some very good and well thought out arguments as to why Steve Gibson knows not of what he speaks.

unSpawn 02-01-2002 01:29 AM

zhenwu, plz cease posting (other people's) *opinions*, post facts yourself. GRS scanner (sic) has *nothing* to do with "nanoprobes", it's just like any other online scanner.

zhenwu 02-01-2002 01:41 AM

Um, sure thing.

As soon as everyone else here posts 'just the facts.' This board is full of opinions, that's part of what makes it so valuable. Why would you single me out?

I just think that it is very important to know more about 'products' such as Shields Up and what they do before considering yourself safe.

Here's a 'fact,' if you will:

try nMap, which can be found at http://www.insecure.org . This is an excellent portscanner, with many options that can tell you a whole heck of a lot more about your state of security than anything on GRC.

unSpawn 02-01-2002 05:10 PM

No, of course I won't single you out, but in this case the whole "the world vs. nanoprobes" business is *totally irrelevant* to the functionality and scan results of a simple online scanner.

zhenwu 02-01-2002 08:49 PM

Well fair enough. However, I have had Shields Up scan my system, only to come back and say that I am running completely in stealth mode. I then scan my system (or have a friend scan from another IP) with nMap or other type of scanner and it shows a number of ports open, ports that are commonly used. Ports that SU should have picked up if it was worth its weight in beans.

So I dig a little deeper, not only on grcsucks.com but in LinuxSecurity.org etc. and find that there are many people in the security industry that regard Steve Gibson as little more than a hype-meister with not much real substance behind his claims.

Therefore, I think it behooves me when I see people feeling secure after having SU do a scan to tell them that there may be more out there to investigate, and make their decisions based more on information and less on hype.

Just my two cents' worth.

unSpawn 02-02-2002 04:38 AM

Hmm. Therefore,()people feeling secure after having SU do a scan to tell them that there may be more out there to investigate, and make their decisions based more on information().

Well, the first point would be the word "feeling". It's not objective, like in *knowing* your box is secure. Clearly those people focus on the wrong tools and methods (like gaining stealth status, which falls in the class "security by obscurity", which is dead wrong). I got no need defending SU, as it clearly states (zip past the nanoprobe marketing text) it's only probing "a handful of well-known ports". Spose someone's not reading things well.

The second point, "decisions based more on information". Mind you, but Nmap alone won't save the day there as well (damn good tool as it is, no doubt about that), cuz it ain't painting the whole picture. Either be alerted of vulns in running services or apps (btraq, secfocus, vendors), have own auditing caps, or start by using a vuln scanner like, say, Nessus to dig a lil deeper on the networking side of things. Vulnerability in Sshd? Vuln in the sudo+postfix combo? Having /dev/.adm/ dir? Chrooted svc but running as root? This is where gaining knowledge can lead to *knowing* how to make a box secure.

Finally, I'd like to close our monologues :-] saying I regard Mr. Diettrich's articles very highly (find some of my old posts, on the linux.box.sk forum as well). We're all looking for good information, I just think spreading FUD and the accompanying bashing sprees (especially based on other ppl's knowledge) tend to clog up a clear view on security issues where facts are necessary, and not emotions nor marketing schmarketing.
