LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-28-2002, 08:05 AM   #1
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Rep: Reputation: 30
This is my topology. Do you guys think I am secure????


Hardware firewall - Running IDS
Only allowed ports inbound are: 80, 443, 25

Linux servers are running iptables with something like this:
#!/bin/sh


# you set the permission as follow:
# chown root.root scriptname
# chmod 700 scriptname

#=============== Start

# Load the netfilter modules
/sbin/depmod -a
/sbin/modprobe ip_tables

# Set iptable variable path
IPT=/sbin/iptables

echo -n "Loading Firewall Rules....."

#Flush all existing rules
$IPT -F
$IPT -X
$IPT -F -t nat

#Set default policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

#Set-up the "firewall-chain" rules: log (rate-limited), then drop
$IPT -N firewall
$IPT -A firewall -m limit --limit 20/minute -j LOG --log-level warning --log-prefix "FIREWALL: "
$IPT -A firewall -j DROP

#Accept Ourselves
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT

#Drop any bad flags. The LOG rule has to come before the DROP rule for the
#same match: a DROP ends processing, so a LOG placed after it is never reached.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L1: "
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L2: "
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L3: "
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L4: "
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L5: "
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#Block ping
$IPT -A INPUT -s 0/0 -d 192.168.2.2 -p icmp --icmp-type echo-request -j DROP

#Drop traceroute packets
$IPT -A INPUT -s 0/0 -d 192.168.2.2 -p udp --dport 33435:33525 -j DROP

#Stuff to drop syn floods
#$IPT -N syn-flood
#$IPT -A syn-flood -m limit --limit 1/s --limit-burst 10 -j RETURN
#$IPT -A syn-flood -j LOG --log-level warning --log-prefix "FIREWALL: SYN Flood Stopped: "
#$IPT -A syn-flood -j DROP
#$IPT -A INPUT -p tcp --syn -j syn-flood

#State matching stuff - to accept related and established connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Accept SSH (from the inside host only)
$IPT -A INPUT -s 192.168.1.2 -p tcp -d 192.168.2.2 --dport 22 -j ACCEPT

#Accept HTTP/S
$IPT -A INPUT -s 0/0 -p tcp -d 192.168.2.2 --dport 80 -j ACCEPT
$IPT -A INPUT -s 0/0 -p tcp -d 192.168.2.2 --dport 443 -j ACCEPT

#Accept Samba (from the inside host only)
$IPT -A INPUT -s 192.168.1.2 -p tcp -d 192.168.2.2 --dport 139 -j ACCEPT

#Accept Domain Name Server stuff..
#$IPT -A INPUT -i eth0 -s 198.6.1.4/24 -p tcp -d 0/0 --dport 53 -j ACCEPT
#$IPT -A INPUT -i eth0 -s 198.6.1.5/24 -p udp -d 0/0 --dport 53 -j ACCEPT

#Send everything else to the firewall chain - DENY it and LOG it.
$IPT -A INPUT -p tcp --syn -j firewall
$IPT -A INPUT -p udp -j firewall
$IPT -A INPUT -j DROP
echo "DONE"

Traceroutes come up with nothing. Port scan only shows the above 3 ports open.

What do you guys think?????
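The ruleset above has two defects that a port scan from outside will never reveal: each "BAD FLAG" LOG rule sits after a DROP with the identical match, so it can never fire, and the HTTPS rule is missing the dash in "-j ACCEPT". As an added example (not code from the thread or from any iptables tool), here is a small Python linter that catches exactly those classes of mistake statically, before the script is loaded: a LOG shadowed by an earlier terminating target with the same match, a rule repeated verbatim, a rule after an unconditional DROP/ACCEPT in its chain, and a rule with no "-j" target. The sample input is a constructed subset of the poster's INPUT-chain lines with both defects kept in; the helper names are my own.

```python
"""Static linter for an iptables rule script: finds rules that are broken or can never fire.

Added example, not code from the thread. It only understands "-A CHAIN ... -j TARGET"
append rules; -P/-F/-N lines and shell variable assignments are skipped.
"""
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # targets that end processing for a packet
ANY_ADDR = {"0/0", "0.0.0.0/0"}              # "-s 0/0" / "-d 0/0" add no constraint

# Constructed sample: a subset of the INPUT-chain lines from the script in the post,
# keeping its two defects (LOG placed after DROP, and "j ACCEPT" missing its dash).
SAMPLE_SCRIPT = """\
IPT=/sbin/iptables
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L1: "
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L3: "
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -s 0/0 -d 192.168.2.2 -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -s 0/0 -d 192.168.2.2 -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -s 0/0 -p tcp -d 192.168.2.2 --dport 80 -j ACCEPT
$IPT -A INPUT -s 0/0 -p tcp -d 192.168.2.2 --dport 443 j ACCEPT
$IPT -A INPUT -j DROP
"""


def normalize(match):
    """Drop '-s 0/0' / '-d 0/0' pairs so rules that differ only in them compare equal."""
    out, i = [], 0
    while i < len(match):
        if match[i] in ("-s", "-d") and i + 1 < len(match) and match[i + 1] in ANY_ADDR:
            i += 2
            continue
        out.append(match[i])
        i += 1
    return tuple(out)


def parse_rule(line):
    """Return ((chain, match, target), None) for an '-A' rule, (None, None) for other
    lines, or (None, error_message) when the rule is malformed."""
    tokens = shlex.split(line)            # honours the quoted --log-prefix strings
    if "-A" not in tokens:
        return None, None
    a = tokens.index("-A")
    if a + 1 >= len(tokens):
        return None, "'-A' without a chain name"
    chain, body = tokens[a + 1], tokens[a + 2:]
    if "-j" not in body:
        hint = " (bare 'j' found: missing dash?)" if "j" in body else ""
        return None, "no '-j TARGET'" + hint
    j = body.index("-j")
    if j + 1 >= len(body):
        return None, "'-j' without a target"
    return (chain, normalize(body[:j]), body[j + 1]), None


def lint(script):
    """Return [(line_no, kind, message)] for every rule that is broken or never fires."""
    findings = []
    seen = {}        # (chain, match) -> (line_no, target) of the first occurrence
    catch_all = {}   # chain -> line_no of a terminating rule with no match at all
    for line_no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule, err = parse_rule(line)
        if err:
            findings.append((line_no, "error", err))
            continue
        if rule is None:
            continue
        chain, match, target = rule
        if chain in catch_all:
            findings.append((line_no, "unreachable",
                             f"after unconditional rule at line {catch_all[chain]}"))
        elif (chain, match) in seen:
            first_line, first_target = seen[(chain, match)]
            if first_target == target:
                findings.append((line_no, "duplicate", f"repeats line {first_line}"))
            elif first_target in TERMINATING:
                findings.append((line_no, "shadowed",
                                 f"never reached: line {first_line} already jumps to {first_target}"))
        else:
            seen[(chain, match)] = (line_no, target)
        if not match and target in TERMINATING:
            catch_all.setdefault(chain, line_no)
    return findings


if __name__ == "__main__":
    for line_no, kind, msg in lint(SAMPLE_SCRIPT):
        print(f"line {line_no:2d}: {kind:<11} {msg}")
```

Run against the sample it reports the two shadowed LOG rules, the two verbatim duplicates and the "j ACCEPT" line; once the LOG rules are moved ahead of their DROPs and the dash is restored it reports nothing. The exact-match comparison is deliberately conservative: it will not notice a rule shadowed by a broader earlier match (for example a plain "-p tcp -j DROP" ahead of a "--dport 80" rule), so a clean report is a necessary check, not proof the ruleset does what you think.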
 
Old 01-28-2002, 08:11 AM   #2
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
One more thing to clarify.
Ports 80,443,25 are only open to the outside. ssh is only allowed from the inside network as well as pop3.
Pings are all echoed back as no replies.
 
Old 01-28-2002, 08:18 AM   #3
theFuzzyOne
Member
 
Registered: Dec 2001
Distribution: redhat
Posts: 154

Rep: Reputation: 30
did you try shield's up?
http://grc.com/default.htm
 
Old 01-28-2002, 08:30 AM   #4
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
Yes,
gshield doesn't come up with any vulnerabilities.
 
Old 01-31-2002, 05:50 PM   #5
zhenwu
Member
 
Registered: Jul 2001
Location: Taiwan (ex-Victoria BC)
Distribution: RH 9.0
Posts: 126

Rep: Reputation: 15
Shields up will give you nothing to go on.

GRC Sucks

Check that link out; there are some very good and well thought out arguments as to why Steve Gibson knows not of what he speaks.
 
Old 02-01-2002, 01:29 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
zhenwu, plz cease posting (other people's) *opinions*, post facts yourself. GRS scanner (sic) has *nothing* to do with "nanoprobes", it's just like any other online scanner.
 
Old 02-01-2002, 01:41 AM   #7
zhenwu
Member
 
Registered: Jul 2001
Location: Taiwan (ex-Victoria BC)
Distribution: RH 9.0
Posts: 126

Rep: Reputation: 15
Um, sure thing.

As soon as everyone else here posts 'just the facts.' This board is full of opinions, that's part of what makes it so valuable. Why would you single me out?

I just think that it is very important to know more about 'products' such as Shields Up and what they do before considering yourself safe.

Here's a 'fact,' if you will:

try nMap, which can be found at http://www.insecure.org . This is an excellent portscanner, with many options that can tell you a whole heck of a lot more about your state of security than anything on GRC.
 
Old 02-01-2002, 05:10 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
No, of course I won't single you out, but in this case the whole "the world vs. nanoprobes" business is *totally irrelevant* to the functionality and scan results of a simple online scanner.
 
Old 02-01-2002, 08:49 PM   #9
zhenwu
Member
 
Registered: Jul 2001
Location: Taiwan (ex-Victoria BC)
Distribution: RH 9.0
Posts: 126

Rep: Reputation: 15
Well fair enough. However, I have had Shields Up scan my system, only to come back and say that I am running completely in stealth mode. I then scan my system (or have a friend scan from another IP) with nMap or other type of scanner and it shows a number of ports open, ports that are commonly used. Ports that SU should have picked up if it was worth its weight in beans.

So I dig a little deeper, not only on grcsucks.com but in LinuxSecurity.org etc. and find that there are many people in the security industry that regard Steve Gibson as little more than a hype-meister with not much real substance behind his claims.

Therefore, I think it behooves me when I see people feeling secure after having SU do a scan to tell them that there may be more out there to investigate, and make their decisions based more on information and less on hype.

Just my two cents' worth.
 
Old 02-02-2002, 04:38 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Hmm. Therefore,()people feeling secure after having SU do a scan to tell them that there may be more out there to investigate, and make their decisions based more on information().

Well, the first point would be the word "feeling". It's not objective, like in *knowing* your box is secure. Clearly those people focus on the wrong tools and methods (like gaining stealth status, which falls in the class "security by obscurity", which is dead wrong). I got no need defending SU, as it clearly states (zip past the nanoprobe marketing text) it's only probing "a handful of well-known ports". S'pose someone's not reading things well.

The second point, "decisions based more on information". Mind you, Nmap alone won't save the day there either (damn good tool as it is, no doubt about that), cuz it ain't painting the whole picture. Either be alerted of vulns in running services or apps (btraq, secfocus, vendors), have your own auditing caps, or start by using a vuln scanner like, say, Nessus to dig a lil deeper on the networking side of things. Vulnerability in sshd? Vuln in the sudo+postfix combo? Having a /dev/.adm/ dir? Chrooted svc but running as root? This is where gaining knowledge can lead to *knowing* how to make a box secure.

Finally, I'd like to close our monologues :-] saying I regard Mr. Diettrich's articles very highly (find some of my old posts, on the linux.box.sk forum as well). We're all looking for good information, I just think spreading FUD and the accompanying bashing sprees (especially based on other ppl's knowledge) tend to clog up a clear view on security issues where facts are necessary, and not emotions nor marketing schmarketing.
 