This is my topology. Do you guys think I am secure????
#$IPT and the custom "firewall" chain are set up earlier in the script (not quoted here).
#Drop any bad flags. LOG is a non-terminating target, so each LOG rule has to come
#before its matching DROP; with DROP first the LOG rule is never reached.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L1: "
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L2: "
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L3: "
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L4: "
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L5: "
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#Block ping (echo-request addressed to this host)
$IPT -A INPUT -s 0/0 -d 192.168.2.2 -p icmp --icmp-type echo-request -j DROP
#Drop traceroute packets (the UDP port range traceroute probes by default)
$IPT -A INPUT -s 0/0 -d 192.168.2.2 -p udp --dport 33435:33525 -j DROP
#Stuff to drop syn floods (currently disabled)
#$IPT -N syn-flood
#$IPT -A syn-flood -m limit --limit 1/s --limit-burst 10 -j RETURN
#$IPT -A syn-flood -j LOG --log-level warning --log-prefix "FIREWALL: SYN Flood Stopped: "
#$IPT -A syn-flood -j DROP
#$IPT -A INPUT -p tcp --syn -j syn-flood
#State matching - accept packets belonging to related and established connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Accept Domain Name Server stuff (currently disabled)
#$IPT -A INPUT -i eth0 -s 198.6.1.4/24 -p tcp -d 0/0 --dport 53 -j ACCEPT
#$IPT -A INPUT -i eth0 -s 198.6.1.5/24 -p udp -d 0/0 --dport 53 -j ACCEPT
#Send everything else to the firewall chain - DENY it and LOG it.
$IPT -A INPUT -p tcp --syn -j firewall
$IPT -A INPUT -p udp -j firewall
$IPT -A INPUT -j DROP
echo "DONE"
Traceroutes come up with nothing. A port scan only shows the above 3 ports open.
One more thing to clarify.
Ports 80,443,25 are only open to the outside. ssh is only allowed from the inside network as well as pop3.
Pings are all echoed back as no replies.
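The ordering of the LOG and DROP rules in a script like the one above is easy to get wrong and impossible to spot from a port scan: netfilter walks a chain top-down and stops at the first terminating target, so a LOG rule placed after a DROP with the same match never fires, and the firewall is silently less observable than its author believes. The following checker is an added example, not the poster's script or anything from the iptables project; it parses `$IPT -A CHAIN ... -j TARGET` lines from a constructed copy of the flag-filtering rules above and reports LOG rules that are unreachable, plus exact duplicates. Only `-A` rules are understood, and target options such as `--log-prefix` are ignored when comparing matches.

```python
"""Lint an iptables shell script for unreachable LOG rules and duplicates.

Added example (not the forum poster's code). Assumes the script uses the
`$IPT -A CHAIN <match...> -j TARGET [target options]` form seen in the post.
"""
import shlex

# Targets that end chain traversal for a matching packet.
TERMINATING = {"DROP", "REJECT", "ACCEPT"}

# Constructed sample: a subset of the rules posted above, with the original
# DROP-before-LOG ordering and duplicated lines reproduced on purpose.
SAMPLE_SCRIPT = """
#Drop any bad flags
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L1: "
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L3: "
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
#Block ping
$IPT -A INPUT -s 0/0 -d 192.168.2.2 -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -s 0/0 -d 192.168.2.2 -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"""


def parse_rule(line):
    """Return (chain, match_tokens, target, all_tokens) for an `-A` rule.

    Comments, blank lines and anything that is not an append rule give None.
    `match_tokens` is everything between the chain name and `-j`; options
    after the target (e.g. --log-prefix) do not affect what the rule matches.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)  # honours the quoted --log-prefix value
    if len(tokens) < 4 or tokens[1] != "-A" or "-j" not in tokens:
        return None
    j = tokens.index("-j")
    return tokens[2], tuple(tokens[3:j]), tokens[j + 1], tuple(tokens)


def lint_rules(script):
    """Return [(line_no, problem), ...] for dead LOG rules and duplicates."""
    findings = []
    first_terminating = {}  # (chain, match) -> (line_no, target)
    first_seen = {}         # full token tuple -> line_no
    for line_no, line in enumerate(script.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, match, target, tokens = parsed
        if tokens in first_seen:
            findings.append((line_no, "duplicate of line %d" % first_seen[tokens]))
            continue
        first_seen[tokens] = line_no
        earlier = first_terminating.get((chain, match))
        if earlier is not None:
            # A terminating rule with the same match precedes this one, so no
            # packet can ever reach it (typically a LOG placed after its DROP).
            findings.append((line_no,
                             "unreachable: line %d already jumps to %s for this match" % earlier))
        elif target in TERMINATING:
            first_terminating[(chain, match)] = (line_no, target)
    return findings


if __name__ == "__main__":
    for line_no, problem in lint_rules(SAMPLE_SCRIPT):
        print("line %d: %s" % (line_no, problem))
```

Run against the sample it reports every LOG rule as unreachable and both duplicated DROP lines; swapping each LOG/DROP pair and removing the repeats makes the report empty, which is the state the posted script should be in before its logs are trusted.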
zhenwuplz, cease posting (other people's) *opinions*; post facts yourself. GRS scanner (sic) has *nothing* to do with "nanoprobes", it's just like any other online scanner.
As soon as everyone else here posts 'just the facts.' This board is full of opinions, that's part of what makes it so valuable. Why would you single me out?
I just think that it is very important to know more about 'products' such as Shields Up and what they do before considering yourself safe.
Here's a 'fact,' if you will:
Try Nmap, which can be found at http://www.insecure.org. This is an excellent port scanner, with many options that can tell you a whole heck of a lot more about your state of security than anything on GRC.
No, of course I won't single you out, but in this case the whole "the world vs. nanoprobes" business is *totally irrelevant* to the functionality and scan results of a simple online scanner.
Well, fair enough. However, I have had Shields Up scan my system, only to come back and say that I am running completely in stealth mode. I then scan my system (or have a friend scan from another IP) with Nmap or another type of scanner and it shows a number of ports open, ports that are commonly used. Ports that SU should have picked up if it was worth its weight in beans.
So I dig a little deeper, not only on grcsucks.com but in LinuxSecurity.org etc. and find that there are many people in the security industry that regard Steve Gibson as little more than a hype-meister with not much real substance behind his claims.
Therefore, I think it behooves me when I see people feeling secure after having SU do a scan to tell them that there may be more out there to investigate, and make their decisions based more on information and less on hype.
Hmm. Therefore,()people feeling secure after having SU do a scan to tell them that there may be more out there to investigate, and make their decisions based more on information().
Well, the first point would be the word "feeling". It's not objective, like in *knowing* your box is secure. Clearly those people focus on the wrong tools and methods (like gaining stealth status, which falls in the class "security by obscurity", which is dead wrong). I got no need defending SU, as it clearly states (zip past the nanoprobe marketing text) it's only probing "a handful of well-known ports". Spose someone's not reading things well.
The second point, "decisions based more on information". Mind you, Nmap alone won't save the day there as well (damn good tool as it is, no doubt about that), cuz it ain't painting the whole picture. Either be alerted of vulns in running services or apps (btraq, secfocus, vendors), have own auditing caps, or start by using a vuln scanner like, say, Nessus to dig a lil deeper on the networking side of things. Vulnerability in sshd? Vuln in the sudo+postfix combo? Having a /dev/.adm/ dir? Chrooted svc but running as root? This is where gaining knowledge can lead to *knowing* how to make a box secure.
Finally, I'd like to close our monologues :-] saying I regard Mr. Diettrich's articles very highly (find some of my old posts, on the linux.box.sk forum as well). We're all looking for good information; I just think spreading FUD and the accompanying bashing sprees (especially based on other ppl's knowledge) tend to clog up a clear view on security issues where facts are necessary, and not emotions nor marketing schmarketing.