Dear admin,
The following links and hints may help you to protect your server against attacks from a network.
Greetz Matze (www.dermatzeimnetz.de)
| Firewall: (block your enemy) |
| http://www.gibraltar.at/ | Gibraltar is a bootable Linux (Debian) CD with many features to route, firewall or otherwise handle traffic. You need no hard disk, only a disk to store your configuration. |

| Scan detection: (who's gonna try hacking me?) |
| http://www.psionic.org | PortSentry is a very good scan-detection utility, with the ability to fake open ports or to tell iptables to drop incoming traffic from those IP addresses. |
| http://www.snort.org | Intrusion detection system that knows a lot of attack signatures. |

| Detect rootkits: (am I already hacked?) |
| www.chkrootkit.org | Like the name says, it's a toolkit to find rootkits. |
| www.foundstone.com/knowledge/free_tools.html | Carbonite, another rootkit finder (or rather a better combination of ps aux and lsof). |
| checkps.alcom.co.uk | checkps finds kernel-memory-patching rootkits (diffs /proc against ps aux). |
| www.tripwire.org | Checks which files have been changed on your system. |
| www.grsecurity.net | Linux kernel patches to improve security. |
| find /dev -type f | Find regular files in /dev (unusual there, and a favourite hiding place for rootkit files). |
| nmap host -p 47017 | Find a t0rnkit. |
| netstat -nlt ; nmap 127.0.0.1 -p 1-65535 | Compare the open ports your system shows you with the ones nmap found. |

| Honeypot: (come, putputput, come, ....) |
| in general: | Build a system that looks wide open, wait until the first hacker comes in, watch what he's doing and learn from him (or laugh ;). |
| project.honeynet.org | Know your enemy!! |

| Too late: :-( (I've been hacked) |
| - save the following information | date (maybe the time ;-)?); ifconfig -a (network interfaces); ps auxf (process tree); lsof (open files); netstat -an (open sockets); netstat -nr (IP routing tables); w (users logged in); lsmod (loaded kernel modules); each with >> /var/log/your.log (append it to your logfile) |
| - save where? | On your backup server run netcat -l -p 11111 (the host then waits on port 11111 for an inbound connection); on the hacked host run netcat host 11111 < /var/log/your.log (connects to host on port 11111 and writes your.log to it). |
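The netstat/nmap comparison above is worth automating, because the interesting result is the difference: a port nmap sees open that netstat does not list points at a trojaned netstat or a kernel rootkit hiding the socket. The script below is an added example, not from this page; it parses the two tools' output formats and prints the ports only nmap knows about. The sample outputs are constructed so it runs offline; on a real host feed it `netstat -nlt` and `nmap -p 1-65535 127.0.0.1` (better still, scan from a second machine, so a rootkit on the suspect host cannot filter what nmap sees).

```shell
#!/bin/sh
# Added example: compare listening TCP ports reported by netstat with the
# open ports nmap found. Ports only nmap sees are suspicious.

# Constructed sample of `netstat -nlt` output (classic net-tools format).
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

# Constructed sample of `nmap -p 1-65535 127.0.0.1` normal output; 47017 is the
# t0rnkit port mentioned on the page, added here to show a hidden listener.
NMAP_SAMPLE='Starting Nmap ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
47017/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned'

# netstat_ports: read netstat -nlt output on stdin, print one listening TCP
# port per line. The port is the last colon-separated field of "Local Address".
netstat_ports() {
    awk '$1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# nmap_ports: read nmap normal output on stdin, print one open TCP port per line.
nmap_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { split($1, a, "/"); print a[1] }' | sort -n | uniq
}

# hidden_ports NETSTAT_OUTPUT NMAP_OUTPUT: print ports nmap reports open that
# netstat does not list. Tagged lines are merged so plain POSIX awk can diff
# the two sets without temporary files or process substitution.
hidden_ports() {
    {
        printf '%s\n' "$1" | netstat_ports | sed 's/^/seen /'
        printf '%s\n' "$2" | nmap_ports   | sed 's/^/open /'
    } | awk '$1 == "seen" { seen[$2] = 1 }
             $1 == "open" && !seen[$2] { print $2 }'
}

# Usage with the constructed samples: prints 47017, the port netstat hides.
hidden_ports "$NETSTAT_SAMPLE" "$NMAP_SAMPLE"
```

An empty result means the two views agree; anything printed deserves a look with a tool that does not depend on the possibly tampered system binaries (a statically linked netstat or lsof from read-only media, for instance).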
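The "Too late" steps above (snapshot the volatile state, then push it to another host with netcat) fit in one small script. This is an added example, not the page's own script. It runs every command the page lists, labels each section, records plainly when a tool is missing or fails rather than aborting, and ships the file with netcat to a listener started as the page describes. `BACKUP_HOST` and port 11111 are placeholders to replace; the page's `>> /var/log/your.log` target is replaced by a path you choose, since an intruder may have control over the suspect host's log directory.

```shell
#!/bin/sh
# Added example: snapshot volatile state of a possibly compromised host into one
# evidence file, then stream it off-box with netcat.
# Placeholders: BACKUP_HOST (collector hostname) and 11111 (listener port).

EVIDENCE_FILE="${EVIDENCE_FILE:-/tmp/incident-$(date +%Y%m%d-%H%M%S).log}"

# run_section LABEL CMD ARGS...: append a labelled section with the command's
# stdout and stderr. A missing tool or a non-zero exit is written into the
# file instead of stopping the collection.
run_section() {
    label=$1
    shift
    printf '\n===== %s: %s =====\n' "$label" "$*" >> "$EVIDENCE_FILE"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >> "$EVIDENCE_FILE" 2>&1 || printf '[command exited with status %s]\n' "$?" >> "$EVIDENCE_FILE"
    else
        printf '[%s not available on this host]\n' "$1" >> "$EVIDENCE_FILE"
    fi
}

# collect_volatile: the commands from the page, most volatile first.
collect_volatile() {
    : > "$EVIDENCE_FILE"
    printf '# volatile snapshot of %s\n' "$(uname -n 2>/dev/null || echo unknown-host)" >> "$EVIDENCE_FILE"
    run_section "date and time"      date
    run_section "network interfaces" ifconfig -a
    run_section "process tree"       ps auxf
    run_section "open files"         lsof -nP
    run_section "open sockets"       netstat -an
    run_section "routing table"      netstat -nr
    run_section "logged-in users"    w
    run_section "kernel modules"     lsmod
}

# section_count: number of sections in the file (8 when every command was attempted).
section_count() {
    grep -c '^===== ' "$EVIDENCE_FILE"
}

# ship_evidence HOST PORT: stream the file to the collector. Start the listener
# on the collector first:  netcat -l -p PORT > incident.log   (classic netcat
# syntax as on the page; the OpenBSD variant is  nc -l PORT). Compare the
# checksum printed by "collect" with one taken on the collector afterwards.
ship_evidence() {
    netcat "$1" "$2" < "$EVIDENCE_FILE"
}

case "${1:-}" in
    collect) collect_volatile && sha256sum "$EVIDENCE_FILE" ;;
    ship)    ship_evidence "${2:-BACKUP_HOST}" "${3:-11111}" ;;
esac
```

Run `sh snapshot.sh collect` first and `sh snapshot.sh ship collector.example 11111` second, so the snapshot is taken before the network activity of shipping it changes `netstat -an` output. Netcat sends in the clear, so do this over a trusted segment or wrap it in ssh.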
IP-Tables-Script:
---------------->
#!/bin/bash
base=${0##*/}
# this shell-script may help you to build some rules to protect your private pc against attacks
# from the internet. it reads out your current ip-address on eth0 and configures your ruleset, so
# it will only accept incoming traffic for ssh. make sure you have a current linux kernel with
# iptables modules and installed the iptables packages
##########
# VARIABLES
##########
# this is the path to your iptables program. if it doesn't work try 'which iptables' as root
IPTABLES="/sbin/iptables"
# grepping the interface and ip-address (expects the classic net-tools ifconfig output)
MYIF0=$(ifconfig | grep '^eth0 ' | cut -d ' ' -f 1 | tr -d ' ')
# 'inet addr' picks the IPv4 line only; a plain 'inet' would also match the inet6 line
MYIP0=$(ifconfig "$MYIF0" | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1 | tr -d ' ')
# 0.0.0.0/0 is "everything"; iptables does not understand the old ipchains 'any/0'
EXTNET="0.0.0.0/0"
LO="127.0.0.0/8"
##########
# KERNEL PARAMETER
##########
# accept routing (only needed if this pc routes for others; FORWARD is DROP below anyway)
echo "1" > /proc/sys/net/ipv4/ip_forward
# create syncookies
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# check reply path (drop packets whose source address would not be routed via this interface)
echo "1" > /proc/sys/net/ipv4/conf/$MYIF0/rp_filter
# don't accept source routing
echo "0" > /proc/sys/net/ipv4/conf/$MYIF0/accept_source_route
# don't answer icmp broadcast pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
##########
# CLEANUP
##########
$IPTABLES -F
$IPTABLES -t nat -F
##########
# RULEZ
##########
# loopback is ok
$IPTABLES -A INPUT -s $LO -i lo -d $LO -j ACCEPT
$IPTABLES -A INPUT -s $LO -i lo -d $MYIP0 -j ACCEPT
$IPTABLES -A INPUT -s $MYIP0 -i lo -d $MYIP0 -j ACCEPT
$IPTABLES -A OUTPUT -s $LO -o lo -d $LO -j ACCEPT
$IPTABLES -A OUTPUT -s $LO -o lo -d $MYIP0 -j ACCEPT
$IPTABLES -A OUTPUT -s $MYIP0 -o lo -d $MYIP0 -j ACCEPT
# no ident timeout: reject instead of drop, so remote servers don't wait for port 113
$IPTABLES -A INPUT -p tcp -s $EXTNET -i $MYIF0 -d $MYIP0 --dport 113 -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p udp -s $EXTNET -i $MYIF0 -d $MYIP0 --dport 113 -j REJECT --reject-with icmp-port-unreachable
# new input sessions for ssh will be accepted
$IPTABLES -A INPUT -p tcp -s $EXTNET -i $MYIF0 -d $MYIP0 --dport 22 -m state --state NEW -j ACCEPT
# uncomment the following line to accept incoming ftp logins
# $IPTABLES -A INPUT -p tcp -s $EXTNET -i $MYIF0 -d $MYIP0 --dport 21 -m state --state NEW -j ACCEPT
# uncomment the following line to accept incoming http-requests
# $IPTABLES -A INPUT -p tcp -s $EXTNET -i $MYIF0 -d $MYIP0 --dport 80 -m state --state NEW -j ACCEPT
# accept incoming traffic which is established or related
$IPTABLES -A INPUT -s $EXTNET -i $MYIF0 -d $MYIP0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow new outgoing connections
$IPTABLES -A OUTPUT -s $MYIP0 -d $EXTNET -m state --state NEW -j ACCEPT
# and related
$IPTABLES -A OUTPUT -s $MYIP0 -d $EXTNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop broadcasts silently, then log everything else (rate limited) before the policy drops it
$IPTABLES -A INPUT -d 192.168.255.255 -j DROP
$IPTABLES -A INPUT -d 172.31.255.255 -j DROP
$IPTABLES -A INPUT -d 10.255.255.255 -j DROP
$IPTABLES -A INPUT -d 255.255.255.255 -j DROP
$IPTABLES -A INPUT -m limit --limit 1/minute --limit-burst 10 -j LOG
##########
# POLICY
##########
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
##########
# MODULES
##########
# the following module is needed for ftp thru a firewall (with masquerading);
# modprobe finds the module by name, insmod would need the full path.
# on newer kernels the module is called nf_conntrack_ftp
modprobe ip_conntrack_ftp
# hope this helps. greet matze
# www.dermatzeimnetz.de