Use Linux firewall rules to protect against attacks. (ipchains: kernel 2.6, 2.4 or iptables: kernel 2.2) Access denial rules can also be implemented on the fly by portsentry.
(Place at the end of /etc/rc.d/rc.local to be executed upon system boot, or some other appropriate script)
- iptables script:
# Allow loopback access. This rule must come before the rules denying port access!!
# It is essential if your own computer is to be able to access itself through the loopback interface.
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP        # Block NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP        # Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP   # Block X-Windows
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP        # Block X-Windows font server
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP         # Block printer port
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP         # Block printer port
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP         # Block Sun RPC/NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP         # Block Sun RPC/NFS
# Deny outside packets from the internet which claim to be from your loopback interface.
iptables -A INPUT -p all -s localhost -i eth0 -j DROP
- ipchains script:
ipchains -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT           # Block NFS
ipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT              # Block NFS
ipchains -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT      # Block X-Windows
ipchains -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT           # Block X-Windows font server
ipchains -A input -p tcp -s 0/0 -d 0/0 515 -y -j REJECT            # Block printer port
ipchains -A input -p udp -s 0/0 -d 0/0 515 -j REJECT               # Block printer port
ipchains -A input -p tcp -s 0/0 -d 0/0 111 -y -j REJECT            # Block Sun RPC/NFS
ipchains -A input -p udp -s 0/0 -d 0/0 111 -j REJECT               # Block Sun RPC/NFS
# Deny and log ("-l") outside packets from the internet which claim to be from your loopback interface.
ipchains -A input -j REJECT -p all -s localhost -i eth0 -l
- iptables uses the chain name “INPUT” while ipchains uses the lower-case chain name “input”.
- View rules with iptables -L or ipchains -L command.
- iptables man page
- When running an internet web server, it is best from a security point of view NOT to run printing, X-Window, NFS or any other service which could be exploited if a vulnerability is discovered or if it is misconfigured, regardless of firewall rules.
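The firewall rules above only make sense if you also know which of those services are actually listening. The following script is an added example, not part of the original tutorial: it reads output in the format of netstat -nlp and reports every socket bound to a non-loopback address on one of the ports the rules above block. The netstat text embedded in it is a constructed sample, and BLOCKED_PORTS is an assumed list that mirrors the tutorial's rules.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report listeners on the
# ports the firewall script blocks, using a netstat -nlp style listing.

# Ports the tutorial's rules drop: NFS, X-Windows, font server, lpd, portmap.
BLOCKED_PORTS="2049 6000 6001 6002 6003 6004 6005 6006 6007 6008 6009 7100 515 111"

# Constructed sample in the format of `netstat -nlp` (Proto ... Local Address ... PID/Program).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      612/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      901/httpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      844/sendmail
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1203/X
udp        0      0 0.0.0.0:111             0.0.0.0:*                           612/portmap
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -'

# exposed_listeners: read netstat output on stdin and print "proto port program"
# for every socket bound on a non-loopback address to a port in BLOCKED_PORTS.
exposed_listeners() {
    awk -v ports="$BLOCKED_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) blocked[p[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            addr = $4                          # e.g. 0.0.0.0:111
            port = addr; sub(/.*:/, "", port)  # keep text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)
            if (host ~ /^127\./) next          # loopback-only listeners are not exposed
            if (!(port in blocked)) next
            print $1, port, $NF                # $NF is PID/Program, or "-" when unknown
        }'
}

# count_exposed: number of exposed listeners found in the constructed sample.
count_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners | wc -l | tr -d ' '
}

# On a real host: netstat -nlp | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

In the sample, portmap (tcp and udp 111), X on tcp 6000 and the udp 2049 listener are reported; httpd on port 80 is not a blocked port and sendmail is bound to 127.0.0.1 only, so neither appears. Anything the script reports is a service to turn off, not merely to firewall, as the tutorial says.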
It is best for security reasons that you reduce the number of inetd network services exposed. The more services exposed, the greater your vulnerability. Reduce the number of network services accessible through the xinetd or inetd daemon by:
- inetd: (Red Hat 7.0 and earlier) Comment out un-needed services in the /etc/inetd.conf file.
Sample: (FTP is the only service I run)
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
Restart the daemon to apply changes: /etc/rc.d/init.d/inetd restart
- xinetd: (Red Hat 7.1 and later) All network services are turned off by default during an upgrade. Sample file: /etc/xinetd.d/wu-ftpd:
service ftp
{
        # Default is off. This line controls whether xinetd enables the service.
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd
        server_args     = -l -a
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        nice            = 10
}
Turning on/off an xinetd service: chkconfig wu-ftpd on (or off), which rewrites the disable line above.
- List init settings including all xinetd controlled services: chkconfig --list
- List status of services (Red Hat/Fedora Core based systems): service --status-all
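Commenting out inetd.conf lines and setting disable = yes are easy to get wrong by hand (a stray uncommented line, a file with disable = no left behind). The script below is an added example, not the tutorial's own, which lists the services that would actually be started from an inetd.conf-style file and an xinetd.d-style directory. It builds its own constructed copies of those files in a temporary directory rather than reading /etc, so it can be run anywhere; point the two functions at /etc/inetd.conf and /etc/xinetd.d on a real host.

```shell
#!/bin/sh
# Added example (not from the original tutorial): list the inetd/xinetd services
# that would accept connections, so the "reduce exposed services" step can be verified.

# inetd_enabled FILE: print the service name of every active line in an
# inetd.conf-style file (blank lines and lines starting with '#' are disabled).
inetd_enabled() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# xinetd_enabled DIR: for every file in an xinetd.d-style directory, print the
# service name of each block unless the block contains "disable = yes".
xinetd_enabled() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            /^[[:space:]]*#/ { next }
            /^[[:space:]]*service[[:space:]]+/ { name = $2; disabled = 0 }
            /^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes/ { disabled = 1 }
            /^[[:space:]]*[}]/ { if (name != "" && !disabled) print name; name = "" }
        ' "$f"
    done
}

# make_sample: write a constructed inetd.conf and xinetd.d tree into a temp dir
# and print the directory path. Contents are invented for this example.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/inetd.conf" <<'EOF'
# constructed sample: only ftp is left enabled, as in the tutorial
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    mkdir "$d/xinetd.d"
    cat > "$d/xinetd.d/wu-ftpd" <<'EOF'
service ftp
{
        disable = yes
        socket_type = stream
        server = /usr/sbin/in.ftpd
}
EOF
    cat > "$d/xinetd.d/telnet" <<'EOF'
# constructed: an administrator left telnet switched on
service telnet
{
        disable = no
        socket_type = stream
        server = /usr/sbin/in.telnetd
}
EOF
    printf '%s\n' "$d"
}

# audit_sample: run both checks over the constructed tree and print
# "inetd:<name>" / "xinetd:<name>" for every service that would be started.
audit_sample() {
    d=$(make_sample)
    inetd_enabled "$d/inetd.conf" | sed 's/^/inetd:/'
    xinetd_enabled "$d/xinetd.d" | sed 's/^/xinetd:/'
    rm -rf "$d"
}

audit_sample
```

For the constructed files the output is inetd:ftp and xinetd:telnet; the commented-out telnet and finger lines and the disabled wu-ftpd block are correctly ignored. Compare that list with what you intend to run, then restart inetd or xinetd as described above.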
Security configuration and set-up for Linux servers exposed to the internet: Any computer connected to the internet requires steps and precautions to reduce its exposure to hacker threats. Web, mail and DNS servers are especially vulnerable. Large operations hide behind a Cisco firewall for most of their protection. The Linux server itself must be configured for network security and have its applications and services configured for security. This tutorial covers steps and tools which can be used to monitor and counteract hacker threats. Simply put, it is security risk management.
Basic Linux Security Overview:
Perform the following steps to secure your web site:
- See Distribution errata and security fixes. Update your system where appropriate.
- Reduce the number of network services exposed. These will be started by scripts in /etc/rc.d/rc*.d/ directories. (See full list of services in: /etc/init.d/) There may be no need to run sendmail (mail server), portmap (RPC listener required by NFS), lpd (Line printer server daemon. Hackers probe my system for this service all the time.), innd (News server), linuxconf etc. For example, sendmail can be removed from the boot process using the command: chkconfig --del sendmail or by using the configuration tool ntsysv. The service can be terminated using the command /etc/rc.d/init.d/sendmail stop. At the very least one should run the command chkconfig --list to see what processes are configured to be operable after boot-up.
- Verify your configuration. List the open ports and processes which hold them: netstat -punta (Also try netstat -nlp)
- List RPC services: [root]# rpcinfo -p localhost
Ideally you would NOT be running portmapper so no RPC services would be available. Turn off portmapper: service portmap stop (or: /etc/init.d/portmap stop) and remove it from the system boot sequence: chkconfig --del portmap (Portmap is required by NFS.)
- Anonymous FTP (Using wu-ftpd – Last shipped with RH 8.0. RH 9 and FC use vsftpd): By default Red Hat comes configured for anonymous FTP. This allows users to ftp to your server and log in with the login anonymous and use an email address as the password. If you wish to turn off this feature edit the file /etc/ftpaccess and change:
class all real,guest,anonymous *
to:
class all real,guest *
- Use the find command to locate vulnerabilities – find suid and sgid files (which can execute with root privileges) as well as world writable files and directories. For example:
- find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -print
Remove suid privileges on executable programs with the command: chmod -s filename
- find / -xdev \( -nouser -o -nogroup \) -print
Find files not owned by a valid user or group.
- Use the commands chattr and lsattr to make a sensitive security file unmodifiable, over and above the usual permissions.
- Make a file unmodifiable: chattr +i /bin/ls
Make directories unmodifiable: chattr -R +i /bin /sbin /boot /lib
Make a file append only: chattr +a /var/log/messages
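The find commands above are worth wrapping in a script so they can be re-run after every upgrade and compared with the previous run. The following is an added example, not part of the original tutorial: it wraps the two find checks shown above as functions, adds the world-writable check the text mentions but does not spell out, and runs them over a small constructed directory tree under a temporary directory so the expected results can be checked without scanning the real system (pass / to the functions for that). The -perm -1000 test that excludes sticky directories such as /tmp is my addition.

```shell
#!/bin/sh
# Added example (not from the original tutorial): the tutorial's find checks as
# functions, plus the world-writable check, run over a constructed sample tree.

# find_setid ROOT: regular files with the setuid (4000) or setgid (2000) bit set.
find_setid() {
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f -print
}

# find_world_writable ROOT: files and directories anyone can write to. Sticky
# directories (mode 1xxx, e.g. /tmp) are skipped because there it is intended.
find_world_writable() {
    find "$1" -xdev -perm -0002 \( -type f -o \( -type d ! -perm -1000 \) \) -print
}

# find_unowned ROOT: files whose owner or group is not in /etc/passwd or /etc/group.
# (Not exercised on the sample tree: creating such files needs root.)
find_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print
}

# make_tree: build a constructed sample tree and print its path.
make_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/var/tmp" "$t/var/spool"
    : > "$t/bin/ping";      chmod 4755 "$t/bin/ping"        # setuid binary
    : > "$t/bin/wall";      chmod 2755 "$t/bin/wall"        # setgid binary
    : > "$t/bin/ls";        chmod 0755 "$t/bin/ls"          # ordinary binary
    : > "$t/var/spool/job"; chmod 0666 "$t/var/spool/job"   # world-writable file
    chmod 1777 "$t/var/tmp"                                 # sticky world-writable dir (expected)
    chmod 0777 "$t/var/spool"                               # non-sticky world-writable dir (a finding)
    printf '%s\n' "$t"
}

# audit_tree: run the checks on the constructed tree and print "setid=N ww=M".
audit_tree() {
    t=$(make_tree)
    setid=$(find_setid "$t" | wc -l | tr -d ' ')
    ww=$(find_world_writable "$t" | wc -l | tr -d ' ')
    rm -rf "$t"
    printf 'setid=%s ww=%s\n' "$setid" "$ww"
}

audit_tree
```

On the sample tree the result is setid=2 ww=2: the two set-id binaries, the world-writable spool file and the non-sticky spool directory are reported, while the sticky var/tmp directory and the ordinary binary are not. Save the real output of find_setid / to a file after installation; a new entry on a later run is exactly the kind of change tripwire (next item) is meant to catch.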
- Use “tripwire” [sourceforge: tripwire] for security monitoring of your system for signs of unauthorized file changes. Tripwire is offered as part of the base Red Hat and Ubuntu distributions. Tripwire configuration is covered below.
- Watch your log files especially /var/log/messages and /var/log/secure.
- Avoid generic account names such as guest.
- Use PAM network wrapper configurations to disallow passwords which can be found easily by crack or other hacking programs. PAM authentication can also disallow root network login access. (Default Red Hat configuration. You must login as a regular user and su - to obtain root access. This is NOT the default for ssh and must be changed as noted below.)
- Remote access should NOT be done with clear text telnet but with an encrypted connection using ssh. (Later in this tutorial)
- Proc file settings for defense against attacks. This includes protective measures against IP spoofing and SYN floods (syncookies).
- DDoS (Distributed Denial of Service) attacks: The only thing you can do is have gobs of bandwidth and processing power/firewall. Lots of processing power or a firewall are useless without gobs of bandwidth, as the network can get so overloaded from a distributed attack.
- Turn off ICMP (look invisible to network scans)
- Monitor the attack with tcpdump
Unfortunately the packets are usually spoofed and in my case the FBI didn’t care. If the server is a remote server, have a dial-up modem or a second IP address and route for access, because the attacked route is blocked by the flood of network attacks. You can also request that your ISP drop ICMP traffic to the IP addresses of your servers (and UDP if all you are running is a web server; DNS name servers use UDP). For very interesting reading see “The Strange Tale” of the GRC.com DDoS attack. (Very interesting read about the anatomy of the hacker bot networks.)
- User access can be restricted with the following configuration files:
- Remove un-needed users from the system. See /etc/passwd. By default Red Hat installations have many user accounts created to support various processes. If you do not intend to run these processes, remove the users, e.g. remove the user ids games, uucp, rpc, rpcd, ...