Security

From Elvanör's Technical Wiki
Jump to: navigation, search

iptables

General

  • iptables needs to have some kernel level support. You activate kernel support by compiling the Netfilter framework. Don't check the advanced Netfilter configuration option. It's important to have support for connection tracking, and packet filtering. Other options may be needed but it depends on what you want to do exactly.
  • iptables work by sending a set of rules to the kernel. You can list the current rules by issuing:
iptables -nL
  • You can always revert to the default rules (accept everything) with the following commands:
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
  • Two important commands, iptables-save and iptables-restore, save and restore the rules to a file. These are used by the Gentoo init script to setup rules at boot and to save them on shutdown (eg, /etc/init.d/iptables stop saves the rules, /etc/init.d/iptables start restores the rules). The rules are saved in /var/lib/iptables/rules-save.
  • You can edit a file created by iptables-restore, but the syntax is not easy. One important thing to note is that you can't have blank lines. If iptables-restore fails on the last line, be warned that this not necessarily means the last line (COMMIT) is at fault. It is probably a line earlier (if it's not a syntax error, it usually means kernel support is absent).
  • The orders of rules matter and is very important! If you have a rule after a catchall rule rejecting all packets, for example, it won't have any effect. It also seems you cannot "move" a rule with the command line, only delete it and recreate it.

Command Line options

  • This will add a new rule to the INPUT chain:
iptables -I INPUT 9 -m state --state NEW --protocol tcp --dport 46922 -j ACCEPT

Note the number after -I INPUT indicates the index of the rule.

  • This will allow all connections from a given IP:
iptables -I INPUT 2 -p all -s xx.xx.xx.xx -d 0.0.0.0/0 -j ACCEPT
  • This will reject all incoming packets:
iptables -I INPUT 10 -j DROP
  • This will allow ping requests:
iptables -I INPUT 6 -p icmp --icmp-type 8 -s 0/0 -j ACCEPT
  • To delete a rule:
iptables -D INPUT 8
  • If you use the --dport option, you must specify a protocol that "allows" it, such as tcp or udp. You cannot for example specify "all". Note that if you wish to add the same rule for two different protocols (usually TCP + UDP), it is not possible in a single rule: you must insert two separate rules, one for each protocol.

Firewall concepts

  • If you use localhost or 127.0.0.1 as an address to connect to yourself, the firewall / iptables will never block you. But if you access yourself via a domain name that is resolved to your external (true) IP address, the firewall will take effect (the packets probably go to your local gateway and come back). This means that it can be useful to whitelist your own IP address.

sshguard

  • The concept for sshguard is simple. Messages from sshd are passed to sshguard via syslog-ng. sshguard analyses those, and if need be adds a rule to iptables blocking a given IP. Note that sshguard runs as a daemon. It is started from syslog-ng the first time a relevant message comes by.
  • To install and setup sshguard:
    • Emerge sshguard
    • Modify syslog-ng configuration so that sshd messages go to sshguard (look at sshguard README file)
    • Add the necessary rules to iptables (look at sshguard README file)
  • WARNING: be careful that you enter the correct path to the sshguard binary in syslog-ng.conf! The example given in the README file does not work with Gentoo.
  • Be also careful about the order of the iptables rule.
  • To whitelist a given IP address, you can start sshguard with the -w xx.xx.xx.xx argument. You should write it directly in the syslog-ng configuration file too.

Rootkits

Linux

  • chkrootkit and rkhunter and two rootkit detectors. chkrootkit can produce false positives for the LKM trojan quite often apparently.

Mac OS X

  • No known root kits yet. Consequently, no root kit detectors are available for this platform.

Bandwidth consumption