gagol.eu

Malmö 04.12.2012


Hardening Linux

Install only the base system and kernel.

1st
/proc is a pseudo-filesystem that exposes kernel settings; look through /proc/sys/net/ipv4 in particular. Values written with echo are lost at reboot, so put the ones you keep in /etc/sysctl.conf (or a file under /etc/sysctl.d/) and load them with sysctl -p.

Ignore ping (this also hides the host from legitimate reachability checks, and if the firewall drops ICMP anyway it is redundant):
 echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
Protection against smurf attacks (do not answer echo requests sent to a broadcast address):
 echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Do not log bogus ICMP error responses (keeps the logs free of noise from broken routers):
 echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
Do not accept ICMP redirects, which could change our routing table:
 echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
We do not want to route packets between interfaces:
 echo "0" > /proc/sys/net/ipv4/ip_forward
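The settings above, written as a persistent sysctl.d file and read back from /proc to confirm the kernel really has them. This is an added example, not a script from the original post; the file name 10-hardening.conf, the function names and the PROCROOT variable (which lets the check run against a constructed directory tree instead of the real /proc) are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the original post): persist the /proc settings as a
# sysctl.d drop-in and verify them by reading the values back from /proc.
# Assumptions: file name, function names and PROCROOT are this example's own.

# key=value pairs in sysctl notation (dots instead of slashes)
HARDENING_SETTINGS='
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.ip_forward=0
'

# write_sysctl_conf FILE: render the settings as a sysctl.d file
write_sysctl_conf() {
    printf '# generated by hardening script; load with: sysctl -p %s\n' "$1" > "$1"
    printf '%s\n' "$HARDENING_SETTINGS" | sed '/^$/d' >> "$1"
}

# proc_path KEY: map net.ipv4.ip_forward -> $PROCROOT/sys/net/ipv4/ip_forward
proc_path() {
    printf '%s/sys/%s\n' "${PROCROOT:-/proc}" "$(printf '%s' "$1" | tr . /)"
}

# verify_sysctl: compare every expected value with what the kernel reports.
# Prints one line per mismatch; the return value is the number of mismatches
# (0 means every setting is in effect).
verify_sysctl() {
    mismatches=0
    for kv in $HARDENING_SETTINGS; do
        key=${kv%%=*}
        want=${kv#*=}
        path=$(proc_path "$key")
        if [ -r "$path" ]; then
            have=$(cat "$path")
        else
            have="(missing)"
        fi
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: want %s, have %s\n' "$key" "$want" "$have"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}
```

As root, the whole cycle is: write_sysctl_conf /etc/sysctl.d/10-hardening.conf, then sysctl -p /etc/sysctl.d/10-hardening.conf, then verify_sysctl. Running verify_sysctl again after a reboot is the actual check that the settings survived.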
2nd
Netfilter and iptables. This is a base example: default policy DROP in all three chains, then explicit holes. Replace eth0 with your public interface. Rules set this way are gone after a reboot, so once they work, save them with iptables-save and load them at boot with iptables-restore. Two notes: -m state still works, but newer iptables prefers the equivalent -m conntrack --ctstate; and because no rule accepts ICMP, nothing pings this host (so icmp_echo_ignore_all above is redundant) and path MTU discovery stops working, so accept ICMP destination-unreachable on INPUT if connections to some networks stall.

# Flush rules
iptables -F
# Default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Block unauthorized subnets: private (RFC 1918) source addresses have no business
# arriving on the public interface. These must come BEFORE the ACCEPT rules; appended
# at the end of the chain they never match traffic an earlier rule already accepted.
# Leave them out if eth0 itself sits on a private LAN, or you will lock yourself out.
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
# Block this IP!
iptables -A INPUT -s 64.4.11.37 -j DROP
iptables -A INPUT -s 65.55.58.201 -j DROP
# DNS to OpenDNS; Google's resolvers are 8.8.8.8 and 8.8.4.4, or use the ones from your ISP
iptables -A OUTPUT -p udp -d 208.67.222.222 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 208.67.222.222 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -d 208.67.220.220 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 208.67.220.220 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Inbound (for servers)
# ssh server
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# http server
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# smtp server
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
# Outbound
# http (for clients; apt works over http)
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# https out
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# smtp out
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

Moving sshd off port 22 is also required: set Port in /etc/ssh/sshd_config and change --dport 22 in the ssh rule to match. This cuts the automated scanning noise but is no protection on its own, so keep the DenyHosts step below as well.
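The same policy rendered in iptables-restore format, so the whole ruleset is loaded atomically (either every rule applies or none does, instead of a half-applied chain if one line has a typo) and can be reloaded at boot. This is an added example, not the script from the original post: the interface and port variables, the function names, the /etc/iptables/rules.v4 path used by iptables-persistent on Debian, and the ordering check are this example's own. It also departs from the post's script in two ways, named here: the per-service ESTABLISHED pairs are collapsed into one stateful rule per chain, and ICMP destination-unreachable is accepted so path MTU discovery works.

```sh
#!/bin/sh
# Added example (not the original post's script): render the ruleset in
# iptables-restore format, check that anti-spoofing DROPs precede every ACCEPT
# in INPUT, and load it atomically.
# Assumptions (not from the page): variable and function names, the
# /etc/iptables/rules.v4 path, and the collapsed ESTABLISHED,RELATED rules.

WAN_IF=${WAN_IF:-eth0}
SSH_PORT=${SSH_PORT:-22}                   # change together with Port in sshd_config
DNS_SERVERS=${DNS_SERVERS:-"208.67.222.222 208.67.220.220"}
SERVER_PORTS=${SERVER_PORTS:-"80 25"}      # inbound services besides ssh
CLIENT_PORTS=${CLIENT_PORTS:-"80 443 25"}  # outbound destinations we allow

# gen_rules: print a complete *filter table for iptables-restore
gen_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # anti-spoofing first, so no later ACCEPT can shadow it
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "-A INPUT -i $WAN_IF -s $net -j DROP"
    done
    # one stateful rule each way instead of a --sport/--dport pair per service
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # "fragmentation needed" is ICMP destination-unreachable; PMTU discovery needs it
    echo '-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT'
    for dns in $DNS_SERVERS; do
        echo "-A OUTPUT -o $WAN_IF -p udp -d $dns --dport 53 -m state --state NEW -j ACCEPT"
    done
    echo "-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT"
    for p in $SERVER_PORTS; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $CLIENT_PORTS; do
        echo "-A OUTPUT -o $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# check_order FILE: return 1 if an anti-spoof DROP in INPUT comes after an ACCEPT
# (the loopback ACCEPT is exempt; it cannot carry a spoofed public packet)
check_order() {
    awk '
        /^-A INPUT/ && /-j ACCEPT/ && !/-i lo / { seen_accept = 1 }
        /^-A INPUT/ && /-s (10\.|172\.16\.|192\.168\.)/ && /-j DROP/ && seen_accept { bad = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# apply_rules FILE: refuse a misordered file, otherwise load all-or-nothing and persist
apply_rules() {
    check_order "$1" || { echo "refusing to load: anti-spoof rules are shadowed" >&2; return 1; }
    iptables-restore < "$1" && iptables-save > /etc/iptables/rules.v4
}
```

Usage as root: gen_rules > /tmp/rules.v4, read the file once, then apply_rules /tmp/rules.v4. When you move sshd, set SSH_PORT before calling gen_rules so the firewall and sshd_config change together.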

3rd
IDS: snort. Reports that are mailed to root (DenyHosts does this by default) must reach a real mailbox, so set a root alias in /etc/aliases for postfix (e.g. root: you@example.org) and rebuild the alias database:

 newaliases
DenyHosts: protection against brute-force attacks on SSH; it blocks offending addresses through TCP wrappers by adding them to /etc/hosts.deny. Put your own IP in /etc/hosts.allow (e.g. sshd: 203.0.113.5, an example address), which is consulted before hosts.deny, so that a mistyped password can never cost you your ssh connection.
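What DenyHosts does, reduced to its core and run over a handful of log lines: count failed SSH logins per source address in auth.log, report the ones above a threshold, and never list a whitelisted address. This is an added example, not DenyHosts' own code or the original post's; the log lines are constructed samples in Debian/OpenSSH syslog format, and the threshold, function names and the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 addresses (documentation ranges) are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post, not DenyHosts' code): the core of a
# DenyHosts-style check as an awk pipeline, with the hosts.allow whitelist honoured.
# Assumptions: constructed sample log, example addresses, threshold and names are ours.

# constructed sample of /var/log/auth.log (not real traffic)
SAMPLE_LOG='Dec  4 10:01:02 host sshd[1201]: Failed password for root from 198.51.100.7 port 51122 ssh2
Dec  4 10:01:05 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51130 ssh2
Dec  4 10:01:09 host sshd[1205]: Failed password for invalid user oracle from 198.51.100.7 port 51141 ssh2
Dec  4 10:02:11 host sshd[1210]: Failed password for alice from 203.0.113.5 port 40022 ssh2
Dec  4 10:02:15 host sshd[1210]: Accepted publickey for alice from 203.0.113.5 port 40022 ssh2
Dec  4 10:03:40 host sshd[1222]: Failed password for invalid user test from 203.0.113.5 port 40100 ssh2
Dec  4 10:03:41 host sshd[1223]: Failed password for invalid user test from 203.0.113.5 port 40101 ssh2
Dec  4 10:03:42 host sshd[1224]: Failed password for invalid user test from 203.0.113.5 port 40102 ssh2
Dec  4 10:05:00 host sshd[1230]: Failed password for root from 192.0.2.44 port 33001 ssh2'

# whitelist: the address we administer from, as it would sit in /etc/hosts.allow
ALLOWED_HOSTS='203.0.113.5'

# failed_logins_per_ip < log : "count ip" lines, most frequent first
failed_logins_per_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# offenders THRESHOLD < log : addresses with at least THRESHOLD failures, minus whitelist
offenders() {
    threshold=$1
    failed_logins_per_ip | while read -r n ip; do
        [ "$n" -ge "$threshold" ] || continue
        case " $ALLOWED_HOSTS " in
            *" $ip "*) continue ;;   # never block the admin's own address
        esac
        echo "$ip"
    done
}

# deny_line IP: the hosts.deny entry DenyHosts would append for a blocked address
deny_line() {
    echo "sshd: $1"
}
```

Against a live system the pipeline is offenders 5 < /var/log/auth.log; the whitelist check is the part that matters most, because the sample shows the admin's own host with the highest failure count after a few typos, which is exactly how you lock yourself out without it.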

4th
Password settings in /etc/login.defs: PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE control password aging (maximum lifetime, minimum days between changes, warning period before expiry). These defaults only apply to accounts created afterwards; for existing users set the same limits with chage (e.g. chage -M 90 -m 1 -W 7 user) and check them with chage -l user.