Linux Security
Revision as of 16:07, 8 June 2016
Anything about security on Linux. When a topic is already covered in another page, link to it instead of repeating it.
Setting umask
The default umask on Ubuntu / Debian is 022: new files get mode 644 and new directories 755, so everything a user creates is readable by every other account on the system (group and others). A umask of 027 keeps group read access but removes all access for others (files 640, directories 750).
To change the defaults (see [1]) to 027:
Add to /etc/sudoers (edit it with visudo), so that commands run through sudo use the stricter mask instead of the calling user's:
Defaults umask = 0027
Defaults umask_override
Edit /etc/login.defs, which sets the mask for login sessions:
UMASK 027
The login.defs value applies to new login sessions only; check it with umask in a fresh shell.
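To see what the two values produce on disk, and to check what a login.defs file actually sets, here is an added shell example. It is not from the original page; the function names are invented and it assumes GNU coreutils (stat -c) and a POSIX sh.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Assumes GNU coreutils (stat -c) and a POSIX shell.

# Create a file or directory under umask $1 in a scratch directory and print
# its octal mode. Files start from 666 and directories from 777; the umask
# bits are cleared from that, so 022 -> 644/755 and 027 -> 640/750.
mode_under_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$tmp/d" && stat -c '%a' "$tmp/d"
        else
            : > "$tmp/f" && stat -c '%a' "$tmp/f"
        fi
    )
    rm -rf "$tmp"
}

# Print the UMASK value set in a login.defs-style file ($1), skipping comment
# lines, or "unset" if the file has no UMASK line.
login_defs_umask() {
    awk '$1 == "UMASK" { v = $2 } END { if (v == "") v = "unset"; print v }' "$1"
}

# Return 0 if the UMASK in file $1 removes every permission bit from
# "other" (last octal digit 7, as 027 or 077 do), 1 otherwise.
umask_denies_other() {
    case "$(login_defs_umask "$1")" in
        *7) return 0 ;;
        *)  return 1 ;;
    esac
}

# Demo: modes under both umasks, then a constructed login.defs fragment
# (not a real system file) with the Debian default.
demo() {
    for u in 022 027; do
        printf 'umask %s: file %s, dir %s\n' "$u" \
            "$(mode_under_umask "$u" file)" "$(mode_under_umask "$u" dir)"
    done
    f=$(mktemp)
    printf '# Debian default\nUMASK\t\t022\n' > "$f"
    printf 'login.defs sample: UMASK=%s, denies other: ' "$(login_defs_umask "$f")"
    umask_denies_other "$f" && echo yes || echo no
    rm -f "$f"
}
```

Run demo to see both umasks side by side; point login_defs_umask at the real /etc/login.defs to audit a host.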
Firewall
With UFW
TBC
With iptables
- Basic configuration
List current active rules
iptables -L
# Chain INPUT (policy ACCEPT)
# target prot opt source destination
#
# Chain FORWARD (policy ACCEPT)
# target prot opt source destination
#
# Chain OUTPUT (policy ACCEPT)
# target prot opt source destination
By default, the filter table has 3 built-in chains: INPUT (packets addressed to this host), FORWARD (packets routed through it) and OUTPUT (packets it generates). Each chain has a default policy, ACCEPT here, that applies to packets no rule matched.
To authorise SSH (port 22) and HTTP (port 80) on interface eth0 (replace it with your interface name, see ip link):
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
See the result:
iptables -L
# Chain INPUT (policy ACCEPT)
# target prot opt source destination
# ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
# ACCEPT tcp -- anywhere anywhere tcp dpt:http
#
# Chain FORWARD (policy ACCEPT)
# target prot opt source destination
#
# Chain OUTPUT (policy ACCEPT)
# target prot opt source destination
For the firewall to be effective, the INPUT chain must end in DROP instead of ACCEPT (REJECT also works, but DROP is usually preferred on an exposed interface since it sends nothing back to a port scanner). Before doing so, one more rule is needed, otherwise replies to connections that this host itself opens (DNS, apt, outbound SSH) arrive on ports no rule accepts and are discarded:
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
This rule accepts packets that belong to a connection the kernel already tracks, whether it came in through one of the opened ports or was initiated from this host, plus related traffic such as ICMP errors (-m state is the older name of this match; -m conntrack --ctstate is the current equivalent). Now close everything else with a catch-all rule at the end of the chain:
iptables -A INPUT -i eth0 -j DROP
Note that this appends a rule and leaves the chain policy at ACCEPT. iptables -P INPUT DROP changes the policy itself, which then also covers other interfaces; in that case accept loopback first (iptables -A INPUT -i lo -j ACCEPT), or local services talking to each other over 127.0.0.1 break. Either way, rule order matters: iptables stops at the first matching rule, so the DROP must come after every ACCEPT.
- List, add, delete rules
iptables -L INPUT # LIST INPUT rules (add -n -v --line-numbers to see rule positions, numeric addresses/ports and packet counters)
iptables -L # LIST ALL rules of the filter table (-t nat, -t mangle for the other tables)
iptables -I INPUT 2 _rule_... # INSERT a rule at position 2, i.e. before the current 2nd rule; order matters, the first match wins
iptables -D INPUT 3 # DELETE the 3rd rule (positions shift after a deletion, re-list before deleting another)
iptables -F INPUT # FLUSH (delete) all INPUT rules; the chain policy is not changed
- Some custom rules
iptables -I INPUT 1 -s _src_ip_ -j DROP # Block a single source IP address; inserted at the top so it is evaluated before the ESTABLISHED,RELATED rule
- Stop and reset firewall
This removes every rule and user-defined chain in the filter, nat and mangle tables and resets all policies to ACCEPT, i.e. it leaves the host with no firewall at all:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
- Save and restore iptables rules
Use iptables-save to dump the current rules of all tables in a readable text format, and iptables-restore to load such a dump back (it replaces the current rules unless -n/--noflush is given):
iptables-save > iptables.rules # Save the rules
iptables-restore < iptables.rules # Restore the rules
Rules do not survive a reboot on their own. On Debian, they can be restored at boot from /etc/network/interfaces by running iptables-restore when the interface is configured; inside the iface stanza we have:
# ...
post-up iptables-restore < /etc/iptables.up.rules
# ...
Using pre-up instead of post-up loads the rules before the interface comes up, so there is no window in which the interface is reachable without a firewall. The iptables-persistent package is the packaged alternative: it restores /etc/iptables/rules.v4 (and rules.v6) at boot.
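The following added shell example (not from the original page; function names are invented) ties the basic configuration and the save/restore format together: it writes the INPUT policy described above as an iptables-restore file, so the rule order (loopback, established connections, allowed ports, then the DROP policy) is explicit and can be reviewed before it touches the live ruleset, and it checks a ruleset for that order. It uses -m conntrack --ctstate, the current form of the page's -m state --state.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Builds the INPUT policy of the "Basic configuration" section as an
# iptables-restore file and checks a ruleset for a closed-by-default order.

# Print a filter-table ruleset in iptables-save format.
#   $1: interface name (e.g. eth0); remaining arguments: TCP ports to accept.
gen_input_rules() {
    iface="$1"; shift
    printf '%s\n' '*filter'
    # Chain policies: INPUT and FORWARD fall through to DROP, OUTPUT stays open.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # With policy DROP, loopback must be accepted explicitly.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, and related traffic (ICMP errors).
    printf '%s\n' "-A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One rule per allowed port; only new connections need to match here.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Read a ruleset on stdin and return 0 only if it is closed by default:
# INPUT policy is DROP, loopback is accepted, an ESTABLISHED,RELATED accept
# exists and precedes the first per-port accept. Returns 1 otherwise.
check_ruleset() {
    awk '
        /^:INPUT / && $2 != "DROP"            { bad = 1 }
        /-i lo .*-j ACCEPT/                   { lo = 1 }
        /ESTABLISHED,RELATED/ && /-j ACCEPT/  { est = NR }
        /--dport/ && /-j ACCEPT/ && !port     { port = NR }
        END {
            if (bad || !lo || !est) exit 1
            if (port && est > port) exit 1
            exit 0
        }
    '
}

# Demo: generate the ruleset for SSH and HTTP on eth0 and check it.
demo() {
    gen_input_rules eth0 22 80 | tee /dev/stderr | check_ruleset && echo "ruleset OK"
}
```

Review the output, then load it with iptables-restore < file. iptables-restore --test parses the file without committing it, and Debian's iptables-apply loads a ruleset and reverts it automatically if you do not confirm within a timeout, which protects a remote session from a rule that locks you out.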
Server hardening
Assume server name is myserver.org.
SSH
- PasswordAuthentication
Disable password authentication, which is exposed to brute-force and password-guessing attacks, and log in with keys only. Before doing so, verify from a second session that key-based login works, or you lock yourself out. Edit /etc/ssh/sshd_config:
PasswordAuthentication no
Two caveats: sshd uses the first occurrence of a keyword, so make sure no earlier line already sets it to yes (sshd -T prints the effective configuration); and also set ChallengeResponseAuthentication to no, otherwise PAM's keyboard-interactive method can still prompt for a password.
- DebianBanner
By default Debian's sshd appends the package version to the SSH version string, which tells anyone who connects the exact build and patch level that is running. Test what sshd sends [2]:
nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
# ^C
Edit /etc/ssh/sshd_config and add the line (this option exists only in Debian's and Ubuntu's patched OpenSSH):
DebianBanner no
Restart sshd (the Debian service is called ssh, not sshd; run sshd -t first to catch a syntax error in the config before the restart) and verify the banner:
service ssh restart
nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1
This only hides the patch level; the upstream version stays visible, and the real protection is keeping the package updated.
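An added shell example (not from the original page; function names are invented) that audits an sshd_config-style file for the two settings of this section. It mirrors sshd's rule that the first uncommented occurrence of a keyword wins, so a "PasswordAuthentication no" appended at the end of a file that already says "yes" is reported as ineffective. ChallengeResponseAuthentication is included as an assumption, because PAM keyboard-interactive can otherwise still prompt for a password.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Audits an sshd_config-style file the way sshd reads it: the FIRST
# uncommented occurrence of a keyword is the effective global value.

# Print the effective global value of keyword $2 in file $1, lowercased,
# or "unset" if absent. Keywords are case-insensitive. Everything from the
# first Match line onward is conditional and ignored for the global value.
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == "match"                 { exit }
        NF == 0 || $1 ~ /^#/                   { next }
        tolower($1) == tolower(key) && !found  { print tolower($2); found = 1 }
        END { if (!found) print "unset" }
    ' "$1"
}

# Check the settings this section asks for. Prints one FAIL line per
# mismatch and returns 1 if any, 0 if all are as wanted.
sshd_audit() {
    f="$1"; rc=0
    for pair in PasswordAuthentication=no \
                ChallengeResponseAuthentication=no \
                DebianBanner=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$f" "$key")
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: effective=%s, want=%s\n' "$key" "$got" "$want"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed sshd_config fragment (not a real server's file):
# the late "PasswordAuthentication no" loses to the earlier "yes", and the
# value inside the Match block does not count as the global setting.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Authentication:
PasswordAuthentication yes
DebianBanner no
PasswordAuthentication no
Match User backup
    ChallengeResponseAuthentication no
EOF
    sshd_audit "$f"
    rm -f "$f"
}
```

On a live host, run sshd_audit /etc/ssh/sshd_config and compare with sshd -T, which prints the configuration sshd actually uses after parsing.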
- Rate-limit incoming connections
Add the following rules to iptables [3]. They use the recent match: the first rule records the source address of every new connection to port 22; the second drops a new connection from an address that already has 5 or more recorded hits within the last 60 seconds. Both are inserted at the top of INPUT with -I, so they are evaluated before any ACCEPT for port 22 and before the catch-all DROP. That order is essential: an ACCEPT for port 22 that sits above them matches first and the limit never triggers. Since -I without a position inserts at position 1, the second command ends up above the first, which is the intended order:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
If port 22 is not already accepted further down the chain (it is if you followed the basic configuration above), add the ACCEPT below the two rules, for example at position 3, never with a bare -I, which would put it above them:
iptables -I INPUT 3 -p tcp -m tcp --dport 22 -j ACCEPT
Use the following script to test the rules from another machine. The first connections print the SSH banner; once the limit is reached the connection is dropped and nc times out silently (with --hitcount 5 and the rules in this order, that is the sixth attempt within a minute):
#!/bin/bash
# 6 rapid new connections; -w 3 makes nc give up after 3 seconds instead of hanging.
for i in $(seq 1 6) ; do
    printf '%s: %s\n' "$i" "$(echo 'exit' | nc -w 3 myserver.org 22 | head -n 1)"
done
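The ordering pitfall is easy to check offline. The added shell example below (not from the original page; function names are invented) reads iptables -S INPUT output and verifies that the recent DROP rule for port 22 precedes the first rule that accepts port 22. The two listings are constructed, not captured from a real host: the first is what you get when the ACCEPT for port 22 is inserted at the top with a bare -I after the two recent rules, the second has the ACCEPT below them.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# The "-m recent --update ... -j DROP" rule for port 22 must sit ABOVE the
# first rule that accepts port 22, otherwise the ACCEPT matches first and
# the rate limit is dead.

# Read `iptables -S INPUT` output on stdin. Returns 0 if the order is right,
# 1 if an ACCEPT for port 22 precedes the recent DROP, 2 if no such DROP exists.
ssh_ratelimit_order() {
    awk '
        /--dport 22/ && /-m recent/ && /--update/ && /-j DROP/ && !drop { drop = NR }
        /--dport 22/ && /-j ACCEPT/ && !acc                           { acc = NR }
        END {
            if (!drop) exit 2
            if (acc && acc < drop) exit 1
            exit 0
        }
    '
}

# Constructed listing: ACCEPT inserted last with a bare -I lands at position 1.
broken_listing() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j DROP
EOF
}

# Constructed listing: the ACCEPT sits below the two recent rules.
fixed_listing() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j DROP
EOF
}

# Demo: report both listings.
demo() {
    for l in broken_listing fixed_listing; do
        if $l | ssh_ratelimit_order; then echo "$l: OK"; else echo "$l: WRONG ORDER (rc=$?)"; fi
    done
}
```

On a live host run iptables -S INPUT | ssh_ratelimit_order; echo $? after adding the rules.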