Security Basics mailing list archives

Re: Stand alone linux webserver security tuning


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 13 May 2008 20:13:39 +0200

On 2008-05-13 Robert Giruckas wrote:
> I am administrating a stand alone linux web server(CentOS latest
> distro). I would like to know how can I improve my firewall on web
> server, for example: DoS preventions, Syn port scan detection using
> iptables and so on.

You don't really need a firewall on a standalone webserver. There are
only very few DoS types you can handle on the host itself (syn floods
for instance). Most DoS attacks are better handled upstream. There's no
real need to handle ICMP aside from what's configured via sysctl (unless
you want to apply rate-limiting, which only makes sense on a router,
IMHO). And I wouldn't waste my time with detecting portscans.

If you really want to run a firewall on the host, go for something like
this:

----8<----
#!/bin/sh

IPT=/sbin/iptables

EXT_ETH="eth0"

LOGLEVEL="debug"
LIMIT="5/s"
BURST_LIMIT="10"
LOG_LIMIT="2/s"
LOG_BURST_LIMIT="10"

# --- Default Policies ---

# Always set the policies before flushing the chains
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

$IPT -F
$IPT -X

# --- User-defined Chains ---

$IPT -N SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit $LIMIT --limit-burst $BURST_LIMIT \
  -j RETURN
$IPT -A SYN_FLOOD -m limit --limit $LOG_LIMIT --limit-burst $LOG_BURST_LIMIT \
  -j LOG --log-level $LOGLEVEL --log-prefix "SYNFLOOD: "
$IPT -A SYN_FLOOD -j DROP

# --- INPUT Chain ---

$IPT -A INPUT -m state --state INVALID -j DROP

$IPT -A INPUT -i lo -j ACCEPT

# Detect and handle SYN floods
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD

# Drop TCP packets with bad flags (FIN,URG,PSH is the classic "XMAS" combination)
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Drop packets from private address ranges coming in on the external
# interface
$IPT -A INPUT -i $EXT_ETH -s 127.0.0.0/8 -j DROP
$IPT -A INPUT -i $EXT_ETH -s 10.0.0.0/8 -j DROP
$IPT -A INPUT -i $EXT_ETH -s 172.16.0.0/12 -j DROP
$IPT -A INPUT -i $EXT_ETH -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i $EXT_ETH -s 192.168.0.0/16 -j DROP

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -i $EXT_ETH -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXT_ETH -p tcp --dport 80 -m state --state NEW -j ACCEPT

$IPT -A INPUT -p tcp -m limit --limit $LIMIT --limit-burst $BURST_LIMIT \
  -j REJECT --reject-with tcp-reset
$IPT -A INPUT -p udp -m limit --limit $LIMIT --limit-burst $BURST_LIMIT \
  -j REJECT --reject-with icmp-port-unreachable
---->8----

Keep things simple.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
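The SYN_FLOOD chain above relies on the `limit` match, which behaves as a token bucket (`--limit-burst` tokens to start, refilled at `--limit`). The following Python model is an added example, not part of Ansgar's post or the iptables project, and it replays the chain's RETURN / LOG / DROP logic over constructed packet timestamps to show that the bucket is global, so a sustained flood also drops legitimate SYNs once the 10-packet burst is spent.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Model of the iptables 'limit' match (--limit RATE --limit-burst BURST).

    The bucket starts full with BURST tokens and refills at RATE tokens per
    second, capped at BURST; a packet matches only if a token is available.
    (Approximation of the kernel's integer credit accounting.)
    """
    rate: float           # tokens per second, e.g. 5.0 for "5/s"
    burst: int            # --limit-burst
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def match(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_chain(packet_times, limit=5.0, burst=10, log_limit=2.0, log_burst=10):
    """Verdict the SYN_FLOOD chain gives each incoming SYN, in order.

    Parameters default to LIMIT/BURST_LIMIT/LOG_LIMIT/LOG_BURST_LIMIT from
    the posted script. 'RETURN' means the packet goes back to INPUT for the
    port rules; everything else is dropped, logged or not.
    """
    accept_bucket = TokenBucket(limit, burst)        # rule 1: RETURN
    log_bucket = TokenBucket(log_limit, log_burst)   # rule 2: LOG (non-terminating)
    verdicts = []
    for t in packet_times:
        if accept_bucket.match(t):
            verdicts.append("RETURN")
        elif log_bucket.match(t):
            verdicts.append("LOG+DROP")  # LOG falls through to rule 3: DROP
        else:
            verdicts.append("DROP")
    return verdicts


def simulate_burst(count, interval_s, **kwargs):
    """Constructed input: `count` SYNs arriving `interval_s` seconds apart."""
    return syn_flood_chain([i * interval_s for i in range(count)], **kwargs)
```

A normal client rate (one SYN every 250 ms) never exhausts the bucket, whereas 30 SYNs in 30 ms yield 10 RETURN, 10 logged drops and 10 silent drops.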
