Security Basics mailing list archives
Re: Stand alone linux webserver security tuning
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 13 May 2008 20:13:39 +0200
On 2008-05-13 Robert Giruckas wrote:
> I am administrating a stand-alone Linux web server (CentOS, latest distro). I would like to know how I can improve the firewall on the web server, for example: DoS prevention, SYN port scan detection using iptables, and so on.
You don't really need a firewall on a standalone webserver. There are only very few DoS types you can handle on the host itself (SYN floods, for instance). Most DoS attacks are better handled upstream. There's no real need to handle ICMP aside from what's configured via sysctl (unless you want to apply rate-limiting, which only makes sense on a router, IMHO). And I wouldn't waste my time with detecting portscans.

If you really want to run a firewall on the host, go for something like this:

----8<----
#!/bin/sh

IPT=/sbin/iptables
EXT_ETH="eth0"
LOGLEVEL="debug"
LIMIT="5/s"
BURST_LIMIT="10"
LOG_LIMIT="2/s"
LOG_BURST_LIMIT="10"

# --- Default Policies ---
# Always set the policies before flushing the chains
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -F
$IPT -X

# --- User-defined Chains ---
# SYN_FLOOD: let SYNs through at $LIMIT (burst $BURST_LIMIT), log a sample
# of the excess at $LOG_LIMIT, drop the rest. Note that the limit is global,
# not per source address.
$IPT -N SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit $LIMIT --limit-burst $BURST_LIMIT \
  -j RETURN
$IPT -A SYN_FLOOD -m limit --limit $LOG_LIMIT --limit-burst $LOG_BURST_LIMIT \
  -j LOG --log-level $LOGLEVEL --log-prefix "SYNFLOOD: "
$IPT -A SYN_FLOOD -j DROP

# --- INPUT Chain ---
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -i lo -j ACCEPT

# Detect and handle SYN floods
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD

# Drop TCP packets with bad flags (Xmas, null and other impossible
# combinations; the original post had a typo "INTH" for PSH in the first rule)
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Drop packets from private address ranges coming in on the external
# interface
$IPT -A INPUT -i $EXT_ETH -s 127.0.0.0/8 -j DROP
$IPT -A INPUT -i $EXT_ETH -s 10.0.0.0/8 -j DROP
$IPT -A INPUT -i $EXT_ETH -s 172.16.0.0/12 -j DROP
$IPT -A INPUT -i $EXT_ETH -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i $EXT_ETH -s 192.168.0.0/16 -j DROP

# Accept replies to our own connections, then the two services we offer
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $EXT_ETH -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXT_ETH -p tcp --dport 80 -m state --state NEW -j ACCEPT

# Reject everything else politely (rate-limited), the INPUT policy drops
# whatever exceeds the limit
$IPT -A INPUT -p tcp -m limit --limit $LIMIT --limit-burst $BURST_LIMIT \
  -j REJECT --reject-with tcp-reset
$IPT -A INPUT -p udp -m limit --limit $LIMIT --limit-burst $BURST_LIMIT \
  -j REJECT --reject-with icmp-port-unreachable
---->8----

Keep things simple.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
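The LOG rule in the SYN_FLOOD chain above writes kernel messages with the prefix "SYNFLOOD: ", and the useful follow-up on a standalone host is to read those messages back and see who is actually sending the excess SYNs. The script below is an added example, not part of the thread; it parses syslog lines in the format the kernel writes for an iptables LOG rule (key=value fields, bare tokens for TCP flags), aggregates by source address and destination port, and reports sources at or above a threshold. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter

LOG_PREFIX = "SYNFLOOD: "

# Constructed sample of /var/log/messages: four lines from the LOG rule plus
# one unrelated sshd line that the parser must ignore. Addresses are from
# documentation ranges, not from any real host.
SAMPLE_LOG = """\
May 13 20:13:39 web1 kernel: SYNFLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 13 20:13:39 web1 kernel: SYNFLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12346 DF PROTO=TCP SPT=43211 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 13 20:13:40 web1 kernel: SYNFLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12347 DF PROTO=TCP SPT=43212 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 13 20:13:40 web1 kernel: SYNFLOOD: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=777 DF PROTO=TCP SPT=50001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May 13 20:13:41 web1 sshd[2345]: Accepted publickey for admin from 192.0.2.9 port 51000 ssh2
"""

# syslog header, then the LOG prefix, then the packet fields
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    + re.escape(LOG_PREFIX)
    + r"(?P<rest>.*)$"
)
# iptables LOG writes fields as NAME=value; flag names (SYN, ACK, DF, ...)
# appear as bare tokens without '='
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict for a SYNFLOOD log line, or None for any other line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    flags = {tok for tok in rest.split() if "=" not in tok}
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "iface": fields.get("IN"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": fields.get("DPT"),
        "flags": flags,
    }


def summarize(log_text, threshold=2):
    """Count logged SYNs per source and per destination port.

    Sources with at least `threshold` logged SYNs are listed as offenders,
    most frequent first. Because the LOG rule itself is rate-limited
    (LOG_LIMIT in the firewall script), these counts are a sample and a
    lower bound on the real packet rate, not an exact count.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    per_src = Counter(e["src"] for e in events)
    per_port = Counter(e["dpt"] for e in events)
    offenders = [src for src, n in per_src.most_common() if n >= threshold]
    return {
        "events": len(events),
        "per_src": per_src,
        "per_port": per_port,
        "offenders": offenders,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("logged SYNs:", report["events"])
    for src, n in report["per_src"].most_common():
        print(f"  {src:<16} {n}")
    print("offenders:", ", ".join(report["offenders"]))
```

Run it against the real file with `summarize(open("/var/log/messages").read())`; the parser skips every line that does not carry the SYNFLOOD prefix, so other kernel and daemon output is harmless. If you lower LOG_LIMIT in the script to keep the log quiet, remember that the counts here shrink with it.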
Current thread:
- Stand alone linux webserver security tuning Robert Giruckas (May 13)
- Re: Stand alone linux webserver security tuning Ansgar -59cobalt- Wiechers (May 13)