Security Basics mailing list archives
Stand alone linux webserver security tuning
From: Robert Giruckas <aka.scut () gmail com>
Date: Tue, 13 May 2008 16:18:26 +0300
Hi, I am administrating a stand alone linux web server(CentOS latest distro). I would like to know how can I improve my firewall on web server, for example: DoS preventions, Syn port scan detection using iptables and so on. Or maybe I just forgot something to improve.... -- my sysctl configuration -- net.ipv4.ip_forward = 0 # Disable forwarding in kernel net.ipv4.conf.default.rp_filter = 2 # Disabling IP Spoofing attacks. net.ipv4.conf.all.rp_filter = 2 net.ipv4.icmp_echo_ignore_broadcasts = 1 # Don't respond to broadcast pings (Smurf-Amplifier-Protection) net.ipv4.conf.default.accept_source_route = 0 # Block source routing net.ipv4.conf.all.accept_source_route = 0 net.ipv4.tcp_timestamINT = 0 # Kill timestamINT net.ipv4.tcp_syncookies = 1 # Enable SYN Cookies net.ipv4.conf.all.accept_redirects = 0 # Kill redirects net.ipv4.icmp_ignore_bogus_error_responses = 1 # Enable bad error message protection net.ipv4.conf.all.log_martians = 1 # Log martians (packets with impossible addresses) net.ipv4.ip_local_port_range = "32768 61000" # Set out local port range net.ipv4.tcp_fin_timeout = 30 #Reduce DoS'ing ability by reducing timeouts net.ipv4.tcp_keepalive_time = 2400 net.ipv4.tcp_window_scaling = 0 net.ipv4.tcp_sack = 0 -- iptables configuration -- #!/bin/bash IPTABLES=/sbin/iptables # itpables in system link LOGLEVEL=DEBUG ########################### # Network Variables # EXT_ETH=eth0 EXT_IP=`/sbin/ifconfig $EXT_ETH | grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "` EXT_NET=$EXT_IP'/'`ifconfig $EXT_ETH | grep Mask | cut -d : -f 4` # /24 ########################### # Protection Variables # TCINTYNLIMIT="5/s" # Overall Limit for TCP-SYN-Flood detection TCINTYNLIMITBURST="10" # Burst Limit for TCP-SYN-Flood detection LOGLIMIT="2/s" # Overall Limit for Loggging in Logging-Chains LOGLIMITBURST="10" # Burst Limit for Logging in Logging-Chains PINGLIMIT="5/s" # Overall Limit for Ping-Flood-Detection PINGLIMITBURST="10" # Burst Limit for Ping-Flood-Detection ############################ # Special Variables # UNIVERSE="0.0.0.0/0" # IP Mask for all IP addresses ALLPORTS="1:65535" # all ports UNPRIVPORTS="1024:65535" # Specification of the high unprivileged IP ports. XWINPORTS="6000:6063" # Specification of X Window System (TCP) ports. IRCPORTS="6665,6666,6667,6668,6669,7000" # Ports for IRC-Connection-Tracking ############################ # Drop tables # $IPTABLES -F # flush tables $IPTABLES -F -t nat $IPTABLES -X # delete new tables $IPTABLES -X -t nat ############################# # Set Default policy # $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IPTABLES -A INPUT -i lo -j ACCEPT # accept firewall ingoing packets to lo $IPTABLES -A OUTPUT -o lo -j ACCEPT # accept firewall outgoing packets from lo ############################ # error logging # $IPTABLES -N LOG_BAD_FLAG #TCP-Packets with one ore more bad flags (commomly scans) $IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL FIN,URG,INTH -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS scan: " $IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS-INTH scan: " $IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL ALL -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS-ALL scan: " $IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL FIN -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "Stealth FIN scan: " $IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "Stealth SYN/RST scan: " $IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "Stealth SYN/FIN scan(?): " $IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL NONE -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "Stealth Null scan: " $IPTABLES -A LOG_BAD_FLAG -j REJECT $IPTABLES -N LOG_INVALID #Invalid packets (not ESTABLISHED,RELATED or NEW) $IPTABLES -A LOG_INVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "fp=INVALID:1 a=DROP " $IPTABLES -A LOG_INVALID -j DROP $IPTABLES -N LOG_SPECIAL_PORTS #Logging of connection attempts on special ports (Trojan portscans, special services, etc.) $IPTABLES -A LOG_SPECIAL_PORTS -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "fp=SPECIALPORT:1 a=DROP " $IPTABLES -A LOG_SPECIAL_PORTS -j DROP $IPTABLES -N LOG_SYN_FLOOD #Logging of possible TCP-SYN-Floods $IPTABLES -A LOG_SYN_FLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "fp=SYNFLOOD:1 a=DROP " $IPTABLES -A LOG_SYN_FLOOD -j DROP $IPTABLES -N LOG_PING_FLOOD #Logging of possible Ping-Floods $IPTABLES -A LOG_PING_FLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "fp=PINGFLOOD:1 a=DROP " $IPTABLES -A LOG_PING_FLOOD -j DROP $IPTABLES -N LOG_DROP #All other dropped packets $IPTABLES -A LOG_DROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "fp=TCP:1 a=DROP " $IPTABLES -A LOG_DROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "fp=UDP:2 a=DROP " $IPTABLES -A LOG_DROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "fp=ICMP:3 a=DROP " $IPTABLES -A LOG_DROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "fp=FRAGMENT:4 a=DROP " $IPTABLES -A LOG_DROP -j DROP $IPTABLES -N LOG_REJECT #All other rejected packets $IPTABLES -A LOG_REJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "fp=TCP:1 a=REJECT " $IPTABLES -A LOG_REJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "fp=UDP:2 a=REJECT " $IPTABLES -A LOG_REJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "fp=ICMP:3 a=REJECT " $IPTABLES -A LOG_REJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "fp=FRAGMENT:4 a=REJECT " $IPTABLES -A LOG_REJECT -p tcp -j REJECT --reject-with tcp-reset $IPTABLES -A LOG_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable $IPTABLES -A LOG_REJECT -j DROP ############################# # TCP_ACCEPT - Check for SYN-Floods before letting TCP-Packets in # $IPTABLES -N TCP_ACCEPT $IPTABLES -A TCP_ACCEPT -p tcp --syn -m limit --limit $TCINTYNLIMIT --limit-burst $TCINTYNLIMITBURST -j ACCEPT $IPTABLES -A TCP_ACCEPT -p tcp --syn -j LOG_SYN_FLOOD $IPTABLES -A TCP_ACCEPT -p tcp ! --syn -j ACCEPT ############################# # CHECK_BAD_FLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan) # $IPTABLES -N CHECK_BAD_FLAG $IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL FIN,URG,INTH -j LOG_BAD_FLAG # NMAP FIN/URG/INTH $IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_BAD_FLAG # SYN/RST/ACK/FIN/URG $IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL ALL -j LOG_BAD_FLAG # ALL/ALL Scan $IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL NONE -j LOG_BAD_FLAG # NMAP Null Scan $IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LOG_BAD_FLAG # SYN/RST $IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_BAD_FLAG # SYN/FIN -- Scan(probably) $IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL FIN -j LOG_BAD_FLAG # NMAP FIN Stealth ############################# #FILTERING FOR SPECIAL PORTS -- Inbound/Outbound SILENTDROINT/REJECTS (Things we don't want in our Logs) # $IPTABLES -N SAMBA #SAMBA-Traffic $IPTABLES -A SAMBA -p tcp --dport 137 -j DROP $IPTABLES -A SAMBA -p tcp --dport 138 -j DROP $IPTABLES -A SAMBA -p tcp --dport 139 -j DROP $IPTABLES -A SAMBA -p tcp --dport 445 -j DROP $IPTABLES -A SAMBA -p udp --dport 137 -j DROP $IPTABLES -A SAMBA -p udp --dport 138 -j DROP $IPTABLES -A SAMBA -p udp --dport 139 -j DROP $IPTABLES -A SAMBA -p udp --dport 445 -j DROP $IPTABLES -A SAMBA -p tcp --sport 137 -j DROP $IPTABLES -A SAMBA -p tcp --sport 138 -j DROP $IPTABLES -A SAMBA -p tcp --sport 139 -j DROP $IPTABLES -A SAMBA -p tcp --sport 445 -j DROP $IPTABLES -A SAMBA -p udp --sport 137 -j DROP $IPTABLES -A SAMBA -p udp --sport 138 -j DROP $IPTABLES -A SAMBA -p udp --sport 139 -j DROP $IPTABLES -A SAMBA -p udp --sport 445 -j DROP $IPTABLES -N SPECIAL_PORTS #Inbound Special Ports $IPTABLES -A SPECIAL_PORTS -p tcp --dport 6670 -j LOG_SPECIAL_PORTS #Deepthroat Scan $IPTABLES -A SPECIAL_PORTS -p tcp --dport 1243 -j LOG_SPECIAL_PORTS #Subseven Scan $IPTABLES -A SPECIAL_PORTS -p udp --dport 1243 -j LOG_SPECIAL_PORTS $IPTABLES -A SPECIAL_PORTS -p tcp --dport 27374 -j LOG_SPECIAL_PORTS $IPTABLES -A SPECIAL_PORTS -p udp --dport 27374 -j LOG_SPECIAL_PORTS $IPTABLES -A SPECIAL_PORTS -p tcp --dport 6711:6713 -j LOG_SPECIAL_PORTS $IPTABLES -A SPECIAL_PORTS -p tcp --dport 12345:12346 -j LOG_SPECIAL_PORTS #Netbus Scan $IPTABLES -A SPECIAL_PORTS -p tcp --dport 20034 -j LOG_SPECIAL_PORTS $IPTABLES -A SPECIAL_PORTS -p udp --dport 31337:31338 -j LOG_SPECIAL_PORTS #Back Orifice scan $IPTABLES -A SPECIAL_PORTS -p tcp --dport $XWINPORTS -j LOG_SPECIAL_PORTS #X-Win $IPTABLES -A SPECIAL_PORTS -p udp --dport 28431 -j LOG_SPECIAL_PORTS #Hack'a'Tack 2000 ############################# # ICMP/TRACEROUTE FILTERING # $IPTABLES -N ICMP_INBOUND #Inbound ICMP/Traceroute $IPTABLES -A ICMP_INBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT #Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped. $IPTABLES -A ICMP_INBOUND -p icmp --icmp-type echo-request -j LOG_PING_FLOOD $IPTABLES -A ICMP_INBOUND -p icmp --icmp-type redirect -j LOG_DROP #Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled) $IPTABLES -A ICMP_INBOUND -p icmp --icmp-type timestamp-request -j LOG_DROP #Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled) $IPTABLES -A ICMP_INBOUND -p icmp --icmp-type timestamp-reply -j LOG_DROP $IPTABLES -A ICMP_INBOUND -p icmp --icmp-type address-mask-request -j LOG_DROP #Block ICMP-address-mask (can help to prevent OS-fingerprinting) $IPTABLES -A ICMP_INBOUND -p icmp --icmp-type address-mask-reply -j LOG_DROP $IPTABLES -A ICMP_INBOUND -p icmp -j ACCEPT #Allow all other ICMP in $IPTABLES -N ICMP_OUTBOUND #Outbound ICMP/Traceroute $IPTABLES -A ICMP_OUTBOUND -p icmp --icmp-type redirect -j LOG_DROP #Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled) $IPTABLES -A ICMP_OUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LOG_DROP #Block ICMP-TTL-Expired MS Traceroute (MS uses ICMP instead of UDp for tracert) $IPTABLES -A ICMP_OUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LOG_DROP $IPTABLES -A ICMP_OUTBOUND -p icmp --icmp-type parameter-problem -j LOG_DROP #Block ICMP-Parameter-Problem $IPTABLES -A ICMP_OUTBOUND -p icmp --icmp-type timestamp-request -j LOG_DROP #Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled) $IPTABLES -A ICMP_OUTBOUND -p icmp --icmp-type timestamp-reply -j LOG_DROP $IPTABLES -A ICMP_OUTBOUND -p icmp --icmp-type address-mask-request -j LOG_DROP #Block ICMP-address-mask (can help to prevent OS-fingerprinting) $IPTABLES -A ICMP_OUTBOUND -p icmp --icmp-type address-mask-reply -j LOG_DROP $IPTABLES -A ICMP_OUTBOUND -p icmp -j ACCEPT #Accept all other ICMP going out ################# ## INPUT-Chain ## (everything that is addressed to the firewall itself) ################# $IPTABLES -A INPUT -d 127.0.0.0/8 -j LOG_REJECT #Kill connections to the local interface from the outside world (--> Should be already catched by kernel/rp_filter) ########################## # GENERAL Filtering # $IPTABLES -A INPUT -p tcp -j CHECK_BAD_FLAG # Check TCP-Packets for Bad Flags $IPTABLES -A INPUT -m state --state INVALID -j LOG_INVALID # Kill INVALID packets (not ESTABLISHED, RELATED or NEW) ########################## #ICMP & Traceroute filtering # $IPTABLES -A INPUT -i $EXT_ETH -p icmp -j ICMP_INBOUND #Filter ICMP $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LOG_DROP #Block UDP-Traceroute ########################## #Silent DroINT/Rejects (Things we don't want in our logs) # $IPTABLES -A INPUT -i $EXT_ETH -j SAMBA #Drop all SAMBA-Traffic $IPTABLES -A INPUT -i $EXT_ETH -p tcp --dport 113 -j REJECT --reject-with tcp-reset #Silently reject Ident ########################## # Block partizans # $IPTABLES -A INPUT -i $EXT_ETH -d $EXT_IP -s <some networks of bad guys> -j LOG_DROP ########################## # Public services running ON Server (comment out to activate): # #$IPTABLES -A INPUT -i $EXT_ETH -p tcp --dport 20 -j TCP_ACCEPT # ftp-data #$IPTABLES -A INPUT -i $EXT_ETH -p tcp --dport 21 -j TCP_ACCEPT # ftp $IPTABLES -A INPUT -i $EXT_ETH -p tcp -d $EXT_IP --dport 22 -j TCP_ACCEPT # ssh #$IPTABLES -A INPUT -i $EXT_ETH -p tcp --dport 23 -j TCP_ACCEPT # telnet #$IPTABLES -A INPUT -i $EXT_ETH -p tcp --dport 25 -j TCP_ACCEPT # smtp #$IPTABLES -A INPUT -i $EXT_ETH -p tcp --dport 53 -j TCP_ACCEPT # DNS #$IPTABLES -A INPUT -i $EXT_ETH -p udp --dport 53 -j ACCEPT $IPTABLES -A INPUT -i $EXT_ETH -p tcp -d $EXT_IP --dport 80 -j TCP_ACCEPT # http #$IPTABLES -A INPUT -i $EXT_ETH -p tcp --dport 443 -j TCP_ACCEPT # https #$IPTABLES -A INPUT -i $EXT_ETH -p tcp --dport 110 -j TCP_ACCEPT # POP-3 ########################## #Separate logging of special portscans/connection attempts # $IPTABLES -A INPUT -i $EXT_ETH -j SPECIAL_PORTS ########################## #Allow ESTABLISHED/RELATED connections in # $IPTABLES -A INPUT -i $EXT_ETH -m state --state ESTABLISHED -j ACCEPT $IPTABLES -A INPUT -i $EXT_ETH -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCP_ACCEPT $IPTABLES -A INPUT -i $EXT_ETH -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT ########################## #Catch all rule # $IPTABLES -A INPUT -j LOG_DROP ################## ## Output-Chain ## (everything that comes directly from the Firewall-Box) ################## ######################## #Silent DroINT/Rejects (Things we don't want in our logs) # $IPTABLES -A OUTPUT -o $EXT_ETH -j SAMBA #SAMBA $IPTABLES -A OUTPUT -o $EXT_ETH -p tcp --sport 113 -j REJECT --reject-with tcp-reset #Ident ######################## # Public services running ON Server (comment out to activate): # #$IPTABLES -A OUTPUT -o $EXT_ETH -p tcp --sport 20 -j ACCEPT # ftp-data #$IPTABLES -A OUTPUT -o $EXT_ETH -p tcp --sport 21 -j ACCEPT # ftp $IPTABLES -A OUTPUT -o $EXT_ETH -p tcp -s $EXT_IP --sport 22 -j ACCEPT # ssh #$IPTABLES -A OUTPUT -o $EXT_ETH -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT # telnet #$IPTABLES -A OUTPUT -o $EXT_ETH -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT # smtp #$IPTABLES -A OUTPUT -o $EXT_ETH -p tcp --sport 53 -j ACCEPT # DNS #$IPTABLES -A OUTPUT -o $EXT_ETH -p udp --sport 53 -j ACCEPT $IPTABLES -A OUTPUT -o $EXT_ETH -p tcp -s $EXT_IP --sport 80 -m state --state ESTABLISHED -j ACCEPT # http #$IPTABLES -A OUTPUT -o $EXT_ETH -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT # https #$IPTABLES -A OUTPUT -o $EXT_ETH -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT #POP-3 $IPTABLES -A OUTPUT -o $EXT_ETH -s $EXT_IP -p tcp --sport $UNPRIVPORTS -j ACCEPT $IPTABLES -A OUTPUT -o $EXT_ETH -s $EXT_IP -p udp --sport $UNPRIVPORTS -j ACCEPT ######################## #Catch all rule # $IPTABLES -A OUTPUT -j LOG_DROP ## -- END OF RULES SET -- ## Thank you for any help :)
Current thread:
- Stand alone linux webserver security tuning Robert Giruckas (May 13)
- Re: Stand alone linux webserver security tuning Ansgar -59cobalt- Wiechers (May 13)