Security Basics mailing list archives

Stand alone linux webserver security tuning


From: Robert Giruckas <aka.scut () gmail com>
Date: Tue, 13 May 2008 16:18:26 +0300

Hi,
I am administering a stand-alone Linux web server (latest CentOS distro). I would like to know how I can improve the firewall on the web server, for example: DoS prevention, SYN/port-scan detection using iptables, and so on. Or maybe I just forgot something that could be improved...

-- my sysctl configuration --

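# Kernel network hardening for a single-homed, non-forwarding web server
# (/etc/sysctl.conf syntax).
#
# Comments are kept on their own lines: sysctl.conf(5) only defines
# whole-line comments, and the comments in the original that had been wrapped
# onto a following line (e.g. "pings (Smurf-Amplifier-Protection)") are read
# as bogus keys.  Values are written unquoted for the same reason: quoting is
# not defined for sysctl.conf, so the quotes around "32768 61000" would most
# likely be handed to the kernel as part of the value and rejected.

# Not a router: never forward packets between interfaces.
net.ipv4.ip_forward = 0

# Strict reverse-path filtering (RFC 3704): drop packets whose source address
# would not be routed back out the interface they arrived on.  The original
# used 2 (loose mode); loose mode only requires the source to be reachable via
# *any* interface, which on a single-NIC host with a default route is true for
# almost every address, so it does little against spoofing here.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# Do not answer broadcast pings (smurf amplification).
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Drop source-routed packets.
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0

# Hide TCP timestamps (uptime leak).  NOTE(review): this also disables PAWS
# and RTT measurement; together with tcp_window_scaling=0 and tcp_sack=0
# below it costs throughput on long or lossy paths for no further security
# gain — confirm these three are really wanted on a web server.
net.ipv4.tcp_timestamps = 0

# SYN cookies: the kernel's own SYN-flood defence.  The rate limit in the
# iptables TCP_ACCEPT chain is a throttle, not a substitute for this.
net.ipv4.tcp_syncookies = 1

# Ignore ICMP redirects on every interface (the original only set "all"),
# and never send them: a host that does not forward has no reason to.
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# Ignore bogus ICMP error responses.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log packets with impossible (martian) source addresses, on every interface.
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1

# Ephemeral port range for outbound connections.
net.ipv4.ip_local_port_range = 32768 61000

# Reclaim half-closed and idle sockets sooner (FIN-WAIT-2 and keepalive
# timers, in seconds).
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 2400

# See the tcp_timestamps note above.
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0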

-- iptables configuration --
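#!/bin/bash
#
# iptables ruleset for a stand-alone (non-forwarding) Linux web server.
#
# What it does: rate-limited logging chains for scans and floods; drops TCP
# packets with impossible flag combinations and conntrack-INVALID packets;
# rate limits inbound SYNs and pings; silently discards SMB/ident noise; and
# exposes only ssh (22) and http (80) on the external interface.  Everything
# else in INPUT and OUTPUT is logged and dropped.
#
# Usage: run as root.  Try it from the console first (or with a scheduled
# rollback): the policies are set to DROP *before* the chains are rebuilt, so
# a rule that fails to load leaves the host closed — including to ssh.
#
# IPv4 only.  If IPv6 is enabled on the host, an equivalent ip6tables ruleset
# is needed; otherwise the same services are reachable unfiltered over v6.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

readonly IPTABLES=/sbin/iptables   # iptables binary
readonly LOGLEVEL=DEBUG            # syslog level used by every LOG rule
# NOTE(review): many syslog configurations do not write kern.debug to
# /var/log/messages, so the "Stealth ..." / "fp=..." lines may never be seen.
# Confirm the messages actually arrive, or pick a level the syslog keeps.

[[ -x "$IPTABLES" ]] || die "iptables not found at $IPTABLES"
command -v ip >/dev/null || die "ip(8) not found"

# Thin wrapper so every rule line reads the same and the path is quoted once.
ipt() { "$IPTABLES" "$@"; }

###########################
# Network variables
#
readonly EXT_ETH=eth0
# Primary IPv4 address of the external interface (e.g. 192.0.2.10 — example).
# "ip -o" prints one line per address with "addr/prefix" in field 4; the
# first address is used and the script aborts if there is none (the original
# parsed ifconfig output, whose format varies between net-tools versions).
ext_addr=$(ip -4 -o addr show dev "$EXT_ETH" | awk 'NR == 1 { print $4 }')
readonly EXT_IP=${ext_addr%%/*}
[[ -n "$EXT_IP" ]] || die "no IPv4 address found on $EXT_ETH"

###########################
# Protection variables
#
# NOTE(review): these limits are global (one bucket for the whole host), not
# per source.  5 new TCP connections/s is low for a public web server, and a
# single sender exceeding it also starves every legitimate client, while the
# kernel's tcp_syncookies already handles real SYN floods.  Tune the values,
# or consider a per-source limit (the hashlimit match) instead.
readonly TCPSYNLIMIT="5/s"         # overall limit for TCP SYN flood detection
readonly TCPSYNLIMITBURST="10"     # burst for TCP SYN flood detection
readonly LOGLIMIT="2/s"            # overall limit for LOG rules in the logging chains
readonly LOGLIMITBURST="10"        # burst for LOG rules
readonly PINGLIMIT="5/s"           # overall limit for ping flood detection
readonly PINGLIMITBURST="10"       # burst for ping flood detection

###########################
# Special variables
#
readonly UNPRIVPORTS="1024:65535"  # unprivileged (client-side) port range
readonly XWINPORTS="6000:6063"     # X Window System (TCP) ports
# Source networks to drop (logged, rate limited).  Space-separated CIDRs,
# e.g. "198.51.100.0/24 203.0.113.0/24" (examples).  The original had an
# unquoted "<some networks of bad guys>" placeholder here, which bash parses
# as a redirection and which made the script abort at that line.
BLOCKED_NETS=""

# Common tail of every rate-limited LOG rule; each caller adds --log-prefix.
LOGMATCH=(-m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST"
          -j LOG --log-level "$LOGLEVEL")

############################
# Default policy, then flush.  DROP is set first so that a rule failing
# below leaves the host closed rather than open (the original used ACCEPT,
# so a partially loaded ruleset was wide open).  OUTPUT already ends in a
# LOG_DROP catch-all, so a DROP policy there changes nothing once loading
# completes; FORWARD is DROP because ip_forward=0 and nothing is routed.
#
ipt -P INPUT DROP
ipt -P OUTPUT DROP
ipt -P FORWARD DROP
ipt -F
ipt -F -t nat
ipt -X
ipt -X -t nat
ipt -A INPUT  -i lo -j ACCEPT      # loopback in
ipt -A OUTPUT -o lo -j ACCEPT      # loopback out

############################
# Logging chains: each logs (rate limited) and then drops or rejects.
#
# TCP packets with one or more impossible flag combinations (commonly scans).
# "PSH" was garbled to "INTH" in the posted copy, which iptables rejects.
ipt -N LOG_BAD_FLAG
ipt -A LOG_BAD_FLAG -p tcp --tcp-flags ALL FIN,URG,PSH         "${LOGMATCH[@]}" --log-prefix "Stealth XMAS scan: "
ipt -A LOG_BAD_FLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG "${LOGMATCH[@]}" --log-prefix "Stealth XMAS-PSH scan: "
ipt -A LOG_BAD_FLAG -p tcp --tcp-flags ALL ALL                 "${LOGMATCH[@]}" --log-prefix "Stealth XMAS-ALL scan: "
ipt -A LOG_BAD_FLAG -p tcp --tcp-flags ALL FIN                 "${LOGMATCH[@]}" --log-prefix "Stealth FIN scan: "
ipt -A LOG_BAD_FLAG -p tcp --tcp-flags SYN,RST SYN,RST         "${LOGMATCH[@]}" --log-prefix "Stealth SYN/RST scan: "
ipt -A LOG_BAD_FLAG -p tcp --tcp-flags SYN,FIN SYN,FIN         "${LOGMATCH[@]}" --log-prefix "Stealth SYN/FIN scan(?): "
ipt -A LOG_BAD_FLAG -p tcp --tcp-flags ALL NONE                "${LOGMATCH[@]}" --log-prefix "Stealth Null scan: "
ipt -A LOG_BAD_FLAG -j REJECT      # kept from the original; DROP would answer the scanner with nothing

# conntrack INVALID packets (neither NEW, ESTABLISHED nor RELATED).
ipt -N LOG_INVALID
ipt -A LOG_INVALID "${LOGMATCH[@]}" --log-prefix "fp=INVALID:1 a=DROP "
ipt -A LOG_INVALID -j DROP

# Connection attempts on well-known backdoor/trojan ports.
ipt -N LOG_SPECIAL_PORTS
ipt -A LOG_SPECIAL_PORTS "${LOGMATCH[@]}" --log-prefix "fp=SPECIALPORT:1 a=DROP "
ipt -A LOG_SPECIAL_PORTS -j DROP

# SYNs above the TCP_ACCEPT rate limit.
ipt -N LOG_SYN_FLOOD
ipt -A LOG_SYN_FLOOD "${LOGMATCH[@]}" --log-prefix "fp=SYNFLOOD:1 a=DROP "
ipt -A LOG_SYN_FLOOD -j DROP

# Echo requests above the ICMP_INBOUND rate limit.
ipt -N LOG_PING_FLOOD
ipt -A LOG_PING_FLOOD "${LOGMATCH[@]}" --log-prefix "fp=PINGFLOOD:1 a=DROP "
ipt -A LOG_PING_FLOOD -j DROP

# Everything else that is dropped.
ipt -N LOG_DROP
ipt -A LOG_DROP -p tcp  "${LOGMATCH[@]}" --log-prefix "fp=TCP:1 a=DROP "
ipt -A LOG_DROP -p udp  "${LOGMATCH[@]}" --log-prefix "fp=UDP:2 a=DROP "
ipt -A LOG_DROP -p icmp "${LOGMATCH[@]}" --log-prefix "fp=ICMP:3 a=DROP "
ipt -A LOG_DROP -f      "${LOGMATCH[@]}" --log-prefix "fp=FRAGMENT:4 a=DROP "
ipt -A LOG_DROP -j DROP

# Everything else that is rejected (TCP gets a reset, UDP a port-unreachable).
ipt -N LOG_REJECT
ipt -A LOG_REJECT -p tcp  "${LOGMATCH[@]}" --log-prefix "fp=TCP:1 a=REJECT "
ipt -A LOG_REJECT -p udp  "${LOGMATCH[@]}" --log-prefix "fp=UDP:2 a=REJECT "
ipt -A LOG_REJECT -p icmp "${LOGMATCH[@]}" --log-prefix "fp=ICMP:3 a=REJECT "
ipt -A LOG_REJECT -f      "${LOGMATCH[@]}" --log-prefix "fp=FRAGMENT:4 a=REJECT "
ipt -A LOG_REJECT -p tcp -j REJECT --reject-with tcp-reset
ipt -A LOG_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
ipt -A LOG_REJECT -j DROP

#############################
# TCP_ACCEPT - rate limit new connections (SYNs) before accepting TCP.
#
ipt -N TCP_ACCEPT
ipt -A TCP_ACCEPT -p tcp --syn -m limit --limit "$TCPSYNLIMIT" --limit-burst "$TCPSYNLIMITBURST" -j ACCEPT
ipt -A TCP_ACCEPT -p tcp --syn -j LOG_SYN_FLOOD
ipt -A TCP_ACCEPT -p tcp ! --syn -j ACCEPT

#############################
# CHECK_BAD_FLAG - hand TCP packets with impossible flag combinations
# (nmap Xmas/Null/FIN-style scans) to LOG_BAD_FLAG.
#
ipt -N CHECK_BAD_FLAG
ipt -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL FIN,URG,PSH         -j LOG_BAD_FLAG   # nmap Xmas
ipt -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_BAD_FLAG
ipt -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL ALL                 -j LOG_BAD_FLAG   # all flags set
ipt -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL NONE                -j LOG_BAD_FLAG   # nmap Null
ipt -A CHECK_BAD_FLAG -p tcp --tcp-flags SYN,RST SYN,RST         -j LOG_BAD_FLAG
ipt -A CHECK_BAD_FLAG -p tcp --tcp-flags SYN,FIN SYN,FIN         -j LOG_BAD_FLAG   # SYN/FIN (probably a scan)
ipt -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL FIN                 -j LOG_BAD_FLAG   # nmap FIN

#############################
# Silent drops / rejects (things we do not want in the logs).
#
# SMB/NetBIOS traffic in either direction.
ipt -N SAMBA
for proto in tcp udp; do
  for port in 137 138 139 445; do
    ipt -A SAMBA -p "$proto" --dport "$port" -j DROP
    ipt -A SAMBA -p "$proto" --sport "$port" -j DROP
  done
done

# Inbound connection attempts on well-known backdoor ports (logged, dropped).
ipt -N SPECIAL_PORTS
ipt -A SPECIAL_PORTS -p tcp --dport 6670         -j LOG_SPECIAL_PORTS   # Deepthroat
ipt -A SPECIAL_PORTS -p tcp --dport 1243         -j LOG_SPECIAL_PORTS   # Subseven
ipt -A SPECIAL_PORTS -p udp --dport 1243         -j LOG_SPECIAL_PORTS
ipt -A SPECIAL_PORTS -p tcp --dport 27374        -j LOG_SPECIAL_PORTS
ipt -A SPECIAL_PORTS -p udp --dport 27374        -j LOG_SPECIAL_PORTS
ipt -A SPECIAL_PORTS -p tcp --dport 6711:6713    -j LOG_SPECIAL_PORTS
ipt -A SPECIAL_PORTS -p tcp --dport 12345:12346  -j LOG_SPECIAL_PORTS   # Netbus
ipt -A SPECIAL_PORTS -p tcp --dport 20034        -j LOG_SPECIAL_PORTS
ipt -A SPECIAL_PORTS -p udp --dport 31337:31338  -j LOG_SPECIAL_PORTS   # Back Orifice
ipt -A SPECIAL_PORTS -p tcp --dport "$XWINPORTS" -j LOG_SPECIAL_PORTS   # X-Win
ipt -A SPECIAL_PORTS -p udp --dport 28431        -j LOG_SPECIAL_PORTS   # Hack'a'Tack 2000

#############################
# ICMP / traceroute filtering
#
ipt -N ICMP_INBOUND
# Ping flood protection: accept $PINGLIMIT echo-requests/s (burst
# $PINGLIMITBURST); the rest are logged and dropped.
ipt -A ICMP_INBOUND -p icmp --icmp-type echo-request -m limit --limit "$PINGLIMIT" --limit-burst "$PINGLIMITBURST" -j ACCEPT
ipt -A ICMP_INBOUND -p icmp --icmp-type echo-request         -j LOG_PING_FLOOD
ipt -A ICMP_INBOUND -p icmp --icmp-type redirect             -j LOG_DROP   # sysctl accept_redirects=0 should already drop these
ipt -A ICMP_INBOUND -p icmp --icmp-type timestamp-request    -j LOG_DROP   # timestamp (clock/uptime leak)
ipt -A ICMP_INBOUND -p icmp --icmp-type timestamp-reply      -j LOG_DROP
ipt -A ICMP_INBOUND -p icmp --icmp-type address-mask-request -j LOG_DROP   # address mask (OS fingerprinting aid)
ipt -A ICMP_INBOUND -p icmp --icmp-type address-mask-reply   -j LOG_DROP
ipt -A ICMP_INBOUND -p icmp -j ACCEPT                                      # all other ICMP in

ipt -N ICMP_OUTBOUND
ipt -A ICMP_OUTBOUND -p icmp --icmp-type redirect                   -j LOG_DROP   # never send redirects
ipt -A ICMP_OUTBOUND -p icmp --icmp-type ttl-zero-during-transit    -j LOG_DROP   # TTL expired (answers MS tracert, which uses ICMP)
ipt -A ICMP_OUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LOG_DROP
ipt -A ICMP_OUTBOUND -p icmp --icmp-type parameter-problem          -j LOG_DROP
ipt -A ICMP_OUTBOUND -p icmp --icmp-type timestamp-request          -j LOG_DROP
ipt -A ICMP_OUTBOUND -p icmp --icmp-type timestamp-reply            -j LOG_DROP
ipt -A ICMP_OUTBOUND -p icmp --icmp-type address-mask-request       -j LOG_DROP
ipt -A ICMP_OUTBOUND -p icmp --icmp-type address-mask-reply         -j LOG_DROP
ipt -A ICMP_OUTBOUND -p icmp -j ACCEPT                                            # all other ICMP out

#################
## INPUT chain ## (everything addressed to the host itself)
#################
# Loopback addresses arriving from outside (rp_filter should already catch this).
ipt -A INPUT -d 127.0.0.0/8 -j LOG_REJECT
# General filtering
ipt -A INPUT -p tcp -j CHECK_BAD_FLAG                    # impossible TCP flag combinations
ipt -A INPUT -m state --state INVALID -j LOG_INVALID     # conntrack INVALID
# ICMP and traceroute
ipt -A INPUT -i "$EXT_ETH" -p icmp -j ICMP_INBOUND
ipt -A INPUT -p udp --dport 33434:33523 -j LOG_DROP      # UDP traceroute
# Silent drops/rejects
ipt -A INPUT -i "$EXT_ETH" -j SAMBA
ipt -A INPUT -i "$EXT_ETH" -p tcp --dport 113 -j REJECT --reject-with tcp-reset   # ident
# Blocked networks (word splitting on $BLOCKED_NETS is intended: one CIDR per word)
# shellcheck disable=SC2086
for net in $BLOCKED_NETS; do
  ipt -A INPUT -i "$EXT_ETH" -d "$EXT_IP" -s "$net" -j LOG_DROP
done
# Public services running on this host (uncomment to enable)
#ipt -A INPUT -i "$EXT_ETH" -p tcp --dport 20  -j TCP_ACCEPT   # ftp-data
#ipt -A INPUT -i "$EXT_ETH" -p tcp --dport 21  -j TCP_ACCEPT   # ftp
# ssh: open to the world here; add "-s <admin network>" (placeholder) if the
# administrator's source addresses are known.
ipt -A INPUT -i "$EXT_ETH" -p tcp -d "$EXT_IP" --dport 22 -j TCP_ACCEPT
#ipt -A INPUT -i "$EXT_ETH" -p tcp --dport 23  -j TCP_ACCEPT   # telnet
#ipt -A INPUT -i "$EXT_ETH" -p tcp --dport 25  -j TCP_ACCEPT   # smtp
#ipt -A INPUT -i "$EXT_ETH" -p tcp --dport 53  -j TCP_ACCEPT   # DNS
#ipt -A INPUT -i "$EXT_ETH" -p udp --dport 53  -j ACCEPT
ipt -A INPUT -i "$EXT_ETH" -p tcp -d "$EXT_IP" --dport 80 -j TCP_ACCEPT   # http
#ipt -A INPUT -i "$EXT_ETH" -p tcp --dport 443 -j TCP_ACCEPT   # https
#ipt -A INPUT -i "$EXT_ETH" -p tcp --dport 110 -j TCP_ACCEPT   # POP-3
# Separate logging of special-port scans / connection attempts
ipt -A INPUT -i "$EXT_ETH" -j SPECIAL_PORTS
# Established / related traffic
ipt -A INPUT -i "$EXT_ETH" -m state --state ESTABLISHED -j ACCEPT
ipt -A INPUT -i "$EXT_ETH" -p tcp --dport "$UNPRIVPORTS" -m state --state RELATED -j TCP_ACCEPT
ipt -A INPUT -i "$EXT_ETH" -p udp --dport "$UNPRIVPORTS" -m state --state RELATED -j ACCEPT
# Catch-all
ipt -A INPUT -j LOG_DROP

##################
## OUTPUT chain ## (everything that originates on this host)
##################
# ICMP filtering.  The original defined ICMP_OUTBOUND but never referenced
# it, so every outgoing ICMP packet — including echo replies to the pings
# ICMP_INBOUND had just accepted, and the port-unreachables LOG_REJECT
# generates — fell through to the LOG_DROP catch-all and filled the log.
ipt -A OUTPUT -o "$EXT_ETH" -p icmp -j ICMP_OUTBOUND
# Silent drops/rejects
ipt -A OUTPUT -o "$EXT_ETH" -j SAMBA
ipt -A OUTPUT -o "$EXT_ETH" -p tcp --sport 113 -j REJECT --reject-with tcp-reset   # ident
# Public services running on this host (uncomment to enable)
#ipt -A OUTPUT -o "$EXT_ETH" -p tcp --sport 20  -j ACCEPT   # ftp-data
#ipt -A OUTPUT -o "$EXT_ETH" -p tcp --sport 21  -j ACCEPT   # ftp
# ssh replies; restricted to ESTABLISHED like the http rule (the original
# accepted any packet from source port 22).
ipt -A OUTPUT -o "$EXT_ETH" -p tcp -s "$EXT_IP" --sport 22 -m state --state ESTABLISHED -j ACCEPT
#ipt -A OUTPUT -o "$EXT_ETH" -p tcp --sport 23  -m state --state ESTABLISHED -j ACCEPT   # telnet
#ipt -A OUTPUT -o "$EXT_ETH" -p tcp --sport 25  -m state --state ESTABLISHED -j ACCEPT   # smtp
#ipt -A OUTPUT -o "$EXT_ETH" -p tcp --sport 53  -j ACCEPT   # DNS
#ipt -A OUTPUT -o "$EXT_ETH" -p udp --sport 53  -j ACCEPT
ipt -A OUTPUT -o "$EXT_ETH" -p tcp -s "$EXT_IP" --sport 80 -m state --state ESTABLISHED -j ACCEPT   # http
#ipt -A OUTPUT -o "$EXT_ETH" -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT   # https
#ipt -A OUTPUT -o "$EXT_ETH" -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT   # POP-3
# Client-side connections from this host (DNS, updates, ...): unprivileged source ports.
ipt -A OUTPUT -o "$EXT_ETH" -s "$EXT_IP" -p tcp --sport "$UNPRIVPORTS" -j ACCEPT
ipt -A OUTPUT -o "$EXT_ETH" -s "$EXT_IP" -p udp --sport "$UNPRIVPORTS" -j ACCEPT
# Catch-all
ipt -A OUTPUT -j LOG_DROP
## -- END OF RULES SET -- ##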

Thank you for any help :)

