Hello:
Here's what I've done so far, along with my firewall set of rules. If anyone has further ideas, I'd like to know about it.
First, I disabled root logins, limited login time to 30 seconds and set ssh to only use ppks.
I've also bound mysql to local and do not have much else running open apart from postfix and dovecot.
I've also installed logwatch and set up tripwire.
My questions are:
1) How can my firewall set of rules be improved?
2) Is there anything else I could do differently? Is this a reasonable setup? Do people generally add more for their servers? I just want to prevent issues before they happen--they will eventually, I'm sure, but I'd rather limit it if I can.
Here are my rules:
Code:
[code]
#!/bin/sh
# variable declarations
TCPPorts="ssh http"
LocalTCPPorts="mysql"
UDPPorts="ntp 3750"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"   # RFC 1918 range; the original had the typo 192.16.0.0/16
LOOPBACK_IF="lo"
EXT_IF="eth0"

echo "Flushing:"
iptables -F
iptables -Z

echo "Enabling input to loopback"
# both rules must reference the variable ($LOOPBACK_IF); the original used the bare
# name LOOPBACK_IF and a misspelt IF_LOOPBACK, so neither rule matched the lo interface
iptables -A INPUT -i $LOOPBACK_IF -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_IF -j ACCEPT

echo "Setting default policies"
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

echo "Adding blacklisted people:"
# empty chain that sshguard fills with its own DROP rules
iptables -N sshguard
iptables -A INPUT -j sshguard

echo "Blocking ranges:"
# one "start-end" IP range per line in /etc/firewall/ranges
for address in $(cat /etc/firewall/ranges); do
    iptables -A INPUT -m iprange --src-range $address -j DROP
done

echo "Dropping malformed packets"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

echo "Allowing related and established connections."
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
#iptables -A OUTPUT -m state --state INVALID -j DROP

echo "Dropping portscans"
# matches bare RST packets, but only up to 1/s because of the limit match
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j DROP

echo "Excepting connections on specified TCP PORTS"
echo "Local ports..."
# mysql is bound to localhost, so only accept it on the loopback interface
for PORT in $LocalTCPPorts; do
    iptables -A INPUT -i $LOOPBACK_IF -p tcp --dport $PORT -m state --state NEW -j ACCEPT
done
echo "Remote ports..."
for PORT in $TCPPorts; do
    iptables -A INPUT -p tcp --syn --dport $PORT -m state --state NEW -j ACCEPT
done

echo "Excepting connections on UDP ports"
for PORT in $UDPPorts; do
    iptables -A INPUT -p udp --dport $PORT -j ACCEPT
done

echo "Setting up synflood protection"
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

echo "Drop internal connections"
# note: these sit after the ACCEPT rules above, so they only see traffic that was
# not already accepted on an open port
iptables -A INPUT -s $CLASS_A -j DROP
iptables -A INPUT -s $CLASS_B -j DROP
iptables -A INPUT -s $CLASS_C -j DROP
iptables -A INPUT -i $EXT_IF -s 127.0.0.1/8 -j DROP

echo "Dropping some ICMP packets."
iptables -A INPUT --fragment -p icmp -j DROP

echo "Dropping packets whose addresses we don't want."
iptables -A INPUT -m addrtype --src-type UNSPEC -j DROP
iptables -A INPUT -m addrtype --src-type BROADCAST -j DROP

echo "Setting connection limit."
iptables -A INPUT -m connlimit --connlimit-above 6 -j REJECT
[/code]
Thanks,
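As an added example (not the poster's script, and not anything from the thread's replies), the following regenerates the same kind of ruleset with the ordering problem of the original corrected: the anti-spoofing and sanity DROPs come before any ACCEPT, loopback is accepted as a whole so a MySQL bound to 127.0.0.1 needs no rule at all on the external interface, and the SSH rate limit is per source address (hashlimit) instead of one global SYN limit that would also throttle the web server. It assumes the interface name eth0 and the port lists from the post; the `ipt` wrapper and `rule_position` helper are mine. By default it only prints the commands (DRY_RUN=1), which is how the ordering can be checked without root.

```shell
#!/bin/sh
# Added example: regenerates an INPUT ruleset with sanity/anti-spoofing DROPs
# placed before every ACCEPT. DRY_RUN=1 (default) prints the commands;
# DRY_RUN=0 applies them with iptables as root.

DRY_RUN="${DRY_RUN:-1}"
EXT_IF="${EXT_IF:-eth0}"        # assumed external interface name, as in the post
LOOPBACK_IF="lo"
TCPPorts="ssh http"             # published TCP services from the post
UDPPorts="ntp 3750"
# RFC 1918 plus loopback: packets from these sources on eth0 are spoofed
SPOOFED_SOURCES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# Print or apply one iptables invocation depending on DRY_RUN.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

build_ruleset() {
  ipt -F
  ipt -X
  ipt -Z
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT

  # 1. Loopback: everything on lo, which covers MySQL bound to 127.0.0.1,
  #    so no mysql rule is needed on the external interface at all.
  ipt -A INPUT -i "$LOOPBACK_IF" -j ACCEPT

  # 2. Anti-spoofing before any ACCEPT: if these came later, a packet with a
  #    private source address aimed at an open port would already be accepted.
  for net in $SPOOFED_SOURCES; do
    ipt -A INPUT -i "$EXT_IF" -s "$net" -j DROP
  done
  ipt -A INPUT -m addrtype --src-type BROADCAST -j DROP
  ipt -A INPUT -m addrtype --src-type UNSPEC -j DROP

  # 3. Malformed TCP flag combinations (same set as the post).
  for flags in "SYN,FIN SYN,FIN" "SYN,RST SYN,RST" "FIN,RST FIN,RST" \
               "ACK,FIN FIN" "ACK,PSH PSH" "ACK,URG URG"; do
    set -- $flags
    ipt -A INPUT -p tcp --tcp-flags "$1" "$2" -j DROP
  done

  # 4. Connection tracking: drop INVALID, accept replies to our own traffic.
  ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # 5. Chain that sshguard populates with its own DROP rules.
  ipt -N sshguard
  ipt -A INPUT -j sshguard

  # 6. New connections on published ports. SSH gets a per-source limit so one
  #    brute-forcer cannot exhaust a global SYN budget that HTTP also needs.
  ipt -A INPUT -i "$EXT_IF" -p tcp --syn --dport ssh -m hashlimit \
      --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-above 4/min -j DROP
  for port in $TCPPorts; do
    ipt -A INPUT -i "$EXT_IF" -p tcp --syn --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
  for port in $UDPPorts; do
    ipt -A INPUT -i "$EXT_IF" -p udp --dport "$port" -j ACCEPT
  done

  # 7. Log (rate limited) what falls through to the DROP policy, for logwatch.
  ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# 1-based position of the first emitted rule containing the fixed string $1,
# or 0 if no rule matches. Always evaluated in dry-run mode.
rule_position() {
  pos=$( ( DRY_RUN=1; build_ruleset ) | grep -n -F -e "$1" | head -n 1 | cut -d: -f1 )
  echo "${pos:-0}"
}

# Stand-alone use: print (DRY_RUN=1) or apply (DRY_RUN=0) the ruleset.
build_ruleset
```

Running the script as-is prints the rules so the order can be reviewed; `rule_position` is there to make that review mechanical, e.g. confirming that the 10.0.0.0/8 DROP is emitted before the SSH ACCEPT.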