
rootserver:security

Links

Firewall

The difficulty is that it is very easy to lock yourself out of the server when you are connected via SSH.
One possible solution: build a script that opens the firewall and is called by cron, e.g. every 5 minutes.
As soon as the firewall script works correctly, remove the entry from the crontab again!
Note: cron probably does not have root's PATH, so it is better to give the iptables command with its full path.

#!/bin/bash
# Emergency unlock: flush all rules and user chains and set every policy to ACCEPT.
echo "BEGIN shutdown firewall" `date`
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
echo "END shutdown firewall"
exit 0

And the crontab entry (crontab -e):

#  m   h  dom mon dow   command
*/5    *    *   *   *   /root/firewall.off.sh >> /root/firewall.log
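A safer variant of the same idea, added here as an example and not part of the original page: instead of a cron job that opens the firewall every five minutes, the current rules are saved, a watchdog is armed, and the new script is run; unless you confirm from a second SSH session in time, the saved rules are restored. The file names, the 90-second default and the script name firewall-apply.sh are assumptions.

```shell
#!/bin/sh
# Timed rollback for loading a new iptables ruleset over SSH (added example,
# not from the wiki page). Flow: snapshot the live rules, arm a watchdog, run
# the new script. Unless "firewall-apply.sh confirm" is run from a *second*
# SSH session within TIMEOUT seconds, the watchdog restores the snapshot.
# File names, the 90 s default and the script name are assumptions.
IPTABLES_SAVE=${IPTABLES_SAVE:-/sbin/iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-/sbin/iptables-restore}
SNAPSHOT=${SNAPSHOT:-/root/iptables.rollback}
CONFIRM_FLAG=${CONFIRM_FLAG:-/run/firewall.confirmed}
TIMEOUT=${TIMEOUT:-90}

# Save the live ruleset; this is what the watchdog falls back to.
snapshot_rules() {
    "$IPTABLES_SAVE" > "$SNAPSHOT"
}

# iptables-restore replaces the whole table in one step, so unlike a
# -F/-X/-P sequence there is no moment with empty chains and a DROP policy.
restore_rules() {
    "$IPTABLES_RESTORE" < "$SNAPSHOT"
}

# Detached subshell: sleep TIMEOUT seconds, then restore unless the confirm
# flag appeared. HUP is ignored so losing the SSH session does not kill it.
start_rollback_timer() {
    rm -f "$CONFIRM_FLAG"
    (
        trap '' HUP
        sleep "$TIMEOUT"
        if [ -e "$CONFIRM_FLAG" ]; then
            rm -f "$CONFIRM_FLAG"
        else
            restore_rules
        fi
    ) </dev/null >/dev/null 2>&1 &
}

# apply_ruleset SCRIPT: the timer is armed *before* the script runs, so a
# script that locks us out immediately is still undone.
apply_ruleset() {
    snapshot_rules || return 2
    start_rollback_timer
    "$1"
}

# Run from the second SSH session once the new rules are known to work.
confirm_ruleset() {
    : > "$CONFIRM_FLAG"
}
case "${1:-}" in
    apply)   apply_ruleset "$2" ;;
    confirm) confirm_ruleset ;;
esac
```

Usage: `firewall-apply.sh apply /etc/init.d/firewall` in the first session, then `firewall-apply.sh confirm` from a fresh login; if the fresh login never gets through, the old rules come back by themselves.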

The following script checks various settings of the IP stack (version 4):

#!/bin/bash
# Print the current IPv4 stack settings; the value in brackets is the
# recommended (usually safer) one, see the explanation below.

echo "response to ping enabled         [0]: " `cat /proc/sys/net/ipv4/icmp_echo_ignore_all`
echo "response to broadcasts enabled   [1]: " `cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts`
echo "accept source routed packets     [0]: " `cat /proc/sys/net/ipv4/conf/all/accept_source_route`
echo "ICMP redirect acceptance enabled [0]: " `cat /proc/sys/net/ipv4/conf/all/accept_redirects`
echo "bad error message protection     [1]: " `cat /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses`
echo "reverse path filtering..."
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
   echo "${interface} [1]:" `cat ${interface}`
done
echo "log spoofed, source routed, redirect packets [1]: " `cat /proc/sys/net/ipv4/conf/all/log_martians`
echo "IP forwarding enabled            [0]: " `cat /proc/sys/net/ipv4/ip_forward`

The values in brackets are the settings that may be more secure.
Since nothing comes for free, some of them carry disadvantages or require certain preconditions.
An explanation of the individual settings can be found at http://www.sns.ias.edu/~jns/wp/2006/01/12/iptables-example-rulesets/.
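An audit version of the check, added here as an example and not part of the original page: it compares each setting with the bracketed value and exits with the number of deviations, so it can run from cron and fail loudly after a kernel or distribution upgrade. SYSCTL_ROOT is an assumed knob that defaults to /proc/sys.

```shell
#!/bin/sh
# Audit version of the IPv4 check script (added example, not from the wiki
# page): compare each sysctl with the recommended value from the brackets
# and return the number of deviations. SYSCTL_ROOT is an assumed knob so
# that a different tree can be passed in for testing.
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# check_one RELATIVE_PATH EXPECTED DESCRIPTION -> returns 1 on mismatch
check_one() {
    path="$SYSCTL_ROOT/$1"
    if [ ! -r "$path" ]; then
        printf 'SKIP     %-42s (%s not present)\n' "$3" "$1"
        return 0
    fi
    actual=$(cat "$path")
    if [ "$actual" = "$2" ]; then
        printf 'ok       %-42s = %s\n' "$3" "$actual"
        return 0
    fi
    printf 'MISMATCH %-42s = %s (recommended %s)\n' "$3" "$actual" "$2"
    return 1
}

# audit_ipv4_flags -> exit status = number of settings that deviate
audit_ipv4_flags() {
    bad=0
    check_one net/ipv4/icmp_echo_ignore_all              0 "ignore all pings (0 = answer ping)" || bad=$((bad + 1))
    check_one net/ipv4/icmp_echo_ignore_broadcasts       1 "ignore broadcast pings (Smurf)"    || bad=$((bad + 1))
    check_one net/ipv4/conf/all/accept_source_route      0 "accept source routed packets"      || bad=$((bad + 1))
    check_one net/ipv4/conf/all/accept_redirects         0 "accept ICMP redirects"             || bad=$((bad + 1))
    check_one net/ipv4/icmp_ignore_bogus_error_responses 1 "ignore bogus ICMP error responses" || bad=$((bad + 1))
    check_one net/ipv4/conf/all/log_martians             1 "log martian packets"               || bad=$((bad + 1))
    check_one net/ipv4/ip_forward                        0 "IP forwarding"                     || bad=$((bad + 1))
    # reverse path filtering is per interface, so walk all of them
    for f in "$SYSCTL_ROOT"/net/ipv4/conf/*/rp_filter; do
        [ -e "$f" ] || continue
        rel=${f#"$SYSCTL_ROOT"/}
        check_one "$rel" 1 "reverse path filter ($rel)" || bad=$((bad + 1))
    done
    return "$bad"
}

# Stand-alone use: ./ipv4-audit.sh --run ; exit status is the deviation count.
if [ "${1:-}" = "--run" ]; then
    audit_ipv4_flags
    exit $?
fi
```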

Firewall-Script

Here is the preliminary firewall script (no guarantee whatsoever!)

#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $time $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall
# Should-Stop:       $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start/stop firewall
# Description:       Start/stop firewall, a ruleset for iptables.
### END INIT INFO

## Original script comes from
##     James Stephens (jns@ias.edu)
##     http://www.sns.ias.edu/~jns/
##     http://www.sns.ias.edu/~jns/files/iptables_ruleset
##
## Modified by: Heinrich Goebl

echo "BEGIN init firewall" `date`

## ===========================================================
## Some definitions:

IFACE="eth0"
IPADDR="80.239.139.37"
NAMESERVER_1="80.239.139.37"
NAMESERVER_2="80.239.139.2"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
# TODO adopt limit-burst to reasonable values
LOG_LIMIT_INFO="-m limit --limit 1/h --limit-burst 5"
LOG_LIMIT_WARN="-m limit --limit 6/h --limit-burst 5"
LOG_LIMIT_ERROR="-m limit --limit 12/h --limit-burst 5"

KERNEL_FLAGS=1
SPOOFING=1
SYN_FLOODING=1
FRAGMENTS=1

## ============================================================
#
# Load appropriate modules.
modprobe ip_tables
modprobe ip_conntrack

# These lines are here in case rules are already in place and the script is ever rerun on the fly.
# We want to remove all rules and pre-existing user defined chains and zero the counters
# before we implement new rules.
iptables -F
iptables -X
iptables -Z

# Set up a default DROP policy for the built-in chains.
# If we modify and re-run the script mid-session then (because we have a default DROP
# policy), what happens is that there is a small time period when packets are denied until
# the new rules are back in place. There is no period, however small, when packets we
# don't want are allowed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

if [ $KERNEL_FLAGS -eq 1 ]; then
## ============================================================
## Kernel flags
# To dynamically change kernel parameters and variables on the fly you need
# CONFIG_SYSCTL defined in your kernel. I would advise the following:

# Disable response to ping.
#hgoebl disabled
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering. This helps make sure that packets use
# legitimate source addresses, by automatically rejecting incoming packets
# if the routing table entry for their source address doesn't match the network
# interface they're arriving on. This has security advantages because it prevents
# so-called IP spoofing, however it can pose problems if you use asymmetric routing
# (packets from you to a host take a different path than packets from that host to you)
# or if you operate a non-routing host which has several IP addresses on different
# interfaces. (Note - If you turn on IP forwarding, you will also get this).
#hgoebl disabled
#for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
#   /bin/echo "1" > ${interface}
#done

# Log spoofed packets, source routed packets, redirect packets.
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Make sure that IP forwarding is turned off. We only want this for a multi-homed host.
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward

# Note: With connection tracking, all fragments are reassembled before being
# passed to the packet-filtering code so there is no ip_always_defrag switch as there
# was in the 2.2 kernel.

fi # KERNEL_FLAGS

## ============================================================
# RULES

## LOOPBACK
# Allow unlimited traffic on the loopback interface.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#echo "loopback ok"

# accept established connections
iptables -A INPUT  -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
#echo "established ok"

if [ $SYN_FLOODING -eq 1 ]; then
#
# hgoebl: this section comes from http://www.sns.ias.edu/~jns/files/iptables_ruleset
#         In http://www.sns.ias.edu/~jns/files/iptables_ruleset_updated this section
#         is commented (=inactive).
#         In the generated scripts from http://www.tobias-bauer.de/computer/iptables/index.html
#         there could be an alternative, but I didn't try it:
#         (I find "FORWARD" especially curious ...)
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
## SYN-FLOODING PROTECTION
# This rule maximises the rate of incoming connections. In order to do this we divert tcp
# packets with the SYN bit set off to a user-defined chain. Up to limit-burst connections
# can arrive in 1/limit seconds ..... in this case 4 connections in one second. After this, one
# of the burst is regained every second and connections are allowed again. The default limit
# is 3/hour. The default limit burst is 5.
#
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood $LOG_LIMIT_WARN -j LOG --log-prefix "IPTABLES SYN-FLOOD: "
iptables -A syn-flood -j DROP
#echo "syn-flood ok"
fi

## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW $LOG_LIMIT_WARN -j LOG --log-prefix "IPTABLES SYN-NEW: "
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
#echo "ensure new syn"

if [ $FRAGMENTS -eq 1 ]; then
## FRAGMENTS
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# fragments is very OS-dependent (see this paper for details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too.
iptables -A INPUT -i $IFACE -f $LOG_LIMIT_ERROR -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i $IFACE -f -j DROP
#echo "fragments ok"
fi

if [ $SPOOFING -eq 1 ]; then
## SPOOFING
# Most of this anti-spoofing stuff is theoretically not really necessary with the flags we
# have set in the kernel above ........... but you never know there isn't a bug somewhere in
# your IP stack.
#
# Refuse spoofed packets pretending to be from your IP address.
iptables -A INPUT -i $IFACE -s $IPADDR $LOG_LIMIT_ERROR -j LOG --log-prefix "IPTABLES SPOOF1: "
iptables -A INPUT -i $IFACE -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network.
iptables -A INPUT -i $IFACE -s $CLASS_A $LOG_LIMIT_ERROR -j LOG --log-prefix "IPTABLES SPOOF2: "
iptables -A INPUT -i $IFACE -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network.
iptables -A INPUT -i $IFACE -s $CLASS_B $LOG_LIMIT_ERROR -j LOG --log-prefix "IPTABLES SPOOF3: "
iptables -A INPUT -i $IFACE -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network.
iptables -A INPUT -i $IFACE -s $CLASS_C $LOG_LIMIT_ERROR -j LOG --log-prefix "IPTABLES SPOOF4: "
iptables -A INPUT -i $IFACE -s $CLASS_C -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
iptables -A INPUT -i $IFACE -s $CLASS_D_MULTICAST $LOG_LIMIT_ERROR -j LOG --log-prefix "IPTABLES SPOOF5: "
iptables -A INPUT -i $IFACE -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses.
iptables -A INPUT -i $IFACE -s $CLASS_E_RESERVED_NET $LOG_LIMIT_ERROR -j LOG --log-prefix "IPTABLES SPOOF6: "
iptables -A INPUT -i $IFACE -s $CLASS_E_RESERVED_NET -j DROP
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
iptables -A INPUT -i $IFACE -d $LOOPBACK $LOG_LIMIT_ERROR -j LOG --log-prefix "IPTABLES SPOOF7: "
iptables -A INPUT -i $IFACE -d $LOOPBACK -j DROP
#echo "spoofing ok"
fi

## DNS
# NOTE: DNS uses tcp for zone transfers, for transfers greater than 512 bytes (possible, but unusual), and on certain
# platforms like AIX (I am told), so you might have to add a copy of this rule for tcp if you need it
# Allow UDP packets in for DNS client from nameservers.
iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_1 --sport domain -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_2 --sport domain -m state --state ESTABLISHED -j ACCEPT
# Allow UDP packets to DNS servers from client.
iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_1 --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_2 --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
#echo "dns ok"

## time synchronization
# Allow UDP packets in for NTP client from any timeserver.
# TODO following rule might be obsolete because of global "established" rule
iptables -A INPUT -i $IFACE -p udp --sport ntp -m state --state ESTABLISHED -j ACCEPT
# Allow UDP packets to NTP servers from client.
iptables -A OUTPUT -o $IFACE -p udp --dport ntp -m state --state NEW,ESTABLISHED -j ACCEPT
#echo "ntp ok"

###     I N B O U N D
# shell
# following 2 rules are for the paranoic guys - works even w/o global "established" rule
#iptables -A INPUT  -i $IFACE -p tcp --dport ssh --sport $UP_PORTS -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -o $IFACE -p tcp --sport ssh --dport $UP_PORTS -m state --state     ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport ssh   -m state --state NEW -j ACCEPT
# web
iptables -A INPUT -i $IFACE -p tcp --dport www   -m state --state NEW -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport https -m state --state NEW -j ACCEPT
# mail
iptables -A INPUT -i $IFACE -p tcp --dport smtp  -m state --state NEW -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport pop3  -m state --state NEW -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport imap  -m state --state NEW -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport ssmtp -m state --state NEW -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport pop3s -m state --state NEW -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport imaps -m state --state NEW -j ACCEPT
#echo "inbound ok"

###      O U T B O U N D
# shell
iptables -A OUTPUT -o $IFACE -p tcp --dport ssh -m state --state NEW -j ACCEPT
# web/apt-get/wget/...
iptables -A OUTPUT -o $IFACE -p tcp -m multiport --dports www,http-alt,https -m state --state NEW -j ACCEPT
# mail (add pop3, imap if needed)
iptables -A OUTPUT -o $IFACE -p tcp --dport smtp  -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport imaps -m state --state NEW -j ACCEPT
#echo "outbound ok"

## TRACEROUTE
# Outgoing traceroute anywhere.
# The reply to a traceroute is an icmp time-exceeded which is dealt with by the next rule.
iptables -A OUTPUT -o $IFACE -p udp --sport $TR_SRC_PORTS --dport $TR_DEST_PORTS \
  -m state --state NEW -j ACCEPT
#echo "traceroute ok"

# ICMP
# We accept icmp in if it is "related" to other connections (e.g a time exceeded (11)
# from a traceroute) or it is part of an "established" connection (e.g. an echo reply (0)
# from an echo-request (8)).
iptables -A INPUT  -i $IFACE -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# We always allow icmp out.
iptables -A OUTPUT -o $IFACE -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#echo "icmp ok"

## LOGGING
# You don't have to split up your logging like I do below, but I prefer to do it this way
# because I can then grep for things in the logs more easily. One thing you probably want
# to do is rate-limit the logging. I didn't do that here because it is probably best not to
# when you first set things up ................. you actually really want to see everything going to
# the logs to work out what isn't working and why. You can implement logging with
# "-m limit --limit 6/h --limit-burst 5" (or similar) before the -j LOG in each case.
#
# Any udp not already allowed is logged and then dropped.
iptables -A INPUT  -i $IFACE -p udp $LOG_LIMIT_INFO -j LOG --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT  -i $IFACE -p udp -j DROP
iptables -A OUTPUT -o $IFACE -p udp $LOG_LIMIT_ERROR -j LOG --log-prefix "IPTABLES UDP-OUT: "
iptables -A OUTPUT -o $IFACE -p udp -j DROP
# Any icmp not already allowed is logged and then dropped.
iptables -A INPUT  -i $IFACE -p icmp $LOG_LIMIT_INFO -j LOG --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT  -i $IFACE -p icmp -j DROP
iptables -A OUTPUT -o $IFACE -p icmp $LOG_LIMIT_WARN -j LOG --log-prefix "IPTABLES ICMP-OUT: "
iptables -A OUTPUT -o $IFACE -p icmp -j DROP
# Any tcp not already allowed is logged and then dropped.
iptables -A INPUT  -i $IFACE -p tcp $LOG_LIMIT_INFO -j LOG --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT  -i $IFACE -p tcp -j DROP
iptables -A OUTPUT -o $IFACE -p tcp $LOG_LIMIT_ERROR -j LOG --log-prefix "IPTABLES TCP-OUT: "
iptables -A OUTPUT -o $IFACE -p tcp -j DROP
# Anything else not already allowed is logged and then dropped.
# It will be dropped by the default policy anyway ........ but let's be paranoid.
iptables -A INPUT  -i $IFACE $LOG_LIMIT_ERROR -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
iptables -A INPUT  -i $IFACE -j DROP
iptables -A OUTPUT -o $IFACE $LOG_LIMIT_ERROR -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
iptables -A OUTPUT -o $IFACE -j DROP
#echo "logging ok"

# THE END
echo "END init firewall"
exit 0
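To make use of the "IPTABLES <TAG>: " log prefixes in the script, here is an added example (not part of the original page) that condenses the kernel log into counts per rule tag, source address and destination port, so a SPOOF2 burst or a SYN-FLOOD hit stands out. The sample lines are constructed, with the page's own address as DST.

```shell
#!/bin/sh
# Condense the firewall's LOG lines into "count TAG SRC PROTO/DPT" rows
# (added example, not from the wiki page). Every LOG rule in the script
# uses the prefix "IPTABLES <TAG>: ", so TAG identifies the rule that fired
# (SPOOF2 = 10/8 source on eth0, SYN-FLOOD = burst exceeded, TCP-IN = port
# not opened, ...). Reads a syslog-style kernel log from the given file or
# from stdin.
summarize_firewall_log() {
    awk '
    /IPTABLES [A-Z0-9-]+: / {
        tag = $0
        sub(/.*IPTABLES /, "", tag)      # drop timestamp, host, "kernel:"
        sub(/:.*/, "", tag)              # keep only the tag itself
        src = "-"; dpt = "-"; proto = "-"
        for (i = 1; i <= NF; i++) {      # pick the key=value fields we need
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        count[tag " " src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

# Constructed sample: three spoofed 10/8 packets, one SYN-flood drop,
# one closed-port probe and an unrelated kernel line.
sample_log() {
    cat <<'EOF'
Oct 22 11:35:01 srv kernel: IPTABLES SPOOF2: IN=eth0 OUT= SRC=10.1.2.3 DST=80.239.139.37 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44122 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 22 11:35:02 srv kernel: IPTABLES SPOOF2: IN=eth0 OUT= SRC=10.1.2.3 DST=80.239.139.37 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 22 11:35:02 srv kernel: IPTABLES SPOOF2: IN=eth0 OUT= SRC=10.1.2.3 DST=80.239.139.37 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44124 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 22 11:35:05 srv kernel: IPTABLES SYN-FLOOD: IN=eth0 OUT= SRC=198.51.100.7 DST=80.239.139.37 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=5555 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Oct 22 11:35:09 srv kernel: IPTABLES TCP-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=80.239.139.37 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=7 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 11:35:10 srv kernel: eth0: link is up
EOF
}

# Stand-alone demo on the constructed sample; on the server use
# summarize_firewall_log /var/log/kern.log instead.
sample_log | summarize_firewall_log
```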

Software

rkhunter (Rootkit Hunter)

After updates and new installations, update rkhunter.dat with

# rkhunter --propupd

Run rkhunter manually

# rkhunter -c

Under Debian GNU/Linux the following messages are “standard”:

Warning: Suspicious file types found in /dev:
       /dev/shm/network/ifstate: ASCII text
Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.

The following lines in /etc/rkhunter.conf suppress these messages:

ALLOWDEVFILE=/dev/shm/network/ifstate
APP_WHITELIST="gpg:1.4.9 openssl:0.9.8g php:5.2.6 sshd:5.1p1"

Especially on virtual servers the following message tends to appear:

Warning: The kernel module directory '/lib/modules' is missing.

This message is suppressed with:

DISABLE_TESTS="... os_specific"

apache

    <VirtualHost _default_:443>
       DocumentRoot /var/www/wellcrafted.de/
       #ErrorLog /usr/local/apache/logs/error_log
       #TransferLog /usr/local/apache/logs/access_log
       SSLEngine on
       SSLProtocol all -SSLv2
       SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
 
       SSLCertificateFile /etc/apache2/ssl/ssl.crt
       SSLCertificateKeyFile /etc/apache2/ssl/ssl.key
       SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
       SSLCACertificateFile /etc/apache2/ssl/ca.pem
       SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
       #CustomLog /usr/local/apache/logs/ssl_request_log \
       #   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
rootserver/security.txt · Last modified: 2015/10/22 11:35 by hgoebl