
Improving the firewall

Bob Mottram 11 anni fa
parent
commit
4e66894c7b
1 ha cambiato i file con 109 aggiunte e 5 eliminazioni
  1. 109
    5
      beaglebone.txt

+ 109
- 5
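--- a/beaglebone.txt
+++ b/beaglebone.txt
@@ -450,6 +450,13 @@ apt-get install fail2ban
 A basic firewall limits the maximum rate at which connections can be made, and this helps to defend against various kinds of DDOS attack.
 
 #+BEGIN_SRC: bash
+apt-get install portsentry
+emacs /etc/portsentry/portsentry.conf
+#+END_SRC
+
+Save and exit.
+
+#+BEGIN_SRC: bash
 emacs /tmp/firewall.sh
 #+END_SRC
 
@@ -457,6 +464,75 @@ Enter the following:
 
 #+BEGIN_SRC: bash
 #!/bin/bash
+
+# enable syn cookies
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+
+# other settings
+echo 1 > /proc/sys/net/ipv4/tcp_keepalive_probes
+echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
+echo 1 > /proc/sys/net/ipv4/tcp_syn_retries
+
+# First of all delete any existing rules.
+# This means you're back to a known state:
+iptables -P INPUT ACCEPT
+iptables -F
+iptables -X
+
+# Make sure NEW incoming tcp connections are SYN packets
+iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+
+# Drop packets with incoming fragments
+iptables -A INPUT -f -j DROP
+
+# Incoming malformed XMAS packets drop them
+iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
+iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+# Incoming malformed NULL packets:
+iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+
+# limit ssh logins to no more than 3 per min
+iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 1 -j LOG --log-prefix SSH-DROP
+
+# Limit web connections to 20 per min
+iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix HTTP-DROP
+iptables -A INPUT -p tcp --dport 443 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 443 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix HTTPS-DROP
+
+# Limit number of XMPP connections
+iptables -A INPUT -p tcp --match multiport --dports 5222:5223,5269,5280:5281 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --match multiport --dports 5222:5223,5269,5280:5281 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix XMPP-DROP
+
+# Limit IRC connections
+iptables -A INPUT -p tcp --dport 6666:6670 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 6666:6670 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix IRC-DROP
+
+# Limit gopher connections
+iptables -A INPUT -p tcp --dport 70 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 70 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix GOPH-DROP
+
+# Limit IMAP connections
+iptables -A INPUT -p tcp --dport 143 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 143 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix IMAP-DROP
+
+# Limit SIP connections
+iptables -A INPUT -p tcp --dport 5060:5061 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 5060:5061 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix SIP-DROP
+
+# Limit SMTP/SMTPS connections
+iptables -A INPUT -p tcp --dport 25 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 25 -m limit --limit 3/minute --limit-burst 1 -j LOG --log-prefix SMTP-DROP
+iptables -A INPUT -p tcp --dport 465 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 465 -m limit --limit 3/minute --limit-burst 1 -j LOG --log-prefix SMTPS-DROP
+
+# Limit Bitmessage connections
+iptables -A INPUT -p tcp --dport 8444 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 8444 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix BM-DROP
+
 # Limit the number of incoming tcp connections
 # Interface 0 incoming syn-flood protection
 iptables -N syn_flood
@@ -464,11 +540,17 @@ iptables -A INPUT -p tcp --syn -j syn_flood
 iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
 iptables -A syn_flood -j DROP
 
-#Limiting the incoming icmp ping request:
+# Limiting the incoming icmp ping request:
 iptables -A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT
 iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
 iptables -A INPUT -p icmp -j DROP
 iptables -A OUTPUT -p icmp -j ACCEPT
+
+# Save the settings
+iptables-save > /etc/firewall.conf
+echo '#!/bin/sh' > /etc/network/if-up.d/iptables
+echo 'iptables-restore < /etc/firewall.conf' >> /etc/network/if-up.d/iptables
+chmod +x /etc/network/if-up.d/iptables
 #+END_SRC
 
 Save and exit
@@ -476,10 +558,6 @@ Save and exit
 #+BEGIN_SRC: bash
 chmod +x /tmp/firewall.sh
 . /tmp/firewall.sh
-iptables-save > /etc/firewall.conf
-echo '#!/bin/sh' > /etc/network/if-up.d/iptables
-echo 'iptables-restore < /etc/firewall.conf' >> /etc/network/if-up.d/iptables
-chmod +x /etc/network/if-up.d/iptables
 rm /tmp/firewall.sh
 #+END_SRC
 
@@ -3248,6 +3326,32 @@ make install
 pybitmessage
 #+END_SRC
 
+*** Connect to Email
+Surely Bitmessage is supposed to be a
+
+#+BEGIN_SRC: bash
+cd /tmp
+wget http://freedombone.uk.to/notbit.tar.gz
+#+END_SRC
+
+Verify it.
+
+#+BEGIN_SRC: bash
+sha256sum notbit.tar.gz
+972fdc9cbb8034141282337dcd5e557bce57969ff6bd1d607da89bd93cc7bb68
+#+END_SRC
+
+Extract and install it.
+
+#+BEGIN_SRC: bash
+tar -xzvf notbit.tar.gz
+cd notbit
+apt-get install dh-autoreconf
+./autogen.sh --prefix=/home/myusername
+make
+make install
+#+END_SRC
+
 ** Overcome restrictive environments
 
 #+BEGIN_VERSE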
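Review bot: The per-service rate limits added in the `@@ -457,6 +464,75 @@` hunk do not actually drop anything: each service gets a limited ACCEPT and a limited LOG (e.g. the two port 22 rules), but no `-j DROP` follows them, and the script starts with `iptables -P INPUT ACCEPT`, so a SYN that exceeds the limit falls through the rest of INPUT (subject only to the global `syn_flood` limit shown in context) and is accepted by the default policy, which makes the `*-DROP` log prefixes misleading. The existing icmp block lower down already shows the intended shape: limited ACCEPT, limited LOG, then an unconditional DROP. Because these limit matches count every packet on the port rather than new connection attempts, adding the DROP as-is would also starve established sessions, so each rule should match `--syn` (or `-m state --state NEW`) with an `ESTABLISHED,RELATED` accept placed before them; the sketch below shows the ssh triplet and the same change applies to the other nine services. Separately, the comment `# Limit web connections to 20 per min` disagrees with the `--limit 10/minute` on the rules beneath it and should read `# Limit web connections to 10 per min`.

```bash
# … unchanged: sysctl writes, flush, !--syn / fragment / XMAS / NULL drops …

# Let packets belonging to connections already accepted through, so the
# per-service limits below count new connection attempts only.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# limit ssh logins to no more than 3 per min
iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 3/minute --limit-burst 1 -j LOG --log-prefix SSH-DROP
iptables -A INPUT -p tcp --dport 22 --syn -j DROP

# … same ACCEPT / LOG / DROP triplet for 80, 443, XMPP, IRC, 70, 143, SIP, 25, 465 and 8444 …

# … unchanged: syn_flood chain, icmp rules, iptables-save …
```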