|
@@ -450,6 +450,13 @@ apt-get install fail2ban
|
450
|
450
|
A basic firewall limits the maximum rate at which connections can be made, and this helps to defend against various kinds of DDOS attack.
|
451
|
451
|
|
452
|
452
|
#+BEGIN_SRC: bash
|
|
453
|
+apt-get install portsentry
|
|
454
|
+emacs /etc/portsentry/portsentry.conf
|
|
455
|
+#+END_SRC
|
|
456
|
+
|
|
457
|
+Save and exit.
|
|
458
|
+
|
|
459
|
+#+BEGIN_SRC: bash
|
453
|
460
|
emacs /tmp/firewall.sh
|
454
|
461
|
#+END_SRC
|
455
|
462
|
|
|
@@ -457,6 +464,75 @@ Enter the following:
|
457
|
464
|
|
458
|
465
|
#+BEGIN_SRC: bash
|
459
|
466
|
#!/bin/bash
|
|
467
|
+
|
|
468
|
+# enable syn cookies
|
|
469
|
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
|
|
470
|
+
|
|
471
|
+# other settings
|
|
472
|
+echo 1 > /proc/sys/net/ipv4/tcp_keepalive_probes
|
|
473
|
+echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
|
|
474
|
+echo 1 > /proc/sys/net/ipv4/tcp_syn_retries
|
|
475
|
+
|
|
476
|
+# First of all delete any existing rules.
|
|
477
|
+# This means you're back to a known state:
|
|
478
|
+iptables -P INPUT ACCEPT
|
|
479
|
+iptables -F
|
|
480
|
+iptables -X
|
|
481
|
+
|
|
482
|
+# Make sure NEW incoming tcp connections are SYN packets
|
|
483
|
+iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
|
|
484
|
+
|
|
485
|
+# Drop packets with incoming fragments
|
|
486
|
+iptables -A INPUT -f -j DROP
|
|
487
|
+
|
|
488
|
+# Incoming malformed XMAS packets drop them
|
|
489
|
+iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
|
490
|
+iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
|
|
491
|
+iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
|
|
492
|
+
|
|
493
|
+# Incoming malformed NULL packets:
|
|
494
|
+iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
|
495
|
+
|
|
496
|
+# limit ssh logins to no more than 3 per min
|
|
497
|
+iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
|
|
498
|
+iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 1 -j LOG --log-prefix SSH-DROP
|
|
499
|
+
|
|
500
|
+# Limit web connections to 20 per min
|
|
501
|
+iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
|
502
|
+iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix HTTP-DROP
|
|
503
|
+iptables -A INPUT -p tcp --dport 443 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
|
504
|
+iptables -A INPUT -p tcp --dport 443 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix HTTPS-DROP
|
|
505
|
+
|
|
506
|
+# Limit number of XMPP connections
|
|
507
|
+iptables -A INPUT -p tcp --match multiport --dports 5222:5223,5269,5280:5281 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
|
508
|
+iptables -A INPUT -p tcp --match multiport --dports 5222:5223,5269,5280:5281 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix XMPP-DROP
|
|
509
|
+
|
|
510
|
+# Limit IRC connections
|
|
511
|
+iptables -A INPUT -p tcp --dport 6666:6670 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
|
512
|
+iptables -A INPUT -p tcp --dport 6666:6670 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix IRC-DROP
|
|
513
|
+
|
|
514
|
+# Limit gopher connections
|
|
515
|
+iptables -A INPUT -p tcp --dport 70 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
|
516
|
+iptables -A INPUT -p tcp --dport 70 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix GOPH-DROP
|
|
517
|
+
|
|
518
|
+# Limit IMAP connections
|
|
519
|
+iptables -A INPUT -p tcp --dport 143 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
|
520
|
+iptables -A INPUT -p tcp --dport 143 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix IMAP-DROP
|
|
521
|
+
|
|
522
|
+# Limit SIP connections
|
|
523
|
+iptables -A INPUT -p tcp --dport 5060:5061 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
|
524
|
+iptables -A INPUT -p tcp --dport 5060:5061 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix SIP-DROP
|
|
525
|
+
|
|
526
|
+# Limit SMTP/SMTPS connections
|
|
527
|
+iptables -A INPUT -p tcp --dport 25 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
|
|
528
|
+iptables -A INPUT -p tcp --dport 25 -m limit --limit 3/minute --limit-burst 1 -j LOG --log-prefix SMTP-DROP
|
|
529
|
+iptables -A INPUT -p tcp --dport 465 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
|
|
530
|
+iptables -A INPUT -p tcp --dport 465 -m limit --limit 3/minute --limit-burst 1 -j LOG --log-prefix SMTPS-DROP
|
|
531
|
+
|
|
532
|
+# Limit Bitmessage connections
|
|
533
|
+iptables -A INPUT -p tcp --dport 8444 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
|
534
|
+iptables -A INPUT -p tcp --dport 8444 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix BM-DROP
|
|
535
|
+
|
460
|
536
|
# Limit the number of incoming tcp connections
|
461
|
537
|
# Interface 0 incoming syn-flood protection
|
462
|
538
|
iptables -N syn_flood
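Review bot: The per-service rate-limit rules added at lines 497–534 do not actually limit anything: the INPUT policy is set to ACCEPT at line 478 and each pair ends with a LOG rule (prefixes such as `SSH-DROP`) but no terminating DROP, so a packet that exhausts both limit counters is logged and then, unless some rule outside this hunk drops it, accepted by the policy. The existing ping block at lines 544–546 shows the intended ACCEPT/LOG/DROP shape. Note that these rules match every TCP packet to the port, not just connection attempts, so simply appending a DROP would throttle established SSH sessions; restrict the limit to new connections, e.g. `iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 3/minute --limit-burst 1 -j ACCEPT`, the matching LOG rule with `--syn`, then `iptables -A INPUT -p tcp --dport 22 --syn -j DROP`, and apply the same pattern to the other ports. The comment at line 500 says 20 per minute while the rules at lines 501–504 use `10/minute`.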
|
|
@@ -464,11 +540,17 @@ iptables -A INPUT -p tcp --syn -j syn_flood
|
464
|
540
|
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
|
465
|
541
|
iptables -A syn_flood -j DROP
|
466
|
542
|
|
467
|
|
-#Limiting the incoming icmp ping request:
|
|
543
|
+# Limiting the incoming icmp ping request:
|
468
|
544
|
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
|
469
|
545
|
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
|
470
|
546
|
iptables -A INPUT -p icmp -j DROP
|
471
|
547
|
iptables -A OUTPUT -p icmp -j ACCEPT
|
|
548
|
+
|
|
549
|
+# Save the settings
|
|
550
|
+iptables-save > /etc/firewall.conf
|
|
551
|
+echo '#!/bin/sh' > /etc/network/if-up.d/iptables
|
|
552
|
+echo 'iptables-restore < /etc/firewall.conf' >> /etc/network/if-up.d/iptables
|
|
553
|
+chmod +x /etc/network/if-up.d/iptables
|
472
|
554
|
#+END_SRC
|
473
|
555
|
|
474
|
556
|
Save and exit
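Review bot: The save block at lines 549–553 persists only the iptables rules; the writes to `/proc/sys/net/ipv4/tcp_syncookies` and the other sysctl paths at lines 469–474 of the previous hunk are not captured by `iptables-save`, so once `/tmp/firewall.sh` is deleted they are lost on reboot while the rules that assume them come back. Add the equivalent `net.ipv4.*` keys to `/etc/sysctl.conf` (or a file under `/etc/sysctl.d/`) alongside the iptables save, and say in the surrounding text that the restore hook only covers the rules.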
|
|
@@ -476,10 +558,6 @@ Save and exit
|
476
|
558
|
#+BEGIN_SRC: bash
|
477
|
559
|
chmod +x /tmp/firewall.sh
|
478
|
560
|
. /tmp/firewall.sh
|
479
|
|
-iptables-save > /etc/firewall.conf
|
480
|
|
-echo '#!/bin/sh' > /etc/network/if-up.d/iptables
|
481
|
|
-echo 'iptables-restore < /etc/firewall.conf' >> /etc/network/if-up.d/iptables
|
482
|
|
-chmod +x /etc/network/if-up.d/iptables
|
483
|
561
|
rm /tmp/firewall.sh
|
484
|
562
|
#+END_SRC
|
485
|
563
|
|
|
@@ -3248,6 +3326,32 @@ make install
|
3248
|
3326
|
pybitmessage
|
3249
|
3327
|
#+END_SRC
|
3250
|
3328
|
|
|
3329
|
+*** Connect to Email
|
|
3330
|
+Surely Bitmessage is supposed to be a
|
|
3331
|
+
|
|
3332
|
+#+BEGIN_SRC: bash
|
|
3333
|
+cd /tmp
|
|
3334
|
+wget http://freedombone.uk.to/notbit.tar.gz
|
|
3335
|
+#+END_SRC
|
|
3336
|
+
|
|
3337
|
+Verify it.
|
|
3338
|
+
|
|
3339
|
+#+BEGIN_SRC: bash
|
|
3340
|
+sha256sum notbit.tar.gz
|
|
3341
|
+972fdc9cbb8034141282337dcd5e557bce57969ff6bd1d607da89bd93cc7bb68
|
|
3342
|
+#+END_SRC
|
|
3343
|
+
|
|
3344
|
+Extract and install it.
|
|
3345
|
+
|
|
3346
|
+#+BEGIN_SRC: bash
|
|
3347
|
+tar -xzvf notbit.tar.gz
|
|
3348
|
+cd notbit
|
|
3349
|
+apt-get install dh-autoreconf
|
|
3350
|
+./autogen.sh --prefix=/home/myusername
|
|
3351
|
+make
|
|
3352
|
+make install
|
|
3353
|
+#+END_SRC
|
|
3354
|
+
|
3251
|
3355
|
** Overcome restrictive environments
|
3252
|
3356
|
|
3253
|
3357
|
#+BEGIN_VERSE
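Review bot: The sentence at line 3330, `Surely Bitmessage is supposed to be a`, ends mid-thought; finish it or drop it. The verification step at lines 3340–3341 only prints the digest and leaves the comparison to the reader; `printf '%s  notbit.tar.gz\n' 972fdc9cbb8034141282337dcd5e557bce57969ff6bd1d607da89bd93cc7bb68 | sha256sum -c` fails loudly on a mismatch, which matters because the archive is fetched over plain HTTP at line 3334. `--prefix=/home/myusername` at line 3350 is a placeholder the reader must substitute; the text should say so.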
|