
Drop access to unused ports

Bob Mottram 11 jaren geleden
bovenliggende
commit
b86389bd99
1 gewijzigde bestanden met toevoegingen van 46 en 5 verwijderingen
  1. 46
    5
      beaglebone.txt

+ 46
- 5
beaglebone.txt

@@ -447,7 +447,7 @@ apt-get install fail2ban
447 447
 -- NBC News article: /War on Anonymous: British Spies Attacked Hackers, Snowden Docs Show/
448 448
 #+END_VERSE
449 449
 
450
-A basic firewall limits the maximum rate at which connections can be made, and this helps to defend against various kinds of DDOS attack.
450
+A basic firewall limits the maximum rate at which connections can be made and closes any unused ports, and this helps to defend against various kinds of DDOS attack.
451 451
 
452 452
 #+BEGIN_SRC: bash
453 453
 apt-get install portsentry
@@ -483,10 +483,10 @@ Enter the following:
483 483
 #+BEGIN_SRC: bash
484 484
 #!/bin/bash
485 485
 
486
-# enable syn cookies
486
+# Enable syn cookies
487 487
 echo 1 > /proc/sys/net/ipv4/tcp_syncookies
488 488
 
489
-# other settings
489
+# Other settings
490 490
 echo 1 > /proc/sys/net/ipv4/tcp_keepalive_probes
491 491
 echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
492 492
 echo 1 > /proc/sys/net/ipv4/tcp_syn_retries
@@ -497,6 +497,44 @@ iptables -P INPUT ACCEPT
497 497
 iptables -F
498 498
 iptables -X
499 499
 
500
+# Drop access to unused ports
501
+iptables -A INPUT -p tcp --destination-port 1 -j DROP
502
+iptables -A INPUT -p tcp --destination-port 7 -j DROP
503
+iptables -A INPUT -p tcp --destination-port 109:111 -j DROP
504
+iptables -A INPUT -p tcp --destination-port 995 -j DROP
505
+iptables -A INPUT -p tcp --destination-port 139 -j DROP
506
+iptables -A INPUT -p tcp --destination-port 6000:6001 -j DROP
507
+iptables -A INPUT -p tcp --destination-port 9 -j DROP
508
+iptables -A INPUT -p tcp --destination-port 79 -j DROP
509
+iptables -A INPUT -p tcp --destination-port 515 -j DROP
510
+iptables -A INPUT -p tcp --destination-port 4001 -j DROP
511
+iptables -A INPUT -p tcp --destination-port 1524 -j DROP
512
+iptables -A INPUT -p tcp --destination-port 1080 -j DROP
513
+iptables -A INPUT -p tcp --destination-port 512:514 -j DROP
514
+iptables -A INPUT -p tcp --destination-port 31337 -j DROP
515
+iptables -A INPUT -p tcp --destination-port 2000:2001 -j DROP
516
+iptables -A INPUT -p tcp --destination-port 12345 -j DROP
517
+iptables -A INPUT -p tcp --destination-port 32771:32774 -j DROP
518
+iptables -A INPUT -p tcp --destination-port 4000 -j DROP
519
+iptables -A INPUT -p udp --destination-port 1 -j DROP
520
+iptables -A INPUT -p udp --destination-port 7 -j DROP
521
+iptables -A INPUT -p udp --destination-port 109:111 -j DROP
522
+iptables -A INPUT -p udp --destination-port 995 -j DROP
523
+iptables -A INPUT -p udp --destination-port 139 -j DROP
524
+iptables -A INPUT -p udp --destination-port 6000:6001 -j DROP
525
+iptables -A INPUT -p udp --destination-port 9 -j DROP
526
+iptables -A INPUT -p udp --destination-port 79 -j DROP
527
+iptables -A INPUT -p udp --destination-port 515 -j DROP
528
+iptables -A INPUT -p udp --destination-port 4001 -j DROP
529
+iptables -A INPUT -p udp --destination-port 1524 -j DROP
530
+iptables -A INPUT -p udp --destination-port 1080 -j DROP
531
+iptables -A INPUT -p udp --destination-port 512:514 -j DROP
532
+iptables -A INPUT -p udp --destination-port 31337 -j DROP
533
+iptables -A INPUT -p udp --destination-port 2000:2001 -j DROP
534
+iptables -A INPUT -p udp --destination-port 12345 -j DROP
535
+iptables -A INPUT -p udp --destination-port 32771:32774 -j DROP
536
+iptables -A INPUT -p udp --destination-port 4000 -j DROP
537
+
500 538
 # Make sure NEW incoming tcp connections are SYN packets
501 539
 iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
502 540
 
@@ -511,11 +549,11 @@ iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
511 549
 # Incoming malformed NULL packets:
512 550
 iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
513 551
 
514
-# drop UDP to used ports
552
+# Drop UDP to used ports
515 553
 iptables -A INPUT -p udp --match multiport --dports 70,80,443,143,6670,993,5060,5061,25 -j DROP
516 554
 iptables -A INPUT -p udp --match multiport --dports 465,22,5222,5223,5269,5280,5281,8444 -j DROP
517 555
 
518
-# limit ssh logins
556
+# Limit ssh logins
519 557
 iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
520 558
 
521 559
 # Limit web connections
@@ -525,6 +563,9 @@ iptables -A INPUT -p tcp --dport 443 -m limit --limit 10/minute --limit-burst 1
525 563
 # Limit number of XMPP connections
526 564
 iptables -A INPUT -p tcp --match multiport --dports 5222:5223,5269,5280:5281 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
527 565
 
566
+# Limit NNTP connections
567
+iptables -A INPUT -p tcp --dport 119 -m limit --limit 5/minute --limit-burst 1 -j ACCEPT
568
+
528 569
 # Limit IRC connections
529 570
 iptables -A INPUT -p tcp --dport 6666:6670 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
530 571
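Review bot: The run of `--destination-port … -j DROP` rules added after `iptables -X` is a denylist appended to a chain whose policy is `iptables -P INPUT ACCEPT` (visible in the hunk header), so every port not on the list stays reachable and the protection is only as complete as the list. A default-deny layout replaces the thirty-six rules with three and covers ports nobody thought to enumerate: `iptables -P INPUT DROP`, `iptables -A INPUT -i lo -j ACCEPT`, `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`, followed by the existing per-service ACCEPT rules. The same policy problem affects the new NNTP rule in the last hunk (`--dport 119 -m limit … -j ACCEPT`): a packet that exceeds the limit simply fails to match, falls through to the chain policy and is accepted, so this rule and the existing limit rules only throttle once the policy is DROP or an explicit `-j DROP` for those ports follows them. The `#+BEGIN_SRC: bash` script these rules belong to starts before the third hunk and continues past the last one.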