Drop access to unused ports

beaglebone.txt

 -- NBC News article: /War on Anonymous: British Spies Attacked Hackers, Snowden Docs Show/
 #+END_VERSE
 
-A basic firewall limits the maximum rate at which connections can be made, and this helps to defend against various kinds of DDOS attack.
+A basic firewall limits the maximum rate at which connections can be made and closes any unused ports, and this helps to defend against various kinds of DDOS attack.
 
 #+BEGIN_SRC: bash
 apt-get install portsentry
 #+BEGIN_SRC: bash
 #!/bin/bash
 
-# enable syn cookies
+# Enable syn cookies
 echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 
-# other settings
+# Other settings
 echo 1 > /proc/sys/net/ipv4/tcp_keepalive_probes
 echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
 echo 1 > /proc/sys/net/ipv4/tcp_syn_retries
 iptables -F
 iptables -X
 
+# Drop access to unused ports
+iptables -A INPUT -p tcp --destination-port 1 -j DROP
+iptables -A INPUT -p tcp --destination-port 7 -j DROP
+iptables -A INPUT -p tcp --destination-port 109:111 -j DROP
+iptables -A INPUT -p tcp --destination-port 995 -j DROP
+iptables -A INPUT -p tcp --destination-port 139 -j DROP
+iptables -A INPUT -p tcp --destination-port 6000:6001 -j DROP
+iptables -A INPUT -p tcp --destination-port 9 -j DROP
+iptables -A INPUT -p tcp --destination-port 79 -j DROP
+iptables -A INPUT -p tcp --destination-port 515 -j DROP
+iptables -A INPUT -p tcp --destination-port 4001 -j DROP
+iptables -A INPUT -p tcp --destination-port 1524 -j DROP
+iptables -A INPUT -p tcp --destination-port 1080 -j DROP
+iptables -A INPUT -p tcp --destination-port 512:514 -j DROP
+iptables -A INPUT -p tcp --destination-port 31337 -j DROP
+iptables -A INPUT -p tcp --destination-port 2000:2001 -j DROP
+iptables -A INPUT -p tcp --destination-port 12345 -j DROP
+iptables -A INPUT -p tcp --destination-port 32771:32774 -j DROP
+iptables -A INPUT -p tcp --destination-port 4000 -j DROP
+iptables -A INPUT -p udp --destination-port 1 -j DROP
+iptables -A INPUT -p udp --destination-port 7 -j DROP
+iptables -A INPUT -p udp --destination-port 109:111 -j DROP
+iptables -A INPUT -p udp --destination-port 995 -j DROP
+iptables -A INPUT -p udp --destination-port 139 -j DROP
+iptables -A INPUT -p udp --destination-port 6000:6001 -j DROP
+iptables -A INPUT -p udp --destination-port 9 -j DROP
+iptables -A INPUT -p udp --destination-port 79 -j DROP
+iptables -A INPUT -p udp --destination-port 515 -j DROP
+iptables -A INPUT -p udp --destination-port 4001 -j DROP
+iptables -A INPUT -p udp --destination-port 1524 -j DROP
+iptables -A INPUT -p udp --destination-port 1080 -j DROP
+iptables -A INPUT -p udp --destination-port 512:514 -j DROP
+iptables -A INPUT -p udp --destination-port 31337 -j DROP
+iptables -A INPUT -p udp --destination-port 2000:2001 -j DROP
+iptables -A INPUT -p udp --destination-port 12345 -j DROP
+iptables -A INPUT -p udp --destination-port 32771:32774 -j DROP
+iptables -A INPUT -p udp --destination-port 4000 -j DROP
+
 # Make sure NEW incoming tcp connections are SYN packets
 iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 
 # Incoming malformed NULL packets:
 iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
 
-# drop UDP to used ports
+# Drop UDP to used ports
 iptables -A INPUT -p udp --match multiport --dports 70,80,443,143,6670,993,5060,5061,25 -j DROP
 iptables -A INPUT -p udp --match multiport --dports 465,22,5222,5223,5269,5280,5281,8444 -j DROP
 
-# limit ssh logins
+# Limit ssh logins
 iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
 
 # Limit web connections
 # Limit number of XMPP connections
 iptables -A INPUT -p tcp --match multiport --dports 5222:5223,5269,5280:5281 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
 
+# Limit NNTP connections
+iptables -A INPUT -p tcp --dport 119 -m limit --limit 5/minute --limit-burst 1 -j ACCEPT
+
 # Limit IRC connections
 iptables -A INPUT -p tcp --dport 6666:6670 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT