Bob Mottram 11 years ago
parent
commit
ba001abf5e
1 changed files with 119 additions and 0 deletions
beaglebone.txt: +119 -0

@@ -397,6 +397,49 @@ apt-get install ntp
397 397
 apt-get install fail2ban
398 398
 #+END_SRC
399 399
 
400
+** Set up a firewall
401
+
402
+#+BEGIN_VERSE
403
+/The documents, from a PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, show that the unit known as the Joint Threat Research Intelligence Group, or JTRIG, boasted of using the DDOS attack – which it dubbed Rolling Thunder/
404
+
405
+-- NBC News article: /War on Anonymous: British Spies Attacked Hackers, Snowden Docs Show/
406
+#+END_VERSE
407
+
408
+A basic firewall limits the maximum rate at which connections can be made, and this helps to defend against various kinds of DDOS attack.
409
+
410
+#+BEGIN_SRC: bash
411
+emacs /tmp/firewall.sh
412
+#+END_SRC
413
+
414
+Enter the following:
415
+
416
+#+BEGIN_SRC: bash
417
+#!/bin/bash
418
+# Limit the number of incoming tcp connections
419
+# Interface 0 incoming syn-flood protection
420
+iptables -N syn_flood
421
+iptables -A INPUT -p tcp --syn -j syn_flood
422
+iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
423
+iptables -A syn_flood -j DROP
424
+#Limiting the incoming icmp ping request:
425
+iptables -A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT
426
+iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
427
+iptables -A INPUT -p icmp -j DROP
428
+iptables -A OUTPUT -p icmp -j ACCEPT
429
+#+END_SRC
430
+
431
+Save and exit
432
+
433
+#+BEGIN_SRC: bash
434
+chmod +x /tmp/firewall.sh
435
+. /tmp/firewall.sh
436
+iptables-save > /etc/firewall.conf
437
+echo "#!/bin/sh" > /etc/network/if-up.d/iptables
438
+echo "iptables-restore < /etc/firewall.conf" >> /etc/network/if-up.d/iptables
439
+chmod +x /etc/network/if-up.d/iptables
440
+rm /tmp/firewall.sh
441
+#+END_SRC
442
+
400 443
 ** Getting onto the web
401 444
 Create a subdomain on [[http://freedns.afraid.org][freeDNS]].  You may need to click on "/subdomains/" a couple of times.  FreeDNS is preferred because it is one of the few domain name providers which supports genuinely free (as in beer) accounts.  So if your budget is tiny or non-existent you can still participate as a first class citizen of the internet.  If you do have money to spend there is also a premium option.
402 445
 
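Review bot: the firewall script is not idempotent, yet the instructions run it with `. /tmp/firewall.sh`, so a second run (for example after editing the rules) fails at `iptables -N syn_flood` with "Chain already exists" and appends a duplicate copy of every `-A` rule; start the script with `iptables -F INPUT`, `iptables -F syn_flood` and `iptables -X syn_flood` (or test for the chain before creating it), and execute it with `bash /tmp/firewall.sh` rather than sourcing it, which also gives the `chmod +x` and `#!/bin/bash` lines a purpose. Two behavioural points the surrounding prose should state: the `--syn` limit of `1/s --limit-burst 3` applies to every interface and every TCP port (the comment says "Interface 0" but no `-i` is given), so any service that legitimately receives more than a few new connections per second will have clients time out; and no default policy is set, so INPUT stays at ACCEPT and nothing other than SYN and ICMP rate limiting is actually restricted. Minor: the standard org-mode form is `#+BEGIN_SRC bash` without the colon, which matters if the file is ever exported or tangled.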
@@ -3551,3 +3594,79 @@ Under security tab, set "Enable ZRTP/SRTP encryption"
3551 3594
 TODO
3552 3595
 
3553 3596
 CSipSimple?
3597
+** Install Medagoblin
3598
+
3599
+#+BEGIN_SRC: bash
3600
+apt-get install git-core python python-dev python-lxml python-imaging python-virtualenv apache2-suexec libapache2-mod-fcgid
3601
+#+END_SRC
3602
+
3603
+#+BEGIN_SRC: bash
3604
+adduser --system mediagoblin
3605
+addgroup mediagoblin
3606
+adduser mediagoblin mediagoblin
3607
+export HOSTNAME=mydomainname.com
3608
+cd /var/www/$HOSTNAME/htdocs
3609
+git clone git://gitorious.org/mediagoblin/mediagoblin.git mediagoblin
3610
+chown -hR mediagoblin:mediagoblin /var/www/$HOSTNAME/htdocs/mediagoblin
3611
+cd /var/www/$HOSTNAME/htdocs/mediagoblin
3612
+git submodule init && git submodule update
3613
+cp mediagoblin.ini mediagoblin_local.ini
3614
+emacs mediagoblin.ini
3615
+#+END_SRC
3616
+
3617
+Set email_sender_address to the address you wish to be used as the sender for system-generated emails
3618
+
3619
+Edit direct_remote_path, base_dir, and base_url if your mediagoblin directory is not the root directory of your vhost.
3620
+
3621
+Save and exit.
3622
+
3623
+#+BEGIN_SRC: bash
3624
+a2enmod suexec
3625
+a2enmod fcgid
3626
+emacs /etc/apache2/sites-available/$HOSTNAME
3627
+#+END_SRC
3628
+
3629
+Add the following to the 80 virtual host, replacing mydomainname.com with your domain name.
3630
+
3631
+#+BEGIN_SRC: bash
3632
+  <Directory /var/www/mydomainname.com/htdocs/mediagoblin>
3633
+    deny from all
3634
+  </Directory>
3635
+#+END_SRC
3636
+
3637
+Add the following to the 443 virtual host.
3638
+
3639
+#+BEGIN_SRC: bash
3640
+  # Serve static and media files via alias
3641
+  Alias /mgoblin_static/ /var/www/mydomainname.com/htdocs/mediagoblin/mediagoblin/static/
3642
+  Alias /mgoblin_media/ /var/www/mydomainname.com/htdocs/mediagoblin/user_dev/media/public/
3643
+
3644
+  # Rewrite all URLs to fcgi, except for static and media urls
3645
+  RewriteEngine On
3646
+  RewriteRule ^(mgoblin_static|mgoblin_media)($|/) - [L]
3647
+  RewriteCond %{REQUEST_FILENAME} !-f
3648
+  RewriteRule ^/(.*)$ /mg.fcgi/$1 [QSA,L]
3649
+
3650
+  # Allow access to static and media directories
3651
+  <Directory /var/www/mydomainname.com/htdocs/mediagoblin/mediagoblin/static>
3652
+    Order allow,deny
3653
+    Allow from all
3654
+  </Directory>
3655
+  <Directory /var/www/mydomainname.com/htdocs/mediagoblin/mediagoblin/user_dev/media/public>
3656
+    Order allow,deny
3657
+    Allow from all
3658
+  </Directory>
3659
+
3660
+  # Connect to fcgi server
3661
+  FastCGIExternalServer /var/www/mg.fcgi -host 127.0.0.1:26543
3662
+#+END_SRC
3663
+
3664
+Save and exit
3665
+
3666
+#+BEGIN_SRC: bash
3667
+cd /var/www/$HOSTNAME/htdocs/mediagoblin
3668
+./lazyserver.sh --server-name=fcgi fcgi_host=127.0.0.1 fcgi_port=26543
3669
+#+END_SRC
3670
+
3671
+https://github.com/joar/mediagoblin-init-scripts
3672
+
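Review bot: the 443 vhost fragment uses `FastCGIExternalServer`, which is a mod_fastcgi directive, but the hunk installs `libapache2-mod-fcgid` and runs `a2enmod fcgid`; mod_fcgid does not provide that directive, so Apache will refuse to start with an invalid-command error until libapache2-mod-fastcgi is installed and enabled instead (or the proxying is rewritten for the module that is actually installed). Three more problems in the same hunk: `cp mediagoblin.ini mediagoblin_local.ini` is followed by `emacs mediagoblin.ini`, so the edits land in the tracked template rather than the local override the copy was made for; the media `<Directory .../mediagoblin/mediagoblin/user_dev/media/public>` path has an extra `mediagoblin/` segment and does not match the `Alias /mgoblin_media/` target `.../mediagoblin/user_dev/media/public/`, so the allow rule never applies to the directory that is served; and although python-virtualenv is installed, nothing creates the virtualenv or installs MediaGoblin's Python dependencies before `./lazyserver.sh` is run, and that server is started as root in the foreground rather than as the `mediagoblin` user created a few lines earlier. Smaller points: `Order allow,deny` / `Allow from all` is Apache 2.2 access-control syntax; the clone uses the unauthenticated `git://` transport where an https URL would give transport integrity; the heading reads "Medagoblin"; and the trailing init-scripts URL needs a sentence saying what to do with it.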