Forum OpenACS Q&A: basic firewall features on RH 8.0
I never had to bother with a firewall, so I am quite a newbie. What would basic precautions to secure my server look like, and how would I have to proceed?
Linux 2.4 stateful firewall design
Here I learnt how to do port forwarding (NAT) to services within my LAN:
Linux 2.4 NAT HOWTO
Red Hat Linux 6.X as an Internet Gateway for a Home Network
was also helpful, though I used iptables instead of ipchains.
As a basic rule, only open what you need, which is likely http (port 80) and ssh (port 22). You may want to block (DENY or REJECT; I prefer DENY) all ports from 0-1023 (0-64k is even better, but I find it overkill) on all outside interfaces (e.g. eth0, eth1, etc.). Then, using netstat -nap, see if any ports above 1023 are running and close them down. Also, since this is your first time, try doing it on your home machine: connect to your remote machine and secure your home machine remotely; that will likely simulate what you need to do on your remote machine. You can use nmap to scan ports for you.
Just remember the basic rule: only offer to the world what you really need to offer. Anything else should be kept shut, or better yet, shut down the service; don't just hide it.
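As an added example (my own script, not from the post above), here is a small shell helper for the netstat step: it reads netstat -nap output and reports every listening socket that is reachable from the network and not on an allowlist. It checks ports below 1024 as well as above, so it goes a little beyond the "above 1023" check in the post. Loopback-only listeners are skipped because they cannot be reached from outside. The netstat lines, PIDs and program names in the sample are constructed.

```shell
#!/bin/sh
# Added example for this thread (not from the post above): read "netstat -nap"
# output and report listening sockets that are reachable from the network and
# not on an allowlist.  Loopback-only listeners are skipped.
# Usage:  netstat -nap | unexpected_listeners 22 80
unexpected_listeners() {
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        ($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)          # strip ":port" -> bound address
            sub(/.*:/, "", port)              # keep only the port number
            if (addr == "127.0.0.1") next     # bound to loopback only, not exposed
            prog = ($1 == "udp") ? $6 : $7    # udp rows have no State column
            if (!(port in ok)) print $1, port, prog
        }'
}

# Constructed sample of "netstat -nap" output (PIDs and program names invented).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      812/perl
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      701/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      845/sendmail
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      902/nsd
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      930/nsd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      611/X
tcp        0    180 192.168.1.10:22         192.168.1.20:4312       ESTABLISHED 960/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           455/portmap
EOF
}

# Demo: only ssh and http are meant to be offered; everything else is reported.
sample_netstat | unexpected_listeners 22 80
```

Each reported line names the process, which is the thing to shut down (or bind to 127.0.0.1) rather than merely hide behind a rule.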
The config file for the firewall is /etc/sysconfig/iptables, and the program that creates the file is /usr/sbin/lokkit.
Use the service scripts to start, stop or reload the firewall: "service iptables start".
Basically, make a firewall with a "high" security level in lokkit and only open the ports you need: http, ssh, maybe smtp or ftp if you're using those. The networking scripts should automatically punch a hole in the firewall for named (DNS) services without you having to do anything.
The man pages, the lokkit docs in /usr/share/doc, or the Red Hat site have more info on iptables firewalls.
I just set up my firewall via lokkit, but although I didn't specify port 8000 to be open, I can still access it via http://www.myserver.com:8000 ... (I opened port 10000 for webmin)
This is my iptables file:
# table header and trailing COMMIT are required by iptables-restore
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
# every incoming and forwarded packet is handed to the lokkit chain
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
# explicitly opened ports (new TCP connections only): webmin, ssh, smtp, http
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 10000 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
# accepts EVERY packet arriving on eth0 (lokkit writes this for a device
# marked as trusted); rules are evaluated in order, so if eth0 is the
# outside interface this is why port 8000 is reachable without being opened
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
# replies from the configured nameservers (punched through by ifup-post)
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 220.127.116.11 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 18.104.22.168 --sport 53 -d 0/0 -j ACCEPT
# default deny for everything not matched above
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
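An added example (my own script, not part of lokkit or Red Hat) that audits a ruleset in iptables-save format and shows why a port that was never opened can still be reachable: it lists the ports that explicit rules accept, and then flags any ACCEPT rule that matches only on an input interface other than lo. Because rules are evaluated in order, such a rule accepts every packet on that interface before the port rules and the final REJECTs are consulted. The sample ruleset inside the script is a copy of the rules posted above.

```shell
#!/bin/sh
# Added example for this thread (not lokkit's or Red Hat's code): audit a
# ruleset in iptables-save format read from stdin.
# Usage:  iptables-save | audit_ruleset
#         audit_ruleset < /etc/sysconfig/iptables

# Print "proto port" for every rule that ACCEPTs a destination port.
open_ports() {
    awk '/-j ACCEPT/ && /--dport/ {
            proto = "?"; port = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") port  = $(i + 1)
            }
            print proto, port
        }'
}

# Print the interface of every ACCEPT rule that matches only on an input
# interface other than lo.  Such a rule accepts all traffic on that interface
# before the port rules and the final REJECTs are reached, so the port list
# above says nothing about what is reachable through it.
blanket_accepts() {
    awk '/-j ACCEPT/ && /-i / && !/--dport/ && !/--sport/ {
            for (i = 1; i <= NF; i++)
                if ($i == "-i" && $(i + 1) != "lo") print $(i + 1)
        }'
}

# Summary; exit status 1 when an interface-wide ACCEPT is present.
audit_ruleset() {
    rules=$(cat)
    echo "ports opened by explicit rules:"
    printf '%s\n' "$rules" | open_ports | sed 's/^/  /'
    bad=$(printf '%s\n' "$rules" | blanket_accepts)
    if [ -n "$bad" ]; then
        echo "WARNING: interface-wide ACCEPT on: $bad (everything on it is let in)"
        return 1
    fi
    echo "no interface-wide ACCEPT rules"
}

# Constructed sample: a copy of the rules posted above, so the script runs offline.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 10000 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 220.127.116.11 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 18.104.22.168 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
EOF
}

# Demo on the sample (a real run pipes iptables-save in instead).
sample_ruleset | audit_ruleset || :
```

On the sample the audit lists tcp 10000, 22, 25 and 80 and then warns about eth0: removing that one line (and re-running lokkit without marking eth0 as trusted) is what makes the port list the whole story.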
Here is a basic doc on the RH firewall:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 22.214.171.124 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
So how do I modify this to allow communication on ports 8000 and 8443? If there is any other information you need, please let me know. Thank you.
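One way to do that, as an added example (my own script, not lokkit's): insert an ACCEPT rule per port just ahead of the chain's final REJECT rules, so the default-deny tail stays in place, and skip ports the file already accepts. It assumes the lokkit 0.50 file layout shown above (chain named RH-Lokkit-...-INPUT, REJECTs at the end of that chain). The sample file inside the script is a copy of the one posted. Note that the posted file also accepts port 23 (telnet, cleartext logins); ssh on 22 is the usual replacement.

```shell
#!/bin/sh
# Added example for this thread (not lokkit's code): open extra TCP ports in a
# lokkit-written /etc/sysconfig/iptables by inserting ACCEPT rules ahead of the
# chain's final REJECT rules.  Ports already accepted are not added twice.
# Usage:  open_tcp_ports /etc/sysconfig/iptables 8000 8443 > /tmp/new.rules
#         iptables-restore < /tmp/new.rules && cp /tmp/new.rules /etc/sysconfig/iptables
open_tcp_ports() {
    file=$1; shift
    awk -v ports="$*" '
        FNR == NR {                           # pass 1: remember ports already accepted
            if (/-j ACCEPT/ && /--dport/)
                for (i = 1; i <= NF; i++)
                    if ($i == "--dport") have[$(i + 1)] = 1
            next
        }
        /^:RH-Lokkit-.*-INPUT / {             # pass 2: pick up the lokkit chain name
            chain = substr($1, 2)
        }
        !done && chain != "" && index($0, "-A " chain " ") == 1 && /-j REJECT/ {
            n = split(ports, p, " ")          # first REJECT in the chain: insert here
            for (i = 1; i <= n; i++)
                if (!(p[i] in have))
                    printf "-A %s -p tcp -m tcp --dport %s --syn -j ACCEPT\n", chain, p[i]
            done = 1
        }
        { print }
    ' "$file" "$file"
}

# Constructed sample: a copy of the lokkit file posted above.
lokkit_sample() {
    cat <<'EOF'
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 22.214.171.124 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
EOF
}

# Demo: add 8000 and 8443; 25 is requested too but already open, so it is skipped.
tmp=$(mktemp)
lokkit_sample > "$tmp"
open_tcp_ports "$tmp" 8000 8443 25
rm -f "$tmp"
```

Load the result with iptables-restore rather than "service iptables restart": it replaces the table in one step, so there is no moment with no rules loaded. Keep in mind that lokkit rewrites the file from scratch the next time it is run, so these lines need re-adding (or re-entering in lokkit's port list) after that.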
It used to be unable to read the current rules (even if it wrote them) and understand what your firewall is trying to do, so all new configs started from scratch and wasted your previous configuration. Has that been fixed, or is it still the typical pos?
Use lokkit to start, then turn to emacs.
Also, there is a terrific book, Real World Linux Security by Toxen, that comes with enormous amounts of firewall rulesets. For instance, you really don't want to stop iptables and restart it to load new rules, and Toxen shows you how to eliminate the microseconds of vulnerability. Great for the paranoid but difficult for the arm-chair sysadmin. It also comes with scripts (for non-commercial use) that make logwatch useful by stripping out all the daily crapola.
Do buy a copy of SSH, The Secure Shell by Barrett & Silverman. There are some wonderful features in SSH that can make it much easier for you to present to the world a tightly locked down box, while presenting to you and only to you, the vast wasteland.
And do remember, a firewall is not enough, because one day you will forget to re-enable it, or it will not load. (This actually has been the subject of a Red Hat erratum this week: a bug in their newest kernel kept iptables from loading on certain machines.) So turn off all unnecessary services. Consider removing gcc and even emacs.
If your server is offsite, then consider failsafing it. Install cron jobs to ensure the firewall is up and that you have connectivity, and if you do not, to take various failsafe actions: reboot, replace /etc with a failsafe version from a tar file, etc.
Look into chkrootkit and build a CD of executables for chkrootkit to run from. Keep that CD in place and schedule chkrootkit to run nightly. Consider booting from a write-protected floppy (something that can help RAIDed system disks too) or booting from CD. Note, unfortunately, that if you do boot from write-protected removable media, you will be running on old kernels until you can change out the media. Some folks think that's prudent anyway.
Look into Bastille. It's useful as a teaching tool, but I didn't like it for the somewhat non-standard (presumably better) tools it used.
Back up your system. I have a website that does nothing more than serve up a MIME-encoded, encrypted tar backup of my website and pg db along with a few choice keywords. This little-known trick lets me obtain recent backups out of the Google cache or the Internet Wayback Machine.
Lastly, if you have a wifi ethernet card, place tin-foil around it. Mars is very close right now, and experts have predicted that populations of martian hybrid babies will skyrocket.
And I probably don't have to mention that the OpenBSD folks take security very, very seriously.
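As an added example for the two points above (loading new rules without a stop/start gap, and a cron job that makes sure the firewall is really up), here is a watchdog script of my own; it is not Toxen's script and not from this thread. It checks the live ruleset with iptables-save and, if the lokkit chain is missing or has lost its REJECT tail, reloads the saved file with iptables-restore, which replaces the whole table in one step. It assumes the rules live in /etc/sysconfig/iptables and the chain is named RH-Lokkit-0-50-INPUT, as in the files posted in this thread; the cron line and the minimal ruleset used for the offline demo are constructed.

```shell
#!/bin/sh
# Added example for this thread (my own, not from Toxen's book): a cron-driven
# watchdog that verifies the lokkit ruleset is loaded and reloads it
# atomically with iptables-restore when it is not.
# Assumptions: saved rules in /etc/sysconfig/iptables, chain RH-Lokkit-0-50-INPUT.
RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables}
CHAIN=${CHAIN:-RH-Lokkit-0-50-INPUT}

# Exit 0 when the ruleset on stdin (iptables-save format) is intact: the
# lokkit chain is defined, INPUT jumps into it, and it still ends with the
# tcp and udp REJECT rules (the default-deny tail a partial load would lose).
ruleset_intact() {
    awk -v chain="$CHAIN" '
        $1 == (":" chain)                                { defined = 1 }
        $0 == ("-A INPUT -j " chain)                     { jumped = 1 }
        index($0, "-A " chain " ") == 1 && /-j REJECT/   { rejects++ }
        END { exit !(defined && jumped && rejects >= 2) }
    '
}

# Replace the live ruleset from the saved file in one step (no stop/start gap).
reload_firewall() {
    iptables-restore < "$RULES_FILE"
}

# Last resort when the reload did not take.  The post above suggests a reboot
# or restoring /etc from a known-good tar; this version only logs, leaving
# that choice to the admin.
failsafe_action() {
    logger -t fwwatch "firewall still not intact after reload; failsafe needed"
    return 1
}

# Constructed cron entry:  */10 * * * * /usr/local/sbin/fwwatch.sh
firewall_watchdog() {
    if iptables-save | ruleset_intact; then
        return 0
    fi
    logger -t fwwatch "firewall rules missing or truncated, reloading $RULES_FILE"
    reload_firewall
    iptables-save | ruleset_intact || failsafe_action
}

# Constructed minimal ruleset used to exercise ruleset_intact offline.
sample_good() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
EOF
}

# Demo: the sample passes; the same sample without its REJECT tail fails.
sample_good | ruleset_intact && echo "sample: intact"
sample_good | grep -v REJECT | ruleset_intact || echo "sample without REJECTs: not intact"
```

Run as root from cron; the check itself is read-only and safe to run often, and the reload path only touches the live rules when the check fails.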
iptables tutorial: http://iptables-tutorial.frozentux.net/iptables-tutorial.html
Complete OpenBSD PF documentation: http://www.openbsd.org/faq/pf/index.html
I currently admin 5 OpenBSD-based firewalls, and it would take serious kicks from external forces to drive me back to using Linux for this particular application. My main personal DMZ splitter has 33 non-empty lines in its pf.conf file, of which 11 are macro definitions for addresses, networks and interfaces, yet it is configured for default deny, redirects, 2x NAT, antispoofing, packet priority queueing and renormalisation, stateful/modulating firewalling, etc.