From: Katherine Villyard <[EMAIL PROTECTED]>
Date: Fri, 26 Jan 2001 14:17:20 -0500
John Petraitis wrote:
>I truly appreciate the level of expertise shown by the people involved in
>these emails, but there are many levels of users out there. Without some
>nuts-n-bolts, how-to information, all I'm getting is another email I have to
>delete. (...like this one :)
[disclaimer: I'm not really an expert either.]
Well, first of all, I'd do what Matt Southall suggested. :)
Secondly, any services like telnet or ftp (I'd use ssh instead, but
if for whatever reason you can't or won't) should be wrapped if
possible (with the TCP Wrappers packages) to restrict them by IP.
Example /etc/hosts.allow file:
in.telnetd: 192.168.1.1
in.ftpd: 192.168.1.1
(where 192.168.1.1 is your workstation on your corporate LAN or
whatever. Add as many lines as you want)
Example /etc/hosts.deny file:
in.telnetd: ALL
in.ftpd: ALL
Then when skript kiddie tries to log into your server from an @home
cable modem, access is denied. (This isn't 100% foolproof, but it
helps.) But if you're giving developers with dialup access
(randomly-assigned IPs) ftp, you can't do this. :(
Thirdly, I'd use apache to restrict access to your cfide directory by
IP if possible.
Sample .htaccess file:
# Deny directives are evaluated first, then Allow, so only the listed address gets in
Order deny,allow
Deny from all
Allow from 192.168.1.1
[See note above about developers who use dialup.]
I'm not sure I can give you a generic ipchains script; mine is pretty
specialized, and while ipchains is great, ipchains kind of requires
you to know what ports your applications are using (you can find out
by typing "netstat" at the command line and reading the /etc/services
file). I like _Linux Firewalls_ by Robert L. Ziegler.
Just a start, you'd need to make sure this didn't break anything:
:input DENY
:forward DENY
:output ACCEPT
# establish your chains
-A input -s 192.168.5.4/255.255.255.255 -d 0.0.0.0/0.0.0.0 -j DENY -l
# where 192.168.5.4 is the IP number of someone naughty
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 20:21 -p 6 -j ACCEPT
# ftp and ftp-data; should prevent the "blind ftp" problem
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 23:23 -p 6 -j ACCEPT
# telnet, for ssh use 22
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -p 6 -j ACCEPT
# http
-A input -s 192.168.1.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:139 -p 6 -j ACCEPT
-A input -s 192.168.1.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:139 -p 17 -j ACCEPT
-A output -s ! 192.168.1.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:139 -p 6 -j DENY
-A output -s ! 192.168.1.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:139 -p 17 -j DENY
# you're running Samba (not a great idea, it's a common exploit hole)
# and only want your desktop on your corporate LAN to get there.
# (the ipchains target that lets a packet through is ACCEPT, not ALLOW;
# this is the ipchains-save format that ipchains-restore reads back)
! means not ("! 192.168.1.1" means "not me")
-A means append
-I means insert (the order in which the rules are applied is important)
-s means source, or where the packet comes from
-d means destination, or where the packet is going
-p 6 means protocol 6, or tcp/ip
-p 17 is udp, used by some protocols like SMB/samba.
Now that you feel hopeless information overload, I'd like to
recommend one more thing: Psionic software (http://www.psionic.com/)
offers free security tools, including portsentry and logcheck.
(Portsentry watches for portscans and drops the IP of the scanner
into ipchains in real-time, while logcheck sends you happy little
reports of same and other possible violations.) I recommend you get
both of these.
I'd also apply these changes in stages and then test for broken stuff
before moving on to the next stage. If you install portsentry and
have all or most of your ports open with ipchains you will get lots
and lots and lots of activity (back when I was starting out with
linux masquerade to share an IP connection I got a very large
firewall of naughty people before I closed off a lot of my ports).
Hope that helps,
Katherine
http://www.geekiness.com/
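The hosts.allow / hosts.deny lookup order the mail relies on, as an added example that is not from the original mail or from the TCP Wrappers package: a small Python model of tcpd's decision. tcpd consults hosts.allow first, then hosts.deny, and a client that matches neither file is granted access, which is why each wrapped daemon above gets an ALL line in hosts.deny. The sample file contents, the daemon names beyond those in the mail, the 203.0.113.5 "cable modem" address and all function names are this example's own assumptions.

```python
"""Model of the TCP Wrappers (tcpd) access decision.  Hypothetical helper code
added for illustration, not from the original mail or the TCP Wrappers
package.  Lookup order follows hosts_access(5): hosts.allow first, then
hosts.deny, and a client matching neither file is granted access."""

import ipaddress

# Constructed sample files in the style of the ones in the mail.
HOSTS_ALLOW = """\
# workstation on the corporate LAN
in.telnetd: 192.168.1.1
in.ftpd: 192.168.1.1
sshd: 192.168.1.0/255.255.255.0
"""

HOSTS_DENY = """\
in.telnetd: ALL
in.ftpd: ALL
"""


def parse_access_file(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) pairs.
    Comments and blank lines are skipped; backslash continuation lines and
    the EXCEPT operator are deliberately not modelled."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",") if d.strip()],
                      [c.strip() for c in clients.split(",") if c.strip()]))
    return rules


def client_matches(pattern, client_ip):
    """Match the client patterns used here: ALL, an exact address,
    'net/mask' in dotted form, or a trailing-dot prefix like '192.168.1.'."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern


def file_matches(rules, daemon, client_ip):
    """True if any rule names this daemon (or ALL) and one of its clients matches."""
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(p, client_ip) for p in clients):
                return True
    return False


def access_decision(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'allow' or 'deny' in the order tcpd uses."""
    if file_matches(parse_access_file(allow_text), daemon, client_ip):
        return "allow"
    if file_matches(parse_access_file(deny_text), daemon, client_ip):
        return "deny"
    return "allow"  # matched neither file: tcpd lets the connection through


if __name__ == "__main__":
    # 203.0.113.5 is a constructed stand-in for the "@home cable modem".
    for daemon, client in [("in.telnetd", "192.168.1.1"),
                           ("in.telnetd", "203.0.113.5"),
                           ("sshd", "203.0.113.5")]:
        print(daemon, client, access_decision(daemon, client))
```

The last case in the usage loop is the caveat worth noticing: sshd is listed in hosts.allow but has no hosts.deny line, so in this model a connection from anywhere is let through. A more conservative hosts.deny starts from "ALL: ALL" so that only what hosts.allow names gets in; the mail's per-daemon ALL lines achieve the same for the two daemons it wraps.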
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/cf-linux%40houseoffusion.com/
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_linux or send a
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.