Hackerlere karsi önlem (iptables): ... # if anybody from the list WATCHLIST, and in the last 20 sec, tries to do new connect attempts then DROP them! /sbin/iptables -A INPUT --match recent --name WATCHLIST --rcheck --seconds 20 -j DROP
# accept client at port tcp:22 and register in WATCHLIST /sbin/iptables -A INPUT -p tcp --dport 22 --match recent --name WATCHLIST --set -j ACCEPT ... Ayni adresten 20 saniye icinde en fazla 1 baglantiya müsade var. 20 saniye icinde tekrar baglanmasi engelleniyor. Bunu denemek icin söyle yapin: ssh -p22 -l isim makina Password: isteyince CTRL-C yapin ve hemen tekrar baglanmayi deneyin. --> Tekrar baglanmak mümkün degil! :-) Tabii bu test 2 terminal penceresinden de denenebilir: birinde normal login, ikincisinde login yapmak mümkün degildir. Login 20 saniye sonra mümkün olur. Bu isin calismasi icin Linux kernel >= 2.6.14'e gerek var. Ve ipt_recent modulü yüklenmis olmali (modprobe ipt_recent). Kontrol icin: cat /proc/net/ip_tables_matches O listede "recent" yoksa yukarki modprobe komutu ile yüklenmesi gerekir. Makinayi reboot yapinca iptables kurallarinin otomatikmen yüklenmesi icin o kurallar /etc/network/if-pre-up.d/ altinda bir dosyada tutulmali ve chmod +x yapilmis olmali... Tabii ssh icin port 22 yerine baska bir port kullanilirsa daha saglam olur. Bunun icin /etc/ssh/sshd_config dosyasina bakin... iptables'de de ayni port ayari yapilmali tabii... :-) ##################################################### ### MY_firewall.sh /sbin/iptables -F /sbin/iptables -X /sbin/iptables -Z /sbin/iptables -P INPUT DROP /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset /sbin/iptables -A INPUT -m state --state INVALID -j DROP /sbin/iptables -P OUTPUT DROP /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP /sbin/iptables -P FORWARD DROP /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset /sbin/iptables -A FORWARD -m state --state INVALID -j DROP # lo_mode= # "1" : set lo rules at top (--> then other rules are not applied to lo) # "2" : set lo rules at end (--> then other rules are applied to lo too) lo_mode="1" if [ "$lo_mode" = "1" ] then /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A OUTPUT -o lo -j ACCEPT /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT fi /sbin/iptables -t mangle -F /sbin/iptables -t mangle -X /sbin/iptables -t mangle -Z /sbin/iptables -t mangle -P PREROUTING ACCEPT /sbin/iptables -t mangle -P OUTPUT ACCEPT /sbin/iptables -t mangle -P INPUT ACCEPT /sbin/iptables -t mangle -P FORWARD ACCEPT /sbin/iptables -t mangle -P POSTROUTING ACCEPT /sbin/iptables -t nat -F /sbin/iptables -t nat -X /sbin/iptables -t nat -Z /sbin/iptables -t nat -P PREROUTING ACCEPT /sbin/iptables -t nat -P OUTPUT ACCEPT /sbin/iptables -t nat -P POSTROUTING ACCEPT if cat /proc/net/ip_tables_matches | grep "recent" &>/dev/null ; then # if anybody from the list WATCHLIST, and in the last 20 sec, tries to do new connect attempts then DROP them! /sbin/iptables -A INPUT --match recent --name WATCHLIST --rcheck --seconds 20 -j DROP # accept client at port tcp:22 and register in WATCHLIST /sbin/iptables -A INPUT -p tcp --dport 22 --match recent --name WATCHLIST --set -j ACCEPT # if anybody tries to connect to tcp:139 (windows filesharing), then drop them and add them to the WATCHLIST /sbin/iptables -A INPUT -p tcp --dport 139 --match recent --name WATCHLIST --set -j DROP # accept client at port tcp:8192 (my test port) and register in WATCHLIST /sbin/iptables -A INPUT -p tcp --dport 8192 --match recent --name WATCHLIST --set -j ACCEPT else echo "# ipt_recent module is not loaded. Cannot use WATCHLIST feature. Ask your HN admin." /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT #/sbin/iptables -A INPUT -p tcp --dport 139 -j DROP /sbin/iptables -A INPUT -p tcp --dport 8192 -j ACCEPT fi /sbin/iptables -A INPUT -p tcp --dport 4643 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 587 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 119 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 563 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT if [ "$lo_mode" != "1" ] then /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A OUTPUT -o lo -j ACCEPT /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT fi /sbin/iptables -A INPUT -j DROP /sbin/iptables -A OUTPUT -j ACCEPT # on a openVZ HN we must enable FORWARD: if test -d /proc/vz && test -f /usr/sbin/vzctl ; then echo "# This is an openVZ HN: FORWARD packets will be ACCEPTed" /sbin/iptables -A FORWARD -j ACCEPT else echo "# This is not an openVZ HN: FORWARD packets will be DROPped" /sbin/iptables -A FORWARD -j DROP fi /sbin/iptables -v -L ##################################################### -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
