[EMAIL PROTECTED] wrote:
> 
> Attached is a list of tasks for the security category. Admittedly, these
> tasks were originally written prior to the release of iptables. We will
> not be removing the ipchains tasks, but we must also include duplicate
> tasks which address iptables.
> 
> Can you security experts provide matching tasks (or additional ones if
> applicable) which covers technical details involved with iptables?
> 

Attached.  And do I have heartburn with two tasks here.  How about:  How
can you configure ipchains (iptables) to totally frustrate your
web-browsing users and keep your phone ringing off the hook?  (DROP ALL
ICMP PACKETS!!!!).

Question:  I've seen a _lot_ of problems with folks enabling ECN without
knowing what it is, then complaining they can't get to web site
such-and-such (because the broken firewall drops packets with the TCP ECN
(E) option set).

Not even sure where this would be tested.  echo 0 >
/proc/sys/net/ipv4/tcp_ecn

Ciao,

David A. Bandel
-- 
Focus on the dream, not the competition.
                -- Nemesis Racing Team motto

1.1.5           Pre-configure ssh-agent system-wide 
3.2.1           Turn on and off IP forwarding by changing the value of 
/proc/sys/net/ipv4/ip_forward. 
3.2.2           Use tcp_max_syn_backlog, tcp_syn_retries and tcp_syncookies to manage 
syn connections and synflood attacks. 
Subarea 4: CIDR
3.4.1           Configure ipchains to set up ip masquerading. 
                Configure iptables to set up ip masquerading.
3.4.2           Use ipchains redirect to send input packets to IP servers -- ??? 
redirect only redirects on the local host.  If I read this correctly, this requires 
ipfwadm with ipchains. ???
                Use iptables to redirect incoming packets to other servers 
3.4.4           List firewall rules on a chain using ipchains. 
                List firewall rules on chains in various tables using iptables
3.7.1           Set up secure anonymous ftp server for web host clients 
3.7.2   L1      Change the /etc/ftpaccess file to include the DENY keyword. 
5.2.2   hi,L1   Set up secure shell 
5.2.5   L1      Generate a SSH public/private key pair (in ~/.ssh/identity and 
~/.ssh/identity.pub). 
5.2.7           Configure a remote system to allow SSH logins with a public key by 
adding the key to ~/.ssh/authorized_keys. 
5.2.8   L1      Properly configure and use ssh-agent, including killing it off at 
logout properly. 
5.2.9           Manage multiple connections from multiple locations to prevent network 
connection loss during sensitive remote system changes. 
5.2.10          Set up special secure ports to allow remote administration as 
superuser. 
5.2.11  hi      Use tcpwrappers or ipchains (or iptables) to manage remote access. 
5.2.13          Use ssh's port forward ability to encrypt insecure connections to a 
remote server and vice versa 
5.2.16          Set up ssh to properly handle incoming and outgoing Ssh ver. 1 and ver. 
2 connections 
5.2.17          Disable ssh connections for everyone except root during system 
maintenance 
5.2.18          Set up trusted hosts for ssh connections that allow logins without 
password 
5.2.22  lo      Set up kerberos to provide better security while allowing centralized 
user account management 
6.2.2   lo      Perform basic security auditing of sensitive source code, such as 
scanning for insecure usage of functions like 'strcpy' and 'sprintf' 
6.2.7           Read bug track to learn about new security problems and fix them. 
6.2.8           Check for open mail relays and anonymous ftp servers 
6.2.9   lo      Install and configure the snort intrusion detection tool 
6.2.10  lo      Update the snort configuration files to reflect newly-discovered 
vulnerabilities 
6.3.1           Disable logging on as root by changing the /etc/ssh/sshd_config by 
entering DenyGroup root 
6.3.5   hi      Apply security bugfixes to important daemons 
6.4.1           Change the firewall setup to block hosts that do portscans or test for 
vulnerabilities
                Change the firewall setup to block connections from hosts that do 
portscans or test for vulnerabilities using iptables stateful rules 
6.4.3           Set up ipchains to accept packets into your network by specific 
network blocks. 
                Set up iptables to accept SYN packets into your network by specific 
network blocks
6.4.4           Set up ipchains to deny ICMP packets into your network by specific 
network blocks. 
6.4.5           Set up ipchains to reject ICMP packets into your network. 
AAAAGGGHHHH -- I have _extreme_ heartburn with the above two tasks.  You might want to 
reject or deny (drop) ICMP ping packets, but _NEVER_ _EVER_ _EVER_ ALL ICMP packets.  
Talk about a self-inflicted gunshot wound to the kneecap with a howitzer!  I can't 
believe the above two are actually tasks as they stand.

6.4.4           Set up ipchains (iptables) to deny (drop) ICMP ping (echo-request) 
packets into your network by specific network blocks
6.4.5           Set up ipchains (iptables) to reject ICMP ping (echo-request) packets 
into your network by specific network blocks

Extra:          Set up iptables to only allow return connections (ESTABLISHED or 
RELATED) connections back into your network while dropping or rejecting new or invalid 
connections
Extra:          Set up iptables to allow active FTP sessions through your firewall
Extra:          Set up netfilter to do IP defragmentation
Extra:          Set up iptables rules to correct window sizes to account for broken 
ISP routers (TCPMSS)

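The corrected ICMP tasks (echo-request only, never all of ICMP) and the stateful and TCPMSS extras above, as an added shell example that is not part of the original mail. The interface name eth0 and the network blocks are constructed; IPT defaults to printing the rules so the script runs without root.

```shell
#!/bin/sh
# Added example, not from the original mail: builds the rules for the
# corrected tasks.  IPT defaults to "echo iptables" so the script prints
# the rules instead of applying them; run with IPT=iptables as root.
IPT="${IPT:-echo iptables}"

# 6.4.4: drop only ICMP echo-request from the listed blocks.  Every other
# ICMP type (destination-unreachable, fragmentation-needed, time-exceeded)
# stays allowed, so path-MTU discovery and error reporting keep working.
drop_ping_from() {
    for block in "$@"; do
        $IPT -A INPUT -s "$block" -p icmp --icmp-type echo-request -j DROP
    done
}

# 6.4.5: same match, but answer with an ICMP error instead of a silent drop.
reject_ping_from() {
    for block in "$@"; do
        $IPT -A INPUT -s "$block" -p icmp --icmp-type echo-request -j REJECT
    done
}

# Extra: on the outside interface accept only replies to connections we
# opened (ESTABLISHED/RELATED) and drop NEW and INVALID packets.
stateful_return_only() {
    ext="$1"
    $IPT -A INPUT -i "$ext" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$ext" -m state --state INVALID -j DROP
    $IPT -A INPUT -i "$ext" -m state --state NEW -j DROP
}

# Extra: clamp the MSS on forwarded SYNs to the path MTU, for ISP routers
# that swallow ICMP fragmentation-needed (the reason not to drop all ICMP).
clamp_mss() {
    $IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

# Example run with constructed (RFC 5737 documentation) network blocks.
drop_ping_from 192.0.2.0/24 198.51.100.0/24
stateful_return_only eth0
clamp_mss
```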
