Re: easiest way to shut down all network services besides ssh?
Reco writes:

>>> The RELATED,ESTABLISHED rule is only for stupid protocols like FTP, that
>>> like to open new outbound connections in response to inbound requests.
>
> Not quite true. You forgot to take into account good old DNS, for
> example. Now, sure, DNS *is* stupid, but sshd relies on it to some
> extent. Or, say, NTP, which is UDP-based too.
>

Yah, I never run into that because I usually do this on my laptop, and
that has a local instance of bind running a slave of my own private zone
and a caching resolver. Slaving runs over an OpenVPN link using TCP, so
I can get by with an outbound ACCEPT policy.

But yeah, the most comprehensive policy runs a conntrack for related and
established outbound connections.

Mart
--
"We will need a longer wall when the revolution comes."
--- AJS, quoting an uncertain source.

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/86388ct807@gaheris.avalon.lan
Re: easiest way to shut down all network services besides ssh?
Mart van de Wege wrote:
> Reco writes:
>
>> The simplest *working* solution is to use iptables this way:
>>
>> iptables -F INPUT
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A INPUT -p icmp -j ACCEPT

Too permissive. Allow only safe error types (i.e. destination-unreachable,
time-exceeded and parameter-problem but NOT redirect or source-quench) in
the RELATED state.

>> iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Too restrictive. If you allow any protocol outbound, you must allow any
protocol reply inbound.

>> iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
>> iptables -P INPUT DROP
>> iptables -F OUTPUT
>> iptables -P OUTPUT ACCEPT
>>
>> Your rules will block anything on the interface lo and outbound traffic,
>> which is just asking for all kinds of trouble. And blocking icmp is just
>> rude ;)

No. Blocking /valid/ ICMP /error/ packets is rude and may cause trouble.
You may happily and safely drop any other ICMP packets.

> Outbound traffic is not necessary, surely?

Of course it is. At least reply packets to incoming SSH packets.

> The RELATED,ESTABLISHED rule is only for stupid protocols like FTP, that
> like to open new outbound connections in response to inbound requests.

Wrong. ESTABLISHED is for all connection-oriented protocols like TCP and
SCTP, but also some UDP-based protocols such as DNS, and ICMP echo (ping).
RELATED is also for ICMP error messages. Useful to get the replies from
an outgoing traceroute.

> Then again, chain OUTPUT defaults to ACCEPT anyway.
>
> Mart
Re: easiest way to shut down all network services besides ssh?
Hi.

On Thu, 18 Dec 2014 12:35:31 +0100
Mart van de Wege wrote:

> Reco writes:
>
>> Hi.
>>
>> On Thu, Dec 18, 2014 at 10:39:18AM +0100, Mart van de Wege wrote:
>>> Britton Kerin writes:
>>>
>>>> I have a system that I would like to make accessible only by ssh.
>>>>
>>>> No apache telnet ftp anything else.
>>>>
>>>> What is the easiest way to achieve this? It came from a vendor with
>>>> a slew of packages of all sorts, so I don't even know everything that
>>>> I want to remove.
>>>>
>>> Simplest solution is to use iptables to reject all traffic except for
>>> port 22:
>>>
>>> iptables -I INPUT -p tcp --dport 22 -j ACCEPT
>>> iptables -P INPUT DROP
>>>
>>> Of course, this depends on none of the shell users having root access.
>>
>> The simplest *working* solution is to use iptables this way:
>>
>> iptables -F INPUT
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A INPUT -p icmp -j ACCEPT
>> iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
>> iptables -P INPUT DROP
>> iptables -F OUTPUT
>> iptables -P OUTPUT ACCEPT
>>
>> Your rules will block anything on the interface lo and outbound traffic,
>> which is just asking for all kinds of trouble. And blocking icmp is just
>> rude ;)
>
> Heh. You're right about the lo blockage, I keep forgetting that
> every time I write iptables rules.

Oops. I forgot about this one:

iptables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \
    -j ACCEPT

> Outbound traffic is not necessary, surely? The answers of the box to
> incoming ssh packets still count as part of the INPUT stream.

Not unless you use '-m conntrack --ctstate NEW'. And (see below) not
unless you'll want to limit all new outbound connections to ssh only.

> The RELATED,ESTABLISHED rule is only for stupid protocols like FTP, that
> like to open new outbound connections in response to inbound requests.

Not quite true. You forgot to take into account good old DNS, for
example. Now, sure, DNS *is* stupid, but sshd relies on it to some
extent. Or, say, NTP, which is UDP-based too.

Besides, OP may need to establish new outbound connections from his host.
This:

iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \
    -j ACCEPT

will allow such connections without the need to punch multiple holes in
the INPUT chain.

> Then again, chain OUTPUT defaults to ACCEPT anyway.

True. But, just to be on the safe side, I'd add '-P ACCEPT' to OUTPUT too.

Reco
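The corrections raised across the thread (accept lo, pass only the safe ICMP error types as RELATED, accept ESTABLISHED replies for every protocol rather than TCP only, accept NEW connections to the SSH port, default policy DROP, OUTPUT left open) assembled into one script. This is an added example and not any poster's own ruleset; it assumes a Linux host with iptables and conntrack available and sshd on port 22 (override with SSH_PORT). The verify function reads `iptables -S INPUT` output so you can confirm the chain still admits SSH before closing the session you applied it from.

```shell
#!/bin/sh
# Added example (not from the thread): INPUT chain restricted to SSH plus
# conntrack replies. Run from a console or a screen/tmux session so that a
# mistake cannot lock you out.

SSH_PORT="${SSH_PORT:-22}"   # assumption: sshd listens on 22

# Print one iptables command per line (dry run); pipe into `sh -e` to apply.
ssh_only_rules() {
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -m conntrack --ctstate RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -m conntrack --ctstate RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -m conntrack --ctstate RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
iptables -F OUTPUT
iptables -P OUTPUT ACCEPT
EOF
}

# Read `iptables -S INPUT` on stdin; succeed only if the policy is DROP and
# a rule accepts traffic to the SSH port. Use it before you disconnect.
verify_input_chain() {
    awk -v port="$SSH_PORT" '
        /^-P INPUT DROP$/ { drop = 1 }
        /^-A INPUT / && index($0, "--dport " port " ") && /-j ACCEPT$/ { ssh = 1 }
        END { exit (drop && ssh) ? 0 : 1 }'
}

case "${1:-print}" in
    print)  ssh_only_rules ;;                       # show what would be run
    apply)  ssh_only_rules | sh -e ;;               # needs root
    verify) iptables -S INPUT | verify_input_chain && echo "INPUT chain OK" ;;
esac
```

Unlike the rule quoted above, ESTABLISHED is matched without `-p tcp`, so DNS and NTP answers to the host's own queries come back in; RELATED is limited to the three ICMP error types, so redirects and source-quench are dropped by policy. Run `sh script.sh apply` as root, then `sh script.sh verify` from a second connection before you log out of the first.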
Re: easiest way to shut down all network services besides ssh?
On 18.12.2014 06:08, Britton Kerin wrote:
> I have a system that I would like to make accessible only by ssh.
>
> No apache telnet ftp anything else.
>
> What is the easiest way to achieve this? It came from a vendor with
> a slew of packages of all sorts, so I don't even know everything that
> I want to remove.
>
> Thanks,
> Britton

Reinstalling a clean system is probably the easier solution.

But, if you can't do that, then you can list all running services (if
and only if they support sysvinit tools) with this command:

# service --status-all 2>/dev/null | grep + | cut -f2 -d ']'

Then, just stop services manually, or build a script which stops
everything except the few services you want to keep alive.

And if you want to make this disabling permanent, then:

$ less /etc/rc$(/sbin/runlevel | cut -f 2 -d ' ').d/README

will give you pointers about how to do that.

It is also possible that things start with cron, so you should probably
check in /etc/ and /var/spool/cron/ everything included in cron's
directories.
Re: easiest way to shut down all network services besides ssh?
Reco writes:

> Hi.
>
> On Thu, Dec 18, 2014 at 10:39:18AM +0100, Mart van de Wege wrote:
>> Britton Kerin writes:
>>
>>> I have a system that I would like to make accessible only by ssh.
>>>
>>> No apache telnet ftp anything else.
>>>
>>> What is the easiest way to achieve this? It came from a vendor with
>>> a slew of packages of all sorts, so I don't even know everything that
>>> I want to remove.
>>>
>> Simplest solution is to use iptables to reject all traffic except for
>> port 22:
>>
>> iptables -I INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -P INPUT DROP
>>
>> Of course, this depends on none of the shell users having root access.
>
> The simplest *working* solution is to use iptables this way:
>
> iptables -F INPUT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
> iptables -P INPUT DROP
> iptables -F OUTPUT
> iptables -P OUTPUT ACCEPT
>
> Your rules will block anything on the interface lo and outbound traffic,
> which is just asking for all kinds of trouble. And blocking icmp is just
> rude ;)

Heh. You're right about the lo blockage, I keep forgetting that
every time I write iptables rules.

Outbound traffic is not necessary, surely? The answers of the box to
incoming ssh packets still count as part of the INPUT stream. The
RELATED,ESTABLISHED rule is only for stupid protocols like FTP, that
like to open new outbound connections in response to inbound requests.

Then again, chain OUTPUT defaults to ACCEPT anyway.

Mart
--
"We will need a longer wall when the revolution comes."
--- AJS, quoting an uncertain source.
Re: easiest way to shut down all network services besides ssh?
Hi.

On Thu, Dec 18, 2014 at 10:39:18AM +0100, Mart van de Wege wrote:
> Britton Kerin writes:
>
>> I have a system that I would like to make accessible only by ssh.
>>
>> No apache telnet ftp anything else.
>>
>> What is the easiest way to achieve this? It came from a vendor with
>> a slew of packages of all sorts, so I don't even know everything that
>> I want to remove.
>>
> Simplest solution is to use iptables to reject all traffic except for
> port 22:
>
> iptables -I INPUT -p tcp --dport 22 -j ACCEPT
> iptables -P INPUT DROP
>
> Of course, this depends on none of the shell users having root access.

The simplest *working* solution is to use iptables this way:

iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
iptables -F OUTPUT
iptables -P OUTPUT ACCEPT

Your rules will block anything on the interface lo and outbound traffic,
which is just asking for all kinds of trouble. And blocking icmp is just
rude ;)

Reco
Re: easiest way to shut down all network services besides ssh?
On Thursday, 18 December 2014, 10:39:18, Mart van de Wege wrote:
> Britton Kerin writes:
>> I have a system that I would like to make accessible only by ssh.
>>
>> No apache telnet ftp anything else.
>>
>> What is the easiest way to achieve this? It came from a vendor with
>> a slew of packages of all sorts, so I don't even know everything that
>> I want to remove.
>
> Simplest solution is to use iptables to reject all traffic except for
> port 22:
>
> iptables -I INPUT -p tcp --dport 22 -j ACCEPT
> iptables -P INPUT DROP
>
> Of course, this depends on none of the shell users having root access.
>
> Mart

I would additionally uninstall all packages that are not needed. Maybe
you can find out with netstat which program is listening.

You might also want to install denyhosts to prevent brute force attacks.
Also portsentry might be interesting for you.

happy hacking

Hans
Re: easiest way to shut down all network services besides ssh?
Britton Kerin writes:

> I have a system that I would like to make accessible only by ssh.
>
> No apache telnet ftp anything else.
>
> What is the easiest way to achieve this? It came from a vendor with
> a slew of packages of all sorts, so I don't even know everything that
> I want to remove.
>
Simplest solution is to use iptables to reject all traffic except for
port 22:

iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP

Of course, this depends on none of the shell users having root access.

Mart
--
"We will need a longer wall when the revolution comes."
--- AJS, quoting an uncertain source.
Re: easiest way to shut down all network services besides ssh?
On Thu, 18 Dec 14, 00:37:30, The Wanderer wrote:
>
> If you want to transform your current system by removing
> externally-accessible services, I don't know of a strictly "easy" way,
> but if I wanted to do that on a machine under my control, what I'd do
> is:
>
> * Get a list of open ports by running 'nmap localhost' (or by running
>   nmap against the system from a different machine, which might give
>   more reliable results).
>
> * Do some guesswork against the installed package list to figure out
>   what might be opening each of the listed ports.
>
> * Remove all of those packages except for the chosen SSH server package.
>
> The guesswork is the difficult part, and although it doesn't seem
> terribly difficult from my end when I do a trial run (omitting the final
> "remove" part) on my own system, I can imagine that it could easily
> enough be more difficult under your circumstances. I don't have any good
> suggestions for how to make it any easier.

'netstat -plant' will show the executable responsible for opening the
port and 'dpkg -S' can tell you to which package it belongs.

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt
Re: easiest way to shut down all network services besides ssh?
On 12/18/2014 at 12:08 AM, Britton Kerin wrote:
> I have a system that I would like to make accessible only by ssh.
>
> No apache telnet ftp anything else.
>
> What is the easiest way to achieve this? It came from a vendor with
> a slew of packages of all sorts, so I don't even know everything that
> I want to remove.

The literal easiest way is probably to reinstall from scratch as a
minimal system, then install openssh-server.

If you want to transform your current system by removing
externally-accessible services, I don't know of a strictly "easy" way,
but if I wanted to do that on a machine under my control, what I'd do
is:

* Get a list of open ports by running 'nmap localhost' (or by running
  nmap against the system from a different machine, which might give
  more reliable results).

* Do some guesswork against the installed package list to figure out
  what might be opening each of the listed ports.

* Remove all of those packages except for the chosen SSH server package.

The guesswork is the difficult part, and although it doesn't seem
terribly difficult from my end when I do a trial run (omitting the final
"remove" part) on my own system, I can imagine that it could easily
enough be more difficult under your circumstances. I don't have any good
suggestions for how to make it any easier.

--
The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw
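The port inventory described in this thread (list what is listening, find the responsible program, then the owning package with 'dpkg -S') as a repeatable script. It is an added example, not code from any poster; it assumes the column layout of net-tools' `netstat -plant` (State in field 6, PID/Program in field 7) and that sshd is the only service meant to stay. The netstat output embedded below is constructed so the parser can be exercised without root; on the real host feed it the live command instead.

```shell
#!/bin/sh
# Added example (not from the thread): find every listening TCP socket that
# is not sshd, so the guesswork part of the cleanup becomes a short list.

# Read `netstat -plant` on stdin; print "port program" for each LISTEN socket.
listening_sockets() {
    awk '$6 == "LISTEN" {
        n = split($4, addr, ":"); port = addr[n]   # "0.0.0.0:80" or ":::80" -> 80
        split($7, prog, "/")                        # "901/apache2" -> pid 901, apache2
        print port, prog[2]
    }'
}

# Same, minus sshd, with the IPv4/IPv6 duplicates collapsed: the list of
# services still to stop or remove.
unexpected_listeners() {
    listening_sockets | awk '$2 != "sshd"' | sort -u
}

# Map a PID to the Debian package owning its executable (the 'dpkg -S' step
# from the thread). Needs a live system and root to read /proc/PID/exe.
owning_package() {
    exe=$(readlink "/proc/$1/exe") || return 1
    dpkg -S "$exe" 2>/dev/null | cut -d: -f1
}

# Constructed sample in netstat -plant format; not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      845/exim4
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      901/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      612/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      901/apache2
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED 1233/sshd:'

# Demonstration on the sample; on a real host use:
#   netstat -plant | unexpected_listeners
#   owning_package 901
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

The 127.0.0.1:25 entry is the case worth noticing: a local-only listener is not reachable from outside, so it would never show in a remote nmap scan, yet it is still a running service the vendor image left behind. Checking with 'nmap localhost' as suggested above, or with netstat on the box itself, catches it.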
easiest way to shut down all network services besides ssh?
I have a system that I would like to make accessible only by ssh.

No apache telnet ftp anything else.

What is the easiest way to achieve this? It came from a vendor with
a slew of packages of all sorts, so I don't even know everything that
I want to remove.

Thanks,
Britton