Re: Request for comments: iptables script for use on laptops.
On Tue, May 23, 2006 at 04:20:58PM +0200, Uwe Hermann wrote:
> On Tue, May 23, 2006 at 09:53:05AM +0200, LeVA wrote:
> > But if one can spoof 127.0.0.1, then one can spoof anything else, so
> > creating any rule with an ip address matching is useless.
>
> Correct. IP-based authentication is inherently flawed. If you want
> something like that, use strong cryptography to verify the
> sender/receiver (think certificates, SSL, etc.).

No, it's not inherently flawed for loopback addresses on the loopback
interface. There are valid reasons to want a different set of rules on the
local host than on the network. (E.g., want to be able to test without the
complexity of an encryption layer, don't want overhead of encrypting both
sides of a local connection, etc.) Aside from that, yeah, ip addresses
shouldn't be used for authentication on untrusted networks. (Though they
are useful as one layer of security, to mitigate the risk of
vulnerabilities in the encryption routines.)

Mike Stone

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Decent iptables script for bridging?
Christian Holler wrote:
> Hello, I'm currently setting up a bridge on Debian, which is meant to
> act as an invisible filter in our network which is otherwise directly
> exposed to the internet (every host directly reachable from the
> internet, no NAT or anything like that). I found a good Debian howto
> that describes this setup, but I was wondering if there is an iptables
> firewall script which is meant for that kind of setup. All iptables
> scripts I know are for NAT or Home Firewalling (including dialup etc).
> Thanks in advance for useful hints.

Shorewall should do the trick; just look on its website for an example
setup with bridging. Also, I prefer writing my own script :-)

greets Uwe
--
http://www.x-tec.de
http://www.highspeed-firewall.de
Re: Request for comments: iptables script for use on laptops.
Hi,

On Tue, May 23, 2006 at 09:53:05AM +0200, LeVA wrote:
> But if one can spoof 127.0.0.1, then one can spoof anything else, so creating
> any rule with an ip address matching is useless.

Correct. IP-based authentication is inherently flawed. If you want
something like that, use strong cryptography to verify the
sender/receiver (think certificates, SSL, etc.).

> If I set up my firewall
> to accept only my local network (eg. -s 192.168.0.0/255.255.255.0) connecting
> to a port (eg. smtp), then anyone can spoof that too. So what's the point of
> creating rules? :)

Well, there are still some benefits in using a firewall. For example, if
you don't allow access to any port per default, but only open a few ones
you really need (in case you're running servers which must be reachable
from the net). If you accidentally/unknowingly install/start a daemon
which should _not_ be reachable from outside, the firewall will block any
traffic to it, and hence any exploit attempts.

There are many other valid examples. It's not the concept of a firewall
that is flawed, it's relying on IP addresses for authentication which is
a bad idea.

Uwe.
--
Uwe Hermann
http://www.hermann-uwe.de
http://www.it-services-uh.de | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
Decent iptables script for bridging?
Hello,

I'm currently setting up a bridge on Debian, which is meant to act as an
invisible filter in our network which is otherwise directly exposed to
the internet (every host directly reachable from the internet, no NAT or
anything like that). I found a good Debian howto that describes this
setup, but I was wondering if there is an iptables firewall script which
is meant for that kind of setup. All iptables scripts I know are for NAT
or Home Firewalling (including dialup etc).

Thanks in advance for useful hints.

Chris
Re: Request for comments: iptables script for use on laptops.
On 23 May 2006 at 10:06, Rolf Kutz <[EMAIL PROTECTED]> wrote to debian-security@lists.debian.org:
> * Quoting LeVA ([EMAIL PROTECTED]):
> > > iptables -A INPUT -i lo -j ACCEPT
> > > iptables -A OUTPUT -o lo -j ACCEPT
> >
> > But if one can spoof 127.0.0.1, then one can spoof anything else, so
> > creating any rule with an ip address matching is useless. No? If I set up
> > my firewall to accept only my local network (eg. -s
> > 192.168.0.0/255.255.255.0) connecting to a port (eg. smtp), then anyone
> > can spoof that too. So what's the point of creating rules? :)
>
> The script under scrutiny was intended for a
> laptop. A router or firewall setup is something
> different and should not route traffic with
> spoofed addresses. rp_filter should catch this
> easily, if you can use it. If not, an IP-based
> rule is ok, IMHO.

So sticking with the smtp example, if I have enabled rp_filter, then does
it matter whether I'm using this:

iptables -A INPUT -p tcp -i lo --dport 25 -j ACCEPT

or this:

iptables -A INPUT -p tcp -s 127.0.0.1 --dport 25 -j ACCEPT

Daniel
--
LeVA
Re: Request for comments: iptables script for use on laptops.
LeVA said:
> But if one can spoof 127.0.0.1, then one can spoof anything else, so
> creating any rule with an ip address matching is useless. No?

It's not totally useless but gives only a minor level of protection,
i.e. it helps against attacks without spoofing :)

> If I set up my firewall to accept only my local network (eg.
> -s 192.168.0.0/255.255.255.0) connecting to a port (eg. smtp), then
> anyone can spoof that too. So what's the point of creating rules? :)

This is ok. You simply need some more "anti-spoofing" rules. You can
allow packets from 127.0.0.1 only if they come from the loopback
interface. And you may want to discard packets coming from the internal
network card, if they don't have an appropriate IP address.

Here is an example: http://www.sns.ias.edu/~jns/files/iptables_ruleset

--
Michel Messerschmidt, [EMAIL PROTECTED]
$ rpm -q --whatrequires linux
no package requires linux
Re: Request for comments: iptables script for use on laptops.
On Tue, May 23, 2006 at 02:04:13AM +0200, Uwe Hermann wrote:
[...]
> > iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> > iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
>
> Correct me if I'm wrong, but I think this would also allow incoming
> traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
> his IP address to appear to be 127.0.0.1 could send _any_ traffic
> to you and you would ACCEPT it, basically rendering the firewall
> useless. Did I miss anything?

Kernel shoots any packet it considers as being "martian" -- e.g. packets
from 127.0.0.0/8 cannot appear on any interface except lo. The same
applies to the reverse case: no packet coming from an "external" interface
but claiming to be destined to 127.0.0.0/8 won't be passed further by the
kernel. See RFC 1812 for explanations.

One can switch on logging records about killed martian packets with
net/ipv4/conf/ethN/log_martians=1 in /etc/sysctl.conf

[...]

I agree with your other comments.

P.S. I think the best way to secure the box is the simplest: allow
incoming packets with states ESTABLISHED and RELATED, deny all others
(except for OpenVPN or whatever remote access is needed). Maybe it's also
worth accepting ICMP Ping packets. All special ICMP packets needed for
proper functioning of TCP/IP (PMTU discovery for example) fall into the
RELATED domain and are passed to the stack.
Re: Request for comments: iptables script for use on laptops.
On Tue, May 23, 2006 at 10:06:45AM +0200, Rolf Kutz wrote:
> The script under scrutiny was intended for a
> laptop. A router or firewall setup is something
> different and should not route traffic with
> spoofed addresses. rp_filter should catch this
> easily, if you can use it. If not, an IP-based
> rule is ok, IMHO.

No, if you mean to accept loopback traffic then you should accept -i lo.
If nothing else, all of 127.0.0.0/8 is loopback addresses, not just
127.0.0.1, and I have seen software that makes use of that.

Mike Stone
Re: Request for comments: iptables script for use on laptops.
Hi,

> > iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> > iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
>
> Correct me if I'm wrong, but I think this would also allow incoming
> traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
> his IP address to appear to be 127.0.0.1 could send _any_ traffic
> to you and you would ACCEPT it, basically rendering the firewall
> useless. Did I miss anything?

Yes, I think this allows incoming spoofed traffic to eth0 (or is it
"martian"?), but the response must follow what is found in the routing
table -> lo interface... am I wrong?

bye
Re: How to prevent daemons from ever being started?
On Mon, May 15, 2006 at 10:27:00PM -0700, Vineet Kumar wrote:
> > > echo "This daemon has been disabled"
> > > exit 0
> > >
> > > near the top of the init.d scripts :)
> >
> > using a /etc/default/daemon
> > DAEMON=disable
> >
> > and a small check in the init.d script is what lots of packages actually do.
>
> I think Uwe wanted them to not start automatically at boot but to be
> able to invoke the init script manually. Both of these ideas prevent
> the manual invocation as well.

Correct. And I also don't like the idea of manually editing files in
/etc/init.d... I think policy-rc.d looks like what I want.

Uwe.
--
Uwe Hermann
http://www.hermann-uwe.de
http://www.it-services-uh.de | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
Re: [SECURITY] [DSA 1073-1] New MySQL 4.1 packages fix several vulnerabilities
Martin Schulze wrote:
> The following vulnerability matrix shows which version of MySQL in
> which distribution has this problem fixed:
>
>                   woody          sarge            sid
> mysql             3.23.49-8.15   n/a              n/a
> mysql-dfsg        n/a            4.0.24-10sarge2  n/a
> mysql-dfsg-4.1    n/a            4.1.11a-4sarge3  n/a
> mysql-dfsg-5.0    n/a            n/a              5.0.21-3

I can't "apt-get upgrade" from 4.0.24-10sarge1 to 4.0.24-10sarge2. Is
that package already created / uploaded to the security repository? Or
am I missing something?

Ch.
Re: Request for comments: iptables script for use on laptops.
* Quoting Michael Stone ([EMAIL PROTECTED]):
> On Tue, May 23, 2006 at 10:06:45AM +0200, Rolf Kutz wrote:
> > The script under scrutiny was intended for a
> > laptop. A router or firewall setup is something
> > different and should not route traffic with
> > spoofed addresses. rp_filter should catch this
> > easily, if you can use it. If not, an IP-based
> > rule is ok, IMHO.
>
> No, if you mean to accept loopback traffic then you should accept -i lo.
> If nothing else, all of 127.0.0.0/8 is loopback addresses, not just
> 127.0.0.1, and I have seen software that makes use of that.

Locally, yes, but on a firewall or router? And I was referring to
192.168.x.x addresses.

- Rolf
Re: Request for comments: iptables script for use on laptops.
* Quoting LeVA ([EMAIL PROTECTED]):
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A OUTPUT -o lo -j ACCEPT
>
> But if one can spoof 127.0.0.1, then one can spoof anything else, so creating
> any rule with an ip address matching is useless. No? If I set up my firewall
> to accept only my local network (eg. -s 192.168.0.0/255.255.255.0) connecting
> to a port (eg. smtp), then anyone can spoof that too. So what's the point of
> creating rules? :)

The script under scrutiny was intended for a
laptop. A router or firewall setup is something
different and should not route traffic with
spoofed addresses. rp_filter should catch this
easily, if you can use it. If not, an IP-based
rule is ok, IMHO.

- Rolf
Re: Request for comments: iptables script for use on laptops.
* Quoting Uwe Hermann ([EMAIL PROTECTED]):
> > iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> > iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
>
> Correct me if I'm wrong, but I think this would also allow incoming
> traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
> his IP address to appear to be 127.0.0.1 could send _any_ traffic
> to you and you would ACCEPT it, basically rendering the firewall
> useless. Did I miss anything?

Maybe this:

| echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

- Rolf
Re: Request for comments: iptables script for use on laptops.
On 23 May 2006 at 02:04, Uwe Hermann <[EMAIL PROTECTED]> wrote to George Hein <[EMAIL PROTECTED]>, debian-laptop@lists.debian.org, debian-security@lists.debian.org:
> > iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> > iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
>
> Correct me if I'm wrong, but I think this would also allow incoming
> traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
> his IP address to appear to be 127.0.0.1 could send _any_ traffic
> to you and you would ACCEPT it, basically rendering the firewall
> useless. Did I miss anything?
>
> The following should be better, as it only allows traffic to/from the
> loopback interface (but not eth0 or what have you)...
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT

But if one can spoof 127.0.0.1, then one can spoof anything else, so
creating any rule with an ip address matching is useless. No? If I set up
my firewall to accept only my local network (eg. -s
192.168.0.0/255.255.255.0) connecting to a port (eg. smtp), then anyone
can spoof that too. So what's the point of creating rules? :)

Daniel
--
LeVA
Re: How to prevent daemons from ever being started?
Hi,

On Mon, May 15, 2006 at 08:49:36PM +0200, Javier Fernández-Sanguino Peña wrote:
> Please see
> http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s-disableserv
>
> and the preceding paragraph:
>
> "If you want to keep some services but use them rarely, use the
> update-commands, e.g. update-inetd and update-rc.d to remove them from the
> startup process. For more information on how to disable network services read
> Disabling daemon services, Section 3.6.1. If you want to change the default
> behaviour of starting up services on installation of their associated
> packages[4] use policy-rc.d, please read
> /usr/share/doc/sysv-rc/README.policy-rc.d.gz for more information."
>
> I believe all the mechanisms suggested in this thread are already there.

Yes, policy-rc.d indeed looks like it does what I want, thanks!

Uwe.
--
Uwe Hermann
http://www.hermann-uwe.de
http://www.it-services-uh.de | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
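As an added illustration of the policy-rc.d mechanism the two messages above settle on (this is example code, not something posted in the thread or shipped by Debian): invoke-rc.d, which package maintainer scripts use, runs /usr/sbin/policy-rc.d with the initscript id and the action, and an exit status of 101 means "action forbidden" while 0 allows it. The list of services to keep from starting is a constructed placeholder; running /etc/init.d/foo start by hand does not go through invoke-rc.d and is unaffected.

```shell
#!/bin/sh
# Added example of a /usr/sbin/policy-rc.d. invoke-rc.d calls it as
#   policy-rc.d [--quiet] <initscript id> <action> [<runlevel>]
# and treats exit status 101 as "action forbidden", 0 as "allowed".
# The service names below are a constructed example; adjust to taste.

DISABLED_SERVICES="${DISABLED_SERVICES:-apache2 cupsys portmap}"

# Decide for one (initscript, action) pair; prints the exit status to use.
policy_decision() {
    script="$1"
    action="$2"
    # Only start-like actions are policed; stop/status must keep working so
    # that package removal and shutdown behave normally.
    case "$action" in
        start|restart|reload|force-reload) ;;
        *) echo 0; return ;;
    esac
    for s in $DISABLED_SERVICES; do
        if [ "$s" = "$script" ]; then
            echo 101
            return
        fi
    done
    echo 0
}

main() {
    [ "$1" = "--quiet" ] && shift
    if [ $# -lt 2 ]; then
        echo "usage: $0 [--quiet] <initscript id> <action> [<runlevel>]" >&2
        exit 2
    fi
    rc=$(policy_decision "$1" "$2")
    [ "$rc" = 101 ] && echo "policy-rc.d: '$1 $2' denied by local policy" >&2
    exit "$rc"
}

# Run only when invoked with arguments, so the functions can be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Install it as /usr/sbin/policy-rc.d with mode 0755; invoke-rc.d consults it only if it exists and is executable.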
can not connect to sshd
Hi!

I'm experiencing this problem: After my server has lost its internet
connection, I can not ssh to it from our local network. I get this in
the auth.log:

sshd[10746]: Did not receive identification string from :::192.168.0.3

But that is all, I can not notice anything else in the log files. Also,
I can not connect from the server itself (localhost):

sshd[10797]: refused connect from localhost.localdomain (:::127.0.0.1)

My hosts.allow and hosts.deny files are configured to allow anything from
LOCAL and from my network. After the internet connection comes back
again, I can connect to the machine. What could be the problem?

Thanks!

Daniel
--
LeVA
Re: Request for comments: iptables script for use on laptops.
Hi,

On Mon, May 22, 2006 at 07:57:59AM -0400, George Hein wrote:
> Your iptables scares me a bit, do we really have to do all that stuff
> like "echo to /proc/sys/...". I was a TP professional many years ago
> but since the internet I have become a novice, thus running scared.

You don't really _need_ those lines, but they're mostly useful in that
they add some more levels of security (or mitigate some attacks), in
addition to just closing TCP/UDP ports.

> iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> iptables -A OUTPUT -j ACCEPT -d 127.0.0.1

Correct me if I'm wrong, but I think this would also allow incoming
traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
his IP address to appear to be 127.0.0.1 could send _any_ traffic
to you and you would ACCEPT it, basically rendering the firewall
useless. Did I miss anything?

The following should be better, as it only allows traffic to/from the
loopback interface (but not eth0 or what have you)...

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

> iptables -A INPUT -j ACCEPT -s 192.168.0.0/28 # allow x.x.x.1-7
> iptables -A OUTPUT -j ACCEPT -d 192.168.0.0/28

IP-based blocking of traffic is almost always not a good idea. Same
reason as above - IPs are easily faked, so any intruder could pretend
to be 192.168.0.2 and would bypass the firewall.

> # iptables -A INPUT -j ACCEPT -p icmp -m icmp --icmp-type 3
> # iptables -A OUTPUT -j ACCEPT -p icmp -m icmp --icmp-type 3
> iptables -A INPUT -j ACCEPT -p tcp -m multiport --port
> 20,21,25,37,80,110,111,119,443
> iptables -A INPUT -j ACCEPT -p udp -m multiport --port
> 53,67,68,111,520,631

Are you sure you want to allow the whole Internet access to all those
ports? Especially portmap, FTP, CUPS etc? Are you running a server which
needs to be reachable from the Internet?

Uwe.
--
Uwe Hermann
http://www.hermann-uwe.de
http://www.it-services-uh.de | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
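As an added example that is not code from the thread or from any of its participants, here is a small laptop ruleset that combines the points argued across this thread: loopback is matched on the interface (-i lo) rather than on the 127.0.0.1 address, anything claiming a 127.0.0.0/8 source on another interface is dropped explicitly, rp_filter and log_martians are enabled via sysctl, and the rest is the stateful default-deny (ESTABLISHED,RELATED plus rate-limited ping) suggested above. The IPT/SYSCTL variables default to echo so the script can be dry-run without root; the rule set itself and the "apply" argument are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a laptop ruleset that matches
# loopback on the interface (-i lo) instead of the 127.0.0.1 address,
# drops 127.0.0.0/8 sources seen on any other interface, enables
# rp_filter/log_martians and is otherwise stateful default-deny.
# IPT and SYSCTL default to "echo" so the script can be dry-run
# without root; run "IPT=iptables SYSCTL=sysctl sh fw.sh apply" to apply.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# The rule from the original script, kept only for comparison: it matches
# the source address, so a spoofed 127.0.0.1 arriving on eth0 matches too.
weak_loopback_rule() {
    printf '%s\n' '-A INPUT -j ACCEPT -s 127.0.0.1'
}

# Hardened ruleset, one rule per line without the leading "iptables".
hardened_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -j LOG --log-prefix fw-drop:
EOF
}

# Kernel-side anti-spoofing discussed in the thread: rp_filter drops
# packets whose source would not be routed back via the same interface,
# and log_martians records the martian packets (RFC 1812) the kernel drops.
sysctl_settings() {
    cat <<'EOF'
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.log_martians=1
EOF
}

apply() {
    $IPT -F
    hardened_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into args is intended
        $IPT $rule
    done
    sysctl_settings | while IFS= read -r kv; do
        $SYSCTL -w "$kv"
    done
}

# Apply only when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "apply" ]; then apply; fi
```

With the defaults the script prints the exact iptables and sysctl commands it would run, which is a convenient way to review a ruleset before loading it.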
Re: Request for comments: iptables script for use on laptops.
Hi,

On Mon, May 22, 2006 at 03:16:04PM -0700, Vineet Kumar wrote:
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > echo 0 > /proc/sys/net/ipv4/ip_forward
>
> While I haven't yet gone through the actual content of the script, a
> note of style preference:
>
> Personally, I prefer using sysctl -w instead of echo > /proc/sys. I
> prefer /etc/sysctl.conf further still.

Ok, this is a matter of taste, I guess. I would argue that echo is
available pretty much everywhere, but on the other hand sysctl should
also be available everywhere where you have iptables...

Is there any _real_ reason why sysctl might be better in certain
situations?

For me /etc/sysctl.conf is not so nice, as I want to be able to download
my own script from my website when I'm at other machines which I want to
secure. Thus, I'd like to have everything in one single script (vs.
multiple files).

Uwe.
--
Uwe Hermann
http://www.hermann-uwe.de
http://www.it-services-uh.de | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org