Re: Why not have firewall rules by default?

2008-01-23 Thread William Twomey


If this is needed/wanted in Debian, no problem, but remember that 
obscurity isn't security.
With fwbuilder, lokkit (GNOME), kmyfirewall (KDE) etc. it is very easy 
to make and maintain firewalls on Linux, and all of these are regular 
Debian packages. It is true that there should be more information 
about firewall possibilities, for example at 
http://www.debian.org/doc/manuals/securing-debian-howto/


I guess my point is if the 'iptables' package is installed by default on 
Debian, then better integration with Debian would probably be a good idea.


Why is iptables installed by default and why is there no debian way to 
load/save/unload the iptables rules without making your own init script? 
Why was the init script removed from Debian (security? no maintainer?)


I like Debian because it doesn't try to install selinux, firewalls 
and all the bells and whistles for me. This is sometimes forgotten by 
some distributions :) I can choose for myself what is suitable for me.

I agree; not having all the bells and whistles is good, but having 
choice is good too. No one (I hope) is complaining that after installing 
ssh/apache a file is put in /etc/init.d and /etc/rc2.d. Or that services 
are started by default when you install them.


The fact that a Debian machine connected to the internet is vulnerable 
to attacks that have built-in protection on Linux/iptables is strange to 
me. It would be nice to be able to enable these settings so they stay 
after a reset, via apt or the install.


-Will


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Why not have firewall rules by default?

2008-01-23 Thread William Twomey
It's my understanding (and experience) that a Debian system by default 
is vulnerable to SYN flooding (at least when running services) and other 
such mischief. I was curious as to why tcp_syncookies (and similar 
things) are not enabled by default.


Many distros (RPM-based mostly, from my experience) ask you during the 
install if you'd like to enable firewall protection. I was curious if 
Debian was ever going to have this as an option?


One solution could be to have a folder called /etc/security/iptables 
that contains files that get passed to iptables at startup (in the same 
way /etc/rc2.d gets read in numeric order). So you could have files like 
22ssh, 23ftp, etc. with iptables rules in each file. You could also have 
an 'ENABLED' variable like some files in /etc/default have (so that 
ports wouldn't be opened by default; the user would have to manually 
enable them for the port to be opened). 

Then they'd just run /etc/init.d/iptables restart and the port would be 
opened (flush the rules, reapply).


Even a central iptables-save format file that gets passed to iptables at 
startup would be nice. It's easy enough to do manually, but would be 
nice to see integrated with debian itself (packages managing their own 
rules, etc.).


Is Debian ever going to introduce a better way of having iptables rules 
be run at startup and easily saved/managed, or will this always be a 
manual process?


Thanks!

-Will
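
Added example, not the poster's or Debian's code: a small POSIX sh loader 
for the per-service rule directory described above (a rule directory 
defaulting to the proposed /etc/security/iptables, files applied in sorted 
order, each honoured only when it sets ENABLED=yes, and a restart that 
flushes then reapplies). IPTABLES, RULE_DIR and the function names are 
assumptions; IPTABLES can be pointed at a logging stub for a dry run.

```shell
#!/bin/sh
# Loader for the proposed /etc/security/iptables layout: one file per
# service (22ssh, 23ftp, ...), applied in lexical order like /etc/rc2.d.
# A file holds "ENABLED=yes" plus iptables arguments, one rule per line,
# e.g.  -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Added example; IPTABLES and RULE_DIR are assumed, overridable names.
IPTABLES="${IPTABLES:-iptables}"
RULE_DIR="${RULE_DIR:-/etc/security/iptables}"

# file_enabled FILE: true only when the file opts in explicitly
file_enabled() {
    grep -q '^ENABLED=yes$' "$1"
}

# apply_file FILE: hand each rule line to iptables; prints rules applied
apply_file() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|ENABLED=*) continue ;;   # blank, comment or the flag
        esac
        "$IPTABLES" $line || return 1        # word-splitting is intended
        n=$((n + 1))
    done < "$1"
    echo "$n"
}

# flush_rules: the "stop" half of a restart; empty the chains first
flush_rules() {
    "$IPTABLES" -F INPUT && "$IPTABLES" -F FORWARD
}

# load_rules: walk RULE_DIR in sorted order, skipping files not enabled.
# Prints "NAME: N rules" or "NAME: disabled" per file, then a total.
load_rules() {
    total=0
    for f in "$RULE_DIR"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if ! file_enabled "$f"; then echo "$name: disabled"; continue; fi
        n=$(apply_file "$f") || return 1
        echo "$name: $n rules"
        total=$((total + n))
    done
    echo "total: $total"
}
# /etc/init.d-style entry points: start, stop, restart (flush, reapply)
case "${1:-}" in
    start) load_rules ;;  stop) flush_rules ;;  restart) flush_rules && load_rules ;;
esac
```

Run as `RULE_DIR=/path/to/rules IPTABLES=echo sh loader.sh restart` to see which rules would be applied without touching the live tables.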


netstat shows strange output

2008-01-06 Thread William Twomey

netstat | grep www | wc -l
1138

I was seeing lots of 'SYN_RECV' on port 80 coming from one host. I've 
tried the following iptables rules (from iptables-save). Kind of a mess, 
as I've been trying multiple things to solve this problem.


-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP

-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DDoS

I also disabled ipv6, which I was seeing a lot of from this host.

I am now seeing a lot of entries like this:

tcp        0      0 192.168.1.240:www       ba.2c.5646.static:34884 FIN_WAIT2
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:33860 FIN_WAIT2
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:33863 FIN_WAIT2
tcp        1      0 192.168.1.240:www       ba.2c.5646.static:44103 CLOSE_WAIT
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:57671 ESTABLISHED
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:57927 FIN_WAIT2
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:57926 FIN_WAIT2
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:58489 FIN_WAIT2
tcp        1      0 192.168.1.240:www       ba.2c.5646.static:57465 CLOSE_WAIT
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:50041 FIN_WAIT2
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:48251 FIN_WAIT2
tcp        1      0 192.168.1.240:www       ba.2c.5646.static:44155 CLOSE_WAIT
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:55675 FIN_WAIT2
tcp        1      0 192.168.1.240:www       ba.2c.5646.static:41850 CLOSE_WAIT
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:55674 FIN_WAIT2
tcp        1      0 192.168.1.240:www       ba.2c.5646.static:44413 CLOSE_WAIT
tcp        0      0 192.168.1.240:www       ba.2c.5646.static:59517 ESTABLISHED
tcp        1      0 192.168.1.240:www       ba.2c.5646.static:44401 CLOSE_WAIT


I've blocked this IP (resolves to 18255.com) on this machine using 
iptables -I INPUT -s 66.116.125.131 -j DROP


This doesn't work, so perhaps it's a spoofed IP? *shrugs*

Any help would be appreciated, this is causing a bit of strain on my web 
server. :/


-Will
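
Added example, not from the original post: a shell/awk summary of netstat 
output per remote host and TCP state. Half-open SYN_RECV entries and 
connections that completed the handshake (ESTABLISHED, FIN_WAIT2, 
CLOSE_WAIT) show up as separate buckets, which is the first thing to check 
before deciding what a per-source DROP rule can and cannot address. The 
function names and the SAMPLE lines are constructed for this example.

```shell
#!/bin/sh
# Summarise netstat output per remote host and TCP state, so a pile of
# half-open SYN_RECV entries from one peer can be told apart from
# connections that completed the handshake (ESTABLISHED, FIN_WAIT2, ...).
# Added example; function names and SAMPLE are constructed for it.

# summarize_netstat: stdin = netstat (-t or plain) lines; prints
#   REMOTE_HOST STATE COUNT   sorted by count, highest first.
# Only tcp/tcp6 lines count; the remote port is dropped so every
# connection from a host lands in one bucket (IPv6 works too, since
# the port is always after the last colon).
summarize_netstat() {
    awk '$1 ~ /^tcp6?$/ && NF >= 6 {
             peer = $5; sub(/:[^:]*$/, "", peer)
             count[peer " " $6]++
         }
         END { for (k in count) print k, count[k] }' |
        sort -k3,3nr -k1,1
}

# top_peer STATE: the remote host with the most entries in that state
top_peer() {
    summarize_netstat | awk -v st="$1" '$2 == st { print $1; exit }'
}

# Constructed sample in the layout of the post's netstat output, with
# the columns the archive collapsed put back; 203.0.113.7 stands in for
# a host leaving half-open connections.
SAMPLE='tcp        0      0 192.168.1.240:www   ba.2c.5646.static:34884 FIN_WAIT2
tcp        0      0 192.168.1.240:www   ba.2c.5646.static:33860 FIN_WAIT2
tcp        1      0 192.168.1.240:www   ba.2c.5646.static:44103 CLOSE_WAIT
tcp        0      0 192.168.1.240:www   ba.2c.5646.static:57671 ESTABLISHED
tcp        0      0 192.168.1.240:www   203.0.113.7:51002       SYN_RECV
tcp        0      0 192.168.1.240:www   203.0.113.7:51003       SYN_RECV
tcp        0      0 192.168.1.240:www   203.0.113.7:51004       SYN_RECV
tcp        0      0 192.168.1.240:ssh   198.51.100.5:40001      ESTABLISHED'

# On a live box: netstat -nt | summarize_netstat
printf '%s\n' "$SAMPLE" | summarize_netstat
```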