"Burke, Thomas G." wrote:

> I need to install the errata & updates (which I have already downloaded),
> but I can't remember the command for the graphical RPM tool (Is it glint?)
> (I ask for the graphical, as I am doing everything from remote X)...

gnorpm is the currently distributed graphical rpm front-end. I don't recall
whether or not kpackage is currently distributed, it may be. They both work
well enough, but I find it soooo much simpler to "rpm -Fvh *.i386.rpm" (I
just wish the rpm developers would accept my patch to make rpm -F work right)

> I have been looking at the services & inet.conf files, & it looks like
> there's a gob more stuff in there than there used to be. I plan on
> disabling everything, and then re-enabling the things I want, but maybe this
> is excessive

I don't think so. It sounds just fine to me. You probably shouldn't edit
/etc/services.

> - What I want is samba (internal interface only), apache (all
> interfaces), and some method of telnet and ftp (from all interfaces - I
> understand that neither are secure, so how do I go about fixing this? - What
> are issues I'll need to contend with for ssh?), POP from the internal
> interface, and smtp from all interfaces. I also plan to use this box as a
> masquerading router. Do I really need DNS for this?

You can run a DNS server if you like, with good firewalling rules, you
shouldn't have to worry about it too much.

I've attached my own rc.firewall script, and you should find it easy to use.
You shouldn't need to adjust anything other than the shell variables at the
top of the file. What I like about it is that you can tell it to be paranoid
about a specific (or several specific) device, and it will lock that device
down well. You can then tell it to specifically open ports. For instance, if
your public interface is eth1, you can use:

PARANOID_DEV="eth1"
PARANOIA_ALLOWS_PORTS="21 22 23 25 80"

This will close down everything on eth1, but leave ftp, ssh, telnet (are you
absolutely certain? I wouldn't), SMTP, and http open. Anything else you run
will only be available on your internal, private ethernet interface.

If you can use openssh rather than telnet, do so. You can then use scp for
authenticated file transfers, and only use anonymous ftp. You, then, never
send passwords in plain text. Also, if you can have your mail hosted
somewhere else, and use fetchmail to retrieve it (over spop, hopefully :),
consider it a good option. If not, remove sendmail and use qmail or postfix.

The script I'm sending also provides you a simple way to configure
masquerading through ipchains.

> After I have the machine locked down, I will obviously want to add IPCHAINS
> for the firewall & masq - Where is a good resource for this?

See my script :)

> I also plan on
> installing port sentry (I had this up before) - does anyone know of a way to
> have sentry put locked out machines into the IPCHAINs scripts, so they
> aren't lost after a reboot

Portsentry doesn't mix with closing up ports via ipchains, AFAIK. Portsentry
doesn't ever detect scans because the kernel drops the packets. I'm perfectly
happy with that, since the REJECT'ed packets are logged to syslog (so I get
reports), and there's no need to add firewall rules to block out someone
who's locked out by default. :)

> I also plan on
> installing tripwire onto the system, but the version I have (sorry don't
> remember which) is a little buggy with some filenames... Is there a newer
> version, and where can I get it (sorry, I forgot)?

Look at www.freshmeat.net for all of your Free software needs. A new version
of ViperDB was just released, and I think I like its philosophy above
tripwire's.

> The last thing I would like to do is throw in an automated log checking
> daemon (or some such) so that I don't have to peruse a jillion MBs of logs
> each day... Preferably, this software would notify me by e-mail (random
> account) of anything unusual going on.. What's a good package for this.

I'm still using logwatch, but it takes a lot of configuring if your server is
a busy one. If not, it only takes a little configuring.

Regardless of what you use, I advise that you launch several attacks against
your machine from the outside world. The kind that are going to generate log
entries. Make absolutely certain that your log checker is reporting
EVERYTHING that you want to see.

> I have set up a couple systems in the past, but I have never tried to make
> the box so paranoid as I want to make this new install... (I had never had
> a problem with my installation until I was recently hacked).

Yep, that's always a bitch. Good luck. One more secure host is a safer
internet for all.

MSG
#!/bin/sh
# Source functions
. /etc/rc.d/init.d/functions

#
# <CONFIGURATION>
#
IPCHAINS="/sbin/ipchains"
IPMASQADM="/usr/sbin/ipmasqadm"

#
# The following variables accept space separated lists of items
#
SPOOF_PROTECTION_ON="ALL"
PARANOID_DEV="eth1"
PARANOIA_ALLOWS_PORTS="22 443 993"
PARANOIA_EXTRA_PORTS="2049 3306"

# Prove paranoia:
LOG_DENIED="TRUE"

MASQ_NET="192.168.1.0/24"
FORWARD_NET="192.168.10.0/24"

#
# This is a little weird, but I wanted to provide a simple way to
# do it, so here's the best you get:
# format: local_ip(local_port)-remote_ip(remote_port)
# e.g.:   192.168.0.2(21)-192.168.1.5(21)
#
#PORT_FORWARDS="192.168.0.2(5155)-192.168.1.5(22)"

# To use ALLOW or DENY, the device must be a "PARANOID_DEV"
#ETH1_ALLOW="206.43.48.6()-192.168.0.2(:1024)"
#ETH1_DENY="206.43.48.3()-192.168.0.2()"
#
# </CONFIGURATION>
#

configure_system() {
    # Turn on Source Address Verification and get
    # spoof protection on all current and future interfaces.
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
        if [ "$SPOOF_PROTECTION_ON" = "ALL" ]; then
            echo -n "Setting up IP spoofing protection..."
            for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
                echo 1 > $f
            done
            echo "done"
        fi
    else
        echo "SPOOF PROTECTION NOT AVAILABLE ON THIS SYSTEM."
    fi

    if [ ! -f /proc/sys/net/ipv4/ip_forward ] ; then
        echo "/proc/sys/net/ipv4/ip_forward is missing --" \
             "cannot control IP forwarding" >&2
        return 1
    fi
    if [ 1 != "`cat /proc/sys/net/ipv4/ip_forward`" ]; then
        echo "Routing has not been enabled." >&2
        echo "Please set FORWARD_IPV4=\"yes\" in /etc/sysconfig/network" >&2
        echo "  or use your network configuration tool to enable ip forwarding." >&2
        return 1
    fi

    #
    # Flush the old rules, so that we don't duplicate them.
    # This is important if the rules have changed.
    #
    action "Flushing old firewalling rules" $IPCHAINS -F
    [ -x $IPMASQADM ] && \
        action "Flushing forwarded ports" $IPMASQADM portfw -f

    #
    # Set the default for packet forwarding to REJECT. We only want to
    # forward packets for those in our own network.
    #
    action "Denying packet forwarding by default" \
        $IPCHAINS -P forward REJECT
    action "Extending default timeouts for masqueraded IP connections" \
        $IPCHAINS -M -S 14400 0 0

    # Load all available ip_masq modules
    OLD_DIR="$PWD"
    cd /lib/modules/`uname -r`/ipv4/
    ls ip_masq* | sed 's/\.o$//' | while read masqmod ; do
        action "Loading masquerade module $masqmod " \
            modprobe "$masqmod"
    done
    cd "$OLD_DIR"
}

lock_down_dev() {
    LOG=""
    if [ "$LOG_DENIED" = "TRUE" ]; then
        LOG=" -l "
    fi

    # Reject new connections to every privileged port and to the X11 range.
    action "Disallowing incoming connections on $ARG_PARANOID_DEV" \
        $IPCHAINS -A input -i "$ARG_PARANOID_DEV" -y \
            -p TCP --destination-port :1023 -j REJECT $LOG
    $IPCHAINS -A input -i "$ARG_PARANOID_DEV" \
        -p UDP --destination-port :1023 -j REJECT $LOG
    $IPCHAINS -A input -i "$ARG_PARANOID_DEV" -y \
        -p TCP --destination-port 6000:6010 -j REJECT $LOG
    $IPCHAINS -A input -i "$ARG_PARANOID_DEV" \
        -p UDP --destination-port 6000:6010 -j REJECT $LOG

    [ -n "$PARANOIA_EXTRA_PORTS" ] && for PORTS in $PARANOIA_EXTRA_PORTS; do
        action "  including extra port $PORTS" \
            $IPCHAINS -A input -i "$ARG_PARANOID_DEV" -y \
                -p TCP --destination-port "$PORTS" -j REJECT $LOG
        $IPCHAINS -A input -i "$ARG_PARANOID_DEV" \
            -p UDP --destination-port "$PORTS" -j REJECT $LOG
    done

    # Allowed ports are inserted at the head of the chain so that they
    # are matched before the REJECT rules appended above.
    [ -n "$PARANOIA_ALLOWS_PORTS" ] && for PORTS in $PARANOIA_ALLOWS_PORTS; do
        action "  except for port $PORTS" \
            $IPCHAINS -I input 1 -i "$ARG_PARANOID_DEV" -y \
                -p TCP --destination-port "$PORTS" -j ACCEPT
        $IPCHAINS -I input 1 -i "$ARG_PARANOID_DEV" \
            -p UDP --destination-port "$PORTS" -j ACCEPT
    done

    # SPOOF_PROTECTION_ON is a list, so it must not be quoted here or the
    # loop would see the whole list as one device name.  The write to
    # rp_filter is wrapped in sh -c so that only "1" reaches the file
    # (a bare redirection would also send action's own messages there).
    [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] && for DEV in $SPOOF_PROTECTION_ON; do
        [ "$DEV" = "$ARG_PARANOID_DEV" ] && \
            action "Setting up IP spoofing protection on $ARG_PARANOID_DEV" \
                sh -c "echo 1 > /proc/sys/net/ipv4/conf/$ARG_PARANOID_DEV/rp_filter"
    done

    # Per-device ALLOW/DENY lists are named after the device in upper case,
    # e.g. ETH1_ALLOW / ETH1_DENY.
    UP_DEV=`echo "$ARG_PARANOID_DEV" | tr '[a-z]' '[A-Z]'`

    eval "DEV_DENY=\$${UP_DEV}_DENY"
    [ -n "$DEV_DENY" ] && for DENY in $DEV_DENY; do
        LOCAL_DENY=`echo $DENY | cut -f2 -d-`
        REMOTE_DENY=`echo $DENY | cut -f1 -d-`
        LOCAL_IP=`echo $LOCAL_DENY | sed "s/(.*)//g"`
        LOCAL_PORT=`echo $LOCAL_DENY | sed "s/.*(\|)//g"`
        REMOTE_IP=`echo $REMOTE_DENY | sed "s/(.*)//g"`
        REMOTE_PORT=`echo $REMOTE_DENY | sed "s/.*(\|)//g"`
        action "  removing access from $REMOTE_IP $REMOTE_PORT to $LOCAL_IP $LOCAL_PORT" \
            $IPCHAINS -I input 1 -i "$ARG_PARANOID_DEV" -y \
                -p TCP -s $REMOTE_IP $REMOTE_PORT -d $LOCAL_IP $LOCAL_PORT -j REJECT $LOG
        $IPCHAINS -I input 1 -i "$ARG_PARANOID_DEV" \
            -p UDP -s $REMOTE_IP $REMOTE_PORT -d $LOCAL_IP $LOCAL_PORT -j REJECT $LOG
    done

    eval "DEV_ALLOW=\$${UP_DEV}_ALLOW"
    [ -n "$DEV_ALLOW" ] && for ALLOW in $DEV_ALLOW; do
        LOCAL_ALLOW=`echo $ALLOW | cut -f2 -d-`
        REMOTE_ALLOW=`echo $ALLOW | cut -f1 -d-`
        LOCAL_IP=`echo $LOCAL_ALLOW | sed "s/(.*)//g"`
        LOCAL_PORT=`echo $LOCAL_ALLOW | sed "s/.*(\|)//g"`
        REMOTE_IP=`echo $REMOTE_ALLOW | sed "s/(.*)//g"`
        REMOTE_PORT=`echo $REMOTE_ALLOW | sed "s/.*(\|)//g"`
        action "  allowing $REMOTE_IP $REMOTE_PORT to access $LOCAL_IP $LOCAL_PORT" \
            $IPCHAINS -I input 1 -i "$ARG_PARANOID_DEV" -y \
                -p TCP -s $REMOTE_IP $REMOTE_PORT -d $LOCAL_IP $LOCAL_PORT -j ACCEPT
        $IPCHAINS -I input 1 -i "$ARG_PARANOID_DEV" \
            -p UDP -s $REMOTE_IP $REMOTE_PORT -d $LOCAL_IP $LOCAL_PORT -j ACCEPT
    done
}

masq_network() {
    action "Activating masquerading for network $ARG_MASQ_NET" \
        $IPCHAINS -A forward -s $ARG_MASQ_NET -d 0/0 -j MASQ
}

forward_network() {
    action "Allowing network $ARG_FWD_NET to be forwarded" \
        $IPCHAINS -A forward -b -s $ARG_FWD_NET -d 0/0 -j ACCEPT
}

do_port_forward() {
    [ ! -x $IPMASQADM ] && {
        echo "Please install ipmasqadm for port forwarding" >&2
        return 1
    }
    LOCAL_F=`echo $ARG_PORT_FORWARD | cut -f1 -d-`
    REMOTE_F=`echo $ARG_PORT_FORWARD | cut -f2 -d-`
    LOCAL_IP=`echo $LOCAL_F | sed "s/(.*)//g"`
    LOCAL_PORT=`echo $LOCAL_F | sed "s/.*(\|)//g"`
    REMOTE_IP=`echo $REMOTE_F | sed "s/(.*)//g"`
    REMOTE_PORT=`echo $REMOTE_F | sed "s/.*(\|)//g"`
    action "Forwarding $LOCAL_F to $REMOTE_F" \
        $IPMASQADM portfw -a -P tcp \
            -L "$LOCAL_IP" "$LOCAL_PORT" -R "$REMOTE_IP" "$REMOTE_PORT"
}

#-----------------------

# Stop here if routing is not enabled; otherwise the old rules are never
# flushed and every run below would append duplicates.
configure_system || exit 1

[ -n "$PARANOID_DEV" ] && for PD in $PARANOID_DEV; do
    ARG_PARANOID_DEV="$PD"
    lock_down_dev
done

[ -n "$MASQ_NET" ] && for MN in $MASQ_NET; do
    ARG_MASQ_NET=$MN
    masq_network
done

[ -n "$FORWARD_NET" ] && for FN in $FORWARD_NET; do
    ARG_FWD_NET=$FN
    forward_network
done

[ -n "$PORT_FORWARDS" ] && for PF in $PORT_FORWARDS ; do
    ARG_PORT_FORWARD=$PF
    do_port_forward
done

# Port sentry:
if ( ! /sbin/pidof portsentry > /dev/null ); then
    if [ -x /usr/local/psionic/portsentry/portsentry ]; then
        action "Starting portsentry watching tcp" \
            /usr/local/psionic/portsentry/portsentry -atcp
        action "Starting portsentry watching udp" \
            /usr/local/psionic/portsentry/portsentry -audp
    fi
fi
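The reply says the REJECT'ed packets on the paranoid device are logged to syslog (the -l flag set by LOG_DENIED) and that the log checker should be verified to report everything. The following is an added example, not part of the mail or the rc.firewall script, that summarises such ipchains log entries and flags sources hitting many ports; the sample lines are constructed in the "Packet log:" format and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original mail or its rc.firewall): summarise
# ipchains "-l" log entries by source, protocol and destination port, so the
# log checker's reports can be sanity-checked against what the kernel logged.
# The lines below are constructed to match the ipchains syslog format:
#   Packet log: <chain> <target> <dev> PROTO=<n> <src>:<sport> <dst>:<dport> ...
SAMPLE_LOG='Jan  5 03:12:07 gw kernel: Packet log: input REJECT eth1 PROTO=6 10.0.0.9:4123 198.51.100.2:23 L=60 S=0x00 I=1 F=0x4000 T=50 SYN (#3)
Jan  5 03:12:08 gw kernel: Packet log: input REJECT eth1 PROTO=6 10.0.0.9:4124 198.51.100.2:23 L=60 S=0x00 I=2 F=0x4000 T=50 SYN (#3)
Jan  5 03:12:09 gw kernel: Packet log: input REJECT eth1 PROTO=17 10.0.0.9:5000 198.51.100.2:111 L=40 S=0x00 I=3 F=0x0000 T=50 (#4)
Jan  5 03:13:00 gw kernel: Packet log: input REJECT eth1 PROTO=6 203.0.113.7:33000 198.51.100.2:22 L=60 S=0x00 I=4 F=0x4000 T=60 SYN (#3)
Jan  5 03:13:01 gw sshd[412]: Accepted publickey for admin from 203.0.113.7 port 33001'

# Print "count src proto dport" for each (src, proto, dport) seen in
# REJECT/DENY entries, most frequent first. Non-firewall lines are ignored.
summarize_rejects() {
    printf '%s\n' "$1" |
    awk '
        /Packet log:/ && ($0 ~ / REJECT / || $0 ~ / DENY /) {
            # locate the PROTO= token; src:sport and dst:dport follow it
            for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
            proto = substr($i, 7)
            split($(i + 1), s, ":"); split($(i + 2), d, ":")
            key = s[1] " " proto " " d[2]
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Print sources that were rejected on more than $2 distinct (proto, port)
# targets: the pattern a port scan leaves behind when the kernel drops it.
scanners() {
    summarize_rejects "$1" | awk -v thr="$2" '
        { targets[$2]++ }
        END { for (src in targets) if (targets[src] > thr) print src }
    ' | sort
}

summarize_rejects "$SAMPLE_LOG"
scanners "$SAMPLE_LOG" 1
```

Feed it the real kernel log (e.g. grep "Packet log:" /var/log/messages) and compare the output against the daily report to confirm nothing is dropped.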