====== Hardening on CentOS ======

===== Updates =====

How many security notices, bugfix notices, and enhancement notices are available for your machine?
<code bash>
yum updateinfo
</code>
How many security-related package updates are available for your machine?
<code bash>
yum --security list updates
</code>
On CentOS 6 both commands need the ''yum-plugin-security'' package (on CentOS 7 the function is built into yum), and ''yum --security update'' installs only those updates. Note that the CentOS repositories themselves have historically not shipped the ''updateinfo'' metadata these commands rely on, so on a stock CentOS system they report nothing; they work against repositories that provide it (Red Hat, EPEL, or mirrors that add it), and without it the only safe option is a full ''yum update''.

===== Mount options =====

The ''nodev'' mount option **prevents special files on that filesystem from being interpreted as character or block devices**. The only place legitimate device nodes should exist is below ''/dev'' on the root partition, or inside chroot jails built for system services. A device node a user can create on ''/tmp'' or on a USB stick is otherwise a handle to raw disks, memory or terminals.

The ''noexec'' mount option prevents the direct execution of binaries on the mounted filesystem. Users should **not be allowed to execute binaries** that live in temporary areas or on partitions mounted from removable media (such as a USB key); this stops a whole class of drop-and-run malware. Know the limit of this control: ''noexec'' blocks ''execve()'' of files on that filesystem, but an interpreter can still read and run a script from there (''sh /tmp/x.sh''), so it is a line of defense, not a boundary.

The ''nosuid'' mount option prevents **set-user-ID (setUID) and set-group-ID (setGID) bits from taking their normal effect**. These bits let a user execute a binary and inherit the privileges of the executable's owner or group. Do not permit users to introduce setUID and setGID files into the system from removable media partitions. Strictly speaking ''nosuid'' adds nothing while ''noexec'' is in effect on the same filesystem, but set it anyway: it costs nothing and still protects if ''noexec'' is later relaxed.

An ''/etc/fstab'' entry with all three options active:
<code>
<device> /<mountpoint> <filesystem> nosuid,noexec,nodev 1 2
</code>
Typical candidates are ''/tmp'', ''/var/tmp'', ''/dev/shm'' and ''/home''. Check the live state with ''mount'' or ''findmnt'' rather than trusting ''/etc/fstab'' alone, because a remount or a bind mount can change it.

===== Filesystem encryption =====

Using ''cryptsetup'' (LUKS), you can encrypt partitions and/or logical volumes.
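Before the encryption steps, an added check for the mount options section above (this is example code written for this page, not part of the original): it audits fstab-format text for the ''nodev'', ''nosuid'' and ''noexec'' options. The policy table in ''expected_opts()'', the sample fstab and the mount point names are assumptions; on a real host feed it ''/etc/fstab'' and, separately, the output of ''findmnt'' to catch remounts the text check cannot see.

```sh
#!/bin/sh
# Added example, not part of the original page: audit fstab-format text for
# the nodev/nosuid/noexec options described in the mount options section.
# POSIX sh + sed only, so it runs offline; on a real host run
#   audit_fstab < /etc/fstab
# The policy in expected_opts() is an assumption, adjust it to your baseline.

# expected_opts MOUNTPOINT -> space-separated options that must be present
expected_opts() {
    case "$1" in
        /tmp|/var/tmp|/dev/shm) echo "nodev nosuid noexec" ;;
        /home)                  echo "nodev nosuid" ;;
        /media/*|/mnt/*)        echo "nodev nosuid noexec" ;;   # removable media
        *)                      echo "" ;;
    esac
}

# has_opt OPTS NAME -> true if NAME appears in the comma-separated OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab < fstab-text
# Prints "<mountpoint> missing <option>" per finding; returns 0 when the
# text satisfies the policy and 1 when at least one option is missing.
audit_fstab() {
    findings=$(
        # drop comments and blank lines, then read the standard six fields
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
        while read -r dev mnt fstype opts dump pass; do
            [ "$fstype" = "swap" ] && continue
            for want in $(expected_opts "$mnt"); do
                has_opt "$opts" "$want" || echo "$mnt missing $want"
            done
        done
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Constructed sample (not a real host's fstab): /tmp lacks noexec, /dev/shm is
# mounted with plain defaults, /home and /data are fine.
SAMPLE_FSTAB='# /etc/fstab (constructed sample)
/dev/mapper/vg-root  /         ext4   defaults                  1 1
/dev/mapper/vg-tmp   /tmp      ext4   defaults,nodev,nosuid     1 2
tmpfs                /dev/shm  tmpfs  defaults                  0 0
/dev/mapper/vg-home  /home     ext4   defaults,nodev,nosuid     1 2
/dev/mapper/vg-data  /data     ext4   defaults                  1 2
/dev/mapper/vg-swap  swap      swap   defaults                  0 0
'

# sample_findings -> the findings for the constructed fstab
sample_findings() {
    printf '%s' "$SAMPLE_FSTAB" | audit_fstab
}

# Run against the sample when executed directly
sample_findings || echo "policy violations found"
```

The check deliberately ignores swap lines and anything not in the policy table, so a hit is always actionable; extend ''expected_opts()'' with your own data partitions.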
  * Format the partition or logical volume for encryption (this destroys the data on it):
<code bash>
cryptsetup luksFormat /dev/<device>
</code>
  * Open the encrypted device; it then appears as ''/dev/mapper/<name>'':
<code bash>
cryptsetup luksOpen /dev/<device> <name>
</code>
  * Create the filesystem on the opened mapping, never on the raw device:
<code bash>
mkfs -t ext4 /dev/mapper/<name>
</code>
  * For unattended mounting, you can add a key file as an additional key slot (the passphrase chosen at ''luksFormat'' stays valid). Keep the file readable by root only:
<code bash>
dd if=/dev/urandom of=<key file> bs=4096 count=1
chmod 0600 <key file>
cryptsetup luksAddKey /dev/<device> <key file>
</code>
  * Add the encrypted device to ''/etc/crypttab'' so it is opened at boot (fields: mapping name, device, key file):
<code bash>
<name> /dev/<device> <key file>
</code>
  * ''/etc/fstab'' then mounts the mapping, not the raw device:
<code bash>
/dev/mapper/<name> /<mountpoint> ext4 defaults 1 2
</code>

**Note:** A key file stored on an unencrypted root filesystem only protects the data volume if that volume is removed from the machine on its own; anyone holding the whole disk also holds the key. Use a key file for data volumes under an encrypted root, or keep the key on separate media.

===== Change attributes =====

On ext2, ext3 and ext4 filesystems the ''chattr'' and ''lsattr'' commands change and list file attributes. For hardening the interesting ones are ''i'' (immutable) for files that must not change, such as critical configuration, and ''a'' (append-only) for log files. Both need ''CAP_LINUX_IMMUTABLE'', which root has, so they guard against mistakes and unprivileged tampering and act as a tripwire; they are not a barrier against a root-level attacker, who can simply clear the flag.

Example commands:
  * To add an attribute
<code bash>
chattr +i <file>
</code>
  * To remove an attribute
<code bash>
chattr -i <file>
</code>

==== Attributes ====

^ Attribute ^ Meaning ^
| ''A'' | The access time of a file with this attribute is not updated. |
| ''a'' | The file can only be opened for writing in append mode: content can be added but not deleted or overwritten. Only root (''CAP_LINUX_IMMUTABLE'') can set or clear this attribute. |
| ''c'' | The kernel stores the file compressed on disk and decompresses it transparently when it is read. Not implemented by the ext2, ext3 or ext4 [[https://wiki.ubuntuusers.de/Dateisystem/|filesystems]]. |
| ''D'' | Changes to a directory with this attribute are written to disk synchronously. |
| ''d'' | The file is ignored by the ''dump'' program. |
| ''E'' | Cannot be set. Indicates that a kernel-compressed file has a compression error. |
| ''I'' | Cannot be set. Indicates that a directory is indexed using hashed trees. |
| ''i'' | The file is immutable: it cannot be deleted, renamed or modified, and no hard link can be created to it. Symbolic links to it are still possible. Only root (''CAP_LINUX_IMMUTABLE'') can set or clear this attribute. |
| ''j'' | All of the file's data is written to the journal before being written to the file itself. Only affects ext3/ext4 in ''ordered'' or ''writeback'' journalling mode. Only root can set or clear this attribute. |
| ''s'' | When the file is deleted, its blocks on disk are overwritten with zeros. Not implemented by ext2, ext3 or ext4. |
| ''S'' | Changes to a file with this attribute are written to disk synchronously. |
| ''T'' | A directory with this attribute is treated by the [[http://en.wikipedia.org/wiki/Orlov_block_allocator|Orlov block allocator]] as if it were the top of a directory hierarchy, which speeds up access to it. |
| ''t'' | The file will not share its last block with another file (no tail-merging). Not implemented by ext2, ext3 or ext4, which do not support tail-merging outside experimental patches. |
| ''u'' | When the file is deleted, its contents are kept so that a user can undelete it later. Not implemented by ext2, ext3 or ext4. |
| ''X'' | Cannot be set. Indicates that the raw contents of a kernel-compressed file can be read directly. |
| ''Z'' | Cannot be set. Indicates that a kernel-compressed file is dirty. |

==== Parameters ====

^ Parameter ^ Meaning ^
| ''-R'' | Apply the attribute change recursively to a directory, all its subdirectories and files. |
| ''-V'' | Verbose mode: print more information while setting attributes. |

===== Managing ACLs =====

**Important:** Before granting access with ACLs, make sure the classic mode bits already deny everybody except ''root'' so that the ACL entries, and nothing else, define who gets in. The filesystem must also be mounted with the ''acl'' option (check ''mount'' or ''tune2fs -l <device>''; modern ext4 filesystems carry it as a default mount option):
<code bash>
chmod 0770 /<folder>
chown root:root /<folder>
</code>

  * Grant read/write/execute permission to user ''dani'' (once an ACL is present, ''ls -l'' shows a ''+'' after the mode)
<code bash>
setfacl -m u:dani:rwx /opt/test
getfacl /opt/test/
# file: opt/test/
# owner: root
# group: root
user::rwx
user:dani:rwx
group::r-x
mask::rwx
other::r-x
</code>
  * Set the permission of the file's **owning group** (''root'' here); ''g::'' with no name addresses the owning group, equivalent to ''chmod g=rx''
<code bash>
setfacl -m g::rx /opt/test
getfacl /opt/test/
# file: opt/test/
# owner: root
# group: root
user::rwx
user:dani:rwx
group::r-x
mask::rwx
other::r-x
</code>
  * Grant read/execute permission to the named group ''wheel''
<code bash>
setfacl -m g:wheel:rx /opt/test
getfacl /opt/test/
# file: opt/test/
# owner: root
# group: root
user::rwx
user:dani:rwx
group::r-x
group:wheel:r-x
mask::rwx
other::r-x
</code>
  * Remove the entry for group ''wheel'' again (''-x'' takes the entry without permissions)
<code bash>
setfacl -x g:wheel /opt/test
getfacl /opt/test/
getfacl: Removing leading '/' from absolute path names
# file: opt/test/
# owner: root
# group: root
user::rwx
user:dani:rwx
group::r-x
mask::rwx
other::r-x
</code>
  * Change the classic "**others**" permission through the ACL interface (equivalent to ''chmod o=r'')
<code bash>
setfacl -m o::r /opt/test
getfacl /opt/test/
getfacl: Removing leading '/' from absolute path names
# file: opt/test/
# owner: root
# group: root
user::rwx
user:dani:rwx
group::r-x
mask::rwx
other::r--
</code>
  * Grant user ''dani'' read/write/execute permission on files and subdirectories that are created in this directory from now on (a **default** ACL; it does not touch entries that already exist)
<code bash>
setfacl -m d:u:dani:rwx <directory>
getfacl <directory>
# file: .
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:dani:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
</code>

**Note:** The ''mask'' entry caps the effective rights of every named user, every named group and the owning group; ''getfacl'' prints ''#effective:'' next to entries it reduces. A later ''chmod'' on the group bits rewrites the mask, so ''chmod g-w'' silently takes write away from ''user:dani'' as well. Run ''getfacl'' after every ''chmod'' on ACL-protected paths.

===== Managing Accounts =====

==== Password ====

Password and account ageing are stored per user in ''/etc/shadow'' and changed with the ''chage'' tool (the defaults for newly created users come from ''/etc/login.defs''). The next picture shows how the ''chage'' options map to the ''shadow'' fields:

{{:images:users.png?direct&600|User management}}

==== PAM Modules ====

PAM modules usually live in ''/usr/lib64/security''. To list the available modules and their manual pages, use ''man -k pam''.
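For the ACL section above, an added example (written for this page, not taken from it): it applies the mask rule to a ''getfacl'' listing and answers the audit question "who can actually write here?". The two listings are constructed for the example, not captured from a system, and model the state after a ''chmod g-w'' on an ACL-protected directory; on a real host pipe ''getfacl <path>'' into ''effective_writers''.

```sh
#!/bin/sh
# Added example, not part of the original page: apply the ACL mask rule to a
# getfacl(1) listing and list every principal that ends up with write access.
# Pure sh + awk, runs offline; on a real host: getfacl /path | effective_writers

# effective_writers < getfacl-text
# Prints one principal per line that keeps write permission after the mask
# is applied: owner (from "# owner:"), named users, the owning group (from
# "# group:"), named groups and "other". Only access entries count;
# default:* entries shape future files, not this object.
effective_writers() {
    awk '
        # and3(p, m): bitwise AND of two rwx triples, e.g. and3("rwx","r-x") = "r-x"
        function and3(p, m,   i, out, c) {
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(p, i, 1)
                out = out ((c != "-" && c == substr(m, i, 1)) ? c : "-")
            }
            return out
        }
        /^# owner: / { owner = $3; next }
        /^# group: / { ogroup = $3; next }
        /^#/ || /^$/ || /^default:/ { next }     # comments, blanks, default ACL
        /^mask::/ { mask = substr($0, 7); next }
        { entries[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                split(entries[i], f, ":")
                tag = f[1]; who = f[2]; perms = f[3]
                # the mask caps named users, named groups and the owning group;
                # the owner entry and "other" are never masked
                masked = (tag == "group") || (tag == "user" && who != "")
                if (masked && mask != "") perms = and3(perms, mask)
                if (perms !~ /w/) continue
                if (tag == "user")  print (who == "" ? ("user:" owner " (owner)") : ("user:" who))
                if (tag == "group") print (who == "" ? ("group:" ogroup " (owning group)") : ("group:" who))
                if (tag == "other") print "other (everyone)"
            }
        }'
}

# Constructed listing 1: after `setfacl -m u:dani:rwx,g:wheel:rwx` a later
# `chmod g-w` rewrote the mask to r-x, so the named entries lost write.
ACL_AFTER_CHMOD='# file: opt/test
# owner: root
# group: root
user::rwx
user:dani:rwx
group::r-x
group:wheel:rwx
mask::r-x
other::---
default:user::rwx
default:user:dani:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
'
# Constructed listing 2: the same entries with the mask restored (setfacl -m m::rwx)
ACL_MASK_RESTORED=$(printf '%s' "$ACL_AFTER_CHMOD" | sed 's/^mask::r-x$/mask::rwx/')

writers_after_chmod()   { printf '%s' "$ACL_AFTER_CHMOD"   | effective_writers; }
writers_mask_restored() { printf '%s' "$ACL_MASK_RESTORED" | effective_writers; }

echo "writers after chmod g-w:"; writers_after_chmod
echo "writers with mask rwx:";   writers_mask_restored
```

With the mask at ''r-x'' only the owner can write, although ''user:dani:rwx'' and ''group:wheel:rwx'' still appear in the listing; restoring the mask brings both back. That is the difference between what an ACL says and what it grants, and it is why the note above asks for a ''getfacl'' after every ''chmod''.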
**Important:** Whenever you change the PAM configuration, keep your current root shell open and test logins from a **new** terminal session; if the new session no longer authenticates, you can still revert the change from the old one.

Example PAM configuration of the SSH daemon (CentOS 7 style), ''/etc/pam.d/sshd'':
<code>
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
</code>

Note that ''sshd'' pulls in ''password-auth'', not ''system-auth''; rules that must apply to SSH logins (for example the failed-login lockout below) have to be present in both files.

Example ''/etc/pam.d/system-auth'' (CentOS 6 style: the UID boundary for system accounts is 500 and the password quality module is ''pam_cracklib''; CentOS 7 uses 1000 and ''pam_pwquality''):
<code>
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
</code>

Two hardening notes on this default: ''nullok'' on ''pam_unix.so'' lets accounts with an empty password field log in, so remove it (and re-check after every ''authconfig'' run, since the header says the file is regenerated). ''sha512'' is what keeps the hashes in ''/etc/shadow'' salted SHA-512 instead of MD5; keep it.

The PAM types:

^ Type ^ Description ^
| **auth** | Rules checked when someone authenticates to this application. A user must pass them to prove their identity (password, fingerprint, token, and so on). |
| **account** | Rules that verify properties of the account rather than the identity: expiry, ''/etc/nologin'', time or host restrictions, lockout counters. |
| **password** | Rules applied when a user changes their password through this application (quality checks, hashing, history). They play no part in authenticating to the application. |
| **session** | Rules that set up and tear down the session: logging, SELinux context, resource limits, device or console ownership, home directory creation, etc. |

The control keywords:

^ Control ^ Description ^
| **required** | The module must succeed. If it fails, the overall result of the stack is failure, but the remaining rules of this type are still executed (so the prompt sequence does not reveal which rule failed). |
| **requisite** | Like ''required'', but a failure stops the stack immediately and returns failure to the application. |
| **sufficient** | If the module succeeds and no earlier ''required'' module has failed, the stack returns success at once and the remaining rules of this type are skipped. A failure is ignored and the remaining rules decide. |
| **optional** | The result only matters when this is the only module in the stack for this type; otherwise it is ignored. |
| **include** | Inline all rules of the same type from the named file; their results count as if they were written here. |
| **substack** | Like ''include'', but a ''done''/''die'' action inside the substack only skips the rest of the substack, not the rest of the caller's stack (this is why ''sshd'' uses ''substack password-auth'' for ''auth''). |

==== PAM cracklib ====

^ Argument ^ Description ^
| **minlen** | The minimum length score a password must reach. By default every character contributes one to the score, and with the ''*credit'' options a character class can contribute extra, so that fewer actual characters meet the same ''minlen''. |
| **lcredit** | Maximum credit lower-case characters add to the length score (each such character counts +1, up to this value). If set to a **negative number**, it instead denotes the minimum number of lower-case characters an acceptable password must contain. |
| **ucredit** | The same for upper-case characters. |
| **dcredit** | The same for digits. |
| **ocredit** | The same for other characters: symbols and everything that is not lower case, upper case or a digit. |
| **minclass** | The minimum number of different character classes (lower case, upper case, digit, other) that must be present in a proposed password. |

Positive credits weaken ''minlen''; for a policy that is easy to reason about, use negative values (''minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1'' means at least twelve characters and at least one of each class). ''pam_cracklib'' additionally runs the ''cracklib'' dictionary check and rejects passwords that are too similar to the old one.

==== Login messages ====

There are two different places for a message shown around login:

^ Configuration ^ Description ^
| ''/etc/motd'' | Shown after a successful login (SSH, console or X). |
| ''/etc/issue'' | Shown on the console **before** login. A legal banner belongs here; for SSH, point the ''Banner'' directive in ''/etc/ssh/sshd_config'' at a file, because ''/etc/issue'' is not sent over the network. |

==== Lock Accounts with Failed Logins ====

Using the **pam_tally2** module, you can lock an account after a number of failed logins. To activate it, edit both ''/etc/pam.d/system-auth'' and ''/etc/pam.d/password-auth'' (SSH uses the latter) and add the two lines containing ''pam_tally2.so'' as shown. The ''auth'' line must come **before** ''pam_unix.so'' so that every attempt is counted:
<code>
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 unlock_time=180 quiet
...
account     required      pam_tally2.so
account     required      pam_unix.so
...
</code>
''deny=3'' locks after three failures, ''unlock_time=180'' unlocks automatically after 180 seconds. Without ''even_deny_root'' the root account is never locked; with it, remember the warning above about keeping a session open. To show the counters of all users, run the ''pam_tally2'' command without arguments. To unlock a user, reset the counter:
<code>
pam_tally2 --reset -u student
</code>
Newer releases replace ''pam_tally2'' with ''pam_faillock'', which has the same role (''faillock --user <user> --reset'' to unlock).

==== X Windows ====

Looking at ''/etc/gconf/schemas/gdm-simple-greeter.schemas'', one may notice a schema with the key ''/schemas/apps/gdm/simple-greeter/disable_restart_buttons''.
Below is a copy of the schema from a sample Red Hat Enterprise Linux system:
<code xml>
<schema>
  <key>/schemas/apps/gdm/simple-greeter/disable_restart_buttons</key>
  <applyto>/apps/gdm/simple-greeter/disable_restart_buttons</applyto>
  <owner>gdm-simple-greeter</owner>
  <type>bool</type>
  <default>FALSE</default>
  <gettext_domain>gdm</gettext_domain>
  <locale name="C">
    <short>Disable showing the restart buttons</short>
    <long>Set to true to disable showing the restart buttons in the login window.</long>
  </locale>
</schema>
</code>
From this schema definition an administrator can gather the items needed for a **gconftool-2** command that updates the back-end **gconf** database with a change to this setting:
  * **applyto**: ''/apps/gdm/simple-greeter/disable_restart_buttons'' (the key to set: the ''key'' path without the ''/schemas'' prefix)
  * **type**: ''bool''
  * **default**: ''FALSE''

Using ''gconftool-2'', you can change the behaviour of the GNOME desktop. Here is an example of how to enable a message before the user logs in to the window system:
  * Get the ''banner_message'' configuration settings from the schema XML file
<code bash>
grep -A8 -B2 -P 'banner_message_(text|enable)<' /etc/gconf/schemas/gdm-simple-greeter.schemas
</code>
<code xml>
<schema>
  <key>/schemas/apps/gdm/simple-greeter/banner_message_enable</key>
  <applyto>/apps/gdm/simple-greeter/banner_message_enable</applyto>
  <owner>gdm-simple-greeter</owner>
  <type>bool</type>
  <default>false</default>
  <gettext_domain>gdm</gettext_domain>
  <locale name="C">
    <short>Enable showing the banner message</short>
    <long>Set to true to show the banner message text.</long>
  </locale>
</schema>
<schema>
  <key>/schemas/apps/gdm/simple-greeter/banner_message_text</key>
  <applyto>/apps/gdm/simple-greeter/banner_message_text</applyto>
  <owner>gdm-simple-greeter</owner>
  <type>string</type>
  <default></default>
  <gettext_domain>gdm</gettext_domain>
  <locale name="C">
    <short>Banner message text</short>
    <long>Text banner message to show on the login window.</long>
  </locale>
</schema>
</code>
**Note:** Read the values from **applyto**, **type** and **default**.
  * Now overwrite the default configuration to enable the greeting banner
<code shell>
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults --type bool --set /apps/gdm/simple-greeter/banner_message_enable true
</code>
  * The same for the banner message text
<code shell>
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults --type string --set /apps/gdm/simple-greeter/banner_message_text "$(cat login_banner.txt)"
</code>
**Important:** A key listed as ''/schemas/apps/…'' in the schema file is set as ''/apps/…'' (the ''applyto'' value).

**Note:** The config source (''--config-source'') must start with ''xml:readwrite:''. Writing to ''gconf.xml.defaults'' changes the default for every user but users can still override it; to make the banner unchangeable, write to ''/etc/gconf/gconf.xml.mandatory'' instead.

===== Aide =====

AIDE ([[http://aide.sourceforge.net/|Advanced Intrusion Detection Environment]]) is a host-based file integrity checker: it records a baseline of hashes, permissions, owners and inode data for the files and directories you select and later reports what changed. Setup:
  * Initialize the AIDE database. ''aide --init'' writes it to ''/var/lib/aide/aide.db.new.gz'' (configurable), while ''aide --check'' compares against ''/var/lib/aide/aide.db.gz'', so the new database has to be renamed into place:
<code shell>
cp /etc/aide.conf /etc/aide.conf.orig
# delete unwanted entries in the config first!
aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide --check
</code>
  * Config file of AIDE: ''/etc/aide.conf''

A baseline is only as trustworthy as its storage: an attacker with root can re-run ''aide --init'' (or edit ''aide.conf'') after making changes, so keep a copy of the database and the ''aide'' binary on read-only or off-host media, run ''aide --check'' from cron and ship the report off the box. After every legitimate change (package update, config edit) refresh the baseline with ''aide --update'' and move the new database into place the same way, otherwise the next check drowns in expected noise.

===== IPA integration =====

==== Server setup ====

  * Prepare the server for the ''ipa-server'' package installation: static network configuration (NetworkManager off), a resolvable FQDN in ''/etc/hosts'' and a current SELinux policy
<code bash>
chkconfig NetworkManager off; service NetworkManager stop
...
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
HWADDR="52:54:00:00:00:FA"
IPV6INIT="yes"
MTU="1500"
NM_CONTROLLED="no"
ONBOOT="yes"
TYPE="Ethernet"
UUID="383d9eaa-ac8a-43ff-96d9-fe76e9200877"
IPADDR=192.168.0.101
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
DNS1=192.168.0.254

vim /etc/hosts
127.0.0.1       localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
192.168.0.X+100 serverX.example.com serverX

chkconfig network on; service network restart
yum -y update selinux-policy-targeted
</code>
  * Install the package
<code bash>
yum -y install ipa-server
</code>
  * Configure the IPA server (''-p'' is the Directory Manager password, ''-a'' the ''admin'' password; ''redhat13'' is the lab value used here, note yours!)
<code bash>
ipa-server-install --hostname=serverX.example.com -n example.com -r EXAMPLE.COM -p redhat13 -a redhat13 --no-ntp --idstart=630000000 -U
</code>
  * Restart ''sshd'' on the server
  * Obtain a Kerberos ticket as the ''admin'' user with ''kinit'' (afterwards ''ipa user-find admin'' should list the user)
<code bash>
kinit admin
Password for admin@EXAMPLE.COM: redhat13
ipa user-find admin
</code>

==== Client setup ====

  * Install the IPA client binaries
<code bash>
yum -y install ipa-client ipa-admintools
</code>
  * Configure and enrol the client (''--mkhomedir'' is very important, otherwise IPA users log in without a home directory)
<code bash>
ipa-client-install --domain=example.com --server=serverX.example.com --realm=EXAMPLE.COM -p admin -w redhat13 --mkhomedir -U
</code>
  * Check that the client resolves IPA users and groups, then get a ticket as ''admin''
<code bash>
getent passwd admin
getent group admins
kinit admin
</code>
  * Add users
<code bash>
ipa user-add gpyle --first=Gomer --last=Pyle --password
ipa user-add cboyle --first=Charles --last=Boyle --password
...
</code>
  * Add groups
<code bash>
ipa group-add marines --desc=Marines
</code>
  * Add users to the group
<code bash>
ipa group-add-member marines --users=gpyle,cboyle,vcarter
</code>
  * Create the sudo rules (on the server!)
<code bash>
ipa sudocmd-add --desc "For displaying logs" /usr/bin/tail
ipa sudocmdgroup-add --desc "List logs" loglist
ipa sudocmdgroup-add-member --sudocmds "/usr/bin/tail" loglist
ipa sudorule-add --hostcat "all" loglist-attr
ipa sudorule-add-option loglist-attr
Sudo Option: !authenticate
ipa sudorule-add-user --groups marines loglist-attr
ipa sudorule-add-allow-command --sudocmdgroups loglist loglist-attr
</code>
The ''!authenticate'' option lets members of ''marines'' run ''/usr/bin/tail'' on every host without re-entering their password; leave it out if you want the password prompt.
  * Set a password for the ''sudo'' system account (''uid=sudo,cn=sysaccounts,cn=etc,...''). This is the bind account the sudo LDAP client uses to read the rules, not a login user
<code bash>
ldappasswd -Y GSSAPI -S -h serverX.example.com uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
</code>
  * On the clients, configure the sudo LDAP lookup: add the following line to ''/etc/nsswitch.conf'' and put the server URI, the search base and the bind DN and password of the ''sudo'' account into ''/etc/sudo-ldap.conf'' (root-only, mode 0600, because it contains the password)
<code bash>
sudoers: files ldap
</code>

===== Rsyslog =====

Remote logging over TLS with the ''gtls'' netstream driver.
  * Make sure NTP is working on all systems involved; log correlation is worthless with skewed clocks, and certificate validity is checked against the local clock.
  * Create a working directory (''ca'') and change into it
<code shell>
mkdir ca
cd ca
</code>
  * Create the **CA** private key (''certtool'' is in the ''gnutls-utils'' package)
<code bash>
certtool --generate-privkey --outfile ca-key.pem
</code>
  * Create the **CA** self-signed certificate
<code bash>
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
The certificate will expire in (days): 3650
Does the certificate belong to an authority? (y/N): y
Enter the e-mail of the subject of the certificate: root@desktopX.example.com
</code>
  * Create the **server** private key
<code bash>
certtool --generate-privkey --outfile serverX-key.pem
</code>
  * Create the **server** certificate request
<code bash>
certtool --generate-request --load-privkey serverX-key.pem --outfile serverX-request.pem
Common name: serverX.example.com
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y
</code>
  * Create the **server** certificate, signed by the CA
<code bash>
certtool --generate-certificate --load-request serverX-request.pem --outfile serverX-cert.pem \
  --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
The certificate will expire in (days): 1000
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: serverX.example.com
</code>
  * Copy the server certificate and key to ''/etc/rsyslog-keys'' on the server (key file mode 0600, owned by root; ''ca-key.pem'' stays off both machines)
  * Copy ''ca.pem'' to ''/etc/rsyslog-keys'' on the client
  * Create the new config file ''/etc/rsyslog.d/server.conf'' (on the server); templates are under ''/usr/share/doc/rsyslog*/''. Make sure **AuthMode** is set to **anon** (see the caveat below) and add the ''$ModLoad imtcp'' line:
<code bash>
# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/serverX-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/serverX-key.pem

$ModLoad imtcp                              # load TCP listener
$InputTCPServerStreamDriverMode 1           # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon    # client is NOT authenticated
$InputTCPServerRun 6514                     # listen on port 6514
</code>
  * Create the new config file ''/etc/rsyslog.d/client.conf'' (on the client), again from the templates in ''/usr/share/doc/rsyslog*/'', with the same **AuthMode**:
<code bash>
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem

# set up the action
$DefaultNetstreamDriver gtls                # use gtls netstream driver
$ActionSendStreamDriverMode 1               # require TLS for the connection
$ActionSendStreamDriverAuthMode anon        # server is NOT authenticated
*.* @@(o)serverX.example.com:6514           # send (all) messages
</code>

**Caveat on ''anon'':** this setup encrypts the transport but authenticates nobody. The client does not verify the server certificate, so a host that can intercept the connection can receive the logs, and the server accepts any TCP client, so anyone on the network can inject forged log lines. For a trustworthy syslog channel set ''AuthMode x509/name'' on both sides, give each client its own certificate from the same CA, and list the permitted peers with ''$ActionSendStreamDriverPermittedPeer'' (client) and ''$InputTCPServerStreamDriverPermittedPeer'' (server).

  * Create the ''/var/log/remote'' directory
  * Add the following lines to ''/etc/rsyslog.d/remote.conf''; the documentation shipped with the package has a template (the path contains the installed version, here 5.8.10):
<code bash>
curl file:///usr/share/doc/rsyslog-5.8.10/multi_ruleset.html | grep fromhost
</code>
<code bash>
# process remote messages
:fromhost-ip, !isequal, "127.0.0.1"   /var/log/remote/messages
# then discard them
:fromhost-ip, !isequal, "127.0.0.1"   ~
</code>
**Important:** Put this into ''/etc/rsyslog.d/'' and not at the end of ''/etc/rsyslog.conf''. Rules are processed in order, and ''/etc/rsyslog.conf'' includes ''/etc/rsyslog.d/*.conf'' near its top, before its own rules; appended to the end of ''rsyslog.conf'' the discard rule runs only after the local rules have already written the remote messages to ''/var/log/messages''.

===== Audit =====

The persistent audit rules live in ''/etc/audit/audit.rules''. To find out which files and system calls a program touches (useful when writing watch rules), the trace command ''autrace'' is handy (example for ''date''):
<code bash>
autrace /bin/date
Waiting to execute: /bin/date
Thu Jun 20 11:38:46 CEST 2013
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 26472'
ausearch --raw -p 26472 | aureport --file -i
</code>

===== Iptables =====

Listing with ''--line-numbers'' is useful when you have to delete or insert a rule at a specific position (output of ''iptables -L INPUT -v -n --line-numbers'' on a web server with fail2ban chains):
<code bash>
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target                 prot opt in  out source     destination
1    3563K 3226M f2b-php-url-fopen      tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  multiport dports 80,443
2    3563K 3226M f2b-apache-overflows   tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  multiport dports 80,443
3    3563K 3226M f2b-apache-noscript    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  multiport dports 80,443
4    3563K 3226M f2b-apache-badbots     tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  multiport dports 80,443
5    3563K 3226M f2b-apache-auth        tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  multiport dports 80,443
6     1520 95864 REJECT                 tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  multiport dports 22 match-set f2b-SSH src reject-with icmp-port-unreachable
7    6141K 5818M ACCEPT                 all  --  *   *   0.0.0.0/0  0.0.0.0/0  ctstate RELATED,ESTABLISHED
8     1460  137K ACCEPT                 icmp --  *   *   0.0.0.0/0  0.0.0.0/0
9    53510 3261K ACCEPT                 all  --  lo  *   0.0.0.0/0  0.0.0.0/0
10     479 20364 REJECT                 tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  match-set blockednets src reject-with icmp-port-unreachable
11     511 29728 ACCEPT                 tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  ctstate NEW tcp dpt:22
12   12626  735K ACCEPT                 tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  ctstate NEW tcp dpt:80
13    2994  226K ACCEPT                 tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  ctstate NEW tcp dpt:443
14     174  8732 ACCEPT                 tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  ctstate NEW tcp dpt:3389
15       5   224 ACCEPT                 tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  ctstate NEW tcp dpt:9090
16   11413  862K REJECT                 all  --  *   *   0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
</code>
Rule 16 rejects everything the earlier rules did not accept, but the chain policy is still ''ACCEPT'': if the rules are ever flushed, the host is wide open. Set ''iptables -P INPUT DROP'' so a flush fails closed.

A very basic example script to initialize ''iptables'':
<code bash>
iptables -F                                                          # flush the existing rules
iptables -A INPUT -i lo -j ACCEPT                                    # loopback
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT     # replies to our own connections
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT   # SSH
iptables -A INPUT -j LOG                                             # log what is about to be rejected
iptables -A INPUT -j REJECT                                          # everything else
</code>
Before using it in earnest, add a ''-m limit'' match to the ''LOG'' rule so that a port scan cannot fill ''/var/log/messages'', and persist the result with ''service iptables save'' (CentOS 6) or ''iptables-save > /etc/sysconfig/iptables''.

To delete a rule by its number:
<code bash>
iptables -D INPUT 11
</code>
To insert a rule at a position (it becomes rule 11 and the old rule 11 moves down; example rule):
<code bash>
iptables -I INPUT 11 -m state --state NEW -p tcp --dport 443 -j ACCEPT
</code>
Rule numbers shift after every delete or insert, so list again with ''--line-numbers'' before the next change.

hardening.txt · Last modified: 2024/11/30 10:22 by dani
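As an added example for the iptables section (written for this page, not taken from it): the script above builds the chain one ''iptables -A'' at a time, which leaves a window after ''iptables -F'' where the ''ACCEPT'' policy lets everything in, and a failed line in the middle leaves a half-built ruleset. The function below instead generates a complete ''iptables-restore(8)'' file with ''DROP'' policies, the per-port accepts, and a rate-limited ''LOG'' rule, so the whole table is swapped in one atomic operation. The port list, log prefix and output path are assumptions for this page.

```sh
#!/bin/sh
# Added example, not part of the original page: build a complete INPUT policy
# as an iptables-restore(8) file instead of running iptables -A line by line.
#   iptables-restore < rules.v4
# replaces the whole filter table atomically (no flushed-and-open moment), and
# the DROP policy means a later accidental flush fails closed.
# Pure POSIX sh text generation, runs offline; ports, log prefix and the
# output path below are assumptions.

# build_ruleset PORT... -> iptables-restore text on stdout
# Each PORT is a TCP port to allow for NEW connections (e.g. 22 443).
# Returns 1 (and stops) on a port that is not a number in 1..65535.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to our own connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# drop packets with a bogus connection state before they reach the LOG rule
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
EOF
    for port in "$@"; do
        case "$port" in *[!0-9]*|'') bad=1 ;; *) bad=0 ;; esac
        if [ "$bad" = 1 ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "build_ruleset: invalid port '$port'" >&2
            return 1
        fi
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    cat <<'EOF'
# rate-limited log of everything else, then reject
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level 4
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# count_accept_rules PORT... -> number of per-port ACCEPT lines generated
count_accept_rules() {
    build_ruleset "$@" | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Usage on a real host (assumed path; CentOS 6 loads /etc/sysconfig/iptables
# at boot). Keep an SSH session open while testing and include the port you
# came in on:
#   build_ruleset 22 443 > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
build_ruleset 22 443
```

Compared with the page's script this also drops ''INVALID'' packets before logging and caps the log rate, so a scan produces at most a handful of lines per minute instead of one per probe. Review the generated text before loading it; ''iptables-restore --test'' (where available) parses it without applying.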