firewall

In part two of this series we’re going to discuss adding firewall rules to the router.  Everyone knows that adding ingress (or incoming) firewall rules is important to securing your network.  However, the same can be said for adding egress rules for traffic leaving your network.  For instance, aside from an email server, no client should ever send traffic to the Internet via TCP port 25.  If you see traffic like this, it could mean that you have an infected computer within your network.  Egress firewall rules, along with logging of those rules, will help track down problems before it gets out of hand.

First lets up the ingress rules to protect the router from incoming traffic we do not want.

    iptables -A INPUT -m state –state INVALID -j DROP

    iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

    iptables -A INPUT -s 192.168.2.0/24 -p icmp -j ACCEPT

    iptables -A INPUT -i lo -j ACCEPT

    iptables -A INPUT -s 192.168.2.0/24 -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT

    iptables -A INPUT -i eth0 -j LOG –log-prefix ” *** IPTABLES DENY IN *** “

    iptables -A INPUT -j REJECT

The first rule allows us to configure the stateful firewall.  Any connections that are already established on the server is allowed through, new connections will not be allowed by this line.  The second rule allows for internal clients to ping their default gateway.  Third rule is VERY IMPORTANT as it allows server traffic to be allowed on the loopback interface.  Most Linux communication including X and service daemons use the loopback for internal communication.  If you do not allow this rule then you could kill everything.  The fourth line allows internal traffic to connect through SSH for remote administration.  We can further restrict SSH by only allowing SSH keys, or if you have a monitor hooked up to the router you could skip this rule altogether.  And the last rule blocks all other incoming traffic to the router.

Now lets setup the egress rules on the router.  To do this, we will use the forward table in iptables.  This is used to forward traffic from one interface to another.

    iptables -A FORWARD -m state –state INVALID -j DROP

    iptables -A FORWARD -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT

    iptables -A FORWARD -i eth1 -p tcp -m tcp –dport 22 -j ACCEPT

    iptables -A FORWARD -i eth1 -p tcp -m tcp –dport 80 -j ACCEPT

    iptables -A FORWARD -i eth1 -p tcp -m tcp –dport 443 -j ACCEPT

    iptables -A FORWARD -i eth1 -p tcp -m tcp –dport 465 -j ACCEPT

    iptables -A FORWARD -i eth1 -p tcp -m tcp –dport 587 -j ACCEPT

    iptables -A FORWARD -i eth1 -p tcp -m tcp –dport 993 -j ACCEPT

    iptables -A FORWARD -i eth1 -j LOG –log-prefix " *** IPTABLES DENY OUT *** "

    iptables -A FORWARD -j REJECT

    iptables -A FORWARD -s 192.168.2.0/24 -i eth0 -j DROP

The first rule for this is similar to the first rule to the last set.  The next set of rules allow internal clients to connect to any server on the Internet using SSH, HTTP/HTTPS, and email.  The last few lines are important as first we log dropped packets, then drop packets that do not meet the lines above, and then an anti-spoofing line.  We will talk about logging in a minute, I just want to point out one additional thing.  Be extremely careful when creating egress firewall rules as this will break things.  For instance, if someone needs to establish an outgoing VPN connection then you will need to add those rules in or it will not work.

To get IPTABLES to log dropped packets to a log file, we use rsyslog.  In the /etc/rsyslog.conf file add the following lines:

    :msg,startswith,” *** IPTABLES DENY OUT *** ” /var/log/iptables-egress

    :msg,startswith,” *** IPTABLES DENY IN *** ” /var/log/iptables-ingress

    &~

Now start the rsyslog daemon and restart iptables and you’ll be all set.

As a part of the sys admin’s job, it is important to take a few extra minutes to go through and properly secure a newly installed Linux server. These steps include enabling SELinux on the machine, configuring the firewall, and setting user permissions. There are however additional steps one should take in order to secure their server. One would be to tune and secure kernel parameters, set limits on kernel dumps, prevent IPv6 from loading if you company is not using it, and turning off unnecessary services.

Networking 

First, lets take a look at configuring kernel parameters to prevent network based attacks. These include disallowing intruders to alter routing tables and source routed packets, preventing an intruder from configuring the server to become a router, and turning on reverse path filtering. To change these settings edit the /etc/sysctl.conf file and enter:

    net.ipv4.conf.all.accept_source_route = 0 

    net.ipv4.conf.all.accept_redirects = 0 

    net.ipv4.conf.all.secure_redirects = 0 

    net.ipv4.conf.all.log_martians = 1 

    net.ipv4.conf.default.accept_source_route = 0 

    net.ipv4.conf.default.accept_redirects = 0 

    net.ipv4.conf.default.secure_redirects = 0 

    net.ipv4.icmp_echo_ignore_broadcasts = 1 

    net.ipv4.icmp_ignore_bogus_error_messages = 1 

    net.ipv4.tcp_syncookies = 1 

    net.ipv4.conf.all.rp_filter = 1 

   net.ipv4.conf.default.rp_filter = 1 

If you are currently running IPv6 at your company, here are a few kernel parameters to prevent network based attacks:

    net.ipv6.conf.default.router_solicitations = 0 

    net.ipv6.conf.default.accept_ra_rtr_pref = 0 

    net.ipv6.conf.default.accept_ra_pinfo = 0 

    net.ipv6.conf.default.accept_ra_defrtr = 0 

    net.ipv6.conf.default.autoconf = 0 

    net.ipv6.conf.default.dad_transmits = 0 

    net.ipv6.conf.default.max_addresses = 1 

To make these settings effective without rebooting the server type sysctl -p 

We can go a step further by disabling unused network functions such as IPv6 and prevent self assigned addressing.

To detect whether or not IPv6 is running on a server type: ifconfig | grep inet6 which will return:

    inet6 addr: fe80::240:5ff:fe32:ef19/64 Scope:Link 

    inet6 addr: ::1/128 Scope:Host 

    inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link 

To prevent IPv6 from loading, run the following command:

echo install ipv6 /bin/true > /etc/modprobe.d/ipv6 

Then add the following lines to /etc/sysconfig/network:

NETWORKING_IPV6=no 

    IPV6INIT=no 

This will deactivate the IPv6 protocol from running on the server.

To prevent self assigned addressing on network cards, open the /etc/sysconfig/network file and add:

NOZEROCONF=yes 

Server security 

Turning off the ability to create core dumps is important as intruders can use this to gather information about running services and configurations in order to exploit them. To do so, edit the /etc/security/limits.conf file and insert:

* hard core 0 

We should also prevent setuid programs from creating these as well:

sysctl -w fs.suid_dumpable=0 

There are also built in kernel features which can help protect against buffer overflow attacks. These features are turned on by default, however these kernel parameters should be enabled in case they have been turned off:

    sysctl -w kernel.exec-shield=1 

    sysctl -w kernel.randomize_va_space=1 

These settings ensure randomization of the stack and memory regions, which are refereed to as the ExecShield.

There are many services which are running on a default installation which include cups, sendmail, isdn, bluetooth, and many others. If these services are not being used on the server then they should be turned off and configured not to start up on a reboot. To do so we can run the following bash script:

for i in acpid autofs avahi-daemon luetooth cups firstboot gpm hidd ip6tables sendmail exim xfs xinetd yum-updatesd rhnsd pcscd readahead_early readahead_later apmd hplip isdn ip6tables mcstrans 

    do 

    service $i stop 

    chkconfig $i off 

    done 

Your services will vary depending on the installation. We should also ensure that X does not run on reboot, placing the server in run level three. To do so, edit the /etc/inittab file and change id:5:initdefault: to id:3:initdefault: