How to seal all the ports except HTTP and FTP service?
I wish to make a secure Linux box which allows only HTTP and FTP services. What can I do to make my system isolated from the outside world except for these two services?
I'm thinking of closing down all the ports EXCEPT the HTTP and FTP ports (21 and 80). Does it help to improve the security? What else should I do to improve the security? I'm doing this as a project, please provide your help if you have any idea to improve it. Every single contribution is greatly appreciated.
Yes. Access restrictions will make it more secure.
You'll need to:
-Edit startup behaviour to stop all daemons you don't need to run, or better, if you don't need them, remove them.
-Edit /etc/inetd.conf and prepend a hash (#) to all the services that are not needed (all except ftp, http); if you find you need a service, just uncomment it.
-Look for services that are not started from inetd, or are not wrapped through tcpd (tcpwrappers).
-Edit the tcpwrapper config file /etc/hosts.deny to deny from all by default, and add services and allowed hosts to hosts.allow.
-Install iptables (kernel 2.4.x) or ipchains (2.2.x) and configure them to deny all traffic except for 21 and 80.
Next to this you'll also want to check your ftp and http daemons' compile options, config, patchlevel and/or version for vulnerabilities (including .cgi files, SSIs etc).
If your ftpd hasn't got a built-in chroot, consider running it chrooted.
Consider running a more restricted and separate dev server off another port if you're trying/developing experimental stuff.
Don't place symlinks into the system in public space, restrict uploads to one upload directory and set the immutable bit on everything a user can wink at.
Ok. Check. We've covered
-disabling unneeded services (inetd)
-restricting access to used services (inetd, wrappers)
-restricting access to host & services (tables/chains)
Now look for the Linux Administrator's Security Guide (LASG) somewhere over at linuxdoc.org, go to the SANS Top Ten and keep up on security bulletins from your ftpd & httpd makers.
There's lots of tools to make a start with checking your system's security and do some intrusion detection; I'll just throw in a few terms you can look up for yourself: portsentry, snort, aide, tripwire, cops, ippl, logcheck, secfocus.com, cert.org. There's also local security like users, restrictions, PAM and undeletable/immutable/sgid/suid bits.
If you're interested, just ask, and we'll set up a thread on that later on.
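As an added example (not unSpawn's code, and not from the thread), here is the last step of the list above, "deny all traffic except for 21 and 80", written out for iptables on a 2.4 kernel. The function prints a ruleset in iptables-restore format rather than running iptables directly, so you can read it before loading it; the port list, the chain names and the LOG prefix are my choices.

```shell
#!/bin/sh
# Added example: generate a default-deny iptables ruleset that only accepts
# new inbound TCP connections on the FTP and HTTP ports.
# Assumptions: Linux 2.4+ with iptables, the "state" match and the LOG target.
# Usage: sh firewall.sh > /etc/iptables.rules && iptables-restore < /etc/iptables.rules

# The only services this box is meant to offer (the thread's 21 and 80).
ALLOWED_TCP_PORTS="21 80"

# gen_ruleset "21 80": print the ruleset on stdout in iptables-restore format.
gen_ruleset() {
    ports="$1"
    echo '*filter'
    # Default policy: drop everything coming in or being forwarded.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback must stay open or local daemons (and the box itself) break.
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host started (DNS, package updates, FTP data
    # channels once ip_conntrack_ftp is loaded) come back as ESTABLISHED/RELATED.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Packets that belong to no known connection and are not a valid SYN are junk.
    echo '-A INPUT -m state --state INVALID -j DROP'
    # One ACCEPT per offered service; nothing else ever gets a NEW connection.
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Log a rate-limited sample of what falls through, so a port scan shows up
    # in syslog instead of disappearing silently into the DROP policy.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "'
    echo 'COMMIT'
}

# count_open_ports: read a ruleset on stdin, print how many ports accept NEW
# connections. Handy as a sanity check before loading the rules.
count_open_ports() {
    grep -c -- '--state NEW -j ACCEPT'
}

gen_ruleset "$ALLOWED_TCP_PORTS"
```

Before loading the rules, load the FTP connection-tracking helper (`modprobe ip_conntrack_ftp` on 2.4, `nf_conntrack_ftp` on 2.6 and later) so that the data connections FTP opens are classed RELATED; without it, passive FTP transfers stall behind a default-deny INPUT chain. On a 2.2 kernel the same policy is expressed with ipchains, which has no state match, so the "ESTABLISHED,RELATED" line has no direct equivalent there.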
You'll also want to improve the IPv4 stack to stop spoofing and DoS attacks etc etc etc.
All the files in /proc/sys/net/ipv4 set up your default IP options on packets and other TCP handlers.
Put these in your /etc/rc.d/rc.local file:
# Stops SYN flood attacks (SYN cookies)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Reassemble fragments before the firewall sees them (2.2 kernels only; 2.4 defragments in conntrack and has no such file)
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# Ignore ICMP echo requests sent to broadcast addresses (smurf attacks)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# The RFCs forbid sending ICMP error replies to a broadcast frame; some routers do it anyway, so stop logging those bogus responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Drop packets whose source address could not have arrived on the interface they came in on (anti-spoofing)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Don't let ICMP redirects modify the routing table; the network should be set up correctly in the first place
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Same as above: stop your system sending redirects that modify other hosts' routing tables
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Confuses OS fingerprint scans of your IP stack: 64 will show as Linux, 61 will screw them up
# (this file lives directly under ipv4, not under conf/all)
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
These are just some extra examples of how you can improve Linux OS security.
Good one Razbot, I always forget to mention these..
Doodah, /etc/services is essentially a lookup table; it doesn't have any effect on running/starting/stopping scripts.
Want to show only "normal" ports: use /etc/services; want to show almost "all" ports: use the services file from nmap...
Thanks unSpawn, razbot, doodah, mongrel, you guys are really helpful.
I'm new to Linux, so I'm not really familiar with all the stuff that all of you mentioned above, but I'll try it out one by one later. Thanks again!
By the way, what are the patches that I should apply for the system and for the Apache server? Especially the Apache server: there are really a damn lot of modules, I'm getting confused already.
Please keep on posting anything that you have in mind. With the help I'm getting here, I should be confident with my project, he he...
Why not just disable what you don't want in /etc/inetd.conf?
Here's a snippet of the format it's in:
#:STANDARD: These are standard services.
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
#telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd
ssh stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/sshd1 -i
You should always close down unnecessary services. A good way to find out what's going on is to run the command netstat -vat. The output will look something like the following:
root$ netstat -vat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 dsl081-050-241.dsl-:ftp grce.speakeasy.or:3045 ESTABLISHED
tcp 0 0 dsl081-050-241.d:telnet dsl081-00-04-sfo:4169 ESTABLISHED
tcp 0 0 *:1004 *:* LISTEN
tcp 0 0 dsl081-050-241.dsl:1624 cs6.ms.yahoo.com:5050 ESTABLISHED
tcp 0 0 dsl081-050-241.d:telnet dsl81-050-1-sfo:2103 ESTABLISHED
tcp 0 0 *:6000 *:* LISTEN
tcp 0 138 dsl081-050-241.d:telnet dsl081-00-1-sfo:1697 ESTABLISHED
tcp 0 0 dsl081-050-241.d:telnet dsl081-00-14-sfo:1026 ESTABLISHED
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:linuxconf *:* LISTEN
tcp 0 0 *:amidxtape *:* LISTEN
tcp 0 0 *:amandaidx *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
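As an added example (my code, not from the post above), here is a small check that does what the post asks you to do by eye: pull the LISTEN sockets out of netstat output and flag every one that is not on the short list of services this box is supposed to offer. The sample input is the netstat -vat output quoted above, reduced to its LISTEN lines plus one ESTABLISHED line to show it is ignored; the allow list "ftp www" and the function names are my choices.

```shell
#!/bin/sh
# Added example: list unexpected listening ports from netstat output.
# Assumption: net-tools netstat layout as quoted in the post, i.e. the 4th
# column is "address:port" (port as name or number) and the 6th is the state.
# Real use: netstat -vat | unexpected_listeners "ftp www"

# Constructed sample, taken from the netstat -vat output quoted in the post.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:1004 *:* LISTEN
tcp 0 0 dsl081-050-241.dsl:1624 cs6.ms.yahoo.com:5050 ESTABLISHED
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:linuxconf *:* LISTEN
tcp 0 0 *:amidxtape *:* LISTEN
tcp 0 0 *:amandaidx *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN'

# listeners: read netstat output on stdin, print the port of every LISTEN
# socket, one per line. The port is whatever follows the last ":" of the
# local address, so both "*:ftp" and "host.example:1624" parse correctly.
listeners() {
    awk '$6 == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# unexpected_listeners "ftp www": read netstat output on stdin, print the
# listening ports that are not in the space-separated allow list.
unexpected_listeners() {
    allowed=" $1 "
    listeners | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;        # on the allow list, say nothing
            *) echo "$port" ;;     # anything else should not be listening
        esac
    done
}

printf '%s\n' "$SAMPLE" | unexpected_listeners "ftp www"
```

Run against the sample, this prints 1004, 6000, ssh, smtp, linuxconf, amidxtape and amandaidx. Each of those is then a question to answer, not necessarily a service to kill: ssh you probably want (and then it belongs on the allow list and in hosts.allow), 6000 is an X server listening on the network, and a bare number like 1004 is worth tracking back to its process (newer net-tools netstat has -p for that) before deciding.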
Originally posted by raz You'll also want to improve the ipv4 stack to stop spoofing and DOS attacks etc etc etc.
For all of these... do you still want to set the bit to 1 even if the file (such as icmp_ignore_bogus_error_responses) doesn't exist? I'm running Red Hat 7.1.
If it doesn't exist in /proc/sys/net/ipv4 (and the path is correctly entered), no. Proc is the virtual representation of stuff running in the kernel, so if it ain't there, it ain't used in the kernel. If you're switching between kernels where it is/isn't available, and you want some extra signalling, you could add it like this to your scripts:
if [ ! -f /proc/sys/net/ipv4/conf/all/send_redirects ]; then
    echo "/proc/sys/net/ipv4/conf/all/send_redirects ain't there"
else
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
fi
or silence it like
if [ -f /proc/sys/net/ipv4/conf/all/send_redirects ]; then
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
fi
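The check above, written out for one file, generalises to the whole list from raz's post. As an added example (mine, not unSpawn's or raz's), the script below keeps the settings in one table and applies each only if the running kernel has the file, counting what it skipped, so a 2.2-only key such as ip_always_defrag is reported on a 2.4 box instead of producing a shell error at boot. The base directory is a parameter so the function can be exercised against a scratch copy of the /proc/sys tree; in real use it is /proc/sys.

```shell
#!/bin/sh
# Added example: table-driven /proc/sys hardening that skips keys the running
# kernel does not have, instead of failing on the missing file.
# Assumptions: POSIX sh; run as root at boot (e.g. from rc.local) with
#   sh harden.sh /proc/sys
# The keys are the ones from raz's post, written in sysctl dotted form.

# One "key value" per line; blank lines and '#' comments are ignored.
SETTINGS='
# SYN cookies against SYN floods
net.ipv4.tcp_syncookies 1
# only present on 2.2 kernels; 2.4 defragments in conntrack, so this gets skipped there
net.ipv4.ip_always_defrag 1
# ignore echo requests to broadcast addresses (smurf)
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
# reverse-path filter: drop packets with an impossible source for the interface
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.ip_default_ttl 61
'

# apply_sysctls BASE_DIR
# Writes each value into BASE_DIR/<key with dots turned into slashes> when that
# file exists and is writable. Skipped keys are reported on stderr; the summary
# "applied=N skipped=M" goes to stdout so a caller can check it.
apply_sysctls() {
    base="${1:-/proc/sys}"
    applied=0
    skipped=0
    # Here-document rather than a pipe, so the counters survive the loop
    # (a piped while runs in a subshell in most shells).
    while read -r key value; do
        case "$key" in ''|'#'*) continue ;; esac
        file="$base/$(printf '%s' "$key" | tr . /)"
        if [ -f "$file" ] && printf '%s\n' "$value" > "$file" 2>/dev/null; then
            applied=$((applied + 1))
        else
            echo "skipped (not in this kernel, or not writable): $key" >&2
            skipped=$((skipped + 1))
        fi
    done <<EOF
$SETTINGS
EOF
    echo "applied=$applied skipped=$skipped"
}

# Only touch the system when a base directory is given on the command line.
if [ $# -gt 0 ]; then
    apply_sysctls "$1"
fi
```

Because the summary line distinguishes "applied" from "skipped", a boot script can log it and you notice when a kernel change silently took one of your protections away, which is exactly the case the question above is about.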