[SLUG] Firewalling and Optus@nospam.Home
On Friday night there was some discussion about Optus@nospam.Home's policy of
portscanning to figure out whether a user is running a server. Several
people claimed that this was discrimination against Linux users. I
disagree; it's merely an indication that your machine is insecure.
Start by making sure you've turned off all network services you don't
need. These include the portmapper, finger, telnet, etc. Some are run via
tcp wrappers, so are controlled by /etc/inetd.conf, /etc/hosts.allow and
/etc/hosts.deny. Others, such as the portmapper, are run independently,
and so are started by a script in /etc/rc.d/...
To find out what's listening, run `netstat -atn|grep LISTEN' (tcp) and
`netstat -au' (udp). For a standalone machine you need very little
running. You can find out which process is using each port with fuser.
For example:
[root@nospam.dropbear ~]$ netstat -atn|grep LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.16:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
[root@nospam.dropbear ~]# fuser -n tcp 6000
6000/tcp: 487
[root@nospam.dropbear ~]# ps ax|grep 487
487 ? S 97:07 /etc/X11/X :0 -auth /home/johnc/.Xauthority
The other ports are 21 (inetd, ftpd), 22 (sshd), 23 (inetd, telnet) 25
(sendmail), 37 (inetd, in.timed), 53 (named), 80 (apache), 139 (smbd), 515
(lpd) and 3306 (mysql). A normal home machine probably won't need all of
these, but you'll have to decide for yourself.
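As an added example (mine, not part of John's post), here is a small Python parser over the netstat listing above that groups the listening ports by the address each socket is bound to: a socket bound to 0.0.0.0 answers on every interface, ppp0 included, while one bound only to 127.0.0.1 or the eth0 address (assumed here to be 192.168.1.16) is invisible to a scan arriving over the ppp link.

```python
# Added example, not from the post: parse the netstat -atn output above and
# group the listening ports by the address each socket is bound to.
NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.16:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
"""

def listening_sockets(text):
    """Yield (bind_address, port) for each LISTEN line of `netstat -atn`."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue                      # headers, ESTABLISHED sockets, etc.
        addr, port = fields[3].rsplit(":", 1)
        yield addr, int(port)

def ports_by_bind_address(text):
    """Map each bind address to the sorted list of ports listening on it."""
    groups = {}
    for addr, port in listening_sockets(text):
        groups.setdefault(addr, []).append(port)
    return {addr: sorted(ports) for addr, ports in groups.items()}

def reachable_over_ppp0(text):
    """Ports a scan arriving on ppp0 can connect to: only the sockets bound
    to 0.0.0.0 (every interface). In the listing above named listens on
    192.168.1.16 (assumed to be eth0) and 127.0.0.1 only, so port 53 is
    not among them."""
    return ports_by_bind_address(text).get("0.0.0.0", [])

if __name__ == "__main__":
    for addr, ports in ports_by_bind_address(NETSTAT).items():
        print(addr, ports)
    print("visible from ppp0:", reachable_over_ppp0(NETSTAT))
```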
The next step is to make sure that the services you do need to run are not
accessible from outside your network. As some of you have discovered, tcp
wrappers is not sufficient to prevent Optus from thinking you're running a
server. This is because inetd accepts the connection, then works out if
access is allowed, and closes the connection if not. Optus merely detect
the connection establishment.
So, you need to set up firewalling. If you only need to allow outgoing
connections (i.e. you really *don't* want to run a server), then it's
easy. The basic rules are:
1. Default policy is to deny all packets. Then rules are added to allow
certain packets through the firewall. Note that we use DENY rather
than REJECT so that the originator doesn't know that their packets are
being discarded until they time out.
2. Allow all packets on the loopback interface and any local ethernets.
3. Allow any packet in from ppp0 with the ACK bit set.
4. Allow all packets on ppp0 from the ftp-data port to ports 1024-65535.
5. Allow udp packets to/from port 53 (dns).
6. Reject (rather than deny) incoming auth requests.
7. Deny anything which gets through these rules and log it to syslog.
To understand rule 3, you need to know how tcp connections are
established. This is what's known as the three-way handshake. The client
sends a packet with the SYN bit set, and the ACK bit clear. The server
responds with a packet that has both SYN and ACK set. The client then
sends its next packet with ACK set and SYN clear. Every packet from then
on has the ACK bit set, and the SYN bit clear. The important thing to
note is that the only packet which has SYN set and ACK clear is the
incoming connection request. Filtering these packets prevents a
connection from being established.
To understand rule 4, you need to be aware of how ftp works. There are
two connections required for an ftp transfer - the command channel on port
20, and the data channel on port 21. The command channel is always opened
by the client, but the data channel can be opened by either the client or
the server. Traditional ftp clients used to have the server open the data
channel, so your firewall must allow incoming connections from the
ftp-data port to non-privileged ports (1024-65535). Web browsers use
what's known as passive ftp, where the client originates the connection,
so as long as you allow outgoing connection requests, passive ftp will
work.
Rule 5 is required because dns lookups generally use udp rather than tcp.
The destination port is always 53. tcp is only used if the response
doesn't fit into a udp packet, and for zone transfers. Normal dns lookups
don't use zone transfer, so you don't need to worry about them, but
allowing outgoing connection requests will take care of these anyway.
Rule 6 is used to stop servers which send auth requests from waiting for
their request to time out. Some servers will send an auth request to the
client machine whenever an incoming connection is made. Rejecting these
packets will tell the server immediately that it's not going to get a
response, rather than waiting for it to time out.
Ideally, you'd modify the output rules to restrict what gets sent too, but
this is left as an exercise for the reader. You'd also add address
checking on all interfaces to prevent spoofing, but that falls into the
same class, as does forwarding :-) I'm not going to do it all for you.
Now having explained the rules, here are the ipchains commands required to
achieve them:
#!/bin/sh
# Rule numbers in the comments refer to the numbered list above.
ANY=0.0.0.0/0
# flush all rules
ipchains -F input
ipchains -F forward
ipchains -F output
# rule 1: policy DENY on every chain, so anything not matched below is
# silently dropped
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output DENY
# rule 2: accept all packets on the loopback interface
ipchains -A input -p all -i lo -j ACCEPT
ipchains -A output -p all -i lo -j ACCEPT
# rule 2: if you have an ethernet, use the next two rules to accept any
# packet on eth0. Use a similar pair of rules for each ethernet if you have
# more than one. You can improve this rule by checking source/destination
# addresses too, but this basic rule is a good starting point.
ipchains -A input -p all -i eth0 -j ACCEPT
ipchains -A output -p all -i eth0 -j ACCEPT
# ppp0
# rule 3: accept any tcp packet that is not a connection request. -y matches
# SYN set and ACK clear, so ! -y is every other tcp packet. -y is a tcp-only
# test, hence -p tcp here; an incoming SYN (a portscan, say) is never
# accepted by this rule, so inetd never sees it. icmp is not covered by
# this rule; add a separate -p icmp rule if you want ping replies and the like.
ipchains -A input -p tcp -i ppp0 ! -y -j ACCEPT
# rule 4: accept incoming ftp-data connections (for outgoing active ftp)
ipchains -A input -p tcp -s $ANY ftp-data -d $ANY 1024:65535 -i ppp0 -y -j ACCEPT
# rule 5: allow udp responses to dns lookups (replies come from port 53)
ipchains -A input -p udp -s $ANY dns -d $ANY 1024:65535 -i ppp0 -j ACCEPT
# rule 6: immediately reject incoming auth requests
ipchains -A input -p tcp -d $ANY auth -i ppp0 -j REJECT
# and allow all packets out
ipchains -A output -p all -i ppp0 -j ACCEPT
# rule 7: log everything else to syslog and drop the packet
ipchains -A input -l -j DENY
ipchains -A output -s $ANY -d $ANY -l -j DENY
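To see what those rules do to a given packet without loading them, here is an added Python model of the input chain (my own example, not John's script). It assumes rule 3 is a tcp-only test, as the handshake explanation intends, and classifies a handful of constructed packets: a telnet probe from outside, a web server's SYN/ACK reply, an active-ftp data connection, a dns reply, a stray udp packet to port 53, an ident lookup and a connection on the ethernet.

```python
# Added example, not from the post: a model of the ipchains input chain
# built by the script above, rule by rule, in the order they are appended.
from dataclasses import dataclass

FTP_DATA, DNS, AUTH = 20, 53, 113   # ftp-data is port 20; ftp control is 21

@dataclass
class Packet:
    iface: str          # "lo", "eth0" or "ppp0"
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag

def is_syn_request(p):
    """What ipchains -y matches: a tcp packet with SYN set and ACK clear,
    i.e. the one packet that asks to open a new connection."""
    return p.proto == "tcp" and p.syn and not p.ack

def input_chain(p):
    """Return the verdict the input chain gives this packet."""
    if p.iface in ("lo", "eth0"):                              # rule 2
        return "ACCEPT"
    if p.iface == "ppp0":
        if p.proto == "tcp" and not is_syn_request(p):         # rule 3: ! -y
            return "ACCEPT"
        if is_syn_request(p) and p.sport == FTP_DATA and 1024 <= p.dport <= 65535:
            return "ACCEPT"                                    # rule 4: active ftp
        if p.proto == "udp" and p.sport == DNS and 1024 <= p.dport <= 65535:
            return "ACCEPT"                                    # rule 5: dns reply
        if p.proto == "tcp" and p.dport == AUTH:
            return "REJECT"                                    # rule 6: auth
    return "DENY"                                              # rule 7: logged, dropped

# Constructed sample packets (not traffic captured from the post).
CASES = {
    "telnet probe": Packet("ppp0", "tcp", 40000, 23, syn=True),
    "web reply":    Packet("ppp0", "tcp", 80, 1034, syn=True, ack=True),
    "active ftp":   Packet("ppp0", "tcp", FTP_DATA, 1040, syn=True),
    "dns reply":    Packet("ppp0", "udp", DNS, 1052),
    "dns probe":    Packet("ppp0", "udp", 40001, DNS),
    "ident lookup": Packet("ppp0", "tcp", 40002, AUTH, syn=True),
    "lan smb":      Packet("eth0", "tcp", 40003, 139, syn=True),
}

def decisions():
    return {name: input_chain(p) for name, p in CASES.items()}

if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:13} -> {verdict}")
```

The telnet probe is the case tcp wrappers cannot help with: here the SYN is dropped before inetd ever accepts the connection, so the scanner sees nothing.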
Anyone still running a 2.0 series kernel can email me directly for the
equivalent ipfwadm rules if necessary, but it should be easy enough to
work them out for yourself.
Note that this is not meant to be a perfectly secure firewall (there's no
such thing), but it's better than nothing, and it'll help those of you who
are having problems with Optus. You should check syslog regularly for any
notification of packets which weren't let through. Logcheck is a good
tool to do this for you, get it from http://www.psionic.com/. While
you're there, check out Portsentry too.
I don't think there are any errors in the above rules, but I'm sure
someone will let me know if I've screwed up ;-)
Cheers,
John
--
whois !JC774-AU@nospam.whois.aunic.net
--
SLUG - Sydney Linux Users Group Mailing List - http://www.slug.org.au