Browsing the archives for the IPtables tag.


iptables – how to permanently apply changes.

F.A.Q.'s, How To's, P.C. Linux, Security, Ubuntu, Ubuntu Server

I have been monitoring my analytics and apparently people are having problems permanently applying rules to iptables.

If you read this article:

You can see how to make a file with all of your rules, apply it, and make it so it is loaded every time networking starts.

To add a rule just edit the file, re-apply, and let dry….lol

Any questions just leave me a comment, any problems you can e-mail me: nick|at|grochal|dot|com

@=|at| .=|dot| ; )


Basic IPtables Commands

Configuring Ubuntu, F.A.Q.'s, How To's, P.C. Linux, Ubuntu, Ubuntu Server

This is a basic IPtables help guide for beginners. I use Ubuntu and I run as root, so if you are not logged in as root please add sudo in front of any commands.

Listing your current rule set –

iptables -L

You should see your rules; if you have none you will see:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Allowing Incoming Traffic on Specific Ports

You can go wild and block everything, but chances are you will need ssh!

To allow your ssh, use your port in place of the one I have used after the --dport switch:

iptables -A INPUT -p tcp --dport 1337 -j ACCEPT

You can use this command to allow any port of your liking!

Blocking Traffic

As long as you have added your rules to accept traffic first, you can block all other traffic on the interface. This can be done by running the following command:

iptables -A INPUT -i eth0 -j DROP

Loopback

Allow loopback traffic!

iptables -I INPUT 1 -i lo -j ACCEPT

Logging

This will log dropped packets to syslog. The rule is inserted at position 5, so it sits before your DROP rule; adjust the number to fit your chain, because iptables refuses an index larger than the number of existing rules plus one:

iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7


Saving iptables

To see your settings in a form that can be saved and restored, use (it writes the current rules to standard output):

iptables-save

Save the rules to a file (the same file the pre-up line below restores from):

sh -c "iptables-save > /etc/iptables.up.rules"

Make IPtables run on startup:

nano /etc/network/interfaces

Now add the following line to the interface stanza:

pre-up iptables-restore < /etc/iptables.up.rules

It should now look similar to this:

...
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.up.rules

# The primary network interface
...
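To tie the two posts above together, here is an added example (my own, not from the original post) that generates the iptables-restore file the pre-up line loads, with the rules in the order the post describes: loopback first, then the ssh port, then the rate-limited LOG rule, and the interface DROP last. It also adds an ESTABLISHED,RELATED rule (not in the original post; it keeps replies to the server's own outbound connections from being dropped) and assumes the `state` match module is available. Nothing here calls iptables, so it runs without root.

```shell
#!/bin/sh
# gen_rules SSH_PORT IFACE: print a rules file in iptables-save format.
# Rule order matters: iptables walks the chain top to bottom and stops at
# the first match, so ACCEPT and LOG rules must come before the DROP.
gen_rules() {
    port="$1"   # ssh port, e.g. 1337 as in the post
    iface="$2"  # interface to block on, e.g. eth0
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $port -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -i $iface -j DROP
COMMIT
EOF
}

# log_before_drop SSH_PORT IFACE: exit 0 only if the LOG rule appears before
# the DROP rule, i.e. dropped packets will actually be logged.
log_before_drop() {
    gen_rules "$1" "$2" |
        awk '/-j LOG/ {l=NR} /-j DROP/ {d=NR} END {exit !(l && d && l < d)}'
}

# Print the file; redirect to /etc/iptables.up.rules to use it with pre-up.
gen_rules "${1:-1337}" "${2:-eth0}"
```

Load the generated file once by hand with `iptables-restore < /etc/iptables.up.rules` and check `iptables -L -n --line-numbers` before relying on the pre-up line.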

Any question leave a comment.


What is Suhosin Hardened PHP

Configuring Ubuntu, How To's, LAMP, P.C. Linux, Ubuntu, Ubuntu Server

First off, Suhosin (Hardened PHP) protects your server from malicious activity that can happen because of poor programming. It fixes some known vulnerabilities with secure workarounds, enables some secure encryption algorithms, and protects you from known application vulnerabilities (poor coding) and even unknown ones by looking for buffer overflows, etc.

Do you need it?

Well, if you are hosting only your own site on your server, you wrote all of the code, and you can ensure it is secure and no exploits can happen, then no, you don't. But even PHP core programmers write insecure code from time to time because they did not know about a PHP pitfall.

Summed up: you don't have to use it, but it would be unwise not to. Always keep in mind that you are not only protecting yourself and your users, but also other people on the internet who might get attacked by your server after it has been turned into a (spam/DDoS) attack drone.

What does Suhosin mean?

Suhosin (수호신) is a South Korean word that means something very similar to the English "guardian angel".

Why is Suhosin called Suhosin?

According to some blog entries, a few Korean people are kind of surprised about the name. They wonder why a German developer has chosen a Korean word for his project's name. The reason for this is very simple. The main developer of Suhosin has been interested in Korea for about a year now; he enjoys watching Korean movies, loves Korean food, and has been learning the Korean language for several months. Additionally, the word 'suhosin' is quite simple, sounds interesting, describes exactly what the program is, and bypasses the problem that most English words are already taken by popular software.

Feature List

Engine Protection (only with patch)

  • Protects the internal memory manager against buffer overflows with Canary and SafeUnlink protection
  • Protects Destructors of Zend Hashtables
  • Protects Destructors of Zend Linked-Lists
  • Protects the PHP core and extensions against format string vulnerabilities
  • Protects against errors in certain libc realpath() implementations

Misc Features

  • Protection Simulation mode
  • Adds the functions sha256() and sha256_file() to the PHP core
  • Adds support for CRYPT_BLOWFISH to crypt() on all platforms
  • Transparent protection of open phpinfo() pages
  • EXPERIMENTAL SQL database user protection

Runtime Protection

  • Transparent Cookie Encryption
  • Protects against different kinds of (Remote-)Include Vulnerabilities
    • disallows Remote URL inclusion (optional: black-/whitelisting)
    • disallows inclusion of uploaded files
    • optionally stops directory traversal attacks
  • Allows disabling the preg_replace() /e modifier
  • Allows disabling eval()
  • Protects against infinite recursion through a configurable maximum execution depth
  • Supports per Virtual Host / Directory configurable function black- and whitelists
  • Supports a separate function black- and whitelist for evaluated code
  • Protects against HTTP Response Splitting Vulnerabilities
  • Protects against scripts manipulating the memory_limit
  • Protects PHP's superglobals against extract() and import_request_vars()
  • Adds protection against newline attacks to mail()
  • Adds protection against \0 attacks on preg_replace()

Session Protection

  • Transparent encryption of session data
  • Transparent session hijacking protection
  • Protection against overlong session identifiers
  • Protection against malicious chars in session identifiers

Filtering Features

  • Filters ASCIIZ characters from user input
  • Ignores GET, POST, COOKIE variables with the following names:
    • GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST
    • _SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS
    • HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES
    • HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS
  • Allows enforcing limits on REQUEST variables, overall or separated by type (GET, POST, COOKIE)
    • Supports a limit on the number of variables per request
    • Supports a maximum length of variable names [with and without indices]
    • Supports a maximum length of array indices
    • Supports a maximum length of variable values
    • Supports a maximum depth of arrays
  • Allows only a configurable number of uploaded files
  • Supports verification of uploaded files through an external script
  • Supports automatic banning of uploaded ELF executables
  • Supports automatic banning of uploaded binary files
  • Supports automatic stripping of binary content in uploaded files
  • Configurable action on violation
    • just block violating variables
    • send HTTP response code
    • redirect the browser
    • execute another PHP script

Logging Features

  • Supports multiple log devices (syslog, SAPI module error log, external logging script)
  • Supports freely configurable syslog facility and priority
  • Supports log device separated selection of alert types to log
  • Alerts contain the filename and line number that triggered them
  • Alerts contain the IP address of the user triggering them
  • The IP address can also be extracted from X-Forwarded-For HTTP headers (e.g. for reverse proxy setups)

Let me know of any Q’s

Ubuntu Server – Using NMAP to scan your server for vulnerabilities.

Configuring Ubuntu, LAMP, Open Source, P.C. Linux, Ubuntu, Ubuntu Server

There may be other ways to install and configure this, but this is how I did it!

First install Ubuntu; if you are not logged in as root you may need to add "sudo" in front of your commands.

apt-get update
apt-get upgrade
apt-get install nmap

Now here is an example of scanning ports randomized (-r) with verbose output (-v) and OS detection (-O) for further enumeration/scanning.

nmap -r -v -O putyourdomainhere.com

You should see output similar to this:


Starting Nmap 4.62 ( http://nmap.org ) at 2008-12-08 12:18 EST
Initiating Parallel DNS resolution of 1 host. at 12:18
Completed Parallel DNS resolution of 1 host. at 12:18, 0.04s elapsed
Initiating SYN Stealth Scan at 12:18
Scanning putyourdomainhere.com (xx.xxx.xx.xx) [1715 ports]
Discovered open port 80/tcp on xx.xxx.xx.xx
Completed SYN Stealth Scan at 12:18, 0.05s elapsed (1715 total ports)
Initiating OS detection (try #1) against putyourdomainhere.com (xx.xxx.xx.xx)
Host putyourdomainhere.com (xx.xxx.xx.xx) appears to be up ... good.
Interesting ports on putyourdomainhere.com (xx.xxx.xx.xx):
Not shown: 1714 closed ports
PORT   STATE SERVICE
80/tcp open  http
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.23
Uptime: 2.854 days (since Fri Dec  5 15:49:01 2008)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=205 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.721 seconds
           Raw packets sent: 1734 (77.058KB) | Rcvd: 3472 (147.004KB)

NMAP is really that simple!
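The point of scanning your own server is to confirm that only the ports you meant to expose (the ssh port and web server from the posts above) are actually open. The following is an added example of mine, not part of the original post: it reads nmap's normal output and flags any open port that is not on an expected list. The sample report is constructed from the post's example run, with two extra open ports added for illustration.

```shell
#!/bin/sh
# Constructed sample in the format of "nmap -v host" normal output.
# In practice pipe the real scan into the functions below.
SAMPLE='Interesting ports on putyourdomainhere.com (xx.xxx.xx.xx):
Not shown: 1712 closed ports
PORT     STATE SERVICE
80/tcp   open  http
1337/tcp open  unknown
3306/tcp open  mysql'

# open_ports: read nmap normal output on stdin and print "port/proto" for
# every port line whose STATE column is exactly "open".
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }'
}

# unexpected_ports EXPECTED...: print each open port that is not in the
# expected list. Returns 1 if any were found, so it can gate a cron job
# that mails you when something new starts listening.
unexpected_ports() {
    found=0
    for p in $(open_ports); do
        case " $* " in
            *" $p "*) ;;                       # intended, say nothing
            *) echo "$p"; found=1 ;;           # not on the list
        esac
    done
    return $found
}

# The ssh port from the post and the web server are intended; mysql
# listening on the outside interface is not.
echo "$SAMPLE" | unexpected_ports 80/tcp 1337/tcp ||
    echo "WARNING: unexpected open ports listed above"
```

An unexpected port usually means a service bound to 0.0.0.0 that the firewall rules from the iptables post do not cover; bind it to localhost or add a rule, then rescan.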


Setting Timezone on Ubuntu Server

Configuring Ubuntu, How To's, LAMP, Ubuntu, Ubuntu Server

To set the timezone enter the following command:

dpkg-reconfigure tzdata

You will now see this, pick your closest zone:

After you pick that you will now pick your closest city:

You should now see some successful output:

Current default timezone: 'America/New_York'
Local time is now:      Fri Dec  5 11:08:46 EST 2008.
Universal Time is now:  Fri Dec  5 16:08:46 UTC 2008.

That was my output; yours may be different.
