Archive for the 'Linux' Category
Linus Torvalds talks future of Linux
Linus Torvalds, creator of the Linux kernel, has, along with others like Richard Stallman, literally changed the world of software forever. Linux-based distributions seem to pop up every day, while more and more devices now run Linux at their core, from mobile phones to inflight entertainment systems, to the world’s mission critical server infrastructures.
The development of the kernel has changed, and Linux is just getting better and better. However, with a community as large and fractured as the Linux community, it can sometimes be hard to get a big picture overview of where Linux is going: what’s happening with kernel version 2.6? Will there be a version 3.0? What has Linus been up to lately? What does he get up to in his spare time?
Ubuntu Servers Hijacked, Used to Launch Attack
Members of the Ubuntu colocation team suggest the attack could have begun with a Chinese IP address.
The Ubuntu community had to yank five of the eight Ubuntu-hosted community servers sponsored by Canonical offline Aug. 6 after discovering that the servers had been hijacked and were attacking other machines.
It was suggested during an IRC (Internet relay chat) meeting of the Ubuntu colocation team Aug. 14 that the source of the troubles might have been a Chinese IP address trying to log onto the servers by brute force “for a long time now it seems,” said a participant.
On Aug. 14, the community began to bring the machines back up in a safe state so that they could recover data from them. Unfortunately, according to Ubuntu Community Manager Jono Bacon, the servers were all found to be out of date, stuffed with Web software, and missing security patches—at least in the instances where it was easy to determine what version they’re running.
“An attacker could have gotten a shell through almost any of these sites,” Bacon wrote in a posting regarding a change to colocation server policy that resulted from the incident.
“FTP (not sftp, without SSL) was being used to access the machines, so an attacker (in the right place) could also have gotten access by sniffing the clear-text passwords,” he said. Also, “the servers have not been upgraded past breezy due to problems with the network card and later kernels. This probably allowed the attacker to gain root.”
Bringing the servers back up has taken longer than the managers would have liked, Bacon said. Given that they’ve been relying on help from members spread over the globe, there are “arbitrary limits imposed by those remote hands” and there’s a “(relative) lack of bandwidth” available with which data can be copied from the machines, he wrote.
During the Aug. 14 IRC meeting, colocation teams were given a choice to migrate to the Canonical data center or stay on the hosted/outsourced servers. Canonical, based in the U.K., is a provider of services to individual and corporate open-source software users.
The pluses of moving to the Canonical data center, Bacon said, include better hardware and bandwidth, full-time support from Canonical’s systems administration team—including software maintenance—and integration into Ubuntu’s existing backup infrastructure.
Some of the minuses the Ubuntu community will have to deal with in a move to Canonical—the company behind the Ubuntu distribution—include having less software supported—with the wiki engine MoinMoin, the blog platform WordPress and the Ubuntu community forum Planet on the short list of still-supported applications.
The migration was still in swing as of Aug. 14, and the colocation team leaders were looking for help. “I’d be very happy if I got one index.html file to ubuntu-fi.org today as a start. MoinMoin would be very nice too,” one said during the IRC meeting. “One thing I would ask for is patience. I understand that a service outage like this makes many people anxious,” he said, requesting that those anxious about restoration of services go to the #canonical-sysadmin channel and ask publicly so that the first available systems administrator can answer the request.
In the meantime, data isn’t lost, although applications must be deep-sixed since executable code simply can’t be trusted following the intrusion.
“Due to the nature of the intrusion, we must assume that any and all executable code of any sort on the old sites is dangerous,” said the meeting leader, “Spads.” “…We have data, but executable code (python, PHP, Perl, any CGI, etc.) will need to be replaced.”
Linux Hosting versus Windows Hosting
If you’re new to the web world, and especially to web hosting, there are many decisions you have to make. Hosting provides the concrete base on which every e-business works and grows. There are numerous choices available in the market, but Linux and Windows hosting head the list. Everyone has their own knowledge bag according to which they run their business, but what is profitable for you may not be profitable for someone else. That’s why the majority of people are in troubled waters when choosing a hosting server for their business. Let’s delve into each kind of hosting and get a clear picture. The usual cost involved in running a server generally doesn’t affect the cost of the complete web hosting package. Windows hosting is owned and developed by Microsoft, whereas Linux is open source and free. The crux is that Windows hosting can be more expensive at times, but it has its own benefits too.
A common myth is that because your computer runs Windows you have to buy a Windows hosting package. This myth is absolutely wrong. You normally access your web account through FTP or a control panel, and both kinds of server support these methods. The major difference lies in the FTP commands, which are somewhat different on Linux and Windows. In short, occasionally when you try to get your FTP program to do something it returns an error message; still, this won’t happen very often. Linux and Windows hosting provide the same features, including PHP, MySQL, POP3 and many more. The major difference arises when you want to build your site using Access, Windows Streaming Media, ASP, the .NET environment, FrontPage or any other Microsoft technology. Then you’re bound to use Windows as your hosting server. Linux has only limited support for these technologies, and what is available is very expensive. That’s why it’s wise to think twice before selecting a hosting server, as shifting from one server to another can be very hard.
The next points to argue are the reliability and stability of the servers. Windows is far more insecure in comparison to Linux. Windows is the widely used operating system for home PCs, but Linux is not. However, Linux is equally insecure, as a whopping number of successful hack attempts have been made on it to date. Thus, in the end, the security of both servers usually depends upon the competency of the system administrators. If you’re security minded, you’ll choose the best and most secure hosting company irrespective of the chosen server. As for performance, there isn’t much difference between the two. Linux is faster than Windows, as Linux is built from extensible components, whereas Windows tries to provide an “all in one” package, which isn’t fruitful at times. There isn’t much difference between the two servers, but in terms of performance Linux outshines Windows.
Thus, if you’re hunting for a server for your e-business, think before you jump to any conclusion and don’t leave any stone unturned.
Tar Command
Creating tar files:
tar -cvf mystuff.tar mystuff/
tar -czvf mystuff.tgz mystuff/
extracting:
tar -xvf mystuff.tar
tar -xzvf mystuff.tgz
testing/viewing:
tar -tvf mystuff.tar
tar -tzvf mystuff.tgz
Note: .tgz is the same thing as .tar.gz
How to check for a DDoS attack on a server
A quick and useful command for checking if a server is under DDoS is:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That will list the IPs holding the most connections to the server. It is important to remember that DDoS attacks are becoming more sophisticated, using fewer connections from more attacking IPs. If this is the case you will still see low connection counts even while you are under a DDoS.
Another very important thing to look at is how many active connections your server is currently processing.
netstat -n | grep :80 |wc -l
netstat -n | grep :80 | grep SYN |wc -l
The first command will show the number of active connections that are open to your server. Many of the attacks typically seen work by starting a connection to the server and then never completing it, making the server wait for it to time out. The number of active connections from the first command will vary widely, but if you are much above 500 you are probably having problems. If the second command is over 100 you are having trouble with a SYN attack.
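As an added example (not from the original post), the two netstat pipelines above wrapped in shell functions so a threshold can be applied to the per-IP counts; the function names and the netstat sample are constructed for this example, and on a live server you would feed real output with `netstat -anp | peers_over 50`.

```shell
#!/bin/sh
# Added example: the post's netstat pipelines as functions, so that a per-IP
# threshold can be applied. Function names and the sample are constructed here.

# Constructed sample of `netstat -anp` output (not real traffic):
# 198.51.100.7 holds one established and two half-open (SYN_RECV) port-80 connections.
SAMPLE='tcp        0      0 10.0.0.5:80          198.51.100.7:51234     ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80          198.51.100.7:51235     SYN_RECV    -
tcp        0      0 10.0.0.5:80          198.51.100.7:51236     SYN_RECV    -
tcp        0      0 10.0.0.5:80          203.0.113.9:40001      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:22          192.0.2.44:55123       ESTABLISHED 999/sshd
udp        0      0 0.0.0.0:53           0.0.0.0:*                          800/named
tcp        0      0 0.0.0.0:80           0.0.0.0:*              LISTEN      1234/httpd'

# count_peers: read netstat lines on stdin and print "count ip" per remote peer,
# busiest last (same ordering as the post's pipeline). Listening sockets show a
# 0.0.0.0 wildcard peer, which is dropped so it does not distort the counts.
count_peers() {
    grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | grep -v '^0\.0\.0\.0$' \
        | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# peers_over N: print only the remote IPs holding at least N connections.
peers_over() {
    count_peers | awk -v t="$1" '$1 >= t { print $2 }'
}

# syn_count: half-open connections to port 80, as in the post's second command.
syn_count() {
    grep ':80 ' | grep -c SYN
}

# Usage on a live server:  netstat -anp | peers_over 50
# Run against the constructed sample:
printf '%s\n' "$SAMPLE" | count_peers
printf '%s\n' "$SAMPLE" | peers_over 3
printf '%s\n' "$SAMPLE" | syn_count
```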
To block a certain IP address on the server, use the following commands:
—————–command——————————
route add -host ipaddress reject
for example: route add -host 192.168.0.168 reject
You can check whether the given IP is blocked on the server with the following command:
route -n | grep IPaddress
—————–command——————————
OR
use the following commands to block an IP with iptables on the server (insert the rule first so it is evaluated before any ACCEPT rule, and save before restarting so the rule survives the restart):
—————–command——————————
iptables -I INPUT 1 -s IPADDRESS -j DROP
service iptables save
service iptables restart
—————–command——————————
(-j REJECT can be used in place of -j DROP.) Then kill all httpd connections and restart the httpd service with the following commands:
killall -KILL httpd
service httpd start
Linux: Setup a transparent proxy with Squid
The main benefit of setting up a transparent proxy is that you do not have to configure individual browsers to work with the proxy.
Install the Squid proxy server. I use Debian as my Linux distro, so I will be using APT to install it.
# apt-get install squid squid-common
Now let’s edit the config file squid.conf
# vi /etc/squid/squid.conf
Modify or add the following Squid directives in squid.conf:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
Where,
- httpd_accel_host virtual: Squid as an httpd accelerator
- httpd_accel_port 80: 80 is port you want to act as a proxy
- httpd_accel_with_proxy on: Squid act as both a local httpd accelerator and as a proxy.
- httpd_accel_uses_host_header on: Header is turned on which is the hostname from the URL.
- acl lan src 192.168.1.1 192.168.2.0/24: Access control list, only allow LAN computers to use squid
- http_access allow localhost: Squid access to LAN and localhost ACL only
- http_access allow lan: — same as above –
Here is the complete listing of squid.conf for your reference (grep will remove all comments and sed will remove all empty lines)
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
Or try out sed
# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
Iptables configuration
Next, I added the following rules to forward all HTTP requests (coming to port 80) to the Squid server port 3128:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Where eth0 is the WAN interface and eth1 is the LAN interface.
Here is the complete shell script. The script first configures the Linux system as a router and then forwards all HTTP requests to port 3128:
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to established/related connections from the Internet (covers UDP, DNS and passive FTP)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Save the shell script and execute it so that the system will act as a router and forward the ports:
# chmod +x /etc/firewall.sh
# /etc/firewall.sh
# service iptables save
# chkconfig iptables on
Start or restart the Squid:
# /etc/init.d/squid restart
# chkconfig squid on
List of Security Related Applications for Linux
Even though Linux is quite secure in the default installation of nearly any distribution, if you want to be sure that it is secure enough, there are applications and services available that will make your computer or system more secure and manageable.
Antivirus
- Clam AntiVirus – Extremely popular antivirus solution for UNIX based machines. Includes real time virus scanning and a virus definition database updated multiple times per day.
- AVScan – A front-end for Clam AntiVirus.
- AVG Anti-Virus – Effective virus scanning suite. Requires regular virus definition updates.
- Avast Home Edition – Complete antivirus suite including real time scanning, email protection, internet traffic filtering, a firewall and more.
Rootkit
Rootkits are about the nastiest forms of malware around. To keep your computer (and your privacy) safe, you’ll need an application to scan for rootkits.
- chkrootkit – The definitive solution for finding and removing rootkits from Linux machines.
Firewall
- Firestarter – Real time firewall that monitors all of the open ports and active network connections on your computer. Allows you to specify a very strict rule set.
- Firewall Builder – Useful tool for assembling a firewall rule set or policy for popular UNIX based firewalls including iptables, ipfilter, etc.
- TuxGuardian – Verifies the integrity of applications trying to gain access to the network. Useful for preventing viruses, trojans, spyware, etc. from spreading throughout the network.
- HardWall Firewall – Iptables based script that performs detailed packet inspection and filtering to keep your computer free from malicious traffic.
- BullDog – Complex firewall for advanced users.
- Smart sendmail filters – A collection of tools to block and filter sendmail spam as well as scan attachments for viruses.
- Sagator – An interface for the postfix, sendmail and other smtpd gateways that run popular antivirus and antispam solutions.
Web Utility
- Tor – Uses a network of virtual tunnels to provide anonymity for surfing the internet and transferring files over a network.
- WebCleaner – Allows you to control the type of data your proxy parses. Useful for eliminating dangerous malware and removing annoying popup ads.
Network
- SmoothWall – Firewall, IDS and VPN system for home users and networks.
- Nagios – Comprehensive web based tool equipped with virtually every imaginable feature for knowing exactly what’s going on in your network.
- nLive Core – Monitors the traffic that traverses your network via packet inspection and filtering.
- Nessus – Industry leading open source network vulnerability scanner. Highly scalable and very thorough.
Intrusion Detection System
- Snort – The premier free IDS solution. Detects a wide variety of attacks including buffer overflows, OS fingerprinting, CGI scans and more. Uses real time traffic analysis and packet logging on IP networks.
- HenWen [Mac] – Effective implementation of Snort IDS for Mac users.
- Open Source Host-based Intrusion Detection System – Personal IDS performing log analysis, registry monitoring, malware detection, time-based alerting and active response.
- Prelude – Detects system anomalies and reports findings to the user. Also analyzes logs for anomalies.
Virtual Private Network
- SSL-Explorer – Highly scalable VPN that integrates directly into your browser. Requires only a single open port to work.
- OpenVPN – Popular VPN solution specializing in remote access.
- strongSwan – IPsec based VPN using multiple encryption methods.
Wireless
- Kismet – Very popular wireless network detector, sniffer, and IDS.
Encryption
- GNU Privacy Guard – A command line based encryption tool using multiple encryption algorithms including OpenPGP, AES, SHA-1, and more.
- TrueCrypt – Creates virtual encrypted drives.
The list is of course not complete and there are a lot more applications that you can find for securing your Linux box.
Secure your Server with iptables
Central to securing a Linux server that’s connected to the Internet is having a good firewall and specific policies in place. Numerous options exist for those considering firewalls for Linux; however, a free and included solution is on offer through Netfilter and iptables.
Stateful Firewall
As of Linux kernel 2.4 and above, Netfilter has been included as a kernel extension by the majority of (if not all) Linux distributors. iptables is its counterpart and the tool for managing firewall rules. The duo, which I call simply “iptables”, creates a stateful firewall on a Linux desktop or server. “Stateful” refers to the firewall’s ability to track the state of packets moving in and out of a server and/or network.
This is an improvement on the former ipchains, through which packet state was not available. Thus, iptables can distinguish between new and existing connections and keep track of traffic. iptables recognizes four kinds of packet states: new, established, related and invalid.
The developer can take any number of routes and options when deploying an iptables firewall: via prepackaged solutions like APF, from within a control panel such as Webmin, which has an iptables module, or by way of a GUI configuration tool such as Firestarter.
For the purpose of this article, we’ll focus on securing a single development Web server environment where multiple services are offered. This will be accomplished by configuring iptables manually in a command line text editor (the rules file is traditionally stored at /etc/sysconfig/iptables).
This also means we will only be discussing the filter table, which is one of three tables in the firewall system (others include Mangle, which manages quality of services issues with packet traffic, and the NAT (network address translation) table).
How iptables Works
iptables executes its rules based on the TCP protocol handshake. When a remote device connects to your server, a packet is sent with a SYN (short for synchronization) bit, which is generally acknowledged with a SYN/ACK (synchronization acknowledged) sent from your server back to the client. The client then acknowledges receipt of this with an ACK, and the network relationship is established.
This terminology has also become more familiar to non-network administrators in recent years due to some well-publicized cases of SYN flooding, which is used to execute denial-of-service attacks. This occurs when a remote malicious host (or hosts) repeatedly sends SYN packets to multiple ports on a server, which the server acknowledges. However, instead of sending an ACK back to open a legitimate connection, the remote malicious host(s) continues sending SYN packets and the server repeatedly attempts to acknowledge them, ultimately clogging bandwidth and system resources, and either severely hampering or blocking all other traffic.
We will look at an option to protect against SYN flooding later, when we configure our server’s firewall.
Getting Started
Only the root user can manage iptables, so the usual precautions apply: taking action as root can damage your server’s health if a user is not careful.
iptables may or may not be running on your system. You can check by issuing ‘/etc/rc.d/init.d/iptables status’, which will either list the status of your firewall rules, or return something along the lines of ‘firewall is stopped’.
Controlling iptables operations is simple, with options such as start, stop, status and others using the above command.
At this point, we’ll assume that you don’t have an iptables configuration, and we’ll build the rules file from scratch. First, we need to identify the services you wish to enable (i.e. FTP, SSH, mail and HTTP), identify areas of concern (i.e. like SYN flooding) and potentially note any IP addresses whose access you may seek to ban.
If you are using a Red Hat-flavored system, as I am (Fedora Core 3 on a development server), you may find some generic rules in the /etc/sysconfig/iptables file. You will want to back up an existing iptables file if it has been in use. This can be done on the command line via ‘cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup’.
To start building your rules, open that file in your favorite command line editor. I issue ‘vi /etc/sysconfig/iptables’; you will press the Insert key or letter I key to start editing. Remember that when you’re finished editing, you’ll want to press the ESC key and type ‘:wq’ to save the file in Vi.
Allowing Targeted Access
Let’s build a set of firewall rules that will allow ftp, and allow ssh only to the IP addresses you specify and some additional ports you may need for other services. We’ll break each section down and discuss the details as we go.
One caveat: this firewall example will not be a completely hardened overview for the truly paranoid production box; it’s meant to serve as a primer to help you get used to handling basic rules with a solid level of packet filtering.
With the iptables file open in your favorite text editor, begin by setting some basic parameters. Use the following entry:
#My firewall config in /etc/sysconfig/iptables
#It is good practice to comment, initial, and date your config files for the sake of shared
#administrative environments and, also, so you remember what has been done in a file.
*filter
:OUTPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:FWALL-INPUT - [0:0]
:INPUT ACCEPT [0:0]
-A INPUT -j FWALL-INPUT
This allows outgoing access from your server, and allows forwarding as well as accepting all incoming traffic (if passing packets through your server is not needed, simply change the FORWARD policy from ACCEPT to DROP). The last line then sends all incoming traffic to our custom chain (FWALL-INPUT) for filtering.
As SSH is a critical factor for system management, user access and other options such as requiring SFTP from your clients, let’s enable this service. Depending on how you manage your clients/users, you may simply allow all incoming SSH traffic:
#accept all incoming ssh traffic
-A FWALL-INPUT -p tcp -m tcp -s 0/0 --dport 22 -j ACCEPT
Alternatively, SSH can be restricted to identified static IP address hosts:
#accept incoming ssh traffic from user John Doe
-A FWALL-INPUT -p tcp -m tcp -s x.x.x.x --dport 22 -j ACCEPT
#end specific ssh access – this commenting is handy if you have multiple users here as
#you can start and end sections if users have multiple IPs from which they can access
In breaking down those lines of code, we see:
- -A appends the rule to the firewall rule set
- -p represents protocol (which can be tcp, udp and icmp in varying cases)
- -m is for match and opens up options for extending packet management, for example to have granular control over SYN bits, defining destination and source ports. This is better explained at length in ‘man iptables’ than here, as multiple levels of options are available.
- -s signifies the source address, where 0/0 stands for any host, a specific host IP address can be used (as in the example above), or a network segment can be denoted, such as 10.0.1.0/24.
- --dport points to the destination port; in the case of SSH, it’s 22.
- -j selects the target (or jump target), which may be a custom target, or one of the common built-in targets such as ACCEPT or DROP.
Next, let’s consider FTP, an entry for the Webmin control panel, and a host of commonly used ports that are important to your server’s operation on the Internet.
# manage ftp port traffic
-A FWALL-INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# end ftp port
#My webmin custom port
-A FWALL-INPUT -p tcp -m tcp --dport 42009 -j ACCEPT
# end webmin
#SNMP monitoring so I can use a remote monitoring tool
-A FWALL-INPUT -p udp -m udp --dport 161 -j ACCEPT
-A FWALL-INPUT -p udp -m udp --sport 1023:2999 -j ACCEPT
#end SNMP
A quick security note: when enabling remote access to SNMP, please be sure to have invested time in securing your SNMP configuration file(s), including changing community strings and using authentication.
# some standard out ports with port definition
#POP mail
-A FWALL-INPUT -p tcp -m tcp --dport 110 -j ACCEPT --syn
#HTTPS
-A FWALL-INPUT -p tcp -m tcp --dport 443 -j ACCEPT --syn
#SMTP Traffic
-A FWALL-INPUT -p tcp -m tcp --dport 25 -j ACCEPT --syn
#HTTP
-A FWALL-INPUT -p tcp -m tcp --dport 80 -j ACCEPT --syn
#In my case – Urchin
-A FWALL-INPUT -p tcp -m tcp --dport 9999 -j ACCEPT --syn
#MySQL database server
-A FWALL-INPUT -p tcp -m tcp --dport 3306 -j ACCEPT --syn
-A FWALL-INPUT -p udp -m udp --dport 3306 -j ACCEPT
#IMAP mail services
-A FWALL-INPUT -p tcp -m tcp --dport 143 -j ACCEPT --syn
#DNS
-A FWALL-INPUT -p tcp -m tcp --dport 53 -j ACCEPT --syn
-A FWALL-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FWALL-INPUT -p udp -m udp -s 0/0 -d 0/0 --sport 53 -j ACCEPT
#Localhost traffic
-A FWALL-INPUT -i lo -j ACCEPT
#The below commits the rules to production for iptables to execute
COMMIT
You will notice we added the --syn flag. This is part of the previously mentioned -m (for matching) option in iptables. Here, we are specifically ensuring that only new connections with the SYN bit set, and for which no ACK is set, are accepted.
At this point, you have a working development firewall. You can add and remove services to meet your own requirements. However, we can make some additional entries. We can add a final rule that drops all packets that do not qualify for any of our preceding ports.
#Drop all other new requests not meeting any existing rule requirements applied to traffic
-A FWALL-INPUT -p tcp -m tcp -j REJECT --syn
-A FWALL-INPUT -p udp -m udp -j REJECT
SYN Flood Protection
For some added protection, we can also seek to prevent the flooding of new requests (packets with the SYN bit set and no ACK, as discussed earlier in the article) by limiting new requests to 5 per second, which allows the system time to apply the rules.
-A FWALL-INPUT -p tcp --syn -m limit --limit 5/second -j ACCEPT
This should appear at the top of your rules, just above the first SSH entry. Note that, placed there, the rule accepts any TCP SYN to any port while the rate stays within 5 per second, so those packets never reach the port-specific rules below it.
Banning Access
If there are troublesome hosts you have discovered in your logs, these can be banned via iptables; however, be cautious in light of IP masquerading. Do some research on the IP address you wish to block, to ensure it is not a legitimate SMTP server, or worse: one of your clients who has been spoofed.
To block a specific host:
#Block malicious system
-A FWALL-INPUT -p tcp -m tcp -s x.x.x.x -j DROP
Checking Firewall Logs
iptables traditionally logs basic entries to /var/log/messages. However, specific logging needs to be noted in your firewall rules if you’d like to track and research traffic. Many prefer to log only drop/reject actions, as this allows them to see any potential malicious behavior that’s being attempted.
This can be handled with an entry like the following:
#Option 1 logging drop/reject actions
-A FWALL-INPUT -j LOG --log-level alert
#Option 2 logging with a prefix for easy search/grep of log file
-A FWALL-INPUT -j LOG --log-prefix "Dropped: "
Finally, a nice open source iptables log analyzer is available; it provides an interface similar to those commonly used to view Web traffic statistics. Found online at gege.org, this daemon can be implemented into a LAMP (specifically PHP and MySQL) environment and used to log all iptables actions in place of the default /var/log/messages.
Setup and configuration is straightforward and only a minor edit to your iptables file will start the reporting process.
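For a lighter alternative to a full log analyzer, here is an added example (not from the original article) that summarises the "Dropped: " lines the LOG rule above writes to /var/log/messages: dropped packets per source, per destination port, and sources that hit several distinct ports; the function names and the log excerpt are constructed for this example.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines carrying the "Dropped: " prefix.
# Function names and the log excerpt below are constructed for this example.

# Constructed /var/log/messages excerpt (not from a real host): one source probing
# three TCP ports, one source repeating a single UDP port, one unrelated sshd line.
LOG='Jan 10 12:00:01 web1 kernel: Dropped: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:02 web1 kernel: Dropped: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:03 web1 kernel: Dropped: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:04 web1 kernel: Dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=5353 DPT=5353 LEN=28
Jan 10 12:00:05 web1 kernel: Dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=UDP SPT=5353 DPT=5353 LEN=28
Jan 10 12:00:06 web1 sshd[999]: Accepted publickey for alice from 192.0.2.44 port 55123 ssh2'

# kv FIELD: print the value of FIELD=value from every "Dropped: " line on stdin.
kv() {
    grep 'Dropped: ' | awk -v k="$1" '{
        for (i = 1; i <= NF; i++) if (index($i, k "=") == 1) print substr($i, length(k) + 2)
    }'
}

# dropped_sources: "count ip" per SRC, busiest first.
dropped_sources() {
    kv SRC | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# dropped_ports: "count PROTO/DPT" per destination port, busiest first.
dropped_ports() {
    grep 'Dropped: ' | awk '{
        p = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "PROTO=") == 1) p = substr($i, 7)
            if (index($i, "DPT=") == 1)   d = substr($i, 5)
        }
        if (d != "") print p "/" d
    }' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# scanners N: sources dropped on at least N distinct destination ports, which is
# the pattern a port probe leaves behind (one hit per port rather than a flood).
scanners() {
    grep 'Dropped: ' | awk '{
        s = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "SRC=") == 1) s = substr($i, 5)
            if (index($i, "DPT=") == 1) d = substr($i, 5)
        }
        if (s != "" && d != "") print s, d
    }' | sort -u | awk '{print $1}' | uniq -c | awk -v n="$1" '$1 >= n { print $2 }'
}

# Usage on a live server:  scanners 5 < /var/log/messages
# Run against the constructed excerpt:
printf '%s\n' "$LOG" | dropped_sources
printf '%s\n' "$LOG" | dropped_ports
printf '%s\n' "$LOG" | scanners 2
```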
Next Steps
The man pages for iptables are extensive and it is recommended to spend some time getting accustomed to the various options before moving a firewall into production. For example, options exist for using the -m (matching) option to manage packet states – i.e. allowing only new and established connections for specific services.
There are endless documents related to iptables on the Web, however, the best place to start is at the source: Netfilter’s Website. Tutorials range from basic networking concepts and packet filtering to setting up network address translation and advanced connection tracking options.
Finally, as noted before, this firewall does not represent the be-all and end-all configuration. It is a great place to start when exploring your options with iptables. Administrators, based on their environment, will have varying levels of paranoia to accommodate. Some systems I manage are locked as tight as possible, while others have fairly open doors for testing and development.
Samba SAMR Change Password Command Injection Vulnerability
Samba is “a Unix server application used to implement Windows file sharing and domain controlling functionality. SAMR is the named pipe used to access the SAM, security accounts manager, database. This database stores login credentials on NT based systems”.