Security Basics: Re: Stand alone linux webserver security tuning

Re: Stand alone linux webserver security tuning

From: Ansgar -59cobalt- Wiechers <bugtraq_at_planetcobalt.net>
Date: Tue, 13 May 2008 20:13:39 +0200

On 2008-05-13 Robert Giruckas wrote:
> I am administrating a stand alone linux web server (CentOS latest
> distro). I would like to know how can I improve my firewall on web
> server, for example: DoS preventions, Syn port scan detection using
> iptables and so on.

You don't really need a firewall on a standalone webserver. There are
only very few DoS types you can handle on the host itself (syn floods
for instance). Most DoS attacks are better handled upstream. There's no
real need to handle ICMP aside from what's configured via sysctl (unless
you want to apply rate-limiting, which only makes sense on a router,
IMHO). And I wouldn't waste my time with detecting portscans.

If you really want to run a firewall on the host, go for something like
this:

----8<----
#!/bin/sh

IPT=/sbin/iptables

EXT_ETH="eth0"

LOGLEVEL="debug"
LIMIT="5/s"
BURST_LIMIT="10"
LOG_LIMIT="2/s"
LOG_BURST_LIMIT="10"

# --- Default Policies ---

# Always set the policies before flushing the chains
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

$IPT -F
$IPT -X

# --- User-defined Chains ---

$IPT -N SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit $LIMIT --limit-burst $BURST_LIMIT \
  -j RETURN
$IPT -A SYN_FLOOD -m limit --limit $LOG_LIMIT --limit-burst $LOG_BURST_LIMIT \
  -j LOG --log-level $LOGLEVEL --log-prefix "SYNFLOOD: "
$IPT -A SYN_FLOOD -j DROP

# --- INPUT Chain ---

$IPT -A INPUT -m state --state INVALID -j DROP

$IPT -A INPUT -i lo -j ACCEPT

# Detect and handle SYN floods
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD

# Drop TCP packets with bogus flag combinations (XMAS, null and other
# combinations that never occur in legitimate traffic)
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Drop packets from private address ranges coming in on the external
# interface
$IPT -A INPUT -i $EXT_ETH -s 127.0.0.0/8 -j DROP
$IPT -A INPUT -i $EXT_ETH -s 10.0.0.0/8 -j DROP
$IPT -A INPUT -i $EXT_ETH -s 172.16.0.0/12 -j DROP
$IPT -A INPUT -i $EXT_ETH -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i $EXT_ETH -s 192.168.0.0/16 -j DROP

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -i $EXT_ETH -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXT_ETH -p tcp --dport 80 -m state --state NEW -j ACCEPT

# Politely reject everything else, but only at a limited rate; anything
# beyond the limit falls through to the INPUT policy and is silently dropped
$IPT -A INPUT -p tcp -m limit --limit $LIMIT --limit-burst $BURST_LIMIT \
  -j REJECT --reject-with tcp-reset
$IPT -A INPUT -p udp -m limit --limit $LIMIT --limit-burst $BURST_LIMIT \
  -j REJECT --reject-with icmp-port-unreachable
---->8----

Keep things simple.

Regards
Ansgar Wiechers

-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
Received on May 13 2008
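The kernel settings the post refers to ("what's configured via sysctl") and the host-side SYN flood handling it mentions, as an added example that is not part of the original post: an /etc/sysctl.conf fragment for a standalone Linux web server such as the CentOS host in the question. The keys are standard Linux sysctls; the values are an assumption of reasonable settings for this role, not something taken from the post.

```ini
# Added example: /etc/sysctl.conf fragment for a standalone web server.
# Apply with "sysctl -p" and verify a key with e.g. "sysctl net.ipv4.tcp_syncookies".

# Host-side SYN flood handling: once the SYN backlog fills, answer with
# SYN cookies instead of refusing new connections.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
# Retransmit SYN-ACK fewer times so half-open entries from spoofed
# sources expire sooner (kernel default is 5).
net.ipv4.tcp_synack_retries = 2

# This host is not a router: do not forward, do not send ICMP redirects.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Ignore ICMP redirects and source-routed packets arriving from the network.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Reverse-path filtering drops packets whose source address is not
# routable back out the interface they arrived on (overlaps with the
# spoofed private-range sources the iptables script drops).
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log such packets; they appear as "martian source" in the kernel log.
net.ipv4.conf.all.log_martians = 1

# ICMP: ignore broadcast echo requests (smurf amplification) and bogus
# error responses. Unicast echo stays enabled so the host remains pingable.
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
```

With the iptables script above, ICMP that belongs to an existing flow (for example "fragmentation needed" for path MTU discovery) is still accepted by the ESTABLISHED,RELATED rule, so nothing in this fragment needs a matching firewall rule.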