I have been perusing the various linux security sources looking for a reliable, proven source for ipfwadm firewall rules. I have found a few examples, but none that really suit the needs of a regular internet provider that wants maximum security, but not through obscurity.

My request to someone out there is to please post a working copy of ipfwadm rules that is WELL documented and not messy. I have found it difficult in the past to relate to some of the rules posted by various sources, as they are not documented enough for a novice ipfwadm user to read and understand what their purpose is.

I thought it was time that some poor soul brought this up, as I have really seen no interaction on the subject with an outcome that is beneficial to the various linux groups concerned about network integrity and security.

Regards, Shaun.
> On Sun, 14 Jun 1998, Brendon Drew wrote:
> | I was wondering if anyone here has or knows how to implement ttysnoop
> | w/ssh ?
>
> Sometime ago the Phrack magazine put out some excellent modules (for
> linux) that allow you (the root, of course) to grab any terminal,
> read/write. Sorry, can't remember the exact number, but it's somewhere
> between Phrack 48-50, I think.

This code was called "linspy". It was a loadable module that supplied real-time connection monitoring and hijacking. To a certain extent it was useful, but being unstable it would often crash your system.

Regards.
I was wondering if anyone here has or knows how to implement ttysnoop w/ssh ?
On Sun, 14 Jun 1998, Brendon Drew wrote:
> I was wondering if anyone here has or knows how to implement ttysnoop
> w/ssh ?

Okay, assuming you got it to work for telnet. In /etc/inetd.conf you told telnetd to use the ttysnoop server as its login program with something like...

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -L /bin/ttysnoops

So, to make it work for ssh you need to tell sshd the same thing. This means recompiling sshd. Proceed as per usual but instead of just ./configure you need to do...

./configure --use-login=/bin/ttysnoops

Now compile and install sshd as per normal. The only thing left is to make sure that you set...

UseLogin yes

...in your sshd_config file.

M.
On Sun, 14 Jun 1998, Brendon Drew wrote:
| I was wondering if anyone here has or knows how to implement ttysnoop
| w/ssh ?

Sometime ago the Phrack magazine put out some excellent modules (for linux) that allow you (the root, of course) to grab any terminal, read/write. Sorry, can't remember the exact number, but it's somewhere between Phrack 48-50, I think.

--- Annex
# My request to someone out there is to please post a working copy of
# ipfwadm rules, that is WELL documented and not messy.

Shameless plug:

http://linux.samiam.org/firewall.html
http://linux.samiam.org/firewall.text.html

ObRPM: Security fixes should not change the behavior of ps:

http://linux.samiam.org/blackdragon/procps-1.2.7-bsdps0.src.rpm
http://linux.samiam.org/blackdragon/procps-1.2.7-bsdps0.i386.rpm

- Sam

"That which does not destroy me, makes me stronger" -- Nietzsche
> My request to someone out there is to please post a working copy of
> ipfwadm rules, that is WELL documented and not messy. I have found it
> difficult in the past to relate to some of the rules posted by various
> sources, as they are not documented enough for a novice ipfwadm user to read
> and understand what their purpose is.
>
> I thought it was time that some poor soul has brought this up, as I have
> really seen no interaction on the subject with an outcome that is beneficial
> to the various linux groups concerned about network integrity and security.
>
> Regards, Shaun.

There is nothing better than a true understanding of TCP-IP security, all your network daemons, client software, etc. The O'Reilly Firewall book is required reading IMHO. I'll put this on my to-do list (write better firewall examples). BTW for ip accounting, use the ipac package, it generates pretty files =) (http://seifried-gateway.seifried.org/).

-seifried

#!/bin/sh
#
PATH=/sbin
#
#############################################################
# CLEAR ALL RULES
#############################################################
#
ipfwadm -f -I
ipfwadm -f -O
ipfwadm -f -F
#
#############################################################
# ICMP SETTINGS
#############################################################
#
# Deny ALL ICMP from external.
#
ipfwadm -I -a deny -P icmp -S 0.0.0.0/0 -W eth0 -D 0.0.0.0/0
ipfwadm -O -a deny -P icmp -S 0.0.0.0/0 -W eth0 -D 0.0.0.0/0
#
#############################################################
# ANTI SPOOF RULES
#############################################################
#
# Disallow 10.0.0.0/8 and 127.0.0.0/8 from external (spoofing)
#
ipfwadm -I -a deny -S 10.0.0.0/8 -W eth0 -D 0.0.0.0/0
ipfwadm -I -a deny -S 127.0.0.0/8 -W eth0 -D 0.0.0.0/0
#
#############################################################
# ALLOW INTERNAL HOSTS RULES
#############################################################
#
# Allow anything to come in from internal addresses
#
ipfwadm -I -a accept -P all -S 10.0.0.0/8 -W eth1 -D 0.0.0.0/0
#
#############################################################
# ALLOW FTP CLIENTS TO WORK
#############################################################
#
# Allow ftp-data (20) connections incoming to internal clients (1024:65535)
#
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 20 -D 0.0.0.0/0 1025:65535
#
#############################################################
# ALLOW DNS QUERIES TO WORK
#############################################################
#
# Allow named (udp 53) connections incoming to clients (1024:65535)
#
ipfwadm -I -a accept -P udp -S 0.0.0.0/0 53 -D 0.0.0.0/0 1025:65535
#
#############################################################
# ALLOW TO THE FTP SERVER
#############################################################
#
# Allow incoming connections to ftp-data (20) from anywhere
#
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 20
#
# Allow incoming connections to ftp (21) from anywhere
#
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 21
#
#############################################################
# ALLOW ACCESS TO SSH - use /etc/ssh/sshd_config
#############################################################
#
# Allow incoming connections to ssh (22) from anywhere
#
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 22
#
#############################################################
# ALLOW ACCESS TO SENDMAIL - use /etc/mail/*
#############################################################
#
# Allow incoming connections to smtp (25) from anywhere
#
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 25
#
#############################################################
# ALLOW ACCESS TO DNS SERVER - run chrooted, use named.conf
#############################################################
#
# Allow incoming connections to named for zone xfers (tcp 53) from anywhere
#
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 53
#
# Allow incoming connections to named queries (udp 53) from anywhere
#
ipfwadm -I -a accept -P udp -S 0.0.0.0/0 -D 0.0.0.0/0 53
#
#############################################################
# ALLOW ACCESS TO HTTP SERVER
#############################################################
#
# Allow incoming connections to www (80) from anywhere
#
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 80
#
#############################################################
# ALLOW ACCESS TO HTTPS SERVER
#############################################################
#
# Allow incoming connections to HTTPS from anywhere
#
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 443
#
#############################################################
# ALLOW ACCESS TO MISC PORTS
#############################################################
#
# Allow incoming connections to port 8080
#
#ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 8080
#
#############################################################
# ALLOW RETURNED CONNECTIONS
#############################################################
#
# Allow connections that have been established by clients
#
ipfwadm -I -a accept -k -P tcp -S 0.0.0.0/0 -W eth0 -D 0.0.0.0/0
ipfwadm -I -a accept -k -P udp -S 0.0.0.0/0 -W eth0 -D 0.0.0.0/0
#
#############################################################
# DENY ALL OTHER INCOMING PACKETS
#############################################################
#
# Deny all incoming connections, tcp, udp, to prevent syn floods/etc
#
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -W eth0 -D 0.0.0.0/0
ipfwadm -I -a deny -P udp -S 0.0.0.0/0 -W eth0 -D 0.0.0.0/0
#
#############################################################
# IP MASQUERADING SETTINGS
#############################################################
#
# Default deny policy
#
ipfwadm -F -p deny
#
# Allow IP Masquerading
#
#ipfwadm -F -a masquerade -S 10.0.0.0/16 -D 0.0.0.0/0
Hi,

S Hedges writes:
> > On Sun, 14 Jun 1998, Brendon Drew wrote:
> > Sometime ago the Phrack magazine put out some excellent modules (for
> > linux) that allow you (the root, of course) to grab any terminal,
> > read/write. Sorry, can't remember the exact number, but it's somewhere
> > between Phrack 48-50, I think.
> This code was called "linspy". It was a loadable module that supplied

Another neat program from the same Phrack issue (50) is juggernaut (spying, hijacking, resetting someone's connection). It helps a lot to make your boss aware of the need for security ;-)

Regards,
Oliver

--
Oliver Flimm                      Email: flimm@ph-cip.uni-koeln.de
CipLab, Institutes of Physics            flimm@ub.uni-koeln.de, flimm@guug.de
Cologne, Germany                  WWW  : http://www.ph-cip.uni-koeln.de/~flimm
> I have been perusing the various linux security sources looking for a
> reliable, proven source for ipfwadm firewall rules.
> My request to someone out there is to please post a working copy of
> ipfwadm rules, that is WELL documented and not messy.

If you haven't seen them already, try these Web sites for decent info on ipfwadm, including some real examples.

http://simba.xos.nl/linux/ipfwadm/
(the Paper at this site is worth reading)

http://oloon.student.utwente.nl/linux/ipmasq/index.html
(this site is about IP Masquerading, which is related, but it has some links to ipfwadm as well)

http://www.indyramp.com/mirrors/ipmasq/ipmasq-HOWTO.html
(this is the IP Masquerade mini HOWTO. Section 4.4 covers ipfwadm configuration)

What I'd suggest is that you get a _very_ basic set of rules in place one at a time & try various operations to verify that a given port (ie ftp, http, etc) does or does not work, according to the rules defined. This is the best way to get a feel for how they work. Try entering the rules from the command line one at a time, so you can see immediately what's happened. Once you understand what you need, then create the permanent rules file. Get a friend offsite to try various things & see what appears in the logfile. Once you've done this for a few rules, it will become clearer what is going on.

Hope this helps.

Regards,
Jeff Gray

Code Azure Pty Ltd, Sydney, Australia
http://www.provenance.com.au
Geek Code 3.1 : GCS d+(-) s+:-- a C++$ UL++$ E--- W++$ N+ w++$ !O- !M- !V-- PS+ PE+ Y+ PGP++ t- 5- X++ R+ tv++ b+++ DI+ D+ G e+ h--- r+++ y?
On Sat, 13 Jun 1998, S Hedges wrote:
> My request to someone out there is to please post a working copy of
> ipfwadm rules, that is WELL documented and not messy. I have found it
> difficult in the past to relate to some of the rules posted by various
> sources, as they are not documented enough for a novice ipfwadm user to read
> and understand what their purpose is.

I would suggest looking into a program called 'dotfile'. It is made to create various configuration files and you can get an ipfwadm module for it. It has a nice GUI, and after you are all done, it creates a clear and well-documented set of ipfwadm commands.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Kirk Bauer -- Georgia Tech -- kirk@kaybee.org  <== Finger for PGP
http://www.kaybee.org/~kirk   ResNet RTA   Computer Engineering
GT Sport Parachuting Club!   http://cyberbuzz.gatech.edu/skydive
On Sat, Jun 13, 1998 at 09:15:26PM -0600, S Hedges wrote:
> I have been perusing the various linux security sources looking for a
> reliable, proven source for ipfwadm firewall rules.

Here is the script I use on my home IP masquerade system. It is designed to deny everything except what is specifically allowed in some of the definitions near the top.

Note that there is one fatal problem -- the input firewall is changed to allow incoming data back to ports 1024 through 65535, because any of those might have been used to create an _outgoing_ connection (and thus might have data sent back to them). NFS servers might run on one of these high port numbers, so watch out. Note that it's still impossible to open any connections at all to a masqueraded host.

Enjoy. I'd be especially interested in hearing about any security problems I've missed, or a solution to the one I know about.

Have fun,

Avery

P.S. WARNING: do not run this script on an active system! Test it out carefully first, preferably in single-user mode!

#!/bin/bash
# Put these in the right order!
#
# Set the following to the list of services (names from /etc/services,
# or port numbers) which should be allowed as incoming connections.
#
ALLOW="ftp telnet auth domain"
ICMP_ALLOW=true

# set default policies
ipfwadm -Ip reject
ipfwadm -Op accept
ipfwadm -Fp deny

# flush the table contents
ipfwadm -Of
ipfwadm -If
ipfwadm -Ff

# localhost communications are allowed
ipfwadm -Ia accept -S 127.0.0.0/8 -D 127.0.0.0/8 -W lo
ipfwadm -Fa accept -S 127.0.0.0/8 -D 127.0.0.0/8 -W lo

# Forward between private networks but masquerade when sending their
# connections out. Never deny anything from one of our private networks.
#
ipfwadm -Fa accept -S 192.168.0.0/16 -D 192.168.0.0/16
ipfwadm -Ia accept -S 192.168.0.0/16 -D 0/0
ipfwadm -Fa masq -S 192.168.0.0/16 -D 0/0

# We need to allow TCP UDP back in on all ports that might have been used to
# make an outgoing connection. I don't really like doing this, but...
#
ipfwadm -Ia accept -P tcp -S 0/0 -D 0/0 1024:65535
ipfwadm -Ia accept -P udp -S 0/0 -D 0/0 1024:65535

# Allow ICMP (eg. ping) if specified
#
if [ -n "$ICMP_ALLOW" ]; then
    if $ICMP_ALLOW; then
        ipfwadm -Ia accept -P icmp -S 0/0 -D 0/0
    fi
fi

# Allow incoming connections for the specified port numbers
#
# portnum NAME: strip comments and the /tcp, /udp suffixes from
# /etc/services, then print the port number of the first line whose
# first field is NAME (or nothing if there is no such service).
function portnum {
    sed 's/\(#.*$\|\/tcp\|\/udp\)//g' /etc/services \
        | awk '/([ ]+|^)'$1'([ /]+|$)/ {print $2; exit 0}'
}

echo -e "Open ports: "\\c
for d in $ALLOW; do
    p=`portnum $d`
    if [ -z "$p" ]; then continue; fi
    echo -e "$d($p) "\\c
    ipfwadm -Ia accept -P tcp -S 0/0 -D 0/0 $p
    ipfwadm -Ia accept -P udp -S 0/0 -D 0/0 $p
    ipfwadm -Ia accept -P tcp -S 0/0 $p -D 0/0
    ipfwadm -Ia accept -P udp -S 0/0 $p -D 0/0
done
echo
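A rule-generation helper in the spirit of the portnum function in the script above, written here as an added example: it is not Avery's code and not part of the thread. It resolves each ALLOW entry against a constructed excerpt in /etc/services format rather than the real file, compares the service name as a whole field instead of using it as a regex, reports which protocols the name is actually registered for so that a rule is opened only for those (the original loop opens tcp and udp for every entry), and treats a name with no entry as an error instead of skipping it silently. The rules are printed, not executed. The function names lookup_ports and rules_for, the SAMPLE file and its contents are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Avery's script: resolve ALLOW entries to ports and the
# protocols they are registered for, and print (not run) the ipfwadm rules.
# A constructed excerpt in /etc/services format is written to a temp file so
# this runs anywhere; pass /etc/services as the file argument to use the
# real table instead.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# constructed sample data in /etc/services format
ftp             21/tcp
ssh             22/tcp
domain          53/tcp          # name-domain server
domain          53/udp
ntp             123/udp
auth            113/tcp         authentication tap ident
EOF

# lookup_ports FILE NAME: print one "port/proto" line per protocol entry
# for NAME. Comments are stripped first and the name is compared as a whole
# field, so a name containing regex metacharacters cannot widen the match.
lookup_ports() {
    sed 's/#.*$//' "$1" | awk -v name="$2" '$1 == name { print $2 }'
}

# rules_for FILE ENTRY: print the input-chain accept rules for one ALLOW
# entry. A service name opens only the protocols listed for it; a bare port
# number carries no protocol information, so it opens both tcp and udp (as
# the original loop does for every entry). An unknown name is an error
# rather than a silent skip, so a typo in ALLOW does not go unnoticed.
rules_for() {
    [ -n "$2" ] || return 1
    case "$2" in
        *[!0-9]*) list=$(lookup_ports "$1" "$2") ;;
        *)        list=$(printf '%s/tcp\n%s/udp' "$2" "$2") ;;
    esac
    if [ -z "$list" ]; then
        echo "rules_for: no entry for '$2' in $1" >&2
        return 1
    fi
    echo "$list" | while IFS=/ read -r port proto; do
        echo "ipfwadm -Ia accept -P $proto -S 0/0 -D 0/0 $port"
    done
}

# Walk an ALLOW list the way the original loop does, against the sample file.
ALLOW="ftp domain ntp 8080"
for d in $ALLOW; do
    rules_for "$SAMPLE" "$d"
done
```

With the sample data, "domain" yields a tcp and a udp rule for port 53, "ntp" yields only a udp rule, and a misspelt name makes rules_for fail with a message on stderr, which a calling script can use to abort before loading a partial rule set.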
seifried@seifried.org (seifried@seifried.org) wrote:
> # Deny ALL ICMP from external.
> #
> ipfwadm -I -a deny -P icmp -S 0.0.0.0/0 -W eth0 -D 0.0.0.0/0
> ipfwadm -O -a deny -P icmp -S 0.0.0.0/0 -W eth0 -D 0.0.0.0/0

You don't want to disable all icmp. It disables MTU discovery. Quoting the ipchains-howto ( http://www.adelaide.net.au/~rustcorp/ipfwchains/HOWTO.html )

  A worse problem is the role of ICMP packets in MTU discovery. All good TCP implementations (Linux included) use MTU discovery to try to figure out what the largest packet that can get to a destination without being fragmented (fragmentation slows performance, especially when occasional fragments are lost). MTU discovery works by sending packets with the "Don't Fragment" bit set, and then sending smaller packets if it gets an ICMP packet indicating "Fragmentation needed but DF set" (`fragmentation-needed'). This is a type of `destination-unreachable' packet, and if it is never received, the local host will not reduce MTU, and performance will be abysmal or non-existent.

> # Allow ftp-data (20) connections incoming to internal clients (1024:65535)
> #
> ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 20 -D 0.0.0.0/0 1025:65535

You should only allow these connections if you are absolutely positive there are no other services running in the 1025:65535 range that you have not taken care of separately. It is way too easy to make a connection come from port 20; security measures should not rely on the client behaving pc. A better way IMHO is to force the clients to use PASV-ftp (every client out there supports it) and let an internal squid forward ftp-requests from www-browsers to an external parent, or use some other ftp-proxy.

> # Allow named (udp 53) connections incoming to clients (1024:65535)
> #
> ipfwadm -I -a accept -P udp -S 0.0.0.0/0 53 -D 0.0.0.0/0 1025:65535

AFAIK big chunks of dns data are transported via tcp (and not only zone transfers). So you should also allow tcp. Then again, there is this tunneling issue (published in phrack I think), but this can bite you on any other ports as well.

[mod: I thought only zone transfers were done using tcp. Anybody know for sure? (Yes, nslookup also uses tcp if you use the "ls" command, but it just pretends being another named doing a zone transfer) -- REW]

Rather than gathering material on ipfwadm, I think we should all turn our heads towards ipchains, the excellent new firewalling implementation by Paul Russell, that is already in the new 2.1 kernels. This is the way to go, IMHO. Check out http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html and let's work on some basic setup we all can agree on. The Howto has some examples already.

just my 2 Pfennig,
Bernhard
On Wed, 17 Jun 1998, Joao Pedro Baptista Goncalves wrote:
> On Sun, 14 Jun 1998, a mole wrote:
> > This means recompiling sshd. Proceed as per usual but instead of just
> > ./configure you need to do...
> > ./configure --use-login=/bin/ttysnoops
> I do not know to what version of ssh are you referring to, but
> 1.2.25 (latest) does not recognize --use-login configure option.

You're right... my apologies... I should have checked the option instead of doing it from memory... the correct option is --with-login ... from ./configure --help ...

  --with-login[=PATH]     Use login -f to finish login connections.

> I've scanned through the code and have not realized where could i manually
> change that, as it seems sshd treats itself the login sequence.

It should be academic now we've got the genuine option... but it's in config.h ...

/* Define if you want the login patches. */
#define USELOGIN 1
#define PATH_LOGIN "/bin/login-"

Anyway.. sorry again about the confusion.. I hope this helps some. :)

M.
On Wed, Jun 17, 1998 at 02:59:43PM +0100, Glynn Clements wrote:
> Avery Pennarun wrote:
> >
> > # We need to allow TCP UDP back in on all ports that might have been
> > # used to make an outgoing connection. I don't really like doing this,
> > # but...
> > #
> > ipfwadm -Ia accept -P tcp -S 0/0 -D 0/0 1024:65535
>
> You probably want to use the -k flag to only accept packets with the
> ACK bit set (i.e. *not* inbound connections). You'll need to use
> passive mode for outbound FTP though.

Ah, right. Obviously my brain was running a bit low on sugar when I wrote that comment, because I now remember that non-passive FTP was the main reason I opened ports 1024-65535.

I know that some (non-Linux) firewalls do so-called "active firewalling" that opens certain ports only when it is expecting a call (from a particular IP address) on them. That would be ideal -- can Linux do it? How about in the 2.1 kernels with ipchains?

Have fun,

Avery
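An added example, not code from seifried, Avery or Glynn, that puts two points made in this thread side by side in dry-run form: Bernhard's objection that the "deny ALL ICMP" rules in seifried's script also drop the fragmentation-needed messages that path-MTU discovery depends on, and Glynn's suggestion of -k for the 1024:65535 return-traffic rule in Avery's script. Each function prints the ipfwadm commands it would issue; setting RUN=1 executes them instead on a 2.0-series kernel host. The interface name eth0 follows the thread's scripts; the fw helper, the function names and the selection of ICMP types 3, 11 and 0 are this example's own choices.

```shell
#!/bin/sh
# Added example, not from any poster: the "deny all ICMP" setting next to a
# narrower one, plus an ACK-only return-traffic rule. Dry run by default.
EXT_IF="eth0"   # assumed external interface, as in the thread's scripts

# fw ARGS...: print the command, or run it when RUN=1
fw() {
    if [ "${RUN:-0}" = "1" ]; then
        ipfwadm "$@"
    else
        echo "ipfwadm $*"
    fi
}

# Weak setting from the earlier script: every ICMP packet on the external
# interface is dropped, including type 3 code 4 (fragmentation needed), so
# path-MTU discovery towards hosts behind a smaller-MTU link silently breaks.
icmp_deny_all() {
    fw -I -a deny -P icmp -S 0.0.0.0/0 -W "$EXT_IF" -D 0.0.0.0/0
    fw -O -a deny -P icmp -S 0.0.0.0/0 -W "$EXT_IF" -D 0.0.0.0/0
}

# Narrower setting: with -P icmp, ipfwadm reads the ICMP type in the
# source-port position. Accept the types a host must receive to operate,
# then deny the rest of inbound ICMP. Outbound ICMP is left to the output
# chain so our own errors and echo requests still go out.
#   3  destination unreachable (carries fragmentation-needed)
#   11 time exceeded (TTL expiry, traceroute replies)
#   0  echo reply (answers to pings we sent)
icmp_allow_needed() {
    for t in 3 11 0; do
        fw -I -a accept -P icmp -S 0.0.0.0/0 "$t" -W "$EXT_IF" -D 0.0.0.0/0
    done
    fw -I -a deny -P icmp -S 0.0.0.0/0 -W "$EXT_IF" -D 0.0.0.0/0
}

# Return traffic for outgoing connections: -k matches only TCP packets with
# ACK set, so replies are accepted but a bare SYN to a high port (a new
# inbound connection) still falls through to the deny policy. Non-passive
# FTP data connections arrive as SYNs and are not covered; use PASV.
tcp_return_only() {
    fw -I -a accept -k -P tcp -S 0.0.0.0/0 -W "$EXT_IF" -D 0.0.0.0/0 1024:65535
}

# Default run: show both ICMP variants and the return-traffic rule.
echo "# weak:";           icmp_deny_all
echo "# narrower:";       icmp_allow_needed
echo "# return traffic:"; tcp_return_only
```

The narrower ICMP block is still a deny-by-default list: anything not in the three accepted types falls through to the final deny, so the comparison is between dropping ICMP wholesale and dropping everything except the messages TCP needs to work. A quick check after loading either variant is a ping to a host behind a link with a smaller MTU and a large transfer to it; with the wholesale deny the transfer stalls while the small ping succeeds.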
On Wed, 17 Jun 1998, Bernhard Weisshuhn wrote:
> [mod: I thought only zone transfers were done using tcp. Anybody know
> for sure? (Yes, nslookup also uses tcp if you use the "ls" command, but
> it just pretends being another named doing a zone transfer) -- REW]

It took me a moment to recall when this happens. But it most often happens during MX lookups. If someone has a lot of MX's, then the UDP packet will indicate that it is truncated. named will then initiate a TCP connection to the same name server.

Now - a much more interesting question in my mind - is what named will do if it can't get the TCP connection? Will it quit? Will it try another valid name server for the domain? Will it return partial data if it can't talk to any of the name servers because TCP isn't allowed to any of them?

</chris>

--
"The only thing more frightening than a programmer with a screwdriver or a hardware engineer with a program is a user with wire cutters and the root password." - Elizabeth Zwicky

"The only thing that is in the same league with the user who has the root password is a construction grunt holding the unterminated end of a cat5 cable with a quizzical look on their face." - chicks