sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv=45
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=332000
sysctl -w net.ipv4.tcp_fin_timeout=15
sysctl -w net.ipv4.tcp_synack_retries=5
sysctl -w net.ipv4.tcp_fin_timeout=15
sysctl -w net.ipv4.tcp_keepalive_time=1500
sysctl -w net.ipv4.tcp_sack=0
sysctl -w net.ipv4.tcp_max_tw_buckets=1440000
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=20
sysctl -w net.ipv4.tcp_keepalive_time=1800
sysctl -w net.ipv4.tcp_keepalive_intvl=40
sysctl -w net.ipv4.tcp_tw_recycle=1
sysctl -w net.ipv4.tcp_tw_reuse=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.inet_peer_gc_maxtime=240
sysctl -w net.ipv4.inet_peer_maxttl=500
sysctl -w net.ipv4.inet_peer_minttl=80
Friday, 28 February 2014
Kernel parameter for network security
The following list shows tunable kernel parameters you can use to secure your Linux server against attacks.
Each tunable kernel parameter needs to be added to the /etc/sysctl.conf configuration file to make the change permanent across reboots. To activate the configured kernel parameters immediately at runtime, use:
# sysctl -p
Enable TCP SYN Cookie Protection
A "SYN Attack" is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.
To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.tcp_syncookies = 1
Disable IP Source Routing
Source Routing is used to specify a path or route through the network from source to destination. This feature can be used by network engineers for diagnosing problems. However, if an intruder were able to send a source routed packet into the network, he could intercept the replies, and your server might not know that it is not communicating with a trusted server.
To disable acceptance of source routed packets, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.accept_source_route = 0
Disable ICMP Redirect Acceptance
ICMP redirects are used by routers to tell the server that there is a better path to other networks than the one chosen by the server. However, an intruder could potentially use ICMP redirect packets to alter the host's routing table, causing traffic to use a path you didn't intend.
To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.accept_redirects = 0
Enable IP Spoofing Protection
IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks. For more information on IP Spoofing, I recommend the article IP Spoofing: Understanding the basics.
To enable IP Spoofing Protection, turn on Source Address Verification. Edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.rp_filter = 1
Enable Ignoring ICMP Requests
If you want or need Linux to ignore ping requests, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.icmp_echo_ignore_all = 1
This is not an option in many environments.
Enable Ignoring Broadcast Requests
If you want or need Linux to ignore broadcast requests, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Enable Bad Error Message Protection
To alert you about bad error messages in the network, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.icmp_ignore_bogus_error_responses = 1
Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets
To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.log_martians = 1
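One way to verify that a host actually carries the settings listed above (an added example, not code from the original post): it parses `sysctl -a`-style output, or reads the live /proc/sys tree, and reports every recommended key that is missing or set differently. The `default.*` entries are my addition so that newly created interfaces inherit the hardened values; the sample dump is constructed.

```python
"""Audit Linux network-hardening sysctls against the recommended values.

Added example, not part of the original post.  It accepts `sysctl -a`
output ("key = value" per line) so the check can run against a dump saved
from any host, or it can read /proc/sys directly on the local machine.
"""
import sys
from pathlib import Path

# Recommended values from the post.  The "default" interface entries are an
# addition: new interfaces inherit them even when "all" is already hardened.
RECOMMENDED = {
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.default.log_martians": "1",
}


def parse_sysctl_output(text):
    """Parse `sysctl -a` output into a dict of key -> value (as strings).

    Blank lines, comments and lines without "=" (such as the permission
    warnings an unprivileged `sysctl -a` prints) are skipped.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings, recommended=RECOMMENDED):
    """Return a sorted list of (key, expected, actual) for every deviation.

    A key absent from the dump is reported with actual=None, so a truncated
    dump or a kernel without the feature is never treated as compliant.
    """
    findings = []
    for key, expected in recommended.items():
        actual = settings.get(key)
        if actual != expected:
            findings.append((key, expected, actual))
    return sorted(findings)


def read_live_settings(recommended=RECOMMENDED, root="/proc/sys"):
    """Read the recommended keys from /proc/sys on the local host.

    A key maps to a path by replacing dots with slashes; unreadable or
    missing entries are left out so audit() reports them as None.
    """
    settings = {}
    for key in recommended:
        try:
            settings[key] = Path(root, *key.split(".")).read_text().strip()
        except OSError:
            pass
    return settings


# Constructed sample: a host with syncookies on, but ICMP redirects still
# accepted and martian logging never enabled (default.log_martians missing).
SAMPLE_DUMP = """\
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
"""

if __name__ == "__main__":
    # With a file argument, audit a saved `sysctl -a > dump.txt`;
    # without one, read the running kernel.  Exit 1 on any deviation.
    if len(sys.argv) > 1:
        current = parse_sysctl_output(Path(sys.argv[1]).read_text())
    else:
        current = read_live_settings()
    findings = audit(current)
    for key, expected, actual in findings:
        print(f"{key}: expected {expected}, found {actual}")
    sys.exit(1 if findings else 0)
```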
Read more: http://linuxpoison.blogspot.com/2008/10/kernel-parameters-for-enhance-security.html#ixzz2ugOskcQv
Secure server with bash script
#!/bin/bash
#
# modified: 18.08.2013 11:49 AM
#
# sys_tweaks, program check and "permissive rules" are from
# http://www.emoticode.net/bash/iptables-firewall.html

firewall="/sbin/iptables"
net_interface="wlan0"
tcp_ports="21,53,80,443,587,993,6697,7000,9600,9418,51000"
udp_ports="53,80,443,51000"

user_check() {
    if [ "$(id -u)" != "0" ]; then
        echo "ERROR: This script must be run as root" 1>&2
        exit 1
    fi
}

program_check() {
    # Check if the ip_tables module is loaded, try to load it otherwise
    lsmod 2>/dev/null | grep -q -c ip_tables
    if [ $? -ne 0 ]; then
        echo -e "ERROR: Can't find ip_tables module" && sleep 1
        echo "Trying to modprobe ip_tables..."
        modprobe ip_tables
        if [ $? -ne 0 ]; then
            tput sgr0
            exit 1
        fi
    fi
    # Check if firewall exists on system
    #if [ ! -e "$firewall" ]
    #  then
    #    echo "ERROR: $firewall is not available. Do you have iptables or netfilter installed?"
    #    exit 2
    #fi
}

sys_tweaks() {
    # Try to prevent SYN floods
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    # Disable response to ICMP broadcasts
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # Reject source-routed packets
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo "0" > /proc/sys/net/ipv4/conf/default/accept_source_route
    # Disable ICMP redirect acceptance
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects
    # Enable bad error message protection
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # Disable sending of ICMP redirects
    echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
    echo "0" > /proc/sys/net/ipv4/conf/default/send_redirects
    # Enable reverse path filtering
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
    # Log spoofed packets, source-routed packets, redirect packets
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    echo "1" > /proc/sys/net/ipv4/conf/default/log_martians
    # Disable IP forwarding
    echo "0" > /proc/sys/net/ipv4/ip_forward
}

permissive_rules() {
    echo '[ .. ] Configuring iptables ports and services (permissive rules)...'
    # user check
    user_check
    # Check if firewall exists on system
    #program_check
    # flush *all* rules
    do_flush
    # system tweaks
    sys_tweaks
    # Drop all incoming fragments
    #$firewall -A INPUT -i $net_interface -f -j DROP
    $firewall -A INPUT -f -j DROP
    # Drop outside packets with localhost address - anti-spoofing measure
    # (the negation must precede the option: "! -i lo", not "-i !lo")
    $firewall -A INPUT -s 127.0.0.0/255.0.0.0 ! -i lo -j DROP
    # Pass all locally-originating packets
    $firewall -A INPUT -i lo -j ACCEPT
    $firewall -A OUTPUT -o lo -j ACCEPT
    # Allow inbound established and related outside communication
    $firewall -A INPUT -m state --state ESTABLISHED,RELATED -i $net_interface -j ACCEPT
    # Drop outside initiated connections
    #$firewall -A INPUT -m state --state NEW -i $net_interface -j DROP
    $firewall -A INPUT -m state --state NEW -j DROP
    # Allow all outbound tcp + udp traffic with state
    $firewall -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    $firewall -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
    #$firewall -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

do_start () {
    echo '[ .. ] Configuring iptables ports and services (Paranoia mode)...'
    # user check
    user_check
    # Check if firewall exists on system
    #program_check
    # flush *all* rules
    do_flush
    # system tweaks
    sys_tweaks
    # ftp stuff
    #modprobe ip_conntrack
    #modprobe ip_conntrack_ftp
    # *Do not allow anything*
    $firewall -P INPUT DROP
    $firewall -P OUTPUT DROP
    $firewall -P FORWARD DROP
    # Sometimes you can be nice
    #$firewall -P FORWARD REJECT
    # almighty localhost for web developing and testing
    $firewall -A INPUT -i lo -j ACCEPT
    $firewall -A OUTPUT -o lo -j ACCEPT
    # allow specified ports for TCP and UDP
    $firewall -A OUTPUT -p tcp -m multiport --dports $tcp_ports -j ACCEPT
    $firewall -A OUTPUT -p udp -m multiport --dports $udp_ports -j ACCEPT
    $firewall -A INPUT -p tcp -m multiport --sports $tcp_ports -m state --state RELATED,ESTABLISHED -j ACCEPT
    $firewall -A INPUT -p udp -m multiport --sports $udp_ports -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Drop outside packets with localhost address - anti-spoofing measure
    $firewall -A INPUT -s 127.0.0.0/255.0.0.0 ! -i lo -j DROP
    # allow all traffic in IP range
    #$firewall -A INPUT -s 192.168.1.0/23 -j ACCEPT
    # Prevent DDoS?
    #$firewall -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
    # examples for explicitly denying all traffic on a port
    #$firewall -A INPUT -p udp --dport 22 -j DROP
    #$firewall -A INPUT -p tcp --dport 22 -j DROP
    # I repeat: *Do not allow anything*
    $firewall -P INPUT DROP
    $firewall -P OUTPUT DROP
    $firewall -P FORWARD DROP
    # Sometimes you can be nice
    #$firewall -P FORWARD REJECT
}

do_flush () {
    echo '[ .. ] Flushing all iptables rules...'
    # Check if firewall exists on system
    #program_check
    $firewall -F
    $firewall -X
    $firewall -Z
    $firewall -t nat -F
    $firewall -t mangle -F
    $firewall -t filter -F
    $firewall -t nat -X
    $firewall -t mangle -X
    $firewall -t filter -X
    $firewall -P INPUT ACCEPT
    $firewall -P FORWARD ACCEPT
    $firewall -P OUTPUT ACCEPT
}

help () {
    echo "$0 - manage iptables rules
usage: $0 action
Actions:
    start      - use defined (paranoia) iptables rules
    stop       - flush iptables rules
    permissive - use permissive mode
    *          - displays this help and exits"
}

# Dispatch on the first argument ("case $@" would break with extra arguments)
case "$1" in
    start )
        do_start
        ;;
    permissive )
        permissive_rules
        ;;
    stop )
        do_flush
        ;;
    * )
        help
        ;;
esac

exit 0
Manual init.d IPTables configuration
Another possibility is to manually configure your firewall rules through an init.d script that will run all the iptables commands. Take the following steps:
- Review the script below and adapt it to your needs.
- Test the script and review the syslog messages to see which traffic is being dropped. If you are testing from the network you will want to either run the sample shell snippet to remove the firewall (if you don't type anything in 20 seconds) or you might want to comment out the default deny policy definitions (-P INPUT DROP and -P OUTPUT DROP) and check that the system will not drop any legitimate traffic.
- Move the script to /etc/init.d/myfirewall
- Configure the system to run the script before any network is configured:
#update-rc.d myfirewall start 40 S . stop 89 0 6 .
#!/bin/sh
# Simple example firewall configuration.
#
# Caveats:
# - This configuration applies to all network interfaces
#   if you want to restrict this to only a given interface use
#   '-i INTERFACE' in the iptables calls.
# - Remote access for TCP/UDP services is granted to any host,
#   you probably will want to restrict this using '--source'.
#
# chkconfig: 2345 9 91
# description: Activates/Deactivates the firewall at boot time
#
# You can test this script before applying with the following shell
# snippet, if you do not type anything in 20 seconds the firewall
# rules will be cleared.
#---------------------------------------------------------------
# while true; do test=""; read -t 20 -p "OK? " test ; \
#   [ -z "$test" ] && /etc/init.d/myfirewall clear ; done
#---------------------------------------------------------------

PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Services that the system will offer to the network
TCP_SERVICES="22" # SSH only
UDP_SERVICES=""
# Services the system will use from the network
REMOTE_TCP_SERVICES="80" # web browsing
REMOTE_UDP_SERVICES="53" # DNS
# Network that will be used for remote mgmt
# (if undefined, no rules will be setup)
# NETWORK_MGMT=192.168.0.0/24
# Port used for the SSH service, define this if you have setup a
# management network but remove it from TCP_SERVICES
# SSH_PORT="22"

if ! [ -x /sbin/iptables ]; then
    exit 0
fi

fw_start () {

    # Input traffic:
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services
    if [ -n "$TCP_SERVICES" ] ; then
        for PORT in $TCP_SERVICES; do
            /sbin/iptables -A INPUT -p tcp --dport ${PORT} -j ACCEPT
        done
    fi
    if [ -n "$UDP_SERVICES" ] ; then
        for PORT in $UDP_SERVICES; do
            /sbin/iptables -A INPUT -p udp --dport ${PORT} -j ACCEPT
        done
    fi
    # Remote management (only when SSH_PORT is defined; an empty
    # SSH_PORT would make iptables fail on "--dport" without a value)
    if [ -n "$SSH_PORT" ] ; then
        if [ -n "$NETWORK_MGMT" ] ; then
            /sbin/iptables -A INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
        else
            /sbin/iptables -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
        fi
    fi
    # Remote testing
    /sbin/iptables -A INPUT -p icmp -j ACCEPT
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -A INPUT -j LOG

    # Output:
    /sbin/iptables -A OUTPUT -j ACCEPT -o lo
    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ICMP is permitted:
    /sbin/iptables -A OUTPUT -p icmp -j ACCEPT
    # So are security package updates:
    # Note: You can hardcode the IP address here to prevent DNS spoofing
    # and to setup the rules even if DNS does not work but then you
    # will not "see" IP changes for this service:
    /sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT
    # As well as the services we have defined:
    if [ -n "$REMOTE_TCP_SERVICES" ] ; then
        for PORT in $REMOTE_TCP_SERVICES; do
            /sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
        done
    fi
    if [ -n "$REMOTE_UDP_SERVICES" ] ; then
        for PORT in $REMOTE_UDP_SERVICES; do
            /sbin/iptables -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
        done
    fi
    # All other connections are registered in syslog
    /sbin/iptables -A OUTPUT -j LOG
    /sbin/iptables -A OUTPUT -j REJECT
    /sbin/iptables -P OUTPUT DROP
    # Other network protections
    # (some will only work with some kernel versions)
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
}

fw_stop () {
    /sbin/iptables -F
    /sbin/iptables -t nat -F
    /sbin/iptables -t mangle -F
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -P OUTPUT ACCEPT
}

fw_clear () {
    /sbin/iptables -F
    /sbin/iptables -t nat -F
    /sbin/iptables -t mangle -F
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT
}

case "$1" in
    start|restart)
        echo -n "Starting firewall.."
        fw_stop
        fw_start
        echo "done."
        ;;
    stop)
        echo -n "Stopping firewall.."
        fw_stop
        echo "done."
        ;;
    clear)
        echo -n "Clearing firewall rules.."
        fw_clear
        echo "done."
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|clear}"
        exit 1
        ;;
esac
exit 0

Instead of including all of the iptables rules in the init.d script, you can use the iptables-restore program to restore the rules saved using iptables-save. In order to do this you need to set up your rules, then save the ruleset under a static location (such as /etc/default/firewall).
Reference : https://www.debian.org/doc/manuals/securing-debian-howto/
Thursday, 27 February 2014
Speedtest CLI
$ wget -O speedtest-cli https://raw.github.com/sivel/speedtest-cli/master/speedtest_cli.py
$ chmod +x speedtest-cli
$ ./speedtest-cli
Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Testing from Comcast Cable (x.x.x.x)...
Selecting best server based on ping...
Hosted by FiberCloud, Inc (Seattle, WA) [12.03 km]: 44.028 ms
Testing download speed........................................
Download: 32.29 Mbit/s
Testing upload speed..................................................
Upload: 5.18 Mbit/s
Install GoDaddy SSL Certificate
In this tutorial I'll show you how you can install a GoDaddy SSL certificate.
This example was made with a GoDaddy certificate:
Generate certificate for GoDaddy:
#openssl genrsa -des3 -out www.fasttrack2marketing.com.key 2048
#openssl req -new -key www.fasttrack2marketing.com.key -out www.fasttrack2marketing.com.csr
Give GoDaddy the content of www.fasttrack2marketing.com.csr.
Then you'll receive a mail at the administrative contact address of the domain.
After that you'll receive from GoDaddy a zip file containing the cert, in our example fasttrack2marketing.com.crt.
If you set a passphrase when you created the key file and you want to get rid of it, here is how you can remove the passphrase:
#openssl rsa -passin pass:yourpass -in www.fasttrack2marketing.com.key -out www.fasttrack2marketing.com.key.nopass
#mv www.fasttrack2marketing.com.key.nopass www.fasttrack2marketing.com.key
Then place the key and crt file into the /etc/pki/tls/certs dir:
#mv fasttrack2marketing.com.crt /etc/pki/tls/certs/
#mv www.fasttrack2marketing.com.key /etc/pki/tls/certs/
Make sure that nobody other than root can access those files:
#chmod 0600 /etc/pki/tls/certs/fasttrack2marketing.com.crt
#chmod 0600 /etc/pki/tls/certs/www.fasttrack2marketing.com.key
Configuring apache:
Install mod_ssl for apache:
#yum install mod_ssl
Edit /etc/httpd/conf.d/ssl.conf according to this:
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/fasttrack2marketing.com.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/certs/www.fasttrack2marketing.com.key
Add the document root, which should be the dir where your web files are stored:
DocumentRoot /virtual/web/sites/shared/www.fasttrack2marketing.com/html
Add a Directory block, which should contain the path to your web files:
<Directory "/virtual/web/sites/shared/www.fasttrack2marketing.com/html">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
Then restart Apache:
#/etc/init.d/httpd restart
Next you need to force HTTP requests to HTTPS. In order to do that, create a .htaccess file inside your web dir containing:
RewriteEngine on
RewriteCond %{SERVER_PORT} =80
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI}
That's it! Good luck!
Source : http://www.linuxexpert.ro/Linux-Tutorials/install-godaddy-ssl-certificate.html
Prevent DDOS Attack
Find which IP address on the server is targeted by the DDoS attack:
netstat -plan | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c
Find from which IPs the attack is coming:
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c
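The same count done robustly (an added example, not code from the original post): it splits each endpoint at the last colon, so IPv6 and IPv4-mapped addresses such as :::80 or ::ffff:198.51.100.7:51300 are not mangled the way `cut -d: -f1` mangles them, matches the local port exactly instead of `grep :80` (which also matches :8080), skips LISTEN sockets, and can restrict the count to SYN_RECV, the half-open state a SYN flood leaves behind. The netstat sample is constructed.

```python
"""Count peers per address from `netstat -plan` output.

Added example, not part of the original post.  Run as
    netstat -plan | python3 count_peers.py
or import count_peers() and feed it saved netstat output.
"""
from collections import Counter


def split_endpoint(endpoint):
    """Split "addr:port" into (addr, port), splitting at the LAST colon.

    netstat prints IPv6 endpoints with colons inside the address, so a
    naive split on the first colon returns an empty or truncated address.
    IPv4-mapped addresses ("::ffff:a.b.c.d") are normalised to plain IPv4 so
    the same client is not counted twice.  The port stays a string because
    listening sockets print it as "*".
    """
    addr, _, port = endpoint.rpartition(":")
    if addr.startswith("::ffff:"):
        addr = addr[len("::ffff:"):]
    return addr, port


def count_peers(netstat_text, local_port=80, side="foreign", states=None):
    """Return a Counter of addresses involved in connections to local_port.

    side="foreign" answers "from which IPs is the traffic coming";
    side="local" answers "which of our addresses is being targeted".
    states, if given, keeps only connections in those TCP states, e.g.
    {"SYN_RECV"} to look at half-open connections only.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data lines: Proto Recv-Q Send-Q Local Foreign State [PID/Program]
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        if state == "LISTEN":
            continue  # listening sockets have no peer
        laddr, lport = split_endpoint(local)
        if lport != str(local_port):
            continue  # exact port match, unlike `grep :80`
        if states is not None and state not in states:
            continue
        faddr, _ = split_endpoint(foreign)
        counts[laddr if side == "local" else faddr] += 1
    return counts


# Constructed sample: two normal clients, one host piling up half-open
# connections over both IPv4 and an IPv4-mapped IPv6 socket, and an
# unrelated service on port 8080 that `grep :80` would have pulled in.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:80         198.51.100.9:40001      SYN_RECV    -
tcp        0      0 203.0.113.10:80         198.51.100.9:40002      SYN_RECV    -
tcp        0      0 203.0.113.10:80         198.51.100.9:40003      SYN_RECV    -
tcp        0      0 203.0.113.10:8080       198.51.100.7:51300      ESTABLISHED 2345/java
tcp6       0      0 :::80                   :::*                    LISTEN      1234/httpd
tcp6       0      0 ::ffff:203.0.113.10:80  ::ffff:198.51.100.9:40004 SYN_RECV  -
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:44000     ESTABLISHED 1234/httpd
"""

if __name__ == "__main__":
    import sys
    # Busiest peers first, same shape as `sort | uniq -c | sort -rn`
    for addr, n in count_peers(sys.stdin.read()).most_common():
        print(f"{n:6d} {addr}")
```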
In csf:
vi /etc/csf/csf.conf
SYNFLOOD is disabled by default. If you are not receiving any sort of attack, there is no need to enable it. If you are expecting an attack, enable it and set the rules a bit strict, like
SYNFLOOD_RATE = "5/s"
SYNFLOOD_BURST = "3"
my eg:
SYNFLOOD = "1"
SYNFLOOD_RATE = "30/s"
SYNFLOOD_BURST = "10"
i.e. if 30 connections per second are received from an IP 10 times, block it. Make sure you don't keep it too strict if you are not under attack, otherwise it will generate false positives and block legitimate connections.
PORTFLOOD
PORTFLOOD = "80;tcp;100;5,22;tcp;5;300"
i.e. if an IP makes 100 connections in 5 sec to port 80 (tcp), it will be blocked from the server, and likewise if it makes 5 connections in 300 sec to port 22.
In /etc/sysctl.conf
Paste the following into the file, you can overwrite the current information.
#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Disables packet forwarding
net.ipv4.ip_forward=0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable logging of Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range (the upper bound must not exceed 65535)
net.ipv4.ip_local_port_range = 16384 65535
Run /sbin/sysctl -p and sysctl -w net.ipv4.route.flush=1 to enable the changes without a reboot.
TCP Syncookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Some IPTABLES Rules:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A INPUT -p tcp --syn -m state --state ESTABLISHED,RELATED --dport 80 -m limit --limit 1/s --limit-burst 2 -j ACCEPT
Source: http://linuxstuffs.wordpress.com/2009/10/25/drop-syncddos-attack/
Wednesday, 26 February 2014
IPTables
Here is our iptable rules:
#Name Servers
DNS1=""
DNS2=""
#Default Deny
iptables -P INPUT DROP
iptables -P OUTPUT DROP
#Allow Loopback
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
#Deny Bad Packets
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#Deny Packets from Invalid Address Space
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP
#Allow ICMP(Ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
#Allow DNS
iptables -A OUTPUT -p udp --sport 1024:65535 -d $DNS1 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s $DNS1 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1024:65535 -d $DNS2 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s $DNS2 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p UDP --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p TCP --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
## Allow Selective Inbound Connections
#DNS
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53 --dport 1024:65535 -j ACCEPT
#HTTP (Web Server)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 --dport 1024:65535 -j ACCEPT
#HTTPS (Web Server)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 --dport 1024:65535 -j ACCEPT
#FTP
iptables -A INPUT -p tcp --dport 21 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000:3100 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3000:3100 --dport 1024:65535 -j ACCEPT
#SSH
iptables -A INPUT -p tcp --dport 4777 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 4777 --dport 1024:65535 -j ACCEPT
#SMTP
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 --dport 1024:65535 -j ACCEPT
#Secure SMTP
iptables -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 465 --dport 1024:65535 -j ACCEPT
#IMAP
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 --dport 1024:65535 -j ACCEPT
#Secure IMAP
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 993 --dport 1024:65535 -j ACCEPT
#POP3
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 110 --dport 1024:65535 -j ACCEPT
#Secure POP3
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 995 --dport 1024:65535 -j ACCEPT
#cPanel
iptables -A INPUT -p tcp --dport 2082 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2082 --dport 1024:65535 -j ACCEPT
#Secure cPanel
iptables -A INPUT -p tcp --dport 2083 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2083 --dport 1024:65535 -j ACCEPT
#Web Host Manager
iptables -A INPUT -p tcp --dport 2086 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2086 --dport 1024:65535 -j ACCEPT
#Secure Web Host Manager
iptables -A INPUT -p tcp --dport 2087 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2087 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 2087 -j ACCEPT
#Webmail
iptables -A INPUT -p tcp --dport 2095 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2095 --dport 1024:65535 -j ACCEPT
#Secure Webmail
iptables -A INPUT -p tcp --dport 2096 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2096 --dport 1024:65535 -j ACCEPT
## Allow Selective Outbound Connections
#SMTP
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --sport 25 --dport 1024:65535 -j ACCEPT
#HTTP
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 --dport 1024:65535 -j ACCEPT
#HTTPS
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 --dport 1024:65535 -j ACCEPT
#cPanel Licensing
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 2089 -j ACCEPT
iptables -A INPUT -p tcp --sport 2089 --dport 1024:65535 -j ACCEPT
#WHOIS
iptables -A OUTPUT -p udp --sport 1024:65535 --dport 43 -j ACCEPT
iptables -A INPUT -p udp --sport 43 --dport 1024:65535 -j ACCEPT
any ideas what we need to change?