
Re: Port 80 Open



Forgot to send this via distro:

> > > 	ports to see what's wrong with it.  Only port 80 comes up as
> > > 	open, and, apparently, is a security violation.
> > 
> > why? 
> 
 	It's what I got from the check at grc.com.
> 
> > > 	ESTABLISHED,RELATED, the packets being dropped if they don't
> > 
> > ... you want just these.
> > 
 	OK, thanks.
> 
> > > 	Also, I'm running in stealth (not allowing icmp echo replies or
> > 
> > eh, not quite stealth
> 
 	What do you mean by that?  Ansgar said the same thing.  Now I'm
 	feeling like a dummy.
> 
> > > 	requests).  Some of my ports (i.e., 25 and 443) are coming up as
> > > 	closed.  Why are these ports showing up as closed at all?
> > 
> > why should they be open? are you providing SMTP and HTTPS to the outside?
> 
 	No, but I now understand what you're saying.
> 
> > perhaps providing a bit more info would help (eg iptables-save, interfaces)
> 
> 
 # Generated by iptables-save v1.3.6 on Sat Oct 27 17:51:42 2007
 *filter
 :INPUT DROP [8702:393937]
 :FORWARD DROP [0:0]
 :OUTPUT DROP [12:1175]
 :All_flags - [0:0]
 :Fragment - [0:0]
 :Invalid - [0:0]
 :No_flags - [0:0]
 :Spoofs - [0:0]
 :allowed - [0:0]
 :bad_tcp - [0:0]
 :icmp_packets - [0:0]
 :tcp_packets - [0:0]
 :udp_packets - [0:0]
 -A INPUT -p tcp -j bad_tcp 
 -A INPUT -p tcp -f -j Fragment 
 -A INPUT -p tcp -m iprange --src-range 10.0.0.0-10.255.255.255 -j Spoofs 
 -A INPUT -p tcp -m iprange --src-range 172.16.0.0-172.31.255.255 -j Spoofs 
 -A INPUT -p tcp -m iprange --src-range 192.168.0.0-192.168.255.255 -j Spoofs 
 -A INPUT -p tcp -m iprange --src-range 169.254.0.0-169.254.255.255 -j Spoofs 
 -A INPUT -s 127.0.0.1 -i lo -j ACCEPT 
 -A INPUT -s XX.XXX.XXX.XXX -i lo -j ACCEPT 
 -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource 
 -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j DROP 
 -A INPUT -d XX.XXX.XXX.XXX -m state --state RELATED,ESTABLISHED -j ACCEPT 
 -A INPUT -i eth1 -p tcp -j tcp_packets 
 -A INPUT -i eth1 -p udp -j udp_packets 
 -A INPUT -i eth1 -p icmp -j icmp_packets 
 -A INPUT -p tcp -m multiport --sports ! 8002 -m limit --limit 6/min --limit-burst 6 -j LOG --log-prefix "INPUT pkt dead: " --log-level 7 
 	#The above was for xmms.  I couldn't get it to work otherwise,
 	#but I'm still figuring out iptables & tcp/ip.
 
 -A OUTPUT -p tcp -j tcp_packets 
 -A OUTPUT -s XX.XX.XXX.XXX -j ACCEPT 
 -A OUTPUT -p tcp -m multiport --dports ! 8002 -m limit --limit 6/min --limit-burst 6 -j LOG --log-prefix "OUTPUT pkt dead: " --log-level 7 
 	# These numbers were arbitrary.  I'm still trying to understand
 	# them enough to put in accurate numbers.
 
 -A All_flags -j LOG --log-prefix "All Flags Set: " --log-level 5 
 -A All_flags -j DROP 
 -A Fragment -j LOG --log-prefix "Fragment: " --log-level 5 
 -A Fragment -j DROP 
 -A Invalid -j LOG --log-prefix "Packet not ID'd: " --log-level 5 
 -A Invalid -j DROP 
 -A No_flags -j LOG --log-prefix "No Flags Set: " --log-level 5 
 -A No_flags -j DROP 
 -A Spoofs -j LOG --log-prefix "Spoof: " --log-level 5 
 -A Spoofs -j DROP 
 -A allowed -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
 -A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
 -A allowed -p tcp -j DROP 
 -A bad_tcp -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j LOG --log-prefix "No SYN/ACK: " --log-level 5 
 -A bad_tcp -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset 
 -A bad_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j All_flags 
 -A bad_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j No_flags 
 -A bad_tcp -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn: " --log-level 5 
 -A bad_tcp -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
 -A bad_tcp -p tcp -m state --state INVALID -j Invalid 
 -A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP 
 -A icmp_packets -p icmp -m icmp --icmp-type 11 -j DROP 
 	# With the above two rules, I thought it put me in stealth
 	# mode(?).
 
 -A tcp_packets -p tcp -m tcp --dport 80 -j allowed 
 -A tcp_packets -p tcp -m tcp --dport 443 -m comment --comment "HTTPS" -j allowed 
 -A tcp_packets -p tcp -m tcp --dport 25 -j allowed 
 -A tcp_packets -p tcp -m tcp --sport 123 -m comment --comment "NTP" -j allowed 
 -A tcp_packets -p tcp -m tcp --dport 465 -m comment --comment "SMTPS" -j allowed 
 -A udp_packets -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "DHCP Purposes" -j ACCEPT 
 -A udp_packets -p udp -m udp --dport 80 -j ACCEPT 
 -A udp_packets -p udp -m udp --sport 123 -m comment --comment "NTP" -j ACCEPT 
 -A udp_packets -p udp -m udp --dport 443 -j ACCEPT 
 -A udp_packets -p udp -m udp --dport 465 -m comment --comment "SMTPS" -j ACCEPT 
 -A udp_packets -s XX.XX.XX.XX -p udp -m udp --dport 53 -j ACCEPT 
 -A udp_packets -s XX.XX.XX.XX -p udp -m udp --dport 53 -j ACCEPT 
 COMMIT
 # Completed on Sat Oct 27 17:51:42 2007
 
 Hope this helps.
 
 --------------------
 Telly Williams
 "Knowledge Is Power"
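Added example, not part of the post: a small Python walk over an iptables-save dump that reproduces what the scanner saw. A fresh SYN to port 25 is ACCEPTed by `tcp_packets` and `allowed` even though nothing listens there, so the kernel answers with RST and the port reports as "closed"; a port with no rule falls through to the INPUT policy DROP and reports as "stealth". It assumes a constructed, shortened copy of the dump above (masked address kept), a constructed probe packet, and only the matches that decide that outcome (options that take no value, such as `-f` or `--set`, do not occur in the excerpt).

```python
import shlex
# Constructed excerpt of the poster's iptables-save dump; rules a first SYN from outside cannot match are omitted.
RULES = """
:INPUT DROP [0:0]
:allowed - [0:0]
:tcp_packets - [0:0]
-A INPUT -d XX.XXX.XXX.XXX -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -j tcp_packets
-A allowed -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -j DROP
-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A tcp_packets -p tcp -m tcp --dport 25 -j allowed
-A tcp_packets -p tcp -m tcp --sport 123 -m comment --comment "NTP" -j allowed
"""

def parse(text):  # chain -> (policy, [rule tokens]) from iptables-save output
    chains = {}
    for line in text.splitlines():
        if line.startswith(':'):                 # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains[name] = (policy, [])
        elif line.startswith('-A '):             # "-A CHAIN matches... -j TARGET"
            toks = shlex.split(line)
            chains[toks[1]][1].append(toks[2:])
    return chains

# Matches the walk evaluates; -m, --comment and other options are neutral.
CONDS = {'-p': lambda p, v: p['proto'] == v, '-i': lambda p, v: p['iface'] == v,
         '-d': lambda p, v: p['dst'] == v, '--state': lambda p, v: p['state'] in v.split(','),
         '--dport': lambda p, v: p['dport'] == int(v), '--sport': lambda p, v: p['sport'] == int(v),
         '--tcp-flags': lambda p, m, c: p['flags'] & set(m.split(',')) == set(c.split(','))}

def rule_matches(toks, pkt):  # -> (every supported match holds, jump target)
    i, target, ok = 0, None, True
    while i < len(toks):
        opt, n = toks[i], 2 if toks[i] == '--tcp-flags' else 1  # tcp-flags: mask comp
        vals, i = toks[i + 1:i + 1 + n], i + 1 + n
        if opt == '-j':
            target = vals[0]
        elif opt in CONDS:
            ok &= CONDS[opt](pkt, *vals)
    return ok, target

def verdict(chains, chain, pkt):  # first terminal target, None on fall-through
    for toks in chains[chain][1]:
        ok, target = rule_matches(toks, pkt)
        if ok and target not in (None, 'LOG'):
            hit = verdict(chains, target, pkt) if target in chains else target
            if hit:
                return hit

def probe(chains, dport, sport=40000):  # fate of a fresh SYN arriving on eth1 (constructed packet)
    pkt = dict(proto='tcp', iface='eth1', dst='XX.XXX.XXX.XXX', state='NEW',
               flags={'SYN'}, dport=dport, sport=sport)
    return verdict(chains, 'INPUT', pkt) or chains['INPUT'][0]
```

Running `probe(parse(RULES), 25)` gives ACCEPT while `probe(parse(RULES), 8080)` gives DROP, which is the closed-versus-stealth difference the scan reported; the walk also shows that the TCP `--sport 123` rule (NTP is UDP, so it serves no purpose here) lets a SYN with source port 123 reach any destination port, so it is worth removing.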


