
Re: Port 80 Open



Hello,

Ansgar -59cobalt- Wiechers wrote:
On 2007-10-27 Telly Williams wrote:

-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s XX.XXX.XXX.XXX -i lo -j ACCEPT

No other source address than 127.0.0.1/8 is supposed to appear at the
loopback interface.

Wrong. Any local address, including the whole range 127.0.0.0/8 and all addresses and aliases configured on local network interfaces may appear in traffic involving the loopback interface. Besides, what's the use of address-based filtering on the loopback interface?

-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j DROP
# With the above two rules, I thought it put me in stealth
# mode(?).

Repeating myself: "stealth" is braindead marketing babble invented by
people who failed to understand TCP/IP for people who fail to understand
TCP/IP.

Anyway, "stealth" means that your box does not reply to any solicitation from the outside, not that it only drops some ICMP types.

Your host doesn't magically become "invisible" just because it
drops packets.

Agreed.

Besides, you shouldn't be dropping echo-request and time-exceeded. ICMP
is a vital part of IP and required e.g. for troubleshooting connection
problems. Rather do something like this:

iptables -N icmp_packets
# Allow ping, but limit it to 10 requests per second:
iptables -A icmp_packets -p icmp --icmp-type echo-request \
  -m state --state NEW -m limit --limit 10/sec -j ACCEPT
# Allow echo replies (pong) for accepted pings:
iptables -A icmp_packets -p icmp --icmp-type echo-reply \
  -m state --state ESTABLISHED -j ACCEPT
# Allow troubleshooting messages for all established connections:
iptables -A icmp_packets -p icmp --icmp-type destination-unreachable \
  -m state --state RELATED -j ACCEPT
iptables -A icmp_packets -p icmp --icmp-type source-quench \
  -m state --state RELATED -j ACCEPT
iptables -A icmp_packets -p icmp --icmp-type time-exceeded \
  -m state --state RELATED -j ACCEPT
iptables -A icmp_packets -p icmp --icmp-type parameter-problem \
  -m state --state RELATED -j ACCEPT
iptables -A icmp_packets -j DROP

I used to accept source-quench, but not any more after reading that some DoS attacks were based on it, and I'm not so sure it's really useful. I acknowledge that destination-unreachable can be abused too, but this one is really necessary.

-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A tcp_packets -p tcp -m tcp --dport 443 -m comment --comment "HTTPS" -j allowed
-A tcp_packets -p tcp -m tcp --dport 25 -j allowed
-A tcp_packets -p tcp -m tcp --sport 123 -m comment --comment "NTP" -j allowed

Why are you ACCEPTing NTP packets based on the source port?

Besides, I'm not sure that NTP uses TCP transport. Conversely HTTP(S) and SMTP(S) don't use UDP transport.

I globally agree with the other comments and suggestions.
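To tie the three points of this thread together (no address filtering on loopback, a rate-limited ICMP chain that does not accept source-quench, and NTP handled as UDP through connection tracking instead of a source-port match), here is an added example in iptables-restore format. It is not code from this thread or from either poster; it assumes the public interface is eth0 (override with PUB_IF), that the host serves HTTP, HTTPS and SMTP, that it is an NTP client (pass "server" to also accept incoming UDP/123), and that the conntrack match is available. The chain names icmp_packets and tcp_packets are reused from the thread; the "allowed" chain is replaced by plain ACCEPT.

```bash
#!/bin/bash
# Added example, not from the thread. Generates a corrected ruleset in
# iptables-restore format; see the lead-in for the assumptions.
PUB_IF="${PUB_IF:-eth0}"

gen_rules() {
    mode="${1:-client}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
# Loopback: trust the interface, not a source address. Any locally
# configured address may appear here, so a 127.0.0.1-only rule is wrong.
-A INPUT -i lo -j ACCEPT
# Stateful core. Replies to our own NTP queries (UDP/123) come back as
# ESTABLISHED, so no source-port rule is needed for NTP. ICMP errors
# about our own traffic (destination-unreachable, time-exceeded,
# parameter-problem) are RELATED and accepted here as well.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $PUB_IF -p icmp -j icmp_packets
-A INPUT -i $PUB_IF -p tcp --syn -m conntrack --ctstate NEW -j tcp_packets
EOF
    if [ "$mode" = "server" ]; then
        cat <<EOF
# NTP server: clients send to our port 123 over UDP, not TCP.
-A INPUT -i $PUB_IF -p udp --dport 123 -j ACCEPT
EOF
    fi
    cat <<EOF
# ICMP: answer pings, but rate-limited. Everything else that reaches this
# chain is unsolicited (source-quench included) and is dropped.
-A icmp_packets -p icmp --icmp-type echo-request -m limit --limit 10/sec --limit-burst 20 -j ACCEPT
-A icmp_packets -j DROP
# Services: match the port we listen on, never the peer's source port.
-A tcp_packets -p tcp --dport 80 -m comment --comment "HTTP" -j ACCEPT
-A tcp_packets -p tcp --dport 443 -m comment --comment "HTTPS" -j ACCEPT
-A tcp_packets -p tcp --dport 25 -m comment --comment "SMTP" -j ACCEPT
-A tcp_packets -j DROP
COMMIT
EOF
}

# Number of -A rules in the generated ruleset (comments excluded).
rule_count() {
    gen_rules "$1" | grep -c '^-A'
}

# Static checks for the mistakes discussed in the thread. Returns 0 if the
# ruleset is clean, 1 if any of them is present.
check_rules() {
    rules="$(gen_rules "$1" | grep -v '^#')"
    # no address-based filtering on the loopback interface
    printf '%s\n' "$rules" | grep -q -- '-i lo .*-s ' && return 1
    printf '%s\n' "$rules" | grep -q -- '-s 127\.' && return 1
    # no ACCEPT keyed on a source port
    printf '%s\n' "$rules" | grep -q -- '--sport' && return 1
    # NTP, if accepted inbound, must be UDP
    printf '%s\n' "$rules" | grep -- '--dport 123' | grep -qv -- '-p udp' && return 1
    return 0
}

# Usage: ./rules.sh client | sudo iptables-restore --test
# (drop --test to apply; "server" instead of "client" opens UDP/123).
if [ -n "${1:-}" ]; then
    check_rules "$1" || { echo "ruleset failed self-check" >&2; exit 1; }
    gen_rules "$1"
fi
```

The ESTABLISHED,RELATED rule at the top of INPUT replaces both the echo-reply rule and the four per-type RELATED rules of the chain quoted above, and it is also what lets NTP work without the "--sport 123" rule: the kernel tracks the outgoing UDP query and admits the answer. Whether source-quench should be accepted at all is moot here, since nothing we send can make it RELATED and the chain drops it.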
