Re: Port 80 Open
Hello,
Ansgar -59cobalt- Wiechers wrote:
On 2007-10-27 Telly Williams wrote:
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s XX.XXX.XXX.XXX -i lo -j ACCEPT
No other source address than 127.0.0.1/8 is supposed to appear at the
loopback interface.
Wrong. Any local address, including the whole range 127.0.0.0/8 and all
addresses and aliases configured on local network interfaces may appear
in traffic involving the loopback interface. Besides, what's the use of
address-based filtering on the loopback interface?
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j DROP
# With the above two rules, I thought it put me in stealth
# mode(?).
Repeating myself: "stealth" is braindead marketing babble invented by
people who failed to understand TCP/IP for people who fail to understand
TCP/IP.
Anyway, "stealth" means that your box does not reply to any solicitation
from the outside, not that it only drops some ICMP types.
Your host doesn't magically become "invisible" just because it
drops packets.
Agreed.
Besides, you shouldn't be dropping echo-request and time-exceeded. ICMP
is a vital part of IP and required e.g. for troubleshooting connection
problems. Rather do something like this:
iptables -N icmp_packets
# Allow ping, but limit it to 10 requests per second:
iptables -A icmp_packets -p icmp --icmp-type echo-request \
-m state --state NEW -m limit --limit 10/sec -j ACCEPT
# Allow echo replies (pong) for accepted pings:
iptables -A icmp_packets -p icmp --icmp-type echo-reply \
-m state --state ESTABLISHED -j ACCEPT
# Allow troubleshooting messages for all established connections:
iptables -A icmp_packets -p icmp --icmp-type destination-unreachable \
-m state --state RELATED -j ACCEPT
iptables -A icmp_packets -p icmp --icmp-type source-quench \
-m state --state RELATED -j ACCEPT
iptables -A icmp_packets -p icmp --icmp-type time-exceeded \
-m state --state RELATED -j ACCEPT
iptables -A icmp_packets -p icmp --icmp-type parameter-problem \
-m state --state RELATED -j ACCEPT
iptables -A icmp_packets -j DROP
I used to accept source-quench, but not any more after reading that some
DoS attacks were based on it, and I'm not so sure it's really useful. I
acknowledge that destination-unreachable can be abused too, but this one
is really necessary.
-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A tcp_packets -p tcp -m tcp --dport 443 -m comment --comment "HTTPS" -j allowed
-A tcp_packets -p tcp -m tcp --dport 25 -j allowed
-A tcp_packets -p tcp -m tcp --sport 123 -m comment --comment "NTP" -j allowed
Why are you ACCEPTing NTP packets based on the source port?
Besides, I'm not sure that NTP uses TCP transport. Conversely HTTP(S)
and SMTP(S) don't use UDP transport.
I globally agree with the other comments and suggestions.
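Added example, not code from this thread: a small Python lint that reads rules in iptables-save format and flags the three issues raised above (dropping echo-request/time-exceeded and similar ICMP, accepting on source port alone, address-based filtering on lo). Both embedded rulesets are constructed from the quoted rules, and the names ESSENTIAL_ICMP, parse_rule and audit are my own.

```python
"""Lint iptables-save style rules for the problems discussed in the thread."""
import shlex

# Constructed sample modelled on the quoted rules (not the poster's real dump).
ORIGINAL = """\
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j DROP
-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A tcp_packets -p tcp -m tcp --sport 123 -m comment --comment "NTP" -j allowed
"""
# The replacement chain suggested in the thread, for comparison.
SUGGESTED = """\
-A icmp_packets -p icmp --icmp-type echo-request -m state --state NEW -m limit --limit 10/sec -j ACCEPT
-A icmp_packets -p icmp --icmp-type echo-reply -m state --state ESTABLISHED -j ACCEPT
-A icmp_packets -p icmp --icmp-type destination-unreachable -m state --state RELATED -j ACCEPT
-A icmp_packets -p icmp --icmp-type time-exceeded -m state --state RELATED -j ACCEPT
-A icmp_packets -p icmp --icmp-type parameter-problem -m state --state RELATED -j ACCEPT
-A icmp_packets -j DROP
"""
# ICMP types the thread says a host should not drop (numeric and named forms).
ESSENTIAL_ICMP = {"8": "echo-request", "11": "time-exceeded",
                  "3": "destination-unreachable", "12": "parameter-problem"}
ESSENTIAL_ICMP.update({v: v for v in list(ESSENTIAL_ICMP.values())})

def parse_rule(line):
    """Map each option of one '-A' line to its value (True if it takes none)."""
    toks, opts, i = shlex.split(line), {}, 0
    while i < len(toks):
        has_arg = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        opts[toks[i]] = toks[i + 1] if has_arg else True
        i += 2 if has_arg else 1
    return opts

def audit(dump):
    """Return one finding string per problematic rule, in ruleset order."""
    findings = []
    for line in dump.splitlines():
        if not line.startswith("-A"):
            continue
        r = parse_rule(line)
        target = r.get("-j")
        if target in ("DROP", "REJECT") and r.get("--icmp-type") in ESSENTIAL_ICMP:
            findings.append(f"drops ICMP {ESSENTIAL_ICMP[r['--icmp-type']]}: {line}")
        if target not in (None, "DROP", "REJECT") and "--sport" in r and "--dport" not in r:
            findings.append(f"accepts on source port alone: {line}")
        if r.get("-i") == "lo" and "-s" in r:
            findings.append(f"address filter on loopback: {line}")
    return findings
```

Running audit(ORIGINAL) reports four findings, while audit(SUGGESTED) reports none; feed it the output of iptables-save to check a live ruleset.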