Hackerlere karsi onlem (iptables)
Hackerlere karsi önlem (iptables):
...
# Step 1: a source that is already on WATCHLIST and was registered less than
#         20 s ago is dropped outright.  --rcheck only looks at the entry, it
#         does not refresh its timestamp, so the window counts from the last
#         registration, not from the last blocked attempt.
/sbin/iptables -A INPUT \
  -m recent --name WATCHLIST --rcheck --seconds 20 \
  -j DROP
# Step 2: a new tcp/22 (ssh) connection is accepted and its source address is
#         (re)registered on WATCHLIST for step 1.
/sbin/iptables -A INPUT -p tcp --dport 22 \
  -m recent --name WATCHLIST --set \
  -j ACCEPT
...
Ayni adresten 20 saniye icinde en fazla 1 baglantiya müsaade var.
20 saniye icinde tekrar baglanmasi engelleniyor.
Bunu denemek icin söyle yapin:
ssh -p22 -l isim makina
Password: isteyince CTRL-C yapin ve hemen tekrar baglanmayi deneyin.
--> Tekrar baglanmak mümkün degil! :-)
Tabii bu test 2 terminal penceresinden de denenebilir:
birinde normal login, ikincisinde login yapmak mümkün degildir.
Login 20 saniye sonra mümkün olur.
Bu isin calismasi icin Linux kernel >= 2.6.14'e gerek var.
Ve ipt_recent modulü yüklenmis olmali (modprobe ipt_recent).
Kontrol icin: cat /proc/net/ip_tables_matches
O listede "recent" yoksa yukaridaki modprobe komutu ile yüklenmesi gerekir.
Makinayi reboot yapinca iptables kurallarinin otomatikman yüklenmesi
icin o kurallar /etc/network/if-pre-up.d/ altinda bir dosyada tutulmali
ve chmod +x yapilmis olmali...
Tabii ssh icin port 22 yerine baska bir port kullanilirsa daha saglam olur.
Bunun icin /etc/ssh/sshd_config dosyasina bakin... iptables'de de ayni
port ayari yapilmali tabii... :-)
#####################################################
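### MY_firewall.sh
#
# Host firewall for a single server (optionally an OpenVZ hardware node, HN).
# Every chain of the filter table gets policy DROP; only the services listed
# in ssh_port / test_port / tcp_in_ports / udp_in_ports are reachable from
# outside, and outbound traffic is allowed without restriction (see the
# final OUTPUT rule).  The complete ruleset is rebuilt from scratch on each
# run, so re-running the script is safe.
#
# Requirements:
#   - run as root
#   - Linux >= 2.6.14 with the "recent" match available (module ipt_recent
#     on old kernels, xt_recent on newer ones) for the WATCHLIST feature;
#     without it the script falls back to plain ACCEPT rules and says so.
#
# Written in POSIX sh (no bashisms) so it also works from
# /etc/network/if-pre-up.d/ under /bin/sh.
#
# NOTE: between "-P DROP" and the ACCEPT rules below, all traffic --
# including existing sessions -- is blocked for a moment.  Run it from a
# console or from a session that survives a short hiccup.

ipt=/sbin/iptables

# Services reachable from outside.  Keep ssh_port in sync with the Port
# setting in /etc/ssh/sshd_config if sshd listens elsewhere.
ssh_port=22
test_port=8192   # "my test port"
smb_port=139     # windows filesharing: never served, probes land on WATCHLIST
tcp_in_ports="4643 8443 8880 80 443 21 587 25 465 110 995 119 563 143 993 53"
udp_in_ports="53"

# Seconds during which a host registered on WATCHLIST is refused.
watch_seconds=20

# lo_mode=
# "1" : set lo rules at top (--> then other rules are not applied to lo)
# "2" : set lo rules at end (--> then other rules are applied to lo too)
lo_mode="1"

# Accept everything on the loopback interface (all three chains).
allow_lo() {
  "$ipt" -A INPUT -i lo -j ACCEPT
  "$ipt" -A OUTPUT -o lo -j ACCEPT
  "$ipt" -A FORWARD -i lo -o lo -j ACCEPT
}

# --- filter table: wipe, then fail-closed defaults per chain ---------------
"$ipt" -F
"$ipt" -X
"$ipt" -Z
for chain in INPUT OUTPUT FORWARD; do
  "$ipt" -P "$chain" DROP
  "$ipt" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # a TCP packet that is neither a SYN nor part of a tracked connection is
  # bogus (scan, stale session); answer with RST so the peer gives up fast
  "$ipt" -A "$chain" -p tcp ! --syn -j REJECT --reject-with tcp-reset
  "$ipt" -A "$chain" -m state --state INVALID -j DROP
done

if [ "$lo_mode" = "1" ]; then
  allow_lo
fi

# --- mangle and nat tables: wipe and leave fully open ----------------------
"$ipt" -t mangle -F
"$ipt" -t mangle -X
"$ipt" -t mangle -Z
for chain in PREROUTING OUTPUT INPUT FORWARD POSTROUTING; do
  "$ipt" -t mangle -P "$chain" ACCEPT
done
"$ipt" -t nat -F
"$ipt" -t nat -X
"$ipt" -t nat -Z
for chain in PREROUTING OUTPUT POSTROUTING; do
  "$ipt" -t nat -P "$chain" ACCEPT
done

# --- WATCHLIST (connection throttle via the "recent" match) ----------------
if grep -q recent /proc/net/ip_tables_matches; then
  # Anybody on WATCHLIST registered within the last $watch_seconds seconds
  # gets every packet that is not part of an established connection dropped
  # -- to ANY port, not just ssh.  A host that opens ssh and then, say, HTTP
  # within that window sees the HTTP connection dropped too.  --rcheck does
  # not refresh the entry, so the window counts from the last --set below.
  "$ipt" -A INPUT -m recent --name WATCHLIST --rcheck --seconds "$watch_seconds" -j DROP
  # accept a new ssh connection and (re)register its source on WATCHLIST
  "$ipt" -A INPUT -p tcp --dport "$ssh_port" -m recent --name WATCHLIST --set -j ACCEPT
  # probes to windows filesharing are dropped and put the source on WATCHLIST
  "$ipt" -A INPUT -p tcp --dport "$smb_port" -m recent --name WATCHLIST --set -j DROP
  # accept the test port and register the source, same as for ssh
  "$ipt" -A INPUT -p tcp --dport "$test_port" -m recent --name WATCHLIST --set -j ACCEPT
else
  printf '%s\n' "# ipt_recent module is not loaded. Cannot use WATCHLIST feature. Ask your HN admin." >&2
  "$ipt" -A INPUT -p tcp --dport "$ssh_port" -j ACCEPT
  #"$ipt" -A INPUT -p tcp --dport "$smb_port" -j DROP
  "$ipt" -A INPUT -p tcp --dport "$test_port" -j ACCEPT
fi

# --- public services -------------------------------------------------------
# word-splitting on the port lists is intended
# shellcheck disable=SC2086
for port in $tcp_in_ports; do
  "$ipt" -A INPUT -p tcp --dport "$port" -j ACCEPT
done
# shellcheck disable=SC2086
for port in $udp_in_ports; do
  "$ipt" -A INPUT -p udp --dport "$port" -j ACCEPT
done
# echo request (ping) is answered; no rate limit is applied here
"$ipt" -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT

if [ "$lo_mode" != "1" ]; then
  allow_lo
fi

# explicit final verdicts: inbound DROP (same as the policy, but visible in
# the counters), outbound ACCEPT -- outgoing traffic is unrestricted
"$ipt" -A INPUT -j DROP
"$ipt" -A OUTPUT -j ACCEPT

# on a openVZ HN we must enable FORWARD:
if test -d /proc/vz && test -f /usr/sbin/vzctl; then
  printf '%s\n' "# This is an openVZ HN: FORWARD packets will be ACCEPTed"
  "$ipt" -A FORWARD -j ACCEPT
else
  printf '%s\n' "# This is not an openVZ HN: FORWARD packets will be DROPped"
  "$ipt" -A FORWARD -j DROP
fi

# show the result; -n avoids reverse DNS lookups, which can stall the listing
"$ipt" -v -n -L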
#####################################################