
Re: easiest way to shut down all network services besides ssh?



 Hi.

On Thu, 18 Dec 2014 12:35:31 +0100
Mart van de Wege <mvdwege@gmail.com> wrote:

> Reco <recoverym4n@gmail.com> writes:
> 
> >  Hi.
> >
> > On Thu, Dec 18, 2014 at 10:39:18AM +0100, Mart van de Wege wrote:
> >> Britton Kerin <britton.kerin@gmail.com> writes:
> >> 
> >> > I have a system that I would like to make accessible only by ssh.
> >> >
> >> > No apache telnet ftp anything else.
> >> >
> >> > What is the easiest way to achieve this?  It came from a vendor with
> >> > a slew of package of all sorts, so I don't even know everything that
> >> > I want to remove.
> >> >
> >> Simplest solution is to use iptables to reject all traffic except for
> >> port 22:
> >> 
> >> iptables -I INPUT -p tcp --dport 22 -j ACCEPT
> >> iptables -P INPUT DROP
> >> 
> >> Of course, this depends on none of the shell users having root access.
> >
> > The simplest *working* solution is to use iptables this way:
> >
> > iptables -F INPUT
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A INPUT -p icmp -j ACCEPT
> > iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
> > iptables -P INPUT DROP
> > iptables -F OUTPUT
> > iptables -P OUTPUT ACCEPT
> >
> >
> > Your rules will block anything on the interface lo and outbound traffic,
> > which is just asking for all kinds of trouble. And blocking icmp is just
> > rude ;)
> 
> Heh. You're right about the lo blockage, I keep forgetting that
> every time I write iptables rules.

Oops. I forgot about this one:

iptables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \
-j ACCEPT


> Outbound traffic is not necessary, surely? The answers of the box to
> incoming ssh packets still count as part of the INPUT stream.

Not unless you use '-m conntrack --ctstate NEW'. And (see below) not
unless you'll want to limit all new outbound connections to ssh only.


> The
> RELATED,ESTABLISHED rule is only for stupid protocols like FTP, that
> like to open new outbound connections in response to inbound requests.

Not quite true. You forgot to take into account good old DNS, for
example. Now, sure, DNS *is* stupid, but sshd relies on it to some
extent. Or, say, NTP, which is UDP-based too.

Besides, OP may need to establish new outbound connections from his
host. This:

iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \
-j ACCEPT

will allow such connections without the need to punch multiple holes in
the INPUT chain.


> Then again, chain OUTPUT defaults to ACCEPT anyway.

True. But, just to be on the safe side, I'd add '-P ACCEPT' to OUTPUT
too.

Reco
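An added example, written for this archive page and not posted by Reco, Mart or anyone else on the list: the same "ssh only" policy the thread converges on, but expressed as an iptables-restore file so it loads atomically, with a rollback timer so a mistake cannot lock you out of a remote box. It goes a little beyond the thread in two places: one conntrack rule without "-p" covers TCP, UDP and ICMP replies at once (so the separate tcp and udp rules above collapse into one), and the FORWARD chain is set to DROP as well. The file paths, the 60-second timer and the FORWARD policy are my own choices, not anything the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread: build an "ssh only" ruleset in
# iptables-restore format, apply it atomically, and keep a rollback timer
# running so a mistake cannot lock you out of a remote box.
# Assumptions (mine, not the list's): the file paths, the 60 s timer and
# the FORWARD DROP policy are my choices.

SSH_PORT="${SSH_PORT:-22}"
RULES_FILE="${RULES_FILE:-/tmp/ssh-only.rules}"
BACKUP_FILE="${BACKUP_FILE:-/tmp/iptables.backup}"

# Print the ruleset. $1 = ssh port, $2 = ICMP protocol name: "icmp" for
# iptables-restore, "ipv6-icmp" for ip6tables-restore (dropping ICMPv6
# also breaks neighbour discovery, so it must stay open there too).
# One conntrack rule without "-p" covers TCP, UDP and ICMP replies alike.
ssh_only_ruleset() {
    port="$1"
    icmp="${2:-icmp}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p $icmp -j ACCEPT
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Extract the INPUT chain policy from ruleset text on stdin; after
# applying, "iptables-save | input_policy" must print DROP.
input_policy() {
    sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}

# Apply with a safety net: syntax-check first, save the current rules,
# start a background restore of them in 60 s, then load the new set.
# If the new rules cut your session, the old ones come back on their own;
# if ssh still works, kill the timer to keep the new rules.
apply_with_rollback() {
    ssh_only_ruleset "$SSH_PORT" > "$RULES_FILE" || return 1
    iptables-restore --test < "$RULES_FILE" || return 1
    iptables-save > "$BACKUP_FILE" || return 1
    ( sleep 60 && iptables-restore < "$BACKUP_FILE" ) &
    rollback_pid=$!
    iptables-restore < "$RULES_FILE" || { kill "$rollback_pid"; return 1; }
    echo "new rules loaded; run: kill $rollback_pid  (within 60 s) to keep them"
}

# Only touch the kernel when explicitly asked (needs root).
case "${1:-}" in
    apply) apply_with_rollback ;;
esac
```

Run it as "sh ssh-only.sh apply" from an existing ssh session, confirm a second login still works, then kill the timer it prints. Three checks a practitioner will want afterwards: "iptables-save | input_policy" must print DROP; the rules only cover IPv4, so the same file with "ipv6-icmp" in place of "icmp" must go through ip6tables-restore or every daemon listening on :: stays reachable; and rules loaded this way do not survive a reboot, so on Debian save them with iptables-save to /etc/iptables/rules.v4 (and rules.v6) for the iptables-persistent package to reload at boot. Note also that the firewall only hides the vendor's extra services; "ss -lntup" still lists them, and removing them is the real fix to the OP's question.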

