From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from wsip-24-249-27-228.ri.ri.cox.net ([24.249.27.228] helo=lava-net.com) by speech.braille.uwo.ca with esmtp (Exim 3.36 #1 (Debian)) id 1HptKI-0002FN-00 for ; Sun, 20 May 2007 17:52:31 -0400 Received: by lava-net.com (Postfix, from userid 1020) id E6D84278002; Sun, 20 May 2007 17:52:52 -0400 (EDT) Date: Sun, 20 May 2007 17:52:51 -0400 From: Igor Gueths To: "Speakup is a screen review system for Linux." Subject: Re: security precautionswith iptables? Message-ID: <20070520215251.GA14939@lava-net.com> References: <000f01c79af4$9917f3d0$6501a8c0@GRANDMA> <627D29CE-08B6-4CDA-A741-CFDDEBCF9F43@softcon.com> Mime-Version: 1.0 Content-Type: text/plain; x-action=pgp-signed; charset=us-ascii Content-Disposition: inline In-Reply-To: <627D29CE-08B6-4CDA-A741-CFDDEBCF9F43@softcon.com> User-Agent: Mutt/1.4.2i X-Lava-net-MailScanner-Information: X-Lava-net-MailScanner: Found to be clean X-Lava-net-MailScanner-From: igueths@lava-net.com X-Spam-Status: No X-BeenThere: speakup@braille.uwo.ca X-Mailman-Version: 2.1.9 Precedence: list Reply-To: "Speakup is a screen review system for Linux." List-Id: "Speakup is a screen review system for Linux." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 May 2007 21:52:31 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi. Another idea is putting this in a script: /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT services ports go here /sbin/iptables -P INPUT DROP Only apply that policy when you know that all your required ports are open; if not, you may find yourself locked out of your machine, and only console access can fix things again. Igor On Sun, May 20, 2007 at 05:33:15PM -0400, Travis Siegel wrote: > If you turn off the various utilities in the inetd.conf file that you > don't use, that can help too. > I.E. since you're using ssh, you won't need telnet and rlogin. > Simply comment them out. That way, no matter how many packets go to > that destination port, it won't do a bit of good. > You are of course welcome to block any ports you like, and it's > likely that'll help too, but the inetd daemon is a nice way to secure > the machine as well. > > As for the problem with the outgoing ping packets, there are ways to > specify incoming/outgoing packets, but I've not fiddled with ip rules > for several years, so i don't remember the syntax. However, there's > a very good how-to on the linux how-to site explaining ipfwadm and > ipchains. One of the examples in there is how to secure the machine > for a particular service (don't remember which one) but it covers > that exact problem (if I remember correctly) > Try to see if you can find it. If not, I'm sure I have it *somewhere*. > But, just so you know, there is a solution, I (unfortunately) no > longer remember what it is though. > > > On May 20, 2007, at 11:34 AM, Littlefield, Tyler wrote: > > > Hello list, > > I've been told to block ping requests with iptables. I made the > > following rule: > > iptables -A INPUT -p icmp --icmp-type echo-request -j DROP > > The only problem with this, is it drops all pings incoming as well, > > which causes a slight problem. > > Any way around this? > > Also, is there anything else that can be done in order to make the > > system more secure? I was told to block fragmented packets. I know > > what they are, but don't know enough about tcp in order to be able > > to do much with them. > > Help is appriciated. > > Thanks, > > _______________________________________________ > > Speakup mailing list > > Speakup@braille.uwo.ca > > http://speech.braille.uwo.ca/mailman/listinfo/speakup > > > > > > > _______________________________________________ > Speakup mailing list > Speakup@braille.uwo.ca > http://speech.braille.uwo.ca/mailman/listinfo/speakup > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iQIVAwUBRlDDM6e2pgKIdGq4AQoodw//UDbhKeBebi522JidjBEKfbgGEHMQ5pQi kQcXVOn7bU9Z8n5Orm0m07eQIWPYxFFYMC5P/9wkaJHNy5dmEYUXYWLbt7ke9yje gbPAWvo4xzRt0GGHFoiqU5I5kYdD7I2fJ9ASEAXzliY2UdCZ/StKKDkJVHhJ1OZi hokQRjINMR4th0Gz2LcAXu2hN16KRQibnMYBzan+zn1sHhuLG4rer5eLq+8cr1Qb bl85kFqBG4Xp9FYQ1+R9tsgR0G0ifqikan7NzE7eIy1rEyWL0GbfaqWNNYro6+3j EaPjB+OdH16thcAc4tq6pjxxuTcBAWXGDxdpA0D+U3L8Z2kjgVdqStLfl+T/1B3z lS7pB9nkykc6mpVrzb6NZDkEcuo73jfCYEO+Yx36GjAwCkTZXhvaTvr0sFGHTWV4 xIFI8OXhJip93x1jLt7/2+DhsbsRCd6sWYAakWdCXEK8xgt9/TxZ9xZLosq2f8v+ OB7Sg51X02C9HaDJF3Jim5SJoMbZYhV6w/bv5icSL/wUQQv7L8teP1qAtCK0uxHm MA9BPjbuTNTrpzB+7oRTchD5InlFMotnpd4FVXAmMYu2EqViroM21Ge5o9vAUFZq ktj17fFzjyf8PA5fBSlZy4J/+G1OveS9/5ZIoRc8v9/NVABCkB+RG53Zo6fjdAqd aFI+HFrlcLg= =6Fu5 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.