Sunday, December 4, 2011

RH Linux Basic Network Security

You either have a need to install linux or were just interested in doing so. Either way, linux is now installed and you'd like to connect your computer to the internet. Being a responsible network citizen, you'd like to be sure that your computer is configured to make a minimum negative impact on the network. In this page, I will outline some simple steps that you can take that will make your computer (and your data and your reputation) relatively safe from the big, bad internet.

Assumptions on my part:

You are the system administrator (possess the password for the root account)
You are running a distribution based on RedHat 6.2 or 7.0
You are going to connect your computer to the internet


Parts left out can't break (or maybe they can, but who can tell ?)

Many distributions of linux offer lots of network services by default. Rather than starting from this relatively insecure stance, we will turn all network services off until we need them.

Linux distributions based upon RedHat 6/7 have the configuration utility /sbin/chkconfig that can be used to see and to set what programs are started at system boot time. Here is an example:

[****@**** ~]$ /sbin/chkconfig --list
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
apmd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:off 4:on 5:off 6:off
named 0:off 1:off 2:off 3:off 4:off 5:off 6:off
keytable 0:off 1:off 2:on 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:on 2:on 3:on 4:on 5:on 6:off
pcmcia 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
linuxconf 0:off 1:off 2:on 3:off 4:off 5:off 6:off
lpd 0:off 1:off 2:on 3:off 4:off 5:off 6:off
inet 0:off 1:off 2:off 3:off 4:off 5:off 6:off
portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off
postgresql 0:off 1:off 2:off 3:off 4:off 5:off 6:off
xfs 0:off 1:off 2:on 3:off 4:off 5:off 6:off
routed 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rstatd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rusersd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rwhod 0:off 1:off 2:off 3:off 4:off 5:off 6:off
smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail 0:off 1:off 2:on 3:off 4:off 5:off 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:off 3:off 4:off 5:on 6:off
fwall 0:off 1:off 2:off 3:off 4:off 5:off 6:off
anacron 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ipchains 0:off 1:off 2:off 3:on 4:on 5:on 6:off
kdcrotate 0:off 1:off 2:off 3:off 4:off 5:off 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:off 3:off 4:off 5:off 6:off
identd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[morris@goes ~]$

The left-hand column is the name of the boot-time service, the numbered columns are the run levels, and off / on indicates the state of the service at that run level. For example, in the case above the service ipchains is on at run levels 3, 4, and 5 while the service sendmail is off at all run levels. Since our initial configuration will have every network service turned off, we will run chkconfig and turn off each of the services in the list below. An example command is given after the list. Note that after all of these services are turned off, you must reboot the computer for the changes to take effect. Also, you may not see all of these services, and some may already be turned off. Don't worry about this: you only need to use chkconfig to turn off the services on the following list that your computer lists as being on:


httpd
named
netfs
nfs
linuxconf
lpd
inet
portmap
routed
rstatd
rusersd
rwhod
smb
sendmail
snmpd
ypbind
yppasswdd
ypserv
nfslock
identd
dhcpd

For example, to turn off identd:

[****@*****]# /sbin/chkconfig identd off
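
The same step as a small script. This is an added example, not part of the original post: it reads chkconfig --list output and prints a chkconfig off command for every service on the list above that is on at some run level. The function names and the shortened sample listing are assumptions made for the illustration.

```shell
# Added example, not from the original post: turn `chkconfig --list` output
# into the `chkconfig <service> off` commands the article asks for.

# The article's list of network services to turn off.
NETWORK_SERVICES="httpd named netfs nfs linuxconf lpd inet portmap routed"
NETWORK_SERVICES="$NETWORK_SERVICES rstatd rusersd rwhod smb sendmail snmpd"
NETWORK_SERVICES="$NETWORK_SERVICES ypbind yppasswdd ypserv nfslock identd dhcpd"

# Reads a chkconfig listing on stdin; prints one command per listed service
# that is "on" at any run level. Services not on the list are left alone.
services_to_disable() {
    awk -v wanted="$NETWORK_SERVICES" '
        BEGIN {
            n = split(wanted, names, " ")
            for (i = 1; i <= n; i++) target[names[i]] = 1
        }
        ($1 in target) {
            for (f = 2; f <= NF; f++) {
                if ($f ~ /^[0-6]:on$/) {
                    print "/sbin/chkconfig " $1 " off"
                    break
                }
            }
        }
    '
}

# Sample input: a few lines copied from the listing shown earlier.
sample_listing() {
    cat <<'EOF'
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
linuxconf 0:off 1:off 2:on 3:off 4:off 5:off 6:off
lpd 0:off 1:off 2:on 3:off 4:off 5:off 6:off
xfs 0:off 1:off 2:on 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:off 3:off 4:off 5:on 6:off
ipchains 0:off 1:off 2:off 3:on 4:on 5:on 6:off
identd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
EOF
}

# On a real host: /sbin/chkconfig --list | services_to_disable
sample_listing | services_to_disable
```

Review the printed commands before running them as root; services such as sshd and ipchains are not on the list and are never touched.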

Paranoia is good, so let's firewall anyway

We've turned off all network services, so why should we install a firewall? Isn't this kind of paranoid? Well, yes, but it's pretty common to have two lines of defense, just in case of a later misconfiguration. Network security is one of those fields where a little paranoia can be a good investment.

To turn on a firewall on a RedHat 6/7 host:


Turn on the ipchains service: /sbin/chkconfig ipchains on
Copy the following to /etc/sysconfig/ipchains
Reboot

[*****@**** ~]$ cat /etc/sysconfig/ipchains
:input DENY
:forward DENY
:output ACCEPT
-A input -s 127.0.0.1/255.255.255.255 -d 127.0.0.1/255.255.255.255 -i lo -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j ACCEPT ! -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 67:67 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 68:68 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 1 -j ACCEPT

A brief description of the above IPChains rules:

:input DENY
:forward DENY
:output ACCEPT

Set the default policies to DENY (block) for inbound and forwarded packets, and ACCEPT (pass) for outbound packets.

-A input -s 127.0.0.1/255.255.255.255 -d 127.0.0.1/255.255.255.255 -i lo -j ACCEPT

Allow inbound packets from the loopback address on the loopback interface

-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j ACCEPT ! -y

Allow packets inbound that belong to established connections

-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -i eth0 -p 6 -j ACCEPT

Allow inbound packets on the well known port for SSH (the secure shell)

-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT

Allow inbound udp packets from the well known DNS source port

-A input -s 0.0.0.0/0.0.0.0 67:67 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT

-A input -s 0.0.0.0/0.0.0.0 68:68 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT

Allow inbound udp packets from the well known BOOTP(C/S) ports

-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 1 -j ACCEPT

Allow inbound ICMP
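
To see at a glance what this rule set lets in, the following added example (not from the original post) parses the rules above and prints what each ACCEPT rule on the input chain matches. ipchains judges every packet on its own, without connection tracking, so a rule that names only a source port accepts the packet whatever its destination port; rules_without_dport lists those rules. The function names are hypothetical.

```shell
# Added example, not from the original post: summarize what each ACCEPT rule
# on the input chain of an ipchains rule file matches.
# Reads rules on stdin; prints "iface proto sport=... dport=... flags".
summarize_input_rules() {
    awk '
        BEGIN { name[1] = "icmp"; name[6] = "tcp"; name[17] = "udp" }
        $1 == "-A" && $2 == "input" {
            proto = "any"; iface = "any"; flags = "any-flags"; target = ""
            sport = "any"; dport = "any"
            for (i = 3; i <= NF; i++) {
                if ($i == "-s" || $i == "-d") {
                    # $(i+1) is the address; a port range may follow it.
                    port = $(i + 2)
                    if (port == "" || port ~ /^[-!]/) port = "any"
                    if ($i == "-s") sport = port; else dport = port
                }
                else if ($i == "-p") proto = ($(i + 1) in name) ? name[$(i + 1)] : $(i + 1)
                else if ($i == "-i") iface = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i == "-y") flags = ($(i - 1) == "!") ? "non-syn" : "syn-only"
            }
            if (target == "ACCEPT") print iface, proto, "sport=" sport, "dport=" dport, flags
        }
    '
}

# TCP/UDP rules on a non-loopback interface that name no destination port.
rules_without_dport() {
    summarize_input_rules |
        awk '$1 != "lo" && ($2 == "tcp" || $2 == "udp") && $4 == "dport=any"'
}

# The rule set from the article.
article_rules() {
    cat <<'EOF'
:input DENY
:forward DENY
:output ACCEPT
-A input -s 127.0.0.1/255.255.255.255 -d 127.0.0.1/255.255.255.255 -i lo -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j ACCEPT ! -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 67:67 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 68:68 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 1 -j ACCEPT
EOF
}

article_rules | summarize_input_rules
```

Running article_rules | rules_without_dport lists four rules: the non-SYN TCP rule and the three UDP source-port rules. This is one more reason to keep unneeded services turned off rather than rely on the firewall alone.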

FTP does not work!

FTP is a bizarre protocol. It has active and passive modes, and if you have a choice, you should choose passive. If you don't have a choice, you will have to add a "hole" to the firewall to enable active ftp to work. Here are the two lines to add to your firewall configuration (/etc/sysconfig/ipchains):

-A input -s 0.0.0.0/0.0.0.0 20:20 -d 0.0.0.0/0.0.0.0 1024:5999 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 20:20 -d 0.0.0.0/0.0.0.0 6010: -p 6 -j ACCEPT


As before, you will have to restart. You should also note that this is a pretty significant reduction in your firewall's security. On the other hand, you are still much better off than if you had no firewall whatsoever.

Turning services on

Now it's time to offer selected services to the internet. For each of these services, we will need to:

Turn a service on
Add configuration to our firewall
Optionally edit configuration for a service
Reboot

Turn on web service (httpd)

Run the following command to turn the service on:

/sbin/chkconfig httpd on

Add to the firewall configuration (/etc/sysconfig/ipchains):

-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -i eth0 -p 6 -j ACCEPT

Turn on ftp service (inet)

Run the following command to turn the service (inet) on:

/sbin/chkconfig inet on

Add to the firewall configuration (/etc/sysconfig/ipchains):

-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -i eth0 -p 6 -j ACCEPT

Edit the service configuration file, /etc/inetd.conf. All lines should be commented out (the first character in the line should be #) except the line that begins with ftp. Note that a commented out (disabled) telnet service line is included to illustrate how to comment out ALL of the services besides ftp.

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

Turn on pop service (inet)

Run the following command to turn the service (inet) on:

/sbin/chkconfig inet on

Add to the firewall configuration (/etc/sysconfig/ipchains):

-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 110:110 -i eth0 -p 6 -j ACCEPT

Edit the service configuration file, /etc/inetd.conf. All lines should be commented out (the first character in the line should be #) except the line that begins with pop-3. Note that commented out (disabled) pop-2 and imap service lines are included for illustration.

#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
#imap stream tcp nowait root /usr/sbin/tcpd imapd
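
A quick check that the inetd.conf edits described above for ftp and pop-3 were done completely (added example, not from the original post): it prints every entry that is still uncommented and is not on the allow-list passed as arguments. The function names and the sample file are constructed for illustration; in the sample, imap has been left active by mistake.

```shell
# Added example, not from the original post: list inetd.conf entries that are
# still active (uncommented) but are not on an allow-list given as arguments.

# Usage on a real host: unexpected_inetd_services ftp pop-3 < /etc/inetd.conf
# Prints "<service> <program>" for each active entry that is not allowed.
unexpected_inetd_services() {
    awk -v allowed="$*" '
        BEGIN {
            n = split(allowed, names, " ")
            for (i = 1; i <= n; i++) ok[names[i]] = 1
        }
        NF == 0 || $1 ~ /^#/ { next }   # blank line or commented-out entry
        !($1 in ok) { print $1, $7 }    # field 7 is the program tcpd starts
    '
}

# Constructed sample in the format the article shows.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample, not a real configuration
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
imap stream tcp nowait root /usr/sbin/tcpd imapd
EOF
}

# With ftp and pop-3 allowed, only the forgotten imap entry is reported.
sample_inetd_conf | unexpected_inetd_services ftp pop-3
```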


Caveats

Thinking of turning on telnet to connect to your host remotely? Don't! Use ssh (secure shell) instead. Likewise, if you are going to use ftp, be aware that the telnet and ftp protocols reveal your username and password to anyone who has access to the network traffic (which is almost anyone) and therefore are security risks. Thinking of having an anonymous ftp server? Pay VERY close attention to the ownership and permissions of all directories in the anonymous ftp tree. I have seen many instances recently where users' disks were filled with data and they unwittingly became distribution sites for pirated software, music, movies, you name it! It happened to me ...
