Thursday, December 20, 2007

Tunnel TCP connections over ICMP echo-reply/echo-request

You can tunnel TCP connections over ICMP echo-request/echo-reply packets.
You need a PingTunnel server (called the proxy) and a client, both with the PingTunnel application installed.
It is useful behind a firewall that lets ICMP echo through but blocks TCP, which is also why a perimeter firewall should rate-limit and log ICMP rather than pass it unconditionally.

Follow this URL; it is all there:
PingTunnel

Wednesday, December 19, 2007

SecureServer.sh

#!/bin/bash
########### SysCTL Hardening #########
# Disable ICMP routing redirects. Otherwise, your system could have its routing table misadjusted by an attacker.
sysctl -w net.ipv4.conf.all.accept_redirects=0
#sysctl -w net.ipv6.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
#sysctl -w net.ipv6.conf.all.send_redirects=0

# Disable IP source routing. The only use of IP source routing these days is by attackers trying to spoof IP addresses that you would trust as internal hosts.
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.all.forwarding=0
# sysctl -w net.ipv4.conf.all.mc_forwarding=0

# Enforce reverse-path sanity checking, also called ingress/egress filtering: drop a packet if its source and destination IP addresses do not make sense for the physical interface on which it arrived.
# Add "net.ipv4.conf.all.rp_filter = 1" to /etc/sysctl.conf as well so that the setting survives a reboot.
sysctl -w net.ipv4.conf.all.rp_filter=1

# Log "Martian" packets. A "Martian" packet is one for which the host has no route back to the source IP address (it apparently dropped in from Mars). These days most hosts have a default route, meaning that there would be no such thing as a Martian packet, but to be safe and complete...
sysctl -w net.ipv4.conf.all.log_martians=1

# Enlarge the queue of half-open connections so that a burst of SYNs does not exhaust it immediately.
sysctl -w net.ipv4.tcp_max_syn_backlog=1280

# Enable TCP SYN cookies to resist SYN flood attacks.
# A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. It is a well-known attack and is generally not effective against modern networks. It works if a server allocates resources after receiving a SYN but before it has received the ACK.
sysctl -w net.ipv4.tcp_syncookies=1
#########################################

INET_IF=eth0
LAN_IF=eth1
LAN=192.168.0.0/24
INTERNET=NET.WRK.RAN.GE/SUB.NET.MAS.KKK   # replace with your public network/mask
SERVER_IP=122.167.53.54
# Address ranges that can never legitimately be the source of a packet arriving from the Internet.
# Add your own ranges here. 192.168.0.0/16 is left out because $LAN lives there.
#SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 224.0.0.0/3"

# Flush all the existing rules
iptables -F
iptables -t nat -F

##### Stop IP spoofing (these rules must come before any ACCEPT rule) ##########
# Packets on the loopback interface can only legitimately carry local addresses
iptables -A INPUT -s $INTERNET -i lo -j DROP
iptables -A INPUT -s $LAN -i lo -j DROP
iptables -A INPUT -i lo -j ACCEPT
# Drop packets arriving at the Internet interface that cannot have come from the Internet
iptables -A INPUT -s $SERVER_IP -i $INET_IF -j DROP
iptables -A INPUT -s $LAN -i $INET_IF -j DROP
for ip in $SPOOF_IPS
do
    iptables -A INPUT -s $ip -i $INET_IF -j DROP
done
iptables -A INPUT ! -s $INTERNET -i $INET_IF -j DROP
# Drop packets at the LAN interface if they are not from the LAN
iptables -A INPUT ! -s $LAN -i $LAN_IF -j DROP
iptables -A INPUT -s $INTERNET -i $LAN_IF -j DROP

# Drop packets in INVALID state before anything else looks at them
iptables -A INPUT -m state --state INVALID -j DROP

# Log and REJECT SYN/ACK packets that do not belong to a connection we opened.
# Blocks IP-spoofed sequence number prediction attacks. Refer http://www.linuxtopia.org/Linux_Firewall_iptables/x6231.html
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j LOG --log-prefix "SYN Flood Attempt:"
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

# NEW connection, but the packet is not a SYN
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not SYN:"
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

# Block SYN floods: a source that sends more than 60 new SYNs within one second is logged and dropped.
# Do not simply DROP every NEW SYN here; that would block every legitimate connection as well.
iptables -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --set --name synflood --rsource
iptables -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --update --seconds 1 --hitcount 60 --name synflood --rsource -j LOG --log-prefix "SYNFLOOD:"
iptables -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --update --seconds 1 --hitcount 60 --name synflood --rsource -j DROP

# Accept RST flagged packets, rate-limited
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT

# Drop packets with impossible flag combinations (SYN+FIN, SYN+RST)
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
# XMAS scan (all flags set) and NULL scan (no flags set)
#iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

# Block NetBIOS and Samba broadcast floods on the Internet interface
iptables -A INPUT -d $SERVER_IP -i $INET_IF -p tcp -m tcp --dport 135:139 -j DROP
iptables -A INPUT -d $SERVER_IP -i $INET_IF -p tcp -m tcp --dport 67:68 -j DROP

# Control over ICMP requests
# Allow time-exceeded (needed by traceroute and path MTU discovery)
iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# DROP address mask request (ICMP type 17) and timestamp request (ICMP type 13)
iptables -A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
# Disable ICMP router solicitations and advertisements, and ICMP subnet mask requests and replies. An attacker might be able to use unsolicited advertisements and replies to misadjust host routing tables, and might be able to use solicitations and requests to reverse engineer some details of your network infrastructure. This has to be done with packet-filtering rules on the host.
# Router advertisement (ICMP type 9)
iptables -A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
# Router solicitation (ICMP type 10)
iptables -A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
# Allow echo request unconditionally (disabled; the rate-limited rule below covers it)
#iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Limit the remaining ICMP (ping included) to 3 packets/minute, burstable to a maximum of 10
iptables -A INPUT -p icmp -m limit --limit 3/min --limit-burst 10 -j ACCEPT
# Log what exceeds the limit, at most 10 entries/minute
iptables -A INPUT -p icmp -m limit --limit 10/min --limit-burst 1 -j LOG --log-prefix "Ping DROP:"
# Drop whatever ICMP exceeded the limit (without this the log prefix above would be a lie)
iptables -A INPUT -p icmp -j DROP

# Accept all ESTABLISHED and RELATED traffic without re-checking it
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Custom ACCEPT rules for specific ports
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443,3306,25,143,110 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 80 -m limit --limit 10/sec -j ACCEPT

# Drop DHCP requests
iptables -A INPUT -p udp -m udp --sport 68 --dport 67 -j DROP

# If you have a Microsoft network on the outside of your firewall, you may also get flooded by multicasts. Drop them so that the logs are not flooded.
iptables -A INPUT -i $INET_IF -d 224.0.0.0/8 -j DROP

# Anyone who tried to portscan us is locked out for an entire day.
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
#iptables -A INPUT -m recent --name portscan --remove
#iptables -A FORWARD -m recent --name portscan --remove

# Log probes for well-known trojan/backdoor ports.
# These rules must come before the catch-all portscan rules below, otherwise they never match.
iptables -A INPUT -p tcp -m tcp --dport 6670 -m limit --limit 3/hour -j LOG --log-prefix "Deepthroat scan:"
iptables -A INPUT -p tcp -m tcp --dport 6670 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 6711 -m limit --limit 3/hour -j LOG --log-prefix "Subseven scan:"
iptables -A INPUT -p tcp -m tcp --dport 6711 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 6712 -m limit --limit 3/hour -j LOG --log-prefix "Subseven scan:"
iptables -A INPUT -p tcp -m tcp --dport 6712 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 6713 -m limit --limit 3/hour -j LOG --log-prefix "Subseven scan:"
iptables -A INPUT -p tcp -m tcp --dport 6713 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 12345 -m limit --limit 3/hour -j LOG --log-prefix "Netbus scan:"
iptables -A INPUT -p tcp -m tcp --dport 12345 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 12346 -m limit --limit 3/hour -j LOG --log-prefix "Netbus scan:"
iptables -A INPUT -p tcp -m tcp --dport 12346 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 20034 -m limit --limit 3/hour -j LOG --log-prefix "Netbus scan:"
iptables -A INPUT -p tcp -m tcp --dport 20034 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 31337 -m limit --limit 3/hour -j LOG --log-prefix "Back orifice scan:"
iptables -A INPUT -p tcp -m tcp --dport 31337 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 6000 -m limit --limit 3/hour -j LOG --log-prefix "X-Windows Port:"
iptables -A INPUT -p tcp -m tcp --dport 6000 -j DROP
# UDP traceroute probes
iptables -A INPUT -p udp -m udp --dport 33434:33523 -j DROP
# ident: reject instead of drop so that remote mail and IRC servers do not wait for a timeout
iptables -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

# Log weird packets that don't match the above.
iptables -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 7

# Any other TCP packet that got this far is treated as a portscan:
# add the source to the portscan list, log the attempt and drop it.
iptables -A INPUT -p tcp -m tcp -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp -m tcp -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp -m recent --name portscan --set -j DROP

iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 7
iptables -A OUTPUT -m state --state INVALID -j DROP

# No default policy is set, so anything not matched above (UDP and other non-TCP traffic) is still accepted.
# Uncomment one of these to make the INPUT chain default-deny:
#iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
#iptables -A INPUT -j DROP
#iptables -A INPUT -p tcp -j DROP
# iptables -A INPUT -p udp -j DROP
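The LOG rules in the script write lines to the kernel log in which the --log-prefix is glued directly onto the "IN=" field, so a prefix without a trailing colon or space runs into the next field. The following POSIX shell snippet is an added example, not part of the original script: it parses such lines, counts how often each prefix fires, and shows which sources tripped a given rule and how many ports each touched. The log lines below are constructed for the example (the source addresses are documentation ranges; the destination is the server address used in the script), and "SYNFLOOD" is deliberately written without a separator to show that the parser copes with it.

```shell
#!/bin/sh
# Summarise the LOG entries that SecureServer.sh writes to the kernel log.
# Each iptables LOG line looks like "<prefix>IN=... SRC=... DST=... PROTO=... DPT=...".
# SAMPLE_LOG is a constructed sample for this example, not a real capture.

SAMPLE_LOG='Dec 19 10:01:02 host kernel: Portscan:IN=eth0 OUT= SRC=203.0.113.5 DST=122.167.53.54 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 19 10:01:02 host kernel: Portscan:IN=eth0 OUT= SRC=203.0.113.5 DST=122.167.53.54 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40001 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 19 10:01:03 host kernel: Portscan:IN=eth0 OUT= SRC=198.51.100.7 DST=122.167.53.54 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=51000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 19 10:02:10 host kernel: SYNFLOODIN=eth0 OUT= SRC=198.51.100.7 DST=122.167.53.54 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 19 10:03:44 host kernel: Netbus scanIN=eth0 OUT= SRC=192.0.2.9 DST=122.167.53.54 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=33000 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 19 10:04:00 host kernel: Ping DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=122.167.53.54 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# Read LOG lines on stdin and emit one "<prefix>\t<SRC>\t<DPT>" record per line.
# Works on the sample or on a real syslog file (e.g. parse_ipt_log < /var/log/messages).
parse_ipt_log() {
    awk '
        /kernel: / && /IN=/ {
            line = $0
            sub(/.*kernel: /, "", line)           # drop timestamp, host and "kernel: "
            pos = index(line, "IN=")              # the prefix is everything before IN=
            prefix = substr(line, 1, pos - 1)
            sub(/[[:space:]:]+$/, "", prefix)     # "Portscan:" -> "Portscan"
            src = "-"; dpt = "-"                  # "-" when a field is absent (ICMP has no DPT)
            if (match(line, /SRC=[0-9.]+/)) src = substr(line, RSTART + 4, RLENGTH - 4)
            if (match(line, /DPT=[0-9]+/))  dpt = substr(line, RSTART + 4, RLENGTH - 4)
            printf "%s\t%s\t%s\n", prefix, src, dpt
        }'
}

# "<count> <prefix>" per prefix, most frequent first.
count_by_prefix() {
    parse_ipt_log | cut -f1 | sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# For one prefix: each source address with its hit count and the number of distinct ports it touched.
# A high ports= value from a single source is the signature of a scan rather than a misconfigured client.
sources_for_prefix() {
    parse_ipt_log | awk -F'\t' -v p="$1" '
        $1 == p {
            hits[$2]++
            if (!(($2, $3) in seen)) { seen[$2, $3] = 1; ports[$2]++ }
        }
        END { for (s in hits) printf "%s hits=%d ports=%d\n", s, hits[s], ports[s] }' | sort
}

# Wrappers that run the two reports over the constructed sample.
sample_count_by_prefix() { printf '%s\n' "$SAMPLE_LOG" | count_by_prefix; }
sample_sources_for()     { printf '%s\n' "$SAMPLE_LOG" | sources_for_prefix "$1"; }

sample_count_by_prefix
sample_sources_for Portscan
```

Splitting on the first "IN=" rather than on a colon is what makes the parser independent of how each prefix was written; still, ending every --log-prefix with a colon or a space keeps the raw log readable.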

References
Cromwell-intl.com
iptables-tutorial.frozentux.net
iptables-tutorial.frozentux.net/other/ip-sysctl.txt
cyberciti.biz
faqs.org
newartisans.com

Tuesday, December 18, 2007

Limit number of Shell logins by a USER or GROUP

To limit the number of simultaneous shell logins by the same user on a Linux box, set a maximum number of logins in /etc/security/limits.conf for that user or for a group.

For example:
# groupadd salesgroup
# useradd -G salesgroup salesman1
# useradd -G salesgroup salesmanager
# echo "@salesgroup - maxlogins 10" >> /etc/security/limits.conf
# echo "salesman1 - maxlogins 5" >> /etc/security/limits.conf


Here the group salesgroup can have at most 10 logins at a time, and the user salesman1 is limited to 5 simultaneous logins.
These limits are enforced by pam_limits, so they only apply to services whose PAM configuration has pam_limits.so in the session stack (most distributions ship "session required pam_limits.so" in /etc/pam.d/login or /etc/pam.d/system-auth by default); check that before relying on them.
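To see how close each user is to the configured limit, the per-user maxlogins entries can be compared against the current session list. The snippet below is an added example, not part of the original post: it reads limits.conf-style text and who-style output and flags users that have reached their limit. Both inputs are constructed samples (the salesmanager limit line is invented for the example and is not in the post); group entries (@salesgroup) are skipped because expanding them needs getent.

```shell
#!/bin/sh
# Audit current login counts against the per-user maxlogins entries of a limits.conf file.
# LIMITS_SAMPLE and WHO_SAMPLE are constructed for this example, not taken from a real system.

LIMITS_SAMPLE='# /etc/security/limits.conf excerpt
@salesgroup   -   maxlogins   10
salesman1     -   maxlogins   5
salesmanager  -   maxlogins   3
*             -   nofile      4096'

# Session list in the shape "who" prints it: user, tty, login time, origin
WHO_SAMPLE='salesman1    pts/0        Dec 18 09:00 (10.0.0.5)
salesman1    pts/1        Dec 18 09:05 (10.0.0.5)
salesman1    pts/2        Dec 18 09:10 (10.0.0.6)
salesman1    pts/3        Dec 18 09:12 (10.0.0.6)
salesman1    pts/4        Dec 18 09:15 (10.0.0.7)
salesmanager pts/5        Dec 18 09:20 (10.0.0.8)
root         tty1         Dec 18 08:00'

# For every per-user maxlogins entry print "<user> <sessions> <limit> <ok|AT-LIMIT>", sorted by user.
# Group (@group) and wildcard (*) entries are skipped: expanding group membership needs getent.
check_maxlogins() {
    limits=$1
    who_output=$2
    printf '%s\n' "$limits" | awk -v who="$who_output" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }           # comments and blank lines
        $1 !~ /^[@*]/ && $3 == "maxlogins" { limit[$1] = $4 }   # per-user entries only
        END {
            # count sessions per user from the who output passed in via -v
            n = split(who, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, /[[:space:]]+/)
                if (f[1] != "") sessions[f[1]]++
            }
            for (u in limit) {
                s = sessions[u] + 0
                printf "%s %d %d %s\n", u, s, limit[u], (s >= limit[u] ? "AT-LIMIT" : "ok")
            }
        }' | sort
}

# Usage on a live system: check_maxlogins "$(cat /etc/security/limits.conf)" "$(who)"
check_maxlogins "$LIMITS_SAMPLE" "$WHO_SAMPLE"
```

A user reported AT-LIMIT will have the next login refused by pam_limits, which is the behaviour to confirm on a test account before applying the limit to real users.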

Monday, December 10, 2007

Starting httpd: execvp: No such file or directory [FAILED]

I downloaded the source for the latest Apache HTTP Server and installed it:

1. ./configure --enable-so
2. make
3. make install

When I ran
# /usr/local/apache2/bin/apachectl start
it started fine.
But it began to show errors when I tried to run
# /etc/init.d/httpd start

My /etc/init.d/httpd is as follows:

#!/bin/bash
#
# httpd        Start/stop the Apache HTTP server
#
# chkconfig: 345 85 15
# description: Apache HTTP server (source build in /usr/local/apache2)

# Source the function library (provides daemon, killproc and status)
. /etc/rc.d/init.d/functions

# daemon runs "httpd" through the PATH set in /etc/init.d/functions, so the binary must be found there
case "$1" in
    start)
        echo -n "Starting httpd: "
        daemon httpd -DSSL
        echo
        touch /var/lock/subsys/httpd
        ;;
    stop)
        echo -n "Shutting down httpd: "
        killproc httpd
        echo
        rm -f /var/lock/subsys/httpd
        rm -f /usr/local/apache2/logs/httpd.pid
        ;;
    status)
        status httpd
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    reload)
        echo -n "Reloading httpd: "
        killproc httpd -HUP
        echo
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|status}"
        exit 1
        ;;
esac
exit 0


I had run
# chkconfig --add httpd
# chkconfig httpd on
# service httpd start

The last command returned the following error:
[root@localhost conf]# service httpd start
Starting httpd: execvp: No such file or directory [FAILED]

I double-checked the path of the Apache installation against the one specified in the init script, and it was fine. The cause is that the daemon function from /etc/init.d/functions starts "httpd" with execvp, which looks the binary up in the PATH set in that file, and /usr/local/apache2/bin is not in it. The solution is simple and can be done in one of two ways.

1. Create a symbolic link to /usr/local/apache2/bin/httpd in a directory that is on the system PATH
# ln -s /usr/local/apache2/bin/httpd /usr/sbin/httpd
Then start httpd using the service command.
2. Add the Apache binary directory to the PATH in the /etc/init.d/functions file
Append /usr/local/apache2/bin to the line similar to
PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin"
so that it reads
PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/apache2/bin"
Then start httpd using the service command. Keep in mind that this PATH is shared by every init script that sources the functions file; calling the binary by its absolute path in the init script (daemon /usr/local/apache2/bin/httpd -DSSL) avoids touching either the PATH or /usr/sbin.

Apart from this, always check permissions too: the httpd binary must be executable by root.

Follow-ups
Plug.Org
mail-archives.apache.org

Friday, December 7, 2007

How to Disable Alt+Ctrl+Bksp and Ctrl+Alt+Function Keys

System administrators should be aware that switching to the text-mode virtual terminals via Ctrl+Alt+FunctionKey can be turned off. This comes in handy when locking down a system (such as when a Linux box is used as a kiosk), together with disabling Ctrl+Alt+Backspace (the forceful kill of the X server). To do this, edit /etc/X11/XF86Config or /etc/X11/xorg.conf and add the following:

Section "ServerFlags"
    # prevent the use of Ctrl+Alt+F1, etc
    Option "DontVTSwitch" "On"
    # prevent the use of Ctrl+Alt+Backspace
    Option "DontZap" "On"
EndSection


The virtual consoles can also be disabled in /etc/inittab.

Open /etc/inittab and comment out the following lines (each one respawns a getty on one console):

1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

You can also move the console from Alt+Ctrl+F1 .. F6 to one of Alt+Ctrl+F8 .. F12.
To do so, edit /etc/securetty and rename the tty entries to the number of the virtual terminal you want to use. Note that /etc/securetty only controls the consoles on which root may log in (via pam_securetty); a getty still has to be respawned on that tty in /etc/inittab for the console to exist at all, and non-root users can log in on any console that has a getty.

e.g.:
console
#vc/1
#vc/2
#vc/3
#vc/4
#vc/5
#vc/6
#vc/7
#vc/8
#vc/9
#vc/10
#vc/11
#tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
#tty9
#tty10
#tty11
tty12

This leaves tty12, i.e. the Alt+Ctrl+F12 keystroke, as the only console on which root may log in (vc/N and ttyN name the same console, which is why vc/1 is commented out as well).
Reboot the machine for the changes to take effect.
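After the edits above it is worth verifying the result rather than trusting the diff: both the ServerFlags options and the consoles left in /etc/securetty. The snippet below is an added example, not part of the original post; the two configuration texts are constructed samples, and the securetty sample deliberately leaves vc/1 active so that the report shows it as a second reachable console (vc/1 is the same device as tty1).

```shell
#!/bin/sh
# Report the kiosk lockdown state: which keystrokes X has disabled and which consoles
# /etc/securetty still allows root to log in on.
# XORG_SAMPLE and SECURETTY_SAMPLE are constructed for this example, not real files.

XORG_SAMPLE='Section "ServerFlags"
    # prevent the use of Ctrl+Alt+F1, etc
    Option "DontVTSwitch" "On"
    # prevent the use of Ctrl+Alt+Backspace
    Option "DontZap" "On"
EndSection'

SECURETTY_SAMPLE='console
vc/1
#vc/2
#tty1
#tty2
tty12'

# Print the value of an Option inside Section "ServerFlags" of the given config text; nothing if absent.
serverflag() {
    printf '%s\n' "$2" | awk -v opt="$1" '
        BEGIN { want = "\"" opt "\"" }                       # option names are quoted in the file
        /^[[:space:]]*Section[[:space:]]+"ServerFlags"/ { inflags = 1; next }
        /^[[:space:]]*EndSection/ { inflags = 0 }
        inflags && $1 == "Option" && $2 == want { gsub(/"/, "", $3); print $3; exit }'
}

# List the securetty entries that are not commented out, skipping "console".
# vc/N and ttyN refer to the same virtual console, so both spellings are normalised to ttyN.
active_consoles() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "console" { next }
        { name = $1; sub(/^vc\//, "tty", name); print name }' | sort -u
}

# One-line summary for an X config text and a securetty text.
lockdown_report() {
    vt=$(serverflag DontVTSwitch "$1")
    zap=$(serverflag DontZap "$1")
    consoles=$(active_consoles "$2" | tr '\n' ' ')
    printf 'DontVTSwitch=%s DontZap=%s root-consoles=[%s]\n' "${vt:-unset}" "${zap:-unset}" "${consoles% }"
}

# Usage on a live system: lockdown_report "$(cat /etc/X11/xorg.conf)" "$(cat /etc/securetty)"
lockdown_report "$XORG_SAMPLE" "$SECURETTY_SAMPLE"
```

"unset" in the report means the option is missing from the ServerFlags section, so the corresponding keystroke is still active.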
