On Wed, Jun 01, 2005 at 12:32:49PM +0200, LoSpippolo wrote:
> io uso questo
Te lo sei fatto a manina o con l'aiuto di qualche programma/pacchetto? eventualmente, complimenti per aver usato i commenti ;-)

> #---------------------------------------------------------------
> # Enabling spoofing protection
> #---------------------------------------------------------------
> echo '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> #---------------------------------------------------------------
> # Enabling SYN-flood protection - Protection from Denial of Service (DOS) attacks
> #---------------------------------------------------------------
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> #---------------------------------------------------------------
> # Disabling the acceptance of ICMP-redirect messages.
> #---------------------------------------------------------------
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
> #---------------------------------------------------------------
> # Disable responding to ping broadcasts
> #---------------------------------------------------------------
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> #-------------------------------------------------------------
> # ICMP Dead Error Messages protection
> #-------------------------------------------------------------
> echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> #---------------------------------------------------------------
> # Disable routing triangulation. Respond to queries out
> # the same interface, not another. Helps to maintain state
> # Also protects against IP spoofing
> #---------------------------------------------------------------
> echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
> #---------------------------------------------------------------
> # Drop Invalid packets
> #---------------------------------------------------------------
> iptables -A INPUT -m state --state INVALID -j DROP
> iptables -A FORWARD -m state --state INVALID -j DROP
> #---------------------------------------------------------------
> # Allow world to send ICMP packets?
> #---------------------------------------------------------------
> iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
> #---------------------------------------------------------------
> # Drop (NMAP) scan packets #
> #---------------------------------------------------------------
> iptables -N VALID_CHECK
> iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
> iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
> iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
> iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
> #---------------------------------------------------------------
> # Drop packets with bad tcp flags
> #---------------------------------------------------------------
> iptables -A VALID_CHECK -p tcp --tcp-option 64 -j DROP
> iptables -A VALID_CHECK -p tcp --tcp-option 128 -j DROP
> iptables -A INPUT -p tcp --dport 0 -j DROP
> iptables -A INPUT -p udp --dport 0 -j DROP
> iptables -A INPUT -p tcp --sport 0 -j DROP
> iptables -A INPUT -p udp --sport 0 -j DROP
> #---------------------------------------------------------------
> # General stealth scan drop
> #---------------------------------------------------------------
> iptables -A INPUT -p tcp ! --syn -j DROP
> #

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]