Bastille...

2002-11-15 Thread Tore Nilsson
Hi!

Bastille is not working out quite properly for me.
It seems as if it doesn't perform all of the actions that I've told it
to do when I run 'InteractiveBastille'.

Running BastilleBackEnd (with the configuration I've setup) I get this:
Executing PSAD Specific Configuration
Can't locate Bastille/PSAD.pm in @INC (@INC contains: /usr/lib
/usr/local/lib/perl/5.6.1 /usr/local/share/perl/5.6.1 /usr/lib/perl5
/usr/share/perl5 /usr/lib/perl/5.6.1 /usr/share/perl/5.6.1
/usr/local/lib/site_perl . /usr/lib/perl5/site_perl/ /usr/lib/Bastille) at
/usr/sbin/BastilleBackEnd line 78.

any clues of what to do? I tried doing it without PSAD as well, but it still
gave me the same error message...

ty in advance!

//tore



snort: WARNING: Bad insert in fraglist for FragTracker 0x8511388

2002-11-23 Thread Tore Nilsson
Hello!

Got this message sent to me by email from logcheck:
snort: WARNING: Bad insert in fraglist for FragTracker 0x8511388

Is this anything I should worry about?

I also got this:
Nov 22 16:39:11 otaku kernel: auditIN=eth0 OUT=
MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168
DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15138 DF PROTO=TCP
SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 16:39:14 otaku kernel: auditIN=eth0 OUT=
MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168
DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15139 DF PROTO=TCP
SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 16:39:20 otaku kernel: auditIN=eth0 OUT=
MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168
DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15140 DF PROTO=TCP
SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 16:39:32 otaku kernel: auditIN=eth0 OUT=
MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168
DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15141 DF PROTO=TCP
SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0

And this:
Nov 23 10:48:13 otaku kernel: auditIN=eth0 OUT=
MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=80.143.237.209
DST=213.114.36.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=13953 DF PROTO=TCP
SPT=3000 DPT=21 WINDOW=32767 RES=0x00 SYN URGP=0
Nov 23 10:48:16 otaku kernel: auditIN=eth0 OUT=
MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=80.143.237.209
DST=213.114.36.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=14306 DF PROTO=TCP
SPT=3000 DPT=21 WINDOW=32767 RES=0x00 SYN URGP=0
Nov 23 10:48:21 otaku kernel: auditIN=eth0 OUT=
MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=80.143.237.209
DST=213.114.36.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=14719 DF PROTO=TCP
SPT=3000 DPT=21 WINDOW=32767 RES=0x00 SYN URGP=0

//Tore Nilsson



Re: snort: WARNING: Bad insert in fraglist for FragTracker 0x8511388

2002-11-24 Thread Tore Nilsson
Thanks. Well, I'm not using FTP on the box, so all traffic directed at
that port is dropped by IPTables. Actually, these messages are from my
system log (and it was IPTables that logged them there). But, do you think it
was an attempt to break in? I got 4-5 of each of those 2. And 1 of the
"WARNING: Fraglist" message...

//Tore Nilsson

>On Sat, 23 Nov 2002 at 02:11:00PM +0100, Tore Nilsson wrote:
>> Hello!
>Greets.
>> Got this message sent to me by email from logcheck:
>> snort: WARNING: Bad insert in fraglist for FragTracker 0x8511388
>Not a clue...sorry.
>
>> I also got this:
>> Nov 22 16:39:32 otaku kernel: auditIN=eth0 OUT=
>> MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168
>> DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15141 DF PROTO=TCP
>> SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
>Someone from 200.214.189.168 tried to connect (SYN) to your machine on
>port 21 (FTP-Control) suggesting a TCP/IP Window size of 5 kb.  It is
>up to the administrator to decide if this is acceptable activity.
>
>
>> Nov 23 10:48:13 otaku kernel: auditIN=eth0 OUT=
>> MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=80.143.237.209
>> DST=213.114.36.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=13953 DF PROTO=TCP
>> SPT=3000 DPT=21 WINDOW=32767 RES=0x00 SYN URGP=0
>Same, except a different IP and a window size suggestion of 32 kb
>
>
>ttyl,
>--
>Phil
>
>PGP/GPG Key:
>http://www.zionlth.org/~plhofmei/
>wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
>--
>Excuse #8: Hardware stress fractures
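
As an added example (not from the thread), a small sh/awk script that condenses iptables LOG lines like the ones Tore posted into one line per source, protocol and destination port, so that the four SYNs from 200.214.189.168 and the three from 80.143.237.209 read the way Phil describes them: repeated connection attempts to port 21, each with the advertised window size, plus the first and last timestamp. The sample lines are the ones from the thread, re-joined onto single lines as syslog writes them, with one constructed non-LOG kernel line added to show that it is ignored; the threshold in repeated_sources is a choice of this example, not anything the thread suggests.

```shell
#!/bin/sh
# Added example, not code from the thread: condense iptables LOG lines of the
# kind Tore's `audit' rule writes into one line per (source, proto, dport).
# The sample is the seven lines Tore posted, re-joined onto single lines as
# syslog writes them, plus one constructed kernel line that is not a LOG entry.
SAMPLE_LOG='Nov 22 16:39:11 otaku kernel: auditIN=eth0 OUT= MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168 DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15138 DF PROTO=TCP SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 16:39:14 otaku kernel: auditIN=eth0 OUT= MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168 DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15139 DF PROTO=TCP SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 16:39:20 otaku kernel: auditIN=eth0 OUT= MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168 DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15140 DF PROTO=TCP SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 16:39:32 otaku kernel: auditIN=eth0 OUT= MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168 DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15141 DF PROTO=TCP SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 16:40:02 otaku kernel: eth0: link is up (constructed noise line, not a LOG entry)
Nov 23 10:48:13 otaku kernel: auditIN=eth0 OUT= MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=80.143.237.209 DST=213.114.36.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=13953 DF PROTO=TCP SPT=3000 DPT=21 WINDOW=32767 RES=0x00 SYN URGP=0
Nov 23 10:48:16 otaku kernel: auditIN=eth0 OUT= MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=80.143.237.209 DST=213.114.36.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=14306 DF PROTO=TCP SPT=3000 DPT=21 WINDOW=32767 RES=0x00 SYN URGP=0
Nov 23 10:48:21 otaku kernel: auditIN=eth0 OUT= MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=80.143.237.209 DST=213.114.36.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=14719 DF PROTO=TCP SPT=3000 DPT=21 WINDOW=32767 RES=0x00 SYN URGP=0'

# Read log lines on stdin; group them by (SRC, PROTO, DPT) and print the hit
# count, the TCP flags seen, the advertised window and first/last timestamp
# for each group, sorted by source address. Lines without SRC=/DPT= tokens
# (anything that is not an iptables LOG entry) are skipped.
summarise_audit_log() {
  awk '
    / kernel: / {
      src = ""; dpt = ""; proto = ""; win = ""; flags = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^WINDOW=/) win = substr($i, 8)
        else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/) flags = (flags == "") ? $i : flags "," $i
      }
      if (src == "" || dpt == "") next
      key = src " " proto " " dpt
      stamp = $1 " " $2 " " $3
      if (!(key in count)) first[key] = stamp
      count[key]++
      last[key] = stamp
      window[key] = win
      flag[key] = (flags == "") ? "-" : flags
    }
    END {
      for (k in count) printf "%s count=%d flags=%s window=%s first=%s last=%s\n", k, count[k], flag[k], window[k], first[k], last[k]
    }' | sort
}

# Sources that hit the same port at least N times (default 3), one per line.
# The threshold is this example's choice; tune it to the host.
repeated_sources() {
  summarise_audit_log | awk -v n="${1:-3}" '{ split($4, c, "="); if (c[2] + 0 >= n) print $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarise_audit_log
```

Run against the sample, the summary prints one line for 200.214.189.168 (count=4, flags=SYN, window=5840, 16:39:11 to 16:39:32) and one for 80.143.237.209 (count=3, window=32767); the window values are the ones Phil rounds to 5 kb and 32 kb. On a real box, feed it `grep audit /var/log/syslog` instead of the sample.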



IPTables configuration.

2002-12-04 Thread Tore Nilsson
Hello!

Can someone review my iptables configuration and give suggestions?
Btw. if I'd want to block someone completely using this configuration
should I put them in "Parole" by using this command:

iptables -A PAROLE -s [ip-number] -j DROP

//Tore Nilsson

here's my configuration. btw, it was made with Bastille:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             127.0.0.0/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
LOG        tcp  --  anywhere             anywhere            tcp dpt:telnet state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:ftp state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:imap2 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:pop3 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:finger state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:sunrpc state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:exec state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:login state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:linuxconf state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:ssh state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:1980 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        udp  --  anywhere             anywhere            udp dpt:31337 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere



Re: IPTables configuration.

2002-12-04 Thread Tore Nilsson
> To correctly audit your configuration, I need an output of
> "/sbin/iptables -L -n -v"
> The mere "/sbin/iptables -L [-n]" is not sufficient to me, cause it won't
> reveal the per interface filters.
>
> Vincent
>
>
>
>
> > -Original Message-
> > From: Tore Nilsson [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday 4 December 2002 14:23
> > To: debian-security@lists.debian.org
> > Subject: IPTables configuration.
> >
> >
> > Hello!
> >
> > Can someone review my iptables configuration and give suggestions?
> > Btw. if I'd want to block someone completely using this configuration
> > should I put them in "Parole" by using this command:
> >
> > iptables -A PAROLE -s [ip-number] -j DROP
> >
> > //Tore Nilsson
> >
> > here's my configuration. btw, it was made with Bastille:
> >
> > Chain INPUT (policy DROP)
> > target     prot opt source               destination
> > DROP       tcp  --  anywhere             127.0.0.0/8
> > ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> > ACCEPT     all  --  anywhere             anywhere
> > DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
> > PUB_IN     all  --  anywhere             anywhere
> > DROP       all  --  anywhere             anywhere
> >
> > Chain FORWARD (policy DROP)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> > DROP       all  --  anywhere             anywhere
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > PUB_OUT    all  --  anywhere             anywhere
> >
> > Chain INT_IN (0 references)
> > target     prot opt source               destination
> > ACCEPT     icmp --  anywhere             anywhere
> > DROP       all  --  anywhere             anywhere
> >
> > Chain INT_OUT (0 references)
> > target     prot opt source               destination
> > ACCEPT     icmp --  anywhere             anywhere
> > ACCEPT     all  --  anywhere             anywhere
> >
> > Chain PAROLE (4 references)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere
> >
> > Chain PUB_IN (1 references)
> > target     prot opt source               destination
> > ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
> > ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
> > ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
> > PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:telnet state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:ftp state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:imap2 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:pop3 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:finger state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:sunrpc state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:exec state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:login state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:linuxconf state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:ssh state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:1980 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        udp  --  anywhere             anywhere            udp dpt:31337 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > DROP       icmp --  anywhere             anywhere
> > DROP       all  --  anywhere             anywhere
> >
> > Chain PUB_OUT (1 references)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere
> >



Re: IPTables configuration.

2002-12-04 Thread Tore Nilsson
I see why I should set the "--state NEW" flag on port 80. Would I be sure
that it wouldn't hamper the webserver though? And if I'd like to block an IP
out of the system, how would that be done the easiest way? Put a rule in
PAROLE?

//Tore Nilsson

- Original Message -
From: "DEFFONTAINES Vincent" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, December 04, 2002 3:45 PM
Subject: RE: IPTables configuration.


> The call of PAROLE for TCP DST 80 packets isn't restrictive enough.
> I would call that rule only this way:
> replace
>  384 19428 PAROLE tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 tcp dpt:80
> with a rule like:
> /sbin/iptables -p tcp --dport 80 -m state --state NEW -j PAROLE
> in the PUB_IN chain
>
> So that (nearly) only SYN packets go through that rule, not forget TCP
> session packets.
>
> Your firewall allows all OUT, that is not a bad policy if you trust all
> users and applications you run.
> I would agree with that policy for a personal firewall as this seems to be.
>
> I don't really like the general looking of the rest (some useless chains,
> some useless calls).
>
> The FORWARD chain could be empty, since the ESTABLISHED, RELATED chain in it
> will never match any packet.
> Maybe you want to LOG some packets in that rule, that is another option.
>
> Chains INT_IN and INT_OUT are never used, delete them.
>
> Call to chain PUB_OUT is useless, and could be forgotten, as well as that
> chain.
>
>
>
> This seems to be a very "tiny" (personal) firewall.
>
> Probably most important in all I said: set the NEW state in incoming TCP 80
> packets.
> The rest is just to make your rules cleaner, it doesn't modify the way the
> firewall works.
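
An added example, not Tore's ruleset or anything Bastille generates: a script that prints an iptables command list reflecting Vincent's review, so it can be read before it is run. It carries the NEW-state match on port 80, leaves out the unused INT_IN, INT_OUT and PUB_OUT chains, and places blocklisted sources in PAROLE ahead of its final ACCEPT. That ordering is where Tore's proposed `iptables -A PAROLE -s [ip-number] -j DROP` would go wrong on the live chain: -A appends after the existing "ACCEPT all" rule, so the DROP would never be reached, and on a running system `iptables -I PAROLE 1 -s ... -j DROP` is the form that takes effect. Assumptions not in the thread: the bare "ACCEPT all" rule in INPUT is the loopback accept that `iptables -L` without -v hides, the DROP for 127.0.0.0/8 is limited to non-loopback interfaces for the same reason, and 198.51.100.7 is a documentation-range placeholder for a blocked address. The log prefix gets a trailing space so the kernel writes "audit IN=eth0" instead of the "auditIN=eth0" seen in Tore's log.

```shell
#!/bin/sh
# Added example, not the ruleset from the thread: print an iptables command
# list shaped by Vincent's review of Tore's Bastille-generated chains.
# Assumptions (not in the thread): the "ACCEPT all" in INPUT is the loopback
# accept that "iptables -L" without -v hides; 198.51.100.7 is a placeholder.
# Nothing here touches the kernel: the output is meant to be reviewed, then
# run with "sh" once it looks right.

BLOCKLIST="${BLOCKLIST:-198.51.100.7}"
AUDIT_TCP_PORTS="telnet ftp imap2 pop3 finger sunrpc exec login linuxconf ssh 1980"
AUDIT_UDP_PORTS="31337"

# One LOG rule per audited port, same state and limit matches as the Bastille
# rules, but with a trailing space in the prefix so the kernel writes
# "audit IN=eth0" rather than "auditIN=eth0".
audit_rule() {  # $1 = protocol, $2 = destination port
  printf 'iptables -A PUB_IN -p %s --dport %s -m state --state INVALID,NEW -m limit --limit 5/s --limit-burst 8 -j LOG --log-level warning --log-prefix "audit "\n' "$1" "$2"
}

gen_rules() {
  cat <<'EOF'
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -N PAROLE
iptables -N PUB_IN
# INPUT: same shape as the Bastille chain, minus the chains the review called unused
iptables -A INPUT ! -i lo -p tcp -d 127.0.0.0/8 -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -j PUB_IN
iptables -A INPUT -j DROP
# FORWARD stays empty: with policy DROP and no forwarding, no rule there can match
# PUB_IN: the ICMP the host needs, then port 80 for NEW connections only (Vincent's fix)
iptables -A PUB_IN -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A PUB_IN -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A PUB_IN -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A PUB_IN -p tcp --dport 80 -m state --state NEW -j PAROLE
EOF
  for p in $AUDIT_TCP_PORTS; do audit_rule tcp "$p"; done
  for p in $AUDIT_UDP_PORTS; do audit_rule udp "$p"; done
  cat <<'EOF'
iptables -A PUB_IN -p icmp -j DROP
iptables -A PUB_IN -j DROP
EOF
  # PAROLE: blocked sources must come BEFORE the final ACCEPT. Appending a DROP
  # to the live chain with -A would land after "ACCEPT all" and never match;
  # on a running system insert it at the top with "-I PAROLE 1" instead.
  for ip in $BLOCKLIST; do
    printf 'iptables -A PAROLE -s %s -j DROP\n' "$ip"
  done
  echo 'iptables -A PAROLE -j ACCEPT'
}

# Line number of the first generated rule matching a pattern; used to check
# that a blocklist DROP really precedes the ACCEPT in PAROLE.
rule_index() {  # $1 = grep pattern
  gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

gen_rules
```

The NEW-state match does not starve the web server, which is the worry in Tore's follow-up: packets belonging to an already accepted connection match the RELATED,ESTABLISHED rule in INPUT before PUB_IN is reached, so only the packet that opens a connection is routed through PAROLE. To apply the output for real, redirect it to a file, read it, and run it with sh as root; set BLOCKLIST to a space-separated list of addresses to block.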



Re: scan

2003-04-12 Thread Tore Nilsson
Hi!

I'm not advanced enough to give an educated answer -
but I noticed that you had sent a post a week or two earlier
about a possible attack, and I'm wondering if this is the same
server?

//Tore Nilsson

- Original Message -
From: "danilo lujambio" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, April 10, 2003 7:33 PM
Subject: scan


> Hi ;
>
> I have experienced a strange situation in one of the servers
>
> It runs debian woody (kernel bf24)
>
> When I scanned this server with nmap, it shut down and rebooted. I
> have logged in to it and scanned (localhost in this case) and nothing
> happened, but when I scanned from another host it shut down.
>
> I changed the net interface but I have obtained the same results.
>
> Do you have an idea ?
>
> thanks !
>


