Setting up TCP Wrappers and local firewall on a remote host

If you use local firewall rules and tcp wrappers on a remote host where you might get locked out, with no easy way to get logged in again, here is a quick howto on playing it safe. The trick is to setup a couple cron jobs to undo whatever you stuffed up.

I scheduled two 10 minute recurring jobs. Gives you 10 minute windows of configuring/testing before security resets.

Set two cron jobs:

[root@kanyakonil root]# crontab -l
/10 * * * * cp /root/hosts.deny /etc/hosts.deny
/10 * * * * /sbin/iptables --flush

Tcp wrappers:

I made a copy of /etc/hosts.deny file in /root and then waited for the next cron run to test if the copy is really working as expected.

It looked good after cron ran.

# cat /etc/hosts.deny
#
...
#ALL: ALL

Now uncomment the ALL: ALL line in the real /etc/hosts.deny and start testing /etc/hosts.allow rules.

# more /etc/hosts.allow
...
# Host allowed to SSH
sshd: xx.xx.xx.xx

Test from non allowed and allowed host.

Feb 24 05:32:56 kanyakonil sshd[12346]: pam_unix(sshd:session): session opened for user aharon by (uid=0)
Feb 24 05:33:43 kanyakonil sshd[12380]: refused connect from host.domain.com (::ffff:xx.xx.xx.xx)
Feb 24 05:34:34 kanyakonil sshd[12386]: Accepted password for aharon from xx.xx.xx.xx port 37415 ssh2
Feb 24 05:34:34 kanyakonil sshd[12386]: pam_unix(sshd:session): session opened for user aharon by (uid=0)

Now lets go tune the firewall rules…

List rules:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Saved rules in this file:

# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Delete unneeded rules:

# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT

Check (and test using something like nmap):

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

kanyakonil@philip:~$ sudo nmap -A -T4 192.168.1.3

Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-16 22:42 WIT

Interesting ports on 192.168.1.3:

Not shown: 1693 filtered ports

PORT STATE SERVICE VERSION

80/tcp open http Apache httpd 2.2.0 ((Linux/SUSE))

113/tcp closed auth

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: HOME)

445/tcp open netbios-ssn Samba smbd 3.X (workgroup: HOME)

MAC Address: 00:0D:88:B3:72:F3 (D-Link)

Device type: general purpose|WAP|specialized|storage-misc|broadband router

Running (JUST GUESSING) : Linux 2.6.X|2.4.X (97%), Siemens linux (93%), Atmel Linux 2.6.X (92%), Inventel embedded (89%), Linksys Linux 2.4.X (89%), Asus Linux 2.4.X (89%), Maxtor Linux 2.4.X (89%), Netgear embedded (87%)

Aggressive OS guesses: Linux 2.6.13 – 2.6.18 (97%), Siemens Gigaset SE515dsl wireless broadband router (93%), Linux 2.6.11 – 2.6.15 (Ubuntu or Debian) (93%), Linux 2.6.15-27-686 (Ubuntu Dapper, X86) (93%), Atmel AVR32 STK1000 development board (runs Linux 2.6.16.11) (92%), Linux 2.6.14 – 2.6.17 (92%), Linux 2.6.17 – 2.6.18 (x86) (92%), Linux 2.6.17.9 (X86) (92%), Linux 2.6.9-42.0.2.EL (RedHat Enterprise Linux) (92%), Linux 2.6.9 – 2.6.12 (x86) (92%)

No exact OS matches for host (test conditions non-ideal).

Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .

Nmap finished: 1 IP address (1 host up) scanned in 58.830 seconds


Save the rules:

# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

Check stored rules:

# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Fri Feb 24 05:48:21 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [734:96465]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Feb 24 05:48:21 2012

Check running rules:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
This entry was posted in Security. Bookmark the permalink.

Leave a Reply

Your email address will not be published.