If you use local firewall rules and TCP wrappers on a remote host where you might lock yourself out, with no easy way to get logged in again, here is a quick howto on playing it safe. The trick is to set up a couple of cron jobs that undo whatever you stuffed up.
I scheduled two recurring jobs that run every 10 minutes. That gives you 10-minute windows to configure and test before security resets.
Set two cron jobs:
[root@kanyakonil root]# crontab -l
*/10 * * * * cp /root/hosts.deny /etc/hosts.deny
*/10 * * * * /sbin/iptables --flush
Tcp wrappers:
I made a copy of the /etc/hosts.deny file in /root and then waited for the next cron run to test whether the copy really works as expected.
It looked good after cron ran.
# cat /etc/hosts.deny
# ...
#ALL: ALL
Now uncomment the ALL: ALL line in the real /etc/hosts.deny and start testing the /etc/hosts.allow rules.
# more /etc/hosts.allow
...
# Host allowed to SSH
sshd: xx.xx.xx.xx
Test from a non-allowed host and from an allowed host.
Feb 24 05:32:56 kanyakonil sshd[12346]: pam_unix(sshd:session): session opened for user aharon by (uid=0)
Feb 24 05:33:43 kanyakonil sshd[12380]: refused connect from host.domain.com (::ffff:xx.xx.xx.xx)
Feb 24 05:34:34 kanyakonil sshd[12386]: Accepted password for aharon from xx.xx.xx.xx port 37415 ssh2
Feb 24 05:34:34 kanyakonil sshd[12386]: pam_unix(sshd:session): session opened for user aharon by (uid=0)
Now let's tune the firewall rules.
List rules:
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Saved rules in this file:
# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Delete unneeded rules:
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
Check (and test using something like nmap):
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
kanyakonil@philip:~$ sudo nmap -A -T4 192.168.1.3
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-16 22:42 WIT
Interesting ports on 192.168.1.3:
Not shown: 1693 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.0 ((Linux/SUSE))
113/tcp closed auth
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: HOME)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: HOME)
MAC Address: 00:0D:88:B3:72:F3 (D-Link)
Device type: general purpose|WAP|specialized|storage-misc|broadband router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (97%), Siemens linux (93%), Atmel Linux 2.6.X (92%), Inventel embedded (89%), Linksys Linux 2.4.X (89%), Asus Linux 2.4.X (89%), Maxtor Linux 2.4.X (89%), Netgear embedded (87%)
Aggressive OS guesses: Linux 2.6.13 - 2.6.18 (97%), Siemens Gigaset SE515dsl wireless broadband router (93%), Linux 2.6.11 - 2.6.15 (Ubuntu or Debian) (93%), Linux 2.6.15-27-686 (Ubuntu Dapper, X86) (93%), Atmel AVR32 STK1000 development board (runs Linux 2.6.16.11) (92%), Linux 2.6.14 - 2.6.17 (92%), Linux 2.6.17 - 2.6.18 (x86) (92%), Linux 2.6.17.9 (X86) (92%), Linux 2.6.9-42.0.2.EL (RedHat Enterprise Linux) (92%), Linux 2.6.9 - 2.6.12 (x86) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 58.830 seconds
Save the rules:
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
Check stored rules:
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Fri Feb 24 05:48:21 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [734:96465]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Feb 24 05:48:21 2012
Check running rules:
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination