AccessGrid.org

Security (Note: this document is scheduled for an extensive review and will be updated shortly.)

Methods for improving the security of your Access Grid node.

Changing System Services

One way to increase security is to shut down services that are not required: every service you turn off is one fewer network listener or privileged process that an attacker can reach.

You can change whether a particular service is started at boot by using the chkconfig command.

  • As super user, run chkconfig --list to see which services are currently set to start at boot in each run level (3 is multi-user text mode, 5 is the graphical login; a service marked on in those columns is started).

  • To stop a service from starting at boot, run chkconfig <servicename> off, which turns it off in every run level. An example of a servicename is gpm. The command chkconfig --del <servicename> also works, but it removes the service from chkconfig management entirely rather than just disabling it. Neither command stops an instance that is already running; use service <servicename> stop for that.

  • To add a service back to the boot list, run chkconfig --add <servicename>, which enables it in the run levels its init script declares as default; chkconfig <servicename> on turns an already registered service on in run levels 2 to 5.

  • The following is the chkconfig --list output for the set of services I would recommend leaving enabled; anything not listed here is a candidate for turning off. Several entries are only needed for particular hardware or protocols (avahi-daemon for multicast DNS; portmap, nfslock, rpcgssd and rpcidmapd for NFS; hplip for HP printers; isdn for ISDN; sendmail for local mail delivery), so turn those off as well if you do not use them:

    acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    apmd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
    crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    firstboot 0:off 1:off 2:off 3:on 4:off 5:on 6:off
    haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    hidd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    hplip 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    irqbalance 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    isdn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    lm_sensors 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    mcstrans 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    ntpd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
    pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    readahead_early 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    readahead_later 0:off 1:off 2:off 3:off 4:off 5:on 6:off
    restorecond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    rpcidmapd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    xfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    yum-updatesd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
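As an added example (this script is not from the AccessGrid page or the Access Grid software), the following POSIX shell script audits a chkconfig --list listing against the recommended set above and prints the commands that would disable everything else, including services managed by xinetd. The sample listing embedded in it (bluetooth, cups, gpm, and telnet under xinetd) is constructed for illustration; when chkconfig is installed the script reads the real listing instead.

```shell
#!/bin/sh
# Added example, not from the AccessGrid page: audit the services that start at
# boot against an allow-list and print the commands that would disable the rest.
# It parses `chkconfig --list` output, reading the real output when chkconfig is
# installed and a constructed sample otherwise, so it also runs offline.

# Allow-list: the services the page recommends leaving enabled.
ALLOWED="acpid anacron apmd atd autofs avahi-daemon cpuspeed crond firstboot
haldaemon hidd hplip ip6tables iptables irqbalance isdn kudzu lm_sensors mcstrans
mdmonitor messagebus netfs network nfslock ntpd pcscd portmap readahead_early
readahead_later restorecond rpcgssd rpcidmapd sendmail smartd sshd syslog xfs
yum-updatesd"

# Constructed sample of `chkconfig --list` output (not captured from a real host).
SAMPLE='acpid           0:off   1:off   2:off   3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet:         on
        rsync:          off'

# unexpected_services LIST_TEXT -> "init NAME" for each init script enabled in
# run level 3 or 5, and "xinetd NAME" for each xinetd service that is on, when
# NAME is not on the allow-list. One per line, sorted.
unexpected_services() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^xinetd based services:/ { xinetd = 1; next }
        # xinetd section: "name:  on|off"
        xinetd && NF == 2 && $2 == "on" { sub(/:$/, "", $1); if (!($1 in ok)) print "xinetd", $1; next }
        # init section: "name 0:off 1:off 2:on 3:on 4:on 5:on 6:off"
        !xinetd && NF >= 8 && ($5 == "3:on" || $7 == "5:on") && !($1 in ok) { print "init", $1 }
    ' | sort
}

# disable_commands LIST_TEXT -> one command line per unexpected service: turn it
# off in every run level and, for init scripts, stop the running instance too.
disable_commands() {
    unexpected_services "$1" | while read -r kind svc; do
        if [ "$kind" = xinetd ]; then
            printf 'chkconfig %s off\n' "$svc"      # xinetd-managed: no standalone daemon to stop
        else
            printf 'chkconfig %s off; service %s stop\n' "$svc" "$svc"
        fi
    done
}

if command -v chkconfig >/dev/null 2>&1; then
    LIST=$(chkconfig --list)      # real boot-time service list
else
    LIST=$SAMPLE                  # offline: use the constructed sample
fi
disable_commands "$LIST"          # review the output, then run the lines as root
```

The script only prints the commands; review them before running them as root, since the allow-list is the page's recommendation and your node may legitimately need something not on it.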

Setting up a personal firewall

Using a host-based (personal) firewall limits which of the machine's services are reachable from the network, and so protects it from external attacks on anything you did not intend to expose.

  • The configuration proposed below may help protect your machine, but it is not as strict as some sites would like: every accepted port is open to any source address. You can tighten it by modifying or deleting rules (for example, drop the port 21 rule if you run no FTP server, or add a source restriction to the SSH and VNC rules).

  • The rules in the saved rule set below are:

    • Accept all traffic from localhost (required for tools such as rat)
    • Accept all multicast traffic (224.0.0.0/4)
    • Accept all port 21 traffic (FTP)
    • Accept all port 22 traffic (SSH)
    • Accept all port 80 traffic (HTTP)
    • Accept all port 443 traffic (HTTPS)
    • Accept all port 631 traffic (IPP printing)
    • Accept all port 5353 traffic (multicast DNS)
    • Accept ICMP traffic (ping)
    • Accept traffic to ports 5900-5920 (required for VenueVNC)
    • Accept traffic to ports 8000, 8002, 8003, 8004 and 8006 (required for VenueServer)
    • Accept traffic to ports 10000, 10002 and 10004 (required for the Multicast Beacon)
    • Accept traffic to ports 11000 and 11100 (required for the NodeService Manager)
    • Accept traffic to ports 20000-20020 (required for BridgeServer)
    • Accept packets of established or related connections, and reject everything else with icmp-host-prohibited

  Note that the saved file below does not match this list exactly: it opens TCP 8000, 8002, 8004 and 8006 (not 8003), UDP 10002 and 10003 plus TCP 10004 (not 10000), TCP 5900-5920 and UDP 20000-20020, and its multicast rule only matches packets arriving on eth0. Check which ports your own VenueServer and Beacon use, and adjust the rules (step 6) and the interface name to suit.

The following steps set up a firewall with the above rules:

  1. Download the file iptables-saved-file_0.txt. Its contents are:

    # Generated by iptables-save v1.3.5 on Tue Apr 11 13:36:08 2006
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2237815:1184810927]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5900:5920 -j ACCEPT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -d 224.0.0.0/240.0.0.0 -i eth0 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 20000:20020 -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 10002 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 10003 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10004 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 11000 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 11100 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8000 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8002 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8004 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8006 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Tue Apr 11 13:36:08 2006

  2. As super user, issue the command iptables-restore < /path/to/iptables-saved-file_0.txt. This replaces the running rule set immediately (the file accepts port 22, so an SSH session survives it, but do the first run from the console if you can).

  3. Then issue the command service iptables save, which writes the running rules to /etc/sysconfig/iptables so they are reloaded at boot. Make sure the iptables service itself is enabled (chkconfig iptables on; it is on in the recommended service list above).

  4. Your firewall should now be up and running and saved.

  5. If you issue the command service iptables status (essentially iptables -L -n --line-numbers) you should get output like the following. The listing below was captured from a slightly different rule set than the file above (it shows ESP and AH accept rules the file does not contain, and lacks the port 8006 rule), so your rule numbers will differ accordingly:

    Table: filter
    Chain INPUT (policy ACCEPT)
    num target prot opt source destination
    1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy ACCEPT)
    num target prot opt source destination
    1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)
    num target prot opt source destination

    Chain RH-Firewall-1-INPUT (2 references)
    num target prot opt source destination
    1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5900:5920
    2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    3 ACCEPT all -- 0.0.0.0/0 224.0.0.0/4
    4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:20000:20020
    5 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
    6 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
    7 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
    8 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
    9 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
    10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
    11 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
    13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
    14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
    15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
    16 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10002
    17 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10003
    18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10004
    19 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:11000
    20 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:11100
    21 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8000
    22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8002
    23 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8004
    24 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

  6. To add a rule to the chain, issue a command similar to iptables -I RH-Firewall-1-INPUT -p tcp -m tcp --dport 6666:7777 -j ACCEPT, which accepts TCP traffic to any port in the range 6666-7777. Use -I (insert at the top of the chain) rather than -A: the chain ends with a REJECT rule, and a rule appended after it is never reached. To limit the new rule to a trusted network, add a source match such as -s 192.0.2.0/24 (an example address range). Rules added this way exist only in the running kernel; run service iptables save again to keep them across a reboot.

  7. To remove a rule from the chain, issue a command similar to iptables -D RH-Firewall-1-INPUT 5, which deletes rule number 5 of the chain. In the listing above that is the ICMP rule, so the host would no longer answer pings. Rule numbers shift down after a deletion, so re-check with service iptables status before deleting another, and save afterwards.
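As an added example covering steps 1 to 7 (this script is not from the AccessGrid page or the Access Grid software), the following shell script lints an iptables-save file of the shape shown above before it is loaded: it lists ACCEPT rules that sit after the chain's terminal REJECT (what you get by adding a rule with -A instead of -I, so the rule never matches) and ACCEPT rules on remote-login ports that have no -s source restriction. The chain name is the page's; the set of login ports, the 192.0.2.0/24 source range and the trimmed sample rule set with an appended 6666:7777 rule are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the AccessGrid page: lint an iptables-save file of the
# shape shown above before loading it with iptables-restore. It reports
#   (a) ACCEPT rules placed after the chain's terminal REJECT/DROP, which can
#       never match (this is what `iptables -A` produces, as opposed to `-I`), and
#   (b) ACCEPT rules for remote-login ports that carry no -s source restriction.
# The chain name is the page's; the port list is an assumption for the example.

CHAIN=RH-Firewall-1-INPUT
LOGIN_PORTS="21 22 5900:5920"

# Constructed sample: a trimmed copy of the page's rule set, with a source
# restriction on the FTP rule and one rule appended after the REJECT the way
# `iptables -A` would place it.
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5900:5920 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.0.2.0/24 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 6666:7777 -j ACCEPT
COMMIT'

# shadowed_rules RULES_TEXT -> rules in $CHAIN that follow its first REJECT/DROP
# rule and are therefore unreachable.
shadowed_rules() {
    printf '%s\n' "$1" | awk -v chain="$CHAIN" '
        $1 == "-A" && $2 == chain {
            if (terminal) print
            else if ($0 ~ /-j (REJECT|DROP)/) terminal = 1
        }'
}

# open_login_ports RULES_TEXT -> ACCEPT rules in $CHAIN whose --dport is one of
# $LOGIN_PORTS and which have no "-s" source restriction.
open_login_ports() {
    printf '%s\n' "$1" | awk -v chain="$CHAIN" -v ports="$LOGIN_PORTS" '
        BEGIN { n = split(ports, p, " ") }
        $1 == "-A" && $2 == chain && /-j ACCEPT/ && !/ -s / {
            for (j = 1; j < NF; j++)
                if ($j == "--dport")
                    for (i = 1; i <= n; i++)
                        if ($(j + 1) == p[i]) { print; next }
        }'
}

# finding_count RULES_TEXT -> total number of findings from both checks.
finding_count() {
    { shadowed_rules "$1"; open_login_ports "$1"; } | grep -c .
}

# Usage against the live configuration (as root):
#   finding_count "$(cat /etc/sysconfig/iptables)"
# Here, against the constructed sample:
printf 'unreachable rules (after REJECT):\n'; shadowed_rules "$SAMPLE"
printf 'login ports open to any source:\n'; open_login_ports "$SAMPLE"
```

A non-zero finding_count means the file (or the running chain, via iptables-save) should be fixed before you trust service iptables save to persist it: move a shadowed rule above the REJECT with -I, and add -s ranges to the login-port rules where your site allows it.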
