Security
Methods for improving the security for your Access Grid.
Changing System Services
One method of increasing security is by shutting down services that are not required.
You can change whether a particular services is running or not by using the chkconfig command.
-
As super user, you can use the command: chkconfig --list to see what services are currently designed to be started upon bootup, depending on the run level.
-
To remove a service from starting up at boot, use the following command chkconfig --del <servicename>. An example of a servicename is gpm
-
To add a service to the starting up list at boot, use the following command chkconfig --add <servicename>. This will add the service to the default init levels
-
The following lists the current default services I would recommend running:
acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
apmd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
lm_sensors 0:off 1:off 2:on 3:on 4:on 5:on 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
ntpd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
readahead 0:off 1:off 2:off 3:off 4:off 5:on 6:off
readahead_early 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcidmapd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Setting up a personal Firewall
Using a personal firewall on can also protect your machine from external attacks.
-
I have a proposed configuration that may help in protecting your machine, but I should add, that it isn't as strict as other might like, but you can simply modify, delete or remove rules if you would like.
-
The current rules I have listed are:
- Accept all traffic from localhost (Required for things like rat, etc)
- Accept all multicast traffic (224.0.0.0/4)
- Accept all port 21 traffic (FTP)
- Accept all port 22 traffic (SSH)
- Accept all port 80 traffic (HTTP)
- Accept all port 443 traffic (TLS/SSL)
- Accept all port 631 traffic (IPP)
- Accept all port 5353 traffic (Multicast DNS)
- Accept icmp traffic (ping)
- Accept traffic from ports 5900-5920 (Required for VenueVNC)
- Accept traffic from ports 8000, 8002 and 8004 (Required for Multicast Beacon)
- Accept traffic from ports 10000, 10002 and 10004 (Required for VenueServer)
- Accept traffic from ports 11000, 11100 (Required for NodeService Manager)
- Accept traffic from ports 20000-20020 (Required for BridgeServer)
The following will provide steps on how to setup a firewall with the above rules:
- Download the file iptables-saved-file.txt. The contents of the file can be seen below:
# Generated by iptables-save v1.3.5 on Tue Apr 11 13:36:08 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2237815:1184810927]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5900:5920 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.0/240.0.0.0 -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 20000:20020 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 10002 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 10003 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10004 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 11000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 11100 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8002 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8004 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Apr 11 13:36:08 2006 -
As super user, issue the following command iptables-restore < /path/to/iptables-saved-file
-
Then issue the command service iptables save, which will save the iptables rules.
-
Hopefully your firewall will now be up and running and saved.
-
If you issue the command service iptables status you should get the following output:
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0Chain OUTPUT (policy ACCEPT)
num target prot opt source destinationChain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5900:5920
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 224.0.0.0/4
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:20000:20020
5 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
6 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
7 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
8 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
9 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
11 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
16 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10002
17 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10003
18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10004
19 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:11000
20 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:11100
21 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8000
22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8002
23 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8004
24 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
-
To add a iptable chain rule, you can issue a command similar to iptables -I RH-Firewall-1-INPUT -p tcp -m tcp --dport 6666:7777 -j ACCEPT, which would accept all traffic using any port within the port range of 6666 - 7777.
-
To remove a iptable chain rule, you can issue a command similar to iptables -D RH-Firewall-1-INPUT 5, which would delete the rule number 5 from the rule base. Which in the above case, would prevent icmp traffic, which would not allows pings.
| Attachment | Size |
|---|---|
| iptables-saved-file.txt | 1.96 KB |