Linux Admin Blog

System Administration, Linux, Solaris, Backup, Networking, Security, Mysql, Script, Tips & Tricks

Archive for the ‘Security’ Category

Open ports using IPTABLES

Posted by sanjaydalal4u on July 9, 2009

If you want your machine to respond to requests initiated from elsewhere on the internet you need to open the required ports. You need to know the following details first:

1. The name of the service you want to open up
2. Whether it is a tcp or udp service
3. The port number(s) used by the service

Example:

To enable ssh access to your box from anywhere on two class A networks, you could use something like:

iptables -A allowed -p tcp --dport 22 -s 10.2.0.0/16 -j ACCEPT
iptables -A allowed -p udp --dport 22 -s 10.2.0.0/16 -j ACCEPT

iptables -A allowed -p tcp --dport 22 -s 10.8.0.0/16 -j ACCEPT
iptables -A allowed -p udp --dport 22 -s 10.8.0.0/16 -j ACCEPT

This allows both udp and tcp traffic from either of the two networks listed to reach port 22 on your machine. Note that ssh itself only uses tcp, so the udp rules are harmless but unnecessary, and that the custom chain named allowed must already exist and be jumped to from the INPUT chain for these rules to have any effect.

Posted in Iptables, Security | Leave a Comment »

Work with tcpwrappers hosts.deny and hosts.allow

Posted by sanjaydalal4u on July 9, 2009

You can use tcpwrappers to block a user, IP address or daemon from the outside or from your internal network. To allow access use the hosts.allow file; to block access use the hosts.deny file.

Step 1. Use your favorite editor, like vi.

Step 2. Type vi /etc/hosts.deny
Step 3. On the bottom line just type "ALL: ALL: deny" to restrict all daemon processes
Step 4. Save it.
Step 5. Open /etc/hosts.allow with the vi editor
Step 6. On the bottom line add "ALL: <IP address you allow>: allow" to allow anything from your IP address
Step 7. Save it.
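An added example, not part of the original post, that emulates the tcp_wrappers lookup order (hosts.allow is searched first, then hosts.deny, and a client listed in neither is allowed) so you can check what the two files you just wrote will do before relying on them. The file locations, the sample addresses and the helper names are constructed for this example; on a real system the same check is done with tcpdmatch(8).

```shell
#!/bin/sh
# Added example, not from the original post: a small emulation of how
# tcp_wrappers reads the two files. Only ALL, exact addresses and
# trailing-dot prefixes such as "192.168.1." are understood here, and a
# trailing ": allow" / ": deny" option overrides the file it appears in.
# HOSTS_ALLOW and HOSTS_DENY point at constructed files, not /etc.

list_matches() {  # list_matches "pattern, list" value -> exit 0 on a match
    _val=$2
    for _pat in $(printf '%s' "$1" | tr ',' ' '); do
        case "$_pat" in
            ALL) return 0 ;;
            *.)  case "$_val" in "$_pat"*) return 0 ;; esac ;;
            *)   [ "$_pat" = "$_val" ] && return 0 ;;
        esac
    done
    return 1
}

file_lookup() {  # file_lookup FILE daemon client -> exit 0 and print the option of the first matching line
    [ -f "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | { while IFS=: read -r d c opt; do
        if list_matches "$d" "$2" && list_matches "$c" "$3"; then
            printf '%s\n' "$opt" | tr -d ' \t'; exit 0
        fi
    done; exit 1; }
}

tcpd_decide() {  # tcpd_decide daemon client -> prints allow or deny
    if opt=$(file_lookup "$HOSTS_ALLOW" "$1" "$2"); then
        [ "$opt" = deny ] && echo deny || echo allow
    elif opt=$(file_lookup "$HOSTS_DENY" "$1" "$2"); then
        [ "$opt" = allow ] && echo allow || echo deny
    else
        echo allow          # listed nowhere: tcp_wrappers grants access
    fi
}

TMPD=$(mktemp -d)
HOSTS_ALLOW=$TMPD/hosts.allow; HOSTS_DENY=$TMPD/hosts.deny
printf 'sshd: 10.2.0.5\nALL: 192.168.1.\n' > "$HOSTS_ALLOW"   # the post's step 6
printf 'ALL: ALL: deny\n' > "$HOSTS_DENY"                     # the post's step 3
for client in 10.2.0.5 192.168.1.77 203.0.113.9; do
    echo "sshd from $client: $(tcpd_decide sshd "$client")"
done
```

Write the hosts.allow entry for your own address before adding the deny line, or the session you are editing from is the next one to be refused.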

Posted in Security | Leave a Comment »

Disable Users to login into the server

Posted by sanjaydalal4u on April 30, 2009

Suppose we want to take a backup of a user's account. First of all we have to block the user from logging into the account, so that the data in the backup stays consistent. Using the technique below we can do that very easily. Enjoy!!!

Edit the PAM file located in the /etc/pam.d/ directory for the service you want to control.

Example: suppose you want to control the ssh service.

Step 1: Add the line below to the /etc/pam.d/sshd file if it is not already there.

account required pam_nologin.so

Step 2: Create the /etc/nologin file:

# touch /etc/nologin

This disables login over ssh for every user except the administrator user (root).

Step 3: To re-enable logins, just remove /etc/nologin:

# rm -rf /etc/nologin

Posted in HowTo, Security, Tips & Tricks | Leave a Comment »

How to Prevent the reuse of old passwords

Posted by sanjaydalal4u on April 30, 2009

For RHEL/Fedora distributions

To remember the last 5 passwords, add the line below to the /etc/pam.d/system-auth file:

password sufficient /lib/security/pam_unix.so use_authtok md5 shadow remember=5

For Debian/Ubuntu distributions

To remember the last 5 passwords, add the line below to the /etc/pam.d/common-password file:

password sufficient /lib/security/pam_unix.so use_authtok md5 shadow remember=5

pam_unix keeps the old password hashes it compares against in /etc/security/opasswd.

Posted in HowTo, Security, Tips & Tricks | Leave a Comment »

How to Use MD5 Sum

Posted by sanjaydalal4u on April 30, 2009

Full name: Message-Digest algorithm 5

Usage: using an MD5 checksum you can verify the integrity of data

Algorithm: cryptographic hash function producing a 128-bit value

md5sum reads the data that is being backed up and computes an MD5 checksum, a unique string of letters and numbers such as 3dfsdjl2342ldkfjkdf32k. MD5 checksums are very useful for verifying data and for passwords.

Check md5sum usage

Step 1: Generate an MD5 checksum:

In a shell console:

# md5sum filename > filename.md5

Step 2: Verify an MD5 checksum:

# md5sum -c filename.md5
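An added example, not from the original post, that extends the two steps above to a whole backup directory and shows what the verification step reports after a file changes. The backup directory, its files and the helper names are constructed for the example; the HASH variable is an assumption that lets the same code run with sha256sum.

```shell
#!/bin/sh
# Added example, not from the original post: checksum a whole backup
# directory the way the post does for one file, then verify it before a
# restore. md5sum -c exits non-zero and names the file when anything differs.
# MD5 is fine for spotting accidental corruption, but it is no longer
# collision resistant, so set HASH=sha256sum (same interface) when someone
# might tamper with the backup on purpose.

HASH=${HASH:-md5sum}

make_manifest() {  # make_manifest DIR -> writes DIR.md5, one "hash  ./file" line per file
    (cd "$1" && find . -type f -exec "$HASH" {} + | sort -k2) > "$1.md5"
}

verify_manifest() {  # verify_manifest DIR -> exit 0 only if every file still matches DIR.md5
    (cd "$1" && "$HASH" -c "$1.md5")             # DIR must be an absolute path
}

# Constructed backup directory with two files.
BK=$(mktemp -d)/backup
mkdir -p "$BK"
printf 'alice home\n' > "$BK/alice.tar"
printf 'bob home\n'   > "$BK/bob.tar"
make_manifest "$BK"
verify_manifest "$BK" && echo "backup verified, safe to restore"
printf 'x' >> "$BK/bob.tar"                      # simulated corruption or tampering
verify_manifest "$BK" || echo "verification FAILED, do not restore from this copy"
```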

Posted in HowTo, Security, Tips & Tricks | Leave a Comment »

Iptables Unblock/delete

Posted by sanjaydalal4u on April 30, 2009

Display the list of existing chain entries:

iptables -L -n

iptables -L -n -v

iptables -L chain-name -n -v

iptables -L spamips -n -v

Display existing chains with line numbers:

iptables -L INPUT -n --line-numbers

iptables -L OUTPUT -n --line-numbers

iptables -L spamips -n -v --line-numbers

Delete a rule from iptables using its line number:

iptables -D INPUT linenumber

Example: iptables -D INPUT 11

You can also use the syntax below to delete / unblock an IP:

iptables -D INPUT -s ipaddress -j DROP
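An added example, not from the original post, that shows the one caveat of deleting by line number: every deletion renumbers the rules after it, so when an address appears in several rules they must be removed highest line number first. The listing is constructed sample output of iptables -L INPUT -n --line-numbers, and the IPTABLES variable and helper names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post: find every DROP rule for one
# address in INPUT and delete them by line number in the only safe order.
# "iptables -D INPUT N" renumbers the rules after N, so deleting in
# ascending order would hit the wrong rule; we delete highest first.
# (The "-D INPUT -s IP -j DROP" form from the post removes only the first
# exact match per call, so it has to be repeated for duplicate rules.)
# LISTING is constructed output of "iptables -L INPUT -n --line-numbers".

LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    DROP       all  --  203.0.113.7          0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    DROP       tcp  --  203.0.113.7          0.0.0.0/0            tcp dpt:25
5    DROP       all  --  198.51.100.4         0.0.0.0/0'

drop_rule_numbers() {  # drop_rule_numbers IP -> line numbers of DROP rules for IP, highest first
    printf '%s\n' "$LISTING" |
        awk -v ip="$1" '$1 ~ /^[0-9]+$/ && $2 == "DROP" && $5 == ip { print $1 }' |
        sort -rn
}

unblock_ip() {  # unblock_ip IP -> runs one delete per matching rule, prints how many
    count=0
    for n in $(drop_rule_numbers "$1"); do
        "${IPTABLES:-/sbin/iptables}" -D INPUT "$n"
        count=$((count + 1))
    done
    echo "$count"
}

IPTABLES=echo          # dry run: print the delete commands instead of running them
unblock_ip 203.0.113.7
```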


Posted in HowTo, Iptables, Security, Tips & Tricks | Leave a Comment »

Block brute force attacks using DenyHosts

Posted by sanjaydalal4u on April 29, 2009

Issue:

Check your /var/log/auth.log file. In this file you will see that some unauthorized user is constantly trying to access your system using brute force attacks: he/she is trying to get access to your system with a script that tries to log in with different passwords. We can block this with a few simple steps.

Step 1: Install the DenyHosts tool on your system.

apt-get install denyhosts

Step 2: Configure the /etc/denyhosts.conf file according to your requirements.

Configure this file to analyze the log file:

SECURE_LOG = /var/log/auth.log    (the default)

DENY_THRESHOLD_INVALID = 3    (block a host after this many failed logins for non-existent user names)

DENY_THRESHOLD_VALID = 5    (block a host after this many failed logins against valid user accounts)

DENY_THRESHOLD_ROOT = 3    (the same, for root login attempts)

Step 3: Restart DenyHosts:

# /etc/init.d/denyhosts restart
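An added example, not from the original post, that performs by hand the counting DenyHosts does for you, so the three thresholds above can be seen in action against a few constructed auth.log lines. The log lines, the temp file and the function name are constructed; the threshold variable names are the ones from denyhosts.conf.

```shell
#!/bin/sh
# Added example, not from the original post: count failed sshd logins per
# source address in the three classes DenyHosts distinguishes (invalid user,
# root, valid user) and print every address at or over its threshold in
# hosts.deny syntax. Thresholds default to the values used in the post.

DENY_THRESHOLD_INVALID=${DENY_THRESHOLD_INVALID:-3}
DENY_THRESHOLD_VALID=${DENY_THRESHOLD_VALID:-5}
DENY_THRESHOLD_ROOT=${DENY_THRESHOLD_ROOT:-3}

hosts_to_deny() {  # hosts_to_deny LOGFILE -> "sshd: IP" for every address to block
    awk -v ti="$DENY_THRESHOLD_INVALID" -v tv="$DENY_THRESHOLD_VALID" \
        -v troot="$DENY_THRESHOLD_ROOT" '
    /sshd\[[0-9]+\]: Failed password for / {
        ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
        if ($0 ~ / for invalid user /)   inv[ip]++
        else if ($0 ~ / for root from /) root[ip]++
        else                             val[ip]++
    }
    END {
        for (ip in inv)  if (inv[ip]  >= ti)    deny[ip] = 1
        for (ip in root) if (root[ip] >= troot) deny[ip] = 1
        for (ip in val)  if (val[ip]  >= tv)    deny[ip] = 1
        for (ip in deny) print "sshd: " ip
    }' "$1" | sort
}

# Constructed sample of /var/log/auth.log (OpenSSH message format).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Apr 29 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 4011 ssh2
Apr 29 10:01:05 host sshd[1202]: Failed password for invalid user test from 203.0.113.9 port 4012 ssh2
Apr 29 10:01:08 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.9 port 4013 ssh2
Apr 29 10:02:01 host sshd[1210]: Failed password for root from 198.51.100.4 port 5001 ssh2
Apr 29 10:02:03 host sshd[1211]: Failed password for root from 198.51.100.4 port 5002 ssh2
Apr 29 10:03:00 host sshd[1220]: Failed password for alice from 192.0.2.10 port 6001 ssh2
Apr 29 10:03:30 host sshd[1221]: Accepted password for alice from 192.0.2.10 port 6002 ssh2
EOF
hosts_to_deny "$LOG"          # only 203.0.113.9 reaches a threshold
```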

Posted in Denyhost, Security | Leave a Comment »

Create an Encrypted Folder on Ubuntu for security

Posted by sanjaydalal4u on April 29, 2009

Step 1: Install eCryptfs on Ubuntu

apt-get install ecryptfs-utils

Step 2: Create a new directory to encrypt.

# mkdir foldername

# chmod 700 foldername

Step 3: Mount ecryptfs onto the other folder using the following command:

# mount -t ecryptfs foldername folder2

Here foldername is the directory that holds the encrypted files and folder2 is the directory where the decrypted view is mounted (both may be the same directory).

It will then prompt you to answer a few questions.

Press "1" to select passphrase

Posted in Security | Leave a Comment »

Basic Rules of a typical Firewall

Posted by sanjaydalal4u on April 29, 2009

Kill INVALID packets with illegal flag combinations:

$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

No restrictions on connections from localhost:

$IPTABLES -A INPUT -i lo -j ACCEPT

Reject connections from the outside world to the internal loopback device:

$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT

No restrictions on traffic originating from legitimate internal addresses:

$IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT

In case you have to use IPv6 addresses in your environment, uncomment the line below:

#$IPTABLES -A INPUT -p ipv6 -j ACCEPT

Kill all packets from the outside world claiming to come from the internal network (anti-spoofing):

$IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT

Block ICMP echo requests from being forwarded to the internal network:

$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT

Prevent ping flood attacks (accept at most one echo request per second and drop the rest):

$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP

Deny pings to the local broadcast address:

$IPTABLES -A INPUT -p icmp -d $INTERNALBCAST -j DROP

Allow all other ICMP:

$IPTABLES -A INPUT -p icmp -j ACCEPT

 

No restrictions on established connections:

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Don't forward SMB-related traffic. Samba services are among the services most often targeted by attackers:

$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 139 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 139 -j REJECT
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 137 -j REJECT

Disable Samba Share (note: with -j ACCEPT the rules below actually open ports 137-139 on INPUT; change the target to DROP or REJECT if the intent is to block them):

$IPTABLES -A INPUT -p tcp --dport 137 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 137 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 138 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 138 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 139 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 139 -j ACCEPT

Allow all other connections to be forwarded:

$IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIF -j ACCEPT

Allow replies from established connections:

$IPTABLES -A FORWARD -i $EXTERNALIF -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow yourself to be a DHCP server for your inside network:

$IPTABLES -A INPUT -i $INTERNALIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNALIF -p udp --sport 68 --dport 67 -j ACCEPT

 

ftp-data:

$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT

ftp:

$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT

ssh:

#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

Telnet:

$IPTABLES -A INPUT -p tcp --dport 23 -j ACCEPT

DNS:

$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

http:

$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

POP-3:

$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT

https:

$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT

VNC Server:

$IPTABLES -A INPUT -p tcp --dport 5801 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 5901 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 6001 -j ACCEPT

 

EXPLICITLY BLOCKING SERVICE PORTS FOR GATEWAY FROM OUTSIDE WORLD

/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 21        # ftp
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 22        # ssh
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 23        # telnet
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 25        # smtp
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 53        # domain
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 79        # finger
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 80        # httpd
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 110       # pop3
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 111       # sunrpc
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 137       # netbios-ns

Posted in Security | Leave a Comment »