Re: attempts to hack in?

There are a whole lot of other elements to the firewall that you'd need. For example you need IN_public_deny to be defined. (That is the specific filter it is working within.) I took the basic filter that SL 7.2 generated and a very modified and very old Trinity OS firewall using IPChains when I installed it and worked from there to add features. But the basics of this rule amount to the -m recent, --rcheck, --seconds NN, and hitcount N parameters. The line I quoted logs the attacking packet. The following is pulled directly from my iptables.24 script (24th significant change.)

$IPT -t filter -A IN_public_deny -p tcp --dport ssh --syn -m recent --name ssh_attack --rcheck --seconds 90 --hitcount 1 -j REJECT --reject-with tcp-reset

The -j REJECT makes the packet go away. And, again, it is in the set of rules in my script that is named IN_public_deny. It is called from IN_public, which is called from ....

Let's see if I can boil it down a bit.

===8<---   This is long
JDVER=24.1
# tell me where I am in the script.
LOGGER="/usr/bin/logger -t `basename $0`"
$LOGGER -p daemon.notice "Loading Stronger IPTABLES Firewall $JDVER"
echo -e "\nLoading STRONGER rc.firewall - version $JDVER.\n"
#
IPT=/sbin/iptables

#!  Then we flush everything and setup default rules for internal definitions.
# Flush everything for starters
$IPT -F
$IPT -t nat -F

# clearing any previous configuration
#
##  Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP.
##
##    You CANNOT change this to REJECT as it isn't a valid setting for a
##    policy.  If you want REJECT, you must explicitly REJECT at the end
##    of a given INPUT, OUTPUT, or FORWARD chain
##
echo "  Clearing any existing rules and setting default policy to ACCEPT.."

#for i in filter mangle nat
#  The mangle, raw, and security chains are not used.
for i in filter nat mangle raw security
do
     $IPT -t $i -F
     $IPT -t $i -X
     $IPT -t $i -Z
done

# note:
#   "filter"
#       is  the  default table (if no -t option is passed).
#       and contains:
#       INPUT (for packets coming into the box itself),
#       FORWARD (for altering packets being routed through the box),
#       OUTPUT (for altering locally-generated packets before routing),
#   "mangle"
#       This table is used for specialized packet alteration.
#       and contains:
#       PREROUTING (for altering incoming packets before routing),
#       OUTPUT (for altering locally-generated packets before routing),
#       INPUT (for packets coming into the box itself),
#       FORWARD (for altering packets being routed through the box),
#       POSTROUTING (for altering packets as they are about to go out).
#   "nat" contains
#       is consulted when a packet that creates a new connection is encountered.
#       and contains:
#       PREROUTING (for altering packets as soon as they come in),
#       OUTPUT  (for altering locally-generated packets before routing),
#       POSTROUTING (for altering packets as they are about to go out).
#   "raw" contains
#       is used mainly for configuring exemptions from connection tracking in
#       combination with the NOTRACK target. It registers at the netfilter hooks
#       with higher priority and is  thus called before ip_conntrack, or any
#       other IP tables.
#       and contains:
#       PREROUTING (for packets arriving via any network interface)
#       OUTPUT (for packets generated by local processes)
#   "security" contains
#       This table is used for Mandatory Access Control (MAC) networking rules,
#       such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory
#       Access Control is implemented by Linux Security Modules such as SELinux.
#       The security table is called after the filter table, allowing any
#       Discretionary Access Control (DAC) rules in the filter table to take
#       effect before MAC rules.
#       and contains:
#       INPUT (for packets coming into the box itself)
#       OUTPUT  (for  altering  locally-generated packets before routing)
#       FORWARD (for altering packets being routed through the box).

### Initialize built in chains
$IPT -t filter -P INPUT DROP
$IPT -t filter -P FORWARD DROP
$IPT -t filter -P OUTPUT DROP
$IPT -t filter -P INPUT ACCEPT
$IPT -t filter -P FORWARD ACCEPT
$IPT -t filter -P OUTPUT ACCEPT


#! Second we set up some "filter" chains we may not use.
$IPT -t filter -N INPUT_ZONES
$IPT -t filter -N IN_public
$IPT -t filter -N IN_work
$IPT -t filter -N FORWARD_ext
$IPT -t filter -N FORWARD_int
$IPT -t filter -N OUTPUT_ext
$IPT -t filter -N OUTPUT_int

$IPT -t filter -N IN_work_log
#$IPT -t filter -N IN_work_log
#$IPT -t filter -N IN_work_deny
$IPT -t filter -N IN_work_allow
#$IPT -t filter -N IN_public_log
$IPT -t filter -N IN_public_deny
$IPT -t filter -N IN_public_allow

$IPT -t filter -N FORWARD_IN_ZONES
$IPT -t filter -N FWDI_work
$IPT -t filter -N FWDI_public
#$IPT -t filter -N FWDI_public_log
#$IPT -t filter -N FWDI_public_deny
#$IPT -t filter -N FWDI_public_allow
$IPT -t filter -N FORWARD_OUT_ZONES
$IPT -t filter -N FWDO_public
#$IPT -t filter -N FWDO_public_log
#$IPT -t filter -N FWDO_public_deny
$IPT -t filter -N FWDO_public_allow
$IPT -t filter -N FWDO_work
#$IPT -t filter -N FWDO_work_log
#$IPT -t filter -N FWDO_work_deny
$IPT -t filter -N FWDO_work_allow

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P INPUT ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t nat -N PREROUTING_ZONES
$IPT -t nat -N PRE_public
$IPT -t nat -N PRE_work
$IPT -t nat -N POSTROUTING_ZONES
$IPT -t nat -N POST_public
#$IPT -t nat -N POST_public_log
#$IPT -t nat -N POST_public_deny
$IPT -t nat -N POST_public_allow
$IPT -t nat -N POST_work
#$IPT -t nat -N POST_work_log
#$IPT -t nat -N POST_work_deny
#$IPT -t nat -N POST_work_allow
#$IPT -t nat -N PRE_public_log
#$IPT -t nat -N PRE_public_deny
#$IPT -t nat -N PRE_public_allow
#$IPT -t nat -N PRE_work_log
#$IPT -t nat -N PRE_work_deny
$IPT -t nat -N PRE_work_allow


#
#Configuring specific CHAINS logging for later use in the ruleset
#
#  NOTE:  Some users prefer to have their firewall silently
#         "DROP" packets while others prefer to use "REJECT"
#         to send ICMP error messages back to the remote
#         machine.  The default is "REJECT" but feel free to
#         change this below.
#
# NOTE: Without the --log-level set to "info", every single
#       firewall hit will goto ALL vtys.  This is a very big
#       pain.
#
echo "  Creating a DROP chain.."
$IPT -t filter -N drop-and-log-it
$IPT -A drop-and-log-it -j LOG --log-level info --log-prefix " DALI: "
$IPT -A drop-and-log-it -j DROP

#for testing
$IPT -t filter -N reject-and-log-it
$IPT -A reject-and-log-it -j LOG --log-level info --log-prefix " RALI: "
$IPT -A reject-and-log-it -j REJECT

$IPT -t filter -N drop-and-log-it2
$IPT -A drop-and-log-it2 -j LOG --log-level info --log-prefix " DALI2: "
$IPT -A drop-and-log-it2 -j DROP

$IPT -t filter -N ssh-drop-and-log-it
$IPT -A ssh-drop-and-log-it -j LOG --log-level info --log-prefix " SSH ATTACK: "
$IPT -A ssh-drop-and-log-it -j DROP

$IPT -t filter -N ssh-drop-and-log-it2
$IPT -A ssh-drop-and-log-it2 -j LOG --log-level info --log-prefix " SSH OZONE: "
$IPT -A ssh-drop-and-log-it2 -j DROP

$IPT -t filter -N virus-source-drop-and-log-it
$IPT -A virus-source-drop-and-log-it -j LOG --log-level info --log-prefix " VIRUS SOURCE: "
$IPT -A virus-source-drop-and-log-it -j DROP

$IPT -t filter -N probe-source-drop-and-log-it
$IPT -A probe-source-drop-and-log-it -j LOG --log-level info --log-prefix " PROBE SOURCE: "
$IPT -A probe-source-drop-and-log-it -j DROP

$IPT -t filter -N bad-source-drop-and-log-it
$IPT -A bad-source-drop-and-log-it -j LOG --log-level info --log-prefix " BAD IP INTERNAL NET: "
$IPT -A bad-source-drop-and-log-it -j DROP

$IPT -t filter -N accept-and-log-it
$IPT -A accept-and-log-it -j LOG --log-level info  --log-prefix " FORWARD "
$IPT -A accept-and-log-it -j ACCEPT

echo "Drop chains done."
# Zero counters on all chains
$IPT -Z

#! Now we're really safe. Build some constants and addresses
# Used for parsing ifconfig results to obtain Ethernet port addresses.
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig

# Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  NOTE:  We make use of the "+" interface as a safety trick when new interfaces
#         appear out of the blue.

VIRIF="virbr0"
EXTIF="enp3s0"
INTIF="enp0s31f6"
echo "  External Interface:  $EXTIF"
echo "  Internal Interface:  $INTIF"
echo "  ---"

#! Determine the external IP automatically:
# ----------------------------------------
#
EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet ' | $AWK '{print $2}' | \
$SED -e 's/.*://'`"
echo "  External IP: $EXTIP"
echo "  ---"

# Assign the internal TCP/IP network and IP address
INTNET="192.168.X.X/22"
#INTIP="192.168.X.X"
VIRNET="192.168.122.0/24"
#! This is handy when migrating machines. So I leave it in.
INTIP="`$IFCONFIG $INTIF | $GREP 'inet ' | $AWK '{print $2}' | \
 $SED -e 's/.*://'`"

echo "  Internal Network: $INTNET"
echo "  Internal Network2: $INTNET2"
echo "  Internal IP:      $INTIP $INTIP2 $INTIP3"
echo "  ---"

if [ "$INTIP" = "" ]; then
# This is a completely separate basic firewall when the Internet connection
# is down.
    exec /etc/sysconfig/iptables.nil
fi

# And here you will notice I do something rather funkity. My internal SSH port
# is 22. My external SSH port is something else. Ditto pop3s and imaps.

#! We expose SSH, POP3S, and IMAPS on a slightly unusual  set of ports.
SSH_PORT=MMMMM
POP3S_PORT=MMMMM1
IMAPS_PORT=MMMMM2
OZONE_SSH_PORT=65535
OZONE_POP_PORT=65534
OZONE_IMP_PORT=65533
#! And we do it using multiport options
# Standard port assigns
MULTIPORT1=ssh,pop3s,imaps
# which are moved to here.
MULTIPORT2=$POP3S_PORT,$IMAPS_PORT,$SSH_PORT
# (Debugging artifact)
MULTIPORT=$MULTIPORT2


#!REDIR to the Media Server machine if set below
REDIR=
REDIRPORT=
#! SSHREDIR - is SSH port change done via the SSH_REDIR options below.
SSH_REDIR=0
#! SSH2
SSH2=0

#! Test SSH DISABLE file - quick way to turn everything off.
if [ -f /etc/SSH ]; then
        . /etc/SSH
else
        SSH_DISABLE=1
fi

# Parse some handy options when used from the commandline
while [ "$#" != "0" ]; do
{
    keyword=$1
    case $keyword in
        video)
            REDIR="192.168.X.X"
            REDIRPORT="XXXXXX"
            echo "Setting up video forwarding"
            ;;
        ssh_redir)
            SSH_REDIR=1
            echo "Setting up SSH, POP3S, and IMAPS redirection"
            ;;
        ssh2)
            SSH2=1
            echo "Enabling second SSH port"
            ;;
        ssh_enable)                         # manually force external SSH enable
            SSH_DISABLE=0
            ;;
        *)
        echo
        echo "$keyword not understood:"
        echo "usable flags:"
        echo "    video - setup video forwarding to .18 locally"
        echo "    ssh_enable"
        echo "    ssh_redir"
        echo "    ssh2"
        /etc/sysconfig/iptables.nil
        exit
        ;;
    esac
    shift 1
}
done

# next I feed the options used to the logger. (left out here.)

#! Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP,
#   enable the following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
echo "  Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "  ---"

#!   Now we begin the serious work
$LOGGER -p daemon.notice "IPTables firewall nat rules"
echo "IPTables firewall nat rules"

#! Table: nat
#! ==========

#! Chain nat:PREROUTING (policy ACCEPT)
$IPT -t nat -A PREROUTING -j PREROUTING_ZONES

#! Chain nat:INPUT (policy ACCEPT)

#! Chain nat:OUTPUT (policy ACCEPT)

#! Chain nat:POSTROUTING (policy ACCEPT)
# TODOTODO The VIRNET (virtual network interface) routing needs some thinking.
$IPT -t nat -A POSTROUTING -s $VIRNET -d 224.0.0.0/24 -j RETURN
$IPT -t nat -A POSTROUTING -s $VIRNET -d 255.255.255.255/32 -j RETURN
$IPT -t nat -A POSTROUTING -s $VIRNET ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
$IPT -t nat -A POSTROUTING -s $VIRNET ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
$IPT -t nat -A POSTROUTING -s $VIRNET ! -d 192.168.122.0/24 -j MASQUERADE
$IPT -t nat -A POSTROUTING -j POSTROUTING_ZONES

#! Chain nat:POSTROUTING_ZONES  (1 references)
if [ "$EXTIP" != "" ]; then
    $IPT -t nat -A POSTROUTING_ZONES -o $EXTIF -g POST_public
fi
$IPT -t nat -A POSTROUTING_ZONES -o $INTIF -g POST_work
$IPT -t nat -A POSTROUTING_ZONES -o $VIRIF -g POST_work
$IPT -t nat -A POSTROUTING_ZONES -o + -g POST_public

#! Chain nat:POST_public (2 references)
#$IPT -t nat -A POST_public -j POST_public_log
#$IPT -t nat -A POST_public -j POST_public_deny
$IPT -t nat -A POST_public -j POST_public_allow

#! Chain nat:POST_public_log (1 references)

#! Chain nat:POST_public_deny (1 references)

#! Chain nat:POST_public_allow (1 references)
$IPT -t nat -A POST_public_allow ! -o lo -j MASQUERADE

#! Chain nat:POST_work (2 references)    # Basically it's all allowed?
#$IPT -t nat -A POST_work -j POST_work_log
#$IPT -t nat -A POST_work -j POST_work_deny
#$IPT -t nat -A POST_work -j POST_work_allow

#! Chain nat:POST_work_log (1 reference)

#! Chain nat:POST_work_deny (1 reference)

#! Chain nat:POST_work_allow (1 reference)

#! Chain nat:PREROUTING_ZONES (1 references)
if [ "$EXTIP" != "" ]; then
    # Change port numbers on critical ports
    $IPT -t nat -A PREROUTING_ZONES -i $EXTIF -g PRE_public
fi
$IPT -t nat -A PREROUTING_ZONES -i $INTIF -g PRE_work
$IPT -t nat -A PREROUTING_ZONES -i $VIRIF -g PRE_work
$IPT -t nat -A PREROUTING_ZONES -i + -g PRE_public


#! Chain nat:PRE_public (2 references)
if [ $SSH_DISABLE = 0 -a $SSH_REDIR != 0 ]; then
$IPT -t nat -A PRE_public -p tcp --dport ssh -j REDIRECT --to-port $OZONE_SSH_PORT
    $IPT -t nat -A PRE_public -p tcp --dport $SSH_PORT -j REDIRECT --to-port 22

$IPT -t nat -A PRE_public -p tcp --dport pop3s -j REDIRECT --to-port $OZONE_POP_PORT
    $IPT -t nat -A PRE_public -p tcp --dport $POP3S_PORT -j REDIRECT --to-port 995

$IPT -t nat -A PRE_public -p tcp --dport imaps -j REDIRECT --to-port $OZONE_IMP_PORT
    $IPT -t nat -A PRE_public -p tcp --dport $IMAPS_PORT -j REDIRECT --to-port 993
    $LOGGER -p daemon.notice "  Secure ports redirected"
fi

#$IPT -t nat -A PRE_public -j PRE_public_log
#$IPT -t nat -A PRE_public -j PRE_public_deny
#$IPT -t nat -A PRE_public -j PRE_public_allow

#! Chain nat:PRE_work
#$IPT -t nat -A PRE_work -j PRE_work_log
#$IPT -t nat -A PRE_work -j PRE_work_deny
$IPT -t nat -A PRE_work -j PRE_work_allow

#! Chain nat:PRE_work_allow
if [ $SSH_DISABLE = 0 -a $SSH_REDIR != 0 ]; then
    $IPT -t nat -A PRE_work_allow -p tcp --dport $SSH_PORT -j REDIRECT --to-port 22
    $IPT -t nat -A PRE_work_allow -p tcp --dport $POP3S_PORT -j REDIRECT --to-port 995
    $IPT -t nat -A PRE_work_allow -p tcp --dport $IMAPS_PORT -j REDIRECT --to-port 993
    $LOGGER -p daemon.notice " Secure ports redirected to include redirected secure ports on local net"
fi

# TODOTODO might need mangle just to have:
#$IPT -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

# more logger to give an idea where I am in the script if anything fails.
#! Table: filter
#! =============

#! Chain filter:INPUT (policy ACCEPT)
$IPT -t filter -A INPUT -i $VIRIF -j ACCEPT -p udp --dport domain
$IPT -t filter -A INPUT -i $VIRIF -j ACCEPT -p tcp --dport domain
$IPT -t filter -A INPUT -i $VIRIF -j ACCEPT -p udp --dport bootps
$IPT -t filter -A INPUT -i $VIRIF -j ACCEPT -p tcp --dport bootps
$IPT -t filter -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A INPUT -j INPUT_ZONES
# TODOTODO - replace these two lines with a variant of drop and log it.
$IPT -t filter -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -t filter -A INPUT -j REJECT --reject-with icmp-host-prohibited
#end chain

#! Chain filter:FORWARD (policy ACCEPT)
$IPT -t filter -A FORWARD -d $VIRNET -o $VIRIF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -t filter -A FORWARD -s $VIRNET -i $VIRIF -j ACCEPT
$IPT -t filter -A FORWARD -i $VIRIF -o $VIRIF -j ACCEPT
$IPT -t filter -A FORWARD -o $VIRIF -j REJECT --reject-with icmp-port-unreachable
$IPT -t filter -A FORWARD -i $VIRIF -j REJECT --reject-with icmp-port-unreachable
$IPT -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -t filter -A FORWARD -i lo -j ACCEPT
$IPT -t filter -A FORWARD -j FORWARD_IN_ZONES
$IPT -t filter -A FORWARD -j FORWARD_OUT_ZONES
# TODOTODO - replace these two lines with a variant of drop and log it.
$IPT -t filter -A FORWARD -m conntrack --ctstate INVALID -j DROP
$IPT -t filter -A FORWARD -j REJECT --reject-with icmp-host-prohibited
#end chain

#! Chain filter:OUTPUT (policy ACCEPT)
$IPT -t filter -A OUTPUT -o virbr0 -p udp -m udp --dport bootpc -j ACCEPT

#! Chain filter:FORWARD_IN_ZONES (1 references)
# NOTE: -g means don't come back here. Come back to where this came from. (e.g. FORWARD)
if [ "$EXTIP" != "" ]; then
    $IPT -t filter -A FORWARD_IN_ZONES -i $EXTIF -g FWDI_public
fi
$IPT -t filter -A FORWARD_IN_ZONES -i $INTIF -g FWDI_work
$IPT -t filter -A FORWARD_IN_ZONES -i $VIRIF -g FWDI_work
$IPT -t filter -A FORWARD_IN_ZONES -i + -g FWDI_public

#! Chain filter:FORWARD_OUT_ZONES (1 references)
if [ "$EXTIP" != "" ]; then
    $IPT -t filter -A FORWARD_OUT_ZONES -o $EXTIF -g FWDO_public
fi
$IPT -t filter -A FORWARD_OUT_ZONES -o $INTIF -g FWDO_work
$IPT -t filter -A FORWARD_OUT_ZONES -o $VIRIF -g FWDO_work
$IPT -t filter -A FORWARD_OUT_ZONES -g FWDO_public

#! Chain filter:FWDI_public (2 references)
#$IPT -t filter -A FWDI_public -j FWDI_public_log
#$IPT -t filter -A FWDI_public -j FWDI_public_deny
#$IPT -t filter -A FWDI_public -j FWDI_public_allow
$IPT -t filter -A FWDI_public -p icmp -j ACCEPT

#! Chain filter:FWDI_work (2 references)
#$IPT -t filter -A FWDI_work -j FWDI_work_log
#$IPT -t filter -A FWDI_work -j FWDI_work_deny
#$IPT -t filter -A FWDI_work -j FWDI_work_allow
$IPT -t filter -A FWDI_work -p icmp -j ACCEPT

#! Chain filter:FWDO_public (2 references)
#$IPT -t filter -A FWDO_public -j FWDO_public_log
#$IPT -t filter -A FWDO_public -j FWDO_public_deny
$IPT -t filter -A FWDO_public -j FWDO_public_allow

#! Chain filter:FWDO_public_allow (1 references)
$IPT -t filter -A FWDO_public_allow -j ACCEPT

#! Chain filter:FWDO_work (2 references)
#$IPT -t filter -A FWDO_work -j FWDO_work_log
#$IPT -t filter -A FWDO_work -j FWDO_work_deny
#$IPT -t filter -A FWDO_work -j FWDO_work_allow

#! Chain filter:INPUT_ZONES (1 references)
if [ "$EXTIP" != "" ]; then
    $IPT -t filter -A INPUT_ZONES -i $EXTIF -g IN_public
fi
$IPT -t filter -A INPUT_ZONES -i $INTIF -g IN_work
$IPT -t filter -A INPUT_ZONES -i $VIRIF -g IN_work
$IPT -t filter -A INPUT_ZONES -i + -g IN_public
# no return

#! Chain filter:IN_public (2 references)
#$IPT -t filter -A IN_public -j IN_public_log
$IPT -t filter -A IN_public -j IN_public_deny
$IPT -t filter -A IN_public -j IN_public_allow
$IPT -t filter -A IN_public -p icmp -j ACCEPT
$IPT -t filter -A IN_public -j drop-and-log-it

#! Chain filter:IN_public_allow (1 references)
$IPT -t filter -A IN_public_allow -p udp -m udp --dport bootps -m conntrack --ctstate NEW -j ACCEPT
# No ssh in for now
if [ $SSH_DISABLE = 0 ]; then
    if [ $SSH2 != 0 ]; then
$IPT -t filter -A IN_public_allow -p tcp -m tcp --dport 6283 -m conntrack --ctstate NEW -j ACCEPT
    fi
    if [ $SSH_REDIR != 0 ]; then
        $IPT -t filter -A IN_public_allow -p tcp -m tcp --dport ssh -m conntrack --ctstate NEW -j ACCEPT
        $IPT -t filter -A IN_public_allow -p tcp -m tcp --dport pop3s -m conntrack --ctstate NEW -j ACCEPT
        $IPT -t filter -A IN_public_allow -p tcp -m tcp --dport imaps -m conntrack --ctstate NEW -j ACCEPT
        $LOGGER -p daemon.notice "  Secure ports redirected"
    fi
fi

#! Chain filter:IN_public_deny (1 references)
# TODOTODO - put in the special drop and log references from the old firewall.
#! IN_public_deny
# TODOTODO Now we add the Chinese, Korean, etc bad guys to the list.
# Or do I put that after the special allows?
# Ch1na 58.14.0.0-55.67.255.255
#       58.14.0.0/14

if [ $SSH_DISABLE = 0 -a $SSH_REDIR = 0 -a $SSH2 = 0 ]; then
    # A typical rule might look like this. This will be VERY important when
    # running with SSH_DISABLE=0, SSH_REDIR=0, and SSH2=0
    # We probably need a side include file here.
# $IPT -A IN_public_deny -p tcp -m multiport -s 58.14.0.0/16 --dports $MULTIPORT1 -j ssh-drop-and-log-it
    # iptables_input_deny is (basically) made up of the line above with
    # addresses and address ranges I don't want on the machine ever. (Annoying
    # addresses.
    . /etc/sysconfig/iptables_input_deny
fi

# Then we put in the allowances for ssh, pop3s, imaps
if [ $SSH_DISABLE = 0 ]; then
    if [ $SSH_REDIR != 0 ]; then
        # For this first one note that ssh, pop3s, imaps are fudged to OZONE_PORTs by
        # ...the time it gets here.
        $IPT -t filter -A IN_public_deny -p tcp -m tcp --dport $OZONE_SSH_PORT -j ssh-drop-and-log-it2
        $IPT -t filter -A IN_public_deny -p tcp -m tcp --dport $OZONE_POP_PORT -j ssh-drop-and-log-it2
        $IPT -t filter -A IN_public_deny -p tcp -m tcp --dport $OZONE_IMP_PORT -j ssh-drop-and-log-it2

        # One SYN per 90 seconds per source for ssh: the second one is logged and reset.
        $IPT -t filter -A IN_public_deny -p tcp --dport ssh --syn -m recent --name ssh_attack --rcheck --seconds 90 --hitcount 1 -j LOG --log-prefix 'SSH2 REJECT: ' --log-level info
        $IPT -t filter -A IN_public_deny -p tcp --dport ssh --syn -m recent --name ssh_attack --rcheck --seconds 90 --hitcount 1 -j REJECT --reject-with tcp-reset
        $IPT -t filter -A IN_public_deny -p tcp --dport ssh --syn -m recent --name ssh_attack --set

        # Two SYNs per 90 seconds per source for pop3s.
        $IPT -t filter -A IN_public_deny -p tcp --dport pop3s --syn -m recent --name pop3s_attack --rcheck --seconds 90 --hitcount 2 -j LOG --log-prefix 'SSH2 REJECT: ' --log-level info
        $IPT -t filter -A IN_public_deny -p tcp --dport pop3s --syn -m recent --name pop3s_attack --rcheck --seconds 90 --hitcount 2 -j REJECT --reject-with tcp-reset
        $IPT -t filter -A IN_public_deny -p tcp --dport pop3s --syn -m recent --name pop3s_attack --set

        # Two SYNs per 90 seconds per source for imaps.
        $IPT -t filter -A IN_public_deny -p tcp --dport imaps --syn -m recent --name IMAPS_attack --rcheck --seconds 90 --hitcount 2 -j LOG --log-prefix 'SSH2 REJECT: ' --log-level info
        $IPT -t filter -A IN_public_deny -p tcp --dport imaps --syn -m recent --name IMAPS_attack --rcheck --seconds 90 --hitcount 2 -j REJECT --reject-with tcp-reset
        $IPT -t filter -A IN_public_deny -p tcp --dport imaps --syn -m recent --name IMAPS_attack --set

        # Try to block sections of ports.
        . /etc/sysconfig/iptables_input_deny
    else
$IPT -t filter -A IN_public_deny -p tcp -m multiport --dport $MULTIPORT -j ssh-drop-and-log-it
    fi
else
$IPT -A IN_public_deny -p tcp -m multiport --dports $MULTIPORT -j ssh-drop-and-log-it

fi

#! Chain filter:IN_public_log (1 references)

#! Chain filter:IN_work (2 references)
#$IPT -t filter -A IN_work -j IN_work_log
#$IPT -t filter -A IN_work -j IN_work_deny
$IPT -t filter -A IN_work -j IN_work_allow
$IPT -t filter -A IN_work -p icmp -j ACCEPT
#$IPT -t filter -A IN_work -j ACCEPT    // Implicit

#! Chain filter:IN_work_allow (1 references)
$IPT -t filter -A IN_work_allow ! -s $INTNET -d 0/0 -j bad-source-drop-and-log-it

# I want to see everything for tcpdump purposes....
$IPT -t filter -A IN_work_allow -j ACCEPT

# these rules are for when I do not want to have everything make it in.
# $IPT -t filter -A IN_work_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p tcp -m tcp --dport 139 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p tcp -m tcp --dport 445 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p tcp -m tcp --dport 465 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p tcp -m tcp --dport 110 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p tcp -m tcp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
$IPT -t filter -A IN_work_allow -p tcp -m tcp --dport ssh -m conntrack --ctstate NEW -j ACCEPT
$IPT -t filter -A IN_work_allow -p tcp -m tcp --dport pop3s -m conntrack --ctstate NEW -j ACCEPT
if [ $SSH_DISABLE = 0 -a $SSH2 != 0 ]; then
   $LOGGER -p daemon.notice "  Secure ports more connect track"
    $IPT -t filter -A IN_work_allow -p tcp -m tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t filter -A IN_work_allow -p tcp -m tcp --dport $POP3S_PORT -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t filter -A IN_work_allow -p tcp -m tcp --dport $IMAPS_PORT -m conntrack --ctstate NEW -j ACCEPT
fi
# $IPT -t filter -A IN_work_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p tcp -m tcp --dport 143 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -t filter -A IN_work_allow -p tcp -m tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
$IPT -t filter -A IN_work_allow -p tcp -m tcp --dport imaps -m conntrack --ctstate NEW -j ACCEPT

#! Chain filter:IN_work_deny (1 references)

#! Chain filter:IN_work_log (1 references)

echo "Enable forwarding"
sysctl -w net.ipv4.ip_forward=1

# And we think we are all done now.
$LOGGER -p daemon.notice "IPTables firewall install complete"
echo "IPTables firewall install complete"
====8<----

Before using this I *EVER SO HIGHLY RECOMMEND* reading enough about how to manually configure iptables and analyze what the lines are doing. I admit my understanding is not up there with the pros'. But I have tried and this appears to work like a bandit. I DO keep track of what is going on with Logwatch and some private tools I cobbled together.

So far nobody has found the private SSH ports. If they do it'll take them quite a while to get around to the passwords (and user IDs) that work.

You're not paranoid when they really are out to get you. And here it's nothing personal, they just want to find low hanging fruit.

{^_^}   Joanne
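Joanne's three-rule pattern (LOG, then REJECT, then --set, all on `-m recent`) and her point that the target chain has to exist before you can append to it, as an added example: this is not her iptables.24 script but a small POSIX sh wrapper written for this page. The chain name IN_public_deny, the 90-second window and the REJECT with tcp-reset come from her post; the log prefixes, the hit counts chosen for pop3s/imaps, the show_throttled helper and the dry-run default (IPT="echo iptables") are constructed for the example.

```shell
#!/bin/sh
# Added example (not Joanne's iptables.24 script): the three-rule "recent"
# throttle for one TCP port, as a reusable function. With --hitcount 1 a
# source gets one SYN per window; the next SYN inside the window is logged
# and answered with a TCP reset. After the window passes, --rcheck (which
# does not refresh the timestamp) stops matching and the source gets one more.
# IPT defaults to "echo iptables" so the script can be read and tested without
# root; run it as root with IPT=/sbin/iptables to apply the rules for real.
IPT="${IPT:-echo iptables}"

# ensure_chain CHAIN: create the user chain if it is missing. Appending to a
# chain that was never created is what produces
#   iptables: No chain/target/match by that name
ensure_chain() {
    $IPT -t filter -N "$1" 2>/dev/null || true
}

# rate_limit_port CHAIN PORT SECONDS HITCOUNT PREFIX
# Emits the three rules in the order they must appear:
#   1. LOG the SYN if this source already has HITCOUNT entries within SECONDS,
#   2. REJECT it with a TCP reset under the same condition,
#   3. otherwise --set: record the SYN and fall through to the allow rules.
rate_limit_port() {
    chain=$1; port=$2; seconds=$3; hits=$4; prefix=$5
    common="-t filter -A $chain -p tcp --dport $port --syn -m recent --name ${port}_attack"
    $IPT $common --rcheck --seconds "$seconds" --hitcount "$hits" \
        -j LOG --log-prefix "$prefix" --log-level info
    $IPT $common --rcheck --seconds "$seconds" --hitcount "$hits" \
        -j REJECT --reject-with tcp-reset
    $IPT $common --set
}

# show_throttled LISTNAME: the recent module keeps its table in
# /proc/net/xt_recent/<name>; reading it shows which sources are on the list.
show_throttled() {
    if [ -r "/proc/net/xt_recent/$1" ]; then
        cat "/proc/net/xt_recent/$1"
    else
        echo "no recent list named $1 (module not loaded or not root)"
    fi
}

# Demo: the three services Joanne throttles, one chance per 90 s for ssh and
# two for pop3s/imaps (hit counts and prefixes constructed for the example).
demo() {
    ensure_chain IN_public_deny
    rate_limit_port IN_public_deny ssh   90 1 'SSH REJECT: '
    rate_limit_port IN_public_deny pop3s 90 2 'POP3S REJECT: '
    rate_limit_port IN_public_deny imaps 90 2 'IMAPS REJECT: '
}
demo
```

In dry-run mode echo prints the arguments without the quotes around the log prefix; the real iptables invocation receives it as one argument. The --set rule has to be last: if it came first, the SYN that is being checked would already be on the list and --hitcount 1 would reject every connection.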

On 2017-06-29 18:24, Doug wrote:

On 06/29/2017 08:10 PM, jdow wrote:
A rule like this makes cracking your 123456 password a whole lot harder without changing anything else.

iptables -t filter -A IN_public_deny -p tcp --dport pop3s --syn -m recent --name pop3s_attack --rcheck --seconds 90 --hitcount 2 -j LOG --log-prefix 'SSH2 REJECT: ' --log-level info

The magic is in "-m recent --rcheck --seconds 90 --hitcount 2". That means any given site gets one chance to login before facing a 90 second blockage. If they have to guess "AZBYCXDW" as a password you can imagine how long you have to catch him in your log and explicitly block his whole subnet.

{^_-}
Hi, Joanne--

I tried to write this command to a root console in PCLinuxOS, but it got rejected.

[root@linux1 doug]# iptables -t filter -A IN_public_deny -p tcp --dport pop3s --syn -m recent --name pop3s_attack --rcheck --seconds 90 --hitcount 2 -j LOG --log-prefix 'SSH2 REJECT: ' --log-level info
iptables: No chain/target/match by that name

Obviously I'm doing something wrong. Do I need some file installed first?
If so, what file? Can you help me, please?

--doug

On 2017-06-29 16:06, Samuel Sieb wrote:
On 06/29/2017 03:28 PM, William Mattison wrote:
While looking at journalctl output yesterday and today for other reasons (separate thread), I saw many "authentication failure" messages, over half also saying "user=root". I also saw many "password check failed for user (root)" messages. I saw many unknown user login attempts, and a few invalid user login attempts, and some attempts using one of the valid regular user names. Why? I am not yet good at reading journalctl output, so I don't know if these connection attempts are coming from "outside" or within this system. I don't know if I should be concerned or not. I do not intend anyone or anything to be able to get in to this system except for things that I initiate (examples: Firefox activity, Thunderbird activity, "dnf upgrade", installs, etc.). And it doesn't make sense to me that any of those would be trying to log in to this system to do what I want. I also don't see why anything on this system would try to log in to this same system except me personally (su, sudo, and actual logins). I am the only actual user.

What's going on? How do I determine where they're coming from? Is there really someone or something trying to hack in? If no, what really is going on?

Assuming that your computer is directly connected to the internet, then yes, that is someone trying to brute force your root (or other user) password. That is completely "normal". There should be an IP address logged either on the same line or nearby of the computer that's connecting.

Most important,
How do I prevent connections from outside?

If you have no intention of remotely logging in to your computer, then use the firewall configuration tool to block the ssh port as well. By default, it leaves that one open. On the system I have a password for logging in, I have a firewall rule that limits ssh connections to one per minute for each address connecting. That drastically reduces the brute force attempts. On most other systems I use keys only, so I don't even bother limiting those ones.
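William asked how to tell whether the failures come from outside or from within the system, and Samuel pointed out that the peer address is logged on the same line or nearby. The script below, an added example and not part of anyone's message in this thread, does that sorting for standard sshd and pam_unix log lines: sshd names the peer after "from", pam_unix names it as rhost=, and an empty rhost= means a local process such as su or sudo. The log lines embedded in SAMPLE_LOG are constructed for the example (TEST-NET addresses, hostname linux1 borrowed from Doug's prompt); the functions read whatever journalctl gives them.

```shell
#!/bin/sh
# Added example (not from the thread): sort authentication failures in
# journalctl/sshd output into "remote <address>" and "local", then count them.
# The lines below are constructed for the example; on a real host run:
#   journalctl -u sshd --since today --no-pager | count_remote_sources
SAMPLE_LOG='Jun 29 15:01:02 linux1 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 29 15:01:04 linux1 sshd[2201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jun 29 15:01:05 linux1 sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Jun 29 15:01:05 linux1 sshd[2203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23 user=admin
Jun 29 15:01:09 linux1 sshd[2205]: Invalid user test from 203.0.113.7 port 51240
Jun 29 15:02:10 linux1 sshd[2207]: Accepted publickey for doug from 192.168.1.5 port 50100 ssh2
Jun 29 15:02:30 linux1 su[2300]: pam_unix(su:auth): authentication failure; logname=doug uid=1000 euid=0 tty=pts/0 ruser=doug rhost=  user=root'

# classify_auth_failures: stdin -> one line per failure, "remote <addr>" or
# "local". sshd reports the peer after "from"; pam_unix reports it as rhost=,
# which is empty when the caller is a local process such as su or sudo.
# pam_unix lines emitted by sshd duplicate the "Failed password" line for the
# same attempt and are skipped so each attempt is counted once.
classify_auth_failures() {
    awk '
        /Failed password for/ || /Invalid user/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && i < NF) { print "remote", $(i + 1); next }
        }
        !/sshd\[/ && /authentication failure/ {
            for (i = 1; i <= NF; i++)
                if (index($i, "rhost=") == 1) {
                    host = substr($i, 7)
                    if (host == "") print "local"; else print "remote", host
                    next
                }
        }
    '
}

# count_remote_sources: "<count> <addr>" per remote address, busiest first.
# These are the addresses (or their subnets) worth a deny rule.
count_remote_sources() {
    classify_auth_failures |
        awk '$1 == "remote" { n[$2]++ } END { for (h in n) printf "%d %s\n", n[h], h }' |
        sort -rn
}

# count_local_failures: failures with no remote host, i.e. your own su/sudo
# typos rather than anything coming in over the network.
count_local_failures() {
    classify_auth_failures | awk '$1 == "local" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | count_remote_sources
printf 'local failures: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_local_failures)"
```

Successful logins ("Accepted publickey ...") are deliberately not matched, so the counts only reflect failures; a source that appears in count_remote_sources with a high count is exactly the kind of address the -m recent rule earlier in the thread throttles automatically.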
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx