08-02-2012, 05:06 PM
"Blackburn, Marvin"

iptables rule question for Centos 5

I have a server that allows incoming traffic for ssh and some other
things.

I need to set up a rule that will drop/reject all traffic from a
particular server except ssh.

How can I do that?

_____________________________________
"He's no failure. He's not dead yet."
William Lloyd George

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
08-02-2012, 05:17 PM
Steve Clark

iptables rule question for Centos 5

On 08/02/2012 01:06 PM, Blackburn, Marvin wrote:
> I have a server that allows incoming traffic for ssh and some other
> things.
>
> I need to set up a rule that will drop/reject all traffic from a
> particular server except ssh.
>
> How can I do that.
Something like this first in your ruleset:
-A INPUT -i eth0 -p tcp -s 10.0.1.0/24 --sport 1024:65535 -d 10.0.1.90/32 ! --dport 22 -j DROP

Substitute your appropriate IPs and interface.


--
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark@netwolves.com
http://www.netwolves.com
 
08-03-2012, 08:25 PM
"Blackburn, Marvin"

iptables rule question for Centos 5

We have a simple configuration so we could get by with this

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s "SOURCIPADDRESS" -j REJECT --reject-with icmp-host-prohibited

It doesn't scale well but serves the purpose.
 
08-04-2012, 03:21 AM
SilverTip257

iptables rule question for Centos 5

Marvin,

You're leaving SSH open to the world with that.
If this is a box behind a firewall, then it's not _as much of a
concern_ ... otherwise you're opening that server up to ssh brute
force attempts.

Your existing configuration is probably set up to drop/reject if
traffic does not match any of your rules, so you've nearly solved the
"blocking all other traffic" from server2. But you really should put
a specific rule on server1 with source as server2 and dest port 22
being accepted.

-s server2 -p tcp --dport 22 -j ACCEPT

Best of luck,
---~~.~~---
Mike
// SilverTip257 //
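As an added example (not code from the thread), here are the rules Marvin's two-line config and SilverTip257's "accept SSH only from server2" refinement amount to, emitted in the order the thread settles on, plus a small first-match walker that shows why swapping the ACCEPT and REJECT lines locks server2 out of SSH. The address 192.0.2.10 stands in for "SOURCIPADDRESS" and is constructed; the catch-all REJECT at the end of the chain is assumed from the stock CentOS 5 RH-Firewall-1-INPUT chain.

```shell
#!/bin/sh
# Added example, not code from the thread. SERVER2 is a constructed address
# standing in for Marvin's "SOURCIPADDRESS"; RH-Firewall-1-INPUT is the chain
# name from his post. The narrow ACCEPT for SSH from server2 must sit above
# the broad REJECT for server2, because iptables stops at the first match.
SERVER2="192.0.2.10"

ruleset() {
  cat <<EOF
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s $SERVER2 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s $SERVER2 -j REJECT --reject-with icmp-host-prohibited
EOF
}

# The same three rules with the ACCEPT and REJECT lines swapped: the ordering
# mistake the thread's advice guards against.
bad_ruleset() {
  ruleset | sed -n '1p;3p'
  ruleset | sed -n '2p'
}

# verdict RULEFUNC SRC DPORT: walk the chain top-down for a NEW tcp packet.
# First matching rule wins; if nothing matches, fall through to the chain's
# closing catch-all REJECT (assumed, as on the stock CentOS 5 chain). Only the
# -s and --dport matches are modelled; ESTABLISHED rules never match a NEW packet.
verdict() {
  "$1" | (
    while read -r line; do
      case "$line" in *ESTABLISHED*) continue ;; esac
      rsrc=$(printf '%s\n' "$line" | sed -n 's/.* -s \([^ ]*\).*/\1/p')
      rport=$(printf '%s\n' "$line" | sed -n 's/.*--dport \([^ ]*\).*/\1/p')
      target=$(printf '%s\n' "$line" | sed -n 's/.* -j \([A-Z]*\).*/\1/p')
      [ -n "$rsrc" ] && [ "$rsrc" != "$2" ] && continue
      [ -n "$rport" ] && [ "$rport" != "$3" ] && continue
      echo "$target"
      exit 0
    done
    echo "REJECT"
  )
}

printf 'server2 -> 22 (correct order): %s\n' "$(verdict ruleset "$SERVER2" 22)"
printf 'server2 -> 80 (correct order): %s\n' "$(verdict ruleset "$SERVER2" 80)"
printf 'server2 -> 22 (swapped order): %s\n' "$(verdict bad_ruleset "$SERVER2" 22)"
```

Feed the output of `ruleset` into the corresponding spot of /etc/sysconfig/iptables (above the chain's closing REJECT) and reload with `service iptables restart` on CentOS 5.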
 
08-04-2012, 06:43 AM
Keith Roberts

iptables rule question for Centos 5

On Fri, 3 Aug 2012, SilverTip257 wrote:

> To: CentOS mailing list <centos@centos.org>
> From: SilverTip257 <silvertip257@gmail.com>
> Subject: Re: [CentOS] [SOLVED] iptables rule question for Centos 5
>
> Marvin,
>
> You're leaving SSH open to the world with that.
> If this is a box behind a firewall, then it's not _as much of a
> concern_ ... otherwise you're opening that server up to ssh brute
> force attempts.
>
> Your existing configuration is probably set up to drop/reject if
> traffic does not match any of your rules, so you've nearly solved the
> "blocking all other traffic" from server2. But you really should put
> a specific rule on server1 with source as server2 and dest port 22
> being accepted.
>
> -s server2 -p tcp --dport 22 -j ACCEPT

Or move the SSH port to a non-standard one?

Keith
 
08-04-2012, 07:37 AM
Johnny Hughes

iptables rule question for Centos 5

On 08/04/2012 01:43 AM, Keith Roberts wrote:
> Or move the SSH port to a non-standard one?
>

Moving the port to a non-standard port is better than nothing ... but
only by a very slight bit. It might work on the least knowledgeable
script kiddies who only look at port 22, but it will do nothing to hide
the fact that it is an open-to-the-world ssh port on an nmap scan, etc.

Three much better options are:

1. Use a --source in the IPTABLES rules if you only connect from a
limited number of places.
2. Some kind of VPN (like openvpn)
3. Port Knocking: http://www.portknocking.org/view/faq

2 and 3 can both be open from everywhere, and all 3 do not show as an
open ssh port from remote scans, which is what you want.

 
08-04-2012, 12:00 PM
Stephen Harris

iptables rule question for Centos 5

On Sat, Aug 04, 2012 at 02:37:54AM -0500, Johnny Hughes wrote:
> Moving the port to a non-standard port is better than nothing ... but
> only be a very slight bit. It might work on the least knowledgeable
> script kiddies who only look at port 22, but it will do nothing to hide
> the fact that it is an open to the world ssh port on an nmap scan, etc.

Depends on what problem you're trying to solve...

If you're being targeted by an attacker then, yes, a port scan will
expose the port anyway. BUT if you're just seeing random internet noise
then simply changing the port will stop this because your random zombie
doesn't port scan beforehand (it takes too long, especially if you
DROP traffic to all other ports).

This means that you're not wasting CPU cycles negotiating SSL; you're
not wasting disk space on logs, CPU on fail2ban or similar, resources
on accepting connections etc etc.

Since I moved my port a year ago the number of random attacks on my host
has dropped to zero.

It's a very very small win, but it is a win :-)

--

rgds
Stephen
 
08-08-2012, 06:53 PM
"Blackburn, Marvin"

iptables rule question for Centos 5

Thanks for the warning. I am aware of that, but some things an
administrator has no control over.
They are behind a firewall and we take some further precautions, but I
can't get this restricted any further.
 
08-08-2012, 06:54 PM
"Blackburn, Marvin"

iptables rule question for Centos 5

We do a better job for those things that are outside of our firewall.
And this is some of what we do.