#1
co-location and /etc/services
I am going to be doing co-location and eventually a virtual hosting provider myself.
I take away everything and leave only 3306, 80, 443, 21 and the SSH port in /etc/services. I will take away port 21 too, since SSH ftp will be implemented. On the ISP side, they provide me 1 cable that connects to a CISCO 6509 and a real IP address. I do not know what further files I should take care of in RH 7.1???? On the same server, I think I will install "squid" to do NAT and firewall. Am I on the right track?????
Last edited by pentium5 : December 28th, 2001 at 10:11 PM.
#2
>> I take away and leave only 3306,80,443,21 and a SSH ports in /etc/services
Why are you doing this? Do you know what /etc/services is for? You should NEVER take away any line, or else any daemon that depends on a port reference will fail to start. You should only edit/add entries in /etc/services.

>> I think I will install "squid" to do NAT and firewall

Squid doesn't do NAT or firewall at all. You need a packet filter like ipchains (stateless) or iptables (stateful). A stateless firewall is very insecure, and Linux has been using that for years. In BSDs, the firewall is always stateful.
#3
pentium5: despite what freebsd's "daily flame" says, Linux is not less secure than *BSD, unless misconfigured, which is fatal (and well possible) on any OS. If you've got a 2.4 kernel, just use iptables for NAT/fw. You can also use it to block ports (e. g. everything with the exception of 21, 80, 443, 3306).
#4
>> unless misconfigured
Not only that, don't forget most (especially Redhat) Linux distributions are less secure than BSD by default. When it's less secure by default, the users have to know how to update/apply patches, but 90% of Linux users don't, because they mostly are desktop users and UNIX-illiterate. When you are no longer a newbie, there is a far better alternative to Linux, the BSD, which makes Linux obsolete.
#5
smtp 25/tcp mail
smtp 25/udp mail
http 80/tcp www www-http # WorldWideWeb HTTP
http 80/udp www www-http # HyperText Transfer Protocol
# unfortunately the poppassd (Eudora) uses a port which has already
# been assigned to a different service. We list the poppassd as an
# alias here. This should work for programs asking for this service.
# (due to a bug in inetd the 3com-tsmux line is disabled)
#3com-tsmux 106/tcp poppassd
#3com-tsmux 106/udp poppassd
pop3 110/tcp pop-3 # POP version 3
pop3 110/udp pop-3
exec 512/tcp
https 11443/tcp # MCom
https 11443/udp # MCom

I used port 443 and I do not know why it has "11" in front of 443; I have not done anything there. These are "most of the ports" left behind after I "dd" via vi. I have two copies of the original services file in /etc/. nmap shows me that hackers are using unnecessary ports to attack servers. http://defaced.alldas.de/?did=28136&xid=1

Interesting ports on voluxxxxxxxops.com (209.x.173.159):
(The 1537 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
820/tcp open unknown
841/tcp open unknown
846/tcp open unknown
851/tcp open unknown
3306/tcp open mysql

If I do not delete these service ports I will be totally exposed to hackers. Can you design "iptables" for me so that only the above ports can pass through, while at the same time I read my text on iptables? If co-location is applied I can't do false NAT, since I will not be inside to control it. For normal NAT, port 23 - telnet, I change to port A in services but the router is B. So when I am at the "non-location", I use port A for telnet. The hacker sniffs and the router tells them to use port B, and they are diverted to a false port. So in co-location I am not "inside"; iptables are important now!!!!! Currently the server is in the office. I checked out /etc/rc.d/init.d/: I have 99ipchains and 99iptables, while there is an empty firewall in /etc/sysconfig.
I renamed them with 99 myself many months ago. Is there a need to have both ipchains and iptables? I hope I can put some rules for the firewall in /sysconfig/firewall, if I am right. I am below newbie for firewall stuff. Need assistance. Last edited by pentium5 : December 29th, 2001 at 06:55 PM.
#6
>> If I do not delete these service port I will be totally expose to hacker.
You still don't know what /etc/services is for. Why don't you man 5 services? It's an official service name and port number mapping database for local use. You can add the official service name to the port when it says unknown, so your local system knows the service name rather than the non-human-recognizable port number when it's referenced by service name. Say you telnet localhost 80; you also can telnet localhost www instead. /etc/services has nothing to do with the remote side.
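Added example (not from any poster in this thread) showing what the reply above means: /etc/services is only a local name-to-port lookup table. The script parses a constructed sample of the file (not the real /etc/services, so it runs anywhere), resolves a service name or alias to a port the way getservbyname() does, and shows what happens when an entry is deleted: the lookup fails on the local box, while nothing about which ports are open on the network changes. Function names svc_port and strip_service are this example's own.

```shell
#!/bin/sh
# Constructed sample in /etc/services format: name port/proto [aliases] # comment
SAMPLE_SERVICES='# service-name  port/protocol  aliases        # comment
ftp             21/tcp
ssh             22/tcp
smtp            25/tcp          mail
http            80/tcp          www www-http   # WorldWideWeb HTTP
https           443/tcp
mysql           3306/tcp'

# svc_port NAME PROTO [TABLE]: print the port number for a service name or
# alias; exit 1 when the table has no entry, which is exactly what a daemon
# sees when it calls getservbyname() after the line has been deleted.
svc_port() {
    name=$1; proto=$2; table=${3:-$SAMPLE_SERVICES}
    printf '%s\n' "$table" | awk -v n="$name" -v p="$proto" '
        /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and blanks
        {
            sub(/#.*/, "")                    # drop trailing comment, re-split
            split($2, pp, "/")                # "80/tcp" -> pp[1]=80, pp[2]=tcp
            if (pp[2] != p) next
            if ($1 == n) { print pp[1]; found = 1; exit }
            for (i = 3; i <= NF; i++)         # aliases such as www, www-http
                if ($i == n) { print pp[1]; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# strip_service NAME: the sample table with one service line removed,
# as the original poster did with dd in vi.
strip_service() {
    printf '%s\n' "$SAMPLE_SERVICES" | awk -v n="$1" '$1 != n'
}

# Demonstration: the lookup works, then breaks once the line is gone.
svc_port www tcp                      # 80 (alias of http)
trimmed=$(strip_service mysql)
svc_port mysql tcp "$trimmed" || echo "mysql: no such service in the local table"
```

Deleting the mysql line makes the name unresolvable on this machine, and a daemon that asks for its port by name fails at startup; the TCP listener on 3306 is unaffected, which is why the reply says the file "has nothing to do with the remote side".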
#7
http://groups.google.com/groups?q=i...ting.google.com
I have one NIC = 3com in that server; I will try to tailor this. Guide me, help please!

```sh
#!/bin/sh
# Set the location of iptables (default).
IPTABLES=/sbin/iptables
# This is the WAN interface that is our link to the outside world.
WAN_IFACE="eth0"
# Local Area Network (LAN) interface.
LAN_IFACE="eth2"
# Our private LAN address(es), for masquerading.
LAN_NET="192.168.1.0/24"
# For static IP, set it here!
WAN_IP="216.231.50.19"
# Set a list of public server port numbers here.
PUBLIC_PORTS="22 80 443 554 7070"
# If we want to do port forwarding, this is the host
# that will be forwarded to.
FORWARD_HOST="192.168.1.2"
# A list of ports that are to be forwarded.
FORWARD_PORTS="554 7070"
## end user configuration options #################################
###################################################################
# Any and all addresses from anywhere.
ANYWHERE="0/0"
# These modules may need to be loaded (FTP connection-tracking and NAT helpers):
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# Start building chains and rules #################################
#
# Let's start clean and flush all chains to an empty state. The nat table
# is flushed too; otherwise re-running the script stacks duplicate NAT rules.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that IPTABLES uses.
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP
# Accept localhost/loopback traffic.
$IPTABLES -A INPUT -i lo -j ACCEPT
# Get our dynamic IP now from the Inet interface. WAN_IP will be the
# address we are protecting from outside addresses.
[ -z "$WAN_IP" ] && \
  WAN_IP=`/sbin/ifconfig $WAN_IFACE | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1`
# Bail out with error message if no IP available! Default policy is
# already set, so all is not lost here.
if [ -z "$WAN_IP" ]; then
  echo "$WAN_IFACE not configured, aborting."
  exit 1
fi
WAN_MASK=`/sbin/ifconfig $WAN_IFACE | grep Mask | cut -d : -f 4`
WAN_NET="$WAN_IP/$WAN_MASK"
## Reserved IPs:
#
# We should never see these private addresses coming in from outside
# to our external interface.
$IPTABLES -A INPUT -i $WAN_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 224.0.0.0/4 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 240.0.0.0/5 -j DROP
# Bogus routing
$IPTABLES -A INPUT -s 255.255.255.255 -d $ANYWHERE -j DROP
# Unclean (the experimental 2.4-era 'unclean' match; later kernels dropped it,
# so remove these two rules if iptables reports an unknown match).
$IPTABLES -A INPUT -i $WAN_IFACE -m unclean -m limit \
  --limit 15/minute -j LOG --log-prefix "Unclean: "
$IPTABLES -A INPUT -i $WAN_IFACE -m unclean -j DROP
## LAN access and masquerading
#
# Allow connections from our own LAN's private IP addresses via the LAN
# interface and set up forwarding for masqueraders if we have a LAN_NET
# defined above.
if [ -n "$LAN_NET" ]; then
  echo 1 > /proc/sys/net/ipv4/ip_forward
  $IPTABLES -A INPUT -i $LAN_IFACE -j ACCEPT
  # $IPTABLES -A INPUT -i $LAN_IFACE -s $LAN_NET -d $LAN_NET -j ACCEPT
  $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IFACE -j MASQUERADE
fi
# Port Forwarding
#
# Which ports get forwarded to which host. This is one to one
# port mapping (ie 80 -> 80) in this case.
if [ -n "$FORWARD_HOST" ]; then
  for i in $FORWARD_PORTS; do
    $IPTABLES -A FORWARD -p tcp -s $ANYWHERE -d $FORWARD_HOST \
      --dport $i -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -p tcp -d $WAN_IP --dport $i \
      -j DNAT --to $FORWARD_HOST:$i
  done
fi
# Open up Public server ports here (available to the world):
for i in $PUBLIC_PORTS; do
  $IPTABLES -A INPUT -p tcp -s $ANYWHERE -d $WAN_IP --dport $i -j ACCEPT
done
## ICMP (ping)
#
# ICMP rules, allow the bare essential types of ICMP only. Ping
# request is blocked, ie we won't respond to someone else's pings,
# but can still ping out.
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply \
  -s $ANYWHERE -d $WAN_IP -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable \
  -s $ANYWHERE -d $WAN_IP -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
  -s $ANYWHERE -d $WAN_IP -j ACCEPT
# Identd Reject
#
# Special rule to reject (with rst) any identd/auth/port 113
# connections. This will speed up some services that ask for this,
# but don't require it. Be careful, some servers may require this
# one (IRC for instance).
#$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
###################################################################
# Build a custom chain here, and set the default to DROP. All
# other traffic not allowed by the rules above, ultimately will
# wind up here, where it is blocked and logged, unless it passes
# our stateful rules for ESTABLISHED and RELATED connections. Let
# connection tracking do most of the worrying! We add the logging
# ability here with the '-j LOG' target. Outgoing traffic is
# allowed as that is the default policy for the 'output' chain.
# There are no restrictions placed on that in this script.
# New chain...
$IPTABLES -N DEFAULT
# Use the 'state' module to allow only certain connections based
# on their 'state'. NEW connections are accepted only when they do NOT
# arrive on the WAN interface ('! -i' is the current negation syntax;
# the older '-i !' form still works but is deprecated).
$IPTABLES -A DEFAULT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A DEFAULT -m state --state NEW ! -i $WAN_IFACE -j ACCEPT
# Enable logging for anything that gets this far.
$IPTABLES -A DEFAULT -j LOG -m limit --limit 30/minute --log-prefix "Dropping: "
# Now drop it, if it has gotten here.
$IPTABLES -A DEFAULT -j DROP
# This is the 'bottom line' so to speak. Everything winds up
# here, where we bounce it to our custom built 'DEFAULT' chain
# that we defined just above. This is for both the FORWARD and
# INPUT chains.
$IPTABLES -A FORWARD -j DEFAULT
$IPTABLES -A INPUT -j DEFAULT
echo "Iptables firewall is up `date`."
##-- eof iptables.sh
```

Last edited by pentium5 : December 29th, 2001 at 09:04 PM.
#8
pentium5, plz care to read stuff b4 u do stuff. And NG posts are not necessarily the best source of information.
Try these fine manuals: http://www.linuxsecurity.com/resour...dhat/index.html http://www.telematik.informatik.uni...bles-HOWTO.html After you've read them, think carefully about what you actually want to do. Then read again to find out how to do it.
#9
I read, but I have to do PHP programming; I am very close to finishing a project. I must concentrate on one point. Even if the world is shaking, I still have to concentrate until all the programming is done. Do not say I do not care or do not answer.
Then I read, and if I do not understand, I will ask. OK???? thanks! Last edited by pentium5 : February 22nd, 2002 at 06:38 AM.
#10
Do people use ONE NIC or two in a co-location environment?
eth0 goes to the router of the ISP (the co-location provider), but eth1 will go unplugged and just sit on the motherboard with no STP cable. I wonder if remote monitoring or sshd will work. I have one NIC = 3com in that server; I will try to tailor this. Guide me, help please! Last edited by pentium5 : February 22nd, 2002 at 05:16 PM.
#11
please, don't post this script again! i don't think anyone here will read it...
as told earlier, /etc/services is just a LOCAL database for mapping service names to port numbers. you can have as many nics in your pc as you want. if you don't connect them, they are useless. co-location says, i think, you have your server at your ISP's place. nothing else. so you can connect using 4 100MBit NICs to get 4x 100MBit if he allows you to. you need some load balancing software though... and probably several IPs. having a short glance at your script, since you are using iptables, do you want to set up a firewall, or what is your problem actually?
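Added example, not the script posted above and not from any poster: the minimal stateful iptables policy that fits the one-NIC co-located box discussed in this thread (no LAN behind it, so no NAT or port forwarding). It answers the "only the above ports can pass through" request with connection tracking rather than with edits to /etc/services. Names WAN_IFACE, PUBLIC_PORTS, DRY_RUN and APPLY are this example's own assumptions; with DRY_RUN=1 the script only prints the iptables commands, so the rule set can be reviewed on any machine without root or netfilter.

```shell
#!/bin/sh
IPTABLES=${IPTABLES:-/sbin/iptables}
WAN_IFACE=${WAN_IFACE:-eth0}                   # the single public NIC
PUBLIC_PORTS=${PUBLIC_PORTS:-"22 80 443 3306"}  # TCP services to expose (assumed list)
DRY_RUN=${DRY_RUN:-0}

# run ARGS...: execute iptables, or print the command when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

build_firewall() {
    run -F
    run -X
    # Default deny inbound and forwarded traffic; this host routes nothing.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
    # Stateful core: replies to our own connections, plus RELATED (ICMP errors,
    # FTP data) come in; packets conntrack cannot classify are dropped.
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Private and link-local sources must never arrive on the public interface.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16; do
        run -A INPUT -i "$WAN_IFACE" -s "$net" -j DROP
    done
    # Only NEW connections to the listed TCP ports are admitted.
    for port in $PUBLIC_PORTS; do
        run -A INPUT -i "$WAN_IFACE" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # ICMP needed for path-MTU discovery and traceroute; echo is rate-limited.
    run -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    run -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    run -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    # Log (rate-limited, so an attacker cannot fill the disk) and drop the rest.
    run -A INPUT -m limit --limit 30/minute -j LOG --log-prefix "Dropping: "
    run -A INPUT -j DROP
}

# count_port_rules: number of per-port ACCEPT rules a dry run emits.
count_port_rules() {
    (DRY_RUN=1; build_firewall) | grep -c -- '--dport'
}

# Apply for real only when explicitly asked: APPLY=1 sh firewall.sh
if [ "${APPLY:-0}" = 1 ]; then
    build_firewall
else
    DRY_RUN=1 build_firewall
fi
```

Run it once as a dry run and compare the printed rules against the nmap listing earlier in the thread: telnet (23), sunrpc (111), auth (113) and the four unknown high ports are no longer reachable because no NEW rule admits them, and that is true whether or not their names exist in /etc/services.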
#12
It seems that my OS has a problem there??
I know there should be some other parameter!
#\sbin\iptables -L
#\sbin\iptables -F
Would you please guide me? My problem is I do not have a testing environment to do "daring testing".
#13
Red Hat 7.1 installs ipchains as the default firewall, and iptables can't run while ipchains is running. I can't remember the error messages it prints, but that could be your problem.
#14
|
|||
|
|||
|
[root@myserver /lib]# find / -name "iptable_filter.o*" -print
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/iptable_filter.o
[root@server /lib]#
[root@server /lib]# /sbin/lsmod
Module                  Size  Used by
autofs                 11264   1 (autoclean)
3c59x                  25344   1 (autoclean)
ipchains               38976   0 (unused)
usb-uhci               20720   0 (unused)
usbcore                49664   1 [usb-uhci]
[root@myserver /lib]#
I do not know which parameter to use to remove the module, and "IF reboot" the ipchains will remain there - I am afraid.... What should I use, /sbin/rmmod/something???????
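Added example (not from any poster) for the ipchains/iptables clash in the two posts above: the kernel will not load the iptables tables while the ipchains module is resident, so the switch has to be checked before it is attempted. The functions parse lsmod output (a constructed copy of the listing above, so the checks run without root) to confirm ipchains is loaded and idle, and switch_to_iptables then unloads it and uses Red Hat's chkconfig so it does not come back at boot. Function names loaded_module, module_use_count and switch_to_iptables are this example's own.

```shell
#!/bin/sh
# Constructed lsmod output, same shape as the poster's listing.
SAMPLE_LSMOD='Module                  Size  Used by
autofs                 11264   1 (autoclean)
3c59x                  25344   1 (autoclean)
ipchains               38976   0 (unused)
usb-uhci               20720   0 (unused)
usbcore                49664   1 [usb-uhci]'

# loaded_module NAME [LSMOD-OUTPUT]: exit 0 if NAME appears in the module
# list, 1 otherwise. Without a second argument the live /sbin/lsmod is read.
loaded_module() {
    printf '%s\n' "${2:-$(/sbin/lsmod 2>/dev/null)}" |
        awk -v m="$1" 'NR > 1 && $1 == m { f = 1 } END { exit f ? 0 : 1 }'
}

# module_use_count NAME LSMOD-OUTPUT: print the "Used by" count; rmmod only
# succeeds when it is 0.
module_use_count() {
    printf '%s\n' "$2" | awk -v m="$1" 'NR > 1 && $1 == m { print $3; exit }'
}

# switch_to_iptables: for the live box, as root. Unload ipchains if it is
# loaded and idle, then make the Red Hat init scripts start iptables instead.
switch_to_iptables() {
    lsmod_out=$(/sbin/lsmod) || return 1
    if loaded_module ipchains "$lsmod_out"; then
        if [ "$(module_use_count ipchains "$lsmod_out")" != 0 ]; then
            echo "ipchains is still in use; stop what references it first" >&2
            return 1
        fi
        /sbin/rmmod ipchains || return 1
    fi
    chkconfig ipchains off   # do not load it again at boot
    chkconfig iptables on    # start the iptables service instead
}

# Offline demonstration against the constructed listing.
if loaded_module ipchains "$SAMPLE_LSMOD"; then
    echo "ipchains loaded, use count $(module_use_count ipchains "$SAMPLE_LSMOD")"
fi
```

Once ipchains is gone, /sbin/iptables -L loads iptable_filter (the module found by the poster's find command) on demand; on Red Hat 7.x the chkconfig calls are what answer the "IF reboot" worry, since the 99ipchains init script would otherwise load ipchains again at the next start.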
#15