[plug] Lock the box - ipchains recipe etc

Leon Brooks leonb at bounce.networx.net.au
Tue Nov 16 15:30:47 WST 1999


Brad Campbell wrote:
> Is there an easy way, using ipchains maybe, to deny all
> incoming connections? Probably the easy way to do it
> is to block incoming from ppp0?

You do need some to operate...

# Default: drop everything arriving on the input chain unless a rule accepts it
/sbin/ipchains -P input DENY
# Trust the internal interface completely
/sbin/ipchains -A input -i eth0 -j ACCEPT
# Everything arriving on the dial-up link goes through its own chain
/sbin/ipchains -N uplink
/sbin/ipchains -A input -i ppp0 -j uplink
# ipchains needs -p tcp (or -p udp) before a port can be named in a rule
/sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 auth -j ACCEPT
/sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 ftp-data -j ACCEPT
/sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 ssh -j ACCEPT
# Deny selected high ports (X11, PostgreSQL, ...) before the blanket accept
# below; ipchains stops at the first matching rule
/sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 6000 -j DENY
/sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 5432 -j DENY
/sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 3333 -j DENY
# and any other high ports you want to protect, netstat will tell
# Unprivileged ports stay open so replies to your own outgoing connections
# get back in (the udp line is added: DNS answers return on UDP high ports)
/sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 1025:65535 -j ACCEPT
/sbin/ipchains -A uplink -p udp -s 0/0 -d 0/0 1025:65535 -j ACCEPT

Something like this works for me. (-:

If you're running an internal subnet, firewall as carefully against any
machines on it as you would against the world, most definitely so if
they run Windows, and also block incoming connects to port 12345
(NetBus), plus 7th Sphere and BackOrifice's default ports.

Consider running something like the Deception Toolkit (DTK).

Put everything that you are able to in separate partitions and mount as
many as possible read-only (ro). Mount any that SUID programs will not be
run from, or only run from by the root user, as nosuid. Mount partitions
that aren't normally executed from (such as /var) noexec, and anything
not containing /dev as nodev.

Before you mount anything read-only, chattr +i anything which will never
change (/etc/passwd, /etc/shadow, contents of /sbin and /usr/sbin are
good candidates on a system where users and passwords won't change
often), and remove the chattr program (e.g. put it into a gzipped tar
named soilsamples.jpg with a real jpeg of known size prepended; you can
use dd if=soilsamples.jpg ibs=originaljpgsize skip=1 | tar xz to get it
back). You will want chattr back when it comes time to update a software
package that you've immuted.

Rebuild your kernel and modules to contain only those drivers and
features which you actually use.

Route all unencrypted user traffic (notably FTP and X) through ssh;
never remotely access in the clear.

If you really like work, install the kernel security patches and
recompile *everything* without trampolines (-: it is beyond the scope of
this message to explain trampolining! :-) - you may as well build for a
latest-model Pentium while you're there.

Unplug your floppy and CDROM drives, put a Faraday cage over your
monitor, copper foil under your keyboard and work in a steel-lined
underground office... hey, am I getting _too_ paranoid here? (-:
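An added example, not part of Leon's post: a small POSIX sh audit of the
mount-option advice above (ro, nosuid, noexec, nodev). It reads lines in
/proc/mounts format, compares each mount point against a policy table, and
lists what is missing. The policy table, the sample mount lines and the
device names in them are constructed for the example; on a real machine you
would pass "$(cat /proc/mounts)" and edit MOUNT_POLICY to match your own
partition layout.

```shell
#!/bin/sh
# Added example (not from the original post): check that partitions carry the
# mount options the post recommends. Parses /proc/mounts-style lines, so it
# runs on the constructed sample below and on "$(cat /proc/mounts)" for real.

# Policy: "<mountpoint> <comma-separated options that must be present>".
# Constructed for this example; adapt to your own partition layout.
MOUNT_POLICY='/usr ro,nosuid
/var nosuid,noexec,nodev
/home nosuid,noexec,nodev
/tmp nosuid,noexec,nodev'

# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/hda1 / ext2 rw 0 0
/dev/hda3 /usr ext2 ro,nosuid 0 0
/dev/hda5 /var ext2 rw,nosuid 0 0
/dev/hda6 /home ext2 rw,nosuid,noexec,nodev 0 0'

# has_opt OPTS WANTED: true only if WANTED is a whole comma-separated field
# (so "suid" does not match inside "nosuid").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# mount_opts MOUNTS_TEXT MOUNTPOINT: print the option field for that mount
# point (empty when it is not mounted at all).
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }'
}

# audit_mounts MOUNTS_TEXT: print one line per finding,
#   "<mountpoint> missing <option>"  or  "<mountpoint> not-mounted",
# and return 0 only when every policy entry is satisfied.
audit_mounts() {
    status=0
    while read -r mp wanted; do
        [ -n "$mp" ] || continue
        opts=$(mount_opts "$1" "$mp")
        if [ -z "$opts" ]; then
            printf '%s not-mounted\n' "$mp"
            status=1
            continue
        fi
        # Split the wanted list on commas, restoring IFS right away.
        oldifs=$IFS
        IFS=,
        for opt in $wanted; do
            IFS=$oldifs
            if ! has_opt "$opts" "$opt"; then
                printf '%s missing %s\n' "$mp" "$opt"
                status=1
            fi
        done
        IFS=$oldifs
    done <<EOF
$MOUNT_POLICY
EOF
    return $status
}

# Demo on the constructed sample; on a real box pass "$(cat /proc/mounts)".
if audit_mounts "$SAMPLE_MOUNTS"; then
    echo "all audited mount points comply"
else
    echo "violations found (listed above)"
fi
```

On the constructed sample the audit reports /var missing noexec and nodev
and /tmp not mounted as its own partition, which is exactly the kind of
drift worth catching before you go on to chattr +i and remount read-only.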