
Tuesday, August 15, 2017

iptables adventures

Supratim Sanyal's Blog: Linux iptables security reference example


I use iptables to secure my Linux-based, internet-facing hobbyist servers. The current rule set on one of them (sanyalnet-cloud-vps2.freeddns.org), kept at /etc/sysconfig/iptables, is reproduced below.

This particular server runs CentOS 7. The iptables rules provide basic protection against SYN floods, NULL, Christmas-tree and fragmented packets, and add rate-limited protection against DDoS floods for ssh, telnet, smtp, dns, http, pop3, ntp, IMAP, https, smtps, starttls, imap-ssl/tls, pop-ssl/tls, dovecot, sieve, managesieve, DECnet bridge (HECnet), stunnel, syslog and the other ports that any internet-facing server providing public services usually opens. It has the following open ports for the services it provides:
  • ssh
  • telnet, forwarded to CLOUDY VAX - the hosted DECVAX-11/780 SIMH simulated Digital VAX server running OpenVMS 7.3
  • SMTP (authenticated, not public)
  • DNS - this DNS server blocks advertising and tracking websites as well as malware
  • http - a basic static web-site is hosted on this server; it is also reachable over the TOR network at fz2koi5kviaph4bl.onion
  • POP (authenticated, not public)
  • NTP - this server is an official stratum-2 public NTP server listed at ntp.org and is a member of the NTP Pool Project
  • IMAP (authenticated, not public)
  • https (currently unused)
  • STARTTLS / SMTPS (authenticated, not public)
  • IMAP SSL/TLS (authenticated, not public)
  • POP SSL/TLS (authenticated, not public)
  • Dovecot Sieve / ManageSieve
  • DECnet bridge connecting QCOCAL (SIMH MicroVAX 3900/OpenVMS 7.3 at home), JUICHI (SIMH DEC PDP-11/24 RSX-11M PLUS at home) and CLOUDY VAX (SIMH VAX-11/780 OpenVMS 7.3) to HECnet, the global hobbyist DECnet network
  • TOR Proxy service (authenticated, not public)
  • stunnel (secure tunnel) service to syslog daemon for encrypted remote logging
  • syslog
  • TOR relay node (this server is a TOR relay-only node, not a TOR exit node; no TOR traffic is logged at all on this server)

#------------------------------------------
# /etc/sysconfig/iptables
# CentOS 7
# Supratim Sanyal, supratim at riseup dot net, https://supratim-sanyal.blogspot.com
# fail2ban and the IP blocklist script add entries after boot, extending these default filter rules
#------------------------------------------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#------------------------------------------
# Basic network exploit protection from SYN flood, NULL, Christmas-tree and fragmented packets
#------------------------------------------
# A new connection must begin with a packet whose only flag (out of FIN,SYN,RST,ACK) is SYN
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# Christmas-tree packets: every flag set
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
# NULL packets: no flag set
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# Fragments
-A INPUT -f -j DROP
#------------------------------------------
# Allow related and established connections and localhost traffic
#------------------------------------------
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#------------------------------------------
# Rate limit ssh connections
# For fail2ban to work, the ssh rate limit must be at least maxretry for the sshd jail in /etc/fail2ban/jail.local
#
# Every hashlimit rule below carries its own --hashlimit-name. Rules that share a
# name share one per-source bucket table, so the rate of whichever rule loaded
# first would silently apply to every service using that name.
#------------------------------------------
-A INPUT -p tcp --dport 22 -m state --state NEW -m hashlimit --hashlimit 4/min --hashlimit-mode srcip --hashlimit-burst 6 --hashlimit-name ssh -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#------------------------------------------
# Rate limit telnet connections (Mirai and other botnet worms send telnet floods all the time)
#------------------------------------------
-A INPUT -p tcp --dport 23 -m state --state NEW -m hashlimit --hashlimit 2/min --hashlimit-mode srcip --hashlimit-burst 3 --hashlimit-name telnet -j ACCEPT
-A INPUT -p tcp --dport 23 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
#------------------------------------------
# Rate limit SMTP connections
#------------------------------------------
-A INPUT -p tcp --dport 25 -m state --state NEW -m hashlimit --hashlimit 2/sec --hashlimit-mode srcip --hashlimit-burst 4 --hashlimit-name smtp -j ACCEPT
-A INPUT -p tcp --dport 25 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
#------------------------------------------
# Rate limit TCP DNS connections
#------------------------------------------
-A INPUT -p tcp --dport 53 -m state --state NEW -m hashlimit --hashlimit 10/sec --hashlimit-mode srcip --hashlimit-burst 20 --hashlimit-name dns-tcp -j ACCEPT
-A INPUT -p tcp --dport 53 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
#------------------------------------------
# Rate limit UDP DNS queries
# Poor Man's Anti-DNS Amplification Attack
# Ref: http://www.iplux.net/2015/01/17/Blocking-DNS-Amplification-attacks
# Accept a bounded number of queries per source address, log a sample of the
# excess, and drop the rest silently: a REJECT would answer with ICMP to whatever
# (possibly spoofed) source address the flood carries.
#------------------------------------------
-A INPUT -p udp -m udp --dport 53 -m hashlimit --hashlimit 10/sec --hashlimit-mode srcip --hashlimit-burst 20 --hashlimit-name dns-udp -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m limit --limit 10/sec -j LOG --log-prefix "fw-dns " --log-level 7
-A INPUT -p udp -m udp --dport 53 -j DROP
#-A INPUT -p udp -m udp --dport 53 -j ACCEPT
#------------------------------------------
# Rate limit HTTP connections
#------------------------------------------
-A INPUT -p tcp --dport 80 -m state --state NEW -m hashlimit --hashlimit 4/sec --hashlimit-mode srcip --hashlimit-burst 8 --hashlimit-name http -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
#------------------------------------------
# Rate limit POP3 connections
#------------------------------------------
-A INPUT -p tcp --dport 110 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name pop3 -j ACCEPT
-A INPUT -p tcp --dport 110 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
#------------------------------------------
# NTP server (public stratum-2 server, accepted without a rate limit)
#------------------------------------------
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
#------------------------------------------
# Rate limit IMAP connections
#------------------------------------------
-A INPUT -p tcp --dport 143 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name imap -j ACCEPT
-A INPUT -p tcp --dport 143 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
#------------------------------------------
# Rate limit HTTPS connections
#------------------------------------------
-A INPUT -p tcp --dport 443 -m state --state NEW -m hashlimit --hashlimit 4/sec --hashlimit-mode srcip --hashlimit-burst 8 --hashlimit-name https -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#------------------------------------------
# Rate limit SMTPS (implicit TLS, port 465) connections
#------------------------------------------
-A INPUT -p tcp --dport 465 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name smtps -j ACCEPT
-A INPUT -p tcp --dport 465 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
#------------------------------------------
# Rate limit SMTP submission (STARTTLS, port 587) connections
#------------------------------------------
-A INPUT -p tcp --dport 587 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name submission -j ACCEPT
-A INPUT -p tcp --dport 587 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
#------------------------------------------
# Rate limit IMAP-SSL/TLS connections
#------------------------------------------
-A INPUT -p tcp --dport 993 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name imaps -j ACCEPT
-A INPUT -p tcp --dport 993 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
#------------------------------------------
# Rate limit POP-SSL/TLS connections
#------------------------------------------
-A INPUT -p tcp --dport 995 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name pop3s -j ACCEPT
-A INPUT -p tcp --dport 995 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
#------------------------------------------
# Rate limit Dovecot ManageSieve connections
#------------------------------------------
-A INPUT -p tcp --dport 4190 -m state --state NEW -m hashlimit --hashlimit 4/sec --hashlimit-mode srcip --hashlimit-burst 8 --hashlimit-name sieve -j ACCEPT
-A INPUT -p tcp --dport 4190 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 4190 -j ACCEPT
#------------------------------------------
# DECnet bridge
# Bridges QCOCAL MicroVAX 3900 and JUICHI PDP-11/24 on the remote host with CLOUDY VAX-11/780 on this host
# Bridge software by Johnny Billquist - http://www.update.uu.se/~bqt/hecnet.html
#------------------------------------------
-A INPUT -p udp -m udp --dport 4712 -j ACCEPT
#------------------------------------------
# Rate limit TOR proxy port (authentication required to use the proxy)
#------------------------------------------
-A INPUT -p tcp --dport 8080 -m state --state NEW -m hashlimit --hashlimit 2/sec --hashlimit-mode srcip --hashlimit-burst 4 --hashlimit-name torproxy -j ACCEPT
-A INPUT -p tcp --dport 8080 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
#------------------------------------------
# Rate limit stunnel port
#------------------------------------------
-A INPUT -p tcp --dport 65514 -m state --state NEW -m hashlimit --hashlimit 2/sec --hashlimit-mode srcip --hashlimit-burst 4 --hashlimit-name stunnel -j ACCEPT
-A INPUT -p tcp --dport 65514 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 65514 -j ACCEPT
#------------------------------------------
# Rate limit rsyslog ports (TCP and UDP)
#------------------------------------------
-A INPUT -p tcp --dport 65515 -m state --state NEW -m hashlimit --hashlimit 2/sec --hashlimit-mode srcip --hashlimit-burst 4 --hashlimit-name rsyslog -j ACCEPT
-A INPUT -p tcp --dport 65515 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 65515 -j ACCEPT
#
-A INPUT -p udp -m udp --dport 65515 -m limit --limit 400/sec -j ACCEPT
#-A INPUT -p udp -m udp --dport 65515 -j ACCEPT
#------------------------------------------
# TOR relay port
#------------------------------------------
-A INPUT -p tcp -m state --state NEW -m tcp --dport 65443 -j ACCEPT
#------------------------------------------
# Reject everything else and commit
#------------------------------------------
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
#
# -- EOF --
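As an added example (my own script, not the blog's and not part of CentOS), the following POSIX shell checks catch three mistakes that are easy to make in a rule file like the one above: several hashlimit rules sharing one --hashlimit-name (they then share one bucket table), a rate-limited port with no REJECT or DROP for the excess new connections, and a port accepted with no rate limit at all. The rule text it reads is constructed for the example, in iptables-save format, and deliberately contains each problem; the function names are mine.

```shell
#!/bin/sh
# Static checks over a rule file in iptables-save format (constructed sample below).

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -m hashlimit --hashlimit 4/min --hashlimit-mode srcip --hashlimit-burst 6 --hashlimit-name test -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j REJECT
-A INPUT -p tcp --dport 80 -m state --state NEW -m hashlimit --hashlimit 4/sec --hashlimit-mode srcip --hashlimit-burst 8 --hashlimit-name test -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j REJECT
-A INPUT -p tcp --dport 443 -m state --state NEW -m hashlimit --hashlimit 4/sec --hashlimit-mode srcip --hashlimit-burst 8 --hashlimit-name test -j ACCEPT
-A INPUT -p tcp --dport 53 -m state --state NEW -m hashlimit --hashlimit 10/sec --hashlimit-mode srcip --hashlimit-burst 20 --hashlimit-name dns-tcp -j ACCEPT
-A INPUT -p tcp --dport 53 -m state --state NEW -j REJECT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# One line per rate-limited ACCEPT rule: "<proto> <port> <name> <rate> <burst>"
hashlimit_rules() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-m hashlimit/ && / -j ACCEPT/ {
            proto = ""; port = ""; name = ""; rate = ""; burst = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--hashlimit-name") name = $(i + 1)
                if ($i == "--hashlimit") rate = $(i + 1)
                if ($i == "--hashlimit-burst") burst = $(i + 1)
            }
            print proto, port, name, rate, burst
        }'
}

# Names used by more than one rule. Such rules share one per-source bucket
# table, so the rate of whichever rule loaded first governs all of them.
shared_hashlimit_names() {
    hashlimit_rules "$1" | awk '{ seen[$3]++ } END { for (n in seen) if (seen[n] > 1) print n }' | sort
}

# Rate-limited ports with no REJECT/DROP rule for the same proto/port: the
# excess connections fall through to whatever rule comes later.
ports_without_fallback() {
    rules=$1
    hashlimit_rules "$rules" | while read -r proto port _name _rate _burst; do
        if ! printf '%s\n' "$rules" | grep -qE -- "^-A INPUT -p $proto --dport $port .*-j (REJECT|DROP)"; then
            printf '%s/%s\n' "$proto" "$port"
        fi
    done
}

# Ports accepted with neither a hashlimit nor a limit match on the rule.
unlimited_accepts() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -j ACCEPT/ && /--dport/ && !/-m hashlimit/ && !/-m limit/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print proto "/" port
        }'
}

echo "hashlimit names shared by several rules:"; shared_hashlimit_names "$SAMPLE_RULES"
echo "rate-limited ports with no fallback rule:"; ports_without_fallback "$SAMPLE_RULES"
echo "accepted ports with no rate limit:"; unlimited_accepts "$SAMPLE_RULES"
```

On the real file, feed it with `SAMPLE_RULES=$(cat /etc/sysconfig/iptables)`; `iptables-restore --test < /etc/sysconfig/iptables` separately confirms the file still parses, and once the rules are loaded each distinct hashlimit name shows up as its own table under /proc/net/ipt_hashlimit/, which is the quickest way to see whether two services are really being counted apart.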




Sunday, August 13, 2017

How to find Solaris device name of NTFS partition on external USB hard drive HDD storage

Instead of running GParted as described in my post on Oracle Solaris 11.3 64-bit installation steps, here is a quicker command-line way to identify the device name corresponding to an NTFS partition on an external USB hard drive connected to an Oracle Solaris 11.3 system.

Unlike my previous post, which applies to OpenIndiana, this post applies to true Oracle Solaris 11.3 64-bit.

STEP 1 - Use rmformat and fdisk to identify the device name for the NTFS partition


$ rmformat -l
Looking for devices...
     1. Logical Node: /dev/rdsk/c1t1d0p0
        Physical Node: /pci@0,0/pci-ide@1,1/ide@0/sd@1,0
        Connected Device: VBOX     CD-ROM           1.0
        Device Type: <Unknown>
        Bus: IDE
        Size: <Unknown>
        Label: <Unknown>
        Access permissions: <Unknown>
     2. Logical Node: /dev/rdsk/c2t0d0p0
        Physical Node: /pci@0,0/pci106b,3f@6/storage@1/disk@0,0
        Connected Device: WD       My Book 1110     1030
        Device Type: Removable
        Bus: USB
        Size: 1430.1 GB
        Label: <Unknown>
        Access permissions: <Unknown>
     3. Logical Node: /dev/rdsk/c2t0d1p0
        Physical Node: /pci@0,0/pci106b,3f@6/storage@1/disk@0,1
        Connected Device: WD       Virtual CD 1110  1030
        Device Type: CD Reader
        Bus: USB
        Size: 668.0 MB
        Label: <None>
        Access permissions: <Unknown>
$ sudo fdisk /dev/rdsk/c2t0d0p0
Password:
             Total disk size is 60771 cylinders
             Cylinder size is 48195 (512 byte) blocks

                                               Cylinders
      Partition   Status    Type          Start   End   Length    %
      =========   ======    ============  =====   ===   ======   ===
          1                 IFS: NTFS         0  60771    60772    100

SELECT ONE OF THE FOLLOWING:
   1. Create a partition
   2. Specify the active partition
   3. Delete a partition
   4. Change between Solaris and Solaris2 Partition IDs
   5. Edit/View extended partitions
   6. Exit (update disk configuration and exit)
   7. Cancel (exit without updating disk configuration)
Enter Selection: 7


This tells us the NTFS partition is the first partition on the raw device /dev/rdsk/c2t0d0p0. The device name for our NTFS partition is therefore the block device /dev/dsk/c2t0d0p1: the same name with the partition number 1 in place of the 0, and without the "r" of the raw-device directory under /dev.

STEP 2 - Mount it!

$ mkdir /media/USB-Storage
$ sudo /usr/bin/lowntfs-3g -o uid=21,gid=21 /dev/dsk/c2t0d0p1 /media/USB-Storage/

And presto, we can now see the NTFS partition files at /media/USB-Storage.
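The two steps above, scripted: an added example (not from the post) that reads the output of rmformat -l and fdisk, picks the disk rmformat reports as removable on the USB bus, finds the partition whose type column reads IFS: NTFS, and derives the /dev/dsk path that lowntfs-3g mounts. The rmformat and fdisk captures embedded below are abridged from the post's own listing so that the script runs without Solaris; on a real system replace them with the live command output as the comment shows. The helper names are mine.

```shell
#!/bin/sh
# Derive the /dev/dsk path of the NTFS partition on a USB disk from rmformat/fdisk output.
# Constructed captures (abridged from the post); on Solaris use instead:
#   RMFORMAT_OUT=$(rmformat -l)
#   FDISK_OUT=$(sudo fdisk "$raw_node")

RMFORMAT_OUT='Looking for devices...
     1. Logical Node: /dev/rdsk/c1t1d0p0
        Physical Node: /pci@0,0/pci-ide@1,1/ide@0/sd@1,0
        Connected Device: VBOX     CD-ROM           1.0
        Device Type: <Unknown>
        Bus: IDE
     2. Logical Node: /dev/rdsk/c2t0d0p0
        Physical Node: /pci@0,0/pci106b,3f@6/storage@1/disk@0,0
        Connected Device: WD       My Book 1110     1030
        Device Type: Removable
        Bus: USB
     3. Logical Node: /dev/rdsk/c2t0d1p0
        Physical Node: /pci@0,0/pci106b,3f@6/storage@1/disk@0,1
        Connected Device: WD       Virtual CD 1110  1030
        Device Type: CD Reader
        Bus: USB'

FDISK_OUT='             Total disk size is 60771 cylinders
             Cylinder size is 48195 (512 byte) blocks

                                               Cylinders
      Partition   Status    Type          Start   End   Length    %
      =========   ======    ============  =====   ===   ======   ===
          1                 IFS: NTFS         0  60771    60772    100'

# Raw whole-disk nodes (/dev/rdsk/...p0) that rmformat lists as Removable on the USB bus.
# rmformat prints "Device Type:" before "Bus:", so the check happens on the Bus line.
usb_removable_raw_nodes() {
    printf '%s\n' "$1" | awk '
        /Logical Node:/ { node = $NF; type = ""; bus = "" }
        /Device Type:/  { type = $NF }
        /Bus:/          { bus = $NF; if (type == "Removable" && bus == "USB") print node }'
}

# Partition numbers whose fdisk type column reads "IFS: NTFS".
ntfs_partition_numbers() {
    printf '%s\n' "$1" | awk '/IFS: NTFS/ { print $1 }'
}

# /dev/rdsk/cXtYdZp0 plus partition N -> block device /dev/dsk/cXtYdZpN.
block_partition_device() {
    raw=$1; part=$2
    printf '%s\n' "$raw" | sed -e 's#/dev/rdsk/#/dev/dsk/#' -e "s#p0\$#p$part#"
}

# First USB removable disk, first NTFS partition on it (adjust if you have several).
ntfs_device_path() {
    raw=$(usb_removable_raw_nodes "$1" | head -n 1)
    part=$(ntfs_partition_numbers "$2" | head -n 1)
    [ -n "$raw" ] && [ -n "$part" ] || return 1
    block_partition_device "$raw" "$part"
}

dev=$(ntfs_device_path "$RMFORMAT_OUT" "$FDISK_OUT") || { echo "no USB NTFS partition found" >&2; exit 1; }
echo "NTFS partition device: $dev"
# Then, on Solaris: sudo /usr/bin/lowntfs-3g -o uid=21,gid=21 "$dev" /media/USB-Storage/
```

The script only automates the reading-off done by hand in step 1; it still assumes one USB disk and takes the first NTFS partition, so on a machine with several removable drives print the full list from usb_removable_raw_nodes and run fdisk against each before mounting anything.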

Installing ntfs-3g on Solaris without introducing instability and kernel panics is tricky. I ended up building ntfs-3g from source to get a rock-solid Oracle Solaris 11.3 server with NTFS-3G; I have documented my approach in a separate post, in the section Install the Tools to Mount NTFS Volume: FUSE and NTFS-3G for Solaris 11.



Thursday, August 10, 2017

My tshark cheat-sheet

Supratim Sanyal's Blog: Wireshark


An ever-evolving list of the tshark command lines I use for various purposes, kept so that I can avoid trawling through the wireshark and tcpdump man pages every time to find the filters. Generally adding a -V, -VV or -VVV switch increases the verbosity level. I also usually prefix the tshark command with nice -n 19 ionice -c3 to keep processor (CPU) and disk I/O usage down while tshark runs.


  • Monitor DECnet-over-UDP bridged traffic to HECnet. The following is for the VPS hosting CLOUDY:: and JUICHI::, which bridges DECnet over UDP to the HECnet update host and to QCOCAL:: hosted on sanyalnet-openvms-vax.freeddns.org (described in my post here). tshark keeps only the last -f given on the command line, so the hosts and ports go into a single capture filter joined with "or":
    # tshark -i ens33 -f "host psilo.update.uu.se or host sanyalnet-openvms-vax.freeddns.org or udp port 4711 or udp port 4712"
  • Capture all NTP traffic:
    # tshark -i ens33 -f "udp port 123"
  • Capture all NTP server traffic. This mostly logs NTP time served by this server to other hosts.
    # tshark -i ens33 -f "udp port 123" | grep "server"
  • To capture only the NTP traffic in which this host serves time to other hosts, grep for this host as the source as well:
    # tshark -i ens33 -f "udp port 123" | egrep "64.137.162.139 ->" | grep server
  • Capture all NTP client traffic. This mostly logs the NTP traffic that synchronizes this host from remote clock-source hosts.
    # tshark -i ens33 -f "udp port 123" | grep "client"
  • Capture all traffic to the SanyalCraft Minecraft server (on port 25565) and to our experimental Minecraft server on port 25566, again as one combined capture filter:
    # tshark -i ens33 -f "tcp port 25565 or tcp port 25566"
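Added example (my helpers, not the blog's): tshark keeps only the last -f on its command line, so bpf_any joins several capture-filter terms with "or" into the single filter the commands above need, and the NTP helpers split a tshark one-line summary into the replies this host served, the replies it received from its upstream clock sources, and the distinct clients it answered, which the grep pipelines above approximate. The summary lines are constructed (documentation-range addresses plus the post's own 64.137.162.139) in the "a -> b" form the post greps for; recent tshark builds print a UTF-8 arrow (→) between the addresses instead of ->, so the pattern must match whichever your build emits.

```shell
#!/bin/sh
# Helpers for the tshark cheat-sheet: filter assembly and NTP summary triage.

# Join capture-filter terms with " or " so they can be passed as one -f argument.
bpf_any() {
    filter=""
    for term in "$@"; do
        if [ -z "$filter" ]; then filter=$term; else filter="$filter or $term"; fi
    done
    printf '%s\n' "$filter"
}

# Constructed tshark one-line summaries for "udp port 123" (not a real capture).
NTP_SAMPLE='  1 0.000000 203.0.113.7 -> 64.137.162.139 NTP 90 NTP Version 4, client
  2 0.000214 64.137.162.139 -> 203.0.113.7 NTP 90 NTP Version 4, server
  3 1.250000 64.137.162.139 -> 198.51.100.9 NTP 90 NTP Version 4, client
  4 1.250418 198.51.100.9 -> 64.137.162.139 NTP 90 NTP Version 4, server
  5 2.000000 203.0.113.8 -> 64.137.162.139 NTP 90 NTP Version 4, client
  6 2.000190 64.137.162.139 -> 203.0.113.8 NTP 90 NTP Version 4, server'

# Server-mode packets sent by this host: time served to others.
ntp_served_count() {
    printf '%s\n' "$2" | grep -- "$1 ->" | grep -c "server"
}

# Server-mode packets received by this host: replies from its upstream sources.
ntp_upstream_reply_count() {
    printf '%s\n' "$2" | grep -- "-> $1 " | grep -c "server"
}

# Distinct client addresses this host answered (field 3 = source, field 5 = destination).
ntp_clients_served() {
    printf '%s\n' "$2" | awk -v me="$1" '$3 == me && /server/ { print $5 }' | sort -u
}

FILTER=$(bpf_any "host psilo.update.uu.se" "host sanyalnet-openvms-vax.freeddns.org" "udp port 4711" "udp port 4712")
echo "capture filter: $FILTER"
# Live use (needs root): tshark -i ens33 -f "$FILTER"

ME=64.137.162.139
echo "replies served by $ME: $(ntp_served_count "$ME" "$NTP_SAMPLE")"
echo "upstream replies received: $(ntp_upstream_reply_count "$ME" "$NTP_SAMPLE")"
echo "clients served:"; ntp_clients_served "$ME" "$NTP_SAMPLE"
```

Feeding a live capture through the same helpers is a matter of `tshark -i ens33 -f "udp port 123" | ntp_clients_served "$ME" /dev/stdin` style plumbing, or simply saving the one-line output to a file first; the filter assembly matters more than it looks, because with separate -f switches the DECnet command silently captures only udp port 4712.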
