Gentoo Archives: gentoo-user

From: Willie Wong <wwong@××××××××××××××.edu>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: Making sure I am a good netizen and secure.
Date: Tue, 08 Sep 2009 10:59:39
Message-Id: 20090908110002.GB18485@princeton.edu
In Reply to: [gentoo-user] Re: Making sure I am a good netizen and secure. by James
On Mon, Sep 07, 2009 at 03:27:56PM +0000, Penguin Lover James squawked:
> Willie Wong <wwong <at> math.princeton.edu> writes:
>
>
> > On my setup, I just block almost everything (except ssh) by default
> > and maintain a white-list of IPs.
>
>
> Can you share with us how you "white-list" IPs via your
> iptables setup? That is your code you add to your startup
> script and your iptables syntax on those white/black listed
> IPs?

Hum? the init script for iptables automatically saves and loads the
policy, at least with SAVE_ON_STOP="yes" in /etc/conf.d/iptables, so I
don't have any special configs in any start-up scripts.

I built my tables using the commandline. A good quick intro guide is
at http://www.gentoo.org/doc/en/home-router-howto.xml , section 5.

The static part of the table looks something like this

Chain INPUT (policy ACCEPT)
target              prot opt source              destination
ACCEPT              all  --  192.168.0.0/16      anywhere
ACCEPT              all  --  localhost           anywhere
general_port_block  all  --  anywhere            anywhere
ssh_blacklist       all  --  anywhere            anywhere

Chain general_port_block (1 references)
target     prot opt source      destination
DROP       tcp  --  anywhere    anywhere      tcp dpt:ftp
DROP       tcp  --  anywhere    anywhere      tcp dpt:urd
DROP       tcp  --  anywhere    anywhere      tcp dpt:smtp
DROP       tcp  --  anywhere    anywhere      tcp dpt:http
DROP       tcp  --  anywhere    anywhere      tcp dpt:http-alt
DROP       tcp  --  anywhere    anywhere      tcp dpt:https
DROP       tcp  --  anywhere    anywhere      tcp dpt:783
DROP       tcp  --  anywhere    anywhere      tcp dpt:ipp

If you know iptables at all, you can probably figure out what I did to
set it up(*). The 'general_port_block' chain is to just make things
tidier. So you see, I set the default policy to allow connections. I
whitelist first the LAN and localhost. Then I filter everything
through the two chains. The general_port_block chain is static, and
it blocks a bunch of services, some of which I run (but which I only
want my family to access from the LAN), some I don't.

As you can see, I don't block ssh, because I sometimes travel a bit.
So instead, I have a separate chain that helps a bit in slowing down
brute force attacks.

The ssh_blacklist chain is dynamically generated via a perl script.
The script monitors the ssh logs and blocks IPs for a certain period
of time after either an attempt to log-in as root, or five failed
log-in attempts. (I have locked myself out once or twice from a hotel
when I accidentally hit the capslock...) Basically you just add a
target to be blocked to the iptables and use atd to remove it some
time later.

(*)If you don't know iptables, man iptables.

> What do you use to maintain these white/black lists of IPs,
> tools and philosophy.....?

My philosophy is common sense. I white list those ips that I want to
be able to access the services. I black list those I don't. For
services like ssh, I pray that my efforts are secure enough.

HTH,

W
--
I am so happy that Willetta is in my life. What would I do without her?
Probably go insane. In fact, I am insanely in love with Willetta, so I am
insane right now... but...
Sortir en Pantoufles: up 1005 days, 9:25
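The ssh_blacklist logic described in the message above (block a source after one root log-in attempt or five failed log-ins, then have atd remove the rule some time later), written out as an added Python example. This is not Willie's perl script and not part of the original thread; the chain name ssh_blacklist and the thresholds come from the message, while the block duration, the sshd log format and the sample addresses (TEST-NET ranges) are assumed or constructed. The iptables and at(1) commands are returned as strings for inspection, never executed.

```python
"""Dry-run model of the ssh_blacklist policy from the mail (added example, not the
original perl script).  Reads sshd log lines, decides which source IPs belong in
the ssh_blacklist chain, and emits the iptables command plus the matching atd job
that removes the rule again.  Commands are returned as strings, never executed."""
import ipaddress
import re
from collections import defaultdict

CHAIN = "ssh_blacklist"        # chain name from the message
THRESHOLD = 5                  # failed log-ins before blocking (from the message)
BLOCK_MINUTES = 60             # assumed duration; the message only says "some time later"

# The INPUT chain accepts the LAN and localhost before ssh_blacklist is consulted,
# so there is no point blacklisting those sources.
WHITELIST = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("127.0.0.0/8")]

# OpenSSH "Failed password for [invalid user] NAME from A.B.C.D port N ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def whitelisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def block_commands(ip: str, minutes: int = BLOCK_MINUTES) -> tuple[str, str]:
    """Insert a DROP at the top of the chain, and queue its removal with at(1)."""
    rule = f"-s {ip} -p tcp --dport 22 -j DROP"
    add = f"iptables -I {CHAIN} 1 {rule}"
    remove = f"echo 'iptables -D {CHAIN} {rule}' | at now + {minutes} minutes"
    return add, remove


def process_log(lines, threshold: int = THRESHOLD):
    """Return [(ip, reason), ...] in the order the block decisions are made."""
    failures = defaultdict(int)
    blocked = []
    seen = set()
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        user, ip = m.groups()
        if ip in seen or whitelisted(ip):
            continue
        if user == "root":
            # Any attempt to log in as root is blocked on the first hit.
            blocked.append((ip, "root login attempt"))
            seen.add(ip)
            continue
        failures[ip] += 1
        if failures[ip] >= threshold:
            blocked.append((ip, f"{failures[ip]} failed logins"))
            seen.add(ip)
    return blocked


# Constructed sample log (TEST-NET addresses), not taken from the original message.
SAMPLE_LOG = [
    "Sep  7 10:00:01 host sshd[1201]: Failed password for wwong from 192.168.1.20 port 50000 ssh2",
] * 6 + [
    "Sep  7 10:01:05 host sshd[1210]: Failed password for root from 203.0.113.7 port 40002 ssh2",
] + [
    f"Sep  7 10:02:{s:02d} host sshd[12{s}]: Failed password for invalid user admin "
    f"from 203.0.113.5 port {40010 + s} ssh2"
    for s in range(11, 16)
] + [
    "Sep  7 10:03:00 host sshd[1230]: Accepted publickey for wwong from 198.51.100.9 port 50100 ssh2",
    "Sep  7 10:04:00 host sshd[1231]: Failed password for wwong from 198.51.100.9 port 50101 ssh2",
    "Sep  7 10:04:09 host sshd[1232]: Failed password for wwong from 198.51.100.9 port 50102 ssh2",
]

if __name__ == "__main__":
    for ip, reason in process_log(SAMPLE_LOG):
        add, remove = block_commands(ip)
        print(f"# {ip}: {reason}")
        print(add)
        print(remove)
```

In the sample, the six failures from 192.168.1.20 never produce a rule because the LAN is whitelisted ahead of the chain, the single root attempt from 203.0.113.7 is blocked immediately, 203.0.113.5 is blocked on its fifth failure, and the two mistyped passwords from 198.51.100.9 stay under the threshold, which is the capslock-at-the-hotel case the message mentions. Inserting at position 1 keeps the DROP ahead of anything already in the chain, and the queued `iptables -D` uses the identical rule text so it removes exactly that entry.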
