Search This Blog

Saturday, October 27, 2007

Re: Port 80 Open

Forgot to send this via distro:

> > > ports to see what's wrong with it. Only port 80 comes up as
> > > open, and, apparently, is a security violation.
> >
> > why?
>
It's what I got from the check at grc.com.
>
> > > ESTABLISHED,RELATED, the packets being dropped if they don't
> >
> > ... you want just these.
> >
OK, thanks.
>
> > > Also, I'm running in stealth (not allowing icmp echo replies or
> >
> > eh, not quite stealth
>
What do you mean by that? Ansgar said the same thing. Now I'm
feeling like a dummy.
>
> > > requests). Some of my ports (i.e., 25 and 443) are coming up as
> > > closed. Why are these ports showing up as closed at all?
> >
> > why should they be open? are you providing SMTP and HTTPS to the outside?
>
No, but I now understand what you're saying.
>
> > perhaps providing a bit more info would help (eg iptables-save, interfaces)
>
>
# Generated by iptables-save v1.3.6 on Sat Oct 27 17:51:42 2007
*filter
:INPUT DROP [8702:393937]
:FORWARD DROP [0:0]
:OUTPUT DROP [12:1175]
:All_flags - [0:0]
:Fragment - [0:0]
:Invalid - [0:0]
:No_flags - [0:0]
:Spoofs - [0:0]
:allowed - [0:0]
:bad_tcp - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
-A INPUT -p tcp -j bad_tcp
-A INPUT -p tcp -f -j Fragment
-A INPUT -p tcp -m iprange --src-range 10.0.0.0-10.255.255.255 -j Spoofs
-A INPUT -p tcp -m iprange --src-range 172.16.0.0-172.31.255.255 -j Spoofs
-A INPUT -p tcp -m iprange --src-range 192.168.0.0-192.168.255.255 -j Spoofs
-A INPUT -p tcp -m iprange --src-range 169.254.0.0-169.254.255.255 -j Spoofs
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s XX.XXX.XXX.XXX -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j DROP
-A INPUT -d XX.XXX.XXX.XXX -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -j tcp_packets
-A INPUT -i eth1 -p udp -j udp_packets
-A INPUT -i eth1 -p icmp -j icmp_packets
-A INPUT -p tcp -m multiport --sports ! 8002 -m limit --limit 6/min --limit-burst 6 -j LOG --log-prefix "INPUT pkt dead: " --log-level 7
#The above was for xmms. I couldn't get it to work otherwise,
#but I'm still figuring out iptables & tcp/ip.

-A OUTPUT -p tcp -j tcp_packets
-A OUTPUT -s XX.XX.XXX.XXX -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports ! 8002 -m limit --limit 6/min --limit-burst 6 -j LOG --log-prefix "OUTPUT pkt dead: " --log-level 7
# These numbers were arbitrary. I'm still trying to understand
# them enough to put in accurate numbers.

-A All_flags -j LOG --log-prefix "All Flags Set: " --log-level 5
-A All_flags -j DROP
-A Fragment -j LOG --log-prefix "Fragment: " --log-level 5
-A Fragment -j DROP
-A Invalid -j LOG --log-prefix "Packet not ID'd: " --log-level 5
-A Invalid -j DROP
-A No_flags -j LOG --log-prefix "No Flags Set: " --log-level 5
-A No_flags -j DROP
-A Spoofs -j LOG --log-prefix "Spoof: " --log-level 5
-A Spoofs -j DROP
-A allowed -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A bad_tcp -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j LOG --log-prefix "No SYN/ACK: " --log-level 5
-A bad_tcp -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A bad_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j All_flags
-A bad_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j No_flags
-A bad_tcp -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn: " --log-level 5
-A bad_tcp -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp -p tcp -m state --state INVALID -j Invalid
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j DROP
# With the above two rules, I thought it put me in stealth
# mode(?).

-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A tcp_packets -p tcp -m tcp --dport 443 -m comment --comment "HTTPS" -j allowed
-A tcp_packets -p tcp -m tcp --dport 25 -j allowed
-A tcp_packets -p tcp -m tcp --sport 123 -m comment --comment "NTP" -j allowed
-A tcp_packets -p tcp -m tcp --dport 465 -m comment --comment "SMTPS" -j allowed
-A udp_packets -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "DHCP Purposes" -j ACCEPT
-A udp_packets -p udp -m udp --dport 80 -j ACCEPT
-A udp_packets -p udp -m udp --sport 123 -m comment --comment "NTP" -j ACCEPT
-A udp_packets -p udp -m udp --dport 443 -j ACCEPT
-A udp_packets -p udp -m udp --dport 465 -m comment --comment "SMTPS" -j ACCEPT
-A udp_packets -s XX.XX.XX.XX -p udp -m udp --dport 53 -j ACCEPT
-A udp_packets -s XX.XX.XX.XX -p udp -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Sat Oct 27 17:51:42 2007

Hope this helps.

--------------------
Telly Williams
"Knowledge Is Power"


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments: