Linux Security 7166
If you run redhat-fedora there is a program system-config-securitylevel you can use to configure a firewall rather easily. In the Gnome menus it's called security level or something similar. Otherwise, the following commands in a script could get you going quite well initially:

    # Remove all existing rules
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -t raw -F
    # default: drop incoming packets
    iptables -P INPUT DROP
    # don't worry about output, give 'em free rein.
    iptables -P OUTPUT ACCEPT
    # Accept packets not coming from the internet connection (provided you have
    # a ppp or pppoe connection to the internet). If you are using eg. eth0 for
    # the internet, substitute that after that bang character.
    # (newer iptables want the bang before the option: "! -i ppp0")
    iptables -A INPUT -j ACCEPT -i ! ppp0
    # Accept packets that are related to something you sent out (no -p here:
    # UDP replies, eg. to your DNS queries, must get in as well)
    iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

Then check what server programs you are running.

    lsof | grep LISTEN

You will get some lines like this:

    sshd    2165 root  3u  IPv4  6229  TCP *:ssh (LISTEN)
    xinetd  2174 root  5u  IPv4  6617  TCP *:swat (LISTEN)
                                           ^^^^^^

Look at the address after TCP (or UDP). That is the address your server is listening to. If instead of a "*" you find something like "localhost", it's OK. It will only accept connections from other processes on the same computer. (But why would you have an ssh server running if you are not going to use it?) Find out what the protocols (the part after the colon) are, and stop all servers you don't need. Check the output of "chkconfig --list" (um, is this a fedora speciality?) If you find a server you want to shut down listed with "5:on", then turn it off there; for the ones in the list under xinetd, look in the config files of xinetd.

If there is a service you want to make accessible from outside, without you first establishing a connection, you must add a line to the script, like this:

    # -m tcp only works together with -p tcp
    iptables -A INPUT -j ACCEPT -p tcp -m state --state NEW --dport ssh
                                                                    ^^^

If you run ntpd, the startup scripts may add rules to iptables that open for udp port 123 ("ntp"), perhaps with the additional requirement that the source be one of the configured peer servers. If not, you may have to do that yourself:

    awk '$1=="server" && $2!="127.127.1.0"{print $2}' /etc/ntp.conf |
    while read server
    do
        iptables -A INPUT -j ACCEPT -p udp -s "$server" --dport ntp
    done

Now, with some peace of mind, google for "rusty's remarkably unreliable guides", and read "Linux 2.4 Packet Filtering HOWTO". You may be on 2.6, but never mind, there are no important differences I know about. If you have a local network with other computers, and your linux box will be the firewall and gateway to the internet, search the howto for MASQUERADE and "ipforward".

-Enrique
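The whole procedure from Enrique's post (flush, default policy, trust every interface except the internet one, let established/related traffic back in, punch an explicit hole for ssh, and allow udp/123 from the peers named in ntp.conf) collected into one script. This is an added example, not code from the original post. It assumes the internet interface and the ntp.conf path are given as arguments (defaults ppp0 and /etc/ntp.conf), uses the newer "! -i" negation syntax, and additionally sets the FORWARD policy to DROP, which the post does not, so nothing is routed until you add the MASQUERADE rules the post points you to. The "show" command prints the rules so you can read them before "apply" hands them to iptables as root.

```shell
#!/bin/sh
# Added example (not Enrique's code): generate, and optionally apply, the
# rule set from the post above.
# Assumed arguments: internet interface as $1 (default ppp0),
#                    NTP config path as $2 (default /etc/ntp.conf).

# Print one iptables command per line. Nothing is applied here, so the output
# can be reviewed (or diffed against "iptables-save") before it is used.
gen_rules() {
    wan=${1:-ppp0}
    ntpconf=${2:-/etc/ntp.conf}
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT ! -i $wan -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT
EOF
    # One udp/123 hole per "server" line in ntp.conf, skipping the local
    # clock driver 127.127.1.0, which is not a network peer.
    if [ -r "$ntpconf" ]; then
        awk '$1=="server" && $2!="127.127.1.0" {print $2}' "$ntpconf" |
        while read -r server; do
            echo "iptables -A INPUT -p udp -s $server --dport ntp -j ACCEPT"
        done
    fi
}

# How many ACCEPT rules the generated set contains, as a quick sanity check
# (the three fixed ones plus one per NTP peer).
count_accepts() {
    gen_rules "$@" | grep -c -- '-A INPUT .* -j ACCEPT'
}

# Feed the rules to a shell with -e so the first failing command stops the
# run instead of leaving a half-built firewall behind an INPUT DROP policy.
apply_rules() {
    gen_rules "$@" | sh -e
}

case "${1:-}" in
    show)  gen_rules "$2" "$3" ;;
    apply) apply_rules "$2" "$3" ;;
esac
```

Two things worth knowing before running "apply": the ntp rules take the peer name exactly as written in ntp.conf, and iptables resolves a hostname once, when the rule is inserted, so a pool name like 0.pool.ntp.org ends up as one address that need not be the one ntpd actually talks to. Use IP addresses in ntp.conf if you want this filter to be reliable. And because the INPUT policy is set to DROP before the ssh hole is added, run this from the console, not over the ssh session you are protecting.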