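#!/usr/bin/env bash
# Title: Linux Security Startup-Script
#
# File: security
# Version: 1.1
# Date: May, 2003
# Changes: none
#
# Written by Impriser
#
# Contributors: NONE
#
# =======================================
# Copyright (C) 2003 by Impriser
# =======================================
#
# USAGE:
#
#   ./security
#
# Hardens the IPv4 stack through /proc/sys/net/ipv4 and installs LOG/DROP
# rules on the INPUT chain for the external interface. Must run as root.
#
# Environment (optional):
#   IPTABLES - path to the iptables binary (default /sbin/iptables)
#   IFACE    - external interface the rules apply to (default eth0)

set -uo pipefail

# Variables
IPTABLES=${IPTABLES:-/sbin/iptables}
IFACE=${IFACE:-eth0}
readonly IPTABLES IFACE

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Write a value to a /proc/sys knob. A missing or unwritable knob only
# warns, so one absent knob does not stop the rest of the hardening.
# Arguments: $1 - value to write, $2 - knob path
#######################################
set_knob() {
  local value=$1 path=$2
  if ! printf '%s\n' "$value" > "$path" 2>/dev/null; then
    printf 'warn: cannot set %s\n' "$path" >&2
  fi
}

#######################################
# Write a value to one knob under every /proc/sys/net/ipv4/conf/* entry.
# Arguments: $1 - value to write, $2 - knob name (e.g. rp_filter)
#######################################
set_all_interfaces() {
  local value=$1 knob=$2
  local interface
  for interface in /proc/sys/net/ipv4/conf/*/"$knob"; do
    # An unmatched glob is left as the literal pattern; skip it.
    [[ -e "$interface" ]] || continue
    set_knob "$value" "$interface"
  done
}

#######################################
# Apply the /proc/sys/net/ipv4 hardening.
# Globals: none written
#######################################
harden_sysctl() {
  # Disable response to ping.
  set_knob 1 /proc/sys/net/ipv4/icmp_echo_ignore_all

  # Disable response to broadcasts.
  set_knob 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

  # Don't accept source routed packets. Attackers can use source routing to generate
  # traffic pretending to be from inside your network, but which is routed back along
  # the path from which it came, namely outside, so attackers can compromise your
  # network. Source routing is rarely used for legitimate purposes.
  set_knob 0 /proc/sys/net/ipv4/conf/all/accept_source_route

  # Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
  # tables, possibly to a bad end.
  set_all_interfaces 0 accept_redirects

  # Enable bad error message protection.
  set_knob 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

  # Turn on reverse path filtering. This helps make sure that packets use
  # legitimate source addresses, by automatically rejecting incoming packets
  # if the routing table entry for their source address doesn't match the network
  # interface they're arriving on. This has security advantages because it prevents
  # so-called IP spoofing, however it can pose problems if you use asymmetric routing
  # (packets from you to a host take a different path than packets from that host to you)
  # or if you operate a non-routing host which has several IP addresses on different
  # interfaces. (Note - If you turn on IP forwarding, you will also get this).
  set_all_interfaces 1 rp_filter

  # Log spoofed packets, source routed packets, redirect packets.
  set_knob 1 /proc/sys/net/ipv4/conf/all/log_martians

  # Make sure that IP forwarding is turned off. We only want this for a multi-homed host.
  set_knob 0 /proc/sys/net/ipv4/ip_forward
}

#######################################
# Append one INPUT rule for $IFACE. A rejected rule is fatal: silently
# continuing would leave a port that was meant to be dropped open.
# Arguments: rule match/target words (everything after "-A INPUT -i IFACE")
#######################################
add_rule() {
  "$IPTABLES" -A INPUT -i "$IFACE" "$@" || die "iptables rule failed: $*"
}

#######################################
# Log and then drop traffic to a destination port.
# Arguments: $1 - protocol (tcp|udp), $2 - port, $3 - log prefix
#######################################
log_and_drop() {
  local proto=$1 port=$2 prefix=$3
  add_rule -p "$proto" --dport "$port" -j LOG --log-prefix "$prefix"
  add_rule -p "$proto" --dport "$port" -j DROP
}

#######################################
# Drop traffic to a destination port without logging.
# Arguments: $1 - protocol (tcp|udp), $2 - port
#######################################
drop_port() {
  local proto=$1 port=$2
  add_rule -p "$proto" --dport "$port" -j DROP
}

#######################################
# Flush the filter table and install the INPUT rules.
# Note: -F/-X/-Z do not touch chain policies; whatever default policy
# was configured before this script ran stays in effect.
#######################################
apply_firewall() {
  # FLUSH
  "$IPTABLES" -F || die "iptables -F failed"
  "$IPTABLES" -X || die "iptables -X failed"
  "$IPTABLES" -Z || die "iptables -Z failed"

  log_and_drop tcp 80 "IPT Web: "
  log_and_drop tcp 443 "IPT SWeb: "
  log_and_drop tcp 3306 "IPT MySQL: "
  log_and_drop tcp 6000 "IPT X: "
  log_and_drop tcp 111 "IPT 111: "
  # 32768 previously had two LOG rules and no DROP, so the traffic was
  # logged twice and then passed through; it now gets LOG then DROP like
  # the other ports. The "IPT 111: " prefix is kept so existing log
  # matching is unaffected.
  log_and_drop tcp 32768 "IPT 111: "
  log_and_drop udp 111 "IPT 111: "
  log_and_drop udp 32768 "IPT 111: "

  # Silent drops (each was listed twice before; one rule suffices).
  drop_port udp 793
  drop_port udp 631
  drop_port udp 68
}

#######################################
# Entry point: requires root because /proc/sys and iptables are written.
#######################################
main() {
  (( EUID == 0 )) || die "must be run as root"
  harden_sysctl
  apply_firewall
}

main "$@"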