[Cialug] Re: RE: Port blocking - and unwanted intruders

Dwight Hubbard cialug@cialug.org
Thu, 9 Dec 2004 11:50:28 -0600 (CST)


I think multiple layers of security are the way to go, and an external
firewall of a different OS than the server is a good idea.

An IDS on the inside of the firewall is nice to have to let you know if
any sort of crap is getting past the firewall.  It also tends to give more
pertinent information than looking at the firewall logs.

With or without a firewall, having both tcpwrappers and portsentry
installed and configured is extremely helpful.  I know at work we have
portsentry installed on all our hosts.  Yes, we do catch network probes on
boxes on the inside of our firewall on occasion.  Portsentry and our IDSes
make sure our surprise security audits aren't really a surprise to us ;-)

Also, it is very handy to have tripwire installed, so you know what
changed if you ever get hacked.  Stuff like VMware and User Mode Linux is
also handy so you can run, say, the web server and the database under
different VMs or kernels, and an exploit on one doesn't necessarily allow
them to exploit the other.  They also make it much easier to recover from
being hacked (just restore the VM or UML install from backup, patch the
exploit used and bring it back up).

Of course, if you really are worried about security there are quite a few
things you can do on the host side, like booting from CD-ROM and mounting
all data filesystems with the noexec flag.

Here's an example of what my hosts.deny usually looks like on the boxes
where I have it automatically firewall out bad ssh connect attempts:

# Old version using a reject route, does not require ipchains or firewalling being enabled
#sshd: ALL: spawn (/bin/logger -p auth.crit -t tcpwrappers "ssh connect attempt from %h, address blocked";/sbin/route add %h reject) &

# New version
sshd: ALL: spawn (/bin/logger -p auth.crit -t tcpwrappers "ssh connect attempt from %h, address blocked";/sbin/ipchains -I input -s %h -j DENY) &
ALL: ALL

Here's an example of the hosts.allow:
# Allow imap connects from the following:
# 127.0.0.1   - the webmail software
# 117.215.13. - Home DSL connection, note there is a firewall rule on this
#               box blocking port 143, as a result remote imap is only
#               allowed via imaps on port 993.
imapd: 127.0.0.1, 117.215.13.

# Allow ssh connects from the following:
# 127.0.0.1   - For test purposes
# 117.215.13. - For my home DSL connection, my ISP gives out addresses
#               for my area in the 117.215.13.0/24 network.
# 65.37.      - Dial up ISP connection to allow connecting while I'm
#               out of town or if my DSL IP address suddenly changes
#               from the current class-b address block it is in.  This
#               address range is only for the ISP's Des Moines dial up
#               number.
sshd:   127.0.0.1, 117.215.13., 65.37.
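The following is an added example, not part of the original post: a small
simulation of the tcpwrappers decision for the two files above, useful for
checking what a given daemon/address pair would get before deploying a rule
change. It assumes the hosts_access(5) order (hosts.allow first, then
hosts.deny, first match wins, no match means allow) and implements only the
pattern subset the post uses; the matched spawn option is returned with %h
expanded rather than executed.

```python
"""Simulate tcpwrappers access control for the hosts.allow / hosts.deny above.
hosts.allow is consulted first, then hosts.deny; the first matching rule wins
and no match in either file grants access. Supported client patterns: ALL,
exact addresses and trailing-dot network prefixes (hosts_access(5))."""

# Constructed copies of the two files from the post, comments stripped.
HOSTS_ALLOW = """
imapd: 127.0.0.1, 117.215.13.
sshd:   127.0.0.1, 117.215.13., 65.37.
"""
HOSTS_DENY = """
sshd: ALL: spawn (/bin/logger -p auth.crit -t tcpwrappers "ssh connect \\
attempt from %h, address blocked";/sbin/ipchains -I input -s %h -j DENY) &
ALL: ALL
"""


def parse_rules(text):
    """Yield (daemons, clients, option) per rule; joins backslash-continued lines."""
    text = text.replace("\\\n", "")
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        option = fields[2] if len(fields) == 3 else None
        yield ([d.strip() for d in fields[0].split(",")],
               [c.strip() for c in fields[1].split(",")], option)


def client_matches(pattern, addr):
    """ALL matches anything; a trailing-dot pattern matches the leading octets."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern


def access(daemon, addr):
    """Return (allowed, expanded_option) for a connection to daemon from addr."""
    for verdict, table in ((True, HOSTS_ALLOW), (False, HOSTS_DENY)):
        for daemons, clients, option in parse_rules(table):
            if ("ALL" in daemons or daemon in daemons) and \
                    any(client_matches(c, addr) for c in clients):
                return verdict, option.replace("%h", addr) if option else None
    return True, None  # no rule matched in either file: access granted
```

Note that a daemon with no hosts.allow entry (ftpd, for instance) is caught by the final `ALL: ALL` in hosts.deny even from the home DSL range, which is the intended fail-closed behaviour.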