[TriLUG] httpd probe issues

Joe Horvath jkhorvath at yahoo.com
Tue Aug 12 08:50:45 EDT 2008


Ron;

Typically, if you wanted to do this with iptables, then one would set up iptables rules such that you initially list those entities that you want to allow in, followed by a general DROP rule to weed out everything else. Whenever I do this I always start with hosts first (permitting specific hosts complete access), followed by specific ports that I permit from anywhere.

For example, here is a snippet of my /etc/sysconfig/iptables file that illustrates this concept. Note that first I have a list of hosts that may do anything, then I have a list of ports that I expose to the internet, then I LOG and DROP everything else. I have kept more advanced topics out of this snippet (like ICMP rules) for clarity. Remember that the first couple of times you try this, you will probably lock yourself out. So, it's typically a good idea to have a cronjob that keeps opening up a door for you from the inside every few minutes while you are testing.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback
[0:0] -A INPUT -i lo -j ACCEPT
# T20 laptop
[0:0] -A INPUT -s 192.168.1.101 -j ACCEPT
# Some machine
[0:0] -A INPUT -s 10.25.62.14 -j ACCEPT
# Some other machine
[0:0] -A INPUT -s 10.25.62.24 -j ACCEPT

# Allow SSH protocol
[0:0] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow auth protocol
[0:0] -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
# Allow stunnel protocol
[0:0] -A INPUT -p tcp -m tcp --dport 444:445 -j ACCEPT

# Log all other input requests and drop.
# These two rules match only new TCP connections (SYN) arriving on eth0;
# anything else (UDP, ICMP, non-SYN TCP, other interfaces) falls through
# to the INPUT policy declared above, which here is ACCEPT.
[0:0] -A INPUT -i eth0 -p tcp --syn -j LOG --log-prefix "Hacker probe (DROP'ed): " --log-level warning
[0:0] -A INPUT -i eth0 -p tcp --syn -j DROP
# iptables-restore requires the table to be closed with COMMIT.
COMMIT


Joe Horvath
jkhorvath at yahoo.com
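The layout Joe describes (trusted hosts first, then public ports, then log and drop) can be generated and installed from a small shell script. What follows is an added example, not code from the original post or from any of the posters. It builds a default-deny ruleset in iptables-restore format, using a DROP policy on INPUT so that UDP and ICMP are covered as well as TCP, lets replies to the host's own connections back in, rate-limits the log so a port scan cannot fill /var/log, and loads the rules with an automatic rollback timer in place of the cron job that reopens a door. The host list, port list and the /root/iptables.rollback path are placeholder assumptions; `-m state` is used because it is what CentOS 4-era iptables shipped with and current iptables still accepts it.

```shell
#!/bin/sh
# Added example (not from the original post): generate a default-deny
# iptables-restore ruleset from an allow-list, and load it with a rollback
# timer so a mistake cannot lock you out of the box.
# Assumed placeholders: the host and port lists at the bottom and the
# rollback file path /root/iptables.rollback.

# gen_ruleset "HOSTS" "PORTS"
#   HOSTS: space-separated IPv4 addresses or CIDR blocks given full access
#   PORTS: space-separated TCP ports or ranges (a:b) open to everyone
# Prints a complete ruleset for iptables-restore on stdout.
gen_ruleset() {
    hosts=$1
    ports=$2
    echo '*filter'
    # Policy DROP instead of a trailing TCP-SYN-only rule: UDP, ICMP and
    # stray non-SYN TCP are dropped as well, not only new TCP connections.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened (DNS, yum, outbound ssh)
    # must be let back in, or a DROP policy breaks everything outbound.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # A TCP packet without SYN that belongs to no known connection is noise.
    echo '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP'
    # Keep ping answerable, but rate-limited.
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    # 1. Trusted hosts: anything from them is accepted.
    for h in $hosts; do
        echo "-A INPUT -s $h -j ACCEPT"
    done
    # 2. Public services: new TCP connections to these ports from anywhere.
    for p in $ports; do
        echo "-A INPUT -p tcp -m state --state NEW --dport $p -j ACCEPT"
    done
    # 3. Log the rest at a bounded rate (a scan must not fill /var/log),
    #    then drop.  The final DROP is explicit even though the policy
    #    already drops, so its counters show what hit the catch-all.
    echo '-A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "INPUT DROP: " --log-level warning'
    echo '-A INPUT -j DROP'
    echo 'COMMIT'
}

# apply_with_rollback FILE [SECONDS]
#   Saves the running rules, loads FILE, and restores the saved rules after
#   SECONDS (default 120) unless confirm_rules is run first.  Run it from an
#   already-open session: if the new rules cut that session off, the old
#   rules come back on their own.  Needs root and iptables-restore.
apply_with_rollback() {
    ruleset=$1
    secs=${2:-120}
    iptables-save > /root/iptables.rollback || return 1
    iptables-restore < "$ruleset" || return 1
    (
        sleep "$secs"
        if [ -e /root/iptables.rollback ]; then
            iptables-restore < /root/iptables.rollback
        fi
    ) &
    echo "Rules loaded; rolling back in $secs s unless you run: confirm_rules"
}

# confirm_rules: you still have access, so cancel the pending rollback.
confirm_rules() {
    rm -f /root/iptables.rollback
}

# Placeholder allow-lists mirroring the shape of the snippet above.
ALLOW_HOSTS="192.168.1.101 10.25.62.14 10.25.62.24"
ALLOW_PORTS="22 113 444:445"

# Print the generated ruleset.  On the firewall host you would redirect it
# to a file and then run:  apply_with_rollback /path/to/file 120
gen_ruleset "$ALLOW_HOSTS" "$ALLOW_PORTS"
```

Run it with the output redirected to a file, inspect the file, then call apply_with_rollback from an SSH session that is already open; if you can still type after the rules load, run confirm_rules, otherwise wait for the timer and the previous rules return. The rollback file doubles as a record of what was running before the change.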

----- Original Message ----
From: Ron Young <ronyoung at nc.rr.com>
To: Triangle Linux Users Group General Discussion <trilug at trilug.org>
Sent: Tuesday, August 12, 2008 8:32:29 AM
Subject: Re: [TriLUG] httpd probe issues

Shawn,

Thanks.  How do I do that?  Deny to 0.0.0.0-255.255.255.255?

And if I am at a new client site and want to demo something on my web site
here I could ssh tunnel a VNC connection and edit my router tables to allow
his IP address.

Is this what you meant?

-- 
Ron Young
919-621-9015


On Tue, Aug 12, 2008 at 8:23 AM, Shawn Taylor <shtaylor at gpi.com> wrote:

> Ron,
>
> Can you not deny everybody and allow the few you would like through? This
> is a more common practice.
>
> Shawn
>
>
> -----Original Message-----
> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On
> Behalf Of Ron Young
> Sent: Tuesday, August 12, 2008 7:52 AM
> To: Triangle Linux Users Group General Discussion
> Subject: [TriLUG] httpd probe issues
>
> All,
>
> I hope someone can help me understand and fix what I think is a security
> breach on my CentOS 4.x box.  Even though I have blocked ranges of IP
> addresses at the DLink DI-634M router with the following entries in the
> firewall section:
>
> Name             Action  Source IP Range
> (nine further entries)  Deny    (name and range not recoverable from the archived message)
> http_error_log6  Deny    63.64.0.0-63.127.255.255
> http_error_log5  Deny    60.166.0.0-60.175.255.255
> http_error_log4  Deny    63.127.0.0-63.127.255.255
> http_error_log3  Deny    60.172.0.0-60.172.255.255
> http_error_log2  Deny    66.249.0.0-66.249.255.255
> Dlink Log 2      Deny    208.77.12.13
> Dlink Log 1      Deny    59.63.157.211
>
> I also have Port Forwarding on the router set up to forward port 22 to this
> server and I have http port 80 to this server's address configured as a
> Virtual Server on the router.  These are the only two entries configured in
> either section.
>
> I still get entries like below in the Logwatch email I have sent to myself
> every morning:
>
> --------------------- httpd Begin ------------------------
>
> A total of 2 sites probed the server
>  69.58.178.37
>  72.44.39.129
>
> Previously when I got 'probes' like this I would open the DLink and add
> another line to the firewall for that address range.  The next morning
> there would be probes from a different address.  Seems like there ought
> to be a better way.
>
> Being a relative noob with Linux and never strong with network issues I was
> hoping someone could help me devise a better security installation than I
> now have.
>
> Thanks in advance for your time!
> --
> Ron Young
> 919-621-9015
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG FAQ  : http://www.trilug.org/wiki/Frequently_Asked_Questions