Extending Swap on an LVM2 Logical Volume

1) Check swap space and its utilization
cat /proc/swaps
free

2) Scan (all disks) for Logical Volumes
lvscan
[root@localhost ~]# lvscan
ACTIVE '/dev/VolGroup/lv_root' [47.44 GiB] inherit
ACTIVE '/dev/VolGroup/lv_home' [46.19 GiB] inherit
ACTIVE '/dev/VolGroup/lv_swap' [5.88 GiB] inherit

3) Disable devices and files for paging and swapping
swapoff -v /dev/VolGroup/lv_swap

4) Resize the logical volume, adding 1 GB
lvm lvresize /dev/VolGroup/lv_swap -L +1G

5) Set up a Linux swap area
mkswap /dev/VolGroup/lv_swap

6) Enable devices and files for paging and swapping
swapon -va

7) Check swap space and its utilization
cat /proc/swaps
free

8) Scan (all disks) for Logical Volumes
lvscan

Reducing Swap on an LVM2 Logical Volume

1) Check swap space and its utilization
cat /proc/swaps
free

2) Scan (all disks) for Logical Volumes
lvscan

[root@localhost ~]# lvscan
ACTIVE '/dev/VolGroup/lv_root' [47.44 GiB] inherit
ACTIVE '/dev/VolGroup/lv_home' [46.19 GiB] inherit
ACTIVE '/dev/VolGroup/lv_swap' [5.88 GiB] inherit

3) Disable devices and files for paging and swapping
swapoff -v /dev/VolGroup/lv_swap

4) Reduce the size of the logical volume by 1 GB
lvm lvreduce /dev/VolGroup/lv_swap -L -1G

5) Set up a Linux swap area
mkswap /dev/VolGroup/lv_swap

6) Enable devices and files for paging and swapping
swapon -va

7) Check swap space and its utilization
cat /proc/swaps
free

8) Scan (all disks) for Logical Volumes
lvscan
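The extend and reduce procedures above as one script, added here and not from the original post, with the checks a production run needs: it accepts only a relative size such as +1G or -1G, refuses to run swapoff when the pages currently in swap would not fit in free RAM, and keeps the swap UUID so an /etc/fstab entry that references UUID= still matches after mkswap. The LV path, the DRY_RUN variable and the helper names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: resize an LVM swap volume with
# the checks the manual procedure leaves out. Assumes the LV path and a
# relative size (+1G / -1G) are given as arguments; DRY_RUN=1 prints the
# commands instead of executing them.
set -u

# lvresize -L takes relative sizes like +1G or -512M; accept only that form
# so that a bare "1G" cannot silently set the volume to an absolute size.
valid_delta() {
    case "$1" in
        [+-][0-9]*[GgMmTt]) return 0 ;;
        *) return 1 ;;
    esac
}

# swapoff must pull every page held in swap back into RAM; refuse when the
# swap in use ($1, kB) would not fit in the memory available ($2, kB).
swapoff_is_safe() {
    [ "$2" -gt "$1" ]
}

# Execute a command, or just echo it under DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

resize_swap() {
    lv="$1"; delta="$2"
    valid_delta "$delta" || { echo "size must look like +1G or -1G, got: $delta" >&2; return 2; }
    if [ "${DRY_RUN:-0}" != 1 ]; then
        # MemFree+Cached is a rough figure for reclaimable RAM on CentOS 6
        # kernels, which have no MemAvailable line in /proc/meminfo.
        used_kb=$(awk '$1=="SwapTotal:"{t=$2} $1=="SwapFree:"{f=$2} END{print t-f}' /proc/meminfo)
        avail_kb=$(awk '$1=="MemFree:"||$1=="Cached:"{a+=$2} END{print a}' /proc/meminfo)
        swapoff_is_safe "$used_kb" "$avail_kb" || {
            echo "swap in use (${used_kb} kB) exceeds free RAM (${avail_kb} kB); aborting" >&2
            return 3
        }
    fi
    # mkswap writes a fresh UUID; reuse the old one so an /etc/fstab line
    # that names the swap area by UUID= still matches after the resize.
    uuid=$(blkid -s UUID -o value "$lv" 2>/dev/null || true)
    run swapoff -v "$lv"
    run lvresize -L "$delta" "$lv"
    if [ -n "$uuid" ]; then
        run mkswap -U "$uuid" "$lv"
    else
        run mkswap "$lv"
    fi
    run swapon -v "$lv"
    run cat /proc/swaps
}

# Usage: [DRY_RUN=1] ./swapresize.sh /dev/VolGroup/lv_swap +1G
if [ "$#" -eq 2 ]; then
    resize_swap "$1" "$2"
fi
```

lvresize asks for confirmation before shrinking an active volume, so run a reduce interactively; DRY_RUN=1 shows the exact command sequence first.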

Centos 6 SFTP chroot Jail

User and Group setup

First you will want to establish the sftponly group

groupadd sftponly

Then create the user with the correct home directories and group

useradd -d /var/www/vhosts/bob -s /bin/false -G sftponly bob

Don't forget at this point to also set a password for each of these new accounts.

SSHd configuration changes

Now we need to make changes in /etc/ssh/sshd_config to enable SFTP chroot jails in SSH.

Comment out the following line in /etc/ssh/sshd_config:

Subsystem sftp /usr/lib/openssh/sftp-server

and replace it with this line:

Subsystem sftp internal-sftp

Then add the following set of lines to the very bottom of the file:

Match Group sftponly
    ChrootDirectory /var/www/vhosts/%u
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp

This creates a special login group; every user in that group is chroot jailed into their own home directory.

Once these file changes are saved you will need to restart SSHd for the changes to take effect, using the following command:

service sshd restart

Permissions cleanup and testing

The last issue to address is the permission settings. For this example the directories /var/www/vhosts/bob and /var/www/vhosts/ted should both be owned by root, the directory /var/www/vhosts/ted/site1 should be owned by ted, and the directory /var/www/vhosts/bob/site1 should be owned by bob.

chown root /var/www/vhosts/bob
ls -la
chmod go-w /var/www/vhosts/bob
chown bob:sftponly /var/www/vhosts/bob/fileupload/
chown bob:sftponly /opt/app/vhosts/rbc/writable/
chown bob:sftponly /opt/app/vhosts/rbc/codeupload/
chmod ug+rwx codeupload fileupload writable

tail -f /var/log/secure
tail -f /var/log/audit/audit.log
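An added check, not from the original post, for the permissions step above: sshd accepts a ChrootDirectory only if every component of the path, from / down, is owned by root and not writable by group or others, which is what the chown root and chmod go-w commands above establish for /var/www/vhosts/bob. The function names are this example's own, and it assumes GNU stat as shipped on CentOS.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a ChrootDirectory
# path meets sshd's ownership and mode rules. When a component fails them,
# sshd logs "bad ownership or modes for chroot directory" and the sftp login
# is refused. Assumes GNU stat (-c '%u' / -c '%A').

# Pure check on one component. $1 is the numeric owner uid, $2 the symbolic
# mode as printed by stat %A or ls -l (e.g. drwxr-xr-x). Returns 0 if usable.
chroot_component_ok() {
    [ "$1" -eq 0 ] 2>/dev/null || return 1      # must be owned by root
    case "$2" in
        ?????w*)    return 1 ;;                  # 6th character: group write bit set
        ????????w*) return 1 ;;                  # 9th character: other write bit set
    esac
    return 0
}

# Stat one directory on disk and apply the pure check to it.
chroot_component_on_disk_ok() {
    owner=$(stat -c '%u' "$1") || return 2
    perms=$(stat -c '%A' "$1") || return 2
    chroot_component_ok "$owner" "$perms"
}

# Walk from / down to the absolute directory $1. Prints the first offending
# component and returns 1; returns 0 when the whole path is acceptable.
check_chroot_path() {
    dir="$1"
    case "$dir" in
        /*) ;;
        *) echo "absolute path required: $dir" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    chroot_component_on_disk_ok / || { echo /; return 1; }
    rest="${dir#/}"
    path=""
    while [ -n "$rest" ]; do
        part="${rest%%/*}"
        rest="${rest#"$part"}"
        rest="${rest#/}"
        [ -n "$part" ] || continue              # skip empty parts from doubled slashes
        path="$path/$part"
        chroot_component_on_disk_ok "$path" || { echo "$path"; return 1; }
    done
    return 0
}

# Usage: ./check_chroot.sh /var/www/vhosts/bob
if [ "$#" -eq 1 ]; then
    check_chroot_path "$1" && echo "ok: $1 is usable as ChrootDirectory"
fi
```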

Shorewall – Firewall

CentOS – Install and Configure Shorewall

Add the EPEL repository that is provided by the Fedora project.
wget http://ftp.riken.jp/Linux/fedora/epel/RPM-GPG-KEY-EPEL-6
rpm --import RPM-GPG-KEY-EPEL-6
rm -f RPM-GPG-KEY-EPEL-6
vi /etc/yum.repos.d/epel.repo
# create new
[epel]
name=EPEL RPM Repository for Red Hat Enterprise Linux
baseurl=http://ftp.riken.jp/Linux/fedora/epel/6/$basearch/
gpgcheck=1
enabled=0
# when you use the repository, pass --enablerepo to yum as follows

yum --enablerepo=epel install shorewall

Backup and Edit System Control

cp /etc/sysctl.conf /etc/sysctl.conf.org

sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf

Backup and Edit Shorewall Zones
cp /etc/shorewall/zones /etc/shorewall/zones.org
vi /etc/shorewall/zones

##
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE   TYPE       OPTIONS    IN           OUT
#                             OPTIONS      OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE -- DO NOT REMOVE

Backup and Edit Shorewall Interfaces
cp /etc/shorewall/interfaces /etc/shorewall/interfaces.ori
vi /etc/shorewall/interfaces

#
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc     eth1        detect      tcpflags,nosmurfs
dmz     eth2        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Backup and Edit Shorewall Policy
cp /etc/shorewall/policy /etc/shorewall/policy.ori
vi /etc/shorewall/policy

#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE   DEST    POLICY   LOG     LIMIT:BURST
#                          LEVEL
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc       net     ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT. (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
loc       dmz     REJECT   info
loc       $FW     REJECT   info
loc       all     REJECT   info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW       net     REJECT   info
$FW       dmz     REJECT   info
$FW       loc     REJECT   info
$FW       all     REJECT   info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT. This may be useful if you run a proxy server in
# your DMZ.
dmz       net     REJECT   info
dmz       $FW     REJECT   info
dmz       loc     REJECT   info
dmz       all     REJECT   info
#
# Policies for traffic originating from the Internet zone (net)
#
net       dmz     DROP     info
net       $FW     DROP     info
net       loc     DROP     info
net       all     DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all     REJECT   info
#LAST LINE -- DO NOT REMOVE

Backup and Edit Shorewall Rules

cp /etc/shorewall/rules /etc/shorewall/rules.orig

vi /etc/shorewall/rules

# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
#######################################################################
#ACTION       SOURCE   DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/   MARK
#                                     PORT    PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT    $FW      net
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT    loc      $FW
SSH/ACCEPT    loc      dmz
#
# DMZ DNS access to the Internet
#
DNS/ACCEPT    dmz      net
#
# Drop Ping from the "bad" net zone.
#
Ping/DROP     net      $FW
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc->net policy is ACCEPT).
#
Ping/ACCEPT   loc      $FW
Ping/ACCEPT   dmz      $FW
Ping/ACCEPT   loc      dmz
Ping/ACCEPT   dmz      loc
Ping/ACCEPT   dmz      net
ACCEPT        $FW      net    icmp
ACCEPT        $FW      loc    icmp
ACCEPT        $FW      dmz    icmp
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping/ACCEPT  net      dmz
#Ping/ACCEPT  net      loc
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Backup and Edit Shorewall Configuration
cp /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf.orig
vi /etc/shorewall/shorewall.conf
sed -i 's/STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/g' /etc/shorewall/shorewall.conf

Check Shorewall Configuration
shorewall check

Create Auto Start and Restart Shorewall
chkconfig shorewall on
service shorewall restart
or
shorewall restart

Configure Advanced Policy-based Firewall (APF), Brute Force Detection (BFD), DDoS Deflate

Advanced Policy Firewall

Description:
Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today's Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the 'apf' command, which includes detailed usage information on all the features.

The technical side of APF is such that it utilizes the latest stable features from the iptables (netfilter) project to provide a very robust and powerful firewall. The filtering performed by APF is three fold:
1) Static rule based policies (not to be confused with a "static firewall")
2) Connection based stateful policies
3) Sanity based policies

Features:
– detailed and well commented configuration file
– granular inbound and outbound network filtering
– user id based outbound network filtering
– application based network filtering
– trust based rule files with an optional advanced syntax
– global trust system where rules can be downloaded from a central management server
– reactive address blocking (RAB), next generation in-line intrusion prevention
– debug mode provided for testing new features and configuration setups
– fast load feature that allows for 1000+ rules to load in under 1 second
– inbound and outbound network interfaces can be independently configured
– global tcp/udp port & icmp filtering with multiple filters (drop, reject, prohibit)
– configurable policies for each ip on the system with convenience variables to import settings
– packet flow rate limiting that prevents abuse on the most widely abused protocol, icmp
– prerouting and postrouting rules for optimal network performance
– dshield.org block list support to ban networks exhibiting suspicious activity
– spamhaus Don't Route Or Peer List support to ban known "hijacked zombie" IP blocks
– any number of additional interfaces may be configured as trusted or untrusted
– additional firewalled interfaces can have their own unique firewall policies applied
– intelligent route verification to prevent embarrassing configuration errors
– advanced packet sanity checks to make sure traffic coming and going meets the strictest of standards
– filter attacks such as fragmented UDP, port zero floods, stuffed routing, arp poisoning and more
– configurable type of service options to dictate the priority of different types of network traffic
– intelligent default settings to meet every day server setups
– dynamic configuration of your server's local DNS resolvers into the firewall
– optional filtering of common p2p applications
– optional filtering of private & reserved IP address space
– optional implicit blocks of the ident service
– configurable connection tracking settings to scale the firewall to the size of your network
– configurable kernel hooks (ties) to harden the system further to syn-flood attacks & routing abuses
– advanced network control such as explicit congestion notification and overflow control
– helper chains for FTP DATA and SSH connections to prevent client side issues
– optional rate limited event logging
– logging subsystem that allows for logging data to user space programs or standard syslog files
– comprehensive logging of every rule added
– detailed startup error checking
– if you are familiar with netfilter you can create your own rules in any of the policy files
– pluggable and ready advanced use of QoS algorithms provided by Linux
– 3rd party add-on projects that complement APF features

Install Procedure

mkdir /software
cd /software
wget -c http://rfxnetworks.com/downloads/apf-current.tar.gz
tar -zxvf apf-current.tar.gz
cd apf-9.7-2/
./install.sh
cp /etc/apf/conf.apf /etc/apf/conf.apf.bk
vi /etc/apf/conf.apf

DEVEL_MODE="0"
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,3306"
IG_UDP_CPORTS="53,67,68,111,5353,48443"
USE_AD="1"

/etc/init.d/apf restart

Brute Force Detection (BFD)

1) Download and Install Brute Force Detection (BFD)
wget -c http://rfxnetworks.com/downloads/bfd-current.tar.gz
tar xvfz bfd-current.tar.gz
cd bfd-*
./install.sh

2) Backup and Edit BFD Configuration
cp /usr/local/bfd/conf.bfd /usr/local/bfd/conf.bfd.ori
vi /usr/local/bfd/conf.bfd

EMAIL_ALERTS="0"
EMAIL_ADDRESS="admin@email.com"

3) Backup and Edit BFD Ignore Hosts
cp /usr/local/bfd/ignore.hosts /usr/local/bfd/ignore.hosts.ori
vi /usr/local/bfd/ignore.hosts

192.168.1.108

4) Run BFD
bfd -s

DDoS Deflate

1) Download and Install DDoS Deflate
wget -c http://www.inetbase.com/scripts/ddos/install.sh
sh install.sh

2) Backup and Edit DDoS Deflate Configuration
cp /usr/local/ddos/ddos.conf /usr/local/ddos/ddos.conf.ori
vi /usr/local/ddos/ddos.conf

EMAIL_TO="test@email.com"

3) Run DDoS Deflate
/usr/local/ddos/ddos.sh -c

Open a port in apf firewall and add trusted IP

APF is a policy-based iptables firewall that is very useful for blocking DDoS attacks on heavily trafficked servers.
The issue is that when our developers/testers use the same server, APF denies all traffic from their static IPs.
This is a major headache in most cases.

1. Opening a port in the APF firewall
Edit the file /etc/apf/conf.apf, find the IG_TCP_CPORTS entry and add the ports to be opened to it.

A sample entry looks like this; I add the port '9091' to it:
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,3306"

Then restart the firewall:
[root@host.mydomain.com] ~ >> apf -r

2. Trusting our IPs on the APF firewall

Add our IP information to /etc/apf/allow_hosts.rules. A sample entry looks like this:
# inbound to destination port 22 from 192.168.2.1
# tcp:in:d=22:s=192.168.2.1#
# outbound to destination port 23 to destination host 192.168.2.1
# out:d=23:d=192.168.2.1#
# inbound to destination port 3306 from 192.168.5.0/24
# d=3306:s=192.168.5.0/24
# my IP ranges
10.0.4.0/24
10.0.5.0/24
10.0.6.0/24
tcp:in:d=22:s=192.168.2.1#
out:d=23:d=192.168.2.1#
d=3306:s=192.168.5.0/24

IPTABLES Firewall on Centos

Firewall on Centos OS

#!/bin/sh
#
#

## Set your IP address
MYIP="192.168.1.108"
#
## Flush rules & reset counters
/sbin/iptables -F
/sbin/iptables -Z
#
## Set policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
#
## Drop all incoming fragments
/sbin/iptables -A INPUT -i eth0 -f -j DROP
#
## Drop outside packets with local addresses - anti-spoofing measure
/sbin/iptables -A INPUT -s $MYIP ! -i lo -j DROP
/sbin/iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
/sbin/iptables -A INPUT -s 10.0.0.0/8 ! -i lo -j DROP
/sbin/iptables -A INPUT -s 192.168.0.0/16 ! -i lo -j DROP
/sbin/iptables -A INPUT -s 224.0.0.0/4 ! -i lo -j DROP
/sbin/iptables -A INPUT -s 0.0.0.0/8 ! -i lo -j DROP
/sbin/iptables -A INPUT -s 255.255.255.255 ! -i lo -j DROP
/sbin/iptables -A INPUT -s 169.254.0.0/16 ! -i lo -j DROP
/sbin/iptables -A INPUT -s 221.240.102 ! -i lo -j DROP
/sbin/iptables -A INPUT -s 203.215.94.193 ! -i lo -j DROP
/sbin/iptables -A INPUT -s 218.71.137.68 ! -i lo -j DROP
#
## Pass all locally-originating packets
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#
## Accept ICMP ping echo requests
## (this allows other people to ping your machine, among other things),
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
#
## Accept all traffic from a specific machine with IP x.x.x.x
## replace x.x.x.x with the desired IP, then uncomment the line.
#/sbin/iptables -A INPUT -p tcp -m tcp --syn -s xxx.xxx.xxx.xxx -j ACCEPT
#
## Accept traffic on port p from a specific machine with IP x.x.x.x
## replace p with the desired port number, and replace x.x.x.x with
## the desired IP, then uncomment the line.
#/sbin/iptables -A INPUT -p tcp -m tcp --syn -s x.x.x.x --dport p -j ACCEPT
#
## Accept ftp-data and ftp (ports 20 & 21)
/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 21 -j ACCEPT
#
## Accept ssh (port 22)
/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 22 -j ACCEPT
#
## Accept telnet (port 23)
#/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 23 -j ACCEPT
#
## Accept smtp (port 25)
#/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 25 -j ACCEPT
## Accept dns (port 53)
/sbin/iptables -A INPUT -p udp -m udp -s 0/0 --dport 53 -d 0/0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 53 -d 0/0 -j ACCEPT
#
## Accept http (port 80)
#/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 80 -j ACCEPT
#
## Accept pop3 (port 110)
#/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 110 -j ACCEPT
#
## Accept inbound identd (port 113)
#/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 113 -j ACCEPT
## or you can reject and send back a TCP RST packet instead
#/sbin/iptables -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
#
## Accept imap (port 143)
#/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 143 -j ACCEPT
#
## Accept https (port 443)
#/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 443 -j ACCEPT
#
## Accept smtps (port 465)
#/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 465 -j ACCEPT
## Accept msp (port 587)
#/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 587 -j ACCEPT
#
## Accept SpamAssassin (port 783)
#/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 783 -j ACCEPT
#
## Accept imaps (port 993)
#/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 993 -j ACCEPT
#
## Accept pop3s (port 995)
#/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 995 -j ACCEPT
#
## Accept mysql (port 3306)
#/sbin/iptables -A INPUT -p tcp -m tcp --syn --dport 3306 -j ACCEPT
#
## Allow inbound established and related outside communication
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
## Drop outside initiated connections
/sbin/iptables -A INPUT -m state --state NEW -j REJECT
#
## Allow all outbound tcp, udp, icmp traffic with state
/sbin/iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
## Save rules (the init script is named iptables, not /sbin/iptables)
service iptables save
#
#
echo "/sbin/iptables configuration is complete"
echo ""
echo "Check your rules - /sbin/iptables -L -n"
echo ""

Redhat Linux IPTABLES

==============================================================================================
==============================================================================================
# Generated by iptables-save v1.3.5 on Sat Dec 10 05:28:35 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [59:18308]
:RH-Firewall-1-INPUT - [0:0]
:SSH_CHECK - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j LOG --log-prefix "IP DROP SPOOF B: "
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -s 224.0.0.0/240.0.0.0 -i eth0 -j LOG --log-prefix "IP DROP MULTICAST D: "
-A INPUT -s 240.0.0.0/248.0.0.0 -i eth0 -j LOG --log-prefix "IP DROP SPOOF E: "
-A INPUT -d 127.0.0.0/255.0.0.0 -i eth0 -j LOG --log-prefix "IP DROP LOOPBACK: "
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_CHECK
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
-A SSH_CHECK -m recent --set --name SSH --rsource
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
COMMIT
# Completed on Sat Dec 10 05:28:35 2011
==============================================================================================
==============================================================================================

Block Incoming Port 80 except for IP Address 192.168.3.0/24

# /sbin/iptables -A INPUT -p tcp -i eth0 ! -s 192.168.3.0/24 --dport 80 -j DROP

# Generated by iptables-save v1.3.5 on Sat Dec 10 06:17:00 2011
*filter
:INPUT ACCEPT [80:5760]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [78:12568]
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT ! -s 192.168.3.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 -j DROP
COMMIT
# Completed on Sat Dec 10 06:17:00 2011
==============================================================================================
==============================================================================================

FTP FIREWALL

# Generated by iptables-save v1.3.5 on Wed Jun 10 21:13:16 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [423:45748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
==============================================================================================
==============================================================================================

Redhat Basic Firewall

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8009 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10050 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

==============================================================================================
==============================================================================================

SSH Rules

Using iptables to allow only specific hosts to connect

An alternative to TCP wrappers (although you can use both at the same time) is limiting SSH access with iptables. Here's a simple example of how you can allow only a specific host to connect to your SSH service:

~# iptables -A INPUT -p tcp -m state --state NEW --source 193.180.177.13 --dport 22 -j ACCEPT

And make sure no one else has access to the SSH service:

~# iptables -A INPUT -p tcp --dport 22 -j DROP

~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP

In a second example, iptables is set to allow only host 193.180.177.13 to connect to the SSH service. After three failed login tries, iptables allows the host only one login try per minute:

~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP

Conclusion

iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
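An added example, not from the original post, that applies the SSH_CHECK threshold above (four hits from one source within 60 seconds) to sshd log lines instead of to connection attempts: the recent and limit matches count new TCP connections and cannot tell a failed login from a successful one, whereas this script counts only "Failed password" lines, which is the same signal BFD works from. The log lines, host name and addresses are constructed samples, and flag_bruteforce is this example's own name.

```shell
#!/bin/sh
# Added example, not from the original post: find sources that reach the
# SSH_CHECK threshold (N failed logins within W seconds) in sshd log lines of
# the /var/log/secure format. The sample below is constructed, not real data.

SAMPLE_LOG='Dec 10 05:28:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Dec 10 05:28:09 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Dec 10 05:28:15 host sshd[2105]: Failed password for root from 203.0.113.5 port 40141 ssh2
Dec 10 05:28:40 host sshd[2107]: Failed password for root from 203.0.113.5 port 40150 ssh2
Dec 10 05:29:12 host sshd[2109]: Accepted publickey for bob from 192.0.2.10 port 51000 ssh2
Dec 10 05:29:30 host sshd[2111]: Failed password for bob from 192.0.2.10 port 51004 ssh2
Dec 10 05:31:02 host sshd[2113]: Failed password for bob from 192.0.2.10 port 51010 ssh2'

# Print, once each, every source IP with at least $1 "Failed password" lines
# inside some window of $2 seconds. Reads log text on stdin. Syslog stamps
# carry no year, so month/day/time is folded into a coarse second count that
# orders correctly within a month, which is all a 60-second window needs.
flag_bruteforce() {
    awk -v hits="$1" -v secs="$2" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    /sshd\[[0-9]+\]: Failed password for/ {
        split($3, t, ":")
        ts = ((mon[$1] * 31 + $2) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
        for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
        n[src]++
        stamp[src, n[src]] = ts
        # Sliding window: compare this failure with the one (hits-1) failures
        # earlier; if that fits inside the window the threshold is reached.
        if (n[src] >= hits && ts - stamp[src, n[src] - hits + 1] <= secs && !flagged[src]) {
            flagged[src] = 1
            print src
        }
    }'
}

# Usage: ./flag_bruteforce.sh /var/log/secure  (no argument: run on the sample)
if [ "$#" -eq 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 4 60
else
    flag_bruteforce 4 60 < "$1"
fi
```

Note that in the iptables-save listing above the jump to RH-Firewall-1-INPUT precedes the jump to SSH_CHECK, and that chain ends in LOG then DROP without returning, so SSH_CHECK is never consulted; the SSH_CHECK jump has to come first.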