Monday, October 29, 2007

Re: Port 80 Open

Hello,

Ansgar -59cobalt- Wiechers a écrit :
> On 2007-10-27 Telly Williams wrote:
>
>>-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
>>-A INPUT -s XX.XXX.XXX.XXX -i lo -j ACCEPT
>
> No other source address than 127.0.0.1/8 is supposed to appear at the
> loopback interface.

Wrong. Any local address, including the whole range 127.0.0.0/8 and all
addresses and aliases configured on local network interfaces may appear
in traffic involving the loopback interface. Besides, what's the use of
address-based filtering on the loopback interface ?

>>-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
>>-A icmp_packets -p icmp -m icmp --icmp-type 11 -j DROP
>> # With the above two rules, I thought it put me in stealth
>> # mode(?).
>
> Repeating myself: "stealth" is braindead marketing babble invented by
> people who failed to understand TCP/IP for people who fail to understand
> TCP/IP.

Anyway, "stealth" means that your box does not reply to any solicitation
from the outside, not that it only drops some ICMP types.

> Your host doesn't magically become "invisible" just because it
> drops packets.

Agreed.

> Besides, you shouldn't be dropping echo-request and time-exceeded. ICMP
> is a vital part of IP and required e.g. for troubleshooting connection
> problems. Rather do something like this:
>
> iptables -N icmp_packets
> # Allow ping, but limit it to 10 requests per second:
> iptables -A icmp_packets -p icmp --icmp-type echo-request \
> -m state --state NEW -m limit --limit 10/sec -j ACCEPT
> # Allow echo replies (pong) for accepted pings:
> iptables -A icmp_packets -p icmp --icmp-type echo-reply \
> -m state --state ESTABLISHED -j ACCEPT
> # Allow troubleshooting messages for all established connections:
> iptables -A icmp_packets -p icmp --icmp-type destination-unreachable \
> -m state --state RELATED -j ACCEPT
> iptables -A icmp_packets -p icmp --icmp-type source-quench \
> -m state --state RELATED -j ACCEPT
> iptables -A icmp_packets -p icmp --icmp-type time-exceeded \
> -m state --state RELATED -j ACCEPT
> iptables -A icmp_packets -p icmp --icmp-type parameter-problem \
> -m state --state RELATED -j ACCEPT
> iptables -A icmp_packets -j DROP

I used to accept source-quench, but not any more after reading that some
DoS attacks were based on it, and I'm not so sure it's really useful. I
acknowledge that destination-unreachable can be abused too, but this one
is really necessary.

>>-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
>>-A tcp_packets -p tcp -m tcp --dport 443 -m comment --comment "HTTPS" -j allowed
>>-A tcp_packets -p tcp -m tcp --dport 25 -j allowed
>>-A tcp_packets -p tcp -m tcp --sport 123 -m comment --comment "NTP" -j allowed
>
> Why are you ACCEPTing NTP packets based on the source port?

Besides, I'm not sure that NTP uses TCP transport. Conversely HTTP(S)
and SMTP(S) don't use UDP transport.

I globally agree with the other comments and suggestions.


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments:

Post a Comment