[Klug-general] iptables (firewall), usermode linux, digital camera

Enquiries enquiries at thedumbterminal.co.uk
Fri Aug 19 06:47:42 BST 2005


On Friday 19 Aug 2005 00:17, Athon Solo wrote:
> Hi all,
>
> Just thought I'd post what I've been doing recently with Gentoo.
>
> Primarily I've been securing my PC and laptop ready for uni. This mostly
> involves learning iptables, which is pretty easy once you've learnt the
> commands.
>
> My current rules-save file with comments (I edit this by hand so I can
> add comments - the syntax is basically the same as the commandline
> commands)
>
> # Generated by iptables-save v1.2.11 on Wed Aug 10 19:27:09 2005
> *raw
>
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
>
> COMMIT
> # Completed on Wed Aug 10 19:27:09 2005
> # Generated by iptables-save v1.2.11 on Wed Aug 10 19:27:09 2005
> *nat
>
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
>
> # 2005-08-17 Masquerading for UML
> [0:0] -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Wed Aug 10 19:27:09 2005
> # Generated by iptables-save v1.2.11 on Wed Aug 10 19:27:09 2005
> *mangle
>
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
>
> COMMIT
> # Completed on Wed Aug 10 19:27:09 2005
> # Generated by iptables-save v1.2.11 on Wed Aug 10 19:27:09 2005
> *filter
>
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
>
> [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> # 2005-08-10 Disable explicit allowing of anything from local machines
> #  I want to be able to tell whether the other rules are working or not
> # [0:0] -A INPUT -s 192.168.1.7 -j ACCEPT
> # [0:0] -A INPUT -s 192.168.1.3 -j ACCEPT
> [0:0] -A INPUT -i lo -j ACCEPT
> # 2005-08-10 Allow incoming SSH connections
> [0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22   -s 192.168.0.0/16 -j ACCEPT
> [0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 22   -s 192.168.0.0/16 -j ACCEPT
> # 2005-08-10 Allow incoming NFS connections
> #  Ref: http://gentoo-wiki.com/HOWTO_Share_Directories_via_NFS
> [0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 111  -s 192.168.0.0/16 -j ACCEPT
> [0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 111  -s 192.168.0.0/16 -j ACCEPT
> [0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -s 192.168.0.0/16 -j ACCEPT
> [0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 2049 -s 192.168.0.0/16 -j ACCEPT
> [0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 4001 -s 192.168.0.0/16 -j ACCEPT
> [0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 4001 -s 192.168.0.0/16 -j ACCEPT
> [0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 32764:32767 -s 192.168.0.0/16 -j ACCEPT
> [0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 32764:32767 -s 192.168.0.0/16 -j ACCEPT
> # 2005-08-10 Allow bittorrent to work correctly
> [0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6889 -j ACCEPT
> [0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 6881:6889 -j ACCEPT
> # 2005-08-11 Allow incoming VNC connections
> [0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 5900:5901 -s 192.168.0.0/16 -j ACCEPT
> [0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 5900:5901 -s 192.168.0.0/16 -j ACCEPT
> # 2005-08-11 Allow incoming connections to our CUPS printer
> [0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 631 -s 192.168.0.0/16 -j ACCEPT
> [0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 631 -s 192.168.0.0/16 -j ACCEPT
> # 2005-08-17 Allow incoming UDP connection to 137 (used by Windows file & print servers)
> [0:0] -A INPUT -p udp -m state --state NEW -m udp --sport 137 -s 192.168.0.0/16 -j ACCEPT
> # 2005-08-17 Allow TUNTAP connections (used by UML)
> [0:0] -A INPUT -p tcp -m state --state NEW -m tcp -i tap0 -j ACCEPT
> [0:0] -A INPUT -p udp -m state --state NEW -m udp -i tap0 -j ACCEPT
> [0:0] -A INPUT -p icmp -m state --state NEW -m icmp -i tap0 -j ACCEPT
> # 2005-08-17 LOG packets
> #[0:0] -A INPUT -j LOG
>
> ## Forwarding Rules
> # 2005-08-17 Forwarding for UML - basically let it handle itself
> [0:0] -A FORWARD -i tap0 -j ACCEPT
> [0:0] -A FORWARD -o tap0 -j ACCEPT
> #[0:0] -A FORWARD -j LOG
> COMMIT
> # Completed on Wed Aug 10 19:27:09 2005
>
> It's a bit messy as when I started I added both udp and tcp entries for
> everything. I'll go through and clean these up sometime.
>
> When you want to see what port something is trying to use, uncomment the
> 2 "-j LOG" lines and restart iptables, then use "tail -f
> /var/log/everything/current" (file may be /var/log/messages for others -
> I use metalog)
>
>
> I've also been looking at running Usermode Linux. For the uninitiated,
> this is simply where you can run linux on top of linux. This can be used
> for a wide range of things, from learning about security (set up a UML
> then you can attempt to hack it like any other box), testing
> installations (one of the things I intend to test is upgrading my Qmail
> Rocks installation), etc.
>
> Because the 'partitions' that a UML instance uses can be files, you can
> easily back it up before you start, and if you mess up, start over from
> scratch as quickly as it takes you to bring down the UML, copy your
> backup and restart the UML with the backed-up copy.
>
> You can see my notes on Usermode linux at:
> http://gentoo-wiki.com/Talk:HOWTO_User_Mode_Linux
>
> Basically I have had a fully working (as far as I can tell) UML running,
> but the AMD64 memory bug I've mentioned in the notes means that it
> doesn't run for long.
>
> I've tried compiling on an x86 (32-bit) machine I have, but so far
> haven't been able to create a running UML guest kernel on it (despite
> using the same .config as I used to create the successful guest kernel
> on my amd64 box).
>
>
> On other tid-bits, I got myself a Canon Powershot A400, which worked
> immediately using Digikam (which uses gphoto2) using the "USB PTP Class
> Camera" model. Unfortunately it doesn't pretend to be a USB Mass Storage
> device, so I haven't found a way to access its filesystem directly
> without using gphoto2 / digikam. I also haven't tried downloading videos
> recorded using the camera yet.
>
> I have also got a new mp3 player (my old Creative DAP was having battery
> life problems, and is a bit bulky by today's standards) -
> http://www.aria.co.uk/ProductInfoComm.asp?ID=17250 - which supports the
> same SD cards that my camera uses. This does pretend to be a USB Mass
> Storage device, so I can always access my videos using that if I can't
> via my camera.
>
> My HP nx9105 laptop has a built-in multi-format (SD/MMC/SM/MS/Pro) card
> reader. I briefly tried to get this running by enabling things which
> looked related in the kernel, and following a tip that I found that it
> might, like a USB mass storage device, pretend to be a SCSI drive
> (/dev/sd*), but I didn't have any success (the LED next to the card
> reader never switched on - which may indicate the need for a driver of
> some type. I've also just had a thought to check that it isn't switched
> off in my BIOS).
>
> In case someone wants to know what the cardreader might be, here's my
> lspci output:
> 0000:00:00.0 Host bridge: nVidia Corporation nForce3 Host Bridge (rev a4)
> 0000:00:01.0 ISA bridge: nVidia Corporation nForce3 LPC Bridge (rev a6)
> 0000:00:01.1 SMBus: nVidia Corporation nForce3 SMBus (rev a4)
> 0000:00:02.0 USB Controller: nVidia Corporation nForce3 USB 1.1 (rev a5)
> 0000:00:02.1 USB Controller: nVidia Corporation nForce3 USB 1.1 (rev a5)
> 0000:00:02.2 USB Controller: nVidia Corporation nForce3 USB 2.0 (rev a2)
> 0000:00:06.0 Multimedia audio controller: nVidia Corporation nForce3 Audio (rev a2)
> 0000:00:06.1 Modem: nVidia Corporation: Unknown device 00d9 (rev a2)
> 0000:00:08.0 IDE interface: nVidia Corporation nForce3 IDE (rev a5)
> 0000:00:0a.0 PCI bridge: nVidia Corporation nForce3 PCI Bridge (rev a2)
> 0000:00:0b.0 PCI bridge: nVidia Corporation nForce3 AGP Bridge (rev a4)
> 0000:00:18.0 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] HyperTransport Technology Configuration
> 0000:00:18.1 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Address Map
> 0000:00:18.2 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] DRAM Controller
> 0000:00:18.3 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Miscellaneous Control
> 0000:01:00.0 VGA compatible controller: nVidia Corporation NV17 [GeForce4 440 Go 64M] (rev a3)
> 0000:02:00.0 FireWire (IEEE 1394): Texas Instruments TSB43AB21 IEEE-1394a-2000 Controller (PHY/Link)
> 0000:02:01.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
> 0000:02:02.0 Network controller: Broadcom Corporation BCM4306 802.11b/g Wireless LAN Controller (rev 03)
> 0000:02:04.0 CardBus bridge: Texas Instruments PCI1620 PC Card Controller (rev 01)
> 0000:02:04.1 CardBus bridge: Texas Instruments PCI1620 PC Card Controller (rev 01)
> 0000:02:04.2 System peripheral: Texas Instruments PCI1620 Firmware Loading Function (rev 01)
>
> I believe the card reader is either going to be the CardBus Bridge (the
> PCMCIA slot is directly below) or the SMBus (since I have no clue what
> else the SMBus might be).
>
> That's another item I need to check - whether I've enabled and installed
> PCMCIA related items (I have a PCMCIA network card I should be able to
> test this with).
>
>
> On my TODO list this coming week is getting SSMTP up and running on my
> webserver, since University of Kent at Canterbury, where I'll
> (hopefully) be for the majority of 3 of the next 4 years (studying
> Computer Science with a year in industry) don't allow standard SMTP
> through.
>
>
> Which reminds me, if anyone's looking for a method of securing SSH or a
> similar service so that an IP is automatically banned after a given
> number of login attempts, I've been pointed to http://fail2ban.sf.net/
> (please note that I haven't tried it myself yet), which basically
> monitors log files for failed login attempts and can automatically add
> entries to iptables after a configurable number of failures.
>
>
> I also want to get my wireless LAN configured on my laptop at some
> point, but without any wireless at home to test it, and no networks
> being picked up in Windows (darn those neighbours for not running a
> wireless network so I can test mine), I guess it'll have to wait until
> I'm actually at uni.
>
>
>
> Regards
>
> Allen
>
> _______________________________________________
> Kent mailing list
> Kent at mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/kent

You're not doing any checking on your OUTPUT chain.

A quick way to stop nearly all of the SSH login attempts from zombie hosts is
to change the port to something higher, e.g. above 1024, as these zombie hosts
mostly check if port 22 is open and then start a wordlist attack. To stop them
altogether you should not use password-based authentication but private keys
instead; you could carry this key on your memory stick etc.

-- 
--------------------------------
http://www.thedumbterminal.co.uk
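An added audit script (mine, not from either mail) that parses the iptables-save format the quoted rules use and flags the two review points above: chains whose policy is ACCEPT with no rules at all (the OUTPUT chain here) and ACCEPT rules that open a port without a `-s` source restriction (the bittorrent rules). The sample dump is a constructed cut-down of the posted file.

```python
import re

# Constructed sample in iptables-save format, cut down from the posted rules (not the full file).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -s 192.168.0.0/16 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6889 -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[\d+:\d+\]$")         # :INPUT DROP [0:0]
RULE_RE = re.compile(r"^(?:\[\d+:\d+\] )?-A (\S+) (.*)$")     # [0:0] -A INPUT ...

def parse(dump):
    """Return {table: {chain: {"policy": str, "rules": [str]}}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # new table, e.g. *filter
            table = tables.setdefault(line[1:], {})
            continue
        m = CHAIN_RE.match(line)
        if m:                                    # chain declaration with its policy
            table[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        m = RULE_RE.match(line)
        if m:                                    # rule appended to a chain
            table.setdefault(m.group(1), {"policy": "-", "rules": []})["rules"].append(m.group(2))
    return tables

def audit(dump):
    """Flag default-ACCEPT chains with no rules, and ACCEPT rules opening a port to any source."""
    findings = []
    for tname, chains in parse(dump).items():
        for cname, c in chains.items():
            if c["policy"] == "ACCEPT" and not c["rules"]:
                findings.append(f"{tname}/{cname}: policy ACCEPT and no rules (unfiltered)")
            for r in c["rules"]:
                t = r.split()
                if "--dport" in t and "-s" not in t and t[-2:] == ["-j", "ACCEPT"]:
                    findings.append(f"{tname}/{cname}: port open to any source: {r}")
    return findings
```

Run `audit(open("/etc/iptables/rules-save").read())` against a real dump to get the same two kinds of finding for the full file.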


