Saturday, December 29, 2007

Swami Vivekananda

When I Asked God for Brain & Brown
He Gave Me Puzzles in Life to Solve

When I Asked God for Happiness
He Showed Me Some Unhappy People

When I Asked God for Wealth
He Showed Me How to Work Hard

When I Asked God for Favors
He Showed Me Opportunities to Work Hard

When I Asked God for Peace
He Showed Me How to Help Others

God Gave Me Nothing I Wanted
He Gave Me Everything I Needed

All that is real in me is God; all that is real in God is I. The gulf between God and human beings is thus bridged. Thus we find how, by knowing God, we find the kingdom of heaven within us.

Are you unselfish? That is the question. If you are, you will be perfect without reading a single religious book, without going into a single church or temple.

Be strong! … You talk of ghosts and devils. We are the living devils. The sign of life is strength and growth. The sign of death is weakness. Whatever is weak, avoid! It is death. If it is strength, go down into hell and get hold of it! There is salvation only for the brave. "None but the brave deserves the fair." None but the bravest deserves salvation.

Take up one idea. Make that one idea your life - think of it, dream of it, live on idea. Let the brain, muscles, nerves, every part of your body, be full of that idea, and just leave every other idea alone. This is the way to success.

You cannot believe in God until you believe in yourself.

- Swami Vivekananda

Thursday, December 20, 2007

Tunnel TCP connections over ICMP echo-reply/echo-request

You can tunnel TCP connections over ICMP echo-reply/echo-request packets.
You need a PingTunnel Server(called proxy) and a client both with the application PingTunnel installed on it .
It is useful behind firewall.

Follow this URL. Its all there
PingTunnel

Wednesday, December 19, 2007

SecureServer.sh

#!/bin/bash
########### SysCTL Hardening #########
# Disable ICMP routing redirects. Otherwise, your system could have its routing table misadjusted by an attacker
sysctl -w net.ipv4.conf.all.accept_redirects=0
#sysctl -w net.ipv6.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
#sysctl -w net.ipv6.conf.all.send_redirects=0

#Disable IP source routing. The only use of IP source routing these days is by attackers trying to spoof IP addresses that you would trust as internal hosts.
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.all.forwarding=0
# sysctl -w net.ipv4.conf.all.mc_forwarding=0

#Enforce sanity checking, also called ingress filtering or egress filtering. The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense when considered in light of the physical interface on which it arrived.
sysctl -w net.ipv4.conf.all.rp_filter=1

#Log and drop "Martian" packets. A "Martian" packet is one for which the host does not have a route back to the source IP address (it apparently dropped in from Mars). These days most hosts have a default route, meaning that there would be no such thing as a Martian packet, but to be safe and complete...
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.tcp_max_syn_backlog=1280

# Enable TCP_SYNCOOKIES to prevent SYN Flood Attack
#A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system. This is a well known type of attack and is generally not effective against modern networks. It works if a server allocates resources after receiving a SYN, but before it has received the ACK.
sysctl -w net.ipv4.tcp_syncookies=1
#########################################

INET_IF=eth0
LAN_IF=eth1
LAN=192.168.0.0/24
INTERNET=NET.WRK.RAN.GE/SUB.NET.MAS.KKK

# Flush all the Existing rules
iptables -F
iptables -t nat -F

#Log and DROP SYN Flood Attack Attempts and Related
#Block IP Spoofed-Sequence Number Prediction Attack.Referhttp://www.linuxtopia.org/Linux_Firewall_iptables/x6231.html
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j LOG --log-prefix "SYN Flood Attempt:"
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

# NEW but not SYN
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not SYN:"
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

# Block SYN Flood
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SYNFlood Attempt:"
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

iptables -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --set --name synflood --rsource
iptables -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --update --seconds 1 --hitcount 60 --name synflood --rsource -j LOG --log-prefix "SYNFLOOD"
iptables -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --update --seconds 1 --hitcount 60 --name synflood --rsource -j DROP

# Accept RESET Flagged Packets
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT

# Drop FIN packets that is not accompanied with any ACK
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

########iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG,FIN,SYN,RST,PSH,ACK,URG -m state --state NEW-j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

#Block NetBIOS and Samba Broadcast Floods
iptables -A INPUT -d 122.167.53.54 -i $INET_IF -p tcp -m tcp --dport 135:139 -j DROP
iptables -A INPUT -d 122.167.53.54 -i $INET_IF -p tcp -m tcp --dport 67:68 -j DROP

# Control over ICMP requests
# Allow time-exceeded
iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# Allow echo Request
#iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Limit PING to 3 times/Minute .But burstable to a maximum of 10 Pings/Minute
iptables -A INPUT -p icmp -m limit --limit 3/min --limit-burst 10 -j ACCEPT

# Log PING Traffic Analysis details 10 times/minute
iptables -A INPUT -p icmp -m limit --limit 10/min --limit-burst 1 -j LOG --log-prefix "Ping DROP:"

# DROP Address mask request(ICMP Type 17)
iptables -A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
#DROP Timestamp request(ICMP Type 13)
iptables -A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
#Disable ICMP router solicitations and advertisements, and ICMP subnet mask requests and replies. An attacker might be able to use unsolicited advertisements and replies to misadjust host routing tables. An attack also might be able to use solicitations and requests to reverse engineer some details of your network infrastructure. It appears that you will have to do this with packet-filtering rules on the host.
# Router Advertisement (ICMP Type 9)
iptables -A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
# Router Solicitation(ICMP Type 10)
iptables -A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
#Drop all ICMP
#iptables -A INPUT -p icmp -j DROP

# Accept all ESTABLISHED and RELATED connections.Don't do a double check
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

# Custom ACCEPT Rules for specific ports
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,443,3306,25,143,110 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 80 -m limit --limit 10/sec -j ACCEPT

# IP Spoofing preventions
#iptables -A INPUT -s $LAN -i $LAN_IF -j ACCEPT
#iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
#iptables -A INPUT -s $LAN -i lo -j ACCEPT
# Drop packets from Internet/LAN arriving at Loopback
iptables -A INPUT -s $INTERNET -i lo -j DROP
iptables -A INPUT -s $LAN -i lo -j DROP
# Drop packets arriving at Internet Interface that are not from Internet
iptables -A INPUT -s $LAN -i $INET_IF -j DROP
iptables -A INPUT -s ! $INTERNET -i $INET_IF -j DROP
# Drop packets at LAN Interface if they are not from LAN
iptables -A INPUT -s ! $LAN -i $LAN_IF -j DROP
iptables -A INPUT -s $INTERNET -i $LAN_IF -j DROP

# Drop DHCP requests
iptables -A INPUT -p udp -m udp --sport 68 --dport 67 -j DROP

#If you have a Microsoft Network on the outside of your firewall, you may also get flooded by Multicasts. We drop them so we do not get flooded by logs
iptables -A INPUT -i $INET_IF -d 224.0.0.0/8 -j DROP

# Log weird packets that don't match the above.
iptables -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 7

#Drop Packets in INVALID State
iptables -A INPUT -m state --state INVALID -j DROP

# Anyone who tried to portscan us is locked out for an entire day.

iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
#iptables -A INPUT -m recent --name portscan --remove
#iptables -A FORWARD -m recent --name portscan --remove

# Block all aother know Attacks
# These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT -p tcp -m tcp -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp -m tcp -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp -m recent --name portscan --set -j DROP
iptables -A INPUT -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP

iptables -A INPUT -p tcp -m tcp --dport 6670 -m limit --limit 3/hour -j LOG --log-prefix "Deepthroat scan"
iptables -A INPUT -p tcp -m tcp --dport 6670 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 6711 -m limit --limit 3/hour -j LOG --log-prefix "Subseven scan"
iptables -A INPUT -p tcp -m tcp --dport 6711 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 6712 -m limit --limit 3/hour -j LOG --log-prefix "Subseven scan"
iptables -A INPUT -p tcp -m tcp --dport 6712 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 6713 -m limit --limit 3/hour -j LOG --log-prefix "Subseven scan"
iptables -A INPUT -p tcp -m tcp --dport 6713 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 12345 -m limit --limit 3/hour -j LOG
iptables -A INPUT -p tcp -m tcp --dport 12345 -m limit --limit 3/hour -j LOG --log-prefix "Netbus scan"

iptables -A INPUT -p tcp -m tcp --dport 12345 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 12346 -m limit --limit 3/hour -j LOG --log-prefix "Netbus scan"
iptables -A INPUT -p tcp -m tcp --dport 12346 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 20034 -m limit --limit 3/hour -j LOG --log-prefix "Netbus scan"
iptables -A INPUT -p tcp -m tcp --dport 20034 -j DROP

iptables -A INPUT -p tcp -m tcp --dport 31337 -m limit --limit 3/hour -j LOG --log-prefix "Back orifice scan"
iptables -A INPUT -p tcp -m tcp --dport 31337 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 6000 -m limit --limit 3/hour -j LOG --log-prefix "X-Windows Port"
iptables -A INPUT -p tcp -m tcp --dport 6000 -j DROP
iptables -A INPUT -p udp -m udp --dport 33434:33523 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 7
iptables -A OUTPUT -m state --state INVALID -j DROP
#iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
#iptables -A INPUT -j DROP
#iptables -A INPUT -p tcp -j DROP
# iptables -A INPUT -p udp -j DROP

##### Stop IP Spoofing ##########
SERVER_IP=122.167.53.54
# Add your IP range/IPs here,
#SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 224.0.0.0/3"
#SPOOF_IPS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
iptables -A INPUT -s $SERVER_IP -j DROP
for ip in $SPOOF_IPS
do
iptables -A INPUT -s $ip -j DROP
done
## Now add net.ipv4.conf.all.rp_filter = 1 to sysctl.conf
sysctl -w net.ipv4.conf.all.rp_filter=1

References
Cromwell-intl.com
iptables-tutorial.frozentux.net
iptables-tutorial.frozentux.net/other/ip-sysctl.txt
cyberciti.biz
cyberciti.biz
faqs.org
newartisans.com

Tuesday, December 18, 2007

Limit number of Shell logins by a USER or GROUP

To limit multiple Shell login by the same user on a Linux box you have to set a maximum number of logins in /etc/security/limits.conf for a user or a group.

For example:
# groupadd salesgroup
# useradd -G salesgroup salesman1
# useradd -G salesgroup salesmanager
# echo "@salesgroup - maxlogins 10" >> /etc/security/limits.conf
# echo "salesman1 - maxlogins 5" >> /etc/security/limits.conf


Here the group salesgroup can make a maximum of 10 logins at a time.
And the user salesman1 is limited to 5 simultaneous logins.

Monday, December 10, 2007

Starting httpd: execvp: No such file or directory [FAILED]

I downloaded the source for the latest Apache HTTP and installed it

1. ./configure --enable-so
2. make
3. make install

When I ran
# /usr/local/apache2/bin/apachectl start
it was fine.
But it began to show errors when I tried to run
# /etc/init.d/httpd start

My /etc/init.d/httpd is as follows

. /etc/rc.d/init.d/functions
case "$1" in
start)
echo -n "Starting httpd: "
daemon httpd -DSSL
echo
touch /var/lock/subsys/httpd
;;
stop)
echo -n "Shutting down http: "
killproc httpd
echo
rm -f /var/lock/subsys/httpd
rm -f /usr/local/apache2/logs/httpd.pid
;;
status)
status httpd
;;
restart)
$0 stop
$0 start
;;
reload)
echo -n "Reloading httpd: "
killproc httpd -HUP
echo
;;
*)
echo "Usage: $0 {start|stop|restart|reload|status}"
exit 1
esac
exit 0


I have done
# chkconfig --add httpd
# chkconfig httpd on
# service httpd start

This command returned the following error:
[root@localhost conf]# service httpd start
Starting httpd: execvp: No such file or directory [FAILED]
I've double checked the path of apache installation and the one that I have specified in the init script.It was fine.
The solution is just simple
You can work on it in two ways.

1. Create a soft link to /usr/local/apache/bin/httpd under some System PATH
# ln -s /usr/local/apache/bin/httpd /usr/sbin/httpd
Then start httpd using the service command
2. Include the Apache Binary PATH into the /etc/init.d/functions file
Append /usr/local/apache/bin to the line similar to
PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin"
Thereafter it should look like
PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/apache2/bin"
Then start httpd using the service command

Apart from this always be aware of Permission too.
Follow ups
Plug.Org
mail-archives.apache.org

Friday, December 7, 2007

How to Disable Alt+Ctrl+Bksp and Ctrl+Alt+Function Keys

System administrators should be aware that now there is the ability to turn off switching to text mode virtual terminals via CTL-ALT-FunctionKey. This can come in handy when locking down a system (such when a Linux box is used as a kiosk) when used in conjunction with disabling CTL-ALT-BKSP (forceful kill of the X server). To do this, edit your /etc/X11/XF86Config or /etc/X11/xorg.conf and add the following:

Section "ServerFlags"
# prevent the use of CTL-ALT-F1, etc
Option "DontVTSwitch" "On"
# prevent the use of CTL-ALT-BKSP
Option "DontZap" "On"
EndSection


Here the Vitrual Consoles can be locked in /etc/inittab also

Open /etc/inittab and comment the following

1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

You can shift the Virtual Consoles from Alt+Ctrl+F1 -> F6 to Alt+Ctrl+F8 -> F12
To do so edit /etc/securetty.And rename the tty entries by the number of Virtual Terminal you want to use

eg :
console
vc/1
#vc/2
#vc/3
#vc/4
#vc/5
#vc/6
#vc/7
#vc/8
#vc/9
#vc/10
#vc/11
#tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
#tty9
#tty10
#tty11
tty12

This will enable a single Console at tty12 ie, Alt+Ctrl+F12 Keystroke
Reboot the machine to get affected by the changes made.