Wednesday, December 19, 2007

SecureServer.sh

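#!/bin/bash
########### SysCTL Hardening #########
# Kernel network hardening for a host that is not a router.
# `sysctl -w` changes only the running kernel; the same keys must also be
# listed in sysctl.conf to survive a reboot.

# Turn forwarding off first. ip-sysctl.txt documents that changing the
# forwarding switch resets related parameters to their host/router defaults,
# so setting it before the keys below keeps that reset from undoing them.
# NOTE(review): confirm the reset behaviour on the target kernel.
sysctl -w net.ipv4.conf.all.forwarding=0
# sysctl -w net.ipv4.conf.all.mc_forwarding=0

# Disable ICMP routing redirects. Otherwise, your system could have its routing
# table misadjusted by an attacker.
sysctl -w net.ipv4.conf.all.accept_redirects=0
#sysctl -w net.ipv6.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
#sysctl -w net.ipv6.conf.all.send_redirects=0
# With forwarding off, a redirect is honoured when EITHER conf.all OR the
# interface's own accept_redirects is 1, and send_redirects is always the OR of
# the two (ip-sysctl.txt). Clearing conf.all alone therefore leaves the
# per-interface values in charge, so clear every entry; "default" covers
# interfaces that appear later.
for conf_dir in /proc/sys/net/ipv4/conf/*/; do
  for key in accept_redirects send_redirects; do
    if [ -w "${conf_dir}${key}" ]; then
      printf '0\n' > "${conf_dir}${key}"
    fi
  done
done

# Disable IP source routing. The only use of IP source routing these days is by
# attackers trying to spoof IP addresses that you would trust as internal hosts.
sysctl -w net.ipv4.conf.all.accept_source_route=0

# Enforce sanity checking (reverse-path filtering): drop a packet whose source
# address does not make sense for the interface on which it arrived.
sysctl -w net.ipv4.conf.all.rp_filter=1

# Log "Martian" packets, i.e. packets for which the host has no route back to
# the source address. This key only logs; the dropping is done by rp_filter.
sysctl -w net.ipv4.conf.all.log_martians=1

# Queue size for half-open connections (SYN received, final ACK not yet seen).
sysctl -w net.ipv4.tcp_max_syn_backlog=1280

# Enable TCP_SYNCOOKIES to withstand SYN floods. A SYN flood works when a server
# allocates resources on receiving a SYN, before the handshake's ACK arrives;
# with syncookies the kernel can answer without keeping that state.
sysctl -w net.ipv4.tcp_syncookies=1
#########################################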

# Interfaces and address ranges referenced by the rules that follow.
INET_IF="eth0"            # interface facing the Internet
LAN_IF="eth1"             # interface facing the LAN
LAN="192.168.0.0/24"      # address range of the LAN
# Template value: replace it with the real network/netmask before running.
# iptables cannot parse the placeholder, so every rule that uses $INTERNET is
# rejected until it is replaced, while the rest of the script still runs.
INTERNET="NET.WRK.RAN.GE/SUB.NET.MAS.KKK"

# Empty every chain of the filter and nat tables before adding rules.
# -F removes rules only: chain policies and user-defined chains are untouched,
# and this script sets no policy of its own.
for table in filter nat; do
  iptables -t "$table" -F
done

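# Unsolicited SYN/ACK: log it, then answer with a TCP reset.
# A SYN/ACK that connection tracking classes as NEW answers no SYN sent by this
# host; it appears when a third party spoofs this host's address (the
# sequence-number-prediction scenario). Refer to
# http://www.linuxtopia.org/Linux_Firewall_iptables/x6231.html
# The log prefix reads "SYN Flood Attempt:" although the match is SYN+ACK.
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j LOG --log-prefix "SYN Flood Attempt:"
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

# NEW but not SYN: a packet that would open a connection without being a plain
# SYN (SYN set, RST and ACK clear) is logged and dropped.
# NOTE(review): this LOG rule has no rate limit.
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not SYN:"
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

# SYN flood limiting, per source address.
# No blanket "SYN + state NEW -> DROP" rule is installed here. Such a rule
# matches the opening packet of every inbound connection, so neither the
# limiter below nor the service ACCEPT rules later in the chain would ever see
# a new connection. An unconditional LOG of every SYN is left out for the same
# reason: it would write one kernel log line per connection attempt.
#
# Rule 1 records the source of each new SYN; rules 2 and 3 log and drop a
# source that reaches 60 SYNs within one second.
# NOTE(review): on older kernels the recent match remembers only 20 packets per
# source by default (module parameter ip_pkt_list_tot), so a hitcount of 60 may
# be rejected or never reached. Verify on the target kernel.
iptables -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --set --name synflood --rsource
iptables -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --update --seconds 1 --hitcount 60 --name synflood --rsource -j LOG --log-prefix "SYNFLOOD"
iptables -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --update --seconds 1 --hitcount 60 --name synflood --rsource -j DROP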

# Accept packets with the RST flag set, at most 2 per second (burst 2).
# The rule carries no state match, so it accepts a RST from any source; RSTs
# above the limit are not dropped here and continue down the chain.
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT

# Drop flag combinations that no legitimate TCP stack sends:
# SYN together with FIN, and SYN together with RST.
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Disabled rule, kept as written by the author (note the missing spaces in it):
########iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG,FIN,SYN,RST,PSH,ACK,URG -m state --state NEW-j DROP
# Drop "null" packets: none of FIN, SYN, RST, PSH, ACK, URG is set.
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

# Block NetBIOS and Samba broadcast floods arriving on the Internet interface.
# NOTE(review): both rules match TCP sent to the host's unicast address.
# NetBIOS name/datagram traffic (137/138) and BOOTP/DHCP (67/68) use UDP, and a
# broadcast is not addressed to the unicast IP, so these rules probably do not
# match the floods named above. Confirm against real traffic.
# NOTE(review): 122.167.53.54 is hard-coded here; the same address is assigned
# to SERVER_IP near the end of the script.
iptables -A INPUT -d 122.167.53.54 -i $INET_IF -p tcp -m tcp --dport 135:139 -j DROP
iptables -A INPUT -d 122.167.53.54 -i $INET_IF -p tcp -m tcp --dport 67:68 -j DROP

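# Control over ICMP requests
# Order matters: the DROP rules for unwanted types come first, because the
# rate-limited ACCEPT further down matches every ICMP type and would otherwise
# let these types through whenever the limit is not exhausted.

# DROP Address mask request (ICMP Type 17)
iptables -A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
# DROP Timestamp request (ICMP Type 13)
iptables -A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
# Disable ICMP router solicitations and advertisements. An attacker might use
# unsolicited advertisements to misadjust host routing tables, and
# solicitations or requests to learn details of the network infrastructure.
# This has to be done with packet-filtering rules on the host.
# Router Advertisement (ICMP Type 9)
iptables -A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
# Router Solicitation (ICMP Type 10)
iptables -A INPUT -p icmp -m icmp --icmp-type 10 -j DROP

# Allow time-exceeded (ICMP Type 11)
iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# Allow echo request
#iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Accept remaining ICMP at 3 packets/minute after an initial burst of 10.
# The rule has no --icmp-type, so it covers every type not handled above,
# not only ping.
iptables -A INPUT -p icmp -m limit --limit 3/min --limit-burst 10 -j ACCEPT

# Log ICMP that exceeded the limit above, at most 10 log lines per minute.
# The prefix says "DROP", but nothing in this section drops the packet: it
# continues down the chain unless the "Drop all ICMP" rule below is enabled.
iptables -A INPUT -p icmp -m limit --limit 10/min --limit-burst 1 -j LOG --log-prefix "Ping DROP:"

#Drop all ICMP
#iptables -A INPUT -p icmp -j DROP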

# Accept packets of ESTABLISHED and RELATED connections so that they skip the
# remaining checks. The rule is limited to TCP (-p tcp); replies for other
# protocols are not covered by it.
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

# Custom ACCEPT rules for specific ports: 21 (FTP), then 80/443 (HTTP/HTTPS),
# 3306 (MySQL), 25 (SMTP), 143 (IMAP) and 110 (POP3).
# NOTE(review): these rules accept from any source on any interface. A database
# port such as 3306 usually should not be reachable from the Internet; consider
# limiting it with -s/-i (for example to $LAN on $LAN_IF). The FTP, POP3 and
# IMAP ports listed carry cleartext protocols.
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,443,3306,25,143,110 -j ACCEPT
# Disabled alternative: accept port 80 at no more than 10 packets/second.
# iptables -A INPUT -p tcp -m tcp --dport 80 -m limit --limit 10/sec -j ACCEPT

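# IP Spoofing preventions
# Each rule pairs a source range with the interface it must NOT arrive on.
# Variables are quoted, and negation is written before the option
# (`! -s addr`); newer iptables releases warn about the `-s ! addr` form.
#iptables -A INPUT -s $LAN -i $LAN_IF -j ACCEPT
#iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
#iptables -A INPUT -s $LAN -i lo -j ACCEPT
# Drop packets from Internet/LAN arriving at Loopback
# NOTE(review): connections from this host to its own non-127 addresses also
# travel over lo with that address as source; if the address lies inside $LAN
# or $INTERNET these two rules drop them. Verify.
iptables -A INPUT -s "$INTERNET" -i lo -j DROP
iptables -A INPUT -s "$LAN" -i lo -j DROP
# Drop packets arriving at Internet Interface that are not from Internet
# NOTE(review): the second rule drops every source outside $INTERNET on the
# Internet interface, so $INTERNET must cover all the sources that are expected
# there.
iptables -A INPUT -s "$LAN" -i "$INET_IF" -j DROP
iptables -A INPUT ! -s "$INTERNET" -i "$INET_IF" -j DROP
# Drop packets at LAN Interface if they are not from LAN
iptables -A INPUT ! -s "$LAN" -i "$LAN_IF" -j DROP
iptables -A INPUT -s "$INTERNET" -i "$LAN_IF" -j DROP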

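# Drop DHCP requests (UDP from client port 68 to server port 67).
iptables -A INPUT -p udp -m udp --sport 68 --dport 67 -j DROP

# If you have a Microsoft Network on the outside of your firewall, you may also
# get flooded by Multicasts. We drop them so we do not get flooded by logs.
# IPv4 multicast is 224.0.0.0/4 (224.0.0.0 - 239.255.255.255); a /8 mask would
# cover only 224.x.x.x.
iptables -A INPUT -i "$INET_IF" -d 224.0.0.0/4 -j DROP

# Log packets that reached this point, at most 3 per minute, at debug level (7).
# LOG does not end processing: a logged packet has not "died" yet and is still
# evaluated by the rules that follow.
iptables -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 7

# Drop packets that connection tracking classes as INVALID.
# NOTE(review): this check sits late in the chain; earlier ACCEPT rules that
# carry no state match are evaluated before it.
iptables -A INPUT -m state --state INVALID -j DROP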

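# Anyone on the "portscan" list is dropped for an entire day (86400 seconds).
# One rcheck rule per chain is enough; matching on the source address
# (--rsource) is the default.
# NOTE(review): these checks come after the service ACCEPT rules earlier in the
# chain, so a listed source can still reach the accepted ports. Moving the
# check ahead of them would make the lockout real, but the list is keyed on the
# source address, which can be forged, so a spoofed packet could then lock a
# legitimate client out.
# NOTE(review): the script disables forwarding via sysctl, so the FORWARD rules
# see no traffic unless that changes.
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
#iptables -A INPUT -m recent --name portscan --remove
#iptables -A FORWARD -m recent --name portscan --remove

# Probes of ports associated with well-known backdoors, plus X11 (6000):
# log at most 3 times per hour under a specific prefix, then drop.
# These rules must precede the catch-all at the end of this section, which
# matches every TCP packet; placed after it they would never be evaluated.
while IFS='|' read -r port label; do
  iptables -A INPUT -p tcp -m tcp --dport "$port" -m limit --limit 3/hour -j LOG --log-prefix "$label"
  iptables -A INPUT -p tcp -m tcp --dport "$port" -j DROP
done <<'EOF'
6670|Deepthroat scan
6711|Subseven scan
6712|Subseven scan
6713|Subseven scan
12345|Netbus scan
12346|Netbus scan
20034|Netbus scan
31337|Back orifice scan
6000|X-Windows Port
EOF

# Drop the UDP port range used by traceroute probes.
iptables -A INPUT -p udp -m udp --dport 33434:33523 -j DROP
# Reject ident (113) instead of dropping it, so that a remote service doing an
# ident lookup gets an immediate answer rather than waiting for a timeout.
iptables -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

# Block all other known attacks.
# Catch-all: any TCP packet that reaches this point was accepted by no rule
# above. Its source is added to the portscan list, logged and dropped.
# NOTE(review): the LOG rules here are not rate-limited, and every TCP packet
# to a port that is not accepted counts as a "portscan". Review whether that is
# intended.
iptables -A INPUT -p tcp -m tcp -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp -m tcp -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp -m recent --name portscan --set -j DROP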

# OUTPUT chain: let all outgoing ICMP through.
iptables -A OUTPUT -p icmp -j ACCEPT
# Log other outgoing packets, at most 3 per minute, at debug level (7).
# LOG does not end processing, so despite the "packet died" prefix the packet
# goes on to the next rule.
iptables -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 7
# Drop outgoing packets that connection tracking classes as INVALID.
iptables -A OUTPUT -m state --state INVALID -j DROP
# Disabled final rules for INPUT.
# NOTE(review): with these commented out and no `iptables -P` anywhere in this
# script, a packet that matches no rule gets the chain's current policy, which
# is ACCEPT unless it was changed elsewhere. UDP to arbitrary ports, for
# example, is not blocked by default. Confirm the intended default.
#iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
#iptables -A INPUT -j DROP
#iptables -A INPUT -p tcp -j DROP
# iptables -A INPUT -p udp -j DROP

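##### Stop IP Spoofing ##########
# Drop packets arriving from the network that claim a source address which
# cannot legitimately appear there: this server's own address, and ranges that
# are reserved, private or multicast.
SERVER_IP=122.167.53.54
# Add your IP range/IPs here,
# 224.0.0.0/3 covers 224.0.0.0 - 255.255.255.255 (multicast, reserved and
# broadcast). The active list leaves out 192.168.0.0/16, presumably because the
# LAN uses 192.168.0.0/24. Confirm.
#SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 224.0.0.0/3"
#SPOOF_IPS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
# `! -i lo` keeps these rules off the loopback interface. Local traffic
# legitimately has 127.0.0.0/8 or the server's own address as its source, and
# without the exclusion it would be dropped along with the spoofed packets.
iptables -A INPUT ! -i lo -s "$SERVER_IP" -j DROP
# SPOOF_IPS is a space-separated list, so it is left unquoted here on purpose.
for ip in $SPOOF_IPS
do
  iptables -A INPUT ! -i lo -s "$ip" -j DROP
done
## Now add net.ipv4.conf.all.rp_filter = 1 to sysctl.conf
# `sysctl -w` sets the value for the running kernel only.
sysctl -w net.ipv4.conf.all.rp_filter=1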

References
Cromwell-intl.com
iptables-tutorial.frozentux.net
iptables-tutorial.frozentux.net/other/ip-sysctl.txt
cyberciti.biz
cyberciti.biz
faqs.org
newartisans.com
