Friday, October 28, 2005

iptables - network firewall

First log the packet if it matches the criteria, then drop it. Order matters: iptables evaluates a chain top to bottom and a packet that hits DROP is gone, so the LOG rule has to come before the DROP rule.


## log SMTP connection attempts from the range (LOG is non-terminating, the packet continues to the next rule)
/sbin/iptables -A INPUT -p tcp -s 59.104.0.0/15 --dport 25 -j LOG
## then discard it: DROP is silent, REJECT would send an ICMP error back to the sender
/sbin/iptables -A INPUT -p tcp -s 59.104.0.0/15 --dport 25 -j DROP




List the current firewall rules. --list resolves addresses and ports to names (anywhere, smtp below); add -n for numeric output, which also avoids DNS lookups against the blocked ranges, and -v to see per-rule packet counters.


[root@plain iptables]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG tcp -- 59.104.0.0/15 anywhere tcp dpt:smtp LOG level warning
DROP tcp -- 59.104.0.0/15 anywhere tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination





Run those commands on your server. Following are the changes I recommend:




# In addition to the default REJECT entries, add a LOG rule ahead of each DROP/REJECT so blocked traffic is recorded (a packet that hits DROP never reaches a later LOG rule)
# Block the following lists ONLY IF YOU DON'T GET LEGITIMATE TRAFFIC FROM THESE COUNTRIES ON THESE PORTS
# PORTS
# smtp 25(tcp), ssh 22(tcp), ftp 20,21(tcp), http 80(tcp), dns 53(udp), 53(tcp)
# COUNTRIES
# TAIWAN (22 networks as of October 2005; address allocations change, so regenerate the list from current APNIC delegation data before using it)
# The list below is iptables -L -n output, not commands. As shown it matches no destination port, so it rejects all TCP from these networks; add --dport if only the services above should be blocked.


REJECT tcp -- 210.244.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 211.20.0.0/14 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 211.72.0.0/13 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 218.32.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 218.34.0.0/15 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 218.160.0.0/12 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 218.184.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 218.187.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 219.68.0.0/14 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 219.80.0.0/15 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 219.84.0.0/14 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 219.90.0.0/18 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 219.91.0.0/17 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 220.128.0.0/12 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 220.228.0.0/15 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 220.247.128.0/19 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 221.120.0.0/18 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 221.120.64.0/19 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 221.169.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 222.156.0.0/15 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 222.250.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 222.251.0.0/17 0.0.0.0/0 reject-with icmp-port-unreachable
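The list above is iptables -L -n output rather than commands, and the log-then-block pairing from the top of the post has to be repeated for every network. As an added example that is not from the original post, the following POSIX shell script turns a CIDR list into LOG + REJECT rules in a dedicated chain (the chain name BLOCK_TW and the log prefix are my assumptions) so the list can be flushed and reloaded without disturbing the rest of INPUT. It validates each entry, drops duplicates such as the repeated 222.251.0.0/17, keeps LOG ahead of REJECT, and prints the commands instead of executing them; pipe the output to sh as root to apply.

```shell
#!/bin/sh
# Added example, not from the original post. Generates iptables commands
# (printed, not executed) for a list of CIDR blocks. Chain name and log
# prefix are assumptions; the CIDRs in the demo are taken from the post.

CHAIN=BLOCK_TW                   # hypothetical dedicated chain
IPT=${IPT:-/sbin/iptables}

# valid_cidr a.b.c.d/len -> 0 if a well-formed IPv4 CIDR, 1 otherwise
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; len=${1#*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  oldifs=$IFS; IFS=.
  set -- $ip                     # split the address into octets
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# gen_rules PORT < cidr-list: one LOG and one REJECT rule per unique CIDR.
# LOG comes first because REJECT terminates rule evaluation for the packet.
gen_rules() {
  port=$1
  echo "$IPT -N $CHAIN 2>/dev/null || $IPT -F $CHAIN"
  sort -u | while read -r cidr; do
    [ -n "$cidr" ] || continue
    if ! valid_cidr "$cidr"; then
      echo "# skipped malformed entry: $cidr" >&2
      continue
    fi
    echo "$IPT -A $CHAIN -s $cidr -p tcp --dport $port -j LOG --log-prefix \"$CHAIN: \""
    echo "$IPT -A $CHAIN -s $cidr -p tcp --dport $port -j REJECT --reject-with icmp-port-unreachable"
  done
  # insert the jump at the top of INPUT so it runs before any ACCEPT rule
  echo "$IPT -I INPUT 1 -p tcp --dport $port -j $CHAIN"
}

# Demo: two ranges from the post (one duplicated) plus a malformed entry
printf '210.244.0.0/16\n222.251.0.0/17\n222.251.0.0/17\n999.1.1.1/8\n' | gen_rules 22
```

Using a separate chain also keeps the default REJECT entries the post mentions untouched: reloading the country list is an iptables -F BLOCK_TW followed by re-running the generated rules.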



Nessus - Network Administrators

I tried compiling Nessus but kept getting errors. Then I found atrpms.net and downloaded (and verified sigs) the RPMs. The installation was a breeze from that point onwards.


[root@plain nasl]# rpm --checksig libnessus-2.2.5-16.el3.at.i386.rpm
libnessus-2.2.5-16.el3.at.i386.rpm: (sha1) dsa sha1 md5 gpg OK
[root@plain nasl]# rpm -ivh nessus-server-2.2.5-19.el3.at.i386.rpm nessus-2.2.5-19.el3.at.i386.rpm libnasl-2.2.5-21.el3.at.i386.rpm nasl-2.2.5-21.el3.at.i386.rpm libnessus-2.2.5-16.el3.at.i386.rpm
Preparing... ########################################### [100%]
1:libnessus ########################################### [ 20%]
2:libnasl ########################################### [ 40%]
3:nessus-server ########################################### [ 60%]
4:nessus ########################################### [ 80%]
5:nasl ########################################### [100%]



Verify the signatures with GPG. Import the ATrpms signing key first; until it is imported, rpm --checksig cannot validate the signature and reports a missing key instead of OK. Fetching the key over plain HTTP from the same site that serves the packages only proves the packages match that key, so compare its fingerprint (gpg --with-fingerprint RPM-GPG-KEY.atrpms) with one published elsewhere before trusting it.



wget http://atrpms.net/RPM-GPG-KEY.atrpms
rpm --import RPM-GPG-KEY.atrpms
rpm --checksig *.rpm
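rpm --checksig prints OK for an unsigned package as well, because it still verified the digest fields; only a line containing gpg OK (or pgp OK for an RSA key) means the signature checked out against an imported key, and a package signed by a key you have not imported prints NOT OK with MISSING KEYS. The following added example (not from the post) gates the install on every package passing that test. It parses the --checksig output format shown above; the sample lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Parses `rpm --checksig` output
# and refuses to proceed unless every package carries a signature that
# verified against an imported key. Sample output below is constructed.

# verify_all FILE -> 0 if every line reports gpg OK / pgp OK, otherwise the
# number of failing packages. rpm prints "gpg" for DSA and "pgp" for RSA
# signatures; a line that ends in plain "OK" only had its digests checked.
verify_all() {
  bad=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    pkg=${line%%:*}
    status=${line#*: }
    case "$status" in
      *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*)
        echo "FAIL $pkg: $status" >&2; bad=$((bad + 1)) ;;
      *"gpg OK"*|*"pgp OK"*)
        ;;                                  # signed, and the key is imported
      *)
        echo "FAIL $pkg: no verified signature ($status)" >&2; bad=$((bad + 1)) ;;
    esac
  done < "$1"
  return $bad
}

# Demo on constructed output: one good package, one unsigned package,
# one signed by a key that was never imported.
demo=$(mktemp)
cat > "$demo" <<'EOF'
libnessus-2.2.5-16.el3.at.i386.rpm: (sha1) dsa sha1 md5 gpg OK
unsigned-1.0-1.i386.rpm: sha1 md5 OK
other-2.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#xxxxxxxx)
EOF
verify_all "$demo"; rc=$?
if [ "$rc" -eq 0 ]; then
  echo "all packages verified; safe to run rpm -ivh"
else
  echo "refusing to install: $rc package(s) failed signature verification"
fi
rm -f "$demo"
```

For the real install: rpm --checksig *.rpm > checksig.log; verify_all checksig.log && rpm -ivh *.rpm, so a single unsigned or wrongly signed package stops the whole batch rather than being missed among the OK lines.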




Virtual Memory - VMSTAT

vmstat reports virtual memory, paging, block I/O, interrupt, context switch and CPU statistics. A sudden rise in swap activity or I/O wait on an otherwise quiet server is worth investigating.


vmstat usage (vmstat -? is not a valid option, so vmstat rejects it and prints its usage text)


vmstat: invalid option -- ?
usage: vmstat [flags] [delay [count]]
--noheaders, -n do not reprint the headers
--active, -a print active/inactive page stats
--bytes, -b print statistics in bytes
--kb, -k print statistics in KB
--mb, -m print statistics in MB
--gb, -g print statistics in GB
--version, -V print version and exit
--help, -h display this help and exit

delay is the delay in seconds between each update
count is the number of updates to display before exiting
The default delay is zero and count is one


For the full option list and a description of each column


man vmstat
# or
vmstat -?


vmstat [flags] [delay [count]]

DESCRIPTION
The vmstat(8) utility reports statistical information about process
status, memory consumption, paging activity, block I/O operations,
interrupts, context switches, and processor usage.

The vmstat(8) utility is most commonly used to produce a continuous
report every delay seconds. In this mode, the first report given is
the average of the statistics since system boot. Each subsequent line
pertains to that sampling period (that is, the last delay seconds). If
no delay value is given, only one report is given, which is the average
since system boot.

The optional count value specifies a maximum number of reports to print
before terminating. By default (that is, when no count value is given)
vmstat(8) will continue to print reports every delay seconds until
interrupted.

OPTIONS
Normal invocation of vmstat(8) does not require any options. The output, however, can be fine-tuned by specifying one or more of the following flags:
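The point in the description above that trips people up is the first report: with a delay it is the average since boot, not a sample, so it must be skipped when looking for spikes. The following added example (not from the post) checks a saved vmstat delay count run for samples that exceed a threshold in a named column, locating the column from the header rather than by position. Column names are those of procps vmstat; the sample run in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a saved `vmstat delay count`
# run for samples that exceed a threshold in one column, skipping the first
# data line, which vmstat reports as the average since boot rather than a sample.
# Column names are those of procps vmstat; the sample data below is constructed.

# check_vmstat FILE COLUMN THRESHOLD -> prints a summary; exit 0 if no sample
# exceeds THRESHOLD, 1 if some do, 2 if COLUMN is not in the header.
check_vmstat() {
  awk -v col="$2" -v thr="$3" '
    # the header line starts with the r and b columns; locate COLUMN in it
    !idx && $1 == "r" && $2 == "b" {
      for (i = 1; i <= NF; i++) if ($i == col) idx = i
      next
    }
    idx {
      n++
      if (n == 1) next                     # since-boot average, not a sample
      if ($idx + 0 > thr + 0) bad++
    }
    END {
      if (!idx) { print "column not found: " col > "/dev/stderr"; exit 2 }
      printf "%d of %d samples exceed %s>%s\n", bad + 0, n - 1, col, thr
      exit (bad > 0)
    }' "$1"
}

# Demo: a constructed `vmstat 1 4` run in which swap-out (so) and I/O wait (wa)
# climb in the last two samples.
sample=$(mktemp)
cat > "$sample" <<'EOF'
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 1  0      0 182000  40000 520000    0    0     5     3   20    40  2  1 96  1
 0  0      0 181000  40000 520000    0    0     0     0  110   200  3  1 95  1
 4  1  12000 150000  40000 500000    0 3000     0  4000  900  1500 40 20  0 40
 6  2  40000 120000  39000 480000  200 6000     0  9000 1200  2100 45 30  0 25
EOF
check_vmstat "$sample" so 0    # 2 of 3 samples exceed so>0
check_vmstat "$sample" wa 50   # 0 of 3 samples exceed wa>50
rm -f "$sample"
```

For a live baseline, save a run with vmstat 1 60 > samples.txt and point check_vmstat at the file; the exit status makes it usable from cron or a monitoring wrapper.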




Linux Network Security - Host Routing table using netstat

netstat is a handy utility for network administrators: it reports routing, interface, socket and protocol statistics for your server. The following command displays the host routing table (add -n to keep it from resolving addresses to names).


netstat -r


To view all sockets, listening and connected (-l restricts the list to listening sockets)


netstat -a


To view all sockets without resolving IP addresses and ports to names (no DNS lookups, so it is faster and shows exact bind addresses; add -p as root to see which process owns each socket)


netstat -an

# abbreviated help output for netstat follows:

usage: netstat [-veenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
       netstat [-vnNcaeol] [<Socket> ...]
       netstat { [-veenNac] -i[<Iface>] | [-cnNe] -M | -s } [delay]

-r, --route display routing table
-i, --interfaces=[<Iface>] display interface table
-g, --groups display multicast group memberships
-s, --statistics display networking statistics (like SNMP)
-M, --masquerade display masqueraded connections

-v, --verbose be verbose
-n, --numeric don't resolve names
--numeric-hosts don't resolve host names
--numeric-ports don't resolve port names
--numeric-users don't resolve user names
-N, --symbolic resolve hardware names
-e, --extend display other/more information
-p, --programs display PID/Program name for sockets
-c, --continuous continuous listing

-l, --listening display listening server sockets
-a, --all, --listening display all sockets (default: connected)
-o, --timers display timers
-F, --fib display Forwarding Information Base (default)
-C, --cache display routing cache instead of FIB

<Iface>: Name of interface to monitor/list.
<Socket>={-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
<AF>=Use '-A <af>' or '--<af>'; default: inet
List of possible address families (which support routing):
inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
x25 (CCITT X.25)






Network Security - Port scan on your server for open ports

Scan your web server for listening ports across the full TCP range (without -p, nmap scans only the ports listed in its nmap-services file)


nmap -p 1-65535 localhost


A full port-range scan takes a while (111 seconds in the run below). Note that scanning localhost only shows what is listening on the loopback interface: it includes services bound to 127.0.0.1 that are not reachable from the network, and the source-address firewall rules above never match traffic from 127.0.0.1. To see what an attacker sees, scan the server's public address from another host.

After scanning all the ports on your Linux web server, nmap returns output similar to the following.


Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65528 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
80/tcp open http
113/tcp open auth
443/tcp open https
631/tcp open ipp
3306/tcp open mysql

Nmap run completed -- 1 IP address (1 host up) scanned in 111 seconds



Scan regularly: a port scan shows which services are exposed, so a port that appears between two runs is a change to investigate. Port scanning does not find vulnerabilities in the services themselves; use a vulnerability scanner such as Nessus (above) for that.
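The netstat -an listing from the previous section and the nmap localhost scan above answer different questions: nmap shows what responds on the loopback interface, netstat shows the bind address of each listener, which is what decides whether a port is reachable from the network. As an added example that is not from the original post, the following script classifies the listeners in saved netstat -an output by bind address and lists the ports an external scan should be expected to report. The netstat output in the demo is constructed in net-tools format, mirroring the services in the nmap run above with mysql and ipp bound to loopback.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies listening sockets in
# `netstat -an` output by bind address, because `nmap localhost` only sees the
# loopback interface and cannot tell a 127.0.0.1-only service from an exposed one.
# The netstat output below is constructed in net-tools format.

# classify_listeners FILE -> lines of "proto port scope", one per listener
classify_listeners() {
  LC_ALL=C awk '
    # net-tools columns: Proto Recv-Q Send-Q Local-Address Foreign-Address [State]
    $1 ~ /^(tcp|udp)6?$/ {
      if ($1 ~ /^tcp/ && $6 != "LISTEN") next   # connected tcp socket
      if ($1 ~ /^udp/ && $6 != "") next         # connected udp socket
      n = split($4, a, ":")
      port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)  # keeps :: intact
      if (addr == "127.0.0.1" || addr == "::1") scope = "loopback-only"
      else if (addr == "0.0.0.0" || addr == "::" || addr == "*") scope = "all-interfaces"
      else scope = "bound-to-" addr
      print $1, port, scope
    }' "$1" | LC_ALL=C sort -u
}

# exposed_ports FILE -> proto/port for everything reachable from the network,
# i.e. what a scan from another host should report (firewall permitting)
exposed_ports() {
  classify_listeners "$1" | awk '$3 != "loopback-only" { print $1 "/" $2 }' | LC_ALL=C sort -u
}

# Demo: constructed netstat -an output with mysql and ipp bound to loopback
# and sshd, httpd, smtp and named exposed
ns=$(mktemp)
cat > "$ns" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:41022          ESTABLISHED
tcp6       0      0 :::25                   :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 10.0.0.5:123            10.0.0.1:123            ESTABLISHED
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     1234   /var/run/mysqld/mysqld.sock
EOF
classify_listeners "$ns"
echo "--- reachable from the network:"
exposed_ports "$ns"
rm -f "$ns"
```

Diffing exposed_ports against an nmap run from another host is the useful check: a port in the netstat list but not in the external scan is filtered by the firewall, and a port in the external scan but not in netstat is not this host answering.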