Mailinglist Archive: opensuse-security (757 mails)

< Previous Next >
RE: [suse-security] Production app or web server firewall set-up - questions
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Mon, 21 Jan 2002 06:01:44 +0100
  • Message-id: <96C102324EF9D411A49500306E06C8D1A56CD3@xxxxxxxxxxxxxxxxx>
Steven,

> In a production environment what is the recommend security
> settings with
> performance in mind and only services that I will be providing is
> http, https, ssh2 - scp, smtp. (i.e. secure , but with as
> little overhead)
> Kernel 2.4.x and using iptables , postfix, stronghold apache.
>
> Q.1 What services can hosts.deny & hosts.allow secure?
> (mainly in regards to the services that I'm using above)

As Kurt already pointed out, those files are checked by tcpd (the TCP
Wrappers daemon). SuSE's OpenSSH hast support for it, as well as inetd, but
you won't want to use the latter, probably. I don't know if Apache or
Postfix do, but a little experimentation ought to tell you.

Now the word 'secure' is a little strong, though. The two files *affect*
some services, they give some degree of access control. Whether that means
securing them depends on your security posture.

> Q.2 Should I use stateful connection tracking on all ports or only the
> ssh,smtp and https ports? What is the stateful connection
> overhead like.

Your own call to make. The overhead of statefulness shouldn't be too great
and seeing the small number of connection types you want to allow, I'd
probably write specific rules. For more detailed info, check
http://www.samba.org/netfilter (URL unverified) or the (gasp) source code.

> Q3. What ICMP should you block and what must you answer directly or
> indirectly, so that you don't break other services or
> slow them down.

Well, you'd better decide about the utility ICMP types yourself, though I
try to be as restrictive as possible. You may want to allow the following
inbound:
* destination-unreachable
* source-quench
* time-exceeded
* parameter-problem

You probably want to drop the following:
* redirect
* router-advertisement
* router-solicitation
* timestamp-request
* address-mask-request

> Q4. What is recommend minimum ports and protocol that I must
> log, so that I
> can audit attacks , problems and keep logging overhead to
> a minimum.
> Given that our ISP environment has a lot of broadcast traffic.
> e.g.

Depends on how much work you're looking for. I often start with full
logging, then adapting my rules to filter out the 'usual noise'.

> Q5. What DOS of protection options are there with iptables
> and how do you
> workout the rate to limit @. I have syncookie protection enabled.

Well, the most effective DoS countermeasure in iptables ought to be rate
limiting. See the HOWTOs. As for rate calculation, you have to do that for
your server specifically.

> Q6. Is it still recommend to Reject mail server connections
> to port 113.
> Is the following setting correct:
> iptables -A INPUT -i eth1 -p tcp --dport 113 -j REJECT --reject-with
> tcp-reset

If you talk to mail servers running identd and issuing auth requests,
without running the service yourself, yes.

Cheers
Tobias

< Previous Next >
This Thread
  • No further messages