Preface
There are many methods to secure your Linux box, such as auditing SELinux, scanning for rootkits, optimizing the kernel, adding iptables rules, disabling unneeded services, user and group policies, etc.
This time I will share with you how to harden Linux with iptables and by disabling unneeded services.
FTP services are disabled by default on Fedora Linux, so I will skip them.
The services that IT auditors usually flag as vulnerable include:
- Sendmail
An attacker can send fake email through it.
- Bluetooth
An anonymous user can send harmful content to your Linux box.
- NFS (Network File System)
NFS can be a hole that an attacker uses to gain access to your Linux box.
- RPC (Remote Procedure Calls)
If this service is active, someone can monitor your Linux desktop remotely.
- HTTPD (HTTP server)
The web server is the most commonly attacked service; it is better to disable it if you are not using it.
- SSHD (SSH server)
The SSHD service is used to connect securely to remote devices.
If your Linux box still uses SSH-1, it is better to disable this service if you don't want your Linux box to suffer a "man in the middle attack".
- OpenVPN
Some Linux boxes are vulnerable through this service; USN-612-3 states: "A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system."
Securityfocus.org said that "An attacker can use the standard OpenVPN server application to exploit this issue."
The ports that are commonly left open and used by attackers include:
- 2049, Network File System (NFS)
- 6000-6009, X11
- 7100, X font service, used by rootkits and trojan backdoors
- 631, CUPS (Common Unix Printing System)
- 515, printer daemon (LPD)
- 445, SMB file sharing
- 443, HTTPS
- 161, SNMP; this is optional, you can leave it enabled if your SNMP community string is used to monitor trap messages
- 137-139, NetBIOS over TCP/IP
- 135, RPC
- 111, SunRPC
- 110, POP3
- 80, HTTP
- 20-21, FTP
- 22, SSH
- 23, TELNET
- 25, SMTP
How to harden Linux with iptables and disable unneeded services?
Here are the steps:
1. Copy this script into your text editor and save it at /usr/local/src with the name myrules.sh:
#!/bin/bash
# myrules.sh: stop the unneeded services now, keep them disabled after reboot,
# and drop inbound traffic to the ports listed above.

# Stop the services for the current session
service sendmail stop
service bluetooth stop
service cups stop
service nfs stop
service nfslock stop
service openvpn stop
service rpcbind stop
service rpcgssd stop
service rpcidmapd stop
service rpcsvcgssd stop
service rsyslog stop   # note: this also stops local system logging, so nothing is written to /var/log afterwards
service httpd stop
service sshd stop

# Keep the services disabled across reboots (stopping alone is not enough)
chkconfig sendmail off
chkconfig bluetooth off
chkconfig cups off
chkconfig nfs off
chkconfig nfslock off
chkconfig openvpn off
chkconfig rpcbind off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig rpcsvcgssd off
chkconfig rsyslog off
chkconfig httpd off
chkconfig sshd off

# Drop inbound packets to the listed ports. -I inserts each rule at the top of
# the INPUT chain, so these rules are evaluated before the default rules and the
# last rule in this file ends up first in the chain.
iptables -I INPUT -p udp --dport 2049 -j DROP
iptables -I INPUT -p tcp --dport 6000:6009 -j DROP
iptables -I INPUT -p tcp --dport 7100 -j DROP
iptables -I INPUT -p tcp --dport 631 -j DROP
iptables -I INPUT -p udp --dport 631 -j DROP
iptables -I INPUT -p tcp --dport 515 -j DROP
iptables -I INPUT -p tcp --dport 445 -j DROP
iptables -I INPUT -p tcp --dport 161 -j DROP
iptables -I INPUT -p udp --dport 161 -j DROP
iptables -I INPUT -p tcp --dport 137:139 -j DROP
iptables -I INPUT -p udp --dport 137:139 -j DROP
iptables -I INPUT -p tcp --dport 135 -j DROP
iptables -I INPUT -p udp --dport 135 -j DROP
iptables -I INPUT -p tcp --dport 111 -j DROP
iptables -I INPUT -p udp --dport 111 -j DROP
iptables -I INPUT -p tcp --dport 110 -j DROP
iptables -I INPUT -p tcp --dport 20 -j DROP
iptables -I INPUT -p tcp --dport 21 -j DROP
iptables -I INPUT -p tcp --dport 22 -j DROP
iptables -I INPUT -p udp --dport 22 -j DROP
iptables -I INPUT -p tcp --dport 23 -j DROP
iptables -I INPUT -p tcp --dport 25 -j DROP

# Drop packets arriving on eth0 that claim a localhost source address (spoofed)
iptables -I INPUT -p all -s localhost -i eth0 -j DROP
2. Modify /etc/rc.local.
You will see something like this:
Add the line /usr/local/src/myrules.sh before the line touch /var/lock/subsys/local (the script must be executable, e.g. chmod +x /usr/local/src/myrules.sh, or call it as bash /usr/local/src/myrules.sh).
3. Finished; now reboot your Linux box ^_^
Notes:
I used the -I option on iptables so that the rules are inserted first in the chain and are evaluated before the default iptables script.
chkconfig is used to disable the services at boot; only stopping the unneeded services is not enough.
Always think outside the box: myrules.sh is based on my own system requirements, so you can adjust or modify this script depending on your requirements.
I'm not dropping the HTTP and HTTPS ports because I connect to the internet without using any proxy.
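As an added example that is not part of the original post, here is a small audit helper for checking the result after the reboot: it reads an `iptables -S INPUT` dump (live or saved) and reports which of the article's proto/port pairs have no DROP rule. The SAMPLE_DUMP is constructed to look like the chain myrules.sh produces, with two rules deliberately left out.

```bash
#!/bin/bash
# Added audit helper, not part of the original article: after myrules.sh has
# run and the box has rebooted, confirm that every listed port really has a
# DROP rule in INPUT. Rule dump comes from stdin, the expected list from $1.

# proto:port specs in the order the article's script issues them; ranges
# keep the a:b syntax that --dport uses.
EXPECTED_RULES="udp:2049 tcp:6000:6009 tcp:7100 tcp:631 udp:631 tcp:515
tcp:445 tcp:161 udp:161 tcp:137:139 udp:137:139 tcp:135 udp:135
tcp:111 udp:111 tcp:110 tcp:20 tcp:21 tcp:22 udp:22 tcp:23 tcp:25"

# Usage: missing_drop_rules "$EXPECTED_RULES" < rule_dump
# Prints, space separated, the specs that have no matching DROP rule.
missing_drop_rules() {
    dump=$(cat); missing=""
    for spec in $1; do
        proto=${spec%%:*}; port=${spec#*:}   # port may itself be a range
        printf '%s\n' "$dump" | grep -Eq "^-A INPUT .*-p $proto .*--dport $port -j DROP$" ||
            missing="${missing:+$missing }$spec"
    done
    printf '%s\n' "$missing"
}
# Constructed sample of `iptables -S INPUT` output. Because the script uses
# -I, the rules appear in reverse order; udp/111 and tcp/23 were never
# loaded here, so the audit must report exactly those two.
SAMPLE_DUMP='-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -i eth0 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -p udp -m udp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A INPUT -p tcp -m tcp --dport 20 -j DROP
-A INPUT -p tcp -m tcp --dport 110 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p udp -m udp --dport 135 -j DROP
-A INPUT -p tcp -m tcp --dport 135 -j DROP
-A INPUT -p udp -m udp --dport 137:139 -j DROP
-A INPUT -p tcp -m tcp --dport 137:139 -j DROP
-A INPUT -p udp -m udp --dport 161 -j DROP
-A INPUT -p tcp -m tcp --dport 161 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p tcp -m tcp --dport 515 -j DROP
-A INPUT -p udp -m udp --dport 631 -j DROP
-A INPUT -p tcp -m tcp --dport 631 -j DROP
-A INPUT -p tcp -m tcp --dport 7100 -j DROP
-A INPUT -p tcp -m tcp --dport 6000:6009 -j DROP
-A INPUT -p udp -m udp --dport 2049 -j DROP'
# Live check: iptables -S INPUT | missing_drop_rules "$EXPECTED_RULES"
```

Run it on the real box as root with the live pipeline in the last comment; an empty line means every listed port is covered.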
Sources:
- Hardening Linux with Iptables and disabling unneeded services, therachmat.blogspot.com/
- securityfocus.org/
- ubuntu.com/
- fedoraproject.org/
- en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Thanks for reading my simple article about hardening Linux with iptables and disabling unneeded services; I will appreciate any advice to complete this article.
4 comments:
Nice to meet you, bro, and as a gesture of friendship I have already followed your blog as number 312; looking forward to the follow back, bro...
thank you..
Hmm, you're good at Linux.. I need to learn here.. because soon I have my competency exam (Ujikom), building an email server using SquirrelMail on Debian Linux..
tsk tsk tsk
@HTC, already followed, and your link has been added to my friends links
@dea, still learning, bro :). Why not just use Zimbra?
An early-morning guerrilla visit here... happy weekend