Showing posts with label Linux Security. Show all posts

Howto Open Port Range In iptables Firewall

FREQUENTLY ASKED QUESTIONS (Firewall/iptables)
Q: How to open a port range in iptables firewall?


Example: opening the TCP port range 40 to 50 in the iptables firewall. Run the commands below from a terminal as the root user.


Open a Port Range in iptables
[root@server ~]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 40:50 -j ACCEPT


[root@server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

[root@server ~]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]



Test the opened ports
Check the opened ports by connecting to them from a client. Also confirm that the changes were written to the iptables configuration file at /etc/sysconfig/iptables:
[root@server ~]# cat /etc/sysconfig/iptables 

(The sample output of the configuration file was shown as a screenshot in the original post.)



How to Open ports in iptables firewall

FREQUENTLY ASKED QUESTIONS (Firewall/iptables)
Q: How to open a port in the firewall (iptables) on Linux?

The default iptables rules on a freshly installed Linux OS (Fedora, Red Hat, CentOS, etc.) allow only incoming SSH (Secure Shell) connections on port 22/TCP, allow no FORWARD connections, and allow all OUTPUT connections. See the iptables example screenshot below from a freshly installed CentOS 6 system.


[root@server ~]# cat /etc/sysconfig/iptables
(Screenshot of the default rule set was shown in the original post.)

To open port 80/TCP in Linux iptables

After installing a web server such as Apache on Linux, you need to open port 80/TCP so that it can receive web requests. Run the commands below as the root user.
[root@server ~]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT


[root@server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]


[root@server ~]# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

Check the screenshot below: port 80/TCP is now open on the server and accepts requests from all clients.
[root@server ~]# cat /etc/sysconfig/iptables
(Screenshot of the updated rule set was shown in the original post.)

Change iptables Default Policy to DROP

FREQUENTLY ASKED QUESTIONS (Firewall/iptables)
Q: How to change iptables default policy to DROP?



Default iptables chain policy
The default Linux iptables chain policy is ACCEPT for the INPUT, FORWARD and OUTPUT chains. You can change this default policy to DROP with the commands listed below.
You must be logged in as the root user to run all the commands.
[root@server ~]# iptables -P INPUT DROP
[root@server ~]# iptables -P FORWARD DROP
[root@server ~]# iptables -P OUTPUT DROP


After changing the INPUT, FORWARD and OUTPUT policies to DROP, all incoming, outgoing and forwarded connections are dropped (denied) by the firewall, so every INPUT, FORWARD and OUTPUT connection you need must be opened with an explicit iptables rule. If you change the default OUTPUT policy to DROP, the machine cannot communicate with other systems or networks until such rules are added.


Allow all outgoing connections
Allow all outgoing connections from the Linux machine. This applies to all connections/packets generated by the system itself.
[root@server ~]# iptables -A OUTPUT -j ACCEPT


[root@server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]


[root@server ~]# service iptables restart

iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

Open ports for incoming connections
For example, open port 21/TCP in iptables to allow FTP connections from all networks.
[root@server ~]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT


[root@server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]


[root@server ~]# service iptables restart

iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
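The three iptables posts above (opening a port range, opening port 80, and switching the default policy to DROP) all edit the rule set one command at a time. As an added example that is not from the original posts, the POSIX shell function below generates a complete /etc/sysconfig/iptables file in iptables-restore format with the DROP policy, plus the loopback and ESTABLISHED,RELATED rules the posts do not mention; without those two rules a DROP policy on INPUT also discards replies to the server's own outgoing connections and can cut off the SSH session you are working from. The list of ports is an assumed argument.

```shell
#!/bin/sh
# build_ruleset "22 80 40:50" -> prints an iptables-restore ruleset on stdout.
# Each item is a TCP port or a first:last range, as used in the posts above.
build_ruleset() {
    ports=$1
    printf '*filter\n'
    # Default policies from the post: drop everything not explicitly allowed
    # for INPUT and FORWARD, keep OUTPUT open as the post does.
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    # Loopback traffic and answers to connections the host itself started.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        # Accept only "digits" or "digits:digits" so a typo cannot become a rule.
        case $p in
            ''|*[!0-9:]*|:*|*:|*:*:*)
                echo "build_ruleset: bad port spec '$p'" >&2
                return 1 ;;
        esac
        printf '%s\n' "-A INPUT -m state --state NEW -m tcp -p tcp --dport $p -j ACCEPT"
    done
    printf 'COMMIT\n'
}
```

Review the output, check it with `iptables-restore --test` before committing it, then write it to /etc/sysconfig/iptables and run `service iptables restart` as the posts describe.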


How to Secure a Linux Server from Hackers

FREQUENTLY ASKED QUESTIONS (Linux Server Security)
Q: How to secure a Linux server from attacks and hacks?


Server security is an important part of IT infrastructure. This post includes some useful tips to secure your Linux server. Applying a powerful and complete set of security settings to a Linux server is not a simple task, but the points below should strengthen your Linux box's security.


Enable and configure the firewall (iptables)
        A properly configured firewall is highly recommended for every Linux server. The firewall filters all incoming, outgoing and forwarded packets according to the rules in the iptables configuration and protects the server against attacks from remote hosts and the internet. With Linux iptables you can specify the allowed incoming connections for each port and reject or drop all other connections. In the same way you can match on source/destination IP address, Ethernet interface, TCP/UDP port number, protocol and many more criteria.


Use Secure Shell (SSH)
       Always use SSH instead of the insecure telnet and rlogin protocols. SSH is a secure protocol that uses end-to-end encryption, so all communication between the server and the SSH client is encrypted. Automated SSH attacks by bots target its default port (22/TCP), so it is more secure to change the default SSH listening port from 22/TCP to another, higher port number.


Use complex passwords
      Use complex passwords (not dictionary words) for every user on the server, especially users with shell access, mail, etc. Enable password ageing and disable the reuse of old passwords. Enable account locking after a number of failed password attempts.


User management
           Protect the "root" (super user) account. Create all users with appropriate shells, and give shell access only to the users who require it. Restrict the use of the sudo command to authorized users. Monitor user activity with a monitoring tool such as psacct.


Keep the server updated (kernel, tools, applications, etc.)
          Always keep the kernel, applications and utilities up to date, and apply security updates/patches regularly as they become available.


Physical server security
         Disable physical console access. Set a BIOS password. Disable booting from CD/DVD/flash drives. Setting a password for the GRUB menu is highly recommended. Use data encryption methods to protect the data on the server.


Block unwanted ports from the web
        Deny access to unwanted TCP/UDP ports from the internet by using iptables or another firewall utility.


SELinux
       Turn on SELinux security policies. SELinux enforces access controls on files, sockets, ports, devices, processes, etc.


Deny access using hosts.deny/hosts.allow
       Specify the allowed services and IP addresses or IP address ranges in the hosts.allow file in the "/etc/" directory, for example sshd:192.168.10.100. Finally, deny all other services/addresses in the hosts.deny file with ALL:ALL. The source address and service of each incoming connection are matched against the hosts.allow/hosts.deny files in addition to being filtered by the firewall, so the two mechanisms together give a higher level of security.


Turn off unwanted services
         Always turn off unwanted services and daemons, and remove unnecessary services from start-up.


Check log files regularly
          Check all log files on a regular basis to detect attack attempts. Check the system log file /var/log/messages and the log file of every daemon under "/var/log/". Also monitor the output of commands such as netstat and top.


Some useful log files in the /var/log/ directory
/var/log/messages        - the whole system log
/var/log/lastlog         - recent user login information
/var/log/maillog         - mail server logs
/var/log/boot.log        - logs of system boots
/var/log/yum.log         - yum utility logs
/var/log/audit/audit.log - audit logs

How to secure SSH Server

SSH (Secure Shell) is a secure protocol designed to replace the telnet, rlogin and rsh protocols, and it is now the most widely used remote login protocol. A Linux administrator must apply strict security to SSH connections by allowing authorized access and restricting unauthorized access.


Disable root logins
Disabling root login via SSH is the first step in securing the SSH service: nobody can log in as root (super user) from other networks over SSH, while all other user accounts can still log in. Edit the server's SSH config file (the example is based on RPM-based distributions such as Red Hat, CentOS, Fedora, etc.)
[root@server ~]# vi /etc/ssh/sshd_config
On line 42, uncomment the directive and disable root login:
PermitRootLogin no
[root@server ~]# service sshd restart


Block access by IP address filtering
[root@server ~]# vi /etc/ssh/sshd_config
#On line 15, uncomment the directive and add the allowed IP address or IP address range
ListenAddress 192.168.10.0/24
(Here connections from 192.168.10.0 to 192.168.10.255 will be accepted and all other connections will be blocked)
[root@server ~]# service sshd restart


Blocking unwanted access with iptables
It is possible to block unwanted access to SSH's port number with iptables (the firewall). Add iptables rules that allow connections from the permitted IP addresses and reject all other addresses.
Here I allow SSH connections on port 22/TCP only from the system 192.168.10.50.
Add the lines below to the iptables config file
[root@server ~]# vi /etc/sysconfig/iptables
-A INPUT -s 192.168.10.50/255.255.255.255 -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT
#(you can add more iptables rules to block unwanted access)
[root@server ~]# service iptables restart


Blocking unwanted access with the hosts.allow file
[root@server ~]# vi /etc/hosts.allow
#Add the IP address allowed to use SSH, like the line below (append at the bottom)
sshd:192.168.10.100/255.255.255.255
#and finally block all other access in the "hosts.deny" file
[root@server ~]# vi /etc/hosts.deny
ALL:ALL          (append at the bottom)


Change the default SSH port number
Most unknown SSH attacks target SSH's default port 22/TCP. Changing the SSH port from 22/TCP to a different port strengthens SSH security.
[root@server ~]# vi /etc/ssh/sshd_config
Uncomment line 13 and change the port number
Port 1500          (now the SSH server will listen on port 1500/TCP)
[root@server ~]# service sshd restart


Disable TCP and X11 forwarding
[root@server ~]# vi /etc/ssh/sshd_config
AllowTcpForwarding no
X11Forwarding no
#(save the SSH config file and restart the SSH service)
[root@server ~]# service sshd restart
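Before restarting sshd after the edits above, it is worth checking that the file really says what you intend. The POSIX shell audit below is an added example, not code from the original post: it reads the effective value of each directive the post changes and reports any that are still at a weak setting. It assumes sshd's rule that the first occurrence of a keyword wins (a hardened line appended below an earlier "PermitRootLogin yes" is silently ignored) and the OpenSSH defaults of that era when a directive is absent (PermitRootLogin yes, AllowTcpForwarding yes, X11Forwarding no, Port 22).

```shell
#!/bin/sh
# sshd_setting FILE KEYWORD DEFAULT -> prints the effective value of KEYWORD.
# Comment lines never match because the regex anchors the keyword at the
# start of the line; the first match wins, as in sshd itself.
sshd_setting() {
    val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${val:-$3}"
}

# audit_sshd_config FILE -> prints one finding per line; returns 1 if any.
# Assumed defaults (see lead-in) are passed as the third argument.
audit_sshd_config() {
    cfg=$1
    rc=0
    [ "$(sshd_setting "$cfg" PermitRootLogin yes)" = no ] ||
        { echo "PermitRootLogin is not 'no': root can still log in over SSH"; rc=1; }
    [ "$(sshd_setting "$cfg" X11Forwarding no)" = no ] ||
        { echo "X11Forwarding is enabled"; rc=1; }
    [ "$(sshd_setting "$cfg" AllowTcpForwarding yes)" = no ] ||
        { echo "AllowTcpForwarding is not 'no'"; rc=1; }
    [ "$(sshd_setting "$cfg" Port 22)" != 22 ] ||
        { echo "sshd still listens on the default port 22"; rc=1; }
    return $rc
}
```

Run `sshd -t` as well: it makes sshd parse the file and report syntax errors without restarting the service.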
