Network Security
IPTABLES: the command of the Linux NETFILTER firewall
To get started, here is the manual page in French: http://jp.barralis.com/linux-man/man8/iptables.8.php
Example firewall script (jean)
#!/bin/sh
# firewall v1.0.1 Oct 13 09:48:57 PDT 2003 written by : Kernel <kernel@trustonme.net>
# this script is free software according to the GNU General Public License (see http://www.gnu.org/licenses/gpl.html)
# Start/stop/restart/status firewall:
firewall_start() {
    echo "[Démarrage du firewall]"
    ############################### DEFAULT RULES ###########################
    echo "[Initialisation de la table filter]"
    iptables -F
    iptables -X
    echo "[Politique par défaut de la table filter]"
    # Drop everything that enters or transits through the gateway
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    # Accept what goes out
    iptables -P OUTPUT ACCEPT
    # To avoid nasty surprises, allow access to the loopback: it is vital!
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    ############################### LOCAL-INTERNET ###########################
    echo "[On autorise les clients à accéder à internet ]"
    # Create a new chain; the name does not matter, let us call it "local-internet"
    iptables -N local-internet
    # Define the profile of what belongs to "local-internet":
    # every connection except those coming from the internet ( ! = not).
    # In short, this makes your servers unreachable from the internet.
    # Don't panic, some servers are explicitly allowed further down.
    # (eth0 is the internet-facing interface; "! -i" is the negation syntax of
    # current iptables, the old "-i !" form is deprecated)
    iptables -A local-internet -m state --state NEW ! -i eth0 -j ACCEPT
    # Obviously, once accepted as "local-internet", connections may continue
    # and have little ones :-)
    iptables -A local-internet -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Finish by stating that connections belonging to "local-internet"
    # reach the internet transparently.
    iptables -A INPUT -j local-internet
    iptables -A FORWARD -j local-internet
    ############################### THE NAT AND MANGLE TABLES #############################
    echo "[Initialisation des tables nat et mangle]"
    iptables -t nat -F
    iptables -t nat -X
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t mangle -P PREROUTING ACCEPT
    iptables -t mangle -P OUTPUT ACCEPT
    #################################### MASQUERADING ########################################
    # Comment out these 2 lines if you do not do masquerading (nat)
    echo "[Mise en place du masquerading]"
    iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
    ################################# ENABLING THE GATEWAY ##################
    echo "[Activation de la passerelle]"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ################################# NO SPOOFING ############################
    echo "[Pas de spoofing]"
    # Reverse-path filtering on every interface: drop packets whose source
    # address would not be routed back through the interface they arrived on
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
        for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
        do
            echo 1 > "$filtre"
        done
    fi
    ########################## NO SYNFLOOD ####################
    echo "[Pas de synflood]"
    if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    fi
    ################################## NO PING ###############################
    # Comment out these 6 lines if you allow pings to your gateway
    echo "[Pas ping]"
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ] ; then
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    fi
    ############################ Server features #####################################
    echo "[Etude des fonctionalités serveurs, visibles depuis internet ]"
    # At this point, all your LAN clients and the gateway have access to the internet.
    # Better, your LAN clients have access to your apache, proftp ... servers locally.
    # But nobody on the internet can reach any of the servers you host.
    # It is of course possible to unlock access to a given server from the internet
    # by uncommenting the 2 or 3 corresponding lines.
    echo "[autorisation du serveur ssh(22) ...]"
    iptables -A INPUT -p tcp --dport ssh -j ACCEPT
    #echo "[autorisation du serveur smtp(25) ...]"
    #iptables -A INPUT -p tcp --dport smtp -j ACCEPT
    echo "[autorisation du serveur http(80) ...]"
    iptables -A INPUT -p tcp --dport www -j ACCEPT
    #echo "[autorisation du serveur https(443) ...]"
    #iptables -A INPUT -p tcp --dport https -j ACCEPT
    #echo "[autorisation du serveur DNS(53) ...]"
    #iptables -A INPUT -p udp --dport domain -j ACCEPT
    #iptables -A INPUT -p tcp --dport domain -j ACCEPT
    #echo "[autorisation du serveur irc(6667) ...]"
    #iptables -A INPUT -p tcp --dport ircd -j ACCEPT
    #echo "[autorisation du serveur cvs (2401) ...]"
    #iptables -A INPUT -p tcp --dport cvspserver -j ACCEPT
    echo "[autorisation du serveur FTP(21 et 20) ...]"
    # The RELATED match on ftp-data only works when the FTP connection-tracking
    # helper is loaded (ip_conntrack_ftp on 2.4/early 2.6 kernels, nf_conntrack_ftp
    # since; on kernels 4.7+ automatic helper assignment is also off by default)
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null
    iptables -A INPUT -p tcp --dport ftp -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp --dport ftp-data -m state --state RELATED -j ACCEPT
    # iptables -A OUTPUT -p tcp --sport ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
    # iptables -A OUTPUT -p tcp --sport ftp-data -m state --state RELATED,ESTABLISHED -j ACCEPT
    # echo "[autorisation du serveur FTP sécurisé (990 et 989) ...]"
    # iptables -A INPUT -p tcp --dport ftps -j ACCEPT
    # iptables -A INPUT -p tcp --dport ftps-data -j ACCEPT
    #echo "[autorisation du serveur eDonkey d'etienne ...]"
    #iptables -A local-internet -d 192.168.10.4 -p tcp --dport 4662 -j ACCEPT
    #iptables -A local-internet -d 192.168.10.4 -p udp --dport 4672 -j ACCEPT
    # Do not uncomment the 3 lines that follow.
    # More generally:
    #echo "[autorisation du serveur Mon_truc(10584) ...]"
    #iptables -A INPUT -p tcp --dport 10584 -j ACCEPT
    echo "[firewall activé !]"
}
firewall_stop() {
    iptables -F
    iptables -X
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t nat -F
    iptables -t nat -X
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t mangle -P PREROUTING ACCEPT
    iptables -t mangle -P OUTPUT ACCEPT
    echo " [firewall desactivé! ]"
}
firewall_restart() {
    firewall_stop
    sleep 2
    firewall_start
}
case "$1" in
    'start')
        firewall_start
        ;;
    'stop')
        firewall_stop
        ;;
    'restart')
        firewall_restart
        ;;
    'status')
        iptables -L
        iptables -t nat -L
        iptables -t mangle -L
        ;;
    *)
        echo "Usage: firewall {start|stop|restart|status}"
esac
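The script above opens ssh and http to the whole internet with a bare ACCEPT. As an added example (not part of Kernel's script), the following helper builds the same kind of INPUT rule with argument validation and an optional source network, so an administrative service can be limited to the LAN, and prints the rules for review instead of applying them unless DRY_RUN=0 is set. The LAN 192.168.10.0/24 and interface names are those assumed by the script above.

```shell
#!/bin/sh
# Added example, not part of the firewall script above: build "open a server"
# INPUT rules with validation and an optional source network, printing them
# by default so the ruleset can be reviewed before it touches the kernel.
DRY_RUN=${DRY_RUN:-1}   # review mode by default; run with DRY_RUN=0 as root to apply

# run CMD... : print the command in review mode, execute it otherwise
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# valid_port ARG : a number 1-65535 or a service name as found in /etc/services
# (letters, digits and '-' only, e.g. ssh or ftp-data); anything else is refused
valid_port() {
    case "$1" in
        '') return 1 ;;
        *[!0-9]*) case "$1" in *[!A-Za-z0-9-]*) return 1 ;; esac ;;
        *) [ "$1" -ge 1 ] && [ "$1" -le 65535 ] ;;
    esac
}

# allow_service PROTO PORT [SOURCE] : accept NEW connections to PORT/PROTO on
# INPUT. With SOURCE (a CIDR) only that network may connect, which is how an
# administrative service such as ssh should be exposed (LAN only) instead of
# the unrestricted ACCEPT used in the script above.
allow_service() {
    proto=$1; port=$2; src=${3:-}
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 2 ;; esac
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    if [ -n "$src" ]; then
        run iptables -A INPUT -p "$proto" -s "$src" --dport "$port" -m state --state NEW -j ACCEPT
    else
        run iptables -A INPUT -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    fi
}

# Assumed LAN 192.168.10.0/24, as in the script above
allow_service tcp ssh 192.168.10.0/24   # ssh reachable from the LAN only
allow_service tcp www                   # web server open to everyone
allow_service udp domain 192.168.10.0/24
```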
Resources on security in general
The site dedicated to open-source network and security tools
Commands to monitor throughput / access on network interfaces:
CLI Magic: No-nonsense network monitoring tools
A very interesting blog post with advice on securing an Ubuntu server (also valid for Debian): http://www.prendreuncafe.com/blog/post/2007/02/05/Securiser-son-Ubuntu-server
A nice article on network intrusion: http://forum.ubuntu-fr.org/viewtopic.php?id=101748
Various commands
To diagnose open ports:
$ sudo netstat -plut
$ sudo netstat -lataupen
With another command:
$ sudo nc -v -w2 -z localhost 1-65534
Tools to gather information about machines on the network: ping / hping / nmap etc.
- nmap -O ⇒ to detect the OS of the machine
- nessus
Wifi
- WPA/WPA2 cracking: http://aircrack-ng.org/doku.php?id=cracking_wpa
- Alternative network manager (better when using wifi with ndiswrapper): http://wicd.sourceforge.net/download.php
Setting up a firewall
- Very handy script for Ubuntu (and probably Debian): Ubuntu Firewall, plus additional settings against brute-force attacks: http://jujuseb.com/dotclear/?2006/04/29/10-ubuntu-firewall-contre-l-attaque-par-brute-force
- Another turnkey script for Debian / Ubuntu:
Arno's iptables firewall - this script is in the repositories (Debian/testing & Ubuntu-Edgy/Universe), but you can use the latest stable version from the author's site (tar.gz) without taking too many risks...
- See also ipkungfu: http://packages.debian.org/stable/net/ipkungfu (also available on Ubuntu)
Fighting rootkits
Check regularly for the presence of rootkits.
To do so, install the packages (one should suffice, but all three for maximum security):
- rkhunter
- tiger
Web server
Securing APACHE
Read at: http://www.debianadmin.com/apache-tipshide-apache-information-php-software-version.html
Hide Apache Information
To hide the information, add the following two Apache directives to the Apache configuration file /etc/apache2/apache2.conf
ServerTokens ProductOnly
ServerSignature Off
Now restart your web server using the following command
# /etc/init.d/apache2 restart
Now the Apache header output looks like this
Server: Apache
Other resources:
Securing PHP
Read first: http://www.lesnouvelles.net/articles/attaques/870-php-code-inclusion-et-phpsecinfo.html?nid=1
- Hide PHP Version Details
If you want to hide the PHP version, edit /etc/php4/apache/php.ini (for php4 users) or /etc/php5/apache/php.ini (for php5 users).
Change the following option
expose_php On
to
expose_php Off
Now restart your web server using the following command
# /etc/init.d/apache2 restart
After making this change PHP will no longer add its signature to the web server header.
If you run php from the CLI against a php file, the output is an HTML file (as seen by a browser). In some distributions (like Debian) the php-cli is controlled by a different php.ini file (/etc/php[4,5]/cli/php.ini).
- Check the configuration with PHPSecInfo
Installing and configuring mod-security:
Securing a Linux server (general case)
28 steps on how to harden your Linux server
If you run your own Linux server, here are some tips on server hardening, liberally stolen from the CFS security GUI script for cPanel/WHM per Doug's Dynamic Drivel:
- On your firewall (you do have one, don't you?) check the incoming MySQL port and if 3306 is open, close it. If this port is left open it poses both a security and a server-abuse threat: not only can attackers try to break into MySQL, any user can host their SQL database on your server and access it from another host, and so (ab)use your server resources.
- Check /tmp permissions. /tmp should be chmod 1777
- Check /tmp ownership /tmp should be owned by root:root
- Check /etc/cron.daily/logrotate for the /tmp noexec workaround. Due to a bug in logrotate, if /tmp is mounted with the noexec option you need to have logrotate use a different temporary directory. If you don't do this, syslog may not restart correctly and will write to the wrong (older) log files.
- Check /var/tmp permissions. /var/tmp should be chmod 1777
- Check /var/tmp ownership. /var/tmp should be owned by root:root
- Check /var/tmp is mounted as a filesystem. /var/tmp should either be symlinked to /tmp or mounted as a filesystem
- Check /var/tmp is mounted noexec,nosuid. If /var/tmp isn't mounted with the noexec,nosuid options (the check reports "currently: none"), you should consider adding a mountpoint in /etc/fstab for /var/tmp with those options.
- Check /usr/tmp permissions. /usr/tmp should be chmod 1777
- Check /usr/tmp ownership. /usr/tmp should be owned by root:root
- Check /usr/tmp is mounted as a filesystem or is a symlink to /tmp. /usr/tmp should either be symlinked to /tmp or mounted as a filesystem.
- Check /etc/resolv.conf for a localhost entry. You should not specify 127.0.0.1 or localhost as a nameserver in /etc/resolv.conf - use the server's main IP address instead.
- Check /etc/named.conf for recursion restrictions. If you have a local DNS server running but do not have any recursion restrictions set in /etc/named.conf, this is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only. Unrestricted recursive lookups are as good as a DDoS attack against your system: they will eat up all your system resources.
- Check server runlevel. For a secure server environment you should only run the server at runlevel 3. You can fix this by editing /etc/inittab and changing the initdefault line to:
id:3:initdefault:
and then rebooting the server.
- Check nobody cron. You have a nobody cron log file - you should check that this has not been created by an exploit
- Check Operating System support. Make certain that your OS version is still supported by the manufacturer and that upgrades continue to be available
- Check SSHv1 is disabled. You should disable SSHv1 by editing /etc/ssh/sshd_config and setting: Protocol 2 (remove the hash # from in front of the line and delete the ",1").
- Check SSH on non-standard port. Moving SSH to a non-standard port avoids basic SSH port scans. Edit /etc/ssh/sshd_config and set: Port nnnn, where nnnn is a port of your choosing. Don't forget to open the port in the firewall first!
- Check SSH PasswordAuthentication. For ultimate SSH security, you might want to consider disabling PasswordAuthentication and only allowing access using PubkeyAuthentication.
- Check telnet port 23 is not in use. Close this port in your firewall. Telnet is an insecure protocol and you should disable the telnet daemon if it is running.
- Check shell resource limits. You should enable shell resource limits to prevent shell users from consuming server resources - DoS exploits typically do this. If you are using cPanel/WHM, set Shell Fork Bomb Protection.
- Disable all instances of IRC - BitchX, bnc, eggdrop, generic-sniffers, guardservices, ircd, psyBNC, ptlink. If you are using WHM you can do this in the Background Process Killer.
- Check apache for mod_security. If it is not installed, install it from source.
- Check apache for mod_evasive. You should install the mod_evasive apache module from source to help prevent DoS attacks against apache. Note that this module breaks FrontPage functionality.
- Check apache for RLimitCPU. You should set a value for RLimitCPU to prevent runaway scripts from consuming server resources - DoS exploits typically do this.
- Check apache for RLimitMEM. You should set a value for RLimitMEM to prevent runaway scripts from consuming server resources - DoS exploits typically do this.
- Check php for enable_dl. You should modify /usr/local/lib/php.ini and set:
enable_dl = off
This prevents users from loading php modules that affect everyone on the server. Note that if you use dynamic libraries, such as ioncube, you will have to load them directly in php.ini.
- Check php for disable_functions. You should modify /usr/local/lib/php.ini and disable commonly abused php functions, e.g.:
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
Some client web scripts may break with some of these functions disabled, so you may have to remove them from this list.
- Check phpsuexec. To reduce the risk of attackers accessing all sites on the server from a compromised PHP web script, you should enable phpsuexec when you build apache/php. Note that there are side effects when enabling phpsuexec on a server and you should be aware of these before enabling it.
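Several of the checks above (/tmp mode and ownership, noexec,nosuid mount options, the sshd_config Protocol and PasswordAuthentication settings) and the expose_php / enable_dl settings from the "Securing PHP" section can be scripted. The following is an added example, not code from the cited article: each function returns 0 when the setting is hardened and 1 otherwise, and the sample files it audits are constructed on the spot so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the cited article: some of the hardening checks
# as shell functions (exit 0 = hardened, 1 = not), covering the /tmp, mount,
# sshd_config and php.ini items discussed on this page.

# tmp_mode_ok DIR / tmp_owner_ok DIR : mode 1777 and owned by root:root
tmp_mode_ok()  { [ "$(stat -c '%a' "$1" 2>/dev/null)" = "1777" ]; }
tmp_owner_ok() { [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "root:root" ]; }

# mount_opts_ok MOUNTPOINT [MOUNTS_FILE] : mounted with noexec and nosuid
# (MOUNTS_FILE defaults to /proc/mounts; fields: dev mountpoint type options)
mount_opts_ok() {
    opts=$(awk -v mp="$1" '$2 == mp { print $4 }' "${2:-/proc/mounts}")
    [ -n "$opts" ] || return 1                      # not a separate filesystem
    case ",$opts," in *,noexec,*) ;; *) return 1 ;; esac
    case ",$opts," in *,nosuid,*) ;; *) return 1 ;; esac
}

# conf_value FILE KEY : effective value of KEY; the last uncommented
# "KEY value" (sshd_config) or "key = value" (php.ini) line wins
conf_value() {
    awk -v k="$2" '
        /^[ \t]*[#;]/ { next }                  # comment line
        { gsub(/=/, " = ") }                    # "k=v" -> "k = v", re-split fields
        $1 == k { v = ($2 == "=") ? $3 : $2 }
        END { print v }' "$1"
}

# sshd_ok FILE : protocol 2 only and no password logins (keys only)
sshd_ok() {
    [ "$(conf_value "$1" Protocol)" = "2" ] &&
    [ "$(conf_value "$1" PasswordAuthentication)" = "no" ]
}

# php_ini_ok FILE : expose_php and enable_dl both Off
php_ini_ok() {
    for k in expose_php enable_dl; do
        [ "$(conf_value "$1" "$k" | tr 'A-Z' 'a-z')" = "off" ] || return 1
    done
}

# Constructed sample files for a stand-alone run (not real server files)
SAMPLES=$(mktemp -d) && chmod 1777 "$SAMPLES"
printf '#Protocol 2,1\nProtocol 2\nPasswordAuthentication no\n' > "$SAMPLES/sshd_config"
printf 'expose_php = Off\n; enable_dl = On\nenable_dl=Off\n' > "$SAMPLES/php.ini"
printf 'tmpfs /var/tmp tmpfs rw,nosuid,noexec 0 0\n' > "$SAMPLES/mounts"
for chk in "tmp_mode_ok $SAMPLES" "tmp_owner_ok /tmp" "mount_opts_ok /var/tmp $SAMPLES/mounts" \
           "sshd_ok $SAMPLES/sshd_config" "php_ini_ok $SAMPLES/php.ini"; do
    if $chk; then echo "OK   $chk"; else echo "WARN $chk"; fi
done
```

On a real server, point the functions at /tmp, /var/tmp, /proc/mounts, /etc/ssh/sshd_config and the php.ini in use instead of the sample files.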