Network Security

IPTABLES: the command for the Linux NETFILTER firewall

To get started, here is the manual page in French: http://jp.barralis.com/linux-man/man8/iptables.8.php

Example firewall script (jean)

#!/bin/sh
# firewall v1.0.1 Oct 13 09:48:57 PDT 2003 written by : Kernel <kernel@trustonme.net>
# this script is free software according to the GNU General Public License (see http://www.gnu.org/licenses/gpl.html)
# Start/stop/restart/status firewall:

firewall_start() {

    echo "[Démarrage du firewall]"

    ############################### DEFAULT RULES ###########################

    echo "[Initialisation de la table filter]"
    iptables -F
    iptables -X

    echo "[Politique par défaut de la table filter]"

    # Drop everything that enters or transits through the gateway
    iptables -P INPUT DROP
    iptables -P FORWARD DROP

    # Accept everything that leaves
    iptables -P OUTPUT ACCEPT

    # To avoid nasty surprises, allow access to the
    # loopback interface: this is vital!
    iptables -A INPUT  -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    ############################### LOCAL-INTERNET ###########################

    echo "[On autorise les clients à accéder à internet ]"

    # Create a new chain; the name does not matter,
    # let's call it "local-internet"
    iptables -N local-internet

    # Define the profile of what belongs to "local-internet":
    # every connection except those coming from the internet ( ! = not).
    # In short, this makes your servers unreachable from the internet.
    # Don't panic, some servers are explicitly allowed further down.
    # ("! -i eth0" is the current syntax; the older "-i ! eth0" form is deprecated)
    iptables -A local-internet -m state --state NEW ! -i eth0 -j ACCEPT

    # Obviously, once accepted as "local-internet", connections may carry on
    # and spawn related ones :-)
    iptables -A local-internet -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Finish by stating that connections belonging to "local-internet"
    # reach the internet transparently.
    iptables -A INPUT -j local-internet
    iptables -A FORWARD -j local-internet

    ############################### THE NAT AND MANGLE TABLES #############################

    echo "[Initialisation des tables nat et mangle]"

    iptables -t nat -F
    iptables -t nat -X
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT

    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t mangle -P PREROUTING ACCEPT
    iptables -t mangle -P OUTPUT ACCEPT

    #################################### MASQUERADING ########################################

    # Comment out these 2 lines if you do not do masquerading (NAT)
    echo "[Mise en place du masquerading]"
    iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE

    ################################# ENABLING THE GATEWAY ##################

    echo "[Activation de la passerelle]"
    echo 1 > /proc/sys/net/ipv4/ip_forward

    ################################# NO SPOOFING ############################

    echo "[Pas de spoofing]"
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
        for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
        do
            echo 1 > "$filtre"
        done
    fi

    ########################## NO SYNFLOOD ####################

    echo "[Pas de synflood]"
    if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    fi

    ################################## NO PING ###############################

    # Comment out these 6 lines if you allow pings to your gateway
    echo "[Pas ping]"
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ] ; then
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    fi

    ############################ SERVER FEATURES #####################################

    echo "[Etude des fonctionnalités serveurs, visibles depuis internet ]"

    # At this point, all your LAN clients and the gateway itself have access to the internet. Better,
    # your LAN clients have access to your apache, proftp ... servers locally. But nobody
    # on the internet can reach any of the servers you host.

    # It is of course possible to selectively unlock access to a server from the internet
    # by uncommenting the 2 or 3 corresponding lines.

    echo "[autorisation du serveur ssh(22) ...]"
    iptables -A INPUT -p tcp --dport ssh -j ACCEPT

    #echo "[autorisation du serveur smtp(25) ...]"
    #iptables -A INPUT -p tcp --dport smtp -j ACCEPT

    echo "[autorisation du serveur http(80) ...]"
    iptables -A INPUT -p tcp --dport www -j ACCEPT

    #echo "[autorisation du serveur https(443) ...]"
    #iptables -A INPUT -p tcp --dport https -j ACCEPT

    #echo "[autorisation du serveur DNS(53) ...]"
    #iptables -A INPUT -p udp --dport domain -j ACCEPT
    #iptables -A INPUT -p tcp --dport domain -j ACCEPT

    #echo "[autorisation du serveur irc(6667) ...]"
    #iptables -A INPUT -p tcp --dport ircd -j ACCEPT

    #echo "[autorisation du serveur cvs (2401) ...]"
    #iptables -A INPUT -p tcp --dport cvspserver -j ACCEPT

    echo "[autorisation du serveur FTP(21 et 20) ...]"
    # The RELATED match on ftp-data only works when the FTP connection-tracking helper
    # is loaded (nf_conntrack_ftp; ip_conntrack_ftp on older kernels)
    iptables -A INPUT -p tcp --dport ftp -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp --dport ftp-data -m state --state RELATED -j ACCEPT
    #iptables -A OUTPUT -p tcp --sport ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
    #iptables -A OUTPUT -p tcp --sport ftp-data -m state --state RELATED,ESTABLISHED -j ACCEPT

    #echo "[autorisation du serveur FTP sécurisé (990 et 989) ...]"
    #iptables -A INPUT -p tcp --dport ftps -j ACCEPT
    #iptables -A INPUT -p tcp --dport ftps-data -j ACCEPT

    #echo "[autorisation du serveur eDonkey d'etienne ...]"
    #iptables -A local-internet -d 192.168.10.4 -p tcp --dport 4662 -j ACCEPT
    #iptables -A local-internet -d 192.168.10.4 -p udp --dport 4672 -j ACCEPT

    # Do not uncomment the lines that follow.
    # More generally:
    #echo "[autorisation du serveur Mon_truc(10584) ...]"
    #iptables -A INPUT -p tcp --dport 10584 -j ACCEPT

    echo "[firewall activé !]"

}

firewall_stop() {

    # Note: IP forwarding and the sysctl hardening set by firewall_start are left as they are
    iptables -F
    iptables -X
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    iptables -t nat -F
    iptables -t nat -X
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT

    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t mangle -P PREROUTING ACCEPT
    iptables -t mangle -P OUTPUT ACCEPT

    echo " [firewall désactivé! ]"
}

firewall_restart() {
    firewall_stop
    sleep 2
    firewall_start
}

case "$1" in
    'start')
        firewall_start
    ;;
    'stop')
        firewall_stop
    ;;
    'restart')
        firewall_restart
    ;;
    'status')
        iptables -L
        iptables -t nat -L
        iptables -t mangle -L
    ;;
    *)
        echo "Usage: firewall {start|stop|restart|status}"
esac
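The same policy as the script above, written in iptables-save format and produced by a small function, as an added example that is not part of the original script: iptables-restore loads it in one atomic commit instead of flushing and rebuilding the tables rule by rule, and "-m state" is written as its current equivalent "-m conntrack". The interface and LAN network are parameters (assumed defaults eth0 and 192.168.10.0/24, taken from the script); the FTP rules and the sysctl settings are left out.

```shell
#!/bin/sh
# Added example, not part of the original script: emit the gateway policy in
# iptables-save format. Usage: gen_ruleset [wan-interface] [lan-network]
gen_ruleset() {
    wan="${1:-eth0}"              # assumed default: internet-facing interface
    lan="${2:-192.168.10.0/24}"   # assumed default: LAN behind the gateway
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:local-internet - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# new connections are accepted only when they do not arrive from the internet
-A local-internet -m conntrack --ctstate NEW ! -i $wan -j ACCEPT
-A local-internet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j local-internet
-A FORWARD -j local-internet
# services deliberately exposed to the internet (ssh and http, as in the script)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan -o $wan -j MASQUERADE
COMMIT
EOF
}

# Parse-only dry run (iptables-restore --test), then the real atomic load.
# Both need root and are not run here; call apply_ruleset explicitly.
apply_ruleset() {
    gen_ruleset "$@" | iptables-restore --test || return 1
    gen_ruleset "$@" | iptables-restore
}
```

Loading through iptables-restore also means a syntax error anywhere in the file leaves the previous ruleset untouched, whereas the script above would stop half-way with the DROP policy already in place.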

Resources on security in general

The site dedicated to open-source network and security tools

Commands to monitor throughput / access on network interfaces:
CLI Magic: No-nonsense network monitoring tools

A very interesting blog post with advice on securing an Ubuntu server (also valid for Debian): http://www.prendreuncafe.com/blog/post/2007/02/05/Securiser-son-Ubuntu-server

A nice article on network intrusion: http://forum.ubuntu-fr.org/viewtopic.php?id=101748

Miscellaneous commands

To diagnose which ports are open:

$ sudo netstat -plut
$ sudo netstat -lataupen

With another command:

$ sudo nc -v -w2 -z localhost 1-65534

Tools for gathering information about machines on the network: ping / hping / nmap etc.

Wifi

Setting up a firewall

  • Very handy script for Ubuntu (and probably Debian): Ubuntu Firewall, plus additional settings against brute-force attacks: http://jujuseb.com/dotclear/?2006/04/29/10-ubuntu-firewall-contre-l-attaque-par-brute-force

  • Another turnkey script for Debian / Ubuntu:

Arno's iptables firewall - This script is available in the repositories (Debian/testing & Ubuntu-Edgy/Universe), but you can use the latest stable version from the author's site (tar.gz) without taking much risk…

Fighting rootkits

Check regularly for the presence of rootkits.
To do so, install the following packages (one should suffice, but all 3 for maximum security):

Web server

Protection against web spam

Securing APACHE

Read at: http://www.debianadmin.com/apache-tipshide-apache-information-php-software-version.html

Hide Apache Information

To hide this information, add the following two Apache directives to the Apache configuration file /etc/apache2/apache2.conf:

ServerTokens ProductOnly
ServerSignature Off

Now restart the web server with the following command:

# /etc/init.d/apache2 restart

The Server header sent by Apache now looks like this:

Server: Apache

Other resources:

Securing PHP

Read this first: http://www.lesnouvelles.net/articles/attaques/870-php-code-inclusion-et-phpsecinfo.html?nid=1

  • Hide PHP Version Details

If you want to hide the PHP version, edit /etc/php4/apache/php.ini (for PHP 4) or /etc/php5/apache/php.ini (for PHP 5).

Change the following option:

expose_php On

to

expose_php Off

Now restart the web server with the following command:

# /etc/init.d/apache2 restart

After this change PHP no longer adds its signature (the X-Powered-By header) to the web server's response headers.

If you run PHP from the CLI against a PHP file, the output is an HTML file (as a browser would see it). In some distributions (such as Debian) the php-cli is controlled by a different php.ini file (/etc/php[4,5]/cli/php.ini), so the setting has to be changed there too.

  • Check the configuration with PHPSecInfo

http://phpsec.org/projects/phpsecinfo/
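A check for the two version leaks the settings above control, added here as an example that is not part of the quoted articles: it reads a captured HTTP response on stdin and flags a Server header that still carries a version (what ServerTokens ProductOnly removes) and any X-Powered-By header (what expose_php = Off removes). check_version_leaks and the two sample responses are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the quoted articles: flag version leaks in HTTP response headers.
# Reads the raw response on stdin, e.g.  curl -sI http://example.invalid/ | check_version_leaks
# Returns 0 when nothing leaks, 1 otherwise, naming each offending header.
check_version_leaks() {
    # drop CRs and keep only the header block (everything before the first blank line)
    hdrs=$(tr -d '\r' | awk 'NF == 0 { exit } { print }')
    found=0
    # "Server: Apache/2.2.22 (Debian)" leaks a version; ServerTokens ProductOnly
    # reduces it to plain "Server: Apache", which contains no slash
    srv=$(printf '%s\n' "$hdrs" | grep -i '^Server:.*/' || true)
    if [ -n "$srv" ]; then echo "leak: $srv"; found=1; fi
    # PHP adds X-Powered-By only while expose_php = On
    xpb=$(printf '%s\n' "$hdrs" | grep -i '^X-Powered-By:' || true)
    if [ -n "$xpb" ]; then echo "leak: $xpb"; found=1; fi
    return $found
}

# Constructed sample responses (not captured from a real server)
leaky_response() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Debian)\r\nX-Powered-By: PHP/5.3.3\r\nContent-Type: text/html\r\n\r\n<html>\r\n'
}
hardened_response() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>\r\n'
}
```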

Installing and configuring mod-security:

Securing a Linux server (general case)

28 steps on how to harden your Linux server

If you run your own Linux server here are some tips on server hardening, liberally stolen from the CFS security GUI script for cPanel/WHM per Doug’s Dynamic Drivel:

  1. On your firewall (you do have one, don't you?) check the incoming MySQL port and if 3306 is open, close it. If this port is left open it poses both a security and a server-abuse threat: not only can attackers attempt to break into MySQL, any user can host their SQL database on your server and access it from another host, and so (ab)use your server resources.
  2. Check /tmp permissions. /tmp should be chmod 1777
  3. Check /tmp ownership /tmp should be owned by root:root
  4. Check /etc/cron.daily/logrotate for /tmp noexec workaround. Due to a bug in logrotate if /tmp is mounted with the noexec option, you need to have logrotate use a different temporary directory. If you don’t do this syslog may not restart correctly and will write to the wrong (older) log files.
  5. Check /var/tmp permissions. /var/tmp should be chmod 1777
  6. Check /var/tmp ownership. /var/tmp should be owned by root:root
  7. Check /var/tmp is mounted as a filesystem. /var/tmp should either be symlinked to /tmp or mounted as a filesystem
  8. Check /var/tmp is mounted noexec,nosuid. /var/tmp isn’t mounted with the noexec,nosuid options (currently: none). You should consider adding a mountpoint into /etc/fstab for /var/tmp with those options
  9. Check /usr/tmp permissions. /usr/tmp should be chmod 1777
  10. Check /usr/tmp ownership. /usr/tmp should be owned by root:root
  11. Check /usr/tmp is mounted as a filesystem or is a symlink to /tmp. /usr/tmp should either be symlinked to /tmp or mounted as a filesystem. Check /etc/resolv.conf for localhost entry. You should not specify 127.0.0.1 or localhost as a nameserver in /etc/resolv.conf - use the servers main IP address instead
  12. Check /etc/named.conf for recursion restrictions. If you have a local DNS server running but do not have any recursion restrictions set in /etc/named.conf this is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only. Unrestricted recursive lookups are as good as a DDoS attack against your system. They will eat up all your system resources
  13. Check server runlevel. For a secure server environment you should only run the server at runlevel 3. You can fix this by editing /etc/inittab and changing the initdefault line to:
     id:3:initdefault: and then rebooting the server 
  14. Check nobody cron. You have a nobody cron log file - you should check that this has not been created by an exploit
  15. Check Operating System support. Make certain that your OS version is still supported by the manufacturer and that upgrades continue to be available
  16. Check SSHv1 is disabled. You should disable SSHv1 by editing /etc/ssh/sshd_config and setting: Protocol 2 (remove the hash # from in front of the line and edit out the 1.1)
  17. Check SSH on non-standard port. Moving SSH to a non-standard port avoids basic SSH port scans. Edit /etc/ssh/sshd_config and set: Port nnnn, where nnnn is a port of your choosing. Don't forget to open the port in the firewall first!
  18. Check SSH PasswordAuthentication. For ultimate SSH security, you might want to consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication.
  19. Check telnet port 23 is not in use. Close this port in your firewall. Telnet is an insecure protocol and you should disable the telnet daemon if it is running
  20. Check shell resource limits. You should enable shell resource limits to prevent shell users from consuming server resources - DOS exploits typically do this. If you are using cPanel/WHM set Shell Fork Bomb Protection.
  21. Disable all instances of IRC - BitchX, bnc, eggdrop, generic-sniffers, guardservices, ircd, psyBNC, ptlink. If you are using WHM you can do this in the Background Process Killer.
  22. Check Apache for mod_security; if it is not installed, install it from source.
  23. Check apache for mod_evasive. You should install the mod_evasive apache module from source to help prevent DOS attacks against apache. Note that this module breaks FrontPage functionality
  24. Check apache for RLimitCPU. You should set a value RLimitCPU to prevent runaway scripts from consuming server resources - DOS exploits can typically do this.
  25. Check apache for RLimitMEM. You should set a value RLimitMEM to prevent runaway scripts from consuming server resources - DOS exploits can typically do this
  26. Check php for enable_dl. You should modify /usr/local/lib/php.ini and set:
     enable_dl = off 

    This prevents users from loading PHP modules that affect everyone on the server. Note that if you use dynamic libraries, such as ioncube, you will have to load them directly in php.ini

  27. Check php for disable_functions. You should modify /usr/local/lib/php.ini and disable commonly abused php functions, e.g.:
     disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open 

    Some client web scripts may break with some of these functions disabled, so you may have to remove them from this list

  28. Check phpsuexec. To reduce the risk of hackers accessing all sites on the server from a compromised PHP web script, you should enable phpsuexec when you build apache/php. Note that there are side effects when enabling phpsuexec on a server and you should be aware of these before enabling it
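An audit for steps 2 to 8 above (temp directories owned by root with mode 1777 and mounted noexec,nosuid), added here as an example that is not part of the quoted list. check_mount_opts takes the mount table from the file given as its second argument (an assumed parameter, default /proc/mounts) so it can also be run against a saved copy; check_tmp_perms relies on GNU stat, and the sample mount table is constructed.

```shell
#!/bin/sh
# Added example, not from the quoted list: audit the temp directories named in steps 2-8.
# check_mount_opts <mountpoint> [mounts-file]: 0 when the mount carries noexec and nosuid.
# The mounts-file argument is assumed for this example; it defaults to the live /proc/mounts.
check_mount_opts() {
    mp="$1"; table="${2:-/proc/mounts}"
    # last matching line wins: a later mount shadows an earlier one on the same path
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
    if [ -z "$opts" ]; then echo "$mp: not a mount point"; return 1; fi
    rc=0
    for want in noexec nosuid; do
        case ",$opts," in
            *,"$want",*) ;;
            *) echo "$mp: mounted without $want ($opts)"; rc=1 ;;
        esac
    done
    return $rc
}

# check_tmp_perms <dir>: 0 when the directory is mode 1777 and owned by root:root
# (uses GNU stat -c; BSD stat would need -f)
check_tmp_perms() {
    d="$1"
    if [ ! -d "$d" ]; then echo "$d: missing"; return 1; fi
    mode=$(stat -c '%a' "$d" 2>/dev/null || echo '?')
    owner=$(stat -c '%U:%G' "$d" 2>/dev/null || echo '?')
    rc=0
    [ "$mode" = "1777" ] || { echo "$d: mode $mode, expected 1777"; rc=1; }
    [ "$owner" = "root:root" ] || { echo "$d: owner $owner, expected root:root"; rc=1; }
    return $rc
}

# Run both checks on the three directories the list names. /var/tmp and /usr/tmp
# may legitimately be symlinks to /tmp (steps 7 and 11); then only the target is checked.
audit_tmp_dirs() {
    rc=0
    for d in /tmp /var/tmp /usr/tmp; do
        if [ -L "$d" ]; then
            echo "$d: symlink to $(readlink "$d"), target checked separately"
            continue
        fi
        check_tmp_perms "$d" || rc=1
        check_mount_opts "$d" || rc=1
    done
    return $rc
}
```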

Using Wireshark

List of the most common display filters:

  1. ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as either the source or dest]
  2. ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses]
  3. http or dns [sets a filter to display all http and dns]
  4. tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port]
  5. tcp.flags.reset==1 [displays all TCP resets]
  6. http.request [displays all HTTP GET requests]
  7. tcp contains traffic [displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID]
  8. !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest]
  9. udp contains 33:27:58 [sets a filter for the HEX values of 0x33 0x27 0x58 at any offset]
  10. tcp.analysis.retransmission [displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss]
