Shorewall and fail2ban
I recently set up a small development server; below is the configuration I used for shorewall and fail2ban, a minimal setup that can serve as a starting point for more complex configurations.
Shorewall
Shorewall is a script (recently rewritten in Perl; it used to be bash only) for managing and configuring the Linux firewall and networking stack. Using shorewall is remarkably simple, and it lets you configure everything from iptables for the firewall to QoS/traffic shaping, and even OpenVPN and IPsec. This is the base configuration of the development server:
/etc/shorewall/interfaces:
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
int     eth0
/etc/shorewall/zones:
###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
int     ipv4
/etc/shorewall/policies:
###############################################################################
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK
fw      int     ACCEPT
int     fw      DROP
/etc/shorewall/rules:
####################################################################################################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL  RATE    USER/   MARK    CONNLIMIT  TIME
#                               PORT    PORT(S) DEST      LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT  int     fw      tcp     ssh
ACCEPT  int     fw      tcp     http
ACCEPT  int     fw      tcp     https
This is the result, the compiled iptables ruleset:
Chain INPUT (policy DROP)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
int2fw all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Drop all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:DROP:'
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Reject all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
reject all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain OUTPUT (policy DROP)
target prot opt source destination
fw2int all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Reject all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
reject all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain Drop (2 references)
target prot opt source destination
all -- 0.0.0.0/0 0.0.0.0/0
reject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
dropBcast all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4 /* Needed ICMP types */
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11 /* Needed ICMP types */
dropInvalid all -- 0.0.0.0/0 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
dropNotSyn tcp -- 0.0.0.0/0 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */
Chain Reject (2 references)
target prot opt source destination
all -- 0.0.0.0/0 0.0.0.0/0
reject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
dropBcast all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4 /* Needed ICMP types */
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11 /* Needed ICMP types */
dropInvalid all -- 0.0.0.0/0 0.0.0.0/0
reject udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
reject udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
reject udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
reject tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
dropNotSyn tcp -- 0.0.0.0/0 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */
Chain dropBcast (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
DROP all -- 0.0.0.0/0 224.0.0.0/4
Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
Chain dynamic (2 references)
target prot opt source destination
Chain fw2int (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain int2fw (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Drop all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
target prot opt source destination
reject all -- 0.0.0.0/0 0.0.0.0/0
Chain reject (9 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
DROP all -- 224.0.0.0/4 0.0.0.0/0
DROP 2 -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
Chain smurfs (0 references)
target prot opt source destination
RETURN all -- 0.0.0.0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
DROP all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
LOG all -- 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
DROP all -- 224.0.0.0/4 0.0.0.0/0
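An added consistency check, not part of the original post: it parses the int2fw chain from the listing above and compares the ports it accepts with the ACCEPT lines of /etc/shorewall/rules, flagging any port the firewall opens that the rules file does not intend, any intended port that is not open, and whether the chain still falls through to DROP. The SERVICES map is an assumed stand-in for the /etc/services lookup that resolves names such as ssh to port numbers.

```python
import re
# Constructed sample: the int2fw chain exactly as it appears in the listing.
IPTABLES_LISTING = """Chain int2fw (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Drop all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
"""

# Constructed sample: the NEW section of /etc/shorewall/rules from the post.
RULES_FILE = """SECTION NEW
ACCEPT int fw tcp ssh
ACCEPT int fw tcp http
ACCEPT int fw tcp https
"""

SERVICES = {"ssh": 22, "http": 80, "https": 443}  # assumed /etc/services subset


def intended_ports(rules_text, src="int", dst="fw"):
    """(proto, port) pairs the rules file ACCEPTs from zone src to zone dst."""
    wanted = set()
    for f in map(str.split, rules_text.splitlines()):
        if len(f) >= 5 and f[0] == "ACCEPT" and f[1] == src and f[2] == dst:
            wanted.add((f[3], SERVICES.get(f[4]) or int(f[4])))
    return wanted


def chain_rules(listing, chain):
    """Rule lines of one chain in `iptables -L -n` output, header skipped."""
    in_chain, rules = False, []
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
        elif in_chain and line and not line.startswith("target "):
            rules.append(line)
    return rules


def accepted_ports(listing, chain="int2fw"):
    """(proto, port) pairs opened by per-port ACCEPT rules in the chain."""
    pat = re.compile(r"ACCEPT\s+(tcp|udp)\s.*\bdpt:(\d+)")
    return {(m[1], int(m[2])) for m in map(pat.match, chain_rules(listing, chain)) if m}


def audit(listing, rules_text, chain="int2fw"):
    """Ports open but unintended, intended but closed, and whether the chain ends in DROP."""
    live, wanted = accepted_ports(listing, chain), intended_ports(rules_text)
    return {"unexpected": sorted(live - wanted), "missing": sorted(wanted - live),
            "default_drop": chain_rules(listing, chain)[-1].split()[0] == "DROP"}
```

On a live host the same functions can be fed the output of `iptables -L -n` and the contents of the real rules file; any non-empty "unexpected" list means the running ruleset has drifted from what the rules file declares.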
Fail2ban
Fail2ban is another piece of software, written in Python, that monitors login attempts to the system and, depending on its configuration, carries out a given action; for example, it can be configured to block the offending IP address through shorewall. Since the only port open on the system is SSH, the following changes to the base configuration are sufficient:
/etc/fail2ban/jail.conf (an excerpt):
[DEFAULT]
banaction = shorewall

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
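To see what the jail above does, here is an added example (not fail2ban's own code) that replays a simplified version of the sshd filter over constructed auth.log lines: it counts failed logins per source address in a sliding window, reports the addresses that reach maxretry = 6, and builds the `shorewall drop <ip>` command that fail2ban's shorewall banaction issues for each of them. The 600-second window (fail2ban's default findtime) and the year used when parsing syslog timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY = 6    # maxretry from the jail.conf excerpt above
FINDTIME = 600  # assumed: fail2ban's default findtime, in seconds

# Simplified sshd failregex: only the "Failed password" form is recognised.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

# Constructed auth.log: 203.0.113.7 fails six times in two minutes,
# 198.51.100.9 fails three times, 192.0.2.5 logs in successfully.
SAMPLE_AUTH_LOG = [
    "Jul 12 10:00:01 dev sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Jul 12 10:00:05 dev sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Jul 12 10:00:09 dev sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2",
    "Jul 12 10:00:30 dev sshd[2130]: Failed password for bob from 198.51.100.9 port 40100 ssh2",
    "Jul 12 10:00:44 dev sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2",
    "Jul 12 10:01:02 dev sshd[2140]: Accepted publickey for alice from 192.0.2.5 port 40200 ssh2",
    "Jul 12 10:01:10 dev sshd[2101]: Failed password for root from 203.0.113.7 port 51026 ssh2",
    "Jul 12 10:01:31 dev sshd[2130]: Failed password for bob from 198.51.100.9 port 40101 ssh2",
    "Jul 12 10:01:55 dev sshd[2101]: Failed password for root from 203.0.113.7 port 51027 ssh2",
    "Jul 12 10:02:20 dev sshd[2130]: Failed password for bob from 198.51.100.9 port 40102 ssh2",
]

def parse_ts(text, year=2024):
    """auth.log timestamps carry no year, so one is assumed (constructed data)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def offenders(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Map each IP reaching maxretry failures within findtime to its ban time."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    banned = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m or m["ip"] in banned:  # skip non-failures and already-banned IPs
            continue
        now, hits = parse_ts(m["ts"]), recent[m["ip"]]
        hits.append(now)
        while (now - hits[0]).total_seconds() > findtime:  # expire old failures
            hits.popleft()
        if len(hits) >= maxretry:
            banned[m["ip"]] = now
    return banned

def ban_commands(banned):
    """The command fail2ban's shorewall banaction runs for each banned IP."""
    return [f"shorewall drop {ip}" for ip in sorted(banned)]
```

`shorewall drop` inserts the address into the `dynamic` chain that the listing above shows empty, which is why the ban takes effect without recompiling the ruleset.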