From fe8a27dbed462a55c7f5cdfd993664abb07ce997 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Wed, 8 Feb 2017 21:36:43 +0000
Subject: core network revision
---
 core/conf/iptables/rules.v4 | 88 +++++++++++++++++++++++++++------------------
 1 file changed, 53 insertions(+), 35 deletions(-)
(limited to 'core/conf/iptables/rules.v4')
diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/rules.v4
index 848603c..419962f 100644
--- a/core/conf/iptables/rules.v4
+++ b/core/conf/iptables/rules.v4
@@ -48,43 +48,49 @@ COMMIT
 #
 # Allow established from dns server
-#-A INPUT -i wlp7s0 -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-
+#-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # INPUT accept passive
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT
-# Allow established from http server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT
+
+
+# Allow irc
+-A INPUT -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+# Allow xmmp
+-A INPUT -p tcp -m tcp --sport 5222 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
 # Allow established from https server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+# Allow established from http server
+-A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from rsync server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from pop3s server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from smtps server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from ntp server
--A INPUT -i wlp7s0 -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from whois server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from ftp server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 ##################################################################################
 # INPUT
 # New and established connections to local servers
 #
 # INPUT accept from wlp7s0 to dns server
--A INPUT -i wlp7s0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+#-A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 # INPUT accept from wlp7s0 to https server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 # INPUT accept from wlp7s0 to ssh server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT
 -A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
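Review bot: The comments `# INPUT accept from wlp7s0 to dns server`, `... to https server` and `... to ssh server` still name wlp7s0 although every rule in this hunk has dropped `-i wlp7s0`, so they no longer describe what the rules match; either reword them (`# INPUT accept to ssh server`) or keep the interface match if the restriction was intended. Dropping the interface qualifier also makes the per-service ESTABLISHED accepts and the rate-limited NEW rule for port 2222 apply on every interface rather than only wlp7s0, which deserves a one-line comment stating that this is deliberate. Minor: `# Allow xmmp` should read `# Allow xmpp` (same typo in the OUTPUT hunk below).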
@@ -97,35 +103,47 @@ COMMIT
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -o br0 -j ACCEPT
-# Allow dns
-#-A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to ssh clients
+-A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+# Allow to dns
+#-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow from dns server
+#-A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+# Allow irc
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow xmmp
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
 # Allow to rsync server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to pop3s server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to smtps server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to ntp server
--A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to ftp server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to https server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to http server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 ##################################################################################
 # Output
 # Connections from local servers
 #
-# Allow from ssh server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-# Allow from dns server
--A OUTPUT -o wlp7s0 -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
+
 -A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
 COMMIT
-- cgit 1.4.1-2-gfad0
From 3c09bd81cd3d2a9732545795fb57901181fc5ad2 Mon Sep 17 00:00:00 2001
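Review bot: The three rules added under `# Connections from local servers` (`--sport 1024:65535 --dport 1024:65535` with ESTABLISHED, RELATED and NEW) accept any new outbound TCP connection from an unprivileged source port to any unprivileged destination port, so the per-service OUTPUT allowlist above (rsync, pop3s, smtps, ntp, ftp, https, http) now only constrains privileged destination ports and the egress policy that the chain's DROP default provided is largely gone. If the intent is passive FTP data connections, the RELATED rule alone should cover what the conntrack helper marks; otherwise the NEW rule should be narrowed to the destinations it is really for. In either case the block carries no comment and sits under a heading that describes the opposite direction, so at least add `# Allow any outbound TCP to unprivileged ports (NEW, ESTABLISHED, RELATED)` above it and say why.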
From: Silvino Silva
Date: Tue, 21 Feb 2017 13:56:33 +0000
Subject: core iptables revision
---
 core/conf/iptables/iptables-lan.sh | 277 +++++++++++++++++++++++++++++++++++++
 core/conf/iptables/rules.v4 | 227 ++++++++++++------------------
 core/network.html | 4 +-
 3 files changed, 367 insertions(+), 141 deletions(-)
 create mode 100644 core/conf/iptables/iptables-lan.sh
(limited to 'core/conf/iptables/rules.v4')
diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh
new file mode 100644
index 0000000..fae7345
--- /dev/null
+++ b/core/conf/iptables/iptables-lan.sh
@@ -0,0 +1,277 @@
+#!/bin/sh
+
+#------------------------------------------------------------------------------
+#
+# File: iptables_mint17.sh
+#
+# http://www.hardenedlinux.org
+#
+# Reference: Ruslan Abuzant , http://www.hackersgarage.com/
+# Changed by: Silvino Silva
+#
+# License: GNU GPL (version 2, or any later version).
+#
+# Configuration.
+#------------------------------------------------------------------------------
+
+# For debugging use iptables -v.
+IPTABLES="/usr/sbin/iptables"
+IP6TABLES="/usr/sbin/ip6tables"
+MODPROBE="/sbin/modprobe"
+RMMOD="/sbin/rmmod"
+ARP="/usr/sbin/arp"
+
+# NIC interfaces
+NIC_NAME="enp8s0 wlp7s0"
+
+# Logging options.
+#------------------------------------------------------------------------------
+LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
+LOG="$LOG --log-ip-options"
+
+
+# Defaults for rate limiting
+#------------------------------------------------------------------------------
+RLIMIT="-m limit --limit 3/s --limit-burst 8"
+
+
+# Unprivileged ports.
+#------------------------------------------------------------------------------
+PHIGH="1024:65535"
+PSSH="1000:1023"
+
+
+# Load required kernel modules
+#------------------------------------------------------------------------------
+$MODPROBE ip_conntrack_ftp
+$MODPROBE ip_conntrack_irc
+
+
+# Mitigate ARP spoofing/poisoning and similar attacks.
+#------------------------------------------------------------------------------
+# Hardcode static ARP cache entries here
+# $ARP -s IP-ADDRESS MAC-ADDRESS
+
+
+# Default policies.
+#------------------------------------------------------------------------------
+
+# Drop everything by default.
+$IPTABLES -P INPUT DROP
+$IPTABLES -P FORWARD DROP
+$IPTABLES -P OUTPUT ACCEPT
+
+# Set the nat/mangle/raw tables' chains to ACCEPT
+
+$IPTABLES -t mangle -P PREROUTING ACCEPT
+$IPTABLES -t mangle -P INPUT ACCEPT
+$IPTABLES -t mangle -P FORWARD ACCEPT
+$IPTABLES -t mangle -P OUTPUT ACCEPT
+$IPTABLES -t mangle -P POSTROUTING ACCEPT
+
+# Cleanup.
+#------------------------------------------------------------------------------
+
+# Delete all
+$IPTABLES -F
+$IPTABLES -t mangle -F
+
+# Delete all
+$IPTABLES -X
+$IPTABLES -t mangle -X
+
+# Zero all packets and counters.
+$IPTABLES -Z
+$IPTABLES -t mangle -Z
+
+# Completely disable IPv6.
+#------------------------------------------------------------------------------
+
+# Block all IPv6 traffic
+# If the ip6tables command is available, try to block all IPv6 traffic.
+if test -x $IP6TABLES; then
+# Set the default policies
+# drop everything
+$IP6TABLES -P INPUT DROP 2>/dev/null
+$IP6TABLES -P FORWARD DROP 2>/dev/null
+$IP6TABLES -P OUTPUT DROP 2>/dev/null
+
+# The mangle table can pass everything
+$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
+
+# Delete all rules.
+$IP6TABLES -F 2>/dev/null
+$IP6TABLES -t mangle -F 2>/dev/null
+
+# Delete all chains.
+$IP6TABLES -X 2>/dev/null
+$IP6TABLES -t mangle -X 2>/dev/null
+
+# Zero all packets and counters.
+$IP6TABLES -Z 2>/dev/null
+$IP6TABLES -t mangle -Z 2>/dev/null
+fi
+
+# Custom user-defined chains.
+#------------------------------------------------------------------------------
+
+# LOG packets, then ACCEPT.
+$IPTABLES -N ACCEPTLOG
+$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
+$IPTABLES -A ACCEPTLOG -j ACCEPT
+
+# LOG packets, then DROP.
+$IPTABLES -N DROPLOG
+$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
+$IPTABLES -A DROPLOG -j DROP
+
+# LOG packets, then REJECT.
+# TCP packets are rejected with a TCP reset.
+$IPTABLES -N REJECTLOG
+$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
+$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
+$IPTABLES -A REJECTLOG -j REJECT
+
+# Only allows RELATED ICMP types
+# (destination-unreachable, time-exceeded, and parameter-problem).
+# TODO: Rate-limit this traffic?
+# TODO: Allow fragmentation-needed?
+# TODO: Test.
+$IPTABLES -N RELATED_ICMP
+$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
+$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
+$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
+$IPTABLES -A RELATED_ICMP -j DROPLOG
+
+# Make It Even Harder To Multi-PING
+$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
+$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP:
+$IPTABLES -A INPUT -p icmp -j DROP
+$IPTABLES -A OUTPUT -p icmp -j ACCEPT
+
+# Only allow the minimally required/recommended parts of ICMP. Block the rest.
+#------------------------------------------------------------------------------
+
+# TODO: This section needs a lot of testing!
+
+# First, drop all fragmented ICMP packets (almost always malicious).
+$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
+$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
+$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG
+
+# Allow all ESTABLISHED ICMP traffic.
+$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
+$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
+
+# Allow some parts of the RELATED ICMP traffic, block the rest.
+$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
+$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
+
+# Allow incoming ICMP echo requests (ping), but only rate-limited.
+$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
+
+# Allow outgoing ICMP echo requests (ping), but only rate-limited.
+$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
+
+# Drop any other ICMP traffic.
+$IPTABLES -A INPUT -p icmp -j DROPLOG
+$IPTABLES -A OUTPUT -p icmp -j DROPLOG
+$IPTABLES -A FORWARD -p icmp -j DROPLOG
+
+# Selectively allow certain special types of traffic.
+#------------------------------------------------------------------------------
+
+# Allow loopback interface to do anything.
+$IPTABLES -A INPUT -i lo -j ACCEPT
+$IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+# Allow incoming connections related to existing allowed connections.
+$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Allow outgoing connections EXCEPT invalid
+$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# Miscellaneous.
+#------------------------------------------------------------------------------
+
+# We don't care about Milkosoft, Drop SMB/CIFS/etc..
+# ^ person before me; my label = psychogreedyevilsoft
+$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
+$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
+
+# Explicitly drop invalid incoming traffic
+$IPTABLES -A INPUT -m state --state INVALID -j DROP
+
+# Drop invalid outgoing traffic, too.
+$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+
+# If we would use NAT, INVALID packets would pass - BLOCK them anyways
+$IPTABLES -A FORWARD -m state --state INVALID -j DROP
+
+# PORT Scanners (stealth also)
+$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
+$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
+
+# TODO: Some more anti-spoofing rules? For example:
+$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG
+$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG
+
+$IPTABLES -N SYN_FLOOD
+$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
+$IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
+
+$IPTABLES -A SYN_FLOOD -j DROP
+
+$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
+$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+
+$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
+$IPTABLES -A INPUT -f -j DROP
+
+
+# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
+
+# Selectively allow certain inbound connections, block the rest.
+#------------------------------------------------------------------------------
+
+# Allow incoming SSH requests.
+$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
+
+# Explicitly log and reject everything else.
+#------------------------------------------------------------------------------
+# Use REJECT instead of REJECTLOG if you don't need/want logging.
+$IPTABLES -A INPUT -j REJECTLOG
+$IPTABLES -A OUTPUT -j REJECTLOG
+$IPTABLES -A FORWARD -j REJECTLOG
+
+# Counter hits
+
+for i in $NIC_NAME
+do
+ iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set
+ iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP
+done
+
+#------------------------------------------------------------------------------
+# Testing the firewall.
+#------------------------------------------------------------------------------
+
+# You should check/test that the firewall really works, using
+# iptables -vnL, nmap, ping, telnet, ...
+
+# Exit gracefully.
+#------------------------------------------------------------------------------
+
+ exit 0
diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/rules.v4
index 419962f..5a2ffe8 100644
--- a/core/conf/iptables/rules.v4
+++ b/core/conf/iptables/rules.v4
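Review bot: The `# Make It Even Harder To Multi-PING` block (`$IPTABLES -A INPUT -p icmp ... -j ACCEPT`, the `-j LOG` line, then `$IPTABLES -A INPUT -p icmp -j DROP`) terminates every inbound ICMP packet before the ICMP section that follows it, so the INPUT rules for fragmented ICMP, ESTABLISHED ICMP, RELATED via RELATED_ICMP, the `$RLIMIT`-limited echo-request accept and the final `DROPLOG` are never reached; remove the three Multi-PING INPUT lines (the later section already rate-limits echo-request) or move them below that section. The same shadowing hits the TCP-flag rules: `--tcp-flags ALL FIN,URG,PSH`, `SYN,RST SYN,RST` and `SYN,FIN SYN,FIN` are dropped silently first, so their `DROPLOG` counterparts a few lines lower never log anything. `$IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN` is a host-wide cap on new TCP connections, so one busy legitimate client exhausts it and every other new connection (SSH included) is dropped; confirm that rate is intended and document it. In the `for i in $NIC_NAME` loop the commands call bare `iptables` instead of `$IPTABLES`, so unlike the rest of the script they depend on PATH, and the header still says `# File: iptables_mint17.sh` although the file is iptables-lan.sh.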
@@ -1,158 +1,105 @@ -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 *security -:INPUT ACCEPT [6:2056] +:INPUT ACCEPT [3624:2121853] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [6:2056] +:OUTPUT ACCEPT [3590:999020] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Tue Feb 21 13:55:04 2017 +# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 *raw -:PREROUTING ACCEPT [7:2092] -:OUTPUT ACCEPT [6:2056] +:PREROUTING ACCEPT [5432:2268406] +:OUTPUT ACCEPT [3623:1011362] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Tue Feb 21 13:55:04 2017 +# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +*nat +:PREROUTING ACCEPT [1808:146553] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [322:28410] +:POSTROUTING ACCEPT [289:16068] +COMMIT +# Completed on Tue Feb 21 13:55:04 2017 +# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 *mangle -:PREROUTING ACCEPT [7:2092] -:INPUT ACCEPT [6:2056] +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [6:2056] -:POSTROUTING ACCEPT [6:2056] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Tue Feb 21 13:55:04 2017 +# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] -:OUTPUT DROP [0:0] +:OUTPUT ACCEPT [0:0] +:ACCEPTLOG - [0:0] +:DROPLOG - [0:0] +:REJECTLOG - [0:0] +:RELATED_ICMP - [0:0] +:SYN_FLOOD - [0:0] +-A INPUT -i wlp7s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP +-A INPUT -i wlp7s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --set 
--name DEFAULT --mask 255.255.255.255 --rsource +-A INPUT -i enp8s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP +-A INPUT -i enp8s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource +-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT +-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:" +-A INPUT -p icmp -j DROP +-A INPUT -p icmp -f -j DROPLOG +-A INPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP +-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A INPUT -p icmp -j DROPLOG -A INPUT -i lo -j ACCEPT --A INPUT -i br0 -j ACCEPT +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +-A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +-A INPUT -m state --state INVALID -j DROP +-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP +-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG +-A INPUT -p tcp -m 
tcp --tcp-flags FIN,ACK FIN -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " -A INPUT -f -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" --A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP -################################################################################# -# INPUT -# Established connections and passive -# - -# Allow established from dns server -#-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# INPUT accept passive --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 
-m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT - - -# Allow irc --A INPUT -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow xmmp --A INPUT -p tcp -m tcp --sport 5222 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT -# Allow established from https server --A INPUT -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT --A INPUT -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow established from http server --A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from rsync server --A INPUT -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from pop3s server --A INPUT -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from smtps server --A INPUT -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from ntp server --A INPUT -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from whois server --A INPUT -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from ftp server --A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -################################################################################## -# INPUT -# New and established connections to local servers -# - -# INPUT accept from wlp7s0 to dns server -#-A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j 
ACCEPT - -# INPUT accept from wlp7s0 to https server --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# INPUT accept from wlp7s0 to ssh server --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT - - --A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 --A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 - -################################################################################## -# Output -# Connections to remote servers -# +-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT +-A INPUT -j REJECTLOG +-A FORWARD -p icmp -f -j DROPLOG +-A FORWARD -p icmp -j DROPLOG +-A FORWARD -m state --state INVALID -j DROP +-A FORWARD -j REJECTLOG +-A OUTPUT -p icmp -j ACCEPT +-A OUTPUT -p icmp -f -j DROPLOG +-A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A OUTPUT -p icmp -j DROPLOG -A OUTPUT -o lo -j ACCEPT --A OUTPUT -o br0 -j ACCEPT - -# Allow to ssh clients --A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow to dns -#-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow from dns server -#-A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow irc --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow xmmp --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - - -# Allow to rsync server --A OUTPUT -p tcp -m tcp --sport 
1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to pop3s server --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to smtps server --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ntp server --A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ftp server --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to https server --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT --A OUTPUT -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to http server --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT - -################################################################################## -# Output -# Connections from local servers -# - - --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT - - --A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 -COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 -*nat -:PREROUTING ACCEPT [1:36] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] +-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -m state --state INVALID -j DROP +-A OUTPUT -j REJECTLOG +-A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options 
--log-ip-options +-A ACCEPTLOG -j ACCEPT +-A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A DROPLOG -j DROP +-A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset +-A REJECTLOG -j REJECT --reject-with icmp-port-unreachable +-A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT +-A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT +-A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT +-A RELATED_ICMP -j DROPLOG +-A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN +-A SYN_FLOOD -j DROP COMMIT -# Completed on Sat Oct 15 17:20:41 2016 +# Completed on Tue Feb 21 13:55:04 2017 diff --git a/core/network.html b/core/network.html index ebea495..bcf52f5 100644 --- a/core/network.html +++ b/core/network.html @@ -118,7 +118,9 @@ arch wiki. You can use /etc/iptables/rules.v4 - as template, replace interface by the one facing the router/gateway. + or + /etc/iptables/iptables-lan.sh + as a template, replace interfaces by correct ones. This configuration file is used at boot time by iptables-restore command, if you use a script or change the rules of running system you can use iptables-save command to save configuration to a file.
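Review bot: In the new filter section the unconditional `-A INPUT -p icmp -j DROP` sits above the ICMP ESTABLISHED, RELATED_ICMP, echo-request and `-p icmp -f -j DROPLOG` rules, so those four rules can never match, and any ICMP beyond the `1/sec` limit of the first two rules — including the destination-unreachable/time-exceeded replies conntrack marks RELATED — is silently dropped. That leading `-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT` also admits every ICMP type rather than the ones the later rules intend, and because `-A INPUT -i lo -j ACCEPT` comes after the block, loopback ICMP is rate-limited too. I would delete the three rate-limit/DROP lines so the stateful ICMP rules do the work, and make `-A INPUT -i lo -j ACCEPT` the first INPUT rule. The rest of the hunk (recent-based SSH throttle, SMB/MSSQL drops, flag-scan drops, SYN_FLOOD) reads correctly.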

-- cgit 1.4.1-2-gfad0 From d26a4e12deafade205d37a9fda748a6b78dfdb6a Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 25 Feb 2017 18:40:03 +0000 Subject: overall revesion --- core/bash.html | 10 +- core/conf/iptables/iptables-lan.sh | 143 ++++++++++++++++++--------- core/conf/iptables/rules.v4 | 76 +++++++------- core/conf/sysctl.conf | 148 +++++++++++++++------------- core/dash.html | 4 +- core/exim.html | 33 ++++--- core/grsecurity.html | 85 ++++++++++++++++ core/hardening.html | 197 +++++++++++++++++++++++++++++++++++++ core/index.html | 51 +++++----- core/linux.html | 71 +++++++------ core/network.html | 16 +-- core/package.html | 16 +-- core/ports.html | 8 +- core/reboot.html | 11 ++- core/scripts/setup-install.sh | 2 +- core/tmux.html | 6 +- core/tty-terminal.html | 4 +- tools/conf/etc/rc.d/dnscrypt-proxy | 5 +- tools/dnsmasq.html | 7 +- tools/gitolite.html | 3 +- tools/index.html | 6 -- tools/mutt.html | 10 +- tools/qemu.html | 18 ++-- tools/x.html | 28 ++++-- 24 files changed, 671 insertions(+), 287 deletions(-) create mode 100644 core/grsecurity.html create mode 100644 core/hardening.html (limited to 'core/conf/iptables/rules.v4') diff --git a/core/bash.html b/core/bash.html index 2c1f6e9..353d7df 100644 --- a/core/bash.html +++ b/core/bash.html @@ -2,12 +2,12 @@ - 2.4.2. Bash + 2.5.2. Bash Core OS Index -

2.4.2. Bash

+

2.5.2. Bash

Just to be sure, setup bash as default login;

@@ -32,7 +32,7 @@ alias, editor. -

2.4.2.1. Profile

+

2.5.2.1. Profile

Example of ~/.profile;

@@ -43,7 +43,7 @@ export SSH_AUTH_SOCK # enable gpg-agent for ssh -

2.4.2.2. Bash RC

+

2.5.2.2. Bash RC

Example of ~/.bashrc;

@@ -106,7 +106,7 @@ fi -

2.4.2.3. Bash profile

+

2.5.2.3. Bash profile

Example of ~/.bash_profile;

diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh index fae7345..58d92c3 100644 --- a/core/conf/iptables/iptables-lan.sh +++ b/core/conf/iptables/iptables-lan.sh @@ -26,8 +26,7 @@ NIC_NAME="enp8s0 wlp7s0" # Logging options. #------------------------------------------------------------------------------ -LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options" -LOG="$LOG --log-ip-options" +LOG="LOG --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options" # Defaults for rate limiting @@ -59,9 +58,9 @@ $MODPROBE ip_conntrack_irc # Drop everything by default. $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP -$IPTABLES -P OUTPUT ACCEPT +$IPTABLES -P OUTPUT DROP -# Set the nat/mangle/raw tables' chains to ACCEPT +# Set the nat/mangle/raw tables' chains to DROP $IPTABLES -t mangle -P PREROUTING ACCEPT $IPTABLES -t mangle -P INPUT ACCEPT 
@@ -89,53 +88,58 @@ $IPTABLES -t mangle -Z # Block all IPv6 traffic # If the ip6tables command is available, try to block all IPv6 traffic. -if test -x $IP6TABLES; then +#if test -x $IP6TABLES; then # Set the default policies # drop everything -$IP6TABLES -P INPUT DROP 2>/dev/null -$IP6TABLES -P FORWARD DROP 2>/dev/null -$IP6TABLES -P OUTPUT DROP 2>/dev/null - -# The mangle table can pass everything -$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null +#$IP6TABLES -P INPUT DROP +#$IP6TABLES -P FORWARD DROP +#$IP6TABLES -P OUTPUT DROP +# +## The mangle table can pass everything +#$IP6TABLES -t mangle -P PREROUTING ACCEPT +#$IP6TABLES -t mangle -P INPUT ACCEPT +#$IP6TABLES -t mangle -P FORWARD ACCEPT +#$IP6TABLES -t mangle -P OUTPUT ACCEPT +#$IP6TABLES -t mangle -P POSTROUTING ACCEPT # Delete all rules. -$IP6TABLES -F 2>/dev/null -$IP6TABLES -t mangle -F 2>/dev/null - -# Delete all chains. -$IP6TABLES -X 2>/dev/null -$IP6TABLES -t mangle -X 2>/dev/null - -# Zero all packets and counters. -$IP6TABLES -Z 2>/dev/null -$IP6TABLES -t mangle -Z 2>/dev/null -fi +#$IP6TABLES -F 2>/dev/null +#$IP6TABLES -t mangle -F 2>/dev/null +# +## Delete all chains. +#$IP6TABLES -X 2>/dev/null +#$IP6TABLES -t mangle -X 2>/dev/null +# +## Zero all packets and counters. +#$IP6TABLES -Z 2>/dev/null +#$IP6TABLES -t mangle -Z 2>/dev/null +#fi # Custom user-defined chains. #------------------------------------------------------------------------------ # LOG packets, then ACCEPT. $IPTABLES -N ACCEPTLOG -$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT " +$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "iptables: ACCEPT " $IPTABLES -A ACCEPTLOG -j ACCEPT # LOG packets, then DROP. 
$IPTABLES -N DROPLOG -$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP " +$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "iptables: DROP " $IPTABLES -A DROPLOG -j DROP # LOG packets, then REJECT. # TCP packets are rejected with a TCP reset. $IPTABLES -N REJECTLOG -$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT " +$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "iptables: REJECT " $IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset $IPTABLES -A REJECTLOG -j REJECT +# Allow loopback interface to do anything. +$IPTABLES -A INPUT -i lo -j ACCEPT +$IPTABLES -A OUTPUT -o lo -j ACCEPT + + # Only allows RELATED ICMP types # (destination-unreachable, time-exceeded, and parameter-problem). # TODO: Rate-limit this traffic? @@ -185,10 +189,6 @@ $IPTABLES -A FORWARD -p icmp -j DROPLOG # Selectively allow certain special types of traffic. #------------------------------------------------------------------------------ -# Allow loopback interface to do anything. -$IPTABLES -A INPUT -i lo -j ACCEPT -$IPTABLES -A OUTPUT -o lo -j ACCEPT - # Allow incoming connections related to existing allowed connections. $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT @@ -199,7 +199,7 @@ $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #------------------------------------------------------------------------------ # We don't care about Milkosoft, Drop SMB/CIFS/etc.. -# ^ person before me; my label = psychogreedyevilsoft +# ^ greedyevilsoft $IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP $IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP 
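Review bot: Commenting out the whole `if test -x $IP6TABLES` block in the `@@ -89,53 +88,58 @@` hunk removes the only IPv6 policy the script had; if the kernel has IPv6 enabled, ip6tables stays at its default ACCEPT policies and every IPv4 rule below can be bypassed over IPv6. If the intent is to leave IPv6 alone until real rules exist, say so in a comment and disable IPv6 elsewhere (e.g. a `net.ipv6.conf.all.disable_ipv6 = 1` sysctl); otherwise restore at least `$IP6TABLES -P INPUT DROP`, `$IP6TABLES -P FORWARD DROP`, `$IP6TABLES -P OUTPUT DROP` inside the original `if test -x "$IP6TABLES"; then … fi` guard. The rest of this hunk (log prefixes, loopback accept moved ahead of the ICMP chains) is fine.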
@@ -234,12 +234,13 @@ $IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN $IPTABLES -A SYN_FLOOD -j DROP -$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 -$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP - -$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " -$IPTABLES -A INPUT -f -j DROP +#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 30/min --limit-burst 7 -j DROPLOG --log-prefix "iptables: drop sync: " --log-level 7 +#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP +$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +#$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " +#$IPTABLES -A INPUT -f -j DROP +$IPTABLES -A INPUT -f -j DROPLOG # TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc... 
@@ -247,22 +248,67 @@ $IPTABLES -A INPUT -f -j DROP #------------------------------------------------------------------------------ # Allow incoming SSH requests. -$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT +#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT + +# Allow incoming https server +#$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --sport $PHIGH -m state --state NEW,ESTABLISHED -j ACCEPT + + +# Selectively allow certain outbound connections, block the rest. +#------------------------------------------------------------------------------ +# + +# Allow ping +$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +# Allow to ssh clients +$IPTABLES -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +# Allow to dns +$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow irc +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to xmmp +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +# Allow to rsync server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to pop3s server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to smtps server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to ntp server +$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to ftp server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to https server +$IPTABLES -A 
OUTPUT -p tcp -m tcp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +#$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to http server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT + +# Selectively allow certain outbound server connections, block the rest. +#------------------------------------------------------------------------------ + +# Allow from https server +#$IPTABLES -A OUTPUT -p tcp -m tcp --sport 443 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT + +# Allow from dns server +#$IPTABLES -A OUTPUT -p udp -m udp --sport 53 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT # Explicitly log and reject everything else. #------------------------------------------------------------------------------ # Use REJECT instead of REJECTLOG if you don't need/want logging. -$IPTABLES -A INPUT -j REJECTLOG -$IPTABLES -A OUTPUT -j REJECTLOG +$IPTABLES -A INPUT -j DROPLOG +$IPTABLES -A OUTPUT -j DROPLOG $IPTABLES -A FORWARD -j REJECTLOG # Counter hits -for i in $NIC_NAME -do - iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set - iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP -done +#for i in $NIC_NAME +#do +# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set +# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP +#done #------------------------------------------------------------------------------ # Testing the firewall. @@ -273,5 +319,4 @@ done # Exit gracefully. #------------------------------------------------------------------------------ - - exit 0 +exit 0 diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/rules.v4 index 5a2ffe8..568455a 100644 
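Review bot: The new per-port OUTPUT allowlist and the closing `$IPTABLES -A OUTPUT -j DROPLOG` in the `@@ -247,22 +248,67 @@` hunk are appended after `$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT` (left in place at line 199 by this commit), so every new outbound connection is accepted before the allowlist is consulted and the switch to `-P OUTPUT DROP` changes nothing. Dropping NEW from that rule — `$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` — is what makes the allowlist take effect. Two smaller points: the "ssh clients" rule uses `--sport 2222` while the only inbound SSH rule in the script (now commented out) was `--dport 22`, so one of the two ports looks wrong; and `$PHIGH` is not defined anywhere visible in this diff — presumably it lives near `NIC_NAME` at the top, but if it is unset iptables rejects each `--sport $PHIGH` rule and the allowlist silently shrinks, so worth confirming.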
--- a/core/conf/iptables/rules.v4
+++ b/core/conf/iptables/rules.v4
@@ -1,25 +1,25 @@
-# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
+# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
 *security
-:INPUT ACCEPT [3624:2121853]
+:INPUT ACCEPT [4559:2307887]
 :FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [3590:999020]
+:OUTPUT ACCEPT [4459:962215]
 COMMIT
-# Completed on Tue Feb 21 13:55:04 2017
-# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
+# Completed on Sat Feb 25 18:34:17 2017
+# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
 *raw
-:PREROUTING ACCEPT [5432:2268406]
-:OUTPUT ACCEPT [3623:1011362]
+:PREROUTING ACCEPT [18446:3412851]
+:OUTPUT ACCEPT [4467:962535]
 COMMIT
-# Completed on Tue Feb 21 13:55:04 2017
-# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
+# Completed on Sat Feb 25 18:34:17 2017
+# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
 *nat
-:PREROUTING ACCEPT [1808:146553]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [322:28410]
-:POSTROUTING ACCEPT [289:16068]
+:PREROUTING ACCEPT [13936:1107904]
+:INPUT ACCEPT [49:2940]
+:OUTPUT ACCEPT [504:40037]
+:POSTROUTING ACCEPT [504:40037]
 COMMIT
-# Completed on Tue Feb 21 13:55:04 2017
-# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
+# Completed on Sat Feb 25 18:34:17 2017
+# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
 *mangle
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
@@ -27,21 +27,18 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 COMMIT
-# Completed on Tue Feb 21 13:55:04 2017
-# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
+# Completed on Sat Feb 25 18:34:17 2017
+# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
+:OUTPUT DROP [0:0]
 :ACCEPTLOG - [0:0]
 :DROPLOG - [0:0]
 :REJECTLOG - [0:0]
 :RELATED_ICMP - [0:0]
 :SYN_FLOOD - [0:0]
--A INPUT -i wlp7s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
--A INPUT -i wlp7s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
--A INPUT -i enp8s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
--A INPUT -i enp8s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
+-A INPUT -i lo -j ACCEPT
 -A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT
 -A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:"
 -A INPUT -p icmp -j DROP
@@ -50,7 +47,6 @@ COMMIT
 -A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP
 -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
 -A INPUT -p icmp -j DROPLOG
--A INPUT -i lo -j ACCEPT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
 -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
@@ -68,31 +64,41 @@ COMMIT
 -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG
 -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG
 -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD
--A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
--A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
--A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
--A INPUT -f -j DROP
--A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
--A INPUT -j REJECTLOG
+-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG
+-A INPUT -f -j DROPLOG
+-A INPUT -j DROPLOG
 -A FORWARD -p icmp -f -j DROPLOG
 -A FORWARD -p icmp -j DROPLOG
 -A FORWARD -m state --state INVALID -j DROP
 -A FORWARD -j REJECTLOG
+-A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -p icmp -j ACCEPT
 -A OUTPUT -p icmp -f -j DROPLOG
 -A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
 -A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP
 -A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
 -A OUTPUT -p icmp -j DROPLOG
--A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state INVALID -j DROP
--A OUTPUT -j REJECTLOG
--A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
+-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -j DROPLOG
+-A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
 -A ACCEPTLOG -j ACCEPT
--A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
+-A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
 -A DROPLOG -j DROP
--A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
+-A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
 -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
 -A REJECTLOG -j REJECT --reject-with icmp-port-unreachable
 -A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT
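Review bot: The saved ruleset has the same ordering flaw as the script: the context line `-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT` precedes every added per-port OUTPUT rule and the new `-A OUTPUT -j DROPLOG`, so the `:OUTPUT DROP` policy introduced in the hunk above is never consulted for new flows and the allowlist is dead code. The unconditional `-A OUTPUT -p icmp -j ACCEPT` at the top of the OUTPUT block likewise shadows the ICMP ESTABLISHED/RELATED/echo-request rules under it, including the new type-8 rule. Changing the state rule to `-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` and deleting the bare `-A OUTPUT -p icmp -j ACCEPT` would make the rest of the OUTPUT chain meaningful. The INPUT side keeps `-A INPUT -p icmp -j DROP` ahead of its stateful ICMP rules (hunk above), which this commit does not address either.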
@@ -102,4 +108,4 @@ COMMIT -A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN -A SYN_FLOOD -j DROP COMMIT -# Completed on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index b60d3e6..d17c0c6 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -2,9 +2,13 @@ # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) # -kernel.printk = 15 1 1 4 -kernel.randomize_va_space = 1 -kernel.shmmax = 500000000 +kernel.printk = 7 1 1 4 +kernel.randomize_va_space = 2 +# Shared Memory +#kernel.shmmax = 500000000 +# Total allocated file handlers that can be allocated +# fs.file-nr= +vm.mmap_min_addr=65536 # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 @@ -16,14 +20,13 @@ kernel.pid_max = 65536 # Ioperm and iopl can be used to modify the running kernel. # Unfortunately, some programs need this access to operate properly, # the most notable of which are XFree86 and hwclock. hwclock can be -# remedied by having RTC support in the kernel, so real-time -# clock support is enabled if this option is enabled, to ensure +# remedied by having RTC support in the kernel, so real-time +# clock support is enabled if this option is enabled, to ensure # that hwclock operates correctly. -# +# # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. -#kernel.grsecurity.disable_priv_io = 1 kernel.grsecurity.disable_priv_io = 0 # If you say Y here, attempts to bruteforce exploits against forking 
@@ -36,13 +39,13 @@ kernel.grsecurity.disable_priv_io = 0 # In the suid/sgid case, the attempt is logged, the user has all their # existing instances of the suid/sgid binary terminated and will # be unable to execute any suid/sgid binaries for 15 minutes. -# +# # It is recommended that you also enable signal logging in the auditing # section so that logs are generated when a process triggers a suspicious # signal. # If the sysctl option is enabled, a sysctl option with name # "deter_bruteforce" is created. -#kernel.grsecurity.deter_bruteforce = 1 +kernel.grsecurity.deter_bruteforce = 1 # # Filesystem Protections @@ -58,7 +61,7 @@ fs.file-max = 65535 # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. -kernel.grsecurity.linking_restrictions = 1 +kernel.grsecurity.linking_restrictions = 0 # Apache's SymlinksIfOwnerMatch option has an inherent race condition @@ -72,7 +75,7 @@ kernel.grsecurity.linking_restrictions = 1 # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. -#kernel.grsecurity.enforce_symlinksifowner = 1 +kernel.grsecurity.enforce_symlinksifowner = 0 #kernel.grsecurity.symlinkown_gid = 33 # if you say Y here, users will not be able to write to FIFOs they don't @@ -80,7 +83,7 @@ kernel.grsecurity.linking_restrictions = 1 # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. -#kernel.grsecurity.fifo_restrictions = 1 +kernel.grsecurity.fifo_restrictions = 0 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems 
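Review bot: `kernel.grsecurity.linking_restrictions` goes from 1 to 0 in the hunk at old line 58 and `fifo_restrictions` is set to 0 in the hunk at old line 80, which switches off the world-writable-directory symlink, hardlink and FIFO protections the surrounding comments describe, yet the commit title ("core network revision") gives no reason. If a program on the host broke with them enabled, a comment above each line such as `# disabled: breaks <PROGRAM>` would let the next reviewer re-enable them later; otherwise keeping `kernel.grsecurity.linking_restrictions = 1` is the safer default. The same value changes are mirrored in core/linux.html later in this diff and would need the same comment there.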
@@ -115,14 +118,14 @@ kernel.grsecurity.chroot_caps = 1 # against another published method of breaking a chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_deny_chmod" is # created. -kernel.grsecurity.chroot_deny_chmod = 1 +kernel.grsecurity.chroot_deny_chmod = 1 # If you say Y here, processes inside a chroot will not be able to chroot # again outside the chroot. This is a widely used method of breaking -# out of a chroot jail and should not be allowed. If the sysctl -# option is enabled, a sysctl option with name +# out of a chroot jail and should not be allowed. If the sysctl +# option is enabled, a sysctl option with name # "chroot_deny_chroot" is created. -kernel.grsecurity.chroot_deny_chroot = 1 +kernel.grsecurity.chroot_deny_chroot = 1 # If you say Y here, a well-known method of breaking chroots by fchdir'ing # to a file descriptor of the chrooting process that points to a directory @@ -182,14 +185,14 @@ kernel.grsecurity.chroot_deny_unix = 1 # directory, so that `.' can be outside the tree rooted at # `/'. In particular, the super-user can escape from a # `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. -# +# # It is recommended that you say Y here, since it's not known to break # any software. If the sysctl option is enabled, a sysctl option with # name "chroot_enforce_chdir" is created. kernel.grsecurity.chroot_enforce_chdir = 1 # If you say Y here, processes inside a chroot will not be able to -# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, +# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, # getsid, or view any process outside of the chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_findtask" is # created. 
@@ -212,7 +215,7 @@ kernel.grsecurity.chroot_restrict_nice = 1 # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. -kernel.grsecurity.audit_group = 0 +kernel.grsecurity.audit_group = 0 # If you say Y here, the exec and chdir logging features will only operate # on a group you specify. This option is recommended if you only want to 
@@ -228,67 +231,64 @@ kernel.grsecurity.audit_group = 0 # name "exec_logging" is created. # WARNING: This option when enabled will produce a LOT of logs, especially # on an active system. -kernel.grsecurity.exec_logging = 0 +kernel.grsecurity.exec_logging = 0 # If you say Y here, all attempts to overstep resource limits will # be logged with the resource name, the requested size, and the current # limit. It is highly recommended that you say Y here. If the sysctl # option is enabled, a sysctl option with name "resource_logging" is # created. If the RBAC system is enabled, the sysctl value is ignored. -#kernel.grsecurity.resource_logging = 1 -kernel.grsecurity.resource_logging = 0 +kernel.grsecurity.resource_logging = 1 # If you say Y here, all executions inside a chroot jail will be logged # to syslog. This can cause a large amount of logs if certain # applications (eg. djb's daemontools) are installed on the system, and # is therefore left as an option. If the sysctl option is enabled, a # sysctl option with name "chroot_execlog" is created. -kernel.grsecurity.chroot_execlog = 0 +kernel.grsecurity.chroot_execlog = 0 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. -#kernel.grsecurity.audit_ptrace = 1 -kernel.grsecurity.audit_ptrace = 0 +kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. -kernel.grsecurity.audit_chdir = 0 +kernel.grsecurity.audit_chdir = 0 # If you say Y here, all mounts and unmounts will be logged. If the # sysctl option is enabled, a sysctl option with name "audit_mount" is # created. 
-#kernel.grsecurity.audit_mount = 1 -kernel.grsecurity.audit_mount = 0 +kernel.grsecurity.audit_mount = 1 # If you say Y here, certain important signals will be logged, such as # SIGSEGV, which will as a result inform you of when a error in a program # occurred, which in some cases could mean a possible exploit attempt. # If the sysctl option is enabled, a sysctl option with name # "signal_logging" is created. -kernel.grsecurity.signal_logging = 0 +kernel.grsecurity.signal_logging = 1 # If you say Y here, all failed fork() attempts will be logged. # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. #kernel.grsecurity.forkfail_logging = 1 -kernel.grsecurity.forkfail_logging = 0 +kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. # If the sysctl option is enabled, a sysctl option with name # "timechange_logging" is created. -#kernel.grsecurity.timechange_logging = 1 +kernel.grsecurity.timechange_logging = 1 # if you say Y here, calls to mmap() and mprotect() with explicit # usage of PROT_WRITE and PROT_EXEC together will be logged when # denied by the PAX_MPROTECT feature. This feature will also # log other problematic scenarios that can occur when PAX_MPROTECT -# is enabled on a binary, like textrels and PT_GNU_STACK. If the +# is enabled on a binary, like textrels and PT_GNU_STACK. If the # sysctl option is enabled, a sysctl option with name "rwxmap_logging" # is created. -#kernel.grsecurity.rwxmap_logging = 1 +kernel.grsecurity.rwxmap_logging = 1 # # Executable Protections 
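Review bot: The stale commented line `#kernel.grsecurity.forkfail_logging = 1` is kept directly above the now-active `kernel.grsecurity.forkfail_logging = 1`, while the equivalent commented duplicates for resource_logging, audit_ptrace, audit_mount and timechange_logging are removed in this same hunk; drop it for consistency. The comment block above the context line `kernel.grsecurity.audit_chdir = 0` is a copy of the audit_ptrace text ("attempts to attach to a process via ptrace") and does not describe that option; presumably it should say that chdir calls are logged, which is worth fixing while this block is being edited. This hunk turns on seven logging sysctls at once; a short header comment noting that exec_logging is deliberately left at 0 because of its volume (as its own comment warns) would document the choice.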
@@ -305,14 +305,14 @@ kernel.grsecurity.forkfail_logging = 0 kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms -kernel.kptr_restrict = 1 +#kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you # have been using the RBAC system, this option has already been # enabled for several years for all users, with the ability to make # fine-grained exceptions. -# +# # This option only affects the ability of non-root users to ptrace # processes that are not a descendent of the ptracing process. # This means that strace ./binary and gdb ./binary will still work, @@ -327,7 +327,7 @@ kernel.grsecurity.harden_ptrace = 1 # prevent infoleaking of their contents. This option adds # consistency to the use of that file mode, as the binary could normally # be read out when run without privileges while ptracing. -# +# # If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" # is created. kernel.grsecurity.ptrace_readexec = 1 @@ -341,7 +341,7 @@ kernel.grsecurity.ptrace_readexec = 1 # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. -#kernel.grsecurity.consistent_setxid = 1 +kernel.grsecurity.consistent_setxid = 0 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes @@ -359,7 +359,7 @@ kernel.grsecurity.ptrace_readexec = 1 # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. -kernel.grsecurity.harden_ipc = 1 +kernel.grsecurity.harden_ipc = 0 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." 
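Review bot: `kernel.kptr_restrict = 1` is replaced by the commented-out `#kernel.kptr_restrict = 2` in the hunk at old line 305, so the setting is no longer applied at all and the kernel's default governs what /proc/kallsyms exposes. If the intent was to tighten it the line should be active (`kernel.kptr_restrict = 2`); if grsecurity's own symbol hiding is relied on instead, a comment saying so would stop the next reader from re-enabling it. In the hunks at old lines 341 and 359, `consistent_setxid` is set to 0 and `harden_ipc` goes from 1 to 0, both relaxations with no explanation in the commit; a one-line `# reason:` comment on each would document the trade-off.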
@@ -367,7 +367,7 @@ kernel.grsecurity.harden_ipc = 1 # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 -kernel.grsecurity.tpe_gid = 101 +kernel.grsecurity.tpe_gid = 4 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This @@ -386,10 +386,11 @@ kernel.grsecurity.tpe_invert = 1 # world-writable, or in directories owned by root and writable only by # root. If the sysctl option is enabled, a sysctl option with name # "tpe_restrict_all" is created. -kernel.grsecurity.tpe_restrict_all = 0 +kernel.grsecurity.tpe_restrict_all = 1 + +kernel.grsecurity.harden_tty = 1 -#kernel.grsecurity.harden_tty = 1 # # Network Protections # @@ -418,7 +419,7 @@ net.ipv6.conf.lo.disable_ipv6 = 1 #net.ipv6.conf.default.dad_transmits = 0 #net.ipv6.conf.default.max_addresses = 0 -# Avoid a smurf attack +# Avoid a smurf attack, ping scanning net.ipv4.icmp_echo_ignore_broadcasts = 1 # Turn on protection for bad icmp error messages @@ -447,10 +448,6 @@ net.ipv4.conf.default.log_martians = 1 ## ignore echo broadcast requests to prevent being part of smurf attacks (default) net.ipv4.icmp_echo_ignore_broadcasts = 1 -# No source routed packets here -net.ipv4.conf.all.accept_source_route = 0 -net.ipv4.conf.default.accept_source_route = 0 - ## sets the kernels reverse path filtering mechanism to value 1(on) ## will do source validation of the packet's recieved from all the interfaces on the machine ## protects from attackers that are using ip spoofing methods to do harm 
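Review bot: `kernel.grsecurity.tpe_gid = 4` does not match the `tpe` group this same commit creates in core/grsecurity.html with `groupadd -g 200 tpe`; with `tpe_invert = 1` (the hunk header's context line) the gid named here is the group that is exempt from TPE, so pointing it at gid 4 exempts whatever group that is on the host rather than the documented one. The same mismatch applies to `socket_client_gid = 15` and `socket_server_gid = 99` in the later sysctl.conf hunks, where the documentation page creates gids 203 and 204 for socket-deny-client and socket-deny-server. Either the sysctl values or the groupadd lines should be changed so the two agree, e.g. `kernel.grsecurity.tpe_gid = 200`.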
@@ -459,16 +456,23 @@ net.ipv4.conf.default.rp_filter = 1 #net.ipv6.conf.default.rp_filter = 1 #net.ipv6.conf.all.rp_filter = 1 + # Make sure no one can alter the routing tables +# Act as a router, necessary for Access Point net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 +# No source routed packets here +# Discard packets with source routes, ip spoofing +net.ipv4.conf.all.accept_source_route = 0 +net.ipv4.conf.default.accept_source_route = 0 -# Act as a router, necessary for Access Point -net.ipv4.ip_forward = 1 -net.ipv4.conf.all.send_redirects = 1 -net.ipv4.conf.default.send_redirects = 1 + +net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.default.send_redirects = 0 + +net.ipv4.ip_forward = 0 # Increase system IP port limits net.ipv4.ip_local_port_range = 2000 65000 
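Review bot: The comment `# Act as a router, necessary for Access Point` now sits above the `accept_redirects`/`secure_redirects` lines, which it does not describe, and contradicts the new `net.ipv4.ip_forward = 0` and `send_redirects = 0` further down in the hunk. It was carried over from the removed forwarding block and should be dropped or rewritten as `# Forwarding and redirects off: this host is not a router`. Grouping the isolated `net.ipv4.ip_forward = 0` line with the two send_redirects lines under that single comment would keep the intent readable.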
@@ -477,15 +481,29 @@ net.ipv4.ip_local_port_range = 2000 65000 net.ipv4.tcp_rmem = 4096 87380 8388608 net.ipv4.tcp_wmem = 4096 87380 8388608 +# Disable proxy_arp +net.ipv4.conf.default.proxy_arp = 0 +net.ipv4.conf.all.proxy_arp = 0 + +# Disable bootp_relay +net.ipv4.conf.default.bootp_relay = 0 +net.ipv4.conf.all.bootp_relay = 0 + +# Decrease TCP fin timeout +net.ipv4.tcp_fin_timeout = 30 +# Decrease TCP keep alive time +net.ipv4.tcp_keepalive_time = 1800 +# Sen SynAck retries to 3 +net.ipv4.tcp_synack_retries = 3 # If you say Y here, neither TCP resets nor ICMP # destination-unreachable packets will be sent in response to packets # sent to ports for which no associated listening process exists. -# This feature supports both IPV4 and IPV6 and exempts the -# loopback interface from blackholing. Enabling this feature +# This feature supports both IPV4 and IPV6 and exempts the +# loopback interface from blackholing. Enabling this feature # makes a host more resilient to DoS attacks and reduces network # visibility against scanners. -# +# # The blackhole feature as-implemented is equivalent to the FreeBSD # blackhole feature, as it prevents RST responses to all packets, not # just SYNs. Under most application behavior this causes no @@ -498,7 +516,7 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # can spend in LAST_ACK state. If you're using haproxy and not # all servers it connects to have this option enabled, consider # disabling this feature on the haproxy host. -# +# # If the sysctl option is enabled, two sysctl options with names # "ip_blackhole" and "lastack_retries" will be created. # While "ip_blackhole" takes the standard zero/non-zero on/off 
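Review bot: The comment `# Sen SynAck retries to 3` in the hunk at old line 477 has a typo; `# Set SYN-ACK retries to 3`. The timer comments (`# Decrease TCP fin timeout`, `# Decrease TCP keep alive time`) restate the setting without giving a reason; since the rest of this file frames its network settings around DoS resilience, a line such as `# shorter timers release half-open and idle sockets sooner under load` would say why these values were chosen. The hunk at old line 498 is whitespace-only.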
@@ -506,14 +524,14 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # "tcp_retries1" and "tcp_retries2". The default value of 4 # prevents a socket from lasting more than 45 seconds in LAST_ACK # state. -#kernel.grsecurity.ip_blackhole = 1 -#kernel.grsecurity.lastack_retries = 4 +kernel.grsecurity.ip_blackhole = 1 +kernel.grsecurity.lastack_retries = 4 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. -#kernel.grsecurity.socket_all = 1 +kernel.grsecurity.socket_all = 0 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID @@ -527,13 +545,13 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. -#kernel.grsecurity.socket_client = 1 +kernel.grsecurity.socket_client = 1 # Here you can choose the GID to disable client socket access for. # Remember to add the users you want client socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_client_gid" is created. -#kernel.grsecurity.socket_client_gid = 203 +kernel.grsecurity.socket_client_gid = 15 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be 
@@ -541,13 +559,13 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. -#kernel.grsecurity.socket_server = 1 +kernel.grsecurity.socket_server = 1 # Here you can choose the GID to disable server socket access for. # Remember to add the users you want server socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_server_gid" is created. -#kernel.grsecurity.socket_server_gid = 204 +kernel.grsecurity.socket_server_gid = 99 # # Physical Protections @@ -559,17 +577,15 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # device insertion will be logged. This option is intended to be # used against custom USB devices designed to exploit vulnerabilities # in various USB device drivers. -# +# # For greatest effectiveness, this sysctl should be set after any # relevant init scripts. This option is safe to enable in distros # as each user can choose whether or not to toggle the sysctl. -#kernel.grsecurity.deny_new_usb = 0 +kernel.grsecurity.deny_new_usb = 0 # # Restrict grsec sysctl changes after this was set # -#kernel.grsecurity.grsec_lock = 1 - - +kernel.grsecurity.grsec_lock = 0 # End of file diff --git a/core/dash.html b/core/dash.html index ed6dbab..a926ce7 100644 --- a/core/dash.html +++ b/core/dash.html @@ -2,13 +2,13 @@ - 2.4.1. Dash + 2.5.1. Dash Core OS Index -
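Review bot: `kernel.grsecurity.grsec_lock = 0` becomes an active line under the heading "Restrict grsec sysctl changes after this was set", but 0 leaves every grsecurity sysctl in this file changeable at runtime, which is the same as not setting it. If the unlocked state is deliberate so values can be tuned after boot, a comment such as `# left at 0 while tuning; set to 1 once these settings are final` would make that explicit; otherwise it should be set to 1 and stay the last grsecurity line applied. The explicit `kernel.grsecurity.deny_new_usb = 0` is likewise inert and would benefit from the same kind of note.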

2.4.1. Dash

+

2.5.1. Dash

By default dash installed as /bin/sh, if not relink;

diff --git a/core/exim.html b/core/exim.html index c1fd494..e922789 100644 --- a/core/exim.html +++ b/core/exim.html @@ -2,24 +2,33 @@ - 2.5. Exim + 2.6. Exim Core OS Index -

2.5. Exim

+

2.6. Exim

-

2.5.1. Exim Configuration

+

2.6.1. Exim Configuration

Exim come with default configuration we will change to mach system settings /etc/exim/exim.conf.

-

2.5.2. Certificates

+
+        $ sudo prt-get depinst mailx
+        
-

Create private key, this example issues a certificate to - core.privat-server.net, if you wish get a subdomain from - afraid.org - pointing to your public ip. -

+

2.6.2. Certificates

+ +

Exim creates a key for you if you just copy exim.conf and start daemon;

+ +
+        # cp /home/silvino/data/git/c9/c9-doc/core/conf/exim/exim.conf /etc/exim/exim.conf
+        # sh /etc/rc.d/exim start
+        SSL certificate /etc/ssl/certs/exim.crt with key /etc/ssl/keys/exim.key for host c9.core created
+        #
+        
+ +

Manually create a private key;

 	$ sudo mkdir /etc/ssl/keys
@@ -55,7 +64,7 @@
 	# chmod 644 /etc/ssl/certs/exim.cert
 	
-

2.5.3. Aliases

+

2.6.3. Aliases

Exim come with default aliases we will change to mach system settings /etc/exim/aliases;

@@ -100,7 +109,7 @@ #### -

2.5.4. Smarthost

+

2.6.4. Smarthost

Tony Finch publish a nice configuration reference. @@ -124,7 +133,7 @@ # exim -bt bob@remote.com -

2.5. Fetchmail

+

2.6. Fetchmail

         $ prt-get depinst fetchmail
diff --git a/core/grsecurity.html b/core/grsecurity.html
new file mode 100644
index 0000000..cda9bfb
--- /dev/null
+++ b/core/grsecurity.html
@@ -0,0 +1,85 @@
+
+
+    
+        
+        Grsecurity
+    
+    
+
+        Tools Index
+
+        

Grsecurity

+ +

Grsecurity utilities are installed and configured in + hardening, kernel witch grsecurity + patch is installed using + linux port.

+ + +

Special Groups

+
+        getent group tpe >/dev/null || groupadd -g 200 tpe
+        getent group audit >/dev/null || groupadd -g 201 audit
+        getent group socket-deny-all >/dev/null || groupadd -g 202 socket-deny-all
+        getent group socket-deny-client >/dev/null || groupadd -g 203 socket-deny-client
+        getent group socket-deny-server >/dev/null || groupadd -g 204 socket-deny-server
+        
+ +

Pax

+ +

Grub uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on affected binaries, or if PAX_EMUTRAMP is not enabled in the kernel, needs MPROTECT disabled on affected binaries. Depending on the version of grub in use, some of the following files may not exist, but you should mark all those that exist. To add EMUTRAMP, use the '-CE' argument to paxctl. To remove MPROTECT, use '-Cm'.

+ + /usr/bin/grub-script-check + /usr/sbin/grub-probe + /usr/sbin/grub-mkdevicemap + +

Gradm

+ +

Gradm is grsecurity access control lists administration utility. Gradm + have a + learning mode + per-subject, per-role or system-wide. Learning mode gather information that + RBAC system supports, it reduces policy size, increase readability and enforces + that is configurable. Protected resources can be added to /etc/grsec/learn_cong + to learning system.

+ +

Entering in learning mode;

+ +
+        # gradm -F -L /etc/grsec/learning.log
+        
+ +

To perform administrative tasks while system learning is running, + authenticate to admin role;

+ +
+        # gradm -a admin
+        
+ +

When learning system have gather sufficient data disable RBAC system;

+ +
+        # gradm -D
+        
+ +

Now that RBAC is disable data collected can be used to generate ACLs;

+ +
+        # gradm -F -L /etc/grsec/learning.logs -O /etc/grset/policy
+        
+ +

Start RBAC with policy;

+ +
+        # gradm -E
+        
+ + Tools Index +

This is part of the c9-doc Manual. + Copyright (C) 2017 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.

+ + + diff --git a/core/hardening.html b/core/hardening.html new file mode 100644 index 0000000..478c911 --- /dev/null +++ b/core/hardening.html @@ -0,0 +1,197 @@ + + + + + Hardening + + + + Tools Index + +

Hardening

+ +

Kernel in ports have upstream linux kernel and + grsecurity patch, it should break some functionality + for the user and pkgmk user if tpe protection is active.

+ +
+        $ sudo prt-get depinst gradm paxtest paxd checksec lynis
+        
+ +

Check grsecurity on how to setup + kernel, pax and gradm.

+ +

Lynis tries to give system overall configuration, without + changing default profile run irrelevant tests. Create a lynis + profile by coping default one and run lynis;

+ +
+        $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
+        $ sudo lynis configure settings color=yes
+        $ sudo lynis show settings
+        $ sudo lynis show profile
+        
+ +
+        $ lynis audit system > lynis_report
+        $ mv /tmp/lynis.log .
+        $ mv /tmp/lynis-report.dat .
+        
+ +

Add unnecessary tests to profile to have less noise.

+ +

Rebuild Toolchain

+ +

Add flags to pkgmk configuration and change specific ports that + don't build with hardening flags. More information about + arch security, + gentoo security, + gcc instrumentation-options + and glibc + configuring and compiling. Edit /etc/pkgmk.conf;

+ +
+        export CPPFLAGS="-D_FORTIFY_SOURCE=2"
+        export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4"
+        export CXXFLAGS="${CFLAGS}"
+        export LDFLAGS="-z relro"
+        
+ +

Core

+ +

Ports in core collection that need to be changed in order + to build with pkgmk harden configuration.

+ +

Glibc

+ + + +
+        export CPPFLAGS=""
+        export CFLAGS="-O2 -march=native -mtune=native"
+        export CXXFLAGS="${CFLAGS}"
+        export LDFLAGS=""
+        
+ +
+        ../$name-${version:0:4}/configure --prefix=/usr \
+                --libexecdir=/usr/lib \
+                --with-headers=$PKG/usr/include \
+                --enable-kernel=3.12 \
+                --enable-add-ons \
+                --enable-static-nss \
+                --disable-profile \
+                --disable-werror \
+                --without-gd \
+                --enable-obsolete-rpc \
+                --enable-multi-arch \
+                --enable-stackguard-randomization \
+                --enable-stack-protector=strong
+        
+ +

Gcc

+ + + +
+        export CPPFLAGS=""
+        export CFLAGS="-O2 -march=native -mtune=native"
+        export CXXFLAGS="${CFLAGS}"
+        export LDFLAGS=""
+        
+ +

libcap

+ + + +

bzip2

+ + + +

hdparm

+ + + +

Opt

+ +

lsof

+ + + +

python

+ + + +

zip

+ + + +

glew

+ + + +

dmenu

+ + + +

Boost

+ + + +
+        export CPPFLAGS=""
+        export CFLAGS="-O2 -march=native -mtune=native"
+        export CXXFLAGS="${CFLAGS}"
+        export LDFLAGS=""
+        
+ +

Contrib

+ +

gsl

+ + + + + Tools Index +

This is part of the c9-doc Manual. + Copyright (C) 2017 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.

+ + + diff --git a/core/index.html b/core/index.html index 6859376..97376f4 100644 --- a/core/index.html +++ b/core/index.html @@ -79,41 +79,46 @@
  • 2.1.5. Sysctl
  • - -
  • 2.2. Network +
  • 2.2. Hardening + +
  • +
  • 2.3. Network
  • -
  • 2.3. Package Management +
  • 2.4. Package Management
  • -
  • 2.4. Terminals and shells +
  • 2.5. Terminals and shells
  • -
  • 2.5. Exim +
  • 2.6. Exim
  • diff --git a/core/linux.html b/core/linux.html index 903d9e2..888b916 100644 --- a/core/linux.html +++ b/core/linux.html @@ -164,9 +164,8 @@ kernel.printk = 7 1 1 4 kernel.randomize_va_space = 2 - kernel.kptr_restrict = 2 # Shared Memory - kernel.shmmax = 500000000 + #kernel.shmmax = 500000000 # Total allocated file handlers that can be allocated # fs.file-nr= vm.mmap_min_addr=65536 @@ -188,7 +187,6 @@ # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. - #kernel.grsecurity.disable_priv_io = 1 kernel.grsecurity.disable_priv_io = 0 # If you say Y here, attempts to bruteforce exploits against forking @@ -207,7 +205,7 @@ # signal. # If the sysctl option is enabled, a sysctl option with name # "deter_bruteforce" is created. - #kernel.grsecurity.deter_bruteforce = 1 + kernel.grsecurity.deter_bruteforce = 1 # # Filesystem Protections @@ -223,7 +221,7 @@ # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. - kernel.grsecurity.linking_restrictions = 1 + kernel.grsecurity.linking_restrictions = 0 # Apache's SymlinksIfOwnerMatch option has an inherent race condition @@ -237,7 +235,7 @@ # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. - #kernel.grsecurity.enforce_symlinksifowner = 1 + kernel.grsecurity.enforce_symlinksifowner = 0 #kernel.grsecurity.symlinkown_gid = 33 # if you say Y here, users will not be able to write to FIFOs they don't 
@@ -245,7 +243,7 @@ # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. - #kernel.grsecurity.fifo_restrictions = 1 + kernel.grsecurity.fifo_restrictions = 0 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems @@ -280,14 +278,14 @@ # against another published method of breaking a chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_deny_chmod" is # created. - kernel.grsecurity.chroot_deny_chmod = 1 + kernel.grsecurity.chroot_deny_chmod = 1 # If you say Y here, processes inside a chroot will not be able to chroot # again outside the chroot. This is a widely used method of breaking # out of a chroot jail and should not be allowed. If the sysctl # option is enabled, a sysctl option with name # "chroot_deny_chroot" is created. - kernel.grsecurity.chroot_deny_chroot = 1 + kernel.grsecurity.chroot_deny_chroot = 1 # If you say Y here, a well-known method of breaking chroots by fchdir'ing # to a file descriptor of the chrooting process that points to a directory @@ -400,7 +398,7 @@ # limit. It is highly recommended that you say Y here. If the sysctl # option is enabled, a sysctl option with name "resource_logging" is # created. If the RBAC system is enabled, the sysctl value is ignored. - #kernel.grsecurity.resource_logging = 1 + kernel.grsecurity.resource_logging = 1 # If you say Y here, all executions inside a chroot jail will be logged # to syslog. This can cause a large amount of logs if certain 
@@ -412,8 +410,7 @@ # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. - #kernel.grsecurity.audit_ptrace = 1 - kernel.grsecurity.audit_ptrace = 0 + kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option @@ -423,27 +420,26 @@ # If you say Y here, all mounts and unmounts will be logged. If the # sysctl option is enabled, a sysctl option with name "audit_mount" is # created. - #kernel.grsecurity.audit_mount = 1 - kernel.grsecurity.audit_mount = 0 + kernel.grsecurity.audit_mount = 1 # If you say Y here, certain important signals will be logged, such as # SIGSEGV, which will as a result inform you of when a error in a program # occurred, which in some cases could mean a possible exploit attempt. # If the sysctl option is enabled, a sysctl option with name # "signal_logging" is created. - kernel.grsecurity.signal_logging = 0 + kernel.grsecurity.signal_logging = 1 # If you say Y here, all failed fork() attempts will be logged. # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. #kernel.grsecurity.forkfail_logging = 1 - kernel.grsecurity.forkfail_logging = 0 + kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. # If the sysctl option is enabled, a sysctl option with name # "timechange_logging" is created. - #kernel.grsecurity.timechange_logging = 1 + kernel.grsecurity.timechange_logging = 1 # if you say Y here, calls to mmap() and mprotect() with explicit # usage of PROT_WRITE and PROT_EXEC together will be logged when 
@@ -452,7 +448,7 @@ # is enabled on a binary, like textrels and PT_GNU_STACK. If the # sysctl option is enabled, a sysctl option with name "rwxmap_logging" # is created. - #kernel.grsecurity.rwxmap_logging = 1 + kernel.grsecurity.rwxmap_logging = 1 # # Executable Protections @@ -469,7 +465,7 @@ kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms - kernel.kptr_restrict = 1 + #kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you @@ -505,7 +501,7 @@ # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. - #kernel.grsecurity.consistent_setxid = 1 + kernel.grsecurity.consistent_setxid = 0 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes @@ -523,7 +519,7 @@ # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. - kernel.grsecurity.harden_ipc = 1 + kernel.grsecurity.harden_ipc = 0 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." @@ -531,7 +527,7 @@ # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 - kernel.grsecurity.tpe_gid = 101 + kernel.grsecurity.tpe_gid = 4 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This 
@@ -550,10 +546,11 @@ # world-writable, or in directories owned by root and writable only by # root. If the sysctl option is enabled, a sysctl option with name # "tpe_restrict_all" is created. - kernel.grsecurity.tpe_restrict_all = 0 + kernel.grsecurity.tpe_restrict_all = 1 - #kernel.grsecurity.harden_tty = 1 + kernel.grsecurity.harden_tty = 1 + # # Network Protections # @@ -687,14 +684,14 @@ # "tcp_retries1" and "tcp_retries2". The default value of 4 # prevents a socket from lasting more than 45 seconds in LAST_ACK # state. - #kernel.grsecurity.ip_blackhole = 1 - #kernel.grsecurity.lastack_retries = 4 + kernel.grsecurity.ip_blackhole = 1 + kernel.grsecurity.lastack_retries = 4 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. - #kernel.grsecurity.socket_all = 1 + kernel.grsecurity.socket_all = 0 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID @@ -708,13 +705,13 @@ # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. - #kernel.grsecurity.socket_client = 1 + kernel.grsecurity.socket_client = 1 # Here you can choose the GID to disable client socket access for. # Remember to add the users you want client socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_client_gid" is created. - #kernel.grsecurity.socket_client_gid = 203 + kernel.grsecurity.socket_client_gid = 15 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be 
@@ -722,13 +719,13 @@ # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. - #kernel.grsecurity.socket_server = 1 + kernel.grsecurity.socket_server = 1 # Here you can choose the GID to disable server socket access for. # Remember to add the users you want server socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_server_gid" is created. - #kernel.grsecurity.socket_server_gid = 204 + kernel.grsecurity.socket_server_gid = 99 # # Physical Protections @@ -744,12 +741,12 @@ # For greatest effectiveness, this sysctl should be set after any # relevant init scripts. This option is safe to enable in distros # as each user can choose whether or not to toggle the sysctl. - #kernel.grsecurity.deny_new_usb = 0 + kernel.grsecurity.deny_new_usb = 0 # # Restrict grsec sysctl changes after this was set # - #kernel.grsecurity.grsec_lock = 1 + kernel.grsecurity.grsec_lock = 0 # End of file
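Review bot: `kernel.grsecurity.grsec_lock = 0` leaves every grsecurity sysctl above it writable by root after boot, so a compromised root process can simply undo `tpe`, `harden_tty`, `ip_blackhole` and the rest; the comment directly above the line says this setting is the lock against exactly that. The new line only differs from the previous commented-out one in being explicit, so nothing is gained unless the unlocked state is intentional. If the system is still being tuned, a comment such as `# keep 0 while tuning tpe/socket gids; set to 1 once settled` documents that; for a finished configuration `kernel.grsecurity.grsec_lock = 1` should be the last grsecurity line sysctl applies, since nothing after it can be changed.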
    @@ -757,10 +754,10 @@ Core OS Index

    This is part of the c9-doc Manual. -Copyright (C) 2017 -c9 team. -See the file Gnu Free Documentation License -for copying conditions.

    + Copyright (C) 2017 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.

    diff --git a/core/network.html b/core/network.html index bcf52f5..4f1f20a 100644 --- a/core/network.html +++ b/core/network.html @@ -2,12 +2,12 @@ - 2. Network + 2.3. Network Core OS Index -

    2. Network

    +

    2.3. Network

    Operation of the network can be handle with init scripts;

    @@ -49,7 +49,7 @@ described scripts then proceed to update system.

    -

    2.2.1. Resolver

    +

    2.3.1. Resolver

    This example will use Chaos Computer Club @@ -65,7 +65,7 @@ # chattr +i /etc/resolv.conf -

    2.2.2. Static IP

    +

    2.3.2. Static IP

    Current example of /etc/rc.d/net;

    @@ -112,7 +112,7 @@ # ip route add default via ${GW} -

    2.2.3. Iptables

    +

    2.3.3. Iptables

    For more information about iptables read arch wiki. @@ -149,7 +149,7 @@

    -

    2.2.4. Wpa and dhcpd

    +

    2.3.4. Wpa and dhcpd

    There is more information on Wiki Wifi Start Scripts and @@ -167,7 +167,7 @@ # iwconfig wlp2s0 essid NAME key s:ABCDE12345 -

    2.2.4.1. Wpa Supplicant

    +

    2.3.4.1. Wpa Supplicant

    Configure wpa supplicant edit;

    @@ -197,7 +197,7 @@ init script to auto load wpa configuration and dhcp client.

    -

    2.2.4.2. Wpa Cli

    +

    2.3.4.2. Wpa Cli

             # wpa_cli
    diff --git a/core/package.html b/core/package.html
    index 3c59669..327029e 100644
    --- a/core/package.html
    +++ b/core/package.html
    @@ -2,13 +2,13 @@
     
         
             
    -        2.3. Package Management
    +        2.4. Package Management
         
         
     
             Core OS Index
     
    -        

    2.3. Package Management

    +

    2.4. Package Management

    For more information read crux handbook Package management front-end: @@ -57,7 +57,7 @@ $ prt-get depinst prt-utils prt-get-bashcompletion

    -

    2.3.1. Update System

    +

    2.4.1. Update System

    Before build software get latest version of port collections;

    @@ -87,7 +87,7 @@ $ prt-get update -fr $(revdep) -

    2.3.2. Install port and dependencies

    +

    2.4.2. Install port and dependencies

    Installing using prt-get tool;

    @@ -111,7 +111,7 @@

    If you user pkgmk and pkgadd allways check if README, pre and post instal files exist.

    -

    2.3.3. Ports collections

    +

    2.4.3. Ports collections

    Clone this documentation;

    @@ -146,7 +146,7 @@ $ sudo ports -u 6c37 -

    2.3.4. Show port information

    +

    2.4.4. Show port information

             $ prt-get info port_name
    @@ -164,13 +164,13 @@
             $ pkginfo -o filename
             
    -

    2.3.5. Show port dependencies

    +

    2.4.5. Show port dependencies

             $ prt-get depends port_name
             
    -

    2.3.6. Print information

    +

    2.4.6. Print information

    Example how to get ports installed from contrib. Maybe there is a "cleaner" way to this, for now is ok;

    diff --git a/core/ports.html b/core/ports.html index 98ccbba..9662e43 100644 --- a/core/ports.html +++ b/core/ports.html @@ -23,8 +23,8 @@ # useradd -U -M -d /usr/ports -s /bin/false pkgmk -

    You can add your self to group pkgmk, Members of this group will - not be under tpe protection.

    +

    You can add your self to group pkgmk. Check if members of this + group are under tpe protection.

             # usermod -a -G pkgmk c9admin
    @@ -62,7 +62,7 @@
             

    Edit fstab, change uid to id of pkgmk, this example 102;

    -        pkgmk /usr/ports/work tmpfs size=30G,uid=102,defaults 0 0
    +        pkgmk /usr/ports/work tmpfs size=30G,uid=102,defaults,mode=0750 0 0
             
    @@ -86,8 +86,6 @@ export CFLAGS="-O2 -march=native -mtune=native"
    -

    "-protector-strong" which only insert stack canaries in fuctions where overflow might actually happen

    -

    Discover number of cores/cpus to hard code -j option.

    diff --git a/core/reboot.html b/core/reboot.html
    index 7bc22ea..23e2996 100644
    --- a/core/reboot.html
    +++ b/core/reboot.html
    @@ -33,13 +33,22 @@
     
             

    1.4.1. Linux Kernel

    -

    Core ports have two kernels, linux-libre and linux-blob. +

    Core ports have two + linux kernels, + linux-libre and + linux-blob. Port linux-libre kernel is a true source based kernel that respects your freedoms, is x86_64 but not generic configured, select modules (drivers) for your hardware, for example correct graphic driver and disk. Port linux-blob is dangerous, contain blobs (from bad corporations).

    +

    Addition to upstream kernel is applied a patch with + more cpu families gcc optimizations and grsecurity patch. + Check tpe protection configuration on + sysctl if breaks functionality + during initial configuration.

    +
             # cd /usr/ports/c9-ports/linux-libre
             # pkgmk -d
    diff --git a/core/scripts/setup-install.sh b/core/scripts/setup-install.sh
    index 01e3bd1..0e0a720 100644
    --- a/core/scripts/setup-install.sh
    +++ b/core/scripts/setup-install.sh
    @@ -270,7 +270,7 @@ setup_ports() {
             PATH=/bin:/usr/bin:/sbin:/usr/sbin \
             /bin/bash -c "id pkgmk >> /etc/fstab"
     
    -    echo "pkgmk                                           /usr/ports/work tmpfs size=30G,gid=102,uid=101,defaults 0    0" >> $CHROOT/etc/fstab
    +    echo "pkgmk                                           /usr/ports/work tmpfs size=30G,gid=102,uid=101,defaults,mode=0750 0    0" >> $CHROOT/etc/fstab
     
         vim $CHROOT/etc/fstab
     
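Review bot: The fstab entry still hard-codes `uid=101,gid=102` for the pkgmk tmpfs, and with the new `mode=0750` any mismatch between those numbers and the real `pkgmk` ids now locks the build user out of `/usr/ports/work` instead of merely mis-owning it; the `id pkgmk` call two lines above shows the ids are not known in advance, and `core/ports.html` in this same commit gives `uid=102` for the same mount. Resolve them from the target system instead, e.g. `PKGMK_UID=$(chroot "$CHROOT" id -u pkgmk)` and `PKGMK_GID=$(chroot "$CHROOT" id -g pkgmk)`, and write `uid=$PKGMK_UID,gid=$PKGMK_GID` into the entry. How the existing `id pkgmk` is invoked (inside a chroot or not) begins before this hunk, so the exact form may need adjusting; `setup_ports` starts outside the hunk.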
    diff --git a/core/tmux.html b/core/tmux.html
    index d1ab587..fe494b5 100644
    --- a/core/tmux.html
    +++ b/core/tmux.html
    @@ -2,13 +2,13 @@
     
         
             
    -        2.4.3. Tmux
    +        2.5.3. Tmux
         
     
         
     
             Core OS Index
    -        

    2.4.3. Tmux

    +

    2.5.3. Tmux

    Install tmux, improves cli work efficiency;

    @@ -79,7 +79,7 @@ key } swap pane
    -

    2.4.3.1. Copy paste

    +

    2.5.3.1. Copy paste

    This instructions are valid if tmux.conf file discribed in this document is used;

    diff --git a/core/tty-terminal.html b/core/tty-terminal.html index 47f7bf0..1abf15e 100644 --- a/core/tty-terminal.html +++ b/core/tty-terminal.html @@ -2,13 +2,13 @@ - 2.4. Consoles, terminals and shells + 2.5. Consoles, terminals and shells Core OS Index -

    2.4. Consoles, terminals and shells

    +

    2.5. Consoles, terminals and shells

    Consoles
    diff --git a/tools/conf/etc/rc.d/dnscrypt-proxy b/tools/conf/etc/rc.d/dnscrypt-proxy index 0874fa6..db8cd77 100755 --- a/tools/conf/etc/rc.d/dnscrypt-proxy +++ b/tools/conf/etc/rc.d/dnscrypt-proxy @@ -12,7 +12,7 @@ # Authors: https://github.com/simonclausen/dnscrypt-autoinstall/graphs/contributors # Project site: https://github.com/simonclausen/dnscrypt-autoinstall -USER=nobody +USER=net PATH=/usr/sbin:/usr/bin:/sbin:/bin DAEMON=/usr/sbin/dnscrypt-proxy NAME=dnscrypt-proxy @@ -24,7 +24,8 @@ PKEY1=3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A case "$1" in start) echo "Starting $NAME" - $DAEMON --daemonize --ephemeral-keys --user=nobody --local-address=127.0.0.1:40 \ + $DAEMON --daemonize --ephemeral-keys --user=nobody \ + --local-address=127.0.0.1:40 \ --resolver-address=$ADDRESS3 \ --provider-name=$PNAME1 \ --provider-key=$PKEY3 \ diff --git a/tools/dnsmasq.html b/tools/dnsmasq.html index 2aa7b82..720979b 100644 --- a/tools/dnsmasq.html +++ b/tools/dnsmasq.html @@ -14,6 +14,11 @@ censorship there for respect your freedom and privacy. Read Tor Dns Resolver for more information.
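Review bot: `USER` is changed to `net` in the first hunk, but the `start)` case still passes `--user=nobody` literally on the rewrapped `$DAEMON` line, so the daemon keeps dropping to `nobody` and the new variable has no effect on the running process (whatever `USER` is used for in `stop` is outside the hunk). It should read `--user=$USER` so the rc script, the `useradd ... net` added to tools/dnsmasq.html and the `sudo -u net` example all agree. Separately, the unchanged context lines pair `--resolver-address=$ADDRESS3` and `--provider-key=$PKEY3` with `--provider-name=$PNAME1`; unless `$PNAME1` happens to equal the third provider's name, the certificate will be verified against the wrong provider name, so this looks worth confirming. The `case` statement continues beyond the hunk.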

    +
    +        $ sudo useradd -M -r -s /bin/false -g net net
    +        
    + +

    1. Dnscrypt

    @@ -28,7 +33,7 @@
             nobody user. Basic usage example;

    -        $ sudo -u nobody  dnscrypt-proxy --daemonize --resolver-name=<resolver name>
    +        $ sudo -u net  dnscrypt-proxy --daemonize --resolver-name=<resolver name>
             

    2. Dnsmasq

    diff --git a/tools/gitolite.html b/tools/gitolite.html index 94abda0..ab1ad3a 100644 --- a/tools/gitolite.html +++ b/tools/gitolite.html @@ -22,8 +22,7 @@

    Create user and home directory;

    -        # mkdir -p /srv/gitolite
    -        # useradd -r -s /bin/bash -m -d /srv/gitolite gitolite
    +        # useradd -r -s /bin/bash -U -m -d /srv/gitolite gitolite
             # chown gitolite:gitolite /srv/gitolite
             
    diff --git a/tools/index.html b/tools/index.html index da1cd40..2f84114 100644 --- a/tools/index.html +++ b/tools/index.html @@ -68,12 +68,6 @@

    System Administration

      -
    • Hardening - -
    • Network Tools
      • Dnscrypt and Dnsmasq
      • diff --git a/tools/mutt.html b/tools/mutt.html index ef7cdbd..5c72e0c 100644 --- a/tools/mutt.html +++ b/tools/mutt.html @@ -162,7 +162,15 @@

        2.1. System Email

        -

        Content of .mutt/system;

        +

        Check and point enviroment mail variable to new local maildir;

        + +
        +        $ echo "MAIL=$HOME/.mail/" >> ~/.bashrc
        +        $ source ~/.bashrc
        +        $ env | grep MAIL
        +        
        + +

        Content of .mutt/system;

                 color status green default
        diff --git a/tools/qemu.html b/tools/qemu.html
        index 1c58e49..c914d74 100644
        --- a/tools/qemu.html
        +++ b/tools/qemu.html
        @@ -43,22 +43,17 @@
                 this describes how to create a qcow2 type;

        -        $ qemu-img create -f qcow2 crux-img.qcow2 15G
        +        $ qemu-img create -f qcow2 crux-img.qcow2 20G
                 
        -

        You can mount disk image;

        +

        Qemu disk images can be treated as regular disks using + qemu disk network block device server;

                 $ sudo modprobe nbd
                 $ sudo qemu-nbd -c /dev/nbd0 /crux-img.qcow2
                 
        -

        To disconnect image disk (ndb);

        - -
        -        $ sudo qemu-nbd -d /dev/nbd0
        -        
        -

        Information about preparing partitions and storage administration. @@ -100,6 +95,13 @@ # mount $BLK_VAR $CHROOT/var

        +

        Before disconnecting image, clean dev mappings;

        + +
        +        $ sudo kpartx -d /dev/nbd0
        +        $ sudo qemu-nbd -d /dev/nbd0
        +        
        +

        2. Network

        Network configuration;

        diff --git a/tools/x.html b/tools/x.html index e01aaca..ad5ea6d 100644 --- a/tools/x.html +++ b/tools/x.html @@ -40,6 +40,12 @@ $ prt-get search xorg-font-bh | xargs sudo prt-get depinst
    +

    From 6c37 collection;

    + +
    +        $ prt-get depinst otf-sourcecode
    +        
    +

    Configure

    Example of /etc/skel/.xinitrc;

    @@ -170,24 +176,26 @@

    Window Managers

    -

    Dwm

    -        $ sudo prt-get depinst dmenu \
    -            dwm \
    -            spectrwm \
    +        $ sudo prt-get depinst \
    +            alsa-utils \
    +            libdrm \
    +            mesa3d \
    +            ffmpeg \
    +            gstreamer \
    +            gstreamer-vaapi \
    +            gst-plugins-base \
    +            gst-plugins-good \
    +            adwaita-icon-theme \
    +            dmenu \
                 st \
                 conky \
                 dillo \
    -            adwaita-icon-theme \
    +            spectrwm \
                 gparted \
                 gimp \
                 libreoffice \
    -            ffmpeg \
    -            gstreamer \
    -            gstreamer-vaapi \
    -            gst-plugins-base \
    -            gst-plugins-good \
                 epiphany
             
    -- cgit 1.4.1-2-gfad0