Friday, March 16, 2012

How to secure your Kloxo server with iptables

Stop iptables service:
/etc/init.d/iptables stop

Disable iptables service:
chkconfig iptables off


Copy this code to /etc/init.d/firewall (reminder: disable "word wrap" in your text editor, e.g. nano -w /etc/init.d/firewall):

#!/bin/sh
# firewall
# chkconfig: 3 21 91
# description: Starts, stops iptables firewall

case "$1" in
start)

# Clear rules
iptables -t filter -F
iptables -t filter -X
echo "- Clear rules : [OK]"

# SSH In (first, so an admin session is never rate-limited or locked out)
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
echo "- SSH : [OK]"

# Don't break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "- established connections : [OK]"

# Block all connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo "- Block all connections : [OK]"

# SYN-Flood Protection: new TCP connections are sent through the syn-flood
# chain, which lets 10 per second (burst 50) through and logs and drops the rest.
# Without the final jump rule the chain would exist but never be consulted.
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
iptables -A syn-flood -j DROP
iptables -A INPUT -p tcp --syn -j syn-flood
echo "- SYN-Flood Protection : [OK]"

# Loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo "- Loopback : [OK]"

# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo "- PING : [OK]"

# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
echo "- DNS : [OK]"

# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo "- NTP : [OK]"

# FTP Out (control ports plus the passive data range)
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
# FTP In (established/related traffic is already accepted above)
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
echo "- FTP : [OK]"

# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
echo "- HTTP/HTTPS : [OK]"

# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
echo "- SMTP : [OK]"

# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
echo "- POP : [OK]"

# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
echo "- IMAP : [OK]"

# Kloxo control panel (7777 HTTPS, 7778 HTTP)
iptables -t filter -A INPUT -p tcp --dport 7777:7778 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7777:7778 -j ACCEPT
echo "- Kloxo : [OK]"

echo "- Firewall [OK]"
exit 0
;;

stop)
echo "Stopping Firewall... "
# Open all policies again and remove every rule and user chain
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t filter -F
iptables -t filter -X
echo "Firewall Stopped!"
exit 0
;;

restart)
/etc/init.d/firewall stop
/etc/init.d/firewall start
;;

*)
echo "Usage: /etc/init.d/firewall {start|stop|restart}"
exit 1
;;
esac


Make the script executable (root only):
chmod 700 /etc/init.d/firewall

Add the firewall service:
chkconfig --add firewall

Start the firewall automatically at boot:
chkconfig --level 2345 firewall on

Start the firewall:
/etc/init.d/firewall start
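Added example, not from the post: a small POSIX sh audit that reads an iptables-save dump and reports user chains that no rule jumps to, the INPUT policy, and the TCP ports INPUT accepts. The dump below is constructed to resemble a server where a syn-flood chain was defined but never referenced, a mistake that leaves the protection silently inactive.

```shell
#!/bin/sh
# Constructed iptables-save dump (sample data, not taken from a live server).
# Note that nothing jumps to syn-flood, so its limit/LOG/DROP rules never run.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:syn-flood - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A syn-flood -m limit --limit 10/sec --limit-burst 50 -j RETURN
-A syn-flood -j LOG --log-prefix "SYN FLOOD: "
-A syn-flood -j DROP
COMMIT'

# Print user-defined chains that no -j/-g target references (dead chains).
unreferenced_chains() {
  printf '%s\n' "$1" | awk '
    /^:/  { c = substr($1, 2)
            if (c != "INPUT" && c != "FORWARD" && c != "OUTPUT") defined[c] = 1 }
    /^-A/ { for (i = 1; i <= NF; i++) if ($i == "-j" || $i == "-g") jumped[$(i+1)] = 1 }
    END   { for (c in defined) if (!(c in jumped)) print c }'
}

# Print the default policy of built-in chain $2 (INPUT, FORWARD or OUTPUT).
chain_policy() {
  printf '%s\n' "$1" | awk -v chain=":$2" '$1 == chain { print $2 }'
}

# List the TCP destination ports that INPUT accepts, sorted, space-separated.
accepted_tcp_ports() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT / && / -p tcp / && / -j ACCEPT$/ {
      for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i+1) }' \
    | sort -n | tr '\n' ' ' | sed 's/ $//'
}
```

On a live server feed it the real dump, e.g. unreferenced_chains "$(iptables-save)"; any chain it prints is a rule set you believed was active but is not.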


If you have a slave server, add this on the master:

iptables -t filter -A INPUT -p tcp -s SLAVE_IP --dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d SLAVE_IP --dport 7779 -j ACCEPT

Note: replace SLAVE_IP with your slave server's IP.

Add this on the slave server:

iptables -t filter -A INPUT -p tcp -s MASTER_IP --dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d MASTER_IP --dport 7779 -j ACCEPT

Note: replace MASTER_IP with your master server's IP.

Thursday, March 15, 2012

Cron: running a job / script every 5 seconds

crontab -e

Add this to your crontab (cron's smallest interval is one minute, so the script itself does the 5-second loop):

*/1 * * * * /scripts/5secondrotatorscript.sh

#!/bin/bash
# One log file per cron run, named by the start time (HHMMSS)
LOGFILE=/root/username/logs/log_$(date +%H%M%S).log

# Run the PHP script every 5 seconds for one minute (12 runs), then exit;
# cron starts the next instance at the next minute
x=60
while [ "${x}" -gt 0 ]
do
    /usr/bin/php /home/username/public_html/scripts/file.php >> "$LOGFILE"
    x=$((x-5))
    sleep 5
done

Save this as 5secondrotatorscript.sh (the script the crontab entry above calls).

The NAT function of iptables

iptables -t nat -A PREROUTING -p tcp --dport 80 -d 1.1.1.1 -i eth0 -j DNAT --to 2.2.2.2:80

iptables -t nat -A POSTROUTING -p tcp --dport 80 -o eth0 -j SNAT --to 1.1.1.1

Notes:
- 1.1.1.1 is the IP address of eth0 on the reverse proxy, 2.2.2.2 is the IP address of eth0 on the web server.

- These two commands are run on the reverse proxy and only "redirect" traffic to port 80; if you need to redirect traffic to other ports, such as 443, you must add the corresponding commands.

- Command 1 changes the destination IP address (hence DNAT) of every TCP packet arriving at port 80 of IP 1.1.1.1 to port 80 of IP 2.2.2.2. It sits in the PREROUTING chain, meaning it is applied before the routing stage.

- Command 2 changes the source IP address (hence SNAT) of every TCP packet leaving via eth0 with destination port 80 to 1.1.1.1. It sits in the POSTROUTING chain, meaning it is applied after the routing stage.

Explanation:

1. Client 3.3.3.3 sends a packet (src=3.3.3.3, dst=1.1.1.1) to the reverse proxy 1.1.1.1.

2. The first command rewrites this packet to (src=3.3.3.3, dst=2.2.2.2).

3. The second command rewrites this packet to (src=1.1.1.1, dst=2.2.2.2).

4. After the web server 2.2.2.2 receives this packet, it creates a packet (src=2.2.2.2, dst=1.1.1.1) and sends it back to the reverse proxy 1.1.1.1.

5. The reverse proxy 1.1.1.1 looks at the NAT table entry created by the second command to rewrite this packet to (src=2.2.2.2, dst=3.3.3.3).

6. The reverse proxy 1.1.1.1 then looks at the NAT table entry created by the first command to rewrite this packet to (src=1.1.1.1, dst=3.3.3.3).

7. The reverse proxy 1.1.1.1 sends the packet (src=1.1.1.1, dst=3.3.3.3) back to the client 3.3.3.3.

Wednesday, March 14, 2012

Apache 2.2.x security tricks (CentOS) - Securing Apache 2.2.x

Install httpd-devel and gcc:
yum install httpd-devel gcc

Download these modules (you'll need the .c files):
mod_allowmethods: http://www.apachelounge.com/viewtopic.php?t=4238
mod_antiloris: http://sourceforge.net/projects/mod-antiloris/
mod_reqtimeout: https://github.com/apache/httpd/blob/2.2.x/modules/filters/mod_reqtimeout.c

Upload those files to your server (SFTP over the SSH port is a good way to do so).

Build and install the modules:

apxs -cia mod_allowmethods.c
apxs -cia mod_antiloris.c
apxs -cia mod_reqtimeout.c

Go to /etc/httpd/conf.d and add a file named 3rdparty.conf containing:

TraceEnable Off
<Directory />
    LimitRequestBody 8388608
    <IfModule allowmethods_module>
        AllowMethods GET HEAD OPTIONS POST
    </IfModule>
</Directory>

<IfModule antiloris_module>
    IPReadLimit 20
</IfModule>

<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

Please note that LimitRequestBody will disallow uploading/posting more than 8MB (8388608 bytes), but for most websites it should be ok.

Check that mod_antiloris is loaded (the grep output should contain the module version):

$ service httpd fullstatus | grep antiloris
mod_antiloris/0.4

Tuesday, March 13, 2012

Install mod_security in Kloxo (Lxadmin) on Centos 5.3

First of all make sure you switched the default webserver to Apache2. This can be done in the Kloxo admin console under the Server > Switch server tab.

Retrieve the mod_security binary for your platform. You can find detailed information here, but below are the key steps assuming you're running a Centos 5.3 VPS.

1. Validate the packages by installing the GPG key:

rpm --import http://www.jasonlitka.com/media/RPM-GPG-KEY-jlitka

2. Add the following to your '/etc/sysconfig/rhn/sources' file:

yum utterramblings http://www.jasonlitka.com/media/EL5/$ARCH

3. Type:

vi /etc/yum.repos.d/utterramblings.repo

... and then paste the following into the editor:

[utterramblings]
name=Jason's Utter Ramblings Repo
baseurl=http://www.jasonlitka.com/media/EL$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://www.jasonlitka.com/media/RPM-GPG-KEY-jlitka

4. Update your yum repository by typing yum update and accepting the update. This might take a bit of time depending on when you did your last update.

5. Install modsecurity by typing: yum install mod_security

6. Restart the Apache webserver: service httpd restart.

That's it!

Note that a default ruleset is included and activated during the installation. If you want to edit the configuration, the following can be useful:

/etc/httpd/conf.d: all files in this directory are loaded during Apache startup
/etc/httpd/conf.d/mod_security.conf: default configuration loading the mod_security module and the default rule set
/etc/httpd/modsecurity.d: default rule set


Reference: http://www.clientcentral.info/knowledgebase.php?action=displaycat&catid=1015

Tuesday, March 6, 2012

Using iptables to ban an IP

List all currently banned IPs:
/etc/init.d/iptables status

- Ban an IP:
iptables -A INPUT -s 123.42.168.250 -j DROP
iptables -A OUTPUT -p tcp -d 123.42.168.250 -j DROP


The commands above only ban the IP for the running session; when the iptables service is restarted, all banned IPs are lost.
To keep them, save the rules:

/etc/init.d/iptables save


[root@ns ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
2    DROP       all  --  112.213.95.11       0.0.0.0/0          
3    DROP       all  --  123.42.168.250       0.0.0.0/0          

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    DROP       tcp  --  0.0.0.0/0            112.213.95.11     
2    DROP       tcp  --  0.0.0.0/0            123.42.168.250     


To remove a banned IP, first determine the rule number (num) the ban is at:

[root@ns ~]# iptables -D INPUT 2
[root@ns ~]# iptables -D OUTPUT 1


Commands to view the rule list with line numbers:
iptables -L INPUT -v -n --line-numbers
iptables -L OUTPUT -v -n --line-numbers


The following command can also be used to remove a DROP rule by its specification instead of its number:
iptables -D INPUT -s 113.161.207.117 -j DROP
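Added example, not from the post: two POSIX sh helpers for the unban step above. drop_rule_number finds the rule number of a DROP entry for a given IP in a chain by parsing the "iptables status" listing format shown earlier (the listing below is a constructed copy), and valid_ipv4 rejects anything that is not a dotted-quad address before it is passed to iptables.

```shell
#!/bin/sh
# Constructed copy of the "/etc/init.d/iptables status" listing format
# (sample data, not a live server).
STATUS_OUTPUT='Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
2    DROP       all  --  112.213.95.11        0.0.0.0/0
3    DROP       all  --  123.42.168.250       0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            112.213.95.11
2    DROP       tcp  --  0.0.0.0/0            123.42.168.250'

# Return 0 only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
              exit 0 }
    { exit 1 }'
}

# Print the rule number of the DROP entry for IP $2 in chain $1, read from
# the status listing in $3 (source column for INPUT, destination for OUTPUT).
# Prints nothing when that chain has no DROP rule for the IP.
drop_rule_number() {
  printf '%s\n' "$3" | awk -v chain="$1" -v ip="$2" '
    /^Chain / { cur = $2; next }
    cur == chain && $2 == "DROP" && ($5 == ip || $6 == ip) { print $1; exit }'
}
```

Use the printed number with iptables -D CHAIN num, or delete by specification as in the last command above, which does not depend on numbers shifting after each deletion.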