[olug] Building a Hellacious Firewall

Jason Ferguson jferguson3 at home.com
Wed Jun 27 11:30:12 UTC 2001


Jon,

For once, I think someone needs to point out... telnet and ftp are not 
inherently evil. They are simply tools. I once made a point to my class 
about programs like NMAP using chainsaws as an example. They can be used 
to make firewood, or in one old 70s horror movie, they can be used to 
make chili.  It's just a tool; it's the owner that has the ultimate 
decision on its use (and consequences of its use).

Now, I do happen to agree: allowing telnet access into your network from 
the outside is asking for trouble: passwords and any data coming across 
the connection are fair game for anyone with a sniffer along the route. 
But I have used telnet on my internal network before (blocking it from 
the outside, some spoofing protection) for communications with Windows 
machines that I didn't want to go through the trouble of setting up SSH 
clients on.

FTP: well, it's still one of two standards for creating a file dump, the 
other being HTTP.  But this time I fully agree, if someone is crazy 
enough to set up a FTP server, make sure it's not you. I find web servers 
are actually easier to configure than FTP servers (more people working 
on Apache than on WU-FTP?). And on my internal network, I'll use Samba 
to set up shares accessible by my network.

But my original question remains: WHAT do we 
block/allow/reject/mark/mangle/mutilate to have my so-called 
"Hellacious" firewall?  Another problem area I came up with: ports 
666X-6670 are often used for irc communication. This is why you don't IRC 
as root... if someone comes in through those systems with an exploit, 
they'll have root access. Again, DROP/REJECT any traffic not coming from 
a known irc server.

Any other ideas? Remember, the idea of firewalls: stop the kiddies, and 
delay the pros long enough for them to find a less protected computer.

Jason


Jon wrote:

>This was really a good read for me.  I agree with what you are saying.  I don't know if there are many inexperienced Linux users on this list but thought I would share my minor insights into running a secure server.
>1. no telnet / ftp
>2. see number 1
>3. openssh with certificates so I can get connections without prompts.
>4. edit my /etc/inetd.conf and remove all services I don't use.
>
>I have only read one issue of 2600 but found the information to be invaluable.  It is really good to see how many mistakes people make.  There was an article describing how to take someone's email and searching the net for any uses of it.  At first thought this seems futile but they point out that if someone is active in usenet then with the awesome cataloging of message lists you can get some hits possibly.  It then pointed out that if someone ever posted live information to a usenet list you could get system info such as os and maybe even a config file or two if the admin got frustrated.  Anyway just some thoughts.
>
>-Jon W
>
>On Tue, Jun 26, 2001 at 04:33:23PM -0500, Jason Ferguson wrote:
>
>>Okay, iptables isn't tough:
>>
>>iptables -A INPUT --source (addy-of-bad-guy) -j LOG
>>iptables -A INPUT --source (same-addy) -j DROP
>>
>>Or something like that.
>>
>>However, we talk so much about the HOW to firewall, with ipchains or 
>>iptables, that we miss what I feel is even more important... WHAT to 
>>firewall.
>>
>>Now, for example... I've heard it said that AUTH (usually port 113, check 
>>your /etc/services) is a security risk to run: it lets people gather 
>>info about your computer. However, try connecting to IRC without it... 
>>you won't get far. Solution: deny AUTH requests from anyone besides the 
>>IRC servers. Just LOG all of your requests for awhile to get the IP 
>>address of the servers, then modify your rules. Same goes for any one of 
>>the other services; firewalls can block access to your services except 
>>for select IP addresses. This could allow something as bad as TELNET on 
>>your internal network without being dangerous to the outside (gotta be 
>>careful of spoofing, of course).
>>
>>I prefer to build my firewall script myself, rather than use some 
>>generator program. This is because if you just use a generator, do you 
>>REALLY know what you're blocking and/or allowing? Probably not.
>>
>>
>>IPTABLES brings new stuff to the table. I personally don't know how to 
>>use things like MARK. So, to get to the point of this email (finally), 
>>can some of the old pros here share some of their experience in the art 
>>of building firewalls rather than the science?
>>
>>Jason
>>
>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: olug-unsubscribe at bstc.net
>>For additional commands, e-mail: olug-help at bstc.net
>>
>
>
>

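The WHAT-to-firewall points raised in this thread (AUTH and the IRC ports only from known servers, LOG then DROP everyone else, telnet kept to the inside, a spoofing guard), written out as the kind of hand-built iptables script Jason describes. This is an added example, not code from anyone in the thread; it assumes eth0 is the outside interface, 192.168.1.0/24 is the LAN, and the IRC server addresses are TEST-NET placeholders to replace with what your LOG rules recorded.

```shell
#!/bin/sh
# Added example, not from the thread: a hand-written iptables policy for the
# points raised above. Assumed: eth0 is the outside interface, 192.168.1.0/24
# the internal LAN, and the IRC server addresses are TEST-NET placeholders to
# replace with what your LOG rules recorded. Run with "apply" to install the
# rules; any other invocation (or DRY_RUN=1) only prints them.
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IRC_SERVERS="${IRC_SERVERS:-203.0.113.10 203.0.113.11}"

# Apply a rule, or print it when DRY_RUN is set (no root needed to review).
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# TCP port (or low:high range) $2 on the outside interface: ACCEPT only from
# the hosts in $1, LOG everyone else with prefix $3, then DROP them.
allow_only_from() {
    _hosts="$1"; _ports="$2"; _tag="$3"
    for h in $_hosts; do
        ipt -A INPUT -i "$OUTSIDE_IF" -p tcp --dport "$_ports" -s "$h" -j ACCEPT
    done
    ipt -A INPUT -i "$OUTSIDE_IF" -p tcp --dport "$_ports" -j LOG --log-prefix "$_tag: "
    ipt -A INPUT -i "$OUTSIDE_IF" -p tcp --dport "$_ports" -j DROP
}

build_firewall() {
    ipt -F INPUT
    ipt -P INPUT DROP    # default deny; everything below is an exception
    # Spoofing guard: nothing arriving on the outside interface may claim a LAN source.
    ipt -A INPUT -i "$OUTSIDE_IF" -s "$LAN_NET" -j LOG --log-prefix "spoof: "
    ipt -A INPUT -i "$OUTSIDE_IF" -s "$LAN_NET" -j DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    allow_only_from "$IRC_SERVERS" 113 auth         # AUTH only for the IRC servers
    allow_only_from "$IRC_SERVERS" 6660:6670 irc    # IRC ports only from known servers
    # Telnet stays internal: accepted from the LAN side only; outside attempts are logged.
    ipt -A INPUT ! -i "$OUTSIDE_IF" -s "$LAN_NET" -p tcp --dport 23 -j ACCEPT
    ipt -A INPUT -i "$OUTSIDE_IF" -p tcp --dport 23 -j LOG --log-prefix "telnet: "
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT        # ssh from anywhere
}

# Number of generated rules matching a pattern, e.g. rule_count '-j DROP' -> 3.
rule_count() { (DRY_RUN=1; build_firewall) | grep -c -e "$1"; }

if [ "${1:-}" = "apply" ]; then build_firewall; else (DRY_RUN=1; build_firewall); fi
```

Review the dry-run output before running it with "apply": the point of writing the script by hand is knowing exactly which rule lets what through.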