#!/bin/bash
# IP interfaces
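# IPv4 address of eth0, used as the destination in every per-service rule.
# Handles both the old net-tools output ("inet addr:1.2.3.4") and the newer
# one ("inet 1.2.3.4  netmask ..."); only the first match is taken.
# Prints nothing if the interface has no IPv4 address (or ifconfig is
# missing) -- start() checks for that before touching any rule, because a
# DROP policy applied while the address-based ACCEPT rules fail is a lockout.
eth0=$(ifconfig eth0 | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }')
# Change to 1 to enable logging of dropped packets
LOG=0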
#######################################
# Remove every rule and every user-defined chain from the filter table
# (the only table this script touches). Built-in chain policies are not
# changed here; start() and stop() set them explicitly.
#######################################
flush() {
  iptables -F
  iptables -X
}
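#######################################
# Install the IPv4 filter rules: default-deny on INPUT/FORWARD, accept
# loopback, established traffic, ping, and SSH/HTTP/DNS to the eth0 address.
# Globals:  eth0 (read), LOG (read)
# Returns:  1 without changing anything if eth0 has no address, else 0
# Note: only iptables (IPv4) is configured; ip6tables is never touched, so
# any IPv6 address on the host is not covered by these rules.
#######################################
start() {
  # Refuse to run without the interface address: every per-port rule below
  # uses it, and with an empty value those rules fail to load while the DROP
  # policy is still applied -- i.e. a remote lockout with no SSH.
  if [ -z "$eth0" ]; then
    echo "start: no IPv4 address found for eth0, leaving firewall untouched" >&2
    return 1
  fi
  # Flush just in case 'start' has been called twice without stop or restart
  flush
  # Default policies: deny everything not explicitly accepted below
  iptables --policy INPUT DROP
  iptables --policy OUTPUT DROP
  iptables --policy FORWARD DROP
  # Accept all on loopback
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  # Accept all packets that are part of an established connection.
  # OUTPUT also accepts NEW, so outbound connections are effectively unrestricted.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # Pings: echo request (type 8) in, echo reply (type 0) out
  iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d "$eth0" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type 0 -s "$eth0" -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Services reachable from anywhere on the eth0 address.
  # SSH (appended like the others; nothing above can drop it, so -I is not needed)
  iptables -A INPUT -d "$eth0" -p tcp --dport 22 -j ACCEPT
  # HTTP
  iptables -A INPUT -d "$eth0" -p tcp --dport 80 -j ACCEPT
  # DNS
  iptables -A INPUT -d "$eth0" -p udp --dport 53 -j ACCEPT
  if [ "$LOG" -eq 1 ]; then
    # Create a LOGDROP chain to log and drop packets. The limit match keeps
    # a flood of unwanted packets from filling the log; the prefix makes the
    # entries easy to grep for.
    iptables -N LOGDROP
    iptables -A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: "
    iptables -A LOGDROP -j DROP
    # Drop and log all other traffic inbound
    iptables -A INPUT -j LOGDROP
  else
    # Drop all other traffic inbound (explicit, on top of the DROP policy)
    iptables -A INPUT -j DROP
  fi
}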
#######################################
# Clear all rules and open the firewall completely: every built-in filter
# chain falls back to ACCEPT.
#######################################
stop() {
  local chain
  flush
  for chain in INPUT OUTPUT FORWARD; do
    iptables --policy "$chain" ACCEPT
  done
}
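# Dispatch on the action given as the first argument.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    # Unknown or missing action: report it instead of silently doing nothing,
    # so a typo in an init script or cron job does not pass unnoticed.
    echo "Usage: ${0##*/} {start|stop|restart}" >&2
    exit 1
    ;;
esac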
nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d (IP)
SSL:
/etc/apache2/mods-enabled/ssl.conf
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!ADH
Squid
When SSL terminates at a Squid reverse proxy, instead make changes to the squid.conf like so:
https_port 443 vhost cert=whatever.ssl key=whatever.key cafile=whatever.cer defaultsite=www.example.com cipher=DEFAULT:!EXPORT:!LOW options=NO_SSLv2
Other Squid changes:
# PCI Verizon scan results
reply_header_access X-Cache-Lookup deny all
reply_header_access X-Cache deny all
reply_header_access All allow all
via off
httpd_suppress_version_string on
PHP:
/etc/php5/apache2/php.ini
expose_php = Off
This gets rid of those horrible mountains of 'safe_mode' vulnerabilities reported to exist in versions of PHP 5.2.8 or lower, because it hides the version number. Hiding information like this that is sent back in HTTP headers is a good idea, and it is also something else that the scan complains about.
Kind of a dodgy fix: it only hides the version banner and does not change the PHP code itself. Obviously in a better world we'd be upgrading to a newer version of PHP, but maybe that isn't an option for whatever reason.
Don't leave any pages that call phpinfo() without checking the requester's IP too (note that behind a reverse proxy such as the Squid setup above, REMOTE_ADDR holds the proxy's address rather than the client's):
if( $_SERVER['REMOTE_ADDR'] == '1.2.3.4' ) { phpinfo(); }
Apache:
/etc/apache2/apache2.conf
ServerTokens Prod
(hides the Apache/PHP/SSL versions in the footer of pages, e.g. when you hit a 404, and probably in the headers too)
In any vhost, including the 000-default, prevent TRACE with mod_rewrite
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
The TRACE method is an HTTP command used for debugging purposes. A client sending the TRACE command to a web server will receive an echo of the entire request, including HTTP headers. It is possible for a malicious user to obtain sensitive information from the headers, such as cookies or authentication data.