Monday, June 22, 2009 

How to configure TCP/IP filtering in Windows 2000

This step-by-step article describes how to configure TCP/IP Filtering on Microsoft Windows 2000-based computers. Windows 2000-based computers support several methods of controlling inbound access. One of the simplest and most powerful methods of controlling inbound access is the TCP/IP Filtering feature. TCP/IP Filtering is available on all Windows 2000-based computers that have the TCP/IP stack installed. TCP/IP Filtering is useful from a security standpoint because it works in Kernel mode. In contrast, other methods of controlling inbound access to Windows 2000-based computers, such as the IPSec Policy filter and the Routing and Remote Access server, depend on User-mode processes or the Workstation and Server service. You can layer your TCP/IP inbound access control scheme by using TCP/IP Filtering together with IPSec filters and Routing and Remote Access packet filtering. This approach is especially useful if you want to control both inbound and outbound TCP/IP access, because TCP/IP Filtering controls only inbound access.
How to configure TCP/IP security

To configure TCP/IP security:

1. Click Start, point to Settings, click Control Panel, and then double-click Network and Dial-up Connections.
2. Right-click the interface on which you want to configure inbound access control, and then click Properties.
3. In the Components checked are used by this connection box, click Internet Protocol (TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
5. Click the Options tab.
6. Click TCP/IP filtering, and then click Properties.
7. Select the Enable TCP/IP Filtering (All adapters) check box. When you select this check box, you enable filtering for all adapters, but you configure the filters on a per-adapter basis. The same filters do not apply to all adapters.

There are three columns with the following labels:

TCP Ports
UDP Ports
IP Protocols

In each column, you must select one of the following options:

Permit All. If you want to permit all packets for TCP or UDP traffic, leave Permit All activated.

Permit Only. If you want to allow only selected TCP or UDP traffic, click Permit Only, click Add, and then type the appropriate port in the Add Filter dialog box. If you want to block all UDP or TCP traffic, click Permit Only, but do not add any port numbers in the UDP Ports or TCP Ports column. You cannot block UDP or TCP traffic by selecting Permit Only for IP Protocols and excluding IP protocols 6 and 17.

Note that you cannot block ICMP messages, even if you select Permit Only in the IP Protocols column and you do not include IP protocol 1.

TCP/IP Filtering can filter only inbound traffic. This feature does not affect outbound traffic or response ports that are created to accept responses from outbound requests. Use IPSec Policies or packet filtering if you require more control over outbound access.

Sunday, May 17, 2009 

Hardening CentOS 5

Configure a user account. Log out and log back in as that user; use su where required.
useradd
e.g. useradd myodduser

passwd myodduser

Configure Default runlevel to runlevel 3
Use your favorite text editor to edit /etc/inittab
Find a line that is similar to the following:
id:3:initdefault:

Verify that the number after "id:" is 3. If it is not, change it to 3.

To restrict virtual terminals to two:
Find the following stanza and change it so that only two virtual terminals are available:

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

Make it to:

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

Save /etc/inittab and exit

Edit /etc/fstab. For the file systems /tmp, /var, and /home, replace "defaults" with "noexec,nodev,nosuid".

noexec : Binaries are not allowed to be executed. NEVER use this option for your root file system!
nosuid : Blocks the operation of the suid and sgid bits.
nodev : Prevents any user from mounting the file system.
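The inittab and fstab edits above can be applied and checked from a script instead of by hand. The following is an added example, not code from the original post: it rewrites the options column for the listed mount points, comments out tty3 to tty6, and then verifies both files. File paths are parameters so the functions can be tried on copies first. One detail worth knowing when reading the fstab comment list above: the kernel's actual behaviour for "nodev" is to ignore device special files on that file system (it does not control who may mount it), and "noexec" must never be applied to "/", which the function refuses.

```bash
#!/bin/bash
# Added example, not part of the original post: apply the /etc/inittab and
# /etc/fstab edits described above with awk/sed, then verify them. Paths are
# parameters so the functions can be exercised on copies before touching the
# live files. "nodev" makes the kernel ignore device special files on that
# file system; "noexec" must never be applied to "/" (the function refuses it).

# usage: harden_fstab <fstab-file> <mount-point>...
# Rewrites the options column (field 4) from "defaults" to the hardened set
# for each listed mount point; other lines are copied unchanged.
harden_fstab() {
    local file=$1 mnt
    shift
    for mnt in "$@"; do
        if [ "$mnt" = "/" ]; then
            echo "refusing to set noexec on the root file system" >&2
            return 1
        fi
        awk -v m="$mnt" 'BEGIN { OFS = "\t" }
            $2 == m && $4 == "defaults" { $4 = "noexec,nodev,nosuid" }
            { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

# usage: limit_gettys <inittab-file>
# Comments out the mingetty entries for tty3..tty6, leaving tty1 and tty2.
limit_gettys() {
    sed -i -r 's|^([3-6]:2345:respawn:/sbin/mingetty tty[3-6])$|#\1|' "$1"
}

# usage: verify_hardening <fstab-file> <inittab-file> <mount-point>...
# Returns 0 only if every listed mount point carries all three options and
# exactly two getty lines remain active.
verify_hardening() {
    local fstab=$1 inittab=$2 mnt rc=0
    shift 2
    for mnt in "$@"; do
        awk -v m="$mnt" '$2 == m && $4 ~ /noexec/ && $4 ~ /nodev/ && $4 ~ /nosuid/ { ok = 1 }
                         END { exit !ok }' "$fstab" \
            || { echo "$mnt: options not hardened" >&2; rc=1; }
    done
    [ "$(grep -c '^[0-9]:2345:respawn:/sbin/mingetty' "$inittab")" -eq 2 ] \
        || { echo "more than two gettys are still enabled" >&2; rc=1; }
    return "$rc"
}

if [ "${1:-}" = "apply" ]; then   # sh harden-fs.sh apply   (as root; keeps .bak copies)
    cp /etc/fstab /etc/fstab.bak && cp /etc/inittab /etc/inittab.bak || exit 1
    harden_fstab /etc/fstab /tmp /var /home
    limit_gettys /etc/inittab
    verify_hardening /etc/fstab /etc/inittab /tmp /var /home \
        && echo "hardening applied; remount the file systems or reboot to activate"
fi
```

The options only take effect after a remount (or reboot), so run verify_hardening again afterwards against the output of mount if you want to be sure the live state matches the file.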


Disable unused services to save resources and to minimize potential security holes.
The services to be stopped are listed here; check appendix A in case of custom requirements.


NetworkManager
NetworkManagerDispatcher
acpid
apmd
autofs
avahi-daemon
avahi-dnsconfd
bluetooth
conman
cpuspeed
cups
dc_client
dc_server
dhcdbd
dund
firstboot
gpm
haldaemon
hidd
ibmasm
ip6tables
ipmi
irda
irqbalance
kdump
kudzu
mcstrans
mdmonitor
mdmpd
microcode_ctl
netfs
netplugd
nfs
nfslock
nscd
oddjobd
pand
pcscd
portmap
rdisc
restorecond
rpcgssd
rpcidmapd
rpcsvcgssd
saslauthd
setroubleshoot
smartd
smb
squid
tux
winbind
wpa_supplicant
xfs
ypbind
yum-updatesd



Use the following command format for each service (replace <service> with the service name):

chkconfig --level 12345 <service> off

To stop the service if it is currently running:

service <service> stop
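Running the two commands above by hand for every entry in the list is tedious and aborts noisily on packages that are not installed. The following is an added example, not code from the original post: it carries the service list above, checks for an init script before acting, and can print the plan before executing it. The init directory is a parameter only so the plan can be tested on a scratch directory.

```bash
#!/bin/bash
# Added example, not part of the original post: turn off the service list
# above in one pass. An init script's presence under /etc/init.d is checked
# first, so packages that are not installed are skipped instead of aborting
# the loop with a chkconfig error, and the plan can be printed before it is
# executed. The init directory is a parameter for that reason.

SERVICES="NetworkManager NetworkManagerDispatcher acpid apmd autofs avahi-daemon
avahi-dnsconfd bluetooth conman cpuspeed cups dc_client dc_server dhcdbd dund
firstboot gpm haldaemon hidd ibmasm ip6tables ipmi irda irqbalance kdump kudzu
mcstrans mdmonitor mdmpd microcode_ctl netfs netplugd nfs nfslock nscd oddjobd
pand pcscd portmap rdisc restorecond rpcgssd rpcidmapd rpcsvcgssd saslauthd
setroubleshoot smartd smb squid tux winbind wpa_supplicant xfs ypbind yum-updatesd"

# usage: service_installed <service> [init-dir]   -> 0 if an init script exists
service_installed() {
    [ -x "${2:-/etc/init.d}/$1" ]
}

# usage: disable_plan <service>   -> the two commands from the post, one per line
disable_plan() {
    printf 'chkconfig --level 12345 %s off\n' "$1"
    printf 'service %s stop\n' "$1"
}

# usage: build_plan [init-dir]   -> commands for every installed service in SERVICES
build_plan() {
    local svc
    for svc in $SERVICES; do
        service_installed "$svc" "${1:-/etc/init.d}" && disable_plan "$svc"
    done
    return 0
}

case ${1:-} in
    plan)  build_plan ;;                                   # sh disable-services.sh plan
    apply) build_plan | while read -r cmd; do              # sh disable-services.sh apply   (as root)
               echo "+ $cmd"
               $cmd || echo "  failed: $cmd" >&2
           done ;;
esac
```

Review the output of the plan mode before applying: the list above is the post's generic one, and a box that later hosts squid, NFS or Samba needs those entries removed from SERVICES first.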

Check /etc/hosts
It must be in the following format (see the 127.0.0.1 line):
127.0.0.1 localhost.localdomain localhost
IP.AD.DR.ESS machine.domain.name machine



Edit /etc/host.conf
order bind,hosts
multi on
nospoof on


Edit /etc/sysctl.conf and tighten the following settings:
net.ipv4.tcp_syncookies = 1 # Enable TCP SYN Cookie Protection
net.ipv4.conf.all.accept_source_route = 0 # Disables IP source routing
net.ipv4.conf.all.accept_redirects = 0 # Disable ICMP Redirect Acceptance
net.ipv4.conf.all.rp_filter = 1 # Enable IP spoofing protection, turn on source route verification
net.ipv4.icmp_echo_ignore_broadcasts = 1 # Enable ignoring broadcasts request
net.ipv4.icmp_ignore_bogus_error_responses = 1 # Enable bad error message Protection
net.ipv4.conf.all.log_martians = 1 # Log Spoofed Packets, Source Routed Packets, Redirect Packets

Edit /etc/hosts.deny
portmap: ALL

Edit /etc/hosts.allow
portmap: localhost
portmap: 127.0.0.1

SSH:
Disable root login, force protocol 2, and consider restricting SSH to specific users or groups:
Protocol 2
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
UsePrivilegeSeparation yes
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
AllowUsers admin user1 user2 user3 (replace userN with the actual user names)
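Both the sysctl list and the SSH list above are easy to get subtly wrong: a directive typed into the wrong file, a duplicate that overrides the hardened value, or a commented-out line that looks active. The following is an added example, not code from the original post, that audits a sysctl.conf and an sshd_config (assumed to live at /etc/sysctl.conf and /etc/ssh/sshd_config) against the settings listed above. It parses both syntaxes (key = value and Key value), ignores comments, and honours the precedence each program uses: sysctl applies the last occurrence of a key, while sshd uses the first one it finds.

```bash
#!/bin/bash
# Added example, not part of the original post: audit sysctl.conf and
# sshd_config against the hardening values listed above. Handles both the
# "key = value" and "Key value" syntaxes, strips comments, and respects each
# program's precedence (sysctl: last occurrence wins; sshd: first wins).

# usage: get_directive <file> <key> [first|last]   -> effective value, or nothing
get_directive() {
    awk -v k="$2" -v mode="${3:-last}" '
        { line = $0
          sub(/#.*/, "", line)                                   # drop comments
          sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line)
          if (line == "") next
          key = line; sub(/[[:space:]]*=.*|[[:space:]].*/, "", key)
          val = line; sub(/^[^[:space:]=]+[[:space:]]*=?[[:space:]]*/, "", val)
          if (tolower(key) == tolower(k) && val != "") {
              if (mode == "first" && found) next
              found = 1; v = val
          } }
        END { if (found) print v }' "$1"
}

# usage: audit_config <file> <key> <expected> [first|last]   -> PASS/FAIL line, 0/1
audit_config() {
    local got
    got=$(get_directive "$1" "$2" "${4:-last}")
    if [ "$(echo "$got" | tr '[:upper:]' '[:lower:]')" = "$(echo "$3" | tr '[:upper:]' '[:lower:]')" ]; then
        printf 'PASS %s = %s\n' "$2" "$got"
    else
        printf 'FAIL %s: want "%s", have "%s"\n' "$2" "$3" "${got:-unset}"
        return 1
    fi
}

# usage: audit_all <file> <want-list> [first|last]   -> returns the failure count
audit_all() {
    local fails=0 k v
    while IFS='=' read -r k v; do
        [ -n "$k" ] || continue
        audit_config "$1" "$k" "$v" "${3:-last}" || fails=$((fails + 1))
    done <<EOF
$2
EOF
    return "$fails"
}

SYSCTL_WANT='net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1'

SSHD_WANT='Protocol=2
HostbasedAuthentication=no
PermitRootLogin=no
PermitEmptyPasswords=no
UsePrivilegeSeparation=yes
AllowTcpForwarding=no
X11Forwarding=no
StrictModes=yes'

if [ "${1:-}" = "audit" ]; then   # sh audit-config.sh audit
    audit_all /etc/sysctl.conf "$SYSCTL_WANT" last;    f1=$?
    audit_all /etc/ssh/sshd_config "$SSHD_WANT" first; f2=$?
    if [ -n "$(get_directive /etc/ssh/sshd_config AllowUsers first)" ]; then
        echo "PASS AllowUsers is set"
    else
        echo "FAIL AllowUsers is not set"; f2=$((f2 + 1))
    fi
    echo "$((f1 + f2)) setting(s) need attention"
fi
```

The audit reads the files, not the running kernel or daemon: after fixing sysctl.conf run sysctl -p, and after fixing sshd_config run service sshd reload, then compare the live values (sysctl -a for the kernel side) with what the files say.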



Stripping It Down

The following RPMs are to be removed (add or remove packages from this list to suit your environment):


xkeyboard-config-0.8-7.fc6
dosfstools-2.11-6.2.el5
finger-0.17-32.2.1.1
dos2unix-3.1-27.1
esound-0.2.36-3
system-config-securitylevel-1.6.29.1-1.el5
NetworkManager-0.6.4-6.el5
OpenIPMI-2.0.6-5.el5.3
apmd-3.2.2-5
acpid-1.0.4-5
system-config-network-1.3.99-1.el5
gnome-python2-gtkhtml2-2.14.2-4.fc6
gnome-python2-bonobo-2.16.0-1.fc6
xorg-x11-drv-mouse-1.1.1-1.1
system-config-display-1.0.48-2.el5
xorg-x11-server-Xorg-1.1.1-48.13.0.1.el5
xorg-x11-server-Xvfb-1.1.1-48.13.0.1.el5
gnome-mime-data-2.4.2-3.1
centos-release-notes-5.0.0-2
xorg-x11-filesystem-7.1-2.fc6
xorg-x11-xauth-1.0.1-2.1
xorg-x11-xkb-utils-1.0.2-2.1
talk-0.17-29.2.2
cpuspeed-1.2.1-1.45.el5
hicolor-icon-theme-0.9-2.1
alsa-lib-1.0.12-3.el5
GConf2-2.14.0-9.el5
xorg-x11-utils-7.1-2.fc6
bluez-gnome-0.5-5.fc6
xorg-x11-xinit-1.0.2-13.el5
ypbind-1.19-7.el5
firstboot-tui-1.4.27.2-1.el5.centos.1
system-config-soundcard-2.0.6-1.el5
yp-tools-2.9-0.1
system-config-samba-1.2.39-1.el5
system-config-kdump-1.0.9-3.el5
tux-3.2.18-9.fc6
xorg-x11-fonts-base-7.1-2.1.el5
gnome-python2-canvas-2.16.0-1.fc6
gnome-mount-0.5-3.el5
xorg-x11-drv-vesa-1.2.1-5.2.el5
xorg-x11-drv-keyboard-1.1.0-2.1
xorg-x11-drv-evdev-1.0.0.5-2.el5
samba-common-3.0.23c-2.el5.2.0.2
xorg-x11-xfs-1.0.2-4
samba-client-3.0.23c-2.el5.2.0.2
xorg-x11-server-Xnest-1.1.1-48.13.0.1.el5
samba-3.0.23c-2.el5.2.0.2
gpm-1.20.1-74.1
xorg-x11-server-utils-7.1-4.fc6
redhat-menus-6.7.8-1.el5
metacity-2.16.0-8.el5
alsa-utils-1.0.12-3.fc6
OpenIPMI-libs-2.0.6-5.el5.3
portmap-4.0-65.2.2.1
nfs-utils-1.0.9-16.el5
system-config-nfs-1.3.23-1.el5
subversion-1.4.2-2.el5
gnome-python2-gconf-2.16.0-1.fc6
gnome-python2-extras-2.14.2-4.fc6
gnome-python2-gnomevfs-2.16.0-1.fc6
xorg-x11-drv-void-1.1.0-3.1

Security and management tool installations and fine tuning:

Security Tools Download, install and run:

a. chkrootkit - http://www.chkrootkit.org/download/
Download to /usr/local/src
Extract using "tar -zxf"
Compile & Install using "make sense"
Run chkrootkit

b. rkhunter - http://www.rootkit.nl/projects/rootkit_hunter.html
Download to /usr/local/src
Extract using "tar -zxf"
Install using ./installer.sh --layout /usr/local --install
rkhunter --update
Run "rkhunter -c --createlogfile"



Management Tool. Download, install, and configure Webmin with SSL

Package Dependencies
Ensure openssl and openssl-devel are installed
rpm -q openssl
rpm -q openssl-devel
If they are not installed, install them using:
yum install openssl openssl-devel -y
(Mention ONLY those packages that need to be installed).

Download the Webmin RPM - http://www.webmin.com/
Download the RPM to /usr/local/src
Install using rpm -Uvh
Go to https://IP.AD.DR.ESS:10000 to configure. Log in as user root with the root password.
1. Under Webmin -> Users -> Edit the root user. Rename root user to "admin"
2. Under Logging ensure all events by all users are logged
3. Change the port from 10000 to a suitable one above 50000 (and below 60000).
4. Under Authentication, set the idle time-out to 5 minutes.

d. Perl Libraries

Net::SSLeay - http://www.cpan.org/modules/by-module/Net/Net_SSLeay.pm-1.30.tar.gz
Download to /usr/local/src/
Extract with tar -xzf
Prepare with "perl Makefile.PL"
Compile & Install with "make install"
Test installation with "perl -e 'use Net::SSLeay'". You should be returned to the prompt. If you get errors, the installation did not succeed.



e. Portsentry - ftp://194.199.20.114/linux/freshrpms/fedora/linux/1/portsentry/portsentry-1.1-11.fr.i386.rpm
Download the RPM to /usr/local/src
Install using rpm -Uvh
Edit /etc/portsentry/portsentry.conf
Edit /etc/portsentry/portsentry.modes
Edit /etc/portsentry/portsentry.ignore
Start portsentry.

f. Checksuite - http://checksuite.sourceforge.net/
Download the RPM to /usr/local/src
Install using rpm -Uvh


g. Fine Tuning IPTABLES:
Edit /etc/sysconfig/iptables

Insert rules that allow only trusted IP addresses to reach the SSH port (replace <trusted-ip> with the address or network):

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s <trusted-ip> -j ACCEPT

These rules are to be added before the following rule:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited


Also make sure the other required ports are kept open (those listed under Pre-Installation preparation).
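Placing the per-address rules ahead of the REJECT line is what makes them effective, and a stock "--dport 22 -j ACCEPT" rule without a source restriction left above them would still admit everyone. The following is an added example, not code from the original post: it generates the rule shown above for each trusted source, inserts the rules directly before the REJECT line of RH-Firewall-1-INPUT, and verifies the ordering. The addresses in the usage comment are constructed placeholders from the documentation ranges.

```bash
#!/bin/bash
# Added example, not part of the original post: build the per-address SSH
# ACCEPT rules shown above, insert them just before the chain's final
# REJECT rule, then verify the result. Addresses in the usage line are
# constructed placeholders (RFC 5737 documentation ranges).

ANCHOR='-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

# usage: ssh_rules <ip-or-cidr>...   -> one ACCEPT rule per line
ssh_rules() {
    local src
    for src in "$@"; do
        printf '%s\n' "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s $src -j ACCEPT"
    done
}

# usage: insert_before_reject <rules-file> <ip-or-cidr>...
# Rewrites the file in place. Refuses if the REJECT anchor is absent, since
# placing the rules anywhere else would not give the intended ordering.
insert_before_reject() {
    local file=$1
    shift
    grep -qF -- "$ANCHOR" "$file" || { echo "$file: REJECT anchor rule not found" >&2; return 1; }
    ssh_rules "$@" > "$file.rules"
    awk -v anchor="$ANCHOR" -v rules="$file.rules" '
        $0 == anchor { while ((getline r < rules) > 0) print r }   # new rules go first
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    rm -f "$file.rules"
}

# usage: verify_rules <rules-file> <ip-or-cidr>...
# 0 only if each source has its ACCEPT rule above the REJECT line and no
# unrestricted (no -s) port-22 ACCEPT rule remains, which would admit everyone.
verify_rules() {
    local file=$1 reject_line src rule_line
    shift
    reject_line=$(grep -nF -- "$ANCHOR" "$file" | head -n 1 | cut -d: -f1)
    [ -n "$reject_line" ] || { echo "$file: no REJECT rule" >&2; return 1; }
    for src in "$@"; do
        rule_line=$(grep -nF -- "--dport 22 -s $src -j ACCEPT" "$file" | head -n 1 | cut -d: -f1)
        [ -n "$rule_line" ] && [ "$rule_line" -lt "$reject_line" ] \
            || { echo "$file: no rule for $src ahead of the REJECT" >&2; return 1; }
    done
    if grep -E -- '--dport 22 .*-j ACCEPT' "$file" | grep -qv -- ' -s '; then
        echo "$file: an unrestricted port-22 ACCEPT rule is still present" >&2
        return 1
    fi
}

if [ "${1:-}" = "apply" ]; then   # sh ssh-allow.sh apply 192.0.2.10 198.51.100.0/24   (as root)
    shift
    cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak || exit 1
    insert_before_reject /etc/sysconfig/iptables "$@" \
        && verify_rules /etc/sysconfig/iptables "$@" \
        && service iptables restart
fi
```

Keep an existing session open while the new rules are applied and test from one of the trusted addresses before closing it; if verify_rules reports an unrestricted rule, delete that line from the file before restarting iptables.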

Monday, May 04, 2009 

PacMan: THE LAST FIGHT

Sunday, April 26, 2009 

How To: Transfer your PuTTY settings between computers

Exporting Your PuTTy Configuration

Putty stores its settings in the Windows registry. To save a backup of your Putty settings, you'll need to export this registry key to a file.

HKEY_CURRENT_USER\Software\SimonTatham

(Simon Tatham is the original developer responsible for PuTTy)

1. Click Start->Run and type "RegEdt32" in the "Open" dialog. Click "Ok"



2. Once RegEdt32 starts, you'll be presented with an application which looks something like:



3. Press "Ctrl+F" to bring up the Find dialog. Enter the name of the key, "SimonTatham", in the "Find What" field, and make sure only "Keys" is checked in the "Look At" section of the dialog. Finally, click "Find Next"



4. The search may take a while, reminding us that the Windows Registry is a large and mysterious place where dragons be. Let's use these few seconds to reflect on the fact that you should never, ever, never change things in the registry unless you are absolutely, positively, totally, completely, 100% dead sure that you know exactly what you're doing. When the search completes we'll see the key name for which we're looking.



5. Click File->Export. Give your file an appropriate name like, "putty.reg" and click "Save"


6. We're done! Save the putty.reg file somewhere safe. The file doesn't contain any passwords or actual SSH key values so, it's relatively safe from prying eyes. Still, it does contain your configuration and that kind of data is a private matter.

Importing Your PuTTy Configuration

To import your saved PuTTy configuration on any other Windows computer, simply copy your exported registry file to it, right-click the file and click "Merge"



Windows will ask you for confirmation that you want to import this set of registry values. We know this file is safe, because we created it but, you should never import registry information from an unknown source.


That's all you need to know about moving your PuTTy configuration from one machine to another. This can be really useful when upgrading to a new PC or, if you're an office IT guy whose users all have a standard list of servers they need to connect to via SSH, you can create a reference configuration on one machine and "share" it between every computer in the office.


source: http://www.downloadsquad.com/2007/02/01/howto-transfer-your-putty-settings-between-computers/

Tuesday, April 14, 2009 

ip_conntrack: table full, dropping packet.

www kernel: printk: 1 messages suppressed.
www kernel: ip_conntrack: table full, dropping packet.


Reason behind this error:

Iptables under Linux maintains a list of connections passing through the router. Each connection tracking entry contains defined characteristics of the packet, including the source and destination IP address and port number. The connection tracking entries are ultimately stored in a hash table with a fixed size. If the router reaches the maximum number of connection tracking entries, it will log an error:

"ip_conntrack: table full, dropping packet"

The maximum size of the connection tracking table can be increased. The maximum size value is stored in the router's proc filesystem in the file /proc/sys/net/ipv4/ip_conntrack_max. Increasing the maximum size of the connection tracking table to a value larger than the total number of connections will eliminate the error message and prevent the router from dropping connections due to a lack of space in the connection tracking table.


# This tells you how many sessions are open right now.
cat /proc/net/ip_conntrack | wc -l
# This tells you the maximum number of conntrack entries you can have in total.
cat /proc/sys/net/ipv4/ip_conntrack_max

Once the former number exceeds the latter, you should start seeing these messages. Increase the latter number by running (replace <new-max> with the new table size):

echo "<new-max>" > /proc/sys/net/ipv4/ip_conntrack_max

or, if you want the setting to survive reboots, place the following in /etc/sysctl.conf:

net.ipv4.ip_conntrack_max = <new-max>
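Before raising the limit it is worth checking who is filling the table, because a table that fills suddenly is as often a SYN flood or a runaway client as genuine growth, and every entry costs kernel memory. The following is an added example, not code from the original post: it reads the current count and limit from the proc files named above (falling back to the nf_conntrack paths that later kernels use), lists the source addresses holding the most entries, and prints the exact lines needed to raise the limit. The 80% threshold is an assumption.

```bash
#!/bin/bash
# Added example, not part of the original post: report how full the
# connection-tracking table is, show the busiest source addresses, and
# print the lines needed to raise the limit. The ip_conntrack paths are the
# ones from the post (CentOS 5 era kernels); later kernels publish the same
# data under nf_conntrack, so both are tried. The threshold is an assumption.

# usage: first_existing <path>...   -> prints the first readable path
first_existing() {
    local p
    for p in "$@"; do [ -r "$p" ] && { echo "$p"; return 0; }; done
    return 1
}

conntrack_count() {   # sessions tracked right now
    local f
    f=$(first_existing /proc/sys/net/netfilter/nf_conntrack_count /proc/net/nf_conntrack /proc/net/ip_conntrack) || return 1
    case $f in *_count) cat "$f" ;; *) wc -l < "$f" | tr -d ' ' ;; esac
}

conntrack_max() {     # configured table limit
    cat "$(first_existing /proc/sys/net/ipv4/ip_conntrack_max /proc/sys/net/netfilter/nf_conntrack_max)"
}

# usage: usage_pct <count> <max>   -> integer percent of the table in use
usage_pct() { echo $(( $1 * 100 / $2 )); }

# usage: needs_raise <count> <max> [threshold]   -> 0 when usage >= threshold (default 80%)
needs_raise() { [ "$(usage_pct "$1" "$2")" -ge "${3:-80}" ]; }

# usage: top_sources [n] < conntrack-table   -> "count address", busiest first
# Only the first src= (original direction) of each entry is counted. One
# address owning most of the table points at a flood or a misbehaving client,
# which is worth knowing before simply raising the limit.
top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { print substr($i, 5); break } }' \
        | sort | uniq -c | sort -rn | head -n "${1:-10}" | awk '{ print $1, $2 }'
}

# usage: sysctl_line <new-max>   -> the persistent setting for /etc/sysctl.conf
# The key mirrors /proc/sys/net/ipv4/ip_conntrack_max (there is no "sys." prefix);
# on nf_conntrack kernels the key is net.netfilter.nf_conntrack_max instead.
sysctl_line() { echo "net.ipv4.ip_conntrack_max = $1"; }

if [ "${1:-}" = "check" ]; then   # sh conntrack-check.sh check [threshold] [new-max]
    count=$(conntrack_count) && max=$(conntrack_max) || { echo "conntrack module not loaded" >&2; exit 1; }
    echo "conntrack: $count of $max entries used ($(usage_pct "$count" "$max")%)"
    table=$(first_existing /proc/net/nf_conntrack /proc/net/ip_conntrack) \
        && { echo "busiest sources:"; top_sources 5 < "$table"; }
    if needs_raise "$count" "$max" "${2:-80}"; then
        new=${3:-$((max * 2))}
        echo "raise now:    echo $new > $(first_existing /proc/sys/net/ipv4/ip_conntrack_max /proc/sys/net/netfilter/nf_conntrack_max)"
        echo "persist with: $(sysctl_line "$new")   in /etc/sysctl.conf, then sysctl -p"
    fi
fi
```

When the busiest-sources list shows one address holding a large share of the entries, deal with that traffic first; raising the limit only postpones the same message if the table is being filled deliberately.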

Monday, April 13, 2009 

Install Squid on CentOS / RHEL 5

Use yum command as follows:
# yum install squid

Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
--> Package squid.i386 7:2.6.STABLE6-4.el5 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
squid i386 7:2.6.STABLE6-4.el5 updates 1.2 M

Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: squid ######################### [1/1]

Installed: squid.i386 7:2.6.STABLE6-4.el5
Complete!

Squid Basic Configuration

Squid configuration file located at /etc/squid/squid.conf. Open file using a text editor:
# vi /etc/squid/squid.conf
At a minimum you need to define an ACL (access control list) for squid to work. The default port is TCP 3128. The following example ACL allows access from the local networks 192.168.1.0/24 and 192.168.2.0/24; adapt it to list the internal IP networks from which browsing should be allowed:
acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks
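Squid evaluates http_access lines top to bottom and stops at the first match, so where these two lines land in squid.conf matters: an allow placed after the stock "http_access deny all" never fires, an acl referenced before its definition makes squid reject the configuration, and an acl whose src is 0.0.0.0/0 (or the built-in "all") turns the host into an open proxy. The following is an added example, not code from the original post or from the Squid project, that checks those three conditions in a squid.conf before the service is started; the acl name is a parameter.

```bash
#!/bin/bash
# Added example, not part of the original post: check the ACL edit above
# before starting squid. Squid walks http_access lines top to bottom and
# stops at the first match, so an "allow our_networks" placed after the
# stock "http_access deny all" never fires, an acl used before its
# definition is rejected by squid, and a src of 0.0.0.0/0 (or "all") would
# turn the box into an open proxy. The acl name is a parameter.

# usage: check_squid_acl <squid.conf> <acl-name>   -> 0 if the ACL is usable
check_squid_acl() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }                                     # comments
        $1 == "acl" && $2 == name && !defined {                       # first definition
            defined = NR
            if ($3 == "src")
                for (i = 4; i <= NF; i++)
                    if ($i == "all" || $i == "0.0.0.0/0" || $i == "0.0.0.0/0.0.0.0")
                        open = NR
        }
        $1 == "http_access" && $2 == "allow" && $3 == name && !allow { allow = NR }
        $1 == "http_access" && $2 == "deny"  && $3 == "all"  && !deny  { deny = NR }
        END {
            if (!defined)             { print "acl " name " is never defined"; exit 1 }
            if (open)                 { print "acl " name " admits any source (line " open "): open proxy"; exit 1 }
            if (!allow)               { print "no http_access allow " name; exit 1 }
            if (allow < defined)      { print "http_access on line " allow " uses " name " before its acl on line " defined; exit 1 }
            if (deny && deny < allow) { print "http_access deny all (line " deny ") comes before allow (line " allow ")"; exit 1 }
            print "ok: " name " defined on line " defined ", allowed on line " allow
        }' "$1"
}

if [ "${1:-}" = "check" ]; then   # sh squid-acl-check.sh check [/etc/squid/squid.conf] [acl-name]
    check_squid_acl "${2:-/etc/squid/squid.conf}" "${3:-our_networks}" && squid -k parse
fi
```

squid -k parse is Squid's own syntax check and catches what this script does not (misspelt directives, bad netmasks); run both before the first start, and again after any later edit to the ACL section.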

Save and close the file. Start squid proxy server:
# chkconfig squid on
# /etc/init.d/squid start

init_cache_dir /var/spool/squid... Starting squid: .       [  OK  ]

Verify port 3128 is open:
# netstat -tulpn | grep 3128

tcp        0      0 0.0.0.0:3128                0.0.0.0:*                   LISTEN      20653/(squid)

Open TCP port 3128

Finally, make sure iptables allows access to the squid proxy server. Open the /etc/sysconfig/iptables file:
# vi /etc/sysconfig/iptables
Append configuration:
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
Restart the iptables-based firewall:
# /etc/init.d/iptables restart

Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]

Client configuration

Open a web browser > Tools > Internet Options > Network settings > and set the Squid server IP address and port 3128.

Wednesday, March 25, 2009 

Update The Root Hints Data File for BIND Named Server

Use the wget command to retrieve the file and store it in /etc/bind/db.root (Debian / Ubuntu Linux):
# wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /etc/bind/db.root

Under Red Hat / CentOS / Fedora Linux, the default location is /var/named/named.root:
# wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /var/named/named.root

Reload named via rndc to pick up the new information:
# rndc reload

Another option is to run the dig command to fetch the information:
# dig +bufsize=1200 +norec NS . @a.root-servers.net > /var/named/named.root

The root zone's nameservers change over time, so don't assume this list is current. Downloading a new version of db.cache once or twice a year is sufficient; you can also schedule a cron job to update the file. The best place to get updates about this file is the bind-users mailing list.
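Redirecting wget or dig output straight over the live hints file, as the commands above do, means a failed or truncated download leaves named with an empty or partial file at its next reload. The following is an added example, not code from the original post or from ISC: it fetches the hints with the dig form shown above into a temporary file, validates that all 13 root servers and their A records are present, and only then replaces the live file and reloads named. The default path is the Red Hat/CentOS location from the post.

```bash
#!/bin/bash
# Added example, not part of the original post: refresh the root hints file
# safely. The new copy is fetched (with the dig form shown above) into a
# temporary file and validated before it replaces the live file and named
# is reloaded, so a truncated or garbled download never reaches named.
# The default path is the Red Hat/CentOS location from the post.

# usage: count_root_ns <hints-file>   -> number of NS records for "."
# Accepts both the InterNIC layout (". 3600000 NS X") and dig output
# (". 518400 IN NS x"), i.e. with or without the IN class field.
count_root_ns() {
    awk '$1 == "." && ($3 == "NS" || $4 == "NS") { n++ } END { print n + 0 }' "$1"
}

# usage: validate_root_hints <hints-file>   -> 0 if the file looks complete
# Requires all 13 root servers and an A record for every NS target.
validate_root_hints() {
    local file=$1 n missing
    n=$(count_root_ns "$file")
    [ "$n" -eq 13 ] || { echo "$file: expected 13 root NS records, found $n" >&2; return 1; }
    missing=$(awk '
        $1 == "." && ($3 == "NS" || $4 == "NS") { ns[tolower($NF)] = 1 }
        $3 == "A" || $4 == "A"                  { a[tolower($1)] = 1 }
        END { for (h in ns) if (!(h in a)) print h }' "$file")
    [ -z "$missing" ] || { echo "$file: NS target without A record:" $missing >&2; return 1; }
}

# usage: fetch_root_hints <out-file>   (the dig form from the post)
fetch_root_hints() {
    dig +bufsize=1200 +norec NS . @a.root-servers.net > "$1"
}

# usage: update_root_hints [hints-file]
update_root_hints() {
    local hints=${1:-/var/named/named.root} tmp
    tmp=$(mktemp) || return 1
    if ! fetch_root_hints "$tmp" || ! validate_root_hints "$tmp"; then
        rm -f "$tmp"
        echo "keeping existing $hints" >&2
        return 1
    fi
    cp -p "$hints" "$hints.bak" 2>/dev/null
    cat "$tmp" > "$hints" && rm -f "$tmp"   # cat keeps the live file's owner and mode
    rndc reload
}

if [ "${1:-}" = "update" ]; then   # sh update-hints.sh update [/path/to/named.root]
    update_root_hints "${2:-}"
fi
```

Run it from cron a couple of times a year, as the post suggests; because the live file is only replaced after validation, a failed fetch leaves the previous hints in place and only logs the "keeping existing" line.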


Sample updated root hints data file

;       This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . "
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/db.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Feb 04, 2008
; related version of root zone: 2008020400
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803f:235
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
;
; operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
;
; operated by ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
;
; operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
; End of File

The Author

  • Nick Perrydoo
  • Spawn at Philippines
© Copyright 2006 Ba-zoo-ra - All Rights Reserved.