Security :: Advanced Firewall And Testing - Block Certain Kinds Of Attacks?
Dec 14, 2010
I launched my website. At the moment the site has an firewall (iptables) enabled with very simple rules. All incoming traffic is blocked, except for the ports http and ssh. Everything is working perfect, but I want also to be able to block certain kinds of attacks. There are some really good examples on the internet, but I don't now if they contain all kinds of attacks which are relevant to my situation. To be clear, I only server web content through port 80 and use ssh to remote login.
View 3 Replies
ADVERTISEMENT
Apr 12, 2010
I'm trying to implement this method to block php injection attack using fail2ban: here it is, however I'm not sure it applies to Ubuntu. You see, there's this filter that must be added to the fail2ban jail file:
HTML Code:
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen
[Code]....
View 7 Replies
View Related
Nov 9, 2010
I would like to test my firewall rules. Is there some app or web service where I can do that ?
View 6 Replies
View Related
Oct 2, 2010
I have noticed interesting problem. I use two browsers - Firefox and Konqueror. Konqueror is configured to use tor, Firefox not. Using Gufw I block all incoming and outgoing traffic and it works while using Firefox, I mean that I can't view any www site and it is ok. But if I use Konqueror I can establish any conection. How to understand this? Should I have different firewall while using tor?
View 5 Replies
View Related
Dec 9, 2010
I manage a linux-based network, where some projects are currently under development. Our IT policy states that any email attachment shall be encrypted using GPG. Can I block other attachments using a firewall?
Note: Currently our mail server is not in campus. So I can only use a firewall for this security issue.
View 5 Replies
View Related
May 18, 2010
I am learning to setup firewall in my home for that i have selected four system(sys1,sys2....sys4) for testing .I have configured sys2 to act as a firewall with two NIC. sys3 and sys4 are inside the firewall . sys1 is not connected to firewall for testing purpose.
the IP assignments are follows :
sys1 : ( fedora, not connected to firewall i am thinking, But i am not sure )
IP : 192.168.2.1 ,
gateway : blank
dns1 : blank
dns2 : blank
sys2 firewall ,IPTABLES )
code....
what happened is that sys1(not connected to firewall) can ssh to sys4(connected,inside firewall),since the rules are written not to ssh form sys1 to sys4..
then I came to know whatever the request I give, It directly goes as sys1 --> sys4. Not as sys1-----> sys2(firewall)---> sys4 .and the firewall is not filtering and processing anything for both inbound and outbound (i think it's my mistake some where). the requests are directly going inside without firewall.
View 3 Replies
View Related
Sep 14, 2011
I have a VPS with Ubuntu. I host a small website (~10 visitors at the same time). Sometimes the website starts lagging. It lags so bad that my SSH connection starts lagging too. Running top says that 2 instances of apache2 take up 50 %CPU each.
I assume this is a DoS attack. I've copy-paste installed a few iptables scripts that made sense, but this has not helped. I installed libapache2-mod-evasive -- I'm sure it blocks the attacker, but I'm still lagging.
What can I do? Can I at least find the IP of the attacker? I have strong experience with Linux, but almost zero experience with being a server admin.
View 2 Replies
View Related
Jun 24, 2009
I would like to know the blocking methode In a Firewall or a Router.whether i will be done by Protocol wise, ho? or it will done through Host wise, How ?
View 2 Replies
View Related
Jun 1, 2011
I would like to know how to protect networks against VPN attacks? How does big industries do it? What does the government tend to use? Are any tools open source that I may get?
View 1 Replies
View Related
Dec 30, 2008
I fear that an attack or an entry in my PC has occured, how to find the trace of the attacks.
View 3 Replies
View Related
Jan 25, 2011
recently my Apache server crashes very often; by watching the error log,I've notice several signs of intrusion.So, I think the problem can be a denial of service attack against my machine.My distribution is Debian Lenny.
View 2 Replies
View Related
Jan 6, 2011
Given that my public key is a pre-shared secret is sshd made in a way that this negates the possibility of a man in the middle attack? In other words, if the known_hosts file were to be deleted, would it be safe to ignore the fingerprint of a server that already has my public key in authorized_keys?
View 5 Replies
View Related
Nov 10, 2010
With the disappearance of an OS monoculture, attackers would do well to find attacks that are neither OS or application specific. One way to do that, of course, is to target attacks at hardware, rather than software. Now research out of Frances Ecole Superiore d'Informatique, Electronique, Automatique (ESIEA) moves a step closer to that goal: identifying a method for isolating the processor used by anonymous systems for the purpose of subverting that hardware.
View 2 Replies
View Related
Jan 21, 2011
My debian server has been attacked due to a security breach in exim4 4.69-9 (probably applies to loads of other versions too). The security breach allows the attacker to get root access by creating a buffer overflow in a header which then can be used to inject code.
[URL]
The securtiy breach is fixed with 4.69-9+lenny1 I want to share my actions with you on what I did to (hopefully) get rid of it. However at the time of writing this, the above website is down due to too much load (DDOS Attack?). How you can check if you've been attacked:
The attack creates a buffer overflow in exim4, which results in paniclog entries.
$ cat /var/log/exim4/paniclog
2010-12-17 07:34:11 string too large in xxxyyy()
2010-12-19 10:42:10 string too large in xxxyyy()
this would be an example of two attacks. One on 2010-12-17 and the other two days later 2010-12-19.with this information you can start find potentially infected files. There may be a better way, but I searched for them with this command:
$ find / -mtime 31 2>/dev/null # files,directories,links created 31 days ago (i.e. 2010-12-17)
My infected files:
/usr/bin/uptime
/usr/bin/pwdx
/usr/bin/slabtop
[code]....
View 4 Replies
View Related
Jan 27, 2011
I need to do a pentest on a Microsoft IIS webserver to test the efficiency of the HIPS i have installed on. methods to simulate attacks so that i can check if the HIPS will detect them?
View 4 Replies
View Related
May 6, 2011
I am ashamed that I am causing other people troubles, but apparantly my server is involved in attacking the servers of other people.
I have to admit that I am not too familiar with using a CLI, or Linux for that matter, but I have a Debian server running under Plesk 10, which is colocated.
Now I have received messages from the datacenterm which state that my server is involved in brute force attacks.
The messages show a lot of lines like this:
Code:
The only I get from my hoster is to back up all domains and re-install the machine.
I want to resolve this asap, but do not agree with that action for two reasons: the machine just had a fresh re-install 2 months ago, so if it is a flaw in the OS, I will get the same flaw back, and if it is not OS related but due to a domain, I will get the problem back by putting back the backed-up domains.
But now I'm stuck: what steps should I follow to try and find the cause of this evil and make sure that my machine will not bother other machines anymore?
I realize that this probably will be a steep learning-curve, but please bare with me and help me to resolve this.
What have I done so far?
1) There are a number of live sites on this server, either running WordPress or Joomla, I have made sure they are all updated to the latest release.
2) I have manually looked at the source code of the index-files of those sites, haven't seen anything strange, like redirects.
3) I have used online scanners to check all sites for malware, all have been reported back to be clean.
4) I have run the Plesk-version of RKhunter, and that gives me certain warnings which I cannot (or do not) understand:
Code:
Code:
Code:
I received the first report of these attempts about a week ago and immediately changed the Plesk/SSH password to a 200bit password generated with KeePass, hoping that would keep out any evildoers.
View 14 Replies
View Related
Jun 1, 2010
I want to test LVM+Raid. When I was testing ZFS on Solaris, I was able to create regular files, and use those as disks for testing.I tried creating a regular file full of zeros w/ dd, then partitioning that. fdisk seemed to be able to create a partition on the regular file, but mkfs and parted couldn't work with it. Is there any way to create fake block devices for testing?
View 4 Replies
View Related
May 9, 2011
Can we use iptables as firewall instead of Juniper firewall
View 2 Replies
View Related
Mar 11, 2011
How I can refuse an outgoing connection on opensuse firewall by default outbound policy is permissive, and the p2p I explicitly deny an outgoing, according to protocol, remote port and local port.
But I can add rules as how to run opensuse firewall rules are permissive only for inbound traffic and so I can not specifically deny an outgoing connection.
Before using fwbuilder is very powerful and configurable but now I'm with suse for convenience but want to know if you can do what I want, if not I will have to use fwbuilder.
View 5 Replies
View Related
May 28, 2010
Link 1 = my network [url]
My network:
Subnet 1
Subnet 2
When someone creates a network loop (a cat 5 cable is plugged into two ports on a switch), the 2 subnet get flooded and become very slow.
How can I prevent subnet 1 from getting flood if someone create a loop on subnet 2.
- eth2 go offline automatically until the network loop is canceled.
View 2 Replies
View Related
Jan 5, 2010
I've been all around the net and can't find a "simple" answer how to block our LAN users from downloading torrents. Is it really that difficult?
Here's our setup:
1. The Server's Configs:
2. sudo gedit /etc/squid/squid.conf
3. sudo gedit /etc/rc.local (to start Firewall rules on bootup)
4. Server NOT a DHCP Server
5. No other iptables rules are configured, just the above ones.
Before in a 1 NIC setup, I blocked Workstations MAC addresses in the Router + Squid Proxy Server (Not Transparent), it worked, but some Online Java Apps didn't work and users can't send/receive email so I abandoned the method.
Now, I installed transparent Squid Proxy with 2 NIC cards, it works, but workstations can still download torrents! I know Squid doesn't block ports, right? So the answer must lie in Iptables Firewall? I basically use Squid just to deny access to Facebook, Friendster, or other "unproductive sites".
Quote:
How to block torrent downloading by using a Firewall? Or is there another "simple" way?
I've heard that it's better just to allow regular ports (80, 22, 465, etc...) then block all the rest, this way, you can prevent unnecessary ports.
I'm not an Iptables/Firewall expert so can you pls. explain it a bit more detailed if that's the case.
I'm also aware of just telling our users NOT to download torrents, but I just want to prohibit it entirely.
I know I will be the most "uncool" employee in our office.
View 9 Replies
View Related
May 2, 2010
I have a ubuntu computer set up as bridge between gateway and lan, with the lan connected to eth0 and gateway on eth1.
I'm trying to get it to basically block everything incoming except for the ports i specify, but also allow outgoing traffic. I've found, tried, modified som examples i found on the web, but still it wont block incoming traffic (ie, im still able to reach my webserver)
These are the rules, and i can't figure out why it wont block:
Code:
#!/bin/bash
iptables -F
iptables -X
iptables -I INPUT -i eth1 -j DROP
[Code].....
View 1 Replies
View Related
Apr 19, 2011
I want to set up Ubuntu Server as a firewall in which I want to direct my internet connection through where Ubuntu Server will block, filter, and monitor anything that come into either three of my computers using the same internet connection. Is this easy to do? sum up the steps that I will have to go through to establish this, and any relevant information, and where I might be able to find necessary information etc. I plan to use ubuntu-10.04.2-server-i386.
View 3 Replies
View Related
Jan 26, 2010
I already have Linux Enterprise 5 system installed with some server packages such as Webmin, Active Directory, Web Server which also act as Internet gateway. Now I want to add firewall functionality to block clients ip accessing internet.
View 14 Replies
View Related
Jul 4, 2010
I am still new to ubuntu and I use firestarter as my firewall tool and I was told that its just ufw in a gui. Well anyways I noticed a connection to 174.129.241.144 using https and python, I didn't have any scripts running and my browser was closed, I read the man files for ufw and it said to do something like deny from 174.129.0.0/12 and I want to block all incoming and outgoing connections to this IP range and I was wondering how to do that, I heard of iptables that it would be able to do this but I dont know anything about it. What I should learn so I can handle these kinds of situation in the future and how I can block this ip subnet or also what does the /8, /12, and /16 stand for?
View 7 Replies
View Related
Mar 10, 2011
tell me the command for iptable rule to add in Chain RH-Firewall-1 to block ftp port & the ftp server was configured in public ip address,i searched in google but i did'nt get the exact command for iptables rule in Chain RH-Firewall-1.
View 3 Replies
View Related
Sep 23, 2010
I have a Suse11 box with 2 network cards:
I have squid as a proxy on the Suse box, and with the default firewall I have to enable masquerading to allow clients on the eth3:1-3 to send and receive mail through the Suse box. I found the Suse firewall completely inadequate (all P2P software/connections are allowed once you enable masquerading) and had to install ConfigServer Security & Firewall. In die configuration of csf I could get my way around getting smtp to work for the eth3:1-3 clients, but pop3 connections does not go through the box. I know I need to allow port 110 and 995 to masquerade of NAT (or something) and then the same for port 22
View 2 Replies
View Related
Aug 12, 2010
I'm trying to create a user account for my children in Ubuntu 10.04
When creating their account, I have turned off the 'Connect to ethernet and wireless' option of the Advanced Settings.
However, when I log into their accounts, they still have full access to the internet through both the wireless and ethernet connections. Is this option for some other purpose?
Is there an alternate way to limit internet access for childrens' accounts in Ubuntu? (I'm used to MS Family Safety as a filter for internet access - is there an eqivalent for Ubuntu?)
View 2 Replies
View Related
Feb 23, 2011
I tried installing F-prot's linux scanner but it doesn't seem to want to install and I am tired of messing with it.
So I am wondering if I even need it or if there is something else.
I am behind a firewall already with my router if that helps any.
I guess I am having trouble understanding why virus protection is less necessary.
Do people not write viruses for linux systems?
View 7 Replies
View Related
Sep 29, 2010
I need to set up my centOS computer as a firewall in my home network. Ive got 2 interfaces, eth0 and eth1. I want to allow and forward all traffic on eth0 and block all traffic on eth1 except ssh, ping(icmp) and DNS. How do I do this? Ive tried some editing in /etc/sysconfig/iptables but no luck.
View 1 Replies
View Related
