Security :: Iptables Configuration Causes Web Content To Be Delivered 'slow'
Apr 26, 2011
In December 2009 I switched my web-hosting package with 1and1 to their best VPS package. What a difference! At this time I knew absolutely NOTHING about Linux sys admin stuff. Now, I know a little more I now run 'several' VPS instances (all with 1and1). Back to the problem then... On all my boxes I run CentOS 5.5 (Linux 2.6.18-028stab070.4) with various different versions of Plesk (9.5.2 and 10.2.0) The VPS instances themselves are on Virtuozzo nodes. As you may know, Virtuozzo has a firewall GUI allowing modification of iptables. I only use this when I make a mistake and cannot SSH. My 'original' iptables: (the VZ chains are controlled by the Virtuozzo container)
if this iptables chain limits the number of connections to 3 per second and 100 per second respectively, is this still secure or is there no point in having this rule? If the rule is a good one to have, then how can I allow http connections to bypass this chain/rule?
I have a server that I can only access via SSH (it's located far away) and I would like to secure it by blocking all ports except the ones that I need (which are HTTP and SSH). I still want to be able to make outgoing connections to enable software updates and other things.This is my iptables -L -n :
Code: Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:21 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:23:79 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:81:65535 code....
In my opinion, this should block all incoming packets except the ones on port 80 and 22, but allow responses to outgoing connections. But a wget http://google.com does not work, it can't establish the connection.
Maybe this is not the best style for iptables rules, but I want to be absolutely sure to not accidently lock myself out from SSH, so I chose not to configure a "block-everything rule".
Does this configuration not enable incoming packets from connections initiated from inside?
Quote:One of the new features in Firefox 4 that we are very excited about is Content Security Policy, which is a mechanism that works behind the scenes to prevent some of the more severe web-based attacks against users and websites.Firefox users don?t have to do anything in order to gain this protection. Simply install Firefox 4 and you will instantly receive all of the benefits that Content Security Policy has to offer. Easy!
I had directory inside www that is gone. I am not sure if I removed it my mistake somehow or there is something weird going on. How would I track down what happened to this directory?
I am traveling outside US and trying to watch netflix from my computer. However, it is blocked in my region. Is there a way to fake the IP address to looks like i am viewing the content from the US?
I have already developed file type filtering functions through squid. Now I want to deal with content filtering aspects... What tools are available there for so in linux?
I have ubuntu server 10.4 installed on an Intel SS4200-E, which I have configured without any RAID. This machine acts as a media server to another PC. The other PC runs Windows 7 Ultimate. I have 3 1TB hard disks connected to it, and the file system on all the 3 are NTFS. I have mounted the hard disks as ntfs. I have made the folders on all the 3 hard disks shareable. I have configured Samba to make the folders on the hard disks "visible".
The ubuntu machine is in a headless configuration (it doesn't have any VGA card where can connect a monitor). I can configured SSH on it, so I can use putty from the Windows machine to logon to the ubuntu machine, but it is text based only. I am able to see all the 3 disks from the Windows machine. I am able to read/write into 2 of the disks. I am able to read, copy and delete from the 3rd disk, but not write new content to it.
What is the easiest way to encrypt plain text content with a password only? I need to encrypt client login information, but I hate dealing with all the unnecessary complexities of Linux's encryption systems.
I know I am going to get a bunch of people telling me how perfect Seahorse and whatever is, but Seahorse and the default /home directly encryption have both given me too many problems when decrypting my information. I prefer to preserve my data rather than using these methods.
We have approximately 100 retail locations that will have split vpn tunneling. Intranet traffic will flow over the vpn to the corporate headquarters, voip traffic will tunnel to a regional hub and internet bound traffic will go over the local isp. The retail locations are small with 1-8 users and no enterprise grade equipment (servers, etc). This setup in effect will render our current content filtering solution useless.
The locations will be equipped with Cisco ASA 5505 Firewalls. The original plan was to use a Websense server and the url filtering feature to act as a content filter. I just found out that pricing for Websense was not included in the budget will be a show stopper.There may also be some performance issues with this method. Putting a proxy server at each location is not really an option. We do not have the resources to place a server at each location, plus the users could simply unplug an inline device or go around it. There is minimal supervision at most of these locations.
Ideally, I would like to find a way to use something like Dansguardian with an ldap interface and the url filtering feature of the ASA firewalls. I found a program called n2h2p, but I can find 0 documentation for it. It is also 2 years old with no updates. I also need to be able totrally manage this as trying to keep up with 100 different configurations for 400 users would be virtually impossible for the amount of time I will have available
Recently I've tried installing Calibre from the Software Centre, but it seemed to be glitching as when I press Update Source, the 'In Progress' icon shows up, but when it finishes nothing changes - the Update Source button is still Should I report this?Anyways, I've installed Calibre from their website to .calibre in Home Folder. However, the folder is 'locked' as it requires root priveleges and I can't drop files there without being the admin. I'd like to reduce 'open as root' files to minimum, so I was wondering if there is a way to change the permissions of all the content in one operation, preferably using GUI, and not the terminal?
In addition I've noticed that other folders in my Home Folder like Pictures/Wallpapers require root privileges. This is really annoying as when I 'experiment' with Ubuntu I use Live CD to make sure I don't screw up the main system. When I do I can't open some files from hard disk because of those root inconsistencies
I have been assigned a task to implement a free open source content filter having feature of web, email, instant messaging etc. If any one has the information or worked on this type of product please share it.
I have server with Debian and Apache installed. Webpage content located in /var/www folder. For failserver I have Windows server 2003, which runs Mysql service thats needed for library software. And on this machine theres Inetpub/wwwroot with library webcontent. Sofar its only accessible localy. How can make Apche webserver to take content from this local server machine and show it publicly.
For Ubuntu 10.04, I can configure the network by "Network Connections". This configuration is done by doing the following operation sequences(System->Preferences->Network Connections->wired->auto eth0). Then I can connet to and browse the internet. If I type the command "ifconfig", I can see the ip I configured for eth0. Part of the content is as blow:
For Ubuntu 10.04, I can configure the network by "Network Connections". This configuration is done by doing the following operation sequences(System->Preferences->Network Connections->wired->auto eth0). Then I can connect to and browse the internet. If I type the command "ifconfig", I can see the ip I configured for eth0. Part of the content is as blow:
[Code]...
I think there should be other files that keep the eth0 configuration content. What are they?
I have a slow machine, mainly a Celeron with 250gb HD.This machine is not being used, so I was planning to install a Linux distro and create a bunch of VMs for development.Which distro should I choose? I plan to use this machine mainly as a small "hypervisor" to other vms.Is it possible? What do you suggest? (Buying another machine is out of question, since I would like to know if it's possible give a purpose like this to the Celeron)
Why would this iptables cause this mail delivery error? I think it's to do with dns lookups not being routed properly... if remove the last rule, mail works fine.
ssh is also very slow to connect when the last rule is enabled.
postfix mail error:
Code: Jan 24 11:32:18 xxxx postfix/smtp[15065]: 9F2162C519: to=<xxxxx@hotmail.com>, relay=none, delay=1005, delays=965/0.01/40/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=hotmail.com type=MX: Host not found, try again) iptables
I am using find to search for .tgz files modified more than 7 days ago and delete them.find /directory/ -iname backup*.tgz -daystart -mtime +7 -exec rm -rf {} My problem is that find will go through the content of tarball as well and list all content. I want to only search main tarball and delete it if older than 7 days.
I have been struggling with this for a very long time now. I have installed Fedora Core 9 on my computer. I have set it up as a caching-nameserver and this is working.
Then I wanted to secure my server with iptables, and I have so far made this script:
# Load the connection tracker kernel module modprobe ip_conntrack iptables -F iptables -P INPUT DROP iptables -P FORWARD DROP
[Code]....
I can reach the dns server with ping. When trying Nslookup it says that it got SERVFAIL from 127.0.0.1 trying next server, and then it times out.
I am using Fedora on my desktop pc. I want to know how can i protact my PC from outside world. What firewall policy should i implement in iptables to keep it more secure.
i set up a dmz to have a internet web server and ftp server, and ssh only from local network, so i wrote a iptables script to load during boot :
[Code]...
The problem is that everything works fine ( i have the same rules for other services such as samba, nfs, mysql on another server) BUT ftp there is no way to make it work. not even locally.when i try to connect, i log in, but while listing the directory i get MLSD ... and it hangs like this for a moment, then i get error message "connection time out" , "impossible to list directory". if i turn off the iptables script no problem,ftp works fine.. but why all services work and ftp no?
how do i have to modify the rules? what is strange also is that if i set as OUTPUT policy "accept", the server seems to be offline."host unknown" error message. I was thinking the rule INPUT is fine cause at least i can login, but the dir list is not going out, so gotta modify output rules. or state?
I've started a new job and have inherited a couple of RHEL4 64-bit servers. The firewall on them is currently disabled. I'm struggling to get them up and running as iptables is not the most user-friendly application. This lead me to downloading and trying a GUI front-end: Guarddog. Great app! But it doesn't have the default behavior I'm looking for. Here is what I need:
Default behavior: Firewall should be wide open, allowing ALL ports/IP's/TCP/UDP in and out of the server. Blacklist: Oracle TCP port 1521 needs to be blocked in/out of the server.
This will help get us passed our company's security vulnerability scan. (We aren't able to patch/upgrade Oracle at this time because we'd lose vedor support with a legacy app). I will use these settings as a starting point, and then once I learn more and get more comfortable with iptables (or a GUI app) then I can fine tune things to make them more secure. As far as I know (correct me if I'm wrong) once I get a script I just copy it into /etc/rc.firewall and it will load when iptables starts.
I follow this instructions but after iptables-restore < /etc/iptables.test.rules I see this error # iptables-restore < /etc/iptables.test.rules Bad argument `#' Error occurred at line: 3 Try `iptables-restore -h' or 'iptables-restore --help' for more information. The line 3 is the same as the link - # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
