Security :: Iptables Configuration Causes Web Content To Be Delivered 'slow'

Apr 26, 2011

In December 2009 I switched my web-hosting package with 1and1 to their best VPS package. What a difference! At that time I knew absolutely NOTHING about Linux sysadmin stuff. Now that I know a little more, I run 'several' VPS instances (all with 1and1). Back to the problem then... On all my boxes I run CentOS 5.5 (Linux 2.6.18-028stab070.4) with various versions of Plesk (9.5.2 and 10.2.0). The VPS instances themselves are on Virtuozzo nodes. As you may know, Virtuozzo has a firewall GUI allowing modification of iptables. I only use this when I make a mistake and cannot SSH in. My 'original' iptables (the VZ chains are controlled by the Virtuozzo container):

Code:

Chain INPUT (policy DROP)
target prot opt source destination
VZ_INPUT all -- anywhere anywhere
Chain FORWARD (policy DROP)

[code]....

If this iptables chain limits the number of connections to 3 per second and 100 per second respectively, is this still secure, or is there no point in having this rule? If the rule is a good one to have, then how can I allow HTTP connections to bypass this chain/rule?

View 6 Replies



Security :: Blocking Web Content With Iptables?

Aug 8, 2010

Is it possible to block adult web content with iptables?

View 3 Replies View Related

Security :: Best IPtables Configuration For Bind DNS Server?

Dec 23, 2010

What is the best iptables configuration for a BIND DNS server?

View 3 Replies View Related

Security :: Iptables State Module - Configuration Error / Not Enable Incoming Packets From Connections Initiated From Inside?

Mar 30, 2011

I have a server that I can only access via SSH (it's located far away) and I would like to secure it by blocking all ports except the ones that I need (which are HTTP and SSH). I still want to be able to make outgoing connections to enable software updates and other things. This is my iptables -L -n:

Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:21
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:23:79
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:81:65535
code....

In my opinion, this should block all incoming packets except the ones on port 80 and 22, but allow responses to outgoing connections. But a wget http://google.com does not work, it can't establish the connection.

Maybe this is not the best style for iptables rules, but I want to be absolutely sure not to accidentally lock myself out of SSH, so I chose not to configure a "block-everything rule".

Does this configuration not enable incoming packets from connections initiated from inside?

View 3 Replies View Related
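The two iptables threads above (the Virtuozzo rate-limit question and the state-module question) ask for the same ruleset shape: a DROP policy that still lets replies to outbound connections back in, throttles new SSH connections, and leaves HTTP untouched. The script below is an added example, not code from either poster or from the forum. It assumes the public interface is eth0 (override with PUB_IF), sshd on 22 and httpd on 80; the limit of 3 new connections per second with a burst of 10 is illustrative. The ordering is the whole point: the HTTP accept sits before the jump into the limiter, and the ESTABLISHED,RELATED accept sits before everything else, which is why a wget from the box gets its answer back regardless of which inbound ports are dropped.

```sh
#!/bin/sh
# Added example for the two posts above (not code from either poster).
# Generates a stateful INPUT ruleset in iptables-restore format in which:
#   - loopback and ESTABLISHED,RELATED are accepted first, so replies to
#     outbound connections (wget, yum, apt) come back whatever the port;
#   - HTTP is accepted *before* the jump into the rate-limit chain, so the
#     limiter never sees web traffic;
#   - only NEW SSH connections pass through the limiter.
# Assumptions: public interface in $PUB_IF (default eth0), sshd on 22,
# httpd on 80; 3/second with burst 10 is illustrative.

PUB_IF="${PUB_IF:-eth0}"

# Print the ruleset; nothing is applied here.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RATELIMIT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $PUB_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i $PUB_IF -p tcp --dport 22 -m state --state NEW -j RATELIMIT
-A INPUT -i $PUB_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A RATELIMIT -m limit --limit 3/second --limit-burst 10 -j RETURN
-A RATELIMIT -j DROP
COMMIT
EOF
}

# Sanity check of the generated order: the HTTP accept must precede the jump
# into the limiter, or web traffic would be throttled too. Returns 0 if so.
check_order() {
    gen_rules | awk '
        /--dport 80/ && !h { h = NR }
        /-j RATELIMIT/ && !l { l = NR }
        END { exit !(h && l && h < l) }'
}

# Apply with a dead-man switch: the previous rules come back after 120 s
# unless you confirm by killing the timer. This is the safe way to test a
# DROP policy on a box you only reach over SSH.
apply_with_rollback() {
    saved=$(mktemp) || return 1
    iptables-save > "$saved" || return 1
    ( sleep 120 && iptables-restore < "$saved" && rm -f "$saved" ) &
    echo $! > /tmp/iptables-rollback.pid
    gen_rules | iptables-restore
    echo "applied; if SSH still works run: kill \$(cat /tmp/iptables-rollback.pid)"
}
```

Usage: `sh rules.sh` after adding `apply_with_rollback` as the last line, or `gen_rules > /etc/iptables.rules` to review first. On a Virtuozzo container keep the VZ_* chains by loading with `iptables-restore -n` (no flush) instead, since a plain restore replaces the whole filter table. The `limit` match is global, so one noisy source can starve everyone of new SSH connections; where the iptables build supports it, `hashlimit` with `--hashlimit-mode srcip` limits per source address instead.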

Security :: Creating A Safer Web With Content Security Policy?

Mar 22, 2011

Quote: One of the new features in Firefox 4 that we are very excited about is Content Security Policy, which is a mechanism that works behind the scenes to prevent some of the more severe web-based attacks against users and websites. Firefox users don't have to do anything in order to gain this protection. Simply install Firefox 4 and you will instantly receive all of the benefits that Content Security Policy has to offer. Easy!

View 1 Replies View Related

Debian Configuration :: Content Of Www Directory

Feb 26, 2016

I had a directory inside www that is gone. I am not sure if I removed it by mistake somehow or there is something weird going on. How would I track down what happened to this directory?

View 2 Replies View Related

Security :: Fake IP To Access Content?

Jun 17, 2010

I am traveling outside US and trying to watch netflix from my computer.
However, it is blocked in my region. Is there a way to fake the IP address so it looks like I am viewing the content from the US?

View 2 Replies View Related

Security :: Tools For Content Filtering In System?

Jun 22, 2009

I have already developed file type filtering functions through Squid. Now I want to deal with content filtering aspects... What tools are available for that in Linux?

View 6 Replies View Related

Ubuntu :: Samba Configuration - Unable To Write New Content

Sep 27, 2010

I have ubuntu server 10.4 installed on an Intel SS4200-E, which I have configured without any RAID. This machine acts as a media server to another PC. The other PC runs Windows 7 Ultimate. I have 3 1TB hard disks connected to it, and the file system on all 3 is NTFS. I have mounted the hard disks as ntfs. I have made the folders on all 3 hard disks shareable. I have configured Samba to make the folders on the hard disks "visible".

The ubuntu machine is in a headless configuration (it doesn't have any VGA card where I can connect a monitor). I have configured SSH on it, so I can use PuTTY from the Windows machine to log on to the ubuntu machine, but it is text based only. I am able to see all 3 disks from the Windows machine. I am able to read/write to 2 of the disks. I am able to read, copy and delete from the 3rd disk, but not write new content to it.

Following is the snippet from /etc/fstab:

Code:

/dev/sda3 /media/Media1 ntfs-3g defaults,locale=en_US.utf8 0 0
/dev/sdb1 /media/Media2 ntfs-3g defaults,locale=en_US.utf8 0 0
/dev/sdc1 /media/Media3 ntfs-3g defaults,locale=en_US.utf8 0 0

Following are the lines which I have added to the end of /etc/samba/smb.conf:

Code:

[Media1]
path = /media/Media1
writable = yes
guest ok = yes

[code]....

View 9 Replies View Related

Ubuntu Security :: Encrypting Content With A Password Only - No Keys

Jun 1, 2010

What is the easiest way to encrypt plain text content with a password only? I need to encrypt client login information, but I hate dealing with all the unnecessary complexities of Linux's encryption systems.

I know I am going to get a bunch of people telling me how perfect Seahorse and whatever is, but Seahorse and the default /home directory encryption have both given me too many problems when decrypting my information. I prefer to preserve my data rather than using these methods.

View 9 Replies View Related
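For the passphrase-only case asked about above, the plain tool is `openssl enc`: one symmetric key derived from the passphrase, no key pairs and no keyring. The functions below are an added example, not the poster's setup or a project's code. They assume OpenSSL 1.1.1 or newer (the `-pbkdf2` option), and they read the passphrase from a mode-0600 file rather than the command line, because anything passed as an argument shows up in `ps` and shell history.

```sh
#!/bin/sh
# Added example for the post above (not the poster's setup): symmetric,
# passphrase-only encryption of text with openssl, no key pairs or keyrings.
# Assumptions: OpenSSL 1.1.1+ (for -pbkdf2); the passphrase lives in a
# mode-0600 file so it never appears on a command line.

# encrypt_text <passfile> < plaintext > ciphertext
# AES-256-CBC with a random salt and PBKDF2 (200000 iterations) so a
# dictionary attack on the passphrase costs real time per guess.
encrypt_text() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -pass "file:$1"
}

# decrypt_text <passfile> < ciphertext > plaintext
decrypt_text() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$1"
}

# Round trip on a constructed record; returns 0 if what comes back matches.
roundtrip_ok() {
    pf=$(mktemp) || return 1
    chmod 600 "$pf"
    printf 'correct horse battery staple\n' > "$pf"   # constructed passphrase
    out=$(printf 'client=acme user=alice pw=hunter2' | encrypt_text "$pf" | decrypt_text "$pf")
    rm -f "$pf"
    [ "$out" = "client=acme user=alice pw=hunter2" ]
}
```

Usage: `encrypt_text ~/.logins.pass < logins.txt > logins.enc`, then `decrypt_text ~/.logins.pass < logins.enc`. One caveat worth knowing before trusting this with credentials: CBC mode has no integrity check, so a corrupted or tampered ciphertext can decrypt to garbage without an error. `gpg --symmetric --cipher-algo AES256 logins.txt` gives the same passphrase-only workflow with an integrity check (MDC) built in, if gpg is installed.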

Ubuntu Security :: Content Filter At Remote Locations?

Aug 6, 2010

We have approximately 100 retail locations that will have split vpn tunneling. Intranet traffic will flow over the vpn to the corporate headquarters, voip traffic will tunnel to a regional hub and internet bound traffic will go over the local isp. The retail locations are small with 1-8 users and no enterprise grade equipment (servers, etc). This setup in effect will render our current content filtering solution useless.

The locations will be equipped with Cisco ASA 5505 firewalls. The original plan was to use a Websense server and the URL filtering feature to act as a content filter. I just found out that pricing for Websense was not included in the budget, which will be a show stopper. There may also be some performance issues with this method. Putting a proxy server at each location is not really an option. We do not have the resources to place a server at each location, plus the users could simply unplug an inline device or go around it. There is minimal supervision at most of these locations.

Ideally, I would like to find a way to use something like DansGuardian with an LDAP interface and the URL filtering feature of the ASA firewalls. I found a program called n2h2p, but I can find no documentation for it. It is also 2 years old with no updates. I also need to be able to centrally manage this, as trying to keep up with 100 different configurations for 400 users would be virtually impossible for the amount of time I will have available.

View 9 Replies View Related

Ubuntu Security :: Change Permissions Of Folder's Content?

Feb 22, 2011

Recently I've tried installing Calibre from the Software Centre, but it seemed to be glitching, as when I press Update Source the 'In Progress' icon shows up, but when it finishes nothing changes - the Update Source button is still... Should I report this? Anyway, I've installed Calibre from their website to .calibre in my Home Folder. However, the folder is 'locked' as it requires root privileges and I can't drop files there without being the admin. I'd like to reduce 'open as root' files to a minimum, so I was wondering if there is a way to change the permissions of all the content in one operation, preferably using a GUI and not the terminal?

In addition I've noticed that other folders in my Home Folder like Pictures/Wallpapers require root privileges. This is really annoying as when I 'experiment' with Ubuntu I use Live CD to make sure I don't screw up the main system. When I do I can't open some files from hard disk because of those root inconsistencies

View 5 Replies View Related

Security :: Content Filter For Web / Email And Instant Messaging

Apr 12, 2010

I have been assigned a task to implement a free open source content filter with web, email and instant messaging features. If anyone has information on or has worked on this type of product, please share it.

View 8 Replies View Related

Debian Configuration :: Accessing Wwwroot Content From Apache Server ?

Mar 15, 2011

I have a server with Debian and Apache installed. Webpage content is located in the /var/www folder. For failserver I have Windows Server 2003, which runs the MySQL service that's needed for library software, and on this machine there's Inetpub/wwwroot with the library web content. So far it's only accessible locally. How can I make the Apache web server take content from this local server machine and show it publicly?

View 14 Replies View Related

Ubuntu Networking :: Other File That Stores The Network Configuration Content Besides The Int?

Oct 1, 2010

For Ubuntu 10.04, I can configure the network by "Network Connections". This configuration is done by doing the following sequence of operations (System->Preferences->Network Connections->wired->auto eth0). Then I can connect to and browse the internet. If I type the command "ifconfig", I can see the IP I configured for eth0. Part of the content is as below:

Quote:

ifconfig
eth0
inet addr:192.168.28.31 Bcast:192.168.28.255 Mask:255.255.255.0

But in the "interfaces" file, there is no eth0 content. The whole content is simply as below:

Quote:

cat /etc/network/interfaces
auto lo
iface lo inet loopback

I think there should be other files that keep the eth0 configuration content.

View 1 Replies View Related

Ubuntu :: File(not Interface) That Stores The Network Configuration Content?

Oct 31, 2010

For Ubuntu 10.04, I can configure the network by "Network Connections". This configuration is done by doing the following sequence of operations (System->Preferences->Network Connections->wired->auto eth0). Then I can connect to and browse the internet. If I type the command "ifconfig", I can see the IP I configured for eth0. Part of the content is as below:

[Code]...

I think there should be other files that keep the eth0 configuration content. What are they?

View 3 Replies View Related

General :: Minimal Configuration For Vms Host In Old And Slow Configuration?

May 21, 2010

I have a slow machine, mainly a Celeron with a 250GB HD. This machine is not being used, so I was planning to install a Linux distro and create a bunch of VMs for development. Which distro should I choose? I plan to use this machine mainly as a small "hypervisor" for other VMs. Is it possible? What do you suggest? (Buying another machine is out of the question, since I would like to know if it's possible to give a purpose like this to the Celeron.)

View 4 Replies View Related

Ubuntu Servers :: Iptables Causing Slow Ssh And Name Lookup Errors

Jan 24, 2010

Why would this iptables cause this mail delivery error? I think it's to do with DNS lookups not being routed properly... if I remove the last rule, mail works fine.

ssh is also very slow to connect when the last rule is enabled.

postfix mail error:

Code:
Jan 24 11:32:18 xxxx postfix/smtp[15065]: 9F2162C519: to=<xxxxx@hotmail.com>, relay=none, delay=1005, delays=965/0.01/40/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=hotmail.com type=MX: Host not found, try again) iptables

[Code]....

View 1 Replies View Related

General :: Find Will Go Through The Content Of Tarball As Well And List All Content

Oct 5, 2010

I am using find to search for .tgz files modified more than 7 days ago and delete them:

Code:
find /directory/ -type f -iname 'backup*.tgz' -daystart -mtime +7 -exec rm -f {} \;

My problem is that find will go through the content of the tarball as well and list all content. I want to only search the main tarball and delete it if older than 7 days.

View 4 Replies View Related

Fedora Security :: Allow DNS In Iptables

Feb 1, 2009

I have been struggling with this for a very long time now. I have installed Fedora Core 9 on my computer. I have set it up as a caching-nameserver and this is working.

Then I wanted to secure my server with iptables, and I have so far made this script:

# Load the connection tracker kernel module
modprobe ip_conntrack
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP

[Code]....

I can reach the dns server with ping. When trying Nslookup it says that it got SERVFAIL from 127.0.0.1 trying next server, and then it times out.

My resolv.conf file lists:

nameserver 127.0.0.1
nameserver DNS-server

View 13 Replies View Related
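The symptom in the post above (SERVFAIL from 127.0.0.1, then a timeout) is what a caching resolver produces when its own recursive queries never get answers, and with a DROP policy on INPUT that usually means the loopback accept or the ESTABLISHED,RELATED accept is missing; UDP replies to outgoing queries are tracked as ESTABLISHED by conntrack just like TCP. The lint below is an added example, not the poster's script or any distribution's tool. It reads `iptables -L INPUT -n` or `iptables -L INPUT -n -v` output and reports what a resolver behind a DROP policy needs; the two sample listings inside it are constructed for the check, in the same layout as the dumps quoted on this page.

```sh
#!/bin/sh
# Added example for the BIND post above (not the poster's script): a lint for
# `iptables -L INPUT -n [-v]` output. Assumptions: the resolver listens on
# 53/udp and 53/tcp and resolv.conf points at 127.0.0.1, as in the post.

# Read a chain listing on stdin, print one line per problem, exit with the
# number of problems (0 = clean). Only the -v layout shows the input
# interface, so only it can prove an "ACCEPT all" rule is really -i lo.
lint_input() {
    awk '
        /^Chain / {
            inchain = ($2 == "INPUT")
            if (inchain) { policy = $4; sub(/\)$/, "", policy) }
            next
        }
        !inchain { next }
        {
            v = ($1 ~ /^[0-9]/)      # -v layout starts with the packet counter
            tgt = v ? $3 : $1
            prot = v ? $4 : $2
            inif = v ? $6 : ""
        }
        tgt == "ACCEPT" && prot == "all" && inif == "lo"   { lo = 1 }
        tgt == "ACCEPT" && prot == "all" && !v && NF == 5  { lo_maybe = 1 }
        tgt == "ACCEPT" && /ESTABLISHED/                     { est = 1 }
        tgt == "ACCEPT" && prot == "udp" && /dpt:53/         { udp53 = 1 }
        tgt == "ACCEPT" && prot == "tcp" && /dpt:53/         { tcp53 = 1 }
        END {
            n = 0
            if (policy == "DROP" && !lo && !lo_maybe) { print "no ACCEPT for -i lo: queries to 127.0.0.1 are dropped"; n++ }
            if (policy == "DROP" && !lo && lo_maybe)  { print "an unrestricted ACCEPT all exists; rerun with -v to see whether it is -i lo" }
            if (policy == "DROP" && !est) { print "no ESTABLISHED,RELATED ACCEPT: replies to recursive queries are dropped"; n++ }
            if (!udp53) { print "53/udp not accepted: clients cannot query"; n++ }
            if (!tcp53) { print "53/tcp not accepted: truncated answers and zone transfers fail"; n++ }
            exit n
        }'
}

# Constructed sample in the plain -L -n layout: no loopback rule, no tcp/53.
sample_nov() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0           udp dpt:53

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Constructed sample in the -L -n -v layout with everything present.
sample_v() {
    cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  8000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 5000  400K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   40  2400 ACCEPT     udp  --  eth0   *       192.168.1.0/24       0.0.0.0/0           udp dpt:53
   10   600 ACCEPT     tcp  --  eth0   *       192.168.1.0/24       0.0.0.0/0           tcp dpt:53
EOF
}
```

Usage on the real box: `iptables -L INPUT -n -v | lint_input`. A non-zero exit with the printed reasons is the answer to "which rule is missing"; the check does not look at OUTPUT, so if the OUTPUT policy is also DROP, the same ESTABLISHED,RELATED accept plus a NEW accept for 53/udp and 53/tcp is needed there as well.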

Fedora Security :: Can't Get FTP Through Iptables

Dec 14, 2009

I'm pulling my hair out trying to get FTP to work through iptables. I'm using vsftpd.

Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

[code].....

View 3 Replies View Related

Security :: Can't Zero Out Counters In Iptables

Feb 25, 2010

I have a problem with iptables, when I execute

[code]....

View 5 Replies View Related

Security :: Configure IPtables To Only Allow VNC Over SSH

Apr 4, 2010

I am trying to figure out how I can configure IPtables to only allow VNC traffic to an internal server over SSH.

My configuration is WAN < --- > Gateway (Ubuntu 9.10 Server) < --- > Internal Server (that I want to control with VNC over SSH)

View 12 Replies View Related

Security :: How To Keep Safe PC Using Iptables

Dec 5, 2010

I am using Fedora on my desktop PC. I want to know how I can protect my PC from the outside world. What firewall policy should I implement in iptables to keep it more secure?

View 5 Replies View Related

Security :: Incorporate Into Iptables

Jan 5, 2010

I'm following an OpenVPN installation how-to and it says to add this to the iptables:

Quote:
# External Interface for VPN
# VPN Interface
VPNIF="tun0"
VPNNET="172.16.0.0/24"
VPNIP="172.16.0.1"
### OpenVPN
[Code]....

Any thoughts, as the whole formatting is separate and has the addition of FORWARD rules, etc.? I need the VPN running on the .199 address.

View 16 Replies View Related

Security :: Iptables :everything Works Except Ftp

Jun 3, 2010

I set up a DMZ to have an internet web server and FTP server, and SSH only from the local network, so I wrote an iptables script to load during boot:

[Code]...

The problem is that everything works fine (I have the same rules for other services such as Samba, NFS, MySQL on another server) BUT there is no way to make FTP work, not even locally. When I try to connect, I log in, but while listing the directory I get MLSD ... and it hangs like this for a moment, then I get the error messages "connection timed out", "impossible to list directory". If I turn off the iptables script there is no problem, FTP works fine... but why do all services work and not FTP?

How do I have to modify the rules? What is also strange is that if I set the OUTPUT policy to "accept", the server seems to be offline: "host unknown" error message. I was thinking the INPUT rule is fine because at least I can log in, but the dir list is not going out, so I've got to modify the output rules. Or state?

View 7 Replies View Related
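Both vsftpd threads above (the Fedora one and the DMZ one) describe the same failure: the login on port 21 works, then the listing hangs. FTP opens a second TCP connection for every LIST/MLSD and every transfer, and without the FTP connection-tracking helper that data connection is a new flow on an arbitrary port that a DROP policy discards. The script below is an added example, not code from either poster. It assumes vsftpd on port 21 and a passive port range of 50000-50100 (illustrative), and it loads the helper under its newer name with the 2.6.18-era name as fallback.

```sh
#!/bin/sh
# Added example for the two vsftpd posts above (not code from either poster).
# Assumptions: vsftpd on port 21; passive data ports pinned to 50000-50100.

# Is the FTP conntrack helper loaded? Reads /proc/modules, or a file given
# as $1 so the check can be run against a saved copy.
ftp_helper_loaded() {
    grep -Eq '^(nf_conntrack_ftp|ip_conntrack_ftp) ' "${1:-/proc/modules}"
}

# Run or print a command, depending on MODE (print|apply).
run() {
    if [ "$MODE" = "apply" ]; then "$@"; else echo "$*"; fi
}

# Emit the rules. `ftp_rules print` shows them; `ftp_rules apply` runs them as root.
ftp_rules() {
    MODE="${1:-print}"
    # newer kernels use the nf_ name, 2.6.18-era ones the ip_ name
    run modprobe nf_conntrack_ftp || run modprobe ip_conntrack_ftp
    # control channel
    run iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # data channels: once the helper has read PORT/PASV on the control channel
    # it marks the data connection RELATED, in active and passive mode alike,
    # so a single ESTABLISHED,RELATED accept covers it in both directions
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # fallback for passive mode when the helper cannot read the PASV reply
    # (FTP over TLS hides it): open the pinned passive range explicitly
    run iptables -A INPUT -p tcp --dport 50000:50100 -m state --state NEW -j ACCEPT
}

# Matching vsftpd.conf lines, so the passive range stays inside the rule above.
vsftpd_passive_conf() {
    cat <<'EOF'
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
EOF
}
```

Usage: `ftp_rules print` to review, `ftp_rules apply` as root, then `ftp_helper_loaded && echo helper ok`. If the helper is loaded and listings still hang, the passive range in vsftpd.conf and the range in the fallback rule are the first two things to compare.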

Security :: IPTables - How To Set Default Allow

Mar 19, 2010

I've started a new job and have inherited a couple of RHEL4 64-bit servers. The firewall on them is currently disabled. I'm struggling to get them up and running as iptables is not the most user-friendly application. This led me to downloading and trying a GUI front-end: Guarddog. Great app! But it doesn't have the default behavior I'm looking for. Here is what I need:

Default behavior: Firewall should be wide open, allowing ALL ports/IP's/TCP/UDP in and out of the server.
Blacklist: Oracle TCP port 1521 needs to be blocked in/out of the server.

This will help get us past our company's security vulnerability scan. (We aren't able to patch/upgrade Oracle at this time because we'd lose vendor support with a legacy app.) I will use these settings as a starting point, and then once I learn more and get more comfortable with iptables (or a GUI app) I can fine tune things to make them more secure. As far as I know (correct me if I'm wrong) once I get a script I just copy it into /etc/rc.firewall and it will load when iptables starts.

View 14 Replies View Related

Security :: Iptables To Block Ip From Ftp?

Mar 6, 2010

Is this how I would do that?

iptables -A INPUT -p tcp --destination-port 21 -d ! 168.192.1.2 -j DROP

This should block all incoming connections on port 21 from 192.168.1.2, correct? Thus preventing that IP from logging into my FTP.

View 1 Replies View Related
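The one-liner in the post above matches on the destination address (`-d`) rather than the source, which for a packet arriving on INPUT is the server's own address, so it never matches the client it is meant to block; it also has the two middle octets of the address swapped relative to the prose. The functions below are an added example, not the poster's rule. They check the address before it reaches iptables, build the rule on the source (`-s`), and insert it at the top of INPUT only if it is not already there. Assumptions: root, and an iptables with `-C` (check), which newer releases have and the CentOS 5 era ones do not.

```sh
#!/bin/sh
# Added example for the post above (not the poster's rule). Blocks one source
# address from the FTP control port. Inserting with -I puts the DROP ahead of
# any ESTABLISHED accept, so an already logged-in session from that address
# is cut as well.
# Assumption: iptables supports -C (1.4.11+); older builds need `iptables -S`
# and a grep instead.

# Syntactic IPv4 check: four dotted decimal octets, each 0-255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The rule as a string, so it can be reviewed or logged before use.
block_rule() {   # block_rule <src-ip> <dport>
    echo "iptables -I INPUT -p tcp -s $1 --dport $2 -j DROP"
}

# Validate, then add the rule only if it is not already present.
block_ip_from_port() {   # block_ip_from_port <src-ip> <dport>
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    if iptables -C INPUT -p tcp -s "$1" --dport "$2" -j DROP 2>/dev/null; then
        echo "already blocked: $1 -> tcp/$2"
        return 0
    fi
    iptables -I INPUT -p tcp -s "$1" --dport "$2" -j DROP
}
```

Usage: `block_ip_from_port 192.168.1.2 21`. Blocking on 21 alone stops new logins; it does not touch a passive data connection that is already open, which is another reason the rule goes at the top of INPUT.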

Debian :: Iptables Cannot Save The Configuration?

Apr 28, 2011

I am configuring the iptables in Debian squeeze and then running: iptables-save

View 4 Replies View Related

Debian Configuration :: Bad Argument '#' In Iptables

Jul 11, 2011

I followed these instructions, but after running iptables-restore < /etc/iptables.test.rules I see this error:

Code:
# iptables-restore < /etc/iptables.test.rules
Bad argument `#'
Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Line 3 is the same as in the link: # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0

View 3 Replies View Related
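iptables-restore treats `#` as a comment only when it is the first character of the line. A comment that picked up leading whitespace, a Windows line ending or a UTF-8 byte-order mark when it was pasted from a web page, or a comment appended after a rule, is handed to the rule parser and fails exactly as in the post above. The functions below are an added example, not the poster's file: a cleaner that removes all four, a constructed sample that contains all four, and a check-then-load step that assumes an iptables-restore with `--test` (newer releases; older ones can only find out by loading).

```sh
#!/bin/sh
# Added example for the post above (not the poster's rules file).
# Assumption: `iptables-restore --test` exists on this box.

# Normalise a rules file from stdin to stdout.
clean_rules() {
    awk '
        { sub(/\r$/, "") }                      # CRLF from a Windows editor
        NR == 1 { sub(/^\357\273\277/, "") }    # UTF-8 BOM (octal escapes)
        { sub(/^[ \t]+/, "") }                  # indentation before "#" or "-A"
        /^#/ || /^$/ { next }                   # comment-only and blank lines
        { sub(/[ \t]+#.*$/, ""); print }        # comment appended after a rule
    '
}

# Parse without loading, then load. Returns iptables-restore status.
check_and_load() {   # check_and_load <rules-file>
    tmp=$(mktemp) || return 1
    clean_rules < "$1" > "$tmp"
    if iptables-restore --test < "$tmp"; then
        iptables-restore < "$tmp"
        rc=$?
    else
        echo "refusing to load $1: see error above" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# A constructed sample with all four faults, for trying the cleaner.
sample_rules() {
    printf '\357\273\277*filter\r\n  # Allows all loopback (lo0) traffic\n-A INPUT -i lo -j ACCEPT  # keep\n\nCOMMIT\n'
}
```

Usage: `sample_rules | clean_rules` to see the cleaned form, `check_and_load /etc/iptables.test.rules` for the real file. The trailing-comment strip is a plain text match, so a rule using `-m comment --comment` whose text contains `#` would be cut; keep such comments free of `#` or drop that one `sub` line.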

Copyrights 2005-15 www.BigResource.com, All rights reserved