Linux Microsoft VMware

Monday, September 3, 2012

Redhat / CentOS Iptables Firewall Configuration


H
ow do I configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat Enterprise Linux?
Icon reference for Firewall


Netfilter is a host-based firewall for Linux operating systems. It is included as part of the Linux distribution and it is activated by default. This firewall is controlled by the program called iptables. Netfilter filtering take place at the kernel level, before a program can even process the data from the network packet.

Posted by 0 comments
Read More

What is sysctl.conf in Linux


sysctl is an interface that allows you to make changes to a running Linux kernel. With /etc/sysctl.conf you can configure various Linux networking and system settings such as:
1.      Limit network-transmitted configuration for IPv4
2.      Limit network-transmitted configuration for IPv6
3.      Turn on execshield protection
4.      Prevent against the common 'syn flood attack'
5.      Turn on source IP address verification
6.      Prevents a cracker from using a spoofing attack against the IP address of the server.
7.      Logs several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects.

sysctl command

The sysctl command is used to modify kernel parameters at runtime. /etc/sysctl.conf is a text file containing sysctl values to be read in and set by sysct at boot time. To view current values, enter:

# sysctl -a

# sysctl -A

# sysctl mib

# sysctl net.ipv4.conf.all.rp_filter

To load settings, enter:

# sysctl -p

Sample /etc/sysctl.conf

Edit /etc/sysctl.conf and update it as follows. The file is documented with comments. However, I recommend reading the official Linux kernel sysctl tuning help file (see below):
# The following is suitable for dedicated web server, mail, ftp server etc. 
# ---------------------------------------
# BOOLEAN Values:
# a) 0 (zero) - disabled / no / false
# b) Non zero - enabled / yes / true
# --------------------------------------
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
 
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
 
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
 
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
 
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
 
# Controls the use of TCP syncookies
#net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
 
########## IPv4 networking start ##############
# Send redirects, if router, but this is just server
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
 
# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0
 
# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
 
# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
 
# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
 
# Prevent against the common 'syn flood attack'
net.ipv4.tcp_syncookies = 1
 
# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
 
########## IPv6 networking start ##############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0
 
# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0
 
# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
 
# Setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0
 
#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
 
#how many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 0
 
# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1
 
########## IPv6 networking ends ##############
 
#Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 1
 
# TCP and memory optimization 
# increase TCP max buffer size setable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608
 
# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1
 
# increase system file descriptor limit    
fs.file-max = 65535
 
#Allow for more PIDs 
kernel.pid_max = 65536
 
#Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000

Posted by 0 comments
Read More

Friday, August 31, 2012

Red Hat / CentOS VSFTPD FTP Server Configuration


Vsftpd (Very Secure FTP Daemon) is an FTP server for UNIX-like systems, including CentOS / RHEL / Fedora and other Linux distributions. It supports IPv6, SSL, locking users to their home directories and many other advanced features.
In this guide you will learn:
1.                  Setup vsftpd to Provide FTP Service.
2.                  Configure vsftpd.
3.                  Configure Firewalls to Protect the FTP Server.
4.                  Configure vsftpd with SSL/TLS.
5.                  Setup vsftpd as Download Only Anonymous Internet Server.
6.                  Setup vsftpd With Virtual Users and Much More.

VSFTPD offer security, performance and stability over other servers. A quick list of vsftpd features:
1.                  Virtual IP configurations
2.                  Virtual users
3.                  Run as standalone or inetd / xinetd operation
4.                  Per-user configuration
5.                  Bandwidth throttling
6.                  Per-source-IP configurability
7.                  Per-source-IP limits
8.                  IPv6 ready
9.                  Encryption support through SSL integration
10.              And much more.

Install Vsftpd FTP Server

Install the vsftpd package via yum command:

# yum install vsftpd

Vsftpd Defaults

1.                  Default port: TCP / UDP - 21 and 20
2.                  The main configuration file: /etc/vsftpd/vsftpd.conf
3.                  Users that are not allowed to login via ftp: /etc/vsftpd/ftpusers

Configure Vsftpd Server

Open the configuration file, type:

# vim /etc/vsftpd/vsftpd.conf

Turn off standard ftpd xferlog log format:

xferlog_std_format=NO

Turn on verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log:

log_ftp_protocol=YES

Above to directive es will enable logging of all FTP transactions. Lock down users to their home directories:

chroot_local_user=YES

Create warning banners for all FTP users:

banner_file=/etc/vsftpd/issue

Create /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:

NOTICE TO USERS
Use of this system constitutes consent to security monitoring and testing.
All activity is logged with your host name and IP address.

Turn On Vsftpd Service

Turn on vsftpd on boot:

chkconfig vsftpd on

Start the service:

# service vsftpd start

# netstat -tulpn | grep :21

Configure Iptables To Protect The FTP Server

Open file /etc/sysconfig/iptables, enter:

# vim /etc/sysconfig/iptables

Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

Open file /etc/sysconfig/iptables-config, enter:

# vim /etc/sysconfig/iptables-config

Ensure that the space-separated list of modules contains the FTP connection tracking module:

IPTABLES_MODULES="ip_conntrack_ftp"

Save and close the file. Restart firewall:

# service iptables restart

Tip: View FTP Log File


Type the following command:

# tail -f /var/log/vsftpd.log

Sample output:

Thu May 21 11:40:31 2009 [pid 42298] FTP response: Client "10.1.3.108", "530
Please login with USER and PASS."
Thu May 21 11:40:36 2009 [pid 42298] FTP command: Client "10.1.3.108", "USER
vivekda"
Thu May 21 11:40:36 2009 [pid 42298] [vivek] FTP response: Client "10.1.3.108
", "331 Please specify the password."
Thu May 21 11:40:38 2009 [pid 42298] [vivek] FTP command: Client "10.1.3.108"
, "PASS "
Thu May 21 11:40:38 2009 [pid 42297] [vivek] OK LOGIN: Client "10.1.3.108"
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108
", "230 Login successful."

Tip: Restrict Access to Anonymous User Only

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
local_enable=NO

Tip: Disable FTP Uploads

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
write_enable=NO

Security Tip: Place the FTP Directory on its Own Partition

Separation of the operating system files from FTP users files may result into a better and secure system. Restrict the growth of certain file systems is possible using various techniques. For e.g., use /ftp partition to store all ftp home directories and mount ftp with nosuid, nodev and noexec options. A sample /etc/fstab enter:

/dev/sda5  /ftp   ext3 defaults,nosuid,nodev,noexec,usrquota 1 2


Disk quota must be enabled to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file. Add or correct the following configuration options to represents a directory which vsftpd will try to change into after an anonymous login:

anon_root=/ftp/ftp/pub

Create An FTP User Account


Now your FTP server is up and running. It is time to add additional users to FTP server so that they can login into account to upload / download files. To add a user called tom and set the password, enter:

adduser -c 'FTP USER mike' -m mike
# passwd mike

Now tom can login using our ftp server. Make sure the following is set in vsftpd.conf

local_enable=YES

Restart the vftpd:

# service vsftpd restart

Allow anonymous access ftp access

Edit the vsftpd configuration file, enter:

# vi /etc/vsftpd/vsftpd.conf

Add or correct the following configuration option:
Only allow anonymous access ftp access:

anonymous_enable=YES

Disable local users login to ftp server:

local_enable=NO

Disable upload files and writing permission on the FTP server:

write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

Only allow file reading permission to the rest of the world:

anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=40000
pasv_max_port=60000

Turn on log features

xferlog_enable=YES
# Do not allow the use of "ls -R" to avoid consume a lot of resources
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES

Set performance option:

# Uses one process per connection to gain performance.
# This is used to supports huge numbers of simultaneously connected users.
one_process_model=YES
# The timeout, in seconds, which is the maximum time a remote client may spend
# between FTP commands.  If the timeout triggers, the remote client is kicked off.
idle_session_timeout=120
# The timeout, in seconds, which is roughly the maximum time we permit data
# transfers to stall for with no progress. If the timeout triggers,the remote client
# is kicked off.
data_connection_timeout=300
# The timeout, in seconds, for a remote client to establish connection with
# a PASV style data connection.
accept_timeout=60
# The timeout, in seconds, for a remote client to respond to our PORT
# style data connection.
connect_timeout=60
# The maximum data transfer rate permitted, in bytes per second,
# for anonymous clients.
anon_max_rate=50000

Restart the ftp server:

# service vsftpd restart

Pluggable Authetication Module

# vim /etc/pam.d/vsftpd

sense = allow or deny (default in deny state)

If its in deny then users in vim /etc/vsftpd/ftpusers are unable to access
If its in allow the users in vim /etc/vsftpd/ftpusers are able to access
Posted by 0 comments
Read More
Subscribe to: Posts (Atom)
Powered by Blogger.