iptables output examples, configuration for outgoing connections, Red Hat/CentOS or Ubuntu

As an extension of the post “Configuring iptables firewall RedHat/CentOS 6 from command line“, this time we will see how to secure the outbound connections from our server.

Limiting outgoing connections may seem a little paranoid, but if your machine is compromised it will be used to “jump” to other machines or to send mail. I know this may sound even more paranoid, but these things happen and are very real; I want to write a later post walking through a real case.

Let’s get to the point. We start from this initial situation:

[root@oradb ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Continue reading

Apache SSL client certificate, configuring Apache to allow access only SSL certificate installed on client

Let’s configure Apache (on an Ubuntu 12) to allow access only to clients that have a personal SSL certificate installed. First we have to create some structures so that we can later work with revocation lists.

The first thing is to have openssl installed:

ubuntu@ip-10-112-31-82:~$ sudo aptitude install openssl

We will create a directory structure that matches the paths expected by the openssl.cnf configuration file:

ubuntu@ip-10-112-31-82:~$ mkdir -p /vol/apache2_certs
ubuntu@ip-10-112-31-82:~$ cd /vol/apache2_certs/
ubuntu@ip-10-112-31-82:/vol/apache2_certs$ sudo cp /etc/ssl/openssl.cnf .

The openssl.cnf file defines, among other things, a directory structure for working with certificate revocation lists. We will edit it and modify the line:

Continue reading

iptables ddos configuration with recent, prevent denial of service attacks (DoS, Denial Of Service) on Linux (match extension recent)

Recently a colleague named Miguel Angel (greetings) contacted me to see if I could help him with the attacks he is suffering. Obviously I will not use his data for anything in this entry.

In this post we will filter incoming communications more precisely, to prevent DoS attacks.

The previous post “iptables ddos limit configuration, prevent denial of service attacks on Linux (Match extension limit)” showed how to filter by limiting the number of hits. The great improvement of recent over the limit extension is that recent maintains a list of the source IPs that communicate with us, so limits are applied per source IP. The limits imposed by the limit extension apply regardless of origin: it is an overall limit.


Continue reading

Linux volume encryption (LUKS, Linux Unified Key Setup) in RedHat/CentOS 6

In this post we will create an encrypted volume, which is useful if you work on a laptop and want to protect your data against theft.

You can do interesting things, such as asking for the key at boot or keeping the key on, for example, a USB device. Booting with the key stored on a USB device seems to me a very good option.

Let’s get to it; the steps are:

1- make sure the dm_crypt kernel module is loaded:

[root@test ~]# lsmod | grep dm_crypt
dm_crypt 10848 2
dm_mod 63859 11 dm_crypt

Continue reading

iptables ddos limit configuration, prevent denial of service attacks on Linux (Match extension limit)

When we run a web server, we should apply basic protection to prevent a “good” person (with all the sarcasm) from running JMeter (excellent software designed for load tests) with the idea of saturating our server.

These are things that really happen; it is not paranoia.

One way to avoid these attacks is through iptables (I have a broader post on iptables); a configuration example would be:

Continue reading

Configuring iptables firewall RedHat/CentOS 6 from command line

iptables is the kernel-level firewall included in Linux distributions; it is very powerful (once you understand how it works), very useful and flexible. This post was written on CentOS 6 (a RedHat clone); almost all of it should apply to any distribution.

The basic operation of iptables is the following:

  1. There are chains of rules. Basically 3: INPUT, OUTPUT and FORWARD.
  2. The rules within a chain are evaluated in order. This is where there is a multitude of filtering options.
  3. When a rule matches, the packet is directed to a TARGET. It can be accepted, rejected, dropped, written to a log or much more (see TARGET EXTENSIONS in man iptables).

We can list the current rules:

Continue reading

Linux acl tutorial, working with Access Control List

Working with ACLs (Access Control Lists) is useful when you want to grant or remove access for a user or group on directories and objects. Personally I do not like them too much; it is all too “hidden” and whimsical for my taste. Though admittedly, in certain situations it may be the best solution.

A requirement for working with ACLs is to have the volume mounted with the appropriate option. This is possible without unmounting or restarting, with the command:

Continue reading

Linux file attributes and directories

In Linux you can assign attributes to files, which allows you to increase the security level. It is possible, for example, to protect a file so that it cannot be removed.

To view the attributes of a file:

[root@tester1 prueba]# lsattr
-------------e- ./fich.txt
-------------e- ./fich2.txt

Continue reading