Improving the firewall

beaglebone.txt

@@ -449,6 +449,13 @@ apt-get install fail2ban
 
 A basic firewall limits the maximum rate at which connections can be made, and this helps to defend against various kinds of DDOS attack.
 
+#+BEGIN_SRC: bash
+apt-get install portsentry
+emacs /etc/portsentry/portsentry.conf
+#+END_SRC
+
+Save and exit.
+
 #+BEGIN_SRC: bash
 emacs /tmp/firewall.sh
 #+END_SRC
@@ -457,6 +464,75 @@ Enter the following:
 
 #+BEGIN_SRC: bash
 #!/bin/bash
+
+# enable syn cookies
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+
+# other settings
+echo 1 > /proc/sys/net/ipv4/tcp_keepalive_probes
+echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
+echo 1 > /proc/sys/net/ipv4/tcp_syn_retries
+
+# First of all delete any existing rules.
+# This means you're back to a known state:
+iptables -P INPUT ACCEPT
+iptables -F
+iptables -X
+
+# Make sure NEW incoming tcp connections are SYN packets
+iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+
+# Drop packets with incoming fragments
+iptables -A INPUT -f -j DROP
+
+# Incoming malformed XMAS packets drop them
+iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
+iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+# Incoming malformed NULL packets:
+iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+
+# limit ssh logins to no more than 3 per min
+iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 1 -j LOG --log-prefix SSH-DROP
+
+# Limit web connections to 20 per min
+iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix HTTP-DROP
+iptables -A INPUT -p tcp --dport 443 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 443 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix HTTPS-DROP
+
+# Limit number of XMPP connections
+iptables -A INPUT -p tcp --match multiport --dports 5222:5223,5269,5280:5281 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --match multiport --dports 5222:5223,5269,5280:5281 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix XMPP-DROP
+
+# Limit IRC connections
+iptables -A INPUT -p tcp --dport 6666:6670 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 6666:6670 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix IRC-DROP
+
+# Limit gopher connections
+iptables -A INPUT -p tcp --dport 70 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 70 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix GOPH-DROP
+
+# Limit IMAP connections
+iptables -A INPUT -p tcp --dport 143 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 143 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix IMAP-DROP
+
+# Limit SIP connections
+iptables -A INPUT -p tcp --dport 5060:5061 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 5060:5061 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix SIP-DROP
+
+# Limit SMTP/SMTPS connections
+iptables -A INPUT -p tcp --dport 25 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 25 -m limit --limit 3/minute --limit-burst 1 -j LOG --log-prefix SMTP-DROP
+iptables -A INPUT -p tcp --dport 465 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 465 -m limit --limit 3/minute --limit-burst 1 -j LOG --log-prefix SMTPS-DROP
+
+# Limit Bitmessage connections
+iptables -A INPUT -p tcp --dport 8444 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
+iptables -A INPUT -p tcp --dport 8444 -m limit --limit 10/minute --limit-burst 1 -j LOG --log-prefix BM-DROP
+
 # Limit the number of incoming tcp connections
 # Interface 0 incoming syn-flood protection
 iptables -N syn_flood
@@ -464,11 +540,17 @@ iptables -A INPUT -p tcp --syn -j syn_flood
 iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
 iptables -A syn_flood -j DROP
 
-#Limiting the incoming icmp ping request:
+# Limiting the incoming icmp ping request:
 iptables -A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT
 iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
 iptables -A INPUT -p icmp -j DROP
 iptables -A OUTPUT -p icmp -j ACCEPT
+
+# Save the settings
+iptables-save > /etc/firewall.conf
+echo '#!/bin/sh' > /etc/network/if-up.d/iptables
+echo 'iptables-restore < /etc/firewall.conf' >> /etc/network/if-up.d/iptables
+chmod +x /etc/network/if-up.d/iptables
 #+END_SRC
 
 Save and exit
@@ -476,10 +558,6 @@ Save and exit
 #+BEGIN_SRC: bash
 chmod +x /tmp/firewall.sh
 . /tmp/firewall.sh
-iptables-save > /etc/firewall.conf
-echo '#!/bin/sh' > /etc/network/if-up.d/iptables
-echo 'iptables-restore < /etc/firewall.conf' >> /etc/network/if-up.d/iptables
-chmod +x /etc/network/if-up.d/iptables
 rm /tmp/firewall.sh
 #+END_SRC
 
@@ -3248,6 +3326,32 @@ make install
 pybitmessage
 #+END_SRC
 
+*** Connect to Email
+Surely Bitmessage is supposed to be a
+
+#+BEGIN_SRC: bash
+cd /tmp
+wget http://freedombone.uk.to/notbit.tar.gz
+#+END_SRC
+
+Verify it.
+
+#+BEGIN_SRC: bash
+sha256sum notbit.tar.gz
+972fdc9cbb8034141282337dcd5e557bce57969ff6bd1d607da89bd93cc7bb68
+#+END_SRC
+
+Extract and install it.
+
+#+BEGIN_SRC: bash
+tar -xzvf notbit.tar.gz
+cd notbit
+apt-get install dh-autoreconf
+./autogen.sh --prefix=/home/myusername
+make
+make install
+#+END_SRC
+
 ** Overcome restrictive environments
 
 #+BEGIN_VERSE