Drop access to unused ports
This commit is contained in:
Bob Mottram
parent
41d9636d16
commit
b86389bd99
|
|
@ -447,7 +447,7 @@ apt-get install fail2ban
|
|||
-- NBC News article: /War on Anonymous: British Spies Attacked Hackers, Snowden Docs Show/
|
||||
#+END_VERSE
|
||||
|
||||
A basic firewall limits the maximum rate at which connections can be made, and this helps to defend against various kinds of DDOS attack.
|
||||
A basic firewall limits the maximum rate at which connections can be made and closes any unused ports, and this helps to defend against various kinds of DDOS attack.
|
||||
|
||||
#+BEGIN_SRC: bash
|
||||
apt-get install portsentry
|
||||
|
|
@ -483,10 +483,10 @@ Enter the following:
|
|||
#+BEGIN_SRC: bash
|
||||
#!/bin/bash
|
||||
|
||||
# enable syn cookies
|
||||
# Enable syn cookies
|
||||
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
|
||||
|
||||
# other settings
|
||||
# Other settings
|
||||
echo 1 > /proc/sys/net/ipv4/tcp_keepalive_probes
|
||||
echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
|
||||
echo 1 > /proc/sys/net/ipv4/tcp_syn_retries
|
||||
|
|
@ -497,6 +497,44 @@ iptables -P INPUT ACCEPT
|
|||
iptables -F
|
||||
iptables -X
|
||||
|
||||
# Drop access to unused ports
|
||||
iptables -A INPUT -p tcp --destination-port 1 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 7 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 109:111 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 995 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 139 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 6000:6001 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 9 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 79 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 515 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 4001 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 1524 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 1080 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 512:514 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 31337 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 2000:2001 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 12345 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 32771:32774 -j DROP
|
||||
iptables -A INPUT -p tcp --destination-port 4000 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 1 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 7 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 109:111 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 995 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 139 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 6000:6001 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 9 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 79 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 515 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 4001 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 1524 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 1080 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 512:514 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 31337 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 2000:2001 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 12345 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 32771:32774 -j DROP
|
||||
iptables -A INPUT -p udp --destination-port 4000 -j DROP
|
||||
|
||||
# Make sure NEW incoming tcp connections are SYN packets
|
||||
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
|
||||
|
||||
|
|
@ -511,11 +549,11 @@ iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
|
|||
# Incoming malformed NULL packets:
|
||||
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
||||
|
||||
# drop UDP to used ports
|
||||
# Drop UDP to used ports
|
||||
iptables -A INPUT -p udp --match multiport --dports 70,80,443,143,6670,993,5060,5061,25 -j DROP
|
||||
iptables -A INPUT -p udp --match multiport --dports 465,22,5222,5223,5269,5280,5281,8444 -j DROP
|
||||
|
||||
# limit ssh logins
|
||||
# Limit ssh logins
|
||||
iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
|
||||
|
||||
# Limit web connections
|
||||
|
|
@ -525,6 +563,9 @@ iptables -A INPUT -p tcp --dport 443 -m limit --limit 10/minute --limit-burst 1
|
|||
# Limit number of XMPP connections
|
||||
iptables -A INPUT -p tcp --match multiport --dports 5222:5223,5269,5280:5281 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
||||
|
||||
# Limit NNTP connections
|
||||
iptables -A INPUT -p tcp --dport 119 -m limit --limit 5/minute --limit-burst 1 -j ACCEPT
|
||||
|
||||
# Limit IRC connections
|
||||
iptables -A INPUT -p tcp --dport 6666:6670 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue