Solved

security

Posted on 2006-11-16
Last Modified: 2010-04-22
Hi, I need to apply the following rules on my Fedora Core 5 box.

I am an apprentice at this computer company and my head IT guy has told me to do the following, and I am not comfortable with it at all.
Please help.

Using iptables.


Blacklist (drop packets from) any host that performs a port scan
Blacklist any host that attempts to use an illegal HTTP method (such as PUT or DELETE)

Limit packets to any one host to a maximum of 10% of the available bandwidth
Log information about any host which transfers more than 100 kb in one connection (do not block the transfer)

Permit ssh connections only from the local network in the day, and only from hosts not on the local network at night and on weekends
Fingerprint and log the machine type of any host sending a packet to a port on which we are not running a service
Prevent the MySQL server from sending any packets to the network on any port


thanks

theitguy
Question by: theitguy

Accepted Solution by ahoffmann (earned 250 total points)
ID: 17972162
> Blacklist (drop packets from) any host that performs a port scan
Please define "port scan", in particular the time slice to be used to detect the scan.

> Blacklist any host that attempts to use an illegal HTTP method (such as PUT or DELETE)
Don't do that with iptables; iptables is a packet filter, not an application-level firewall.
If you really want to make your iptables firewall the performance bottleneck, then you have to use the string module (if your kernel supports it).

> Limit packets to any one host to a maximum of 10% of the available bandwidth
Please define "bandwidth".

> .. local network in the day, and only from hosts not on the local network at night ..
Not possible with iptables (except by calling external scripts/programs; don't do that!).

> Fingerprint and log the machine type of any host sending a packet to a port on which we are not running a service
See the iptables LOG target.

> Prevent the MySQL server from sending any packets to the network on any port
iptables -A FORWARD -s ip-of-MySQL-server -j DROP
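The parts of the accepted answer that plain packet filtering can handle (blacklisting a scanner once a defined time slice and hit count are chosen, logging packets to closed ports for fingerprinting, dropping the MySQL host's traffic) as one iptables script. This is an added example, not code from the thread; the MySQL address, the service ports and the 60-second scan window are assumptions to be replaced with the real network's values.

```shell
#!/bin/sh
# Added example (not from the thread). All addresses, ports and the scan
# window below are assumptions; set them for the real network before use.
IPT="${IPT:-iptables}"              # IPT=echo previews the rules without applying them
MYSQL_IP="${MYSQL_IP:-10.0.0.20}"   # assumed address of the MySQL host behind the firewall
SERVICE_PORTS="${SERVICE_PORTS:-22,80,443}"  # TCP ports where a service is listening
SCAN_WINDOW="${SCAN_WINDOW:-60}"    # seconds: the "time slice" the answer asks the poster to define
SCAN_HITS="${SCAN_HITS:-10}"        # closed-port packets within the window that count as a scan

apply_rules() {
    # Replies to existing connections are accepted before any other check.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Blacklist: a source already recorded in the "portscan" list is dropped
    # once it has reached SCAN_HITS closed-port packets within SCAN_WINDOW
    # seconds; --update refreshes its timestamp, so the block lasts until
    # the host stays quiet for SCAN_WINDOW seconds.
    $IPT -A INPUT -m recent --name portscan --update \
        --seconds "$SCAN_WINDOW" --hitcount "$SCAN_HITS" -j DROP

    # Packets to TCP ports with no service: log them with TCP options kept
    # (TTL, window size and options are what passive fingerprinting reads),
    # record the source for the rule above, then drop.
    $IPT -A INPUT -p tcp -m multiport ! --dports "$SERVICE_PORTS" \
        -m recent --name portscan --set \
        -j LOG --log-prefix "closed-port: " --log-level 4 --log-tcp-options
    $IPT -A INPUT -p tcp -m multiport ! --dports "$SERVICE_PORTS" -j DROP

    # The MySQL host may not send anything through this firewall (the
    # answer's FORWARD rule). If MySQL ran on this box instead, the rule
    # would go in OUTPUT, matching the daemon with -m owner --uid-owner mysql.
    $IPT -A FORWARD -s "$MYSQL_IP" -j DROP
}

case "${1:-}" in
    apply)   apply_rules ;;
    preview) IPT=echo; apply_rules ;;
    *)       echo "usage: $0 apply|preview" >&2 ;;
esac
```

Run with `preview` first to read the generated rules; `apply` appends them to the live chains, so flush or inspect the existing ruleset before doing that.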
Assisted Solution by jako (earned 250 total points)
ID: 18047225
As I see it, you have been given a trying stone and you've failed. Failed to see that it was a test ;) Nobody in their right mind will ever give an apprentice access to their firewall and an opportunity to mess up their infra. Not because of the (falsely) assumed lack of know-how, no; rather because of the responsibility.

Before you execute the crontab scripts to modify the ssh-related iptables rules, or any of the solutions you come up with, to prove that you are up to snuff, ask your superior if he really meant all that and wants you to implement IDS + traffic shaping + scripting magic, or whether it was a joke he pulled so that they can laugh their a**es off when they see you all worked up and excited working on a "special assignment".

Look up Snort (http://www.snort.org) and read up on traffic shaping patches for the Linux kernel (http://lartc.org/) to impress your superior with solutions to some of the tasks from the list.