Solved

security

Posted on 2006-11-16
197 Views
Last Modified: 2010-04-22
Hi, I need to apply the following rules on my Fedora Core 5 box.

I am an apprentice at this computer company and my head IT guy has told me to do the following, and I am not comfortable with it at all.
Please help.

Using iptables.


Blacklist (drop packets from) any host that performs a port scan
Blacklist any host that attempts to use an illegal HTTP method (such as PUT or DELETE)

Limit packets to any one host to a maximum of 10% of the available bandwidth
Log information about any host which transfers more than 100 kb in one connection (do not block the transfer)

Permit ssh connections only from the local network in the day, and only from hosts not on the local network at night and on weekends
Fingerprint and log the machine type of any host sending a packet to a port on which we are not running a service
Prevent the MySQL server from sending any packets to the network on any port


Thanks,

theitguy
Question by: theitguy
4 Comments
 
Accepted Solution
by: ahoffmann (LVL 51), earned 250 total points
ID: 17972162
> Blacklist (drop packets from) any host that performs a port scan
Please define port scan, in particular the time slice to be used to detect the scan.

> Blacklist any host that attempts to use an illegal HTTP method (such as PUT or DELETE)
Don't do that with iptables; iptables is a packet filter, not an application-level firewall.
If you really want to make your iptables firewall the performance bottleneck, then you have to use the string module (if your kernel supports it).

> Limit packets to any one host to a maximum of 10% of the available bandwidth
Please define bandwidth.

> .. local network in the day, and only from host not on the local network at night  ..
Not possible with iptables (except by calling external scripts/programs; don't do that!).

> Fingerprint and log the machine type of any host sending a packet to a port on which we are not running a service
See the iptables LOG target.

> Prevent the MySQL server from sending any packets to the network on any port
iptables -A FORWARD -s ip-of-MySQL-server -j DROP
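The items on the list that a packet filter can actually express, as an added example script; this is not code from the thread and not ahoffmann's or theitguy's. The assumptions are mine: eth0 faces the outside world, the local network is 192.168.1.0/24, HTTP on port 80 is the only public service, and mysqld runs on the same box as user mysql. By default the script only prints the rules (IPT="echo iptables"), so they can be read before anything is loaded; run it as root with IPT=iptables to apply them. Port-scan blacklisting uses the recent match; the "log anything over 100 KB" item uses connbytes plus a connection mark so each connection is logged once; the day/night SSH policy uses the time match, which reached the mainline kernel in 2.6.24, after this thread, so on Fedora Core 5 it needs the patch-o-matic module or the cron job jako mentions; the MySQL rule uses the owner match in OUTPUT for the case where the database runs on the firewalled box itself (if the firewall is a separate gateway, the FORWARD rule in the accepted answer is the equivalent). Two items are left out on purpose: HTTP method filtering belongs in the web server (Apache's LimitExcept), and a bandwidth cap is a tc job, not an iptables one, since -m limit counts packets, not bytes.

```shell
#!/bin/sh
# Added example, not code from the thread.  Assumptions (mine, not the poster's):
# eth0 faces the outside, the LAN is 192.168.1.0/24, HTTP/80 is the only public
# service, mysqld runs on this box as user "mysql".  Prints rules by default;
# run as root with IPT=iptables to load them.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN="${LAN:-192.168.1.0/24}"
# Working hours; the time match uses UTC unless --kerneltz is given.
WORKHOURS="-m time --timestart 08:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri"

# Create (or empty) a user chain; $2 is the table, filter by default.
new_chain() {
    tbl=${2:-filter}
    $IPT -t "$tbl" -N "$1" 2>/dev/null || true
    $IPT -t "$tbl" -F "$1"
}

# Port-scan blacklisting with the "recent" match: every packet that reaches a
# port with no listener is recorded under the name "scanners".  Once a source
# has 10 such hits inside an hour, the first INPUT rule (see all_rules) drops
# everything from it until the hits age out.  --hitcount must stay at or below
# ip_pkt_list_tot (20 by default).
portscan_rules() {
    new_chain UNUSED
    $IPT -A UNUSED -m recent --name scanners --set
    # iptables cannot fingerprint an OS, but TTL, window size and the TCP/IP
    # options are what passive tools such as p0f work from, so log them.
    $IPT -A UNUSED -p tcp --syn -m limit --limit 30/min -j LOG \
        --log-prefix "unused-port: " --log-tcp-options --log-ip-options
    $IPT -A UNUSED -j DROP
}

# SSH: LAN only during working hours, non-LAN only outside them.  The two
# working-hours rules decide the daytime case; whatever falls through is night
# or weekend and gets the opposite policy, so no wrap-around times are needed.
ssh_rules() {
    new_chain SSH_TIME
    $IPT -A SSH_TIME -s "$LAN" $WORKHOURS -j ACCEPT
    $IPT -A SSH_TIME ! -s "$LAN" $WORKHOURS -j DROP
    $IPT -A SSH_TIME -s "$LAN" -j DROP
    $IPT -A SSH_TIME -j ACCEPT
}

# Log, once and without blocking, any connection that passes 100 KB in either
# direction.  connbytes needs conntrack accounting; the CONNMARK target is
# restricted to the mangle table on older kernels, so everything sits there.
# LOG does not terminate, so the mark is set right after the log line.
bigxfer_rules() {
    new_chain BIGXFER mangle
    $IPT -t mangle -A BIGXFER -m connmark --mark 0x0 -j LOG --log-prefix "big-xfer: "
    $IPT -t mangle -A BIGXFER -j CONNMARK --set-mark 0x1
    $IPT -t mangle -A INPUT -m connbytes --connbytes 102400: \
        --connbytes-dir both --connbytes-mode bytes -j BIGXFER
}

# mysqld must not talk to the network at all: drop every packet it generates
# unless it stays on loopback (local clients keep working).
mysql_rules() {
    $IPT -A OUTPUT ! -o lo -m owner --uid-owner mysql -j DROP
}

all_rules() {
    $IPT -F; $IPT -X; $IPT -t mangle -F; $IPT -t mangle -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    portscan_rules; ssh_rules; bigxfer_rules; mysql_rules
    # Blacklisted scanners are dropped before anything else, even their
    # established connections.
    $IPT -A INPUT -i "$WAN_IF" -m recent --name scanners --rcheck --seconds 3600 --hitcount 10 -j DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 --syn -j SSH_TIME
    $IPT -A INPUT -p tcp --dport 80 --syn -j ACCEPT
    # Everything left from outside is a packet to a port with no service:
    # record the source, log it, drop it.
    $IPT -A INPUT -i "$WAN_IF" -j UNUSED
}

all_rules
```

The catch-all jump to UNUSED has to stay the last INPUT rule, after every service ACCEPT, or legitimate clients end up on the scanners list; the blacklist DROP has to stay the first, or a blacklisted host's open connections keep flowing through the ESTABLISHED rule.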
 
Assisted Solution
by: jako (LVL 8), earned 250 total points
ID: 18047225
As I see it, you have been given a trying stone and you've failed. Failed to see that it was a test ;) Nobody in their right mind will ever give an apprentice access to their firewall and an opportunity to mess up their infra. Not because of the (falsely) assumed lack of know-how, no; rather because of the responsibility.

Before you execute the crontab scripts to modify the ssh-related iptables rules, or any of the solutions you come up with to prove that you are up to snuff, ask your superior if he really meant all that and wants you to implement IDS + traffic shaping + scripting magic, or whether it was a joke he pulled so that they can laugh their a**es off when they see you all worked up and excited, working on a "special assignment".

Look up Snort (http://www.snort.org) and read up on traffic shaping patches for the Linux kernel (http://lartc.org/) to impress your superior with solutions to some of the tasks from the list.
