IPTables and libwrap

Posted by alex almazan Sat, 03 May 2008 06:02:00 GMT

Securing Services

NOTE: choose the easiest options first, such as TCP wrappers, to control service connections.

/etc/hosts.allow
/etc/hosts.deny

The man page syntax (hosts_access(5)) is identical for both files:

The basic syntax is daemon_list : client_list, e.g. to allow SSH connections from one host:

sshd: 192.168.2.200

These files are parsed in the following order:

/etc/hosts.allow  If a rule in this file matches the requested connection, the connection is immediately allowed.
/etc/hosts.deny   If a rule in this file matches the requested connection, the connection is immediately refused.
If neither file matches, the connection is allowed, so an empty hosts.deny protects nothing.

TCP wrappers can only protect services compiled against libwrap. ldd can be used to check whether a binary has been linked against libwrap.

example for checking with ‘ldd’

[root@station home]# ldd /usr/sbin/sendmail.sendmail |grep wrap
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x006a8000)
portmap is another service that honours these files, but checking it is a bit more convoluted; strings shows the hosts_access references:
[root@station home]# strings /sbin/portmap |grep hosts
hosts_access_verbose
hosts_allow_table
hosts_deny_table
/etc/hosts.allow
/etc/hosts.deny

Here are others compiled against libwrap:

ssh, sendmail, xinetd, vsftpd, stunnel. There are two choices when configuring hosts.allow|deny, shown in the following example: permit connections to vsftpd from 10.1.1.1, but block them from 10.0.0.0/255.0.0.0.

You can make separate entries in both files:

hosts.deny

vsftpd: 10.0.0.0/255.0.0.0

hosts.allow

vsftpd: 10.1.1.1

Or you can add this to just the deny file, using the keyword ‘EXCEPT’:

# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
#vsftpd: 10.0.0.0/255.0.0.0
vsftpd: 10.0.0.0/255.0.0.0 EXCEPT 10.1.1.1

‘ALL’ can be used in the config as the service or as the connecting source:

ALL: ALL EXCEPT 192.168.1.1

in /etc/hosts.deny blocks all services affected by libwrap but stays open to the one source, or

ALL: ALL

in hosts.deny, with explicit service permissions in /etc/hosts.allow.
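To see how the two files, the parse order and EXCEPT interact, here is an added simulator (not part of these notes or of libwrap) of the hosts_access decision for a daemon name and an IPv4 client address. The HOSTS_ALLOW and HOSTS_DENY contents are constructed from the entries above; IPv6, hostname patterns and the shell_command field are not modelled.

```python
import ipaddress

# Constructed hosts.allow / hosts.deny contents that mirror the entries
# discussed above (sshd, vsftpd with EXCEPT, sendmail with EXCEPT).
HOSTS_ALLOW = """
sshd: 192.168.2.200
vsftpd: 10.1.1.1
"""
HOSTS_DENY = """
vsftpd: 10.0.0.0/255.0.0.0 EXCEPT 10.1.1.1
sendmail: 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.2
"""

def _pattern_matches(pattern, value):
    """One hosts_access pattern against a daemon name or an IPv4 address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                   # n.n.n.n/m.m.m.m or n.n.n.n/len
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(value) in net
    if pattern.endswith("."):            # leading-octets prefix such as "10.1."
        return value.startswith(pattern)
    return pattern == value              # exact daemon name or address

def _list_matches(text, value):
    """'list_1 EXCEPT list_2' matches when list_1 does and list_2 does not.
    EXCEPT nests to the right, so the tail is evaluated recursively."""
    head, _, tail = text.partition(" EXCEPT ")
    if not any(_pattern_matches(p, value) for p in head.replace(",", " ").split()):
        return False
    return not (tail and _list_matches(tail, value))

def _file_matches(text, daemon, client):
    """First rule whose daemon_list and client_list both match wins."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (f.strip() for f in line.split(":")[:2])
        if _list_matches(daemons, daemon) and _list_matches(clients, client):
            return True
    return False

def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Decide as libwrap does: hosts.allow first (a match grants), then
    hosts.deny (a match refuses); with no match in either, access is granted."""
    if _file_matches(allow, daemon, client):
        return "allow"
    if _file_matches(deny, daemon, client):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for daemon, client in [("vsftpd", "10.1.1.1"), ("vsftpd", "10.2.3.4"),
                           ("sendmail", "192.168.1.2"), ("sendmail", "192.168.1.7")]:
        print(daemon, client, hosts_access(daemon, client))
```

Passing allow="" shows that the EXCEPT form in hosts.deny alone gives the same result as the two-file form.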

‘DenyHosts’ is a script from SourceForge that you can run from cron to parse /var/log/secure and review the hosts that have attempted multiple brute-force logins (‘swatch’ and ‘pam_abl’ are similar scripts, but modify iptables).

IPTables

Permits packet filtering at the kernel level. Netfilter is the kernel module that does the dirty work; iptables defines the rules and chains that permit or deny traffic through the kernel's IP stack.

INPUT    inbound traffic destined for the server
OUTPUT   outbound traffic leaving the server
FORWARD  traffic routed across the server's interfaces

iptables -L

lists the current rules in place; -n skips DNS lookups, -v adds counters and interfaces, and -t selects another table:

iptables -L -n -v -t nat

iptables-save writes the running rules to /etc/sysconfig/iptables when invoked through ‘service iptables save’. To keep rules persistent across restarts, they must be a part of this file.

Configuration is parsed from top to bottom. IPTables will respond based on the first match. If there is no specific match, the chain policy applies.

IPTables uses targets to determine what action will be taken when traffic matches a rule.

DROP    will drop the packet and send nothing back to the sender
REJECT  will send a connection refused notice back to the sender
ACCEPT  will permit the connection
LOG     will log the connection attempt (and continue to the next rule)

IPTables syntax rule formulation help:

What chain will the rule apply to?

-A INPUT

What pattern(s) would you like to check for?

-s 192.168.2.100

What should IPTables do when a matching pattern is found?

-j REJECT

To make the rule active at the next service iptables start, add the assembled rule to /etc/sysconfig/iptables:

-A INPUT -s 192.168.2.100 -j REJECT

You can also configure the rule from the CLI with:

iptables -A INPUT -s 192.168.2.100 -j REJECT

You can also match on the following criteria:

-i       incoming interface
-p       protocol
-s       source IP address
-d       destination IP address
--dport  destination port

Saving the rules: service iptables save

iptables -D INPUT 3

This command will delete the third rule in the INPUT chain. A quick means of identifying the line number is:

iptables -L --line-numbers

iptables -D INPUT <rule>

This command will delete the specified rule from the INPUT chain (by number, or by repeating the rule specification).

iptables -F

This command will flush the IPTables rulesets (the chain policies remain in place).

The system-config-securitylevel utility was used to create the following config:

[root@station sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT                                ---(permit the loopback)
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT                                ---(for ipsec)
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT                                ---(for ipsec)
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT   ---(multicast/Avahi)
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT            ---(for cups)
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT            ---(for cups)
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 837 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

The utility created the following chain, and sent INPUT and FORWARD traffic into it, in /etc/sysconfig/iptables:

:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT

This and the permitted rules outlined above were put in place automagically. It is considered a mostly closed configuration even though the chain policy is ‘ACCEPT’, because the last rule in the chain rejects everything the rules above it did not accept. If you need to use the rulesets generated by the ‘system-config’ utilities, comment out that last rule to keep from failing the test:

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
‘service iptables panic’ flushes the rules and changes every chain to a default DROP policy:

[root@station sysconfig]# service iptables panic
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy DROP: filter                      [  OK  ]
[root@station13 sysconfig]# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Put these policies back in place to permit connections:

[root@station sysconfig]# iptables -P INPUT ACCEPT
[root@station sysconfig]# iptables -P OUTPUT ACCEPT
[root@station sysconfig]# iptables -L -v
Chain INPUT (policy ACCEPT 1 packets, 78 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Configure your mail server not to accept connections from the 192.168.1.0/24 network, EXCEPT for the 192.168.1.2 host:

iptables example

[root@station etc]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  10.0.0.0/8           anywhere            reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.1.2          anywhere            tcp dpt:smtp
REJECT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:smtp reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@station etc]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Aug  9 16:08:07 2007
*filter
:INPUT ACCEPT [134:32679]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [47:4569]
-A INPUT -s 10.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
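The top-to-bottom, first-match rule from the IPTables section is what makes this ruleset work: the 192.168.1.2 ACCEPT has to sit above the /24 REJECT. Here is an added simulator (not part of these notes or of iptables) that reads iptables-save text for one chain and returns the verdict for a constructed packet, falling back to the chain policy when nothing matches; only -s, -d, -p, -i, --dport, --sport and -j are modelled, not negation or state matching.

```python
import ipaddress
import shlex

# Constructed iptables-save text: the mail-server example above (policy ACCEPT,
# the 10/8 reject, the 192.168.1.2 exception, then the /24 reject for SMTP).
RULES = """
:INPUT ACCEPT [134:32679]
-A INPUT -s 10.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
"""

# Options the simulator understands; "-m <ext>" and "--reject-with <type>" are
# consumed but do not affect matching.
OPTIONS = {"-s": "src", "-d": "dst", "-p": "proto", "-i": "in_if",
           "--dport": "dport", "--sport": "sport", "-j": "target"}

def parse_chain(text, chain="INPUT"):
    """Return (policy, rules) for one chain, rules kept in file order."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        toks = shlex.split(line.split("#", 1)[0])
        if not toks:
            continue
        if toks[0] == ":" + chain:               # ":INPUT ACCEPT [pkts:bytes]"
            policy = toks[1]
        elif toks[:2] == ["-A", chain]:
            rule, it = {}, iter(toks[2:])
            for tok in it:
                if tok in OPTIONS:
                    rule[OPTIONS[tok]] = next(it)
                elif tok in ("-m", "--reject-with"):
                    next(it)
            rules.append(rule)
    return policy, rules

def rule_matches(rule, pkt):
    """Every match option present in the rule must hold for the packet."""
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in \
                ipaddress.ip_network(rule[key], strict=False):
            return False
    for key in ("proto", "in_if"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("dport", "sport"):
        if key in rule and int(rule[key]) != pkt.get(key):
            return False
    return True

def verdict(text, pkt, chain="INPUT"):
    """Top to bottom, first match wins; the chain policy applies otherwise."""
    policy, rules = parse_chain(text, chain)
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy

def smtp(src):
    """Constructed inbound SMTP packet from src to the mail server."""
    return {"src": src, "dst": "192.168.1.10", "proto": "tcp", "dport": 25}

if __name__ == "__main__":
    for src in ("192.168.1.2", "192.168.1.50", "10.5.5.5", "172.16.0.9"):
        print(src, verdict(RULES, smtp(src)))
```

Swapping the last two rules turns the 192.168.1.2 verdict into REJECT, which is the ordering mistake the simulator is meant to make visible.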

TCP wrapper example (since this said sendmail, it must be the MTA running, not Postfix, as Postfix is not compiled against libwrap). Select the MTA with:

alternatives --config mta

then /etc/hosts.deny:

[root@station etc]# cat /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
#vsftpd: 10.0.0.0/255.0.0.0
#vsftpd: 10.0.0.0/255.0.0.0 EXCEPT 10.1.1.1
sendmail: 192.168.1.0/24 EXCEPT 192.168.1.2
followed by iptables rules governing ports 25, 110/995 and 143/993 as well:
[root@station etc]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Aug  9 16:08:07 2007
*filter
:INPUT ACCEPT [134:32679]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [47:4569]
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 143 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 993 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 110 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 995 -j REJECT --reject-with icmp-port-unreachable

DoveCot SSL

Posted by alex almazan Sat, 03 May 2008 05:42:00 GMT

In order to configure SSL for dovecot, the following is recommended:
[root@station ]# cd /etc/pki/
[root@station pki]# ls
CA  dovecot  nssdb  rpm-gpg  tls
[root@station pki]# find . -name Makefile
./tls/certs/Makefile
[root@station pki]# cd tls/certs/
[root@station certs]# ls
ca-bundle.crt  localhost.crt  make-dummy-cert  Makefile
[root@station certs]# make
This makefile allows you to create:
  o public/private key pairs
  o SSL certificate signing requests (CSRs)
  o self-signed SSL test certificates

To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".

To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".

To create a test certificate with serial number other than zero, add
SERIAL=num

Examples:
  make server.key
  make server.csr
  make server.crt
  make stunnel.pem
  make genkey
  make certreq
  make testcert
  make server.crt SERIAL=1
  make stunnel.pem SERIAL=2
  make testcert SERIAL=3

Dovecot requires a PEM file, which consists of the key and the cert. Once generated, place it in the location outlined in the server configuration.

[root@station certs]# make dovecot.pem
umask 77 ; \
        PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
        PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
        /usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
        cat $PEM1 >  dovecot.pem ; \
        echo ""    >> dovecot.pem ; \
        cat $PEM2 >> dovecot.pem ; \
        rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
.............++++++
..++++++
writing new private key to '/tmp/openssl.B21904'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Texas
Locality Name (eg, city) [Newbury]:San Antonio
Organization Name (eg, company) [My Company Ltd]: SSL example 
Organizational Unit Name (eg, section) []:3rd shift
Common Name (eg, your name or your server's hostname) []:station.rhce.example.com
Email Address []:user@rhce.example.com
[root@station certs]# ls
ca-bundle.crt  dovecot.pem  localhost.crt  make-dummy-cert  Makefile
Mail tips: for checking email during the test, utilize mutt:

mutt -f imaps://user@serverhost

mutt -f imaps://localhost, for checking/displaying the certificate:

q:Exit  ?:Help
This certificate belongs to:
   station.rhce.example.com
   Unknown
   SSL example
   3rd shift
   San Antonio

This certificate was issued by:
   station.rhce.example.com
   Unknown
   SSL example
   3rd shift
   San Antonio

This certificate is valid
   from Aug  9 16:52:18 2008 GMT
     to Aug  8 16:52:18 2009 GMT

Fingerprint: B247 62D4 197F 401B 61EA BC83 8733 8D9A
Telnet test to port 110 (cleartext POP3), with mutt covering the SSL side as above:
[root@station etc]# telnet 0 110
Trying 0.0.0.0...
Connected to 0 (0.0.0.0).
Escape character is '^]'.
+OK Dovecot ready.
user mike
+OK
pass redhat
+OK Logged in.
list
+OK 1 messages:
1 472
.
retr 472
-ERR There's no message 472.
retr 1
+OK 472 octets
Return-Path: <root@station.example.com>
X-Original-To: ru@station.example.com
Delivered-To: user@station.example.com
Received: by station.example.com (Postfix, from userid 0)
        id CFB341988BE; Thu,  9 Aug 2007 13:09:10 -0500 (CDT)
To: ru@station.example.com
Subject: maildirdelivery
Message-Id: <20070809180910.CFB341988BE@station13.example.com>
Date: Thu,  9 Aug 2007 13:09:10 -0500 (CDT)
From: root@station.example.com (root)
maildir lab example

Additional notes post lab.

Edits to /etc/dovecot.conf:

protocols = imap imaps pop3 pop3s

The pem was copied into these two locations:

##
## SSL settings
##

# IP or host address where to listen in for SSL connections. Defaults
# to above if not specified.
#ssl_listen =

# Disable SSL/TLS support.
ssl_disable = no

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
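A check for the bundle that ‘make dovecot.pem’ produces and that both ssl_cert_file and ssl_key_file point at, written here as an added example (not part of these notes or of Dovecot): it confirms the file carries a private key followed by a certificate, that each block is valid base64, and that the mode keeps it unreadable by anyone but root, as the config comment demands. write_constructed_bundle is an assumption for offline testing; it writes random bytes, not real key material.

```python
import base64
import os
import re
import stat
import tempfile

# A PEM bundle is a sequence of base64 blocks between BEGIN/END markers.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def inspect_pem_bundle(path):
    """Report what the bundle holds and whether it is readable by root only.
    'types' lists the block types in file order: the Makefile writes the
    private key first and the certificate after it."""
    with open(path) as fh:
        data = fh.read()
    types, base64_ok = [], True
    for kind, body in PEM_BLOCK.findall(data):
        types.append(kind)
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            base64_ok = False
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "types": types,
        "has_key": any(t.endswith("PRIVATE KEY") for t in types),
        "has_cert": "CERTIFICATE" in types,
        "base64_ok": base64_ok,
        "root_only": mode & 0o077 == 0,    # umask 77 in the Makefile gives 0600
    }

def write_constructed_bundle(mode=0o600, include_key=True):
    """Write a stand-in dovecot.pem into a fresh temp dir and return its path.
    The blocks carry random bytes (constructed), not a real key or certificate."""
    path = os.path.join(tempfile.mkdtemp(), "dovecot.pem")
    cert = base64.encodebytes(os.urandom(96)).decode()
    with open(path, "w") as fh:
        if include_key:
            key = base64.encodebytes(os.urandom(96)).decode()
            fh.write("-----BEGIN RSA PRIVATE KEY-----\n" + key
                     + "-----END RSA PRIVATE KEY-----\n\n")
        fh.write("-----BEGIN CERTIFICATE-----\n" + cert + "-----END CERTIFICATE-----\n")
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    print(inspect_pem_bundle(write_constructed_bundle()))
```

On a real system point inspect_pem_bundle at /etc/pki/dovecot/private/dovecot.pem after copying it into place.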

Postfix Maildir

Posted by alex almazan Fri, 02 May 2008 21:59:00 GMT

RHEL5 Postfix installations support the ‘mbox’ mailbox format, typically found in ‘/var/spool/mail’. This default behaviour can be changed to ‘Maildir’ if desired.

(You cannot revert back to ‘mbox’ once you have opted to change to Maildir, and you cannot switch back to Sendmail without losing all messages stored and delivered.)

postconf -e home_mailbox="Maildir/"
postconf -e local_recipient_maps="unix:passwd.byname $alias_maps"
postfix reload

These changes are required as per the following settings outlined in “/etc/postfix/main.cf”:

# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
#   For example, you define $mydestination domain recipients in
#   the $virtual_mailbox_maps files.

Locals Only Postfix

Posted by alex almazan Fri, 02 May 2008 21:56:00 GMT

The default RHEL5 Postfix installation does not have an interface assigned for use. This is similar to the default RHEL5 Sendmail installation serving only localhost.

To overcome this behaviour, you can use the postconf utility installed with Postfix instead of directly editing ‘/etc/postfix/main.cf’:

postconf -e "inet_interfaces=all"

Next issue either ‘postfix reload’ or ‘service postfix restart | stop | start’ as root.

Locals Only

Posted by alex almazan Fri, 02 May 2008 20:46:00 GMT

Sendmail default installations listen solely on localhost; please ensure that the initial ‘.mc’ edits include changing the following line in the file ‘/etc/mail/sendmail.mc’

From this:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

To this:

DAEMON_OPTIONS(`Port=smtp,Name=MTA')dnl

Considerations for SMTP authentication should also be put forth in the initial edits. Remove the ‘dnl’ from the front of the lines in ‘/etc/mail/sendmail.mc’ that carry these configuration options:

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Once your edits are in place, regenerate the configuration and restart the service:

[root@station mail]# service sendmail restart
Shutting down sm-client:                                   [  OK  ]
Shutting down sendmail:                                    [  OK  ]
Starting sendmail:                                         [  OK  ]
Starting sm-client:                                        [  OK  ]
[root@station mail]# telnet 192.168.0.1 25
Trying 192.168.0.1...
Connected to station.example.com (192.168.0.1).
Escape character is '^]'.
220 station.example.com ESMTP Sendmail 8.13.8/8.13.8; Thu, 9 Aug 2008 10:36:18 -0500
quit
221 2.0.0 station.example.com closing connection

Connection closed by foreign host.
