After this long discussion of how to configure a firewall properly, it is easier to start from a ready-made script. I wrote the following commented script to harden a Debian system. It limits new inbound connections to SSH, HTTP and SSL, in this case only to the IP address of your server. To learn more about the available iptables options, please refer to its documentation. When you set up your own firewall, remember to open only the ports that must be open in iptables, to reduce the attack surface of the target.
    #!/bin/sh
    PATH=/usr/sbin:/sbin:/bin:/usr/bin

    # FLUSH PREVIOUS TABLE ENTRIES
    iptables --flush

    # CHANGE DEFAULT POLICIES FROM
    # ACCEPT TO DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    # ALLOW LOCAL LOOPBACK TRAFFIC
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # ALLOW ESTABLISHED CONNECTIONS
    iptables -A INPUT -m state --state \
        ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state \
        ESTABLISHED,RELATED -j ACCEPT

    # ALLOW DEFINED TRAFFIC
    ## SSH - 22
    iptables -A INPUT -d 192.168.1.2 -p tcp \
        --dport 22 --sport 1024:65535 -m state \
        --state NEW -j ACCEPT

    # HTTP - APACHE - 80
    iptables -A INPUT -d 192.168.1.2 -p tcp \
        --dport 80 --sport 1024:65535 -m state \
        --state NEW -j ACCEPT

    # SSL - 443
    iptables -A INPUT -d 192.168.1.2 -p tcp \
        --dport 443 --sport 1024:65535 -m state \
        --state NEW -j ACCEPT

Save this script locally, then copy or move it to the /etc/network/if-up.d directory; it will then run when the network is brought up after the system starts. If you use this configuration on a Red Hat based system, you can simply run the above script and the iptables-save command to reset the rules without having to restart the system.

Although you can perform these steps manually, one by one, there is a tool that makes them easier: Bastille (Figure 7 and Figure 8). It works in a question/answer format, saves your security settings to a script, and then applies them to the real system. On the Internet you can find many manual security checklists for most distributions and applications. The best of these are the benchmarks from the Center for Internet Security (CIS), which include detailed settings and descriptions of best practices for specific operating systems and applications. They are the best companion to Bastille.
Figure 7: Bastille on Debian

Figure 8: Bastille in an X environment on Fedora

Step 5: Monitoring/auditing

This step is an ongoing process: constantly monitor your system to verify that your security objectives are still being met over time. The most useful source is the system log, /var/log/messages, where you can see a great deal of security-related information about the system and its applications. Many applications have their own log files; review them carefully. If you have many systems, you should use a central log server to collect the logs, which is easy to configure in the syslog.conf file. A newer alternative is Splunk (Figure 9). It has a free version (with a daily limit of 500M) and an Enterprise version. Best of all, it is very easy to install, and through its innovative web-based interface you can search logs the way you search with Google.

Figure 9: Splunk

Even the best and most useful open source projects and log tools do not give you a complete picture of whether your security settings are working well; only regular auditing achieves that. Auditing tells you whether your security measures are appropriate and running. I do not recommend penetration testing every system, but validating your settings is good insurance. It is very important to create a checklist or script that tests the settings defending your system's security objectives. Instead of a checklist, you can run Bastille with the --assess switch to get a security report on your current configuration. You can also use the CIS benchmarks (which depend on Bastille) as a baseline checklist. If you can afford it, you can hire a consultancy to verify your security with its own tests. You will rest easier, especially if you work in a heavily regulated industry.
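One way to script the validation check described in step 5, as an added example that is not part of the original article: it reads an iptables-save dump and verifies it against the policy of the firewall script above (DROP policies, new inbound connections only on ports 22, 80 and 443). The names audit_rules, ALLOWED_PORTS and sample_dump, and the sample dump itself, are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article. ALLOWED_PORTS is an assumed setting.
ALLOWED_PORTS="22 80 443"

audit_rules() {
    # stdin: iptables-save output. Prints one FAIL line per finding and
    # returns 1 if any were found, 0 if the rule set matches the policy.
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            need["INPUT"] = need["FORWARD"] = need["OUTPUT"] = 1 }
    /^\*/ { table = substr($1, 2); next }
    table != "filter" { next }
    /^:/ {                          # chain policy line such as ":INPUT DROP [0:0]"
        chain = substr($1, 2); seen[chain] = 1
        if ((chain in need) && $2 != "DROP") { print "FAIL policy: " chain " is " $2; bad = 1 }
        next
    }
    /^-A INPUT / && / -j ACCEPT/ {
        port = ""; state = ""; lo = 0
        for (i = 1; i < NF; i++) {
            if ($i == "--dport") port = $(i + 1)
            if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
            if ($i == "-i" && $(i + 1) == "lo" && $(i - 1) != "!") lo = 1
        }
        if (lo) next                # loopback traffic is accepted by design
        if (state == "") {          # accept rule with no connection-state match
            print "FAIL stateless accept: " $0; bad = 1
        } else if (state ~ /NEW/ && !(port in ok)) {
            print "FAIL unexpected port: " $0; bad = 1 }
    }
    END { for (c in need) if (!(c in seen)) {
              print "FAIL policy: no " c " chain in dump"; bad = 1 }
          exit bad + 0 }'
}

# Constructed sample: the kind of dump expected after the script above has run.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.168.1.2/32 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}
sample_dump | audit_rules && echo "rule set matches policy"
```

On a live system, pipe the real rule set into the function as root (iptables-save | audit_rules) and treat a non-zero exit status as an audit failure.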