These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Configure Firewall


/etc/hosts.allow

The following should be placed in our hosts.allow file (note this is also on your CD-ROM):

 # Our default "ALL: ALL" entry, which causes the connecting system to be
 # blocked permanently from all services (unless the start of this file is
 # later edited)
 #
 # NOTE: this entry must be in hosts.allow (not hosts.deny), and there must
 # also be an "ALL: ALL: deny" in hosts.deny for this script to work
 # correctly and not leave a momentary security hole;
 # blockip might be located elsewhere.
 ALL: ALL: \
  spawn=((sleep 3;tail -10 /var/log/messages) | \
  /usr/sbin/blockip "%h" "%a" "%d" "%c" "%u") &: deny

 # End of hosts.allow.

This is a catch-all line which (in a real production environment) would follow all of the other ALLOW rules.

There is one point worth mentioning here: the above file will allow your system to be an observer only on the Internet or network. With the above settings, your system cannot run the majority of network servers locally. This means, for example, that if you have an MTA for the local delivery and sending of mail (or perhaps if you are running something like fetchmail to obtain mail remotely and deliver it locally), your MTA will likely become blocked with these default settings. Additionally, most of your remote connections (for example, if you SSH to a remote host) will become blocked by the same logic.

Thus, if you know that all traffic already on your local system will be safe, then the following line can be added to the beginning of the file:

 ALL : 127.0.0.1 LOCAL : ALLOW

/etc/hosts.deny

The following should be the only line in one's hosts.deny file when using blockip with this Adaptive Firewall.

 # The "DENIEDdefault" means denied by default.
 # This is very important, as the auto-add (blockip) feature will cause the
 # /etc/hosts.allow file to vanish for subsecond windows of time.
 #
 # If you have critical services that you cannot allow to be disabled even
 # for less than a second, then add an entry before this one specifying ":allow".
 # NOTE that on some systems the mail program is /bin/mailx
 #
 # The trailing backslash on the "ALL: ALL:" line is required: without it
 # tcpd reads the spawn line below as a separate, malformed rule.

 ALL: ALL: \
  spawn=((sleep 3;tail -10 /var/log/messages) | \
  /bin/mail -s 'DENIEDdefault_%h/%d/%a/U=%u' \
  bob@homesys.com bob@pentacorp.com) &:deny

 # End of hosts.deny.

You will have to change the e-mail addresses to your own.
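To see how tcpd combines the two files above, here is an added example that is not code from the notes, from tcpd or from blockip. It models the lookup order documented in hosts_access(5) and hosts_options(5) and replays constructed copies of the hosts.allow and hosts.deny files from this page (with the local-traffic line in front of the catch-all). The blockip path is the one used above; the scanning host name, its address in the 203.0.113.0/24 documentation range, and the mail address are assumptions for the example. spawn commands are expanded and reported, never executed. The last two calls in the main block show why the catch-all in hosts.deny matters: while blockip is rewriting hosts.allow, hosts.deny is the only thing between the peer and tcpd's default of granting access.

```python
"""Toy evaluator for tcp_wrappers hosts.allow / hosts.deny decisions.

Added example for these notes, not code from the class, from tcpd or from
blockip. It models the lookup order in hosts_access(5)/hosts_options(5):
a (daemon, client) match in hosts.allow grants, otherwise a match in
hosts.deny refuses, otherwise the connection is granted; a trailing
": allow"/": deny" option overrides the file's default and a missing file
counts as empty. spawn commands are expanded and reported, never run.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "daemons clients options text")


def parse_rules(text):
    """Parse access-control text into Rule tuples: handles '#' comments,
    blank lines and backslash continuation; splits fields on ':' (no
    escaped-colon support in this toy)."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        logical, pending = (pending + line).strip(), ""
        if not logical or logical.startswith("#"):
            continue
        fields = logical.split(":")
        if len(fields) < 2:
            raise ValueError("malformed rule: " + logical)
        options = [f.strip() for f in fields[2:] if f.strip()]
        rules.append(Rule(fields[0].split(), fields[1].split(), options, logical))
    return rules


def client_matches(pattern, host, addr):
    p, host = pattern.lower(), host.lower()
    if p == "all":
        return True
    if p == "local":            # any hostname without a dot
        return "." not in host
    if p.startswith("."):       # domain suffix, e.g. .example.com
        return host.endswith(p)
    if p.endswith("."):         # network prefix, e.g. 10.0.
        return addr.startswith(p)
    return p in (host, addr)


def rule_matches(rule, daemon, host, addr):
    daemon_ok = any(d.lower() in ("all", daemon.lower()) for d in rule.daemons)
    return daemon_ok and any(client_matches(c, host, addr) for c in rule.clients)


def expand(command, daemon, host, addr):
    """Substitute the %-sequences tcpd expands before running a spawn
    command; with no identd data %u is 'unknown' and %c is just the host."""
    for key, value in {"%h": host, "%a": addr, "%d": daemon,
                       "%c": host, "%u": "unknown"}.items():
        command = command.replace(key, value)
    return command


def evaluate(daemon, host, addr, allow_text, deny_text):
    """Return (verdict, reason, spawned_commands) for one connection.
    allow_text/deny_text are file contents; None models an absent file,
    e.g. hosts.allow while blockip is rewriting it."""
    for name, text, default in (("hosts.allow", allow_text, "allow"),
                                ("hosts.deny", deny_text, "deny")):
        for rule in parse_rules(text or ""):
            if not rule_matches(rule, daemon, host, addr):
                continue
            verdict, spawned = default, []
            for opt in rule.options:
                if opt.lower() in ("allow", "deny"):
                    verdict = opt.lower()
                elif opt.startswith("spawn"):
                    spawned.append(expand(opt[5:].lstrip("= "), daemon, host, addr))
            return verdict, "%s: %s" % (name, rule.text), spawned
    return "allow", "no match in either file (tcpd default is to grant)", []


# Constructed copies of the two files from the notes, with the local-traffic
# line in front of the catch-all and a placeholder mail address.
HOSTS_ALLOW = r"""
ALL : 127.0.0.1 LOCAL : ALLOW
ALL: ALL: \
  spawn=((sleep 3;tail -10 /var/log/messages) | \
  /usr/sbin/blockip "%h" "%a" "%d" "%c" "%u") &: deny
"""
HOSTS_DENY = r"""
ALL: ALL: \
  spawn=((sleep 3;tail -10 /var/log/messages) | \
  /bin/mail -s 'DENIEDdefault_%h/%d/%a/U=%u' admin@example.com) &:deny
"""

if __name__ == "__main__":
    peer = ("in.telnetd", "scanner.example.net", "203.0.113.9")
    print(evaluate("sshd", "localhost", "127.0.0.1", HOSTS_ALLOW, HOSTS_DENY))
    print(evaluate(*peer, HOSTS_ALLOW, HOSTS_DENY))
    print(evaluate(*peer, None, HOSTS_DENY))   # hosts.allow momentarily gone
    print(evaluate(*peer, None, ""))           # ...and no hosts.deny catch-all
```

The first two calls are the normal case: localhost is granted by the leading ALLOW line, the scanner is refused by the catch-all and its details are handed to blockip. The third call (hosts.allow absent) is still refused only because hosts.deny carries its own "ALL: ALL: ... :deny"; the fourth, with an empty hosts.deny, comes back "allow", which is the momentary hole the comments in both files warn about. On a real system the same questions can be put to the tcpdmatch utility shipped with tcp_wrappers.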

/etc/services

In the /etc/services file we will have to ensure that there is a mapping from numeric port numbers to service names, many of which we will want to trap. Your services file should come with a fairly reasonable default, and on day 1 we went in and disabled many of these entries. However, for our adaptive firewall we want as many enabled as possible, so that when someone requests port 31337/udp for Back Orifice, they get led into our Adaptive Firewall trap!

Rather than editing your services file, we will copy the one from the CD. Be sure to back up your existing services file in case anything goes wrong.

/etc/inetd.conf

The inetd.conf file specifies which ports inetd, the Internet super-server, should listen on. This is another file we edited on day 1 to close most of these ports down; for our Adaptive Firewall trap we will want to open them back up again.

This is another situation where simply copying the inetd.conf file from the CD is advisable. Again, be sure to back up your existing one in case anything goes wrong.
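As an added example, not code from the notes or from the class CD, the following script cross-checks an inetd.conf against an /etc/services file the way inetd itself resolves them: each inetd entry is looked up by service name and protocol, and only entries whose server is tcpd are ever checked against hosts.allow and hosts.deny. The two embedded excerpts are constructed; the "BackOrifice" service name for 31337/udp and the udp trap line are illustrative, not taken from the CD. The report shows which trap entries are live, which bypass the wrapper, and which have no port mapping and so never get a listening socket.

```python
"""Cross-check inetd.conf against /etc/services for the Adaptive Firewall trap.

Added example, not from the notes or the class CD. inetd resolves each
service name in inetd.conf through /etc/services, so a trap entry whose
name has no port mapping never gets a listening socket (inetd logs it as
an unknown service and skips it), and an entry whose server is not tcpd
is never checked against hosts.allow/hosts.deny unless the daemon itself
is linked with libwrap. audit() reports both conditions.
"""


def parse_services(text):
    """Map (name, proto) -> port number for every name and alias."""
    ports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        for name in [fields[0]] + fields[2:]:     # primary name plus aliases
            ports[(name, proto)] = int(port)
    return ports


def parse_inetd(text):
    """Return active inetd.conf entries as dicts.
    Line format: service socket_type proto wait|nowait user server [args]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 6:
            raise ValueError("malformed inetd.conf line: " + line)
        entries.append({"service": f[0], "proto": f[2], "user": f[4],
                        "server": f[5], "args": f[6:]})
    return entries


def audit(services_text, inetd_text):
    """Classify every active inetd entry as trapped (wrapped by tcpd),
    unwrapped (bypasses hosts.allow/deny) or unmapped (no /etc/services
    line, so inetd cannot bind it)."""
    ports = parse_services(services_text)
    report = {"trapped": [], "unwrapped": [], "unmapped": []}
    for e in parse_inetd(inetd_text):
        label = "%s/%s" % (e["service"], e["proto"])
        port = ports.get((e["service"], e["proto"]))
        if port is None:
            report["unmapped"].append(label)
        elif e["server"].endswith("/tcpd"):
            report["trapped"].append("%s (port %d)" % (label, port))
        else:
            report["unwrapped"].append("%s (port %d, %s)" % (label, port, e["server"]))
    return report


# Constructed excerpts; the BackOrifice name for 31337/udp is made up for
# this example and the udp trap line is illustrative.
SERVICES = """\
echo          7/tcp
echo          7/udp
ftp          21/tcp
telnet       23/tcp
finger       79/tcp
BackOrifice  31337/udp    # Back Orifice trap port
"""
INETD_CONF = """\
echo        stream  tcp  nowait  root    internal
ftp         stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd
telnet      stream  tcp  nowait  root    /usr/sbin/tcpd        in.telnetd
finger      stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
BackOrifice dgram   udp  wait    root    /usr/sbin/tcpd        /bin/false
imap        stream  tcp  nowait  root    /usr/sbin/tcpd        imapd
"""

if __name__ == "__main__":
    for kind, items in audit(SERVICES, INETD_CONF).items():
        print(kind, "->", ", ".join(items) or "none")
```

Run against the real files (read /etc/services and /etc/inetd.conf instead of the embedded strings) after copying the CD versions into place, before restarting inetd: anything listed under "unmapped" is a port the trap will not actually listen on, and anything under "unwrapped" is a service an attacker can reach without ever touching hosts.allow or hosts.deny.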

NOTE: The book actually recommends using xinetd over inetd for security reasons. I do tend to agree with this, but in our situation (and in many production environments) we have not had the time to properly replace inetd. If we were to implement this Adaptive Firewall in production, we would want to read about the tcpd hanging problems that can be caused by aggressive attacks on page 572. We would also want to install the kill_tcpdz Perl script to handle this problem. Since we are just doing this as an exercise, we will skip this step.


Last edited July 13, 2003 10:37 pm (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.