Challenge:
As a system engineer your expertise is asked to create a firewall ruleset for a hosting server.
The server is provided with the following services: Apache, ProFTPd and bind9. Please do not allow zone transfers (think twice). Also protect the server against ping flooding. The server is not allowed to make outgoing connections, except for the installation of security updates.
Present your result through a git commit on GitLab or GitHub.
Ubuntu VM Details:
- ubuntu-20.04.2.0
- desktop
- amd64
Install the following required packages for this challenge.
- Apache: an open-source web server.
apt-get install apache2 -y
- ProFTPd: an open-source FTP server for Unix/Linux servers.
apt-get install proftpd -y
- Bind9: an open-source implementation of DNS.
apt-get install bind9 -y
Edit the primary configuration file for bind9, located in /etc/bind/named.conf.options.
Add allow-transfer { none; }; inside the options { ... } block to disable all zone transfers (a zone-level allow-transfer statement would override this global setting, so check the zone definitions too).
Next, restart the service using the following command: service bind9 restart
You have 2 options to defend against ping flooding:
Remark: some of the variants below end with a drop-all statement; from then on every packet is denied by default unless an earlier rule accepted it.
- Disable ping packets:
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
Or
iptables -A INPUT -j DROP
- Limit ping packets (4 pings/min, burst of 8):
iptables -A INPUT -p icmp -m limit --limit 4/minute --limit-burst 8 -j ACCEPT
iptables -A INPUT -j DROP
At the start we installed a few services, which are now blocked by the firewall because of the iptables -A INPUT -j DROP entry.
We need to define a new set of rules that come before the drop statement; since iptables -A appends to the chain, they have to be executed before it.
- Allow http traffic (apache):
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
- Allow ftp traffic (ProFTPd):
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
- Allow dns traffic (Bind9):
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
Since we only need to allow apt-get to install updates, we need to allow the services it uses through the firewall.
Most of these services are already allowed (http, ftp & dns) from the previous step.
- Allow packets of connections that are already open, in both directions (without the INPUT rule the replies to apt's own connections would hit the drop statement):
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- Drop all other outgoing connections:
iptables -A OUTPUT -j DROP
We now end up with the following configuration, provided the commands were executed in this order (iptables -A appends, so the two drop statements must come last).
All commands in order:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 4/minute --limit-burst 8 -j ACCEPT
iptables -A OUTPUT -p icmp -m limit --limit 4/minute --limit-burst 8 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
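The same ruleset as a script, added here as an example (it is not part of the original write-up or the challenge solution). It keeps the services and the policy above but adds the details a reviewer would ask for: default DROP policies instead of trailing drop rules, a RELATED,ESTABLISHED rule on INPUT so that answers to apt's own connections get back in, a rate limit on echo-request only (ICMP errors for open connections still arrive as RELATED), outgoing DNS over TCP for truncated answers while incoming TCP/53 stays closed (so AXFR is blocked at the firewall as well as in bind), and the ftp conntrack helper for passive-mode data channels. -m conntrack --ctstate is the current spelling of the -m state --state match used above. Assumptions: the file is called firewall.sh, and the mirrors in sources.list are reached over http or https.

```shell
#!/bin/sh
# Example firewall script (added example, not the original write-up's code).
# Usage: sh firewall.sh apply     (as root)
#        sh firewall.sh dry-run   (print the iptables commands instead)

ipt() { "${IPT:-iptables}" "$@"; }   # IPT=echo prints instead of applying

apply_rules() {
    ipt -F
    ipt -t raw -F
    ipt -X
    # the policy is the catch-all, so a rule appended later never lands behind a DROP rule
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # loopback: local tools, and bind answering the host itself
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # traffic of connections already accepted, in both directions
    ipt -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # ping flood: 4 echo-requests/minute (burst 8); the excess hits the DROP policy
    ipt -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 4/minute --limit-burst 8 -j ACCEPT

    # services this host offers (new incoming connections only)
    ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT   # apache
    ipt -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT   # proftpd control channel
    ipt -A INPUT -p udp --dport 53 -j ACCEPT                              # bind9, UDP only: no TCP/53, no AXFR
    # attach the ftp helper so passive data connections become RELATED
    # (automatic helper assignment is off by default on current kernels)
    ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

    # outgoing: only what apt needs; replies return via the INPUT conntrack rule
    ipt -A OUTPUT -p udp --dport 53  -j ACCEPT   # name resolution
    ipt -A OUTPUT -p tcp --dport 53  -j ACCEPT   # fallback for truncated answers
    ipt -A OUTPUT -p tcp --dport 80  -j ACCEPT   # archive/security mirrors (assumed http)
    ipt -A OUTPUT -p tcp --dport 443 -j ACCEPT   # remove if every mirror is plain http

    # log what the policy is about to drop (rate limited), for later review
    ipt -A INPUT  -m limit --limit 5/minute -j LOG --log-prefix "fw-in-drop: "
    ipt -A OUTPUT -m limit --limit 5/minute -j LOG --log-prefix "fw-out-drop: "
}

case "${1:-}" in
    apply)   modprobe nf_conntrack_ftp; apply_rules ;;
    dry-run) IPT=echo apply_rules ;;
esac
```

Run the dry-run first and read the printed rules in order; with -A the order of execution is the order in the chain. The rules are not persistent across a reboot by themselves (netfilter-persistent or an equivalent is needed for that), and the TCP/53 block is defence in depth only: the allow-transfer setting in bind remains the primary control for zone transfers.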