Rabu, 2008 Juni 11

HP launches broad array of redesigned notebooks, displays

In one of its largest product releases, HP unveiled a bevy of PCs and displays, zeroing in on key trends such as touch-screen technology and compact laptops for business and consumer users.

HP made the announcements during its "Connecting Your World" conference in Berlin on Tuesday.

HP brought out 16 laptops, including fresh models for its Compaq "b" and "s" series for business users as well as the Compaq Presario and Pavilion line. The company also introduced a new series, EliteBook.

EliteBook models have a brushed anodized aluminum casing with a magnesium alloy chassis, which HP says complies with military-standard durability. The hard drive is shock-resistant, and the keyboard is spill-resistant. One version of the EliteBook, the 6930p, has up to 15 hours of battery life with an optional ultracapacity battery, HP said.

Some of HP's new laptops have the latest chips from Advanced Micro Devices, such as that company's Turion 64x2 ultra dual-core mobile processor. Other models have Intel's Centrino 2 and Centrino 2 with vPro, HP said.

HP said it has put some features previously only in business-class notebooks into consumer models. One is HP's ProtectSmart Hard Drive Protection, which can stop a hard drive from spinning if the computer senses the laptop is falling. That feature has been incorporated in the consumer-focused Pavilion line.

HP also rolled out the Voodoo Omen desktop and the Voodoo Envy 133 laptop, which are aimed at gamers and other demanding consumers.

The Voodoo Omen can support up to four graphics processors. Omen also has copper cooling pipes, and since it is liquid cooled, HP said it runs quietly even when pushed hard. Omen starts at $7,000 and will only initially be available to those who bought a Voodoo PC before, HP said, although it will be more broadly available in around three months.

The Voodoo Envy laptop, which costs $2,099, has a carbon-fiber casing, a backlight keyboard and a "multigesture" touchpad, supporting pinch-like movements.

On the desktop, HP has launched a line that features touch-screen interfaces. Users can tap or drag a finger across the screen of the TouchSmart series of PCs to access basic features such as playing music or manipulating audio or video files.

TouchSmart PCs have a 22-inch diagonal wide-screen display, built-in DVD burner, wireless keyboard, and sport an Intel Core 2 Duo processor.

HP said its new DreamColor display -- an LCD (liquid-crystal display) that supports 1 billion colors -- costs just a quarter of competing displays. DreamColor will sell for US$3,499.

The company said DreamColor will accurately display colors for people where color matching has been a tricky task, such as the animation, game development and graphics arts industries. DreamColor, HP claims, cuts down on the need for multiple proofs, redesigns and color checks.



Read More......

Diposkan oleh Techno di 13:22 0 komentar

Sun Solaris going on Fujitsu's Intel servers

Sun Microsystems is announcing an agreement Tuesday with Fujtisu Siemens Computers to have Sun's Solaris operating system distributed with select Fujitsu Primergy servers.

Solaris 10 will be offered on Intel x/86/x64 boxes. The two companies plan to work together to certify solutions based on Solaris and Primergy hardware.

Sun touted Solaris capabilities in scalability, reliability, and virtualization. Multi-core deployments are supported as well.

"We are essentially one of the three big OSes that run on the Intel architecture right now, the other two being the Microsoft family and the Linux family," said Herb Hinstoff, Sun director of Solaris marketing.

But Fujitsu users would not get capabilities offered in the open-source version of Solaris, called OpenSolaris, such as Image Packaging System, for simplifying installation and integration with third-party applications.

Solaris 10, though, is the enterprise-strength version of Solaris, while OpenSolaris is considered more as a platform for developers to build next-generation applications, according to Hinstoff. The plan, however, is that OpenSolaris bits eventually would become the next major enterprise version of Solaris.

Previously, Fujitsu has supported Solaris on SPARC-based servers, Sun said. Primergy users will gain access to the 10 5/08 update of Solaris, featuring power management capabilities for x86 processors from AMD and Intel.

Other companies bundling Solaris on Intel-based systems include Intel, IBM, Dell and Sun itself, Hinstoff said.



Read More......

Diposkan oleh Techno di 13:20 0 komentar

Label:

Mac security gets a business boost

Businesses often thwart Macs from infiltrating their laptop ranks, and one reason given is that there's no good way of encrypting data. A lost personal Mac may bring a few tears to the hapless owner, but a corporate Mac with sensitive data falling into the wrong hands is a lawsuit in the making and potential headline-grabber.

Lack of good Mac encryption, though, is quickly becoming a bugaboo.

Yesterday, PGP Corp., a well-known vendor of enterprise data protection, said it plans to ship a full-disk encryption product for Mac OS X next month. This comes on the heels of a similar announcement: Check Point Software said in late May that it has shipped the industry's first full-disk encryption for Mac OS X.

There's no question tech vendors that serve businesses are swooning over the Mac. "The Mac is starting to make its appearance in the enterprise to a greater extent," says Jon Oltsik, analyst at the Enterprise Strategy Group. "There's definitely demand for more enterprise-class systems management, desktop operations, and security tools."

Forrester Research figures Mac adoption in businesses tripled last year to 4.2 percent, largely due to grassroots efforts by small workgroups to bring Macs to work. As more employees demand Macs, business can no longer turn a blind eye.

Jon Allen, information security officer at Baylor University in Texas, has seen first-hand the pendulum shift a couple of times. Nearly all students and faculty worked on Macs until the mid-1990s when Windows PCs began to take over. By 2005, "we were a 95-percent PC shop," Allen says. "But now we're definitely seeing an increase in our Mac population on campus."

Today, Allen supports 580 Windows PCs and some 150 Macs. Securing Mac data through encryption hasn't been easy. Mac OS X comes with FileVault, an encryption tool for the home directory -- a tool Allen dislikes.

For starters, FileVault can have lawyers fuming. If a Mac is lost, attorneys don't have assurances that sensitive data actually resided in the home directory and thus was encrypted. And so they can't make their case when fronted with Texas law concerning loss of sensitive information. What they need is full-disk encryption to ensure everything on the Mac wasn't accessible.

Another problem with FileVault: Some Mac users at Baylor had forgotten their FileVault passwords and lost data. That's a problem with a client-only solution. A business, on the other hand, needs centralized management of encryption tools for installation and backup, as well as repairs -- that is, technicians and help desk need a pathway to get into the computer. "We encouraged people not to turn on FileVault until we have an enterprise solution," Allen says.

Allen currently doesn't encrypt data on Macs, but he's been beta testing PGP's full-disk encryption and plans to roll it out when the product becomes available. Not only will full-disk encryption better protect the university, but PGP's centralized management tools should make his job easier.

Centralized IT management is key for businesses, agrees analyst Oltsik. "There will be smaller companies who do encryption for the Mac that will be a great fit for the consumer but that is not going to make it in the enterprise," he says. "Enterprises want big names and central management ... and the PGPs of the world supporting the Mac is an important step."

Read More......

Diposkan oleh Techno di 12:55 0 komentar

Label:

Sabtu, 2008 Mei 24

List of Linux Security Audit and Hacker Software Tools

Security Audit Tools:

Perform a "Security Risk Assessment" on your system with the following tools.

System Audits:

  • Chkrootkit (YoLinux tutorial) - Scan system for trojans, worms and exploits.
  • Root kit detection:
    • checkps - detect rootkits by detecting falsified output and similar anomalies. The ps check should work on anything with /proc. Also uses netstat.
    • Rootkit hunter - scans for rootkits, back doors and local exploits

    • Rkdet - root kit detector daemon. Intended to catch someone installing a rootkit or running a packet sniffer.
  • fsaudit - Perl script to scan filesystems and search for suspicious looking directories
  • COPS: Computer Oracle and Password System - UNIX security checks. Programs and shell scripts which perform security checks. Checks include file and directory permissions, passwords, system scripts, SUID files, ftp configuration check, ...
  • SARA - Security Auditor's Research Assistant - network security vulnerability scanner for SQL injections, remote scans, etc. (follow-on to the SATAN analysis tool)
  • TAMU - Texas A&M University developed tools

Network Vulnerability Audits:

  • Nessus (YoLinux tutorial) - Remote security scanner - This is my favorite security audit tool!! Checks service exploits and vulnerabilities.
  • ISIC - IP Stack Integrity Checker
  • Argus - IP network transaction auditing tool. This daemon promiscuously reads network datagrams from a specified interface, and generates network traffic status records
    Argus 2
  • SAINT - Finds computers on the network, port scans and does a vulnerability check and outputs a report. - Commercial product.
  • InterSect Alliance - Intrusion analysis. Identifies malicious or unauthorized access attempts.
  • Linuxforce: AdminForce CGI Auto Audit - CGI script analyzer to find security deficiencies.

Wireless:

Port Scanners:

Used to identify computer network services available for exploit.

  • nmap - Port scanner and security scanning and investigation tool
    • NmapFe - GUI front-end to NMAP
    • KNmap - KDE front-end
    • pbnj - Diff nmap scans to find changes to systems on the network.
    • nmap3d - nmap post processing to 3-d VRML
    • nmap-sql - log scans to database
  • portscan - C++ Port Scanner will try to connect on every port you define for a particular host.
  • pof - passive OS fingerprinting.
  • Web/http scan:
    • Nikto - web server scanner. CGI, vulnerability checks. Not a stealthy tool. For security tests.

Portscanning Information:

Network Sniffers:

Linux Tools for Network Examination.

  • DSniff - network tools for auditing and penetration testing.
  • Wireshark - full network protocol sniffer/analyzer
    (Ethereal - legacy. Now Wireshark)
  • IPTraf - curses based IP LAN monitor
  • TcpDump - network monitor and data acquisition
    • VOMIT - Voice Over Misconfigured Internet Telephones - Use TCP dump of VOIP stream and convert to WAV file.
      Cisco Call Manager depends on MS/SQL server and are thus vulnerable to SQL Slammer attacks.
  • KISMET - 802.11a/b/g wireless network detector, sniffer and intrusion detection system.
  • DISCO - Passive IP discovery and fingerprinting tool. Sits on a segment of a network to discover unique IPs and identify them.
  • Yersina - Framework for analyzing and testing the deployed networks and systems. Designed to take advantage of some weakness in different Layer 2 protocols: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), IEEE 802.1q, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP).
  • YoLinux.com List of network monitoring tools and example tcpdump sessions

Hacker Tools:

Password crackers:

(can also be part of a vulnerability audit)
  • John the Ripper - weak password detection. crypt, Kerberos AFS, MS/Windows LM, ...
  • lCRACK - password hacker, dictionary, brute force incremental, ...

Exploits:

Other Links:

Security Infrastructure Software Tools:

Commercial Vendors:

Online Web Based Tools:

Software Updates and Security fixes:

Forensic and Data Recovery Tools:

Anti-Virus Software:

This has typically been the domain of the Microsoft Windows and Outlook products and NOT Linux but Linux administrators running SAMBA file servers often must be aware of these viruses. There are according to Symantec 68 Linux specific viruses and worms including the Ramen worm which attempts to attack unpatched rpc.statd, wuftpd, and LPRng.

Anti-Virus products:

Virus info:

Virus email alert:

Attacks:

Honeypots:

How to bait and catch the evil hackers:

DoD/DoE NISPOM Chapter 8 computer security configuration for Linux:

NISPOM (National Industry Security Program Operating Manual) chapter 8 is a computer security requirement developed by the US DoD (Department of Defense - US) and DoE (Department of Energy) and published by the DSS (Defense Security Service) which US defense contractors are required to meet when processing classified data on computers in a classified environment. Linux as issued by major distros defaults do not meet this requirement. Use the following software packages/configurations:

  1. Use central authentication server (LDAP or NIS) with the proper security policies. See YoLinux LDAP authentication tutorial.
  2. Meet reporting requirements: This auditing and reporting requirement can be met using Snare. This requires a kernel patch (or use of one of the kernels [RHEL3 or RHEL4] downloaded from the Snare home page.) and the running of a Snare audit daemon. It meets C-2 reporting requirements and records logins/logoffs, file and directory access, access denial, ...
    Newer Linux distributions running auditd (RHEL4, FC3+) can get compliant results.
    Snare home page. For more aggressive reporting requirements, see Computer Associates eTrust Security Information Management.
  3. Grant admin privileges without giving root password. Granular delegation of root privileges. File and directory access control. Symark.com: PowerBroker
  4. Virus scanner. (See above list)


Read More......

Diposkan oleh Techno di 16:50 0 komentar

Label:

Using Linux iptables or ipchains to set up an internet gateway / firewall / router for home or office

Methods of connecting your network to the internet:

* Use Linux ipchains / iptables and IP forwarding to configure Linux as a firewall and router. This is the method covered in this tutorial.
* The Linux router project has produced a specialized version of Linux just to run ipchains / iptables and IP masquerading.
See LinuxRouter.org.
* Use SOCKS gateway proxy software running on Linux.
For more information see the SOCKS5/e-Border home page.
* Use a CISCO router - Configuration tutorial. (Note: PIX series are preferred for firewall use.)

This tutorial will cover using a linux computer as a gateway between a private network and the internet. Any internet connection whether it be a dial-up PPP, DSL, cable modem or a T1 line can be used. In the case of most dial-up PPP connections and cable modem connections, only a single IP address is issued allowing only one computer to connect to the internet at a time. Using Linux and iptables / ipchains one can configure a gateway which will allow all computers on a private network to connect to the internet via the gateway and one external IP address, using a technology called "Network Address Translation" (NAT) or masquerading and private subnets. Iptables/ipchains can also be configured so that the Linux computer acts as a firewall, providing protection to the internal network.

Methods of connecting your network to the internet:

  • Use Linux ipchains / iptables and IP forwarding to configure Linux as a firewall and router. This is the method covered in this tutorial.
  • The Linux router project has produced a specialized version of Linux just to run ipchains / iptables and IP masquerading.
    See LinuxRouter.org.
  • Use SOCKS gateway proxy software running on Linux.
    For more information see the SOCKS5/e-Border home page.
  • Use a CISCO router - Configuration tutorial. (Note: PIX series are preferred for firewall use.)
This tutorial will cover using a linux computer as a gateway between a private network and the internet. Any internet connection whether it be a dial-up PPP, DSL, cable modem or a T1 line can be used. In the case of most dial-up PPP connections and cable modem connections, only a single IP address is issued allowing only one computer to connect to the internet at a time. Using Linux and iptables / ipchains one can configure a gateway which will allow all computers on a private network to connect to the internet via the gateway and one external IP address, using a technology called "Network Address Translation" (NAT) or masquerading and private subnets. Iptables/ipchains can also be configured so that the Linux computer acts as a firewall, providing protection to the internal network.
Firewall versions vs Linux versions:

Note: References to ipfwadm and ipchains refer to older deprecated software.

Firewall Command Linux Kernel Version Red Hat Version
iptables 2.4.x, 2.6.x 7.1 - 9.0, Fedora 1,2,3
ipchains 2.2.x 6.x, 7.0
ipfwadm 2.0.x 5.x

Note: Red Hat 7.1-9.0 and the default Linux 2.4 kernel may use ipchains or iptables but not both. Iptables is the preferred firewall as it supports "state" and can recognize if a network connection has already been "ESTABLISHED" or if the connection is related to the previous connection (required for ftp which makes multiple connections on different ports). Ipchains can not. Ipchain rules take precedence over iptables rules. During system boot, the kernel attempts to activate ipchains, then attempts to activate iptables. If ipchain rules have been activated, the kernel will not start iptables.

Red Hat 7.1 will not support ipchains unless that option is configured (during install or later). If during install you select "Disable Firewall - no protection" then ipchains will not be available and you must rely upon iptables for a manual firewall configuration. (iptables only. ipchains will be unavailable)

GUI configuration:

  • iptables: The GUI configuration tool /usr/bin/redhat-config-securitylevel can be used to choose a preconfigured firewall (High, Medium or no firewall) or it can be used to manually configure rules based on the network services your server will offer. The init script /etc/rc.d/init.d/iptables will use rules stored in /etc/sysconfig/iptables.
  • ipchains: The tool that does this is lokkit (or /usr/bin/gnome-lokkit), which uses ipchains to configure firewall options for High and Low security options. To support ipchains after install, run /usr/bin/gnome-lokkit and configure a firewall. It will configure ipchains to activate the firewall. Lokkit will generate the file /etc/sysconfig/ipchains. (Used by init script /etc/rc.d/init.d/ipchains which calls /sbin/ipchains-restore)

    To see if ipchains and the Lokkit configuration is invoked during system boot, use the command: 

        chkconfig --list | grep ipchains

The default Red Hat 7.1+ Linux 2.4 kernel is compiled to support both iptables and ipchains. Kernel support for ipchains is available during a kernel configuration and compilation. During make xconfig or make menuconfig turn on the feature: "IP: Netfilter Configuration" + "ipchains (2.2-style) support".

Check your installation by using the command: rpm -q iptables ipchains
These packages must be installed. The commands iptables and ipchains are the command interfaces to configure kernel firewall rules. The default Red Hat 7.1 kernel supports iptables and ipchains. (But not both at the same time.)

[Potential Pitfall]: When performing an upgrade instead of a new install, the upgrade software will not install iptables as did not exist on the system previously. It will perform an upgrade to a newer version of ipchains. If you wish to use iptables, you must manually install the iptables RPM.
i.e.: rpm -ivh iptables-XXX.i386.rpm

[Potential Pitfall]: The Linux operating system kernel may load or not load what you had expected. Use the command lsmod to see if ip_tables or ip_chains were loaded.

Switching a running system from ipchains to iptables: (Red Hat 7.1-9.0 - Linux kernel 2.4 specific)

Sequence Command Description
1 chkconfig --del ipchains Remove ipchains from system boot/initialization process
2 chkconfig --add iptables Add iptables to system boot/initialization process
3 ipchains -F Flush ipchains rules
4 service ipchains stop Stop ipchains. Also: /etc/init.d/ipchains stop
5 rmmod ipchains Unload ipchains kernel module. Iptables kernel module can not be loaded if the ipchains module is loaded
6 service iptables start Load iptables kernel module. Also: /etc/init.d/iptables stop

Network Address Translation (NAT):

An individual on a computer on the private network may point their web browser to a site on the internet. This request is recognized to be beyond the local network so it is routed to the Linux gateway using the private network address. The request for the web page is sent to the web site using the external internet IP address of the gateway. The request is returned to the gateway which then translates the IP address to computer on the private network which made the request. This is often called IP masquerading. The software interface which enables one to configure the kernel for masquerading is iptables (Linux kernel 2.4) or ipchains (Linux kernel 2.2)

The gateway computer will need two IP addresses and network connections, one to the private internal network and another to the external public internet.

A note on private network IP addresses: A set of IP addresses has been reserved by IANA for private networks. They range from 192.168.0.1 to 192.168.254.254 for a typical small business or home network and are often referred to as CIDR private network addresses. Most private networks conform to this scheme.

Block Range CIDR Notation Default Subnet Mask Number of hosts
24 bit block in class A 10.0.0.0 10.255.255.255 10.0.0.0/8 255.0.0.0 16,777,216
20 bit block in class B 172.16.0.0 172.31.255.255 172.16.0.0/12 255.240.0.0 1,048,576
16 bit block in class C 192.168.0.0 192.168.255.255 192.168.0.0/16 255.255.0.0 65,536
The actual number of hosts will be fewer that listed because addresses on each subnet will be reserved as a broadcast address, etc.

This is detailed in RFC 1918 - Address Allocation for Private Internets. For a description of class A, B, and C networks see the YoLinux Networking Tutorial class description.

The private networks may be subdivided into various subnets as desired. Examples:

Range CIDR Notation Default Subnet Mask Number of hosts
10.2.3.0 10.2.4.255 10.2.3.0/23 255.255.254.0 512
172.16.0.0 172.17.255.255 172.16.0.0/15 255.254.0.0 132608
192.168.5.128 192.168.5.255 192.168.5.128/25 255.255.255.128 128

CertGuide.com: Network Subnets

Example 1: Linux connected via PPP

This example uses a Linux computer connected to the internet using a dial-up line and modem (PPP). The Linux gateway is connected to the internal network using an ethernet card. The internal network consists of Windows PC's.

The Linux box must be configured for the private internal network and PPP for the dial-up connection. See the PPP tutorial to configure the dial-up connection. Use the ifconfig command to configure the private network. i.e. (as root) 

   /sbin/ifconfig eth1 192.168.10.101 netmask 255.255.255.0 broadcast 192.168.10.255

This is often configured during install or can be configured using the Gnome tool neat (or the admin tool Linuxconf or netcfg for older Red Hat systems). System changes made with the ifconfig or route commands are NOT permanent and are lost upon system reboot. Permanent settings are held in configuration scripts executed during system boot. (i.e. /etc/sysconfig/...) See the YoLinux Networking tutorial for more information on assigning network addresses.

Run one of the following scripts on the Linux gateway computer:

iptables:

   iptables --flush                         - Flush all the rules in filter and nat tables
iptables --table nat --flush
iptables --delete-chain                  - Delete all chains that are not in default filter and nat table
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT         - Assuming one NIC to local LAN

echo 1 > /proc/sys/net/ipv4/ip_forward    - Enables packet forwarding by kernel

ipchains:

   #!/bin/sh
ipchains -F forward                                - Flush all previous rules and settings
ipchains -P forward DENY                           - Default set to deny packet forwarding
ipchains -A forward -s 192.168.10.0/24 -j MASQ     - Use IP address of gateway for private network
ipchains -A forward -i ppp0 -j MASQ                - Sets up external internet connection
echo 1 > /proc/sys/net/ipv4/ip_forward             - Enables packet forwarding by kernel

A PPP connection as described by the YoLinux PPP tutorial will create the PPP network connection as the default route.

Example 2: Linux connected via DSL, Cable, T1

High speed connections to the internet result in an ethernet connection to the gateway. Thus the gateway is required to possess two ethernet Network Interface Cards (NICs), one for the connection to the private internal network and another to the public internet. The ethernet cards are named eth and are numbered uniquely from 0 upward.

Use the ifconfig command to configure both network interfaces. 

/sbin/ifconfig eth0 XXX.XXX.XXX.XXX netmask 255.255.255.0 broadcast XXX.XXX.XXX.255   - Internet
/sbin/ifconfig eth1 192.168.10.101 netmask 255.255.255.0 broadcast 192.168.10.255     - Private LAN
Also see notes on adding a second NIC.

This is often configured during install or can be configured using the Gnome tool neat (or the admin tool Linuxconf or netcfg for older Red Hat systems). System changes made with the ifconfig or route commands are NOT permanent and are lost upon system reboot. Permanent settings are held in configuration scripts executed during system boot. (i.e. /etc/sysconfig/...) See the YoLinux Networking tutorial for more information on assigning network addresses.

Run the appropriate script on the linux computer where eth0 is connected to the internet and eth1 is connected to a private LAN:

iptables:

   # Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.
iptables --flush            - Flush all the rules in filter and nat tables
iptables --table nat --flush
iptables --delete-chain     - Delete all chains that are not in default filter and nat table
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward             - Enables packet forwarding by kernel

ipchains:

   #!/bin/sh
ipchains -F forward                                - Flush rules
ipchains -P forward DENY                           - Default set to deny packet forwarding
ipchains -A forward -s 192.168.10.0/24 -j MASQ     - Use IP address of gateway for private network
ipchains -A forward -i eth1 -j MASQ                - Sets up external internet connection
echo 1 > /proc/sys/net/ipv4/ip_forward

Create a route for internal packets: 

     route add  -net 192.168.10.0  netmask 255.255.255.0 gw XXX.XXX.XXX.XXX dev eth1
Where XXX.XXX.XXX.XXX is the internet gateway defined by your ISP. For more information on routing see the YoLinux networking tutorial

Note: While this configuration requires that the Linux gateway computer have two network cards, if you only have one PCI slot available you may use a card such as the Intel Pro 100 or Pro 1000 Dual Port which has two ethernet connections which reside on a single card. (This is what I use) Yolinux Hardware tutorial: More on Network interface cards

icon
Intel PCI Dual Pro 100 or Pro 1000 NIC card supports two physical ethernet connections (eth0, eth1) on one card.
Compliant Standards: IEEE 802.3-LAN, IEEE 802.3U-LAN , Plug and Play
Connectivity Technology: Cable - 10Base-T, 100Base-TX
Data Link Protocol: Ethernet, Fast Ethernet
Processor: 82550 - Intel

Iptables options: (Linux kernel 2.4/2.6 firewall)

General /sbin/iptables format to add rules:
iptables [-t|--table table] -command [chain] [-i interface] [-p protocol] [-s address [port[:port]]] [-d address [port[:port]]] -j policy

Six pre-defined "chain" rules are available:

  • INPUT
  • OUTPUT
  • INPUT
  • FORWARD
  • PREROUTING
  • POSTROUTING
  • User defined chains (just give it a new name instead of one of the pre-defined names)

iptables options:

--table
-t		 Description
filter Default table. This is used if not specified
nat Network address translation
mangle Used for Quality Of Service (QOS) and preferential treatment
raw Enables optimization. i.e. Ignore firewall state matching for port 80 for enhanced speed due to less processing. Requires kernel patch
Command
(Use one)		 Description
-A
--append		 Append rule to chain
-D
--delete		 Delete rule from chain
-I
--insert		 Insert rule at beginning or at specified sequence number in chain.
-R
--replace		 Replace rule
-F
--flush		 Flush all rules
-Z
--zero		 Zero byte counters in all chains
-L
--list		 List all rules.
Add option --line-numbers for rule number.
-N
--new-chain		 Create new chain
-X
--delete-chain		 Delete user defined chain
-P
--policy		 Set default policy for a chain
-E
--rename-chain		 Rename a chain
Command Option Description
-s
--source		 Source address of packet
-d
--destination		 Destination address of packet
-i
--in-interface		 Interface packet is arriving from
-o
--out-interface		 Interface packet is going to
-p
--protocol		 Protocol:
°tcp
--sport port[:port]
--dport port[:port]
--syn
°udp
°icmp
°mac
...
-j
--jump		 Target to send packet to
-f
--fragment		 Fragment matching
-c
--set-counters		 Set packet/byte counter
-m tcp
--match tcp		 °--source-port port[:port]
(port # or range #:#)
°--destination-port port[:port]
°--tcp-flags
-m state
--match state		 --state
°ESTABLISHED
°RELATED
°NEW
°INVALID
(Push content, not expected to recieve this packet.)
Defined Policies Description
ACCEPT Let packet through
DROP Deny packet with no reply
REJECT Deny packet and notify sender
RETURN Handled by default targets
MARK Used for error response.
Use with option --reject-with type
MASQUERADE Used with nat table and DHCP.
LOG Log to file and specify message:
°--log-level #
°--log-prefix "prefix"
°--log-tcp-sequence
°--log-tcp-options
°--log-ip-options
ULOG Log to file and specify userpace logging messages
SNAT Valid in PREROUTING chain. Used by nat.
REDIRECT Used with nat table. Output.
DNAT Valid in POSTROUTING chain. Output.
QUEUE Pass packet to userspace.

For the full info see the man page for iptables.

Ipchains options: (Linux kernel 2.2 firewall)

General /sbin/ipchains format to add rules:
ipchains -A|I [chain] [-i interface] [-p protocol] [-y] [-s address [port[:port]]] [-d address [port[:port]]] -j policy [-l]

ipchains options:

Command Description
-A Add rule to chain
-D Delete rule from chain
-I Insert rule
-R Replace rule
-F Flush all rules
-L List all rules
-N Create new chain
-X Delete user defined chain
-P Set default targe
Command Option Description
-s Source address of packet
-d Destination address of packet
-i Interface packet is arriving from
-p Protocol
-j Target to send packet to
-y For -p tcp. Packet is SYN packet.
--icmp-type For -p icmp.
-l Log the packet to syslog.
/var/log/messages
Available in default Red Hat 6.0+ kernel
System targets
(policy) 		Description
ACCEPT Let packet through
DENY Deny packet
REJECT Deny packet and notify sender
MASQ Forward chain masquerade
REDIRECT Send to different port
RETURN Handled by default targets

Four chain rule types are available:

  • IP input chain
  • IP output chain
  • IP forwarding chain
  • User defined chains (just give it a new name instead of the built-in names: input, output or forward)

For the full info see the man page for ipchains. To add firewall rules read the links provided below.

Configuring PCs on the office network:
  • All PC's on the private office network should set their "gateway" to be the local private network IP address of the Linux gateway computer.
  • The DNS should be set to that of the ISP on the internet.

Windows '95 Configuration:

  • Select "Start" + Settings" + "Control Panel"
  • Select the "Network" icon
  • Select the tab "Configuration" and double click the component "TCP/IP" for the ethernet card. (NOT the TCP/IP -> Dial-Up Adapter)
  • Select the tabs:
    • "Gateway": Use the internal network IP address of the Linux box. (192.168.XXX.XXX)
    • "DNS Configuration": Use the IP addresses of the ISP Domain Name Servers. (Actual internet IP address)
    • "IP Address": The IP address (192.168.XXX.XXX - static) and netmask (typically 255.255.255.0 for a small local office network) of the PC can also be set here.

Linux computers:

  • IP Address: Use ifconfig or netcfg commands to set the IP address and netmask.
    See Assigning an IP address portion of the Networking tutorial.
  • Gateway: The gateway is set with the route command. This can also be set by the GUI tool /usr/bin/netcfg or console tool /usr/sbin/netconfig. It is also stored by the system in the /etc/sysconfig/network file.
  • DNS: Configure file /etc/resolv.conf to set the DNS and default domain.
    See the Network configuration files portion of the Networking tutorial.
  • Simple firewall for the desktop Linux system: 
    iptables -P INPUT   DROP
    iptables -P FORWARD DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    Allow network connections which have already been established (started by host) and related to your connection. FTP requires this as it may use various ports in support of the file transfer.)
    Allow network input/output from self (lo).

Adding more security rules to your gateway:

iptables:

Deny a specific host: iptables -I INPUT -s XXX.XXX.XXX.XXX -j DROP

Block ports by adding the following firewall rules: 

# Allow loopback access. This rule must come before the rules denying port access!!
iptables -A INPUT -i lo -p all -j ACCEPT  - Rule for your computer to be able to access itself via the loopback
iptables -A OUTPUT -o lo -p all -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP       - Block NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP       - Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP  - Block X-Windows
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP       - Block X-Windows font server
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP        - Block printer port
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP        - Block printer port
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP        - Block Sun rpc/NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP        - Block Sun rpc/NFS
iptables -A INPUT -p all -s localhost  -i eth0 -j DROP  - Deny packets which claim to be from your loopback interface.
These rules may be executed on their own to protect your system while attached to the internet or they may be appended to the end of the iptables gateway NAT scripts above.

Debugging and logging: 

iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
Add this to the end of your rules and you should be able to monitor dropped connections in /var/log/messages. I do NOT log in this method due to the outrageous volume of messages it generates. Use this for debugging or short term monitoring of the network.

Another approach to firewalls is to drop everything and then grant access to each port you may need. 

iptables -F
iptables -A INPUT -i lo -p all -j ACCEPT                       - Allow self access by loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT - Accept established connections
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT          - Open ftp port
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT          - Open secure shell port
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT          - Open HTTP port
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn -s 192.168.10.0/24 --destination-port 139 -j ACCEPT   - Accept local Samba connection
iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT
iptables -P INPUT DROP               - Drop all other connection attempts. Only connections defined above are allowed.

ipchains:

This script configures firewall rules for a Linux computer with two ethernet ports. One port connects the computer to the internet with an external address of XXX.XXX.XXX.XXX. The other ethernet port connects the computer to an internal network of 192.168.10.0 to 192.168.10.255. This script is more complex but preferred to the previous scripts because of the extra security that the extra firewall rules offer. The script does work with a system running portsentry. For more on portsentry see the YoLinux Internet Security: portsentry Tutorial.

Internet external network interface: eth0
Internal private network interface: eth1
Local loopback virtual interface: lo

Gateway script for ipchains firewall and NAT: 

   #!/bin/sh

# Flush Rules
ipchains -F forward
ipchains -F output
ipchains -F input

# Set default to deny all
ipchains -P input   DENY
ipchains -P output  DENY
ipchains -P forward DENY

# Add Rules

# Accept packets from itself (localhost) (s)ource to itself (d)estination
# Keeps system logging, X-Windows or any socket based service working.
ipchains -A input  -j ACCEPT -p all -s localhost -d localhost -i lo
ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo

# Deny and log (option -l) spoofed packets from external network (eth0) which mimic internal IP addresses
ipchains -A input -j REJECT -p all -s 192.168.10.0/24 -i eth0 -l

# Accept requests/responses from/to your own firewall machine
ipchains -A input   -j ACCEPT -p all -d XXX.XXX.XXX.XXX -i eth0
ipchains -A output  -j ACCEPT -p all -s XXX.XXX.XXX.XXX -i eth0

# Allow outgoing packets source (s) to destination (d)
ipchains -A input   -j ACCEPT -p all -s 192.168.10.0/24 -i eth1
ipchains -A output  -j ACCEPT -p all -s 192.168.10.0/24 -i eth1

# Deny and log (option -l) outside packets from internet which claim to be from your loopback interface
ipchains -A input  -j REJECT -p all -s localhost  -i eth0 -l

ipchains -A forward -s 192.168.10.0/24 -j MASQ
ipchains -A forward -i eth1 -j MASQ

# Enable  packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Notes:

  • For this example it was assumed that your private network is from 192.168.10.0 to 192.168.10.255
  • The -d 0.0.0.0/0 refers to all or any destination address of packet. (destination in this case is irrelevant and the -d statement may be omitted))
  • localhost refers to your loopback interface on 127.0.0.1

Red Hat 7.1 will configure firewall rules as an option during installation. Note that the firewall rules are generated for ipchains. The configuration tool /usr/bin/gnome-lokkit was used to perform this setup.

Example of the security configuration: /etc/sysconfig/ipchains
This is the configuration file for the script /etc/rc.d/init.d/ipchains (which calls /sbin/ipchains-restore) which may be invoked during system boot. 

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT                - Allow WWW http access to web server
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT                - Allow SSH (Secure Shell) access
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT  - Allow DHCP/BOOTPC
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT  - eth1 internal network access OK. External eth0 goes through firewall rules
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT    - This shuts off telnet,FTP,bind...! Use for a workstation only
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT       - Workstation only or explicitly ports as above with 80, 22
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT         - Block NFS
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT - Block remote X-Window connections
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT      - Block remote font server connections
Note: Once ipchains have been invoked for kernel 2.4 (RH 7.1), one may NOT use iptables. You may use one or the other but not both.

Save/restore an tables/ipchains configuration:

  • IpTables: iptables-save man page
    /sbin/iptables-save > /etc/sysconfig/iptables.rules
    /sbin/iptables-restore < /etc/sysconfig/iptables.rules

  • IpChains: ipchains-save man page
    /sbin/ipchains-save > /etc/sysconfig/ipchains.rules
    /sbin/ipchains-restore < /etc/sysconfig/ipchains.rules

The system init script looks for the file name /etc/sysconfig/ipchains instead of /etc/sysconfig/ipchains.rules. This will make the rules accessible to the init script which will invoke the rules upon system boot. See the YoLinux Init process tutorial for more information on init scripts and system boot procedures.

Also see: how to turn off ICMP and look invisible to ping.

proc file settings:

  • Turning on Linux kernel support for spoof and DOS (Denial Of Service) protection: 

       echo 1 >/proc/sys/net/ipv4/tcp_syncookies
    Must first be compiled into kernel. (Included in Redhat default kernel) By default the Redhat install has this disabled (set to 0). This helps to prevent against the common 'syn flood attack'. A connecting computer (peer) may not receive reliable error messages from an over loaded server with syncookies enabled.

    For more on SYS cookies see: CERT Advisory CA-96.21

  • Turn on Source Address Verification: (Off by default on Red Hat install - set to 0) 
       echo 1 >/proc/sys/net/ipv4/conf/eth0/rp_filter
    OR
    echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter

    State the interface appropriate for your installation.
    The first example prevents spoofing attacks against your external networks only.

    IP spoofing is a technique where a host sends out packets which claim to be from another host. It is also used to hide the identity of the attacker.

The TCP Man page - Linux Programmer's Manual and /usr/src/linux/proc.txt [link] (Kernel 2.4) cover /proc/sys/net/ipv4/* file descriptions.

Also see:

IP Forwading Notes:

Choose one of the following to allow the Linux kernel to forward IP packets:

  1. Immediately allow the forwarding of packets. The configuration is not preserved on reboot but sets a flag in the kernel itself. 
        echo 1 > /proc/sys/net/ipv4/ip_forward

  2. Another method is to alter the Linux kernel config file: /etc/sysctl.conf
    Set the following value: 
        net.ipv4.ip_forward = 1
    This will configure the system to allow forwarding of packets upon system boot. It is stored in this configuration file and thus read and set upon system boot. If set to "0" then there will be no forwarding of packets.

  3. An alternate method is to alter the network script: /etc/sysconfig/network 
         FORWARD_IPV4=true
    Change the default "false" to "true".

All the above methods will result in a proc file value of "1" to allow TCP packet forwarding. Options 2 and 3 set boot configurations in a configuration file and will not take effect until system boot.
Test the current setting of the kernel: cat /proc/sys/net/ipv4/ip_forward

Note: The /proc directory is NOT on your hard drive but is present in the running kernel.

CIDR Notation:

The notation "/24" refers to the use of the first 24 bits of a 32 IP address. The is the equivalent of using the bitmask 255.255.255.0. To put it another way, it specifies a range of IP addresses: 0 to 255 for the last octet while the first three remain constant.

Example: 192.168.103.0/24 refers to the IP address range 192.168.103.0 to 192.168.103.255

The notation "/32" refers to a single IP address as it implies that all 32 bits of the IP address are significant.

Configuration Tools:

GUI tools and scripts exist to help you with the configuration of ipchains. See:

  • EasyFw - Tcl/Tk - RPM available from web site.
    RPM installs command: /usr/local/bin/easyfw
  • Firestarter - Configuration of firewall and real-time hit monitor for the Gnome desktop. Configures ipchains (kernel 2.2) and iptables (kernel 2.4)
  • Firewall Builder - iptables, ipfilter and OpenBSD PF. (GTK--)

Included with Red Hat 7.x is the Gnome GUI tool gnome-lokkit. (ipchains)

Tools for iptables configuration:

Read More......

Diposkan oleh Techno di 16:27 0 komentar

Label: ,

Langgan: Entri (Atom)