How to: Linux Iptables block common attacks

26/11/2022 Categories: Sécurité, Système Tags: , Aucun commentaire

Source: nixCraft

Following list summaries the common attack on any type of Linux computer:

Syn-flood protection

In this attack system is floods with a series of SYN packets. Each packets causes system to issue a SYN-ACK responses. Then system waits for ACK that follows the SYN+ACK (3 way handshake). Since attack never sends back ACK again entire system resources get fulled aka backlog queue. Once the queue is full system will ignored incoming request from legitimate users for services (http/mail etc). Hence it is necessary to stop this attack with iptables.

Force SYN packets check

Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Force Fragments packets check

Packets with incoming fragments drop them. This attack result into Linux server panic such data loss.

iptables -A INPUT -f -j DROP

XMAS packets

Incoming malformed XMAS packets drop them:

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Lire la suite…

Categories: Sécurité, Système Tags: ,

Linux Iptables Limit the number of incoming tcp connection / syn-flood attacks

26/11/2022 Categories: Réseau, Sécurité Tags: , , Aucun commentaire

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system. This is a well known type of attack and is generally not effective against modern networks. It works if a server allocates resources after receiving a SYN, but before it has received the ACK.

if Half-open connections bind resources on the server, it may be possible to take up all these resources by flooding the server with SYN messages. Syn flood is common attack and it can be block with following iptables rules:

iptables -A INPUT -p tcp –syn -m limit –limit 1/s –limit-burst 3 -j RETURN

All incoming connection are allowed till limit is reached:

  • –limit 1/s: Maximum average matching rate in seconds
  • –limit-burst 3: Maximum initial number of packets to match

Open our iptables script, add the rules as follows:

# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
#Limiting the incoming icmp ping request:
iptables -A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT

First rule will accept ping connections to 1 per second, with an initial burst of 1. If this level crossed it will log the packet with PING-DROP in /var/log/message file. Third rule will drop packet if it tries to cross this limit. Fourth and final rule will allow you to use the continue established ping request of existing connection.
Where,

  • ‐‐limit rate: Maximum average matching rate: specified as a number, with an optional ‘/second’, ‘/minute’, ‘/hour’, or ‘/day’ suffix; the default is 3/hour.
  • ‐‐limit‐burst number: Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

You need to adjust the –limit-rate and –limit-burst according to your network traffic and requirements.

Let us assume that you need to limit incoming connection to ssh server (port 22) no more than 10 connections in a 10 minute:

iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
Categories: Réseau, Sécurité Tags: , ,

How To Find My Public IP Address From Command Line On a Linux

25/11/2022 Categories: Réseau, Système Tags: , Aucun commentaire

Source: nixCraft

How do I find out my public IP address on the Linux and OS X Unix command line to use with my own bash shell script without using third party web site? Is there command-line option which will show my dynamic IP address on a Ubuntu or Fedora Linux?

There are many ways to find out your public IP address or wan (Wide Area Network) IP on a Linux or Unix-like operating systems such as FreeBSD, OpenBSD, NetBSD, Apple OS X, and others.

Explain IP addresses

An IP is short for Internet Protocol. It is used to identify computers or mobile devices on the Internet. Each device connected to the Internet has an IP address. IP address can be used to personalize information.

Lire la suite…

Categories: Réseau, Système Tags: ,

Set Up SSH Tunneling on a Linux / Unix / BSD Server To Bypass NAT

25/11/2022 Categories: Réseau, Système Tags: , , Aucun commentaire

I‘m a new Linux / Unix system user. How can I set encrypted tunnel between my desktop/laptop computer and server in a remote data center to bypass the limits in a network? How do I create a reverse SSH tunnel on Unix-like systems?

SSH tunnelling can be thought as a poor-man’s-VPN. It is handy in situations where you would like to hide your traffic from any body who might be listening on the wire or eavsdropping.

You can use such tunnel between your computer and your Unix/BSD/Linux server to bypass limits placed by a network or to bypass NAT, and more.
Lire la suite…

Categories: Réseau, Système Tags: , ,

Heartbeat/mysql: Bascule esclave/maitre

heartbeat mysqlNous sommes dans la situation où il faut redémarrer le serveur maitre

connection ssh sur les deux serveurs:

sur le maitre
#ssh maitre@IP

Arrêt du service heartbeat sur les deux serveurs

# service heartbeat stop
ou
#/etc/init.d/heartbeat stop

Même chose sur l’esclave
A partir de là, plus personne n’a accès à l’application web

MySql:

on va se placer dans votre homedir sur les deux serveurs.
#cd /home

sur le serveur esclave, on va récupérer la base mysql et la copier sur le serveur maître:

[esclave]# mysqldump -u root -pMDP votre_bdd > votre_bdd.sql
[esclave]# scp votre_bdd.sql maitre@IP:/home

Passons sur le serveur maître:

[maitre]#cd /home

on injecte la base:
[maitre]# mysql -u root -pMDP votre_bdd.sql > votre_bdd.sql

Maintenant, on va activer la réplication de la base MySql du serveur maître sur l’esclave: sur le serveur maître: tout d’abord on va se connecter sur la base

[maitre]# mysql -u root -pMDP

Puis on bloque la base en lecture seule
mysql>: FLUSH TABLES WITH READ LOCK;

On repère la position de la base:

mysql > SHOW MASTER STATUS;
  ------------------ ---------- -------------- -------------------------- 
 | File             | Position | Binlog_Do_DB | Binlog_Ignore_DB         |
  ------------------ ---------- -------------- -------------------------- 
 | mysql-bin.000003 | 73       | test,bar     | foo,manual,mysql         |
  ------------------ ---------- -------------- -------------------------- 
 1 row in set (0.06 sec)

et on note:
mysql-bin.000003 ← le log bin à utiliser
73 ← la position du log
évidemment à adapter suivant le cas.

sur le serveur esclave:
on se connecte aussi à la base mysql
[esclave]# mysql -u root -pMDP

on stoppe la réplication en cours
mysql>stop slave;

on fait une RAZ de la réplication
mysql>reset slave;

On va positionner le serveur esclave comme le maître:
mysql> CHANGE MASTER TO MASTER_HOST = 'IP', MASTER_USER = 'repli', MASTER_PASSWORD = 'repli', MASTER_LOG_FILE = 'mysql-bin.000003', MASTER_LOG_POS = 73;

on démarre la réplication
mysql> start slave;

on vérifie qu’on n’a pas d’erreur

mysql> show slave statusG
 *************************** 1. row ***************************
 Slave_IO_State: Waiting for master to send event
 Master_Host: 10.94.8.58
 Master_User: repli
 Master_Port: 3306
 Connect_Retry: 60
 Master_Log_File: mysql-bin.000003
 Read_Master_Log_Pos: 73
 Relay_Log_File: GLPI_esclave-relay-bin.000024
 Relay_Log_Pos: 660186
 Relay_Master_Log_File: mysql-bin.000003
 Slave_IO_Running: Yes
 Slave_SQL_Running: Yes
 ******
 Last_Errno: 0
 Last_Error:
 ******
 Seconds_Behind_Master: 0
 1 row in set (0.00 sec)

on se déconnecte de mysql
mysql>exit;

sur le serveur maitre on déverrouille l’écriture sur la base
mysql> UNLOCK TABLES;

on se déconnecte de mysql
mysql>exit;

et pour finir on lance le script de lancement automatique des services heartbeat/mon/http/myslq:

[maitre]#./startHA

sur le serveur maitre c’est le même script sauf le service Mon en moins:
[esclave]#./startHA

on vérifie que l’IP virtuel est actif sur le serveur maitre:

[maitre]#ifconfig
eth0:0 Link encap:Ethernet HWaddr 00:22:19:D7:73:48
 inet adr:10.94.8.56 Bcast:10.94.15.255 Masque:255.255.248.0
 UP BROADCAST RUNNING MULTICAST MTU:1492 Metric:1
 Interruption:16

et dans le navigateur firefox, on fait un test de connection:

http://appliweb.com

SI TABLE CRASHED :

d’après le log, on repère la table dite crashed

connexion à mysql :
#mysql -u root -pMDP ;

on sélectionne la base
mysql>use votre_bdd ;

on répare la table
mysql>repair table nomdelatable ;

on sort de mysql
mysql>exit;