The following list summarizes common attacks against any type of Linux computer:
Syn-flood protection
In this attack the system is flooded with a series of SYN packets. Each packet causes the system to issue a SYN-ACK response. The system then waits for the ACK that follows the SYN+ACK (3-way handshake). Since the attacker never sends back the ACK, system resources (the backlog queue) fill up. Once the queue is full, the system will ignore incoming requests from legitimate users for services (http/mail etc). Hence it is necessary to stop this attack with iptables.
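A filling backlog queue shows up on the host as sockets stuck in SYN_RECV, the state a connection holds while the server waits for the final ACK. The script below is an added example, not part of the original article: it counts those sockets per local port from input in /proc/net/tcp layout (state code 03 is SYN_RECV). The function names and the sample rows are made up for the example.

```shell
#!/bin/sh
# Added example: count half-open (SYN_RECV) TCP sockets per local port.
# Input is in /proc/net/tcp layout, where state code 03 means SYN_RECV.

# Constructed sample (not captured from a real host): one listener on
# port 80, four half-open and one established connection to port 80,
# and one half-open connection to port 25.
sample_proc_net_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1001
   1: 0A00000A:0050 016433C6:9C40 03 00000000:00000000 01:00000064 00000001 0 0 0
   2: 0A00000A:0050 026433C6:9C41 03 00000000:00000000 01:00000064 00000001 0 0 0
   3: 0A00000A:0050 036433C6:9C42 03 00000000:00000000 01:00000064 00000002 0 0 0
   4: 0A00000A:0050 046433C6:9C43 03 00000000:00000000 01:00000064 00000002 0 0 0
   5: 0A00000A:0050 0A7100CB:C350 01 00000000:00000000 00:00000000 00000000 33 0 2002
   6: 0A00000A:0019 056433C6:9C44 03 00000000:00000000 01:00000064 00000001 0 0 0
EOF
}

# Print "port count" for every local port that has SYN_RECV sockets,
# busiest port first. The port is the hex value after ":" in column 2.
syn_recv_by_port() {
    awk '
    function hex2dec(h,    i, n) {
        h = toupper(h); n = 0
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        return n
    }
    $4 == "03" { split($2, a, ":"); count[hex2dec(a[2])]++ }
    END { for (p in count) print p, count[p] }
    ' | sort -k2,2nr -k1,1n
}

# Print the ports whose half-open count is at or above the threshold ($1).
half_open_alert() {
    syn_recv_by_port | awk -v limit="$1" '$2 >= limit { print $1 }'
}

# On a live system: half_open_alert 100 < /proc/net/tcp
sample_proc_net_tcp | syn_recv_by_port
```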
Force SYN packets check
Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Force Fragments packets check
Drop packets with incoming fragments. This attack can result in a Linux server panic or data loss.
iptables -A INPUT -f -j DROP
XMAS packets
Drop incoming malformed XMAS packets:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop all NULL packets
Drop incoming malformed NULL packets:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
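The flag rules above all rest on one test: --tcp-flags MASK COMP matches when the packet's flags, restricted to MASK, equal COMP. The script below is an added example, not part of the original article, that models this test so you can see which flag sets each rule catches; for instance, ALL ALL only matches a packet with all six flags set, while the nmap -sX probe used later sets just FIN, PSH and URG. Function names are made up for the example, and connection state (-m state) is not modelled.

```shell
#!/bin/sh
# Added example: models the flag test behind "--tcp-flags MASK COMP".
# A packet matches when (packet_flags AND MASK) equals COMP.
# Function names are made up for this example; -m state is not modelled.

# flag_bits "SYN,ACK" -> 18 (bit values follow the TCP header flag byte)
flag_bits() {
    bits=0
    for name in $(printf '%s' "$1" | tr ',' ' '); do
        case $name in
            FIN) v=1 ;;  SYN) v=2 ;;  RST) v=4 ;;  PSH) v=8 ;;
            ACK) v=16 ;; URG) v=32 ;; ALL) v=63 ;; NONE) v=0 ;;
            *) echo "unknown flag: $name" >&2; return 1 ;;
        esac
        bits=$((bits | v))
    done
    echo "$bits"
}

# tcp_flags_match PACKET_FLAGS MASK COMP -> exit status 0 when it matches
tcp_flags_match() {
    p_bits=$(flag_bits "$1") || return 2
    m_bits=$(flag_bits "$2") || return 2
    c_bits=$(flag_bits "$3") || return 2
    [ $((p_bits & m_bits)) -eq "$c_bits" ]
}

# matching_specs PACKET_FLAGS -> which specs discussed on this page match.
# The last spec is what the iptables man page gives as equal to --syn.
matching_specs() {
    pkt_flags=$1; out=""
    while read -r spec_mask spec_comp; do
        if tcp_flags_match "$pkt_flags" "$spec_mask" "$spec_comp"; then
            out="${out:+$out; }$spec_mask $spec_comp"
        fi
    done <<'EOF'
ALL ALL
ALL NONE
ALL FIN,PSH,URG
SYN,RST,ACK,FIN SYN
EOF
    echo "${out:-none}"
}

# Constructed flag sets: full XMAS, NULL, FIN+PSH+URG, plain SYN, SYN+ACK
for f in FIN,SYN,RST,PSH,ACK,URG NONE FIN,PSH,URG SYN SYN,ACK; do
    printf '%-24s %s\n' "$f" "$(matching_specs "$f")"
done
```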
Block Spoofing and bad addresses
Using iptables you can filter and drop packets with suspicious source addresses. A network server should not accept packets from the Internet that claim to originate from inside your network. Spoofing can be classified as:
a) IP spoofing – Disable source address based authentication, for example rhosts based authentication. Filter RPC based services such as portmap and NFS.
b) DNS spoofing
Please see Iptables: How to avoid Spoofing and bad addresses attack tip for more information.
Also use NAT for your internal network. This makes it difficult for an attacker to spoof an IP address from outside.
Filter incoming ICMP, PING traffic
It includes the ping of death attack and ICMP floods. You should block all ICMP and PING traffic from outside except for your own internal network (so that you can ping to see the status of your own server). See the Linux : Iptables Allow or block ICMP ping request article.
Once the system is secured, test your firewall with the nmap or hping2 command:
# nmap -v -f FIREWALL-IP
# nmap -v -sX FIREWALL-IP
# nmap -v -sN FIREWALL-IP
# hping2 -X FIREWALL-IP
Further readings
- Man page : hping2(8), nmap(1), iptables(8)
{ 18 comments… read them below or add one }
Cyberciti is great.
Cyberciti had the answers I was looking for and the information is quite easy.
Many thanks – just what I was looking for.
Matt
This would block the more common XMAS packets.
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
In Drop all NULL packets,
Please correct spelling.
Change INPIT to INPUT
Cyberciti is really a very knowledgeable website. I would like to say thank you for this.
A better way of doing this would be to just use connection tracking:
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
And instead of blocking ICMP, limiting is IMO a better way, -m limit.
I would like to share with you my iptables rules… I am not gonna explain them in detail.
They are ready to be used with the iptables-restore command. Just check your ports and substitute xx.xx.xx.xx with your IP… If you have more IPs just add more IP chains. Customise to your requirements.
*filter
#clear
-F
#clear custom
-X
#default rules
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
#allow localhost
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#allow output for new, related and established connections
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#
# PACKETS chain
#
-N PACKET
-A PACKET -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A PACKET -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
#limit ping to 1 per second
-A PACKET -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
#
# STATE_TRACK chain (connection tracking)
#
-N STATE_TRACK
-A STATE_TRACK -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATE_TRACK -m state --state INVALID -j DROP
#
# PORTSCAN chain (drop common attacks)
#
-N PORTSCAN
-A PORTSCAN -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A PORTSCAN -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A PORTSCAN -p tcp --tcp-flags ACK,URG URG -j DROP
-A PORTSCAN -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A PORTSCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A PORTSCAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PORTSCAN -p tcp --tcp-flags ALL ALL -j DROP
-A PORTSCAN -p tcp --tcp-flags ALL NONE -j DROP
-A PORTSCAN -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A PORTSCAN -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
-A PORTSCAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
#
# COMMON chain (everything passes through here)
#
-N COMMON
-A COMMON -j STATE_TRACK
-A COMMON -j PORTSCAN
#
# chains relations
#
-A INPUT -j COMMON
-A OUTPUT -j COMMON
-A FORWARD -j COMMON
-A FORWARD -j PACKET
#
# IP chain
#
-N IP1
-A INPUT -d xx.xx.xx.xx -j IP1
-A OUTPUT -d xx.xx.xx.xx -j IP1
-A FORWARD -d xx.xx.xx.xx -j IP1
#SSH On standard port
-A IP1 -p tcp --dport 22 -j ACCEPT
#HTTP HTTPS
-A IP1 -p tcp --dport 80 -j ACCEPT
-A IP1 -p tcp --dport 443 -j ACCEPT
#DNS
-A IP1 -p tcp --dport 53 -j ACCEPT
-A IP1 -p udp --dport 53 -j ACCEPT
#Admin Panel (Webmin)
-A IP1 -p tcp --dport 10000 -j ACCEPT
# MORE IP CHAINS
#-N IP2
#-A INPUT -d xx.xx.xx.yy -j IP2
#-A OUTPUT -d xx.xx.xx.yy -j IP2
#-A FORWARD -d xx.xx.xx.yy -j IP2
#SSH
#-A IP2 -p tcp --dport 22 -j ACCEPT
#HTTP HTTPS
#-A IP2 -p tcp --dport 80 -j ACCEPT
#-A IP2 -p tcp --dport 443 -j ACCEPT
#DNS
#-A IP2 -p tcp --dport 53 -j ACCEPT
#-A IP2 -p udp --dport 53 -j ACCEPT
COMMIT
Very nice, thank you for posting this!
Completely blocking ICMP may result in a Black Hole situation (RFC 2923) since ICMP is vital to the PMTUD process. This may lock out clients coming over a congested link with MTU sizes below 1500 (e.g. tunnels).
I was wondering if there is a way you can do this in Windows as well. I get a lot of these attacks and I tried the ICMP blocking rule in my firewall. It worked for a few days but the attacks continued.
I am still able to get pinged using another computer running Ubuntu 11.04 and using nmap with those commands.
Great info, was getting molested with SYN attacks now things are stable!
Just want to correct a spelling mistake, for users like myself, who copy & paste everything into ssh
Drop null packets:
iptables -A INPIT -p tcp --tcp-flags ALL NONE -j DROP
Should be
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
I know it's no biggie, but it's easy to just copy & paste the mistake in and not check
Cheers!
Hi guy
nice tut,
but what about “HTTP Slow Post” attacks?
This tip is great, but it has flaws:
- typos
- grammar errors
- missing other types of attacks, like those told in comments
kunoichi, GREAT SHARE!! This is a great iptables setup… and it works great with psad… so far best one that I have seen and liked… takes care of everything..
iptables -A INPIT -p tcp --tcp-flags ALL NONE -j DROP
typo
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
anyway, thanks for sharing <3
Hi,
You have a typo:
iptables -A INPIT -p tcp --tcp-flags ALL NONE -j DROP