The chflags utility modifies the file flags of the listed files as specified by the flags operand.
FreeBSD offers write protection through file flags: set the system immutable flag (schg) on a file and nobody, root included, can modify, rename or delete it. Only root can set or clear schg, and only while the kernel securelevel is 0 or -1. At securelevel 1 or higher the flag cannot be removed without rebooting into a lower securelevel, which is what makes it useful against an attacker who has already obtained root.
Set the file immutable flag
Use the chflags command as follows:
# chflags schg /tmp/test.doc
Now try to remove or modify the file with rm or vi:
# rm -f /tmp/test.doc
rm: /tmp/test.doc: Operation not permitted
Root is now unable to remove or modify the file. This is useful for protecting important files such as /etc/passwd and /etc/master.passwd; keep in mind that the tools which rewrite those files (passwd, pw, vipw) will fail until the flag is cleared again.
Display whether the immutable flag is set
The -o option makes ls print the file flags in the fifth column (a single - when none are set):
# ls -lo /tmp/test.doc
-rw-r--r-- 1 root wheel schg 19 Jun 29 22:22 /tmp/test.doc
Clear the file immutable flag
# chflags noschg /tmp/test.doc
Now the file can be removed or modified again. chflags also supports several other flags:
- arch: set the archived flag
- nodump: set the nodump flag
- sappnd: set the system append-only flag
- schg: set the system immutable flag
- sunlnk: set the system undeletable flag
- uappnd: set the user append-only flag
- uchg: set the user immutable flag
- uunlnk: set the user undeletable flag
Prefixing a keyword with no turns the flag off (noschg, nouchg and so on); the one exception is nodump, which is cleared with dump. The user flags (uchg, uappnd, uunlnk) can be set and cleared by the file's owner; the system flags (schg, sappnd, sunlnk) only by root, subject to the securelevel rule above.
Linux offers the same protection with the immutable attribute: chattr +i file sets it and chattr -i file clears it.
See the chflags(1) and ls(1) manual pages for more information.
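The procedure above, put into a small script as an added example (this is not code from the original article): it refuses to run when root or the securelevel would make chflags fail, sets schg on each file given, and confirms the flag by reading it back from ls -lo. It assumes FreeBSD's chflags(1) and the ls -lo column layout; the function names and the file list in the usage line are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article.  Lock files with the FreeBSD
# system immutable flag and verify the result.  Assumes FreeBSD chflags(1)
# and the `ls -lo` column layout; function names are this example's own.

# Print the flags column of one `ls -lo` line.  FreeBSD prints the flags
# as a comma-separated list (for example "schg,sunlnk") or "-" when none
# are set, in the fifth column.
ls_flags() {   # ls_flags "LS_LO_LINE"
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# Succeed if NAME is one of the comma-separated flags in FLAGS.
has_flag() {   # has_flag FLAGS NAME
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# System flags can only be changed by root at securelevel 0 or -1.
securelevel_ok() {
    lvl=$(sysctl -n kern.securelevel 2>/dev/null) || return 1
    [ "$(id -u)" -eq 0 ] && [ "$lvl" -le 0 ]
}

# Set schg on each file and confirm it from ls -lo output.
protect() {   # protect FILE...
    securelevel_ok || { echo "need root at securelevel <= 0" >&2; return 1; }
    rc=0
    for f in "$@"; do
        chflags schg "$f" || { echo "chflags failed: $f" >&2; rc=1; continue; }
        if has_flag "$(ls_flags "$(ls -lo "$f")")" schg; then
            echo "locked: $f"
        else
            echo "flag not visible on $f" >&2; rc=1
        fi
    done
    return $rc
}

# Usage: sh lockfiles.sh /etc/master.passwd /etc/passwd
if [ $# -gt 0 ]; then
    protect "$@"
fi
```

Clearing is the mirror image (chflags noschg), but it only works while the securelevel is still 0 or -1; once the system runs at securelevel 1 or above, a reboot into a lower securelevel is required.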
Spoofing (bad address) attacks try to fool the server by forging the source address so that packets appear to come from a local address or network; packets arriving on an external interface with a source address from your own networks should never be accepted.
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of TCP SYN requests to a target system without ever completing the handshake. It works when the server allocates resources on receiving a SYN, before the final ACK arrives: every half-open connection holds state in the listen backlog, so a flood of SYNs can exhaust it and lock out legitimate clients. Modern kernels blunt the attack with SYN cookies (net.ipv4.tcp_syncookies on Linux), but it remains common, and iptables can additionally rate-limit incoming SYNs with the limit match:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
New connections are allowed until the limit is reached:
- --limit 1/s: maximum average matching rate, here one SYN per second
- --limit-burst 3: maximum initial number of packets to match before the rate applies
Two caveats. The limit match keeps a single counter for the rule, not one per source, so once a flooder exceeds the rate the rule throttles every client alike; 1/s with a burst of 3 is far too low for a production server, and a per-source limit (the hashlimit match with --hashlimit-mode srcip) is usually the better tool. And a RETURN target in the built-in INPUT chain does nothing by itself; the rule only does its job inside a user-defined chain whose fall-through action is DROP.
Open your iptables script and add the following rules, which put the limit in its own chain:
# Limit the number of incoming TCP connection attempts
# Incoming SYN flood protection: SYNs above the rate fall through to DROP
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
# Limiting incoming ICMP echo requests (ping):
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "PING-DROP:"
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
The first rule accepts echo requests at one per second with an initial burst of one. Requests above that rate fall through to the second rule, which logs them with the prefix PING-DROP: to the kernel log (normally /var/log/messages or /var/log/kern.log via syslog); the LOG target does not stop rule processing and is itself limited to one entry per second so the flood cannot fill the log. The third rule drops the excess requests. The fourth rule allows all outgoing ICMP, so the host can still answer accepted pings and send its own. Matching only echo-request rather than all of ICMP matters: dropping ICMP errors such as destination unreachable and fragmentation needed breaks path MTU discovery, so those should keep flowing under your other rules.
- --limit rate: maximum average matching rate, specified as a number with an optional /second, /minute, /hour or /day suffix; the default is 3/hour.
- --limit-burst number: maximum initial number of packets to match; this number is recharged by one every time the limit above is not reached, up to this number; the default is 5.
Adjust --limit and --limit-burst to your network traffic and requirements.
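To make use of the PING-DROP log entries, here is an added example (not part of the original article) that summarizes kernel log lines by source address and prints block commands for the worst offenders. The sample log lines are constructed here with RFC 5737 documentation addresses and follow the key=value layout of the netfilter LOG target; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: summarize PING-DROP log
# lines by source address and propose iptables rules for repeat offenders.

# Constructed sample of /var/log/messages lines as written by the LOG target
# (documentation addresses from RFC 5737; MAC and IDs are made up).  The
# sshd line is there to show that unrelated lines are ignored.
SAMPLE_LOG='Jun 29 22:22:01 fw kernel: PING-DROP:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Jun 29 22:22:01 fw kernel: PING-DROP:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=2
Jun 29 22:22:02 fw kernel: PING-DROP:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Jun 29 22:22:02 fw sshd[1234]: Accepted publickey for admin from 203.0.113.7 port 50122 ssh2
Jun 29 22:22:03 fw kernel: PING-DROP:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=3'

# Read log lines on stdin; print "COUNT SRC" for every source seen in a
# PING-DROP entry, most frequent first.  Only the SRC= field is used, so
# the order of the other fields does not matter.
ping_drop_top() {
    awk '/PING-DROP:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); count[$i]++ }
         }
         END { for (s in count) print count[s], s }' | sort -rn
}

# Read "COUNT SRC" lines on stdin and print an iptables command for every
# source with at least THRESHOLD drops.  Commands are printed, not run, so
# they can be reviewed first; -I puts the rule ahead of any ACCEPT rule.
ban_cmds() {   # ban_cmds THRESHOLD
    awk -v t="$1" '$1 >= t { printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

# Usage: ping_drop_top < /var/log/messages | ban_cmds 50
```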
Suppose you want to limit new connections to the ssh server (port 22) to no more than 10 per source address in any 10 minute window. Rule order matters here: the check has to run before the rule that records the hit, and only new connections may be counted; if established packets were counted too, every packet of a long-lived session would add to the counter and lock its own source out of opening a second connection. SERVER_IP is your server's address:
iptables -A INPUT -p tcp -d $SERVER_IP --dport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -d $SERVER_IP --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 600 --hitcount 11 -j DROP
iptables -A INPUT -p tcp -d $SERVER_IP --dport 22 -m state --state NEW -m recent --name ssh --set -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 22 -m state --state ESTABLISHED -j ACCEPT
The 11th new connection from one source inside 600 seconds is dropped, and because --update refreshes the timestamp on every attempt the block lasts as long as the source keeps trying. The recent match is documented in iptables-extensions(8); its current list lives in /proc/net/xt_recent/ssh, where it can be inspected, and an address is removed by writing -ADDRESS to that file.
Sometimes it is necessary to block incoming or outgoing traffic to or from a specific remote host, for all services or for a selected port. iptables is the administration tool for IPv4 packet filtering and NAT in the Linux kernel; the following tips show how to block an attacker's or spammer's IP address in both directions.
How do I block a specific IP address?
The following rules drop incoming packets from the host 220.127.116.11 and outgoing packets to it:
iptables -A INPUT -s 220.127.116.11 -j DROP
iptables -A OUTPUT -d 220.127.116.11 -j DROP
Rules are matched in order, so appending with -A only works if no earlier rule already accepts traffic from that host; otherwise insert at the top of the chain with -I INPUT instead. Verify with iptables -L -n -v, which also shows how many packets each rule has dropped.
A simple shell script to block many IP addresses
If you have many IP addresses to block, keep them in a file and loop over it:
A) Create a text file:
# vi /root/ip.blocked
Add one IP address or network (CIDR notation) per line; lines beginning with # are comments:
# Ip address block file
B) Create a script as follows, or add these lines to your existing iptables shell script:
BLOCKDB="/root/ip.blocked"
IPS=$(grep -Ev "^#" "$BLOCKDB")
for i in $IPS
do
    # drop traffic from and to the address in both directions
    iptables -A INPUT -s "$i" -j DROP
    iptables -A OUTPUT -d "$i" -j DROP
done
C) Save and close the file, then run it as root. With hundreds of addresses one rule per address slows down every packet; ipset lets a single iptables rule match the whole list and is the better choice for large lists.
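The loop above trusts every non-comment line in ip.blocked and hands it straight to iptables. As an added example (not the article's own script), here is a version that validates each entry as an IPv4 address or CIDR network first, so a typo or a stray word is reported instead of producing a failing or unintended rule, and that can be dry-run to print the commands instead of executing them. The sample block file is constructed here with RFC 5737 addresses; the file path in the usage line and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: load a block file, validate
# every entry, and block the valid ones with iptables in both directions.

# Constructed sample of a block file (RFC 5737 documentation addresses).
SAMPLE_BLOCKDB='# Ip address block file
203.0.113.7            # single host
198.51.100.0/24        # whole network
256.1.1.1              # invalid octet, must be skipped
192.0.2.0/33           # invalid prefix, must be skipped
not-an-address
'

# Succeed if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
# The body runs in a subshell so changing IFS and "$@" does not leak out.
valid_ipv4_cidr() (
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        pfx=${1##*/}
        case $pfx in ''|*[!0-9]*) exit 1 ;; esac
        [ "$pfx" -le 32 ] || exit 1
    fi
    IFS=.
    set -- $addr
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    exit 0
)

# Read a block file on stdin, strip comments and blank lines, print the
# entries that validate, and report the ones that do not on stderr.
load_blocklist() {
    awk '{ sub(/#.*/, ""); if (NF) print $1 }' |
    while IFS= read -r entry; do
        if valid_ipv4_cidr "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done
}

# Block every valid entry in FILE in both directions.  With DRY_RUN set to a
# non-empty value, print the iptables commands instead of running them.
apply_blocklist() {   # apply_blocklist FILE
    load_blocklist < "$1" | while IFS= read -r ip; do
        ${DRY_RUN:+echo} iptables -A INPUT  -s "$ip" -j DROP
        ${DRY_RUN:+echo} iptables -A OUTPUT -d "$ip" -j DROP
    done
}

# Usage: DRY_RUN=1 sh blocklist.sh /root/ip.blocked   (drop DRY_RUN to apply)
if [ $# -gt 0 ]; then
    apply_blocklist "$1"
fi
```

Run it with DRY_RUN=1 first and read the printed commands; the invalid lines in the sample are reported on stderr and never turn into rules.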
Recently we had a lot of discussion about this issue: how to remove files securely so that they cannot be undeleted. Peter Gutmann's paper "Secure Deletion of Data from Magnetic and Solid-State Memory" has very good information on the subject. Here are some commands and tools available under Debian GNU/Linux (they should work on other Linux distributions as well) for deleting files securely.
srm: securely remove files or directories
This command is a replacement for rm. It works under Linux, BSD and other UNIX-like operating systems. It removes each specified file by overwriting, renaming and truncating it before unlinking it, which prevents others from undeleting the file or recovering information about it from the command line. Because of the number of operations it performs on every file or directory, it is much slower than rm. Download srm from http://sourceforge.net/projects/srm (an RPM package is also available for RPM-based Linux distributions).
i) Untar and install srm:
# make install
ii) How to use srm?
srm takes the same options as rm; read man srm. A simple example:
$ srm privateinfo.doc
wipe: a secure file wiping utility
Download wipe from http://wipe.sourceforge.net/
i) Untar and install wipe:
# make install
ii) How to use wipe?
$ wipe filename
Read the wipe man page for more information.
shred: delete a file securely, first overwriting it to hide its contents.
It is part of GNU coreutils and available on most Linux distributions, including Debian GNU/Linux. To remove a file called personalinfo.tar.gz:
$ shred -n 200 -z -u personalinfo.tar.gz
- -n: overwrite N (here 200) times instead of the default (25 in older coreutils; current versions default to 3). Gutmann's own paper notes that for modern drives a few passes of random data are as good as it gets, so 200 passes mostly costs time.
- -z: add a final overwrite with zeros to hide the shredding
- -u: truncate and remove the file after overwriting
Read the shred(1) man page for more information. All of these utilities rely on overwriting the file's blocks in place, so they are not effective (in practice, useless) if:
- the filesystem does not write in place: log-structured or copy-on-write filesystems, and journaled filesystems when they journal file data (ext3, ext4 or ReiserFS mounted with data=journal); with the default metadata-only journaling of ext3, ext4, XFS, JFS and ReiserFS an in-place overwrite works as it does on ext2
- the filesystem is RAID-based or compressed, or keeps snapshots that still reference the old blocks
- the file lives on an SSD or other flash storage: the drive's wear levelling remaps writes, so the old blocks may survive the overwrite; for such devices whole-disk encryption from the start or the drive's ATA secure-erase command is the realistic option
- in addition, filesystem backups and remote mirrors may contain copies of the file that these utilities cannot remove
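As an added example (not from the original article), a wrapper that checks those preconditions before calling shred: it refuses when the file sits on a copy-on-write filesystem, on ext3/ext4 in data=journal mode, or on flash storage, where an in-place overwrite cannot be relied on. It assumes util-linux findmnt and lsblk to discover the filesystem and backing device; the function names are my own, and RAID, compression, snapshots and backups still have to be checked by hand.

```shell
#!/bin/sh
# Added example, not from the original article: refuse to shred where an
# in-place overwrite cannot reach the old data.  Assumes util-linux
# findmnt(8) and lsblk(8); RAID, compression and backups are not detected.

# Decide whether overwriting a file in place can destroy its old contents,
# given the filesystem type, its mount options and whether the backing
# device is rotational ("1"), flash ("0") or unknown.  Prints the reason
# for a refusal on stderr.
overwrite_viable() {   # overwrite_viable FSTYPE MOUNTOPTS ROTATIONAL
    fstype=$1 opts=$2 rota=$3
    case $rota in
        1) ;;
        0) echo "flash storage: wear levelling may keep old copies" >&2; return 1 ;;
        *) echo "cannot determine device type" >&2; return 1 ;;
    esac
    case $fstype in
        btrfs|zfs|nilfs2|f2fs)
            echo "$fstype is copy-on-write or log-structured: old blocks are not overwritten" >&2
            return 1 ;;
        ext3|ext4|reiserfs)
            case ",$opts," in
                *,data=journal,*)
                    echo "data=journal mode writes file data to the journal first" >&2
                    return 1 ;;
            esac ;;
    esac
    return 0
}

# Gather the facts for FILE and shred it only if overwriting is viable.
safe_shred() {   # safe_shred FILE
    f=$1
    fstype=$(findmnt -no FSTYPE -T "$f") || return 1
    opts=$(findmnt -no OPTIONS -T "$f") || return 1
    src=$(findmnt -no SOURCE -T "$f") || return 1
    # lsblk reports 1 for rotational disks, 0 for flash; empty if unknown
    rota=$(lsblk -no ROTA "$src" 2>/dev/null | head -n 1 | tr -d ' ')
    if overwrite_viable "$fstype" "$opts" "${rota:-unknown}"; then
        shred -n 3 -z -u -- "$f"
    else
        echo "not shredding $f; rely on full-disk encryption or the drive's secure erase" >&2
        return 1
    fi
}

# Usage: sh safe-shred.sh personalinfo.tar.gz
if [ $# -gt 0 ]; then
    safe_shred "$1"
fi
```

The decision function is kept separate from the probing so it can be exercised with known inputs; on a real system the mount options come from findmnt exactly as /proc/self/mountinfo reports them.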