Simple Firewall

Contents of this chapter:
1. Skills needed to study this chapter
2. Why do you need a firewall
3. The knowledge and abilities a network administrator needs
4. Simple firewall hardware configuration and blocking techniques
5. Draft of the firewall rules
6. A simple explanation of iptables rules
7. A simple explanation of the TCP_Wrappers settings
8. Other related tests

Skills needed to study this chapter:
Welcome, everyone, to the headache part, ha! There really is a lot of reading to do! This chapter mentions many basic firewall measures and concepts, so please understand your own system first! There are also a few commonly used commands that you must pay special attention to, otherwise it is very easy to get into trouble! Keep these in mind:
· Learn vi
· Know the Bash shell
· Shell scripts
· System directory configuration
· Understanding system services
· Network basics
· Restricting the ports of a Linux host
· Know iptables and TCP_Wrappers, or, the older story: learn the Linux basics!
Why do you need a firewall:

· To begin with: if you don't look at the network, you won't see the trouble coming! I set up a Linux host by following the instructions on some web page, and after a week I can no longer log in to my host with the root password? Then there are complaints like: "Hey! Why can't my Linux host read its login files any more? Why is the ISP warning me that my mail server is on a blacklist? Why have I been detected launching an attack when I never did anything bad?!" Ha ha! It hurts, and it is all true, no mistake! Network security is really troublesome! You have to look after the host every day and update to the latest version of every package at any moment! Hey, what a bother! However, network security is basic knowledge for a network administrator, and a host with good firewall measures makes a network administrator's life much happier! Understand this: we are ordinary small users, so even if the host is broken into by a cracker, as long as he is only using our IP to do things, we can simply shut it down and protect ourselves. But if you are the host of a large enterprise that also holds credit card data, personal user information and so on, then you can't just shut it down. What do you do then? If you have not planned an emergency response, have no good habit of analysing the login files, and have no real-time reporting system to help you detect problems on your host, hehe! Beyond the amount of money, the total loss includes the company's reputation, and that is terrible! Analyses from abroad show that after a host is broken into, the loss beyond the money itself includes the time spent on maintenance and the cost of resetting hardware and software, a considerable expense! So setting up a safe host is quite important. Why does it matter to us? Don't think that because we are just an ordinary ADSL station it doesn't matter!
After you are really broken into, your host is then used to do bad things, and the person using your host to do bad things erases his login records so that nobody can find him, hehe! It will be you who ends up in the lawsuit! Don't think that the bandwidth of an ADSL dial-up is too small to matter! Doing things with your host does not need much bandwidth; as long as it can reach the Internet, whatever is spread from your host, hehe, someone will use it! "Don't look down on the security of the system!"

Common intrusion techniques of crackers: here we first present a few possible intrusion methods, then we talk about how to protect our host:
· Using a tool program to invade your host: don't doubt it, there is far too much intrusion-detection-type attack software on the Internet! As long as the protection on your host is not good enough, he can obtain root permission on your host through the functions of the attack software and manipulate your host further! And, because he is afraid of being discovered by some of your tools, he will usually modify several files inside your host, such as who, w, last, top, ps, netstat, find and so on, so that you never find out he is in your system! Scared?! Hurry up and do your homework!
· Trojan horse: named after the Trojan horse of Troy, a Trojan actively opens a back door on your host (you can think of it as a port being activated) so that the attacker can easily enter your host! How does a Trojan get on to your system? Very simple! If you downloaded a program of unclear origin today and installed it, it may already be resident in your memory! So don't install files from unidentified sources! For example, one famous piece of software had a version carrying a Trojan placed on its own website, inside the original package ~ yeah! Impressive ~. In addition, worms are also terrible: they reproduce themselves, and the well-known Nimda and Code Red viruses, for example, would exhaust your network bandwidth!!
· DoS attack methods: this kind of attack is also very important, and there are many ways to do it; the most common is the SYN flood! The attacker keeps sending packets that make the host wait for a response, so your host keeps ports open and the result is that system resources are exhausted! Ah! The machine is dead!
· IP spoofing: this is a more sophisticated trick. The attacker changes the header of the packet sent to your host and claims to be part of your internal network! If you do not block such packets, your host will usually "accept him!", with the result that the other side can easily enter your host... Hey! Really hard to prevent ~
· Port scanning: this is the most annoying! Because many distributions, to let you measure your own vulnerabilities, ship a scanning program such as nmap! Such software is fine if you play with it on yourself: you can check which ports your host has opened! But once it is used to attack someone else's host it is no fun any more... If you get that chance, don't use it on other people's hosts! Very dangerous!
· Several important maintenance measures: Oh!
So, let's go through how to set up a simple firewall together! Please pay special attention: before your Linux host goes online, please first:
o turn off several unsafe services;
o upgrade several packages that may have problems;
o establish the minimum security protection, the firewall;
o for other related information, please see the host protection page.
Let's take a look at how to add to your own safety!
The knowledge and abilities a network administrator needs:

From the situations above, hey! Being a competent network administrator is really hard! Basically you must have these capabilities:
· Understand what needs protecting: my god, I have to know what needs protecting?! Ha ha! Yes, exactly! It is not hard to see from the intrusion methods we just learned that as long as someone can sit in front of your host, anything can happen! So if your host is quite important, please don't let anyone get near it! (You can refer to how hard Tom Cruise had to work in "Mission: Impossible" to steal data from a computer!)
o Hardware: you can lock it up!
o Software: it also contains the most important information!!
· Prevention of intrusion by black hats: this is not a joke; what is a hacker?! Because the bad guys wore black hats, people used to call network attackers "black hats"! Besides attackers from that side, in addition to strictly controlling logins from the network, you also need to control the people on your host specifically! For our small site, don't think that just because a good friend asks you will simply give him an account! He says he wants a password identical to his account name and you agree! When somebody uses his password to log in to your host and wrecks it, who pays? In a big business, employees' use of the network also has to be graded!
· Host environment safety: there is not much to say: besides caring more, keep caring! Carefully analysing the login files and often checking the Internet for the latest security notices is the most basic thing! Also included is updating packages as fast as possible! Because the faster you update your packages, the faster you shut hackers out!
· The formation of firewall rules: this is more troublesome! Because you must test, test and test again!
To achieve an optimized network security setting! How so? Understand this: if you set too many firewall rules, a packet has to pass through level after level before it is completely through the firewall and into the host! Hey! That costs a lot! It will hurt the host's performance! Pay special attention to this!
· Maintaining your host in real time: as just said, you must maintain your host at all times, because a firewall is not finished once it has been set up! Even a rigorous firewall will have vulnerabilities! These include poorly written firewall rules, newer intrusion techniques, vulnerabilities in your old software services and so on! So you must maintain your host in real time! Besides analysing log files, this work can also be done by real-time detection! For example, PortSentry in OpenLinux is a very good piece of software!
· Good education and training courses: not everyone is a computer network master; in particular, although information has exploded nowadays,
there are still plenty of chances of meeting a computer idiot! We usually do not have many rules for the internal domain, so what if someone uses an internal computer to do bad things?! Sometimes it is even unintentional ~ sigh ~ So special education and training courses are needed!
· A complete backup plan: storms come unexpectedly and people have sudden misfortunes! Nobody knows when there will be a big earthquake, and we also don't know when the host will suddenly hang ~ So a complete backup plan is quite important!! Please refer to the contents of the Linux host backup chapter!
Anyway, a lot of effort has to go into all of the above! Otherwise one day you really will get the phone call from your supervisor, your users and your customers!
Simple firewall hardware configuration and blocking:

In the article "Knowing network security" we mentioned the related network crises, and also analysed how, under the TCP/IP architecture, packets may be intruded upon. OK! So the natural next thing to understand is the firewall setting! Please pay special attention: besides helping us block active connections from outside, the firewall can also help us control network traffic, and in a simple local network plan a firewall is an equally common plan! Such a plan gives a certain degree of protection to the security of the internal private domain! Ok, now we need to lay down the basic firewall measures. Here we put the firewall on the simplest router (that is, the NAT host) layout (the one shown in the figure above), so that all internal PCs connect through this Linux host. The benefits of this design are:
· The internal network can be kept open;
· The security mechanism only needs to be maintained on the Linux host;
· Only the Linux host is visible from outside, so effective security protection is achieved for the inside!
Now follow the contents of a packet, as shown below: since the firewall can analyse the packets transferred on the network and obtain the packet header, it can analyse the destination and source IP, port and other information shown in the figure above! So after analysing this information we can take a few blocking actions:
· Refuse packets to enter certain ports of the host: this should not be hard to understand! For example, ports 20-21, the FTP-related ports, which you only want to open to the internal network and not to the Internet: when a packet for those ports comes from the Internet, you can drop it! Because we can analyse the port number of the packet!
· Refuse packets from certain source IPs: for example, you have found that the host at some IP is mainly engaged in attacking behaviour, so as long as a packet comes from that IP you discard it! This also achieves basic safety!
· Refuse packets with certain special flags (FLAG) to enter: the most often refused is the SYN flag of an active connection! As long as you find one, hehe! You can discard the packet!
Of course there are still many techniques we have not mentioned here! Let's talk about how to build a simple firewall host! In addition, I expect two layers of firewall, iptables and TCP_Wrappers, whose relationship is as in the figure: let's first talk about the draft of the firewall rules!
Draft of the firewall rules:

Here is a very simple firewall plan; my hardware connection is as shown in the figure above, and the network is set up as:
· External network uses ppp0: because it is dial-up, the actual external interface is ppp0;
· Internal network uses eth0: this eth0 is used for the internal network connection, and the domain is the C-class 192.168.1.0/24;
· Services opened on the host: at present I only open NAT, but some services will be added in the future. For now I assume that my host is expected to enable these services on the Internet:
o NAT
o WWW
o SSH
o SMTP
o POP3
o IMAP
o DNS
o FTP, TELNET, DHCP and NFS are only open to the internal domain!
Our rule is the "close everything, open specific services" mode, but in the policy we first select ACCEPT, and then close all services in the last line for NEW and INVALID! Don't forget, the rules set by iptables are analysed and compared one by one, so the order of the firewall rules above is very important! To prevent certain actions, we have to make a further plan for this simple firewall, so we need a simple flow chart! Special attention: here we use three files, which I place in /usr/local/virus/iptables; the file names are:
· iptables.rule: sets the rules, including clearing the firewall rules, loading modules, setting up logging for some services, and so on!
· iptables.deny: the file that sets malicious IPs or network segments; its syntax completely blocks that IP range!
· iptables.allow: you can think of this as some back doors you set for yourself! Because we don't know which day we will lock ourselves out! At that moment a strict firewall may stop its own owner, so I need to add some open IPs!
Note: every time you modify any of these files, if you want it to take effect immediately, please run iptables.rule!
The whole process is roughly like this: the above is my personal suggested small flow; in principle the inside and the host have a high degree of openness, because OUTPUT and FORWARD are completely unrestricted! For a small home host this is acceptable, because there are not many internal computers and the people are familiar, so there is no need to control them! But: inside a big business such a plan is very inadequate, because you cannot guarantee that everyone inside uses the network in accordance with your regulations! That is to say, "the thief inside is hard to guard against"! Therefore even OUTPUT and FORWARD need special management!
A simple explanation of iptables rules:

Regarding the syntax and basic usage of iptables, we already mentioned them in "Knowing network security", so they are not repeated here! Only the scripts for the flow above are given! Please note that our files are basically placed in /usr/local/virus/iptables! Let's take a look at the rules in iptables.rule: Let's take a look at the content of iptables.allow: if I want to open 140.116.44.0/24, the content of this file can be written like this: Please pay special attention: if you have a new port to open, or do not want to open some port, just add the other port services in your iptables.rule, that is all! However, as mentioned earlier, this firewall can only provide basic security protection; other related issues still need test after test! In addition, if you want this script to run at boot, please write the full path of the file into /etc/rc.d/rc.local, a bit like this: the three files can be downloaded here: iptables.rule, iptables.deny, iptables.allow
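The page's own iptables.rule listing is not reproduced here, so what follows is an added example of such a script for the plan above; it is not the author's file. It assumes the Internet on ppp0, the LAN 192.168.1.0/24 on eth0, the three files under /usr/local/virus/iptables, and that iptables.allow is applied before iptables.deny; set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/bash
# Added example (not the page's own script): a minimal iptables.rule for the
# plan above. Assumed: Internet on ppp0, LAN 192.168.1.0/24 on eth0, the three
# files under /usr/local/virus/iptables. Set IPT=echo to print instead of load.
EXTIF="${EXTIF:-ppp0}"; INIF="${INIF:-eth0}"; INNET="${INNET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"; RULE_DIR="${RULE_DIR:-/usr/local/virus/iptables}"

# Stage 1: clear everything, default policy ACCEPT, then the always-safe rules.
base_rules() {
  cat <<EOF
-F
-X
-Z
-t nat -F
-t nat -X
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $INIF -s $INNET -j ACCEPT
EOF
}

# Stage 3: services open to the Internet, then the closing line. ftp, telnet,
# dhcp and nfs are never opened on $EXTIF, so only the LAN rule above admits them.
service_rules() {
  for port in 80 22 25 110 143 53; do   # www ssh smtp pop3 imap dns
    echo "-A INPUT -i $EXTIF -p tcp --dport $port -m state --state NEW -j ACCEPT"
  done
  echo "-A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT"
  echo "-A INPUT -m state --state NEW,INVALID -j DROP"
  echo "-t nat -A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE"
}

load() { while read -r rule; do $IPT $rule; done; }  # one line = one argv list

# Rules are compared in order, so the extra files (stage 2) go between the base
# rules and the final DROP: iptables.allow (your back door) first, then
# iptables.deny (the blacklist). That order between the two is an assumption.
apply_rules() {
  [ "$IPT" = echo ] || echo 1 > /proc/sys/net/ipv4/ip_forward  # NAT needs this
  base_rules | load
  for extra in iptables.allow iptables.deny; do
    if [ -f "$RULE_DIR/$extra" ]; then sh "$RULE_DIR/$extra"; fi
  done
  service_rules | load
}
```

With this layout the iptables.allow that opens 140.116.44.0/24, as the text describes, is a single line such as `iptables -A INPUT -s 140.116.44.0/24 -j ACCEPT`, and apply_rules runs it before the closing DROP so it can actually match.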
A simple explanation of the TCP_Wrappers settings:

OK! The basic firewall equipment is done! Next we have to discuss the next layer, TCP_Wrappers, which acts after the iptables packet filter is done and the packet has entered the host. Ha ha! It is actually very simple! For the related syntax you can first refer to the instructions in "Knowing network security". This layer comes after iptables, so it controls the packets that were allowed to enter the host! Take FTP as an example. When a TCP packet enters our host:
1. iptables checks its settings first. From the example above, packets from the Internet are blocked, and the only network segment that can enter is the internal private network 192.168.1.0/24;
2. After a packet from the internal private network segment has entered, it reaches TCP_Wrappers. Because we don't open the service to everyone, suppose only 192.168.1.1 ~ 192.168.1.3 may use the FTP service; then you need to set up /etc/hosts.allow and /etc/hosts.deny!
Roughly that is how it goes! Taking SSH as another example, if you only want to allow "trusted hosts", you can plan that there as well! All right! Here we let the private network segment 192.168.1.0/24, specifically the three computers 192.168.1.2, 192.168.1.10 and 192.168.1.20, use the telnet and FTP hosts, and from the Internet we let the host xxx.yyy.zzz.qqq plus all computers on 192.168.1.0/24 use the SSH host! Then your two files can be written as: There is a more advanced /etc/hosts.deny, which is about recording the IP when there is an attempt from an unknown person! As a result, when someone at an IP not specified by you attempts telnet, FTP or SSH, the system mails that IP to root! However, this has a painful side: after such an IP finally logs in successfully, he may clear root's mailbox, which makes this mechanism ineffective!
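The two files for the scenario just described, as an added example that is not the page's own listing: it assumes the daemon names in.telnetd, in.ftpd and sshd, keeps the page's placeholder host xxx.yyy.zzz.qqq, and mails refusals to root@localhost as in the text (NOTIFY_MAIL overrides that). The wrapper_decision function re-implements the lookup order (hosts.allow first, then hosts.deny, then allow) so the files can be checked offline before they are installed.

```shell
#!/bin/sh
# Added example (not the page's own listing): the two TCP_Wrappers files for
# the scenario above plus a small offline re-implementation of the lookup
# order. Assumed daemon names: in.telnetd, in.ftpd, sshd. xxx.yyy.zzz.qqq is
# the page's placeholder for the one trusted Internet host.
NOTIFY_MAIL="${NOTIFY_MAIL:-root@localhost}"   # better: a mailbox off this host

hosts_allow() {                 # content for /etc/hosts.allow (checked first)
  cat <<EOF
# telnet and ftp: only these three LAN machines
in.telnetd, in.ftpd : 192.168.1.2, 192.168.1.10, 192.168.1.20
# ssh: the whole private segment (trailing dot = prefix) plus one trusted host
sshd : 192.168.1., xxx.yyy.zzz.qqq
EOF
}

hosts_deny() {                  # content for /etc/hosts.deny (checked second)
  cat <<EOF
# everything else is refused and reported; %a = client address, %d = daemon
in.telnetd, in.ftpd, sshd : ALL : spawn ( echo "Refused %d from %a on \$(hostname) at \$(date)" | /bin/mail -s "tcp_wrappers refusal" $NOTIFY_MAIL ) &
EOF
}

write_wrapper_files() {         # usage: write_wrapper_files [/etc]
  dir="${1:-/etc}"
  hosts_allow > "$dir/hosts.allow" && hosts_deny > "$dir/hosts.deny"
}

# Does a non-comment "daemons : clients ..." line match DAEMON and CLIENT?
# Handles exact addresses, ALL and "192.168.1." style prefixes only.
_matches() {                    # args: file-content daemon client
  printf '%s\n' "$1" | awk -F' *: *' -v d="$2" -v c="$3" '
    /^#/ || NF < 2 { next }
    { nd = split($1, ds, / *, */); okd = 0
      for (i = 1; i <= nd; i++) if (ds[i] == d || ds[i] == "ALL") okd = 1
      if (!okd) next
      nc = split($2, cs, / *, */)
      for (j = 1; j <= nc; j++) {
        if (cs[j] == c || cs[j] == "ALL") { found = 1; exit }
        if (cs[j] ~ /\.$/ && index(c, cs[j]) == 1) { found = 1; exit }
      } }
    END { if (found) exit 0; exit 1 }'
}

wrapper_decision() {            # usage: wrapper_decision DAEMON CLIENT_IP
  if _matches "$(hosts_allow)" "$1" "$2"; then echo allow
  elif _matches "$(hosts_deny)" "$1" "$2"; then echo deny
  else echo allow               # matched neither file: tcp_wrappers lets it in
  fi
}
```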
So in that case please change the root@localhost above to a mailbox that is not on this host! That will be safer! ^_^ These settings take effect as soon as they are written! So there is nothing else to worry about! But you should always pay attention to whether your settings are correct!

Other related tests:

Although it is a bit rough, your firewall is built! But nobody knows how effective the firewall really is, right? So you need to spend more time testing! The testing steps can be: