MrAnderson
New Member
Hello ISPConfig community.
I need your help.
The environment:
VMware Workstation 10.
openSUSE 13.1 installed according to The Perfect Server - OpenSUSE 13.1 x86_64 (Apache2, MySQL, PHP, Postfix, Dovecot and ISPConfig 3) | HowtoForge - Linux Howtos and Tutorials.
fail2ban, rkhunter, awstats, dns not installed.
Approach: pure POP3/IMAP server
Via the web console I activated the Bastille firewall (more precisely, Bastille then adjusted iptables). For this I initially used the port list suggested by ISPConfig.
Ports 22 and 8080 are included.
20,21,22,25,53,80,110,143,443,587,993,995,3306,8080,8081,10000
After that the server can no longer be reached from outside. No ping either. I then stopped Bastille from the local console, and access works again.
On start it reported an error:
touch: can not touch /var/lock/subsys/bastille-firewall ... does not exist.
Here is iptables -L after enabling Bastille:
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere loopback/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- base-address.mcast.net/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain PAROLE (16 references)
target prot opt source destination
Chain PUB_IN (5 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp-data
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:http
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:imap
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:submission
PAROLE tcp -- anywhere anywhere tcp dpt:imaps
PAROLE tcp -- anywhere anywhere tcp dpt:pop3s
PAROLE tcp -- anywhere anywhere tcp dpt:mysql
PAROLE tcp -- anywhere anywhere tcp dpt:http-alt
PAROLE tcp -- anywhere anywhere tcp dpt:sunproxyadmin
PAROLE tcp -- anywhere anywhere tcp dpt:ndmp
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:mysql
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain PUB_OUT (5 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
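One detail worth checking in a listing like the one above: PAROLE is referenced 16 times but holds no rules, and in iptables a jump into an empty user chain simply returns to the caller, where the next matching rule in PUB_IN is DROP all. The following is an added example (not the poster's code and not part of Bastille or ISPConfig) that parses a trimmed, constructed copy of that iptables -L output and walks a new inbound SSH packet through the chains to show which rule finally decides its fate.

```python
import re
# Constructed sample: trimmed copy of the iptables -L output in the post (chains a new SSH packet reaches).
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain PAROLE (16 references)
target prot opt source destination
Chain PUB_IN (5 references)
target prot opt source destination
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere
"""

def parse_chains(text):
    """Map chain -> (policy or None, [(target, proto, dport, stateful)])."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])   # policy is None for user chains
        elif line and not line.startswith("target") and current:
            parts = line.split()
            dm = re.search(r"dpt:(\S+)", line)
            chains[current][1].append(
                (parts[0], parts[1], dm.group(1) if dm else None, "state " in line))
    return chains

def empty_referenced_chains(chains):
    """User chains that are jumped to but hold no rules: they only RETURN."""
    return sorted(c for c, (pol, rules) in chains.items() if pol is None and not rules)

def verdict(chains, proto, dport, chain="INPUT", path=None):
    """Walk a NEW packet through the rules; returns (verdict, chains visited)."""
    path = [] if path is None else path
    policy, rules = chains[chain]
    path.append(chain)
    for target, rproto, rport, stateful in rules:
        if stateful or rproto not in ("all", proto) or (rport and rport != dport):
            continue                             # rule does not match a new packet
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, path
        if target in chains:                     # jump; None means the chain RETURNed
            v, _ = verdict(chains, proto, dport, target, path)
            if v:
                return v, path
    return policy, path                          # chain policy, or RETURN to caller
```

Running verdict(parse_chains(SAMPLE), "tcp", "ssh") shows the packet passing INPUT, PUB_IN and the empty PAROLE chain before the trailing DROP all in PUB_IN catches it; adding a single ACCEPT rule to PAROLE changes the verdict to ACCEPT.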