ArchLinux:Security: Difference between revisions
From Wiki³
m (→Firewall) |
mNo edit summary |
||
| Line 6: | Line 6: | ||
This is geared at providing a checklists one can walk through after setting up a new Arch Linux installation that has an open connection to the internet. Whether it is a server or just a machine at home that you have ports open on; some if not all of this information might be useful to you. | This is geared at providing a checklists one can walk through after setting up a new Arch Linux installation that has an open connection to the internet. Whether it is a server or just a machine at home that you have ports open on; some if not all of this information might be useful to you. | ||
{{Warning|While I have administered BSD and Linux machines for many years now, I am not a security expert!}} | {{Warning|While I have administered BSD and Linux machines for many years now, I am not a security expert!}} | ||
= {{Icon24|sitemap | = {{Icon24|sitemap}} Firewall = | ||
Uncomplicated Firewall or [[archwiki:Uncomplicated Firewall|ufw]] is a great choice and it's simple to setup. | |||
Uncomplicated Firewall or [[archwiki:Uncomplicated Firewall|ufw]] is a great choice and it's simple to setup | |||
Install | Install the package. | ||
{{Console|1=pacaur -S | {{Console|1=pacaur -S ufw}} | ||
Setup some basic rules that will allow SSH but deny everything else. | Setup some basic rules that will allow SSH but deny everything else. | ||
{{Console|1=sudo ufw default deny|2=sudo ufw allow SSH}} | {{Console|1=sudo ufw default deny|2=sudo ufw allow SSH}} | ||
| Line 26: | Line 25: | ||
This would create a custom application filter on ports {{mono|11000-11005}} using {{mono|tcp}} and port {{mono|11010}} using {{mono|udp}}. It would then merely need to be enabled. | This would create a custom application filter on ports {{mono|11000-11005}} using {{mono|tcp}} and port {{mono|11010}} using {{mono|udp}}. It would then merely need to be enabled. | ||
{{Console|1=sudo ufw allow mycustomapp}} | {{Console|1=sudo ufw allow mycustomapp}} | ||
== | == {{Icon|notebook}} Blacklisting IPs == | ||
It might be desirable to blacklist an IP address, maybe you have seen brute force attempts from it or maybe you just want to block it. This can be done by editing {{mono|/etc/ufw/before.rules}}. Add the blacklisting to the end of the file before {{mono|COMMIT}}. | It might be desirable to blacklist an IP address, maybe you have seen brute force attempts from it or maybe you just want to block it. This can be done by editing {{mono|/etc/ufw/before.rules}}. Add the blacklisting to the end of the file before {{mono|COMMIT}}. | ||
{{Console|1=sudo vim /etc/ufw/before.rules}}<br/> | {{Console|1=sudo vim /etc/ufw/before.rules}}<br/> | ||
{{Console|1={{BlackBold|## blacklist section}}<br/>{{BlackBold|# block just 8.8.8.8}}<br/>-A ufw-before-input -s 8.8.8.8 -j DROP<br/>{{BlackBold|# block 8.8.*.*}}<br/>-A ufw-before-input -s 8.8.0.0/16 -j DROP<br/><br/>{{BlackBold|# don't delete the 'COMMIT' line or these rules won't be processed}}<br/>COMMIT|prompt=false}} | {{Console|1={{BlackBold|## blacklist section}}<br/>{{BlackBold|# block just 8.8.8.8}}<br/>-A ufw-before-input -s 8.8.8.8 -j DROP<br/>{{BlackBold|# block 8.8.*.*}}<br/>-A ufw-before-input -s 8.8.0.0/16 -j DROP<br/><br/>{{BlackBold|# don't delete the 'COMMIT' line or these rules won't be processed}}<br/>COMMIT|prompt=false}} | ||
== | == {{Icon|notebook}} Disable Remote Ping == | ||
Change {{mono|ACCEPT}} to {{mono|DROP}} in the following lines of {{mono|/etc/ufw/before.rules}}. | Change {{mono|ACCEPT}} to {{mono|DROP}} in the following lines of {{mono|/etc/ufw/before.rules}}. | ||
{{Console|1={{BlackBold|# ok icmp codes}}<br/>-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT<br/>-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT<br/>-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT<br/>-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT<br/>-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT|prompt=false}} | {{Console|1={{BlackBold|# ok icmp codes}}<br/>-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT<br/>-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT<br/>-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT<br/>-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT<br/>-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT|prompt=false}} | ||
Revision as of 00:46, 25 July 2017
 | UNDER CONSTRUCTION: The document is currently being modified! |
Back to Category:Arch Linux
Introduction
IntroductionThis is geared at providing a checklists one can walk through after setting up a new Arch Linux installation that has an open connection to the internet. Whether it is a server or just a machine at home that you have ports open on; some if not all of this information might be useful to you.
 | WARNING: While I have administered BSD and Linux machines for many years now, I am not a security expert! |
Firewall
Uncomplicated Firewall or ufw is a great choice and it's simple to setup.
Install the package.
| # pacaur -S ufw |
Setup some basic rules that will allow SSH but deny everything else.
| # sudo ufw default deny # sudo ufw allow SSH |
| WARNING: It is highly recommended to open a new SSH window at this point (without closing the current) and verify SSH access still works. |
Enable ufw on boot and then start the service.
| # sudo systemctl enable ufw # sudo ufw enable |
To query the rules being applied use the status command argument.
| # sudo ufw status |
To see a list of all applications in the ufw database use the app argument.
| # sudo ufw app list |
If the creation of a custom application is needed, make one in the /etc/ufw/applications.d directory.
| # sudo vim /etc/ufw/applications.d/mycustomapp |
| [mycustomapp] title=My Custom App description=Custom App for Blah ports=11000:11005/tcp|11010/udp |
This would create a custom application filter on ports 11000-11005 using tcp and port 11010 using udp. It would then merely need to be enabled.
| # sudo ufw allow mycustomapp |
Blacklisting IPs
Blacklisting IPsIt might be desirable to blacklist an IP address, maybe you have seen brute force attempts from it or maybe you just want to block it. This can be done by editing /etc/ufw/before.rules. Add the blacklisting to the end of the file before COMMIT.
| # sudo vim /etc/ufw/before.rules |
| ## blacklist section # block just 8.8.8.8 -A ufw-before-input -s 8.8.8.8 -j DROP # block 8.8.*.* -A ufw-before-input -s 8.8.0.0/16 -j DROP # don't delete the 'COMMIT' line or these rules won't be processed COMMIT |
Disable Remote Ping
Change ACCEPT to DROP in the following lines of /etc/ufw/before.rules.
| # ok icmp codes -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT |
If IPv6 is being used the same can be done inside of /etc/ufw/before6.rules as well.
