Saturday, June 16, 2001

How To IPtables



1) How do I forward port 21 requests arriving on the external interface (202.54.1.10 on eth1; the internal interface is 192.168.0.3 on eth0) to an internal system on my LAN, 192.168.0.10?


i.e. whenever a request for port 21 arrives on the external interface it should be forwarded to 192.168.0.10 on the local LAN.


#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to-destination 192.168.0.10


Alternatively,


iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1:80-192.168.1.10


Here packets arriving for 15.45.23.67 on port 80 are forwarded to the range of IP addresses 192.168.1.1 to 192.168.1.10.



The first command forwards requests arriving for 202.54.1.10 on port 21 to a different system on the LAN (192.168.0.10).


In the same way you can add a rule for eth0.


You can also redirect to a different port number: --to-destination 192.168.0.10:321


Redirecting ports on the machine itself


#iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080


i.e. requests arriving on port 80 are redirected to port 8080 on the same machine.
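The DNAT rule above only rewrites the destination address; for the forwarded connection to actually reach the LAN host the kernel must be allowed to forward packets and the filter table's FORWARD chain must accept the traffic, or the connection is silently dropped whenever FORWARD's policy is DROP. The script below is an added example, not code from the original post: it builds the complete rule set for the page's case (eth1, TCP port 21, 192.168.0.10). The `forward_port` and `run` helpers and the DRY_RUN switch are assumptions of this example; the interfaces and addresses are the page's.

```shell
#!/bin/sh
# Added example, not from the original post: full rule set for the
# port-forward described above. DRY_RUN=1 (the default here) prints the
# commands instead of executing them so the rule set can be reviewed
# without root; DRY_RUN=0 applies them.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# forward_port EXT_IF PROTO EXT_PORT INT_HOST INT_PORT
forward_port() {
    ext_if=$1; proto=$2; ext_port=$3; int_host=$4; int_port=$5

    # 1. Allow the kernel to forward packets between interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Rewrite the destination of connections arriving on the external
    #    interface (the page's rule, with the target port made explicit).
    run iptables -t nat -A PREROUTING -i "$ext_if" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$int_host:$int_port"

    # 3. Accept only that traffic in FORWARD: matching the interface and the
    #    post-DNAT destination keeps the opening as narrow as the DNAT rule.
    #    (Older kernels spell the state match "-m state --state".)
    run iptables -A FORWARD -i "$ext_if" -p "$proto" -d "$int_host" --dport "$int_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # 4. Let the internal host's replies back out through the same interface.
    run iptables -A FORWARD -o "$ext_if" -s "$int_host" -p "$proto" --sport "$int_port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# The page's case: TCP port 21 on eth1 to 192.168.0.10.
forward_port eth1 tcp 21 192.168.0.10 21
```

Run it as-is to print the four commands and review them; run it with `DRY_RUN=0` as root to apply them. The FORWARD rules are deliberately scoped to the external interface and the internal host so that enabling ip_forward does not turn the box into an open router between eth0 and eth1.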

Thursday, June 14, 2001

Hardening a UNIX System


How-To Harden a Linux System


STEP 1 - Make sure nobody is able to change any important system files


Such as /etc/passwd and /etc/shadow:


#chattr +i /etc/passwd

#chattr +i /etc/shadow

#chattr +i /etc/group

#chattr +i /etc/gshadow

#chattr +i /etc/services

#chattr +i /etc/xinetd.conf (or /etc/inetd.conf, whichever your system uses)

#chattr +i /etc/login.defs


#lsattr /etc/passwd

This lists the attributes currently set on /etc/passwd.


The +i option makes /etc/passwd immutable, which means you won't be able to edit the file.

To remove the immutable attribute use

#chattr -i /etc/passwd


After setting the above attribute on the passwd and shadow files you won't be able to add any user.


Note: Make sure you run chattr -i /etc/passwd before adding a user or running a script that adds users.


Otherwise it will throw an error like

useradd: Unable to open the passwd file.
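Since useradd has to write /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow, the immutable flag has to come off all of them and go back on afterwards, even when the command fails half-way. The wrapper below is an added example, not code from the original post: `has_immutable_flag` reads the attribute column of an lsattr line, and `with_mutable` lifts the flag only on the files that actually carry it, runs the command, and restores it. The function names are assumptions of this example; chattr and lsattr need root and a filesystem that supports attributes (ext2/3/4 and similar).

```shell
#!/bin/sh
# Added example, not from the original post: temporarily lift chattr +i for
# one command and put it back afterwards. Function names are assumptions.

# has_immutable_flag "LSATTR_LINE"
# Return 0 if an lsattr output line such as
#   ----i---------e------- /etc/passwd
# shows the (lower-case) immutable flag in its attribute column.
has_immutable_flag() {
    flags=${1%% *}            # first field: the attribute string
    case $flags in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# with_mutable FILE... -- COMMAND ARGS...
# Remove +i from each FILE that has it, run COMMAND, then restore +i on
# exactly those files, whether or not COMMAND succeeded.
with_mutable() {
    lifted=""
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        f=$1; shift
        if has_immutable_flag "$(lsattr "$f")"; then
            chattr -i "$f" || return 1
            lifted="$lifted $f"
        fi
    done
    [ "$1" = "--" ] && shift
    "$@"; status=$?
    for f in $lifted; do
        chattr +i "$f"
    done
    return $status
}

# The page's situation (needs root):
# with_mutable /etc/passwd /etc/shadow /etc/group /etc/gshadow -- useradd newuser
```

Because only files that were immutable get re-locked, the wrapper does not silently add +i to a file the administrator had deliberately left writable.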


STEP 2 - Disable root access


Do not allow direct root logins from any terminal:

Edit the file /etc/securetty

Hash out all the terminals listed there; this disallows root logins from any terminal.

You will then have to log in as a normal user and su to root.


STEP 3 - Resolver Library


If you are not running a DNS server, make sure the resolver consults the /etc/hosts file first and only then DNS.

For this, edit the /etc/host.conf file:


#Lookup names via /etc/hosts then fall back to DNS

order hosts,bind


#If you have machines with multiple IP Addresses

multi on


#The above option - multi on - specifies whether a host in /etc/hosts can have multiple IP addresses


# Check for IP Address Spoofing

nospoof on


# nospoof on tells the resolver library to reject a lookup whose reverse lookup does not match (anti-spoofing). This option must be set to on for all servers.


STEP 4 - Configure TCP WRAPPERS



TCP Wrappers is controlled from two files, and the search stops at the first match:

/etc/hosts.allow

/etc/hosts.deny


Edit /etc/hosts.deny:


#Deny Access to everyone.

ALL: ALL@ALL, PARANOID


which means all services from all locations are blocked unless allowed in hosts.allow.


Note: With the option PARANOID, if you intend to run the TELNET or FTP service on your server, do not forget to add the client machine's name and IP address to the /etc/hosts file on the server; otherwise you can expect to wait several minutes for the DNS lookup to time out before you get the login prompt.



Now if you want to allow access to ssh and ftp from particular IP addresses:


Edit /etc/hosts.allow

sshd: 10.10.0.20

ftpd: 10.10.0.22

telnetd: ALL : twist /bin/echo "Sriram Says Connection Refused"


Run tcpdchk


#tcpdchk


tcpdchk is the tcpd wrapper configuration checker. It examines the TCP Wrappers configuration and reports any real problems it can find; run it after configuring TCP Wrappers.

Also check tcpdmatch, the TCP Wrappers test program.


The /etc/issue file carries the message displayed when someone connects via ftp or telnet from outside.

You may change this to reflect something else.

STEP 5 - Stopping unnecessary services like telnet

Services like telnet are run by xinetd or inetd.

All the latest Linux distributions carry xinetd.

#cd /etc/xinetd.d

#vi telnet

The "disable" line should be set to yes:

disable = yes

#service xinetd restart

If you are still using inetd:

Edit /etc/inetd.conf

Hash out any service you do not need.

Change the permissions of this file with chmod 600.

#killall -HUP inetd


STEP 6 - Log root (or any user) out automatically after a period of inactivity on a terminal:

As a security measure, set a login timeout for all users, including root, when the session is inactive.

Edit /etc/profile

Add the following line somewhere after the line that reads

HISTFILESIZE=

TMOUT=7200

7200 seconds = 2 hours (60*60 = 3600 seconds per hour, times 2).

This will apply the timeout to all users.

If you want to set it for individual users, put it in their individual .bashrc files instead.


STEP 7 - Set minimum password length to 10

Edit /etc/login.defs

PASS_MIN_LEN 10


STEP 8 - Disable RPM installation for all users

chmod 700 /bin/rpm and move the file to a different directory, say /home/cmd:

mv /bin/rpm /home/cmd/mpr

This disallows users from installing trojans.


STEP 9 - Disable SETUID and SETGID on unnecessary files

Find files with SETUID or SETGID enabled:

find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;

In the listing, SUID shows as -rwsr-xr-x and SGID as -r-xr-sr-x (the s in the execute position).

To remove the bits from a file:

chmod a-s /path/to/file
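The full listing is long and changes little, so what a practitioner actually wants is the difference against a known-good state: any setuid or setgid file that appeared since the last check. The script below is an added example, not code from the original post: `find_setid_files` is the page's find command made usable in a pipeline, and `audit_setid` stores the first listing as a baseline and afterwards prints only paths that were added (+) or removed (-). The function names and the baseline file location are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit setuid/setgid files
# against a saved baseline. Function names and baseline path are assumptions.

# find_setid_files ROOT
# List regular files under ROOT (staying on one filesystem) that carry the
# setuid or setgid bit, one path per line, sorted for stable diffs.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_setid ROOT BASELINE
# First run: write the baseline. Later runs: print "+ path" for setid files
# that are new since the baseline and "- path" for ones that went away.
audit_setid() {
    root=$1; baseline=$2
    if [ ! -f "$baseline" ]; then
        find_setid_files "$root" > "$baseline"
        echo "baseline written to $baseline"
        return 0
    fi
    find_setid_files "$root" | diff "$baseline" - | sed -n 's/^> /+ /p; s/^< /- /p'
}

# Typical use (as root): first run records the baseline, a cron job repeats it.
# audit_setid / /var/lib/setid.baseline
```

Anything reported with a + that you did not install yourself is the case STEP 9 is about: inspect it, and if it has no business being privileged, `chmod a-s` it and update the baseline.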


STEP 10 – Prevent your system responding to ping


echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

To turn replies back on, write 0 instead.

Put the same in /etc/rc.d/rc.local so it takes effect after a reboot.

Edit the /etc/sysctl.conf file and add the following line:

# Enable ignoring ping requests
net.ipv4.icmp_echo_ignore_all = 1

Restart the network services:

service network restart

Refuse to respond to broadcast requests:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Add the same to rc.local.

Edit the /etc/sysctl.conf file and add the following line:

# Enable ignoring broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

Best way of doing a port forward is to use the rinetd service

Install rinetd and then make the following change in its config file, /etc/rinetd.conf:

192.168.0.1 80 10.10.0.4 80

This will forward all TCP packets for port 80 on 192.168.0.1 to port 80 on 10.10.0.4.

It is a very simple package to use.

Instead of port numbers, you can also use service names as defined in /etc/services. Therefore, the above mentioned example could also be written like this:

192.168.0.1 www 10.10.0.4 www


Wednesday, June 13, 2001

Email Attachment in UNIX


Okay, you want to send an email with an attachment.
Here is how:

uuencode filename attachment_name | mailx -s "Report" -r from_email_id to_email_id

example:
uuencode myfile.csv myfile.csv | mailx -s "Here is your report" -r chagan@yahoo.com toyou@hotmail.com

Sunday, June 03, 2001

Converting First Name, Middle Name and Last Name to Email ID's

I had a list in which first, middle and last names were mentioned. Our email IDs are created on the Firstname.lastname pattern,

so I needed to convert these first, middle and last names into email ID format.

Arranging First Name, Middle Name, Last Name into an email ID.

Converting upper case letters to lower case in the vi editor

Open the file in vi and give this command to convert all uppercase to
lowercase:

Solution

:%s/.*/\L&/

Replacing double spaces with a single space

:%s/  / /g

(The pattern is two spaces; run it again if any triple spaces remain.)

Now use Awk Variables to list only first and last names in the files

awk '{print $1,$NF }' filename > outputfile.txt

Replacing the remaining space with a dot

:%s/ /./g

Adding @wnsgs.com to the end of each line

awk '{ print $0"@wnsgs.com" }' file.txt > newfile.txt

That's it!
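The same conversion can be done in one awk pass instead of a vi session followed by two awk runs: take the first and last field of each line (so a middle name, present or not, is ignored), lower-case them, join with a dot and append the domain. The script below is an added example, not code from the original post. The `names_to_emails` function name is an assumption, the domain is passed as an argument, and the sample names at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: first/middle/last names on stdin
# -> first.last@DOMAIN on stdout, one per line. Function name is an assumption.

# names_to_emails DOMAIN   (reads names from stdin, one person per line)
names_to_emails() {
    awk -v domain="$1" '
        NF == 0 { next }                     # skip blank lines
        NF == 1 {                            # assumption: a lone name cannot
                                             # become first.last, so report it
            print "skipped (single name): " $0 > "/dev/stderr"
            next
        }
        {
            # awk splits fields on runs of whitespace, so the double-space
            # cleanup step is unnecessary here; tolower() replaces :%s/.*/\L&/
            printf "%s.%s@%s\n", tolower($1), tolower($NF), domain
        }
    '
}

# Constructed sample input (not from the page); "Plato" is reported on stderr
# and omitted rather than producing a malformed address.
printf 'John Quincy Adams\nMary  Smith\n\nAda Lovelace\nPlato\n' | names_to_emails example.com
```

Feed it the real list with `names_to_emails wnsgs.com < file.txt > newfile.txt`; lines that cannot be converted go to stderr instead of silently ending up in the output file.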