Smurf attacks: This happens when an attacker spoofs your address and sends a ICMP packet to a broadcast address on a network - all hosts on this subnet then will potentially send an echo reply to the victim which could render the victims machine unusable due to the sheer amount of traffic. The following rules will help mitigate smurf attacks my limiting the amount of inbound ICMP traffic and restricting specific ICMP methods that are used to help the attacks:
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
or we can simply drop all inbound ICMP packets (recommended):
iptables -A INPUT -p icmp -j DROP
Invalid packets: We don't want to process them or log them during an attack - so simply drop them:
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
Port scans: We want to prevent any port scans being run on our server - the following will block anyone who attempts to run a portscan on the server for 24 hours:
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
and then the following removes the 'ban' after 24 hours:
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove
We can also log the hosts initiating the port scan with:
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
Address spoofing: We also want to ensure that any WAN only connected machines do block any LAN addresses:
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
XMAS attacks: These attacks simply have every option set for whichever protocol is used and should almost always be treated as suspect - we can drop these with:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
0 comments:
Post a Comment