This post presents an example configuration that blocks access from China, South Korea and North Korea, restricts access to important ports such as SSH to sources inside Japan only, and still serves a website to both Japan and the rest of the world. Firewall functionality is implemented and countermeasures against various attacks are built in.
Simply running this script raises the difficulty of breaking into the server considerably. Please use it to help reduce the number of bot servers in Japan.
The latest version is published on GitHub.
falsandtru/iptables-firewall · GitHub
A substantially improved new version has been released, so please use that instead. Because the specification was overhauled, the contents of this page are not compatible with the latest version.
iptables firewall
Implements firewall functionality on top of iptables.
Configuration
- Deny access from specific foreign countries
- Allow access to the HTTP port from every country except the denied ones (HTTP is the only port reachable from abroad)
- Allow access to specific ports only from inside Japan
- Defend the server against attacks
Country filter features
- IP lists are updated automatically
- Countries can be denied globally
- Countries allowed to reach specific ports can be restricted separately
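The country filter is built from the RIR "delegated-*-extended" files, which list each allocation as a start address plus an address count. The BUILD_COUNTRY function in the script below derives a prefix length by halving the count, which is only exact when the count is a power of two. The following is an added example, not code from the original script or project: it converts each record into the exact set of CIDR blocks (splitting counts such as 1536 into a /22 plus a /23) and sorts them into ACCEPT and DROP sets by country code. The function names (ip2int, int2ip, range2cidr, build_country) and the sample records are my own; the records use documentation address ranges and are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original script): turn RIR "delegated-*-extended" records into
# exact CIDR blocks and sort them into ACCEPT/DROP sets by country code, the job BUILD_COUNTRY does
# in the firewall script. Record format: registry|cc|type|start|value|date|status[|opaque-id];
# for ipv4 records "value" is the number of addresses and is not always a power of two.

# Constructed sample records (documentation/test address ranges, not real allocations).
SAMPLE_RECORDS='apnic|JP|ipv4|203.0.113.0|256|20140101|allocated
apnic|CN|ipv4|198.51.100.0|1536|20140101|allocated
apnic|KR|ipv4|192.0.2.0|768|20140101|assigned
apnic|JP|ipv6|2001:db8::|32|20140101|allocated
apnic|AU|ipv4|100.64.0.0|1024|20140101|allocated'

# dotted quad -> 32-bit integer (subshell body so the IFS change stays local)
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range2cidr START_IP COUNT: print the minimal CIDR blocks covering COUNT addresses from START_IP.
# Each block is the largest power-of-two size that is aligned on the current start and does not
# exceed the remaining count, so 1536 addresses become a /22 plus a /23 instead of a single /22
# that silently leaves 512 addresses unfiltered.
range2cidr() {
  start=$(ip2int "$1")
  count=$2
  while [ "$count" -gt 0 ]; do
    size=1
    prefix=32
    while [ $(( size * 2 )) -le "$count" ] && [ $(( start % (size * 2) )) -eq 0 ]; do
      size=$(( size * 2 ))
      prefix=$(( prefix - 1 ))
    done
    echo "$(int2ip "$start")/$prefix"
    start=$(( start + size ))
    count=$(( count - size ))
  done
}

# build_country RECORDS DROP_CODES ACCEPT_CODES: emit one "VERDICT CC CIDR" line per block, in the
# order rules would be appended; the code lists are ERE alternations such as "CN|HK|MO|KR|KP".
build_country() {
  printf '%s\n' "$1" | grep -E "[|]($2|$3)[|]ipv4[|]" |
  while IFS='|' read -r registry cc type first value rest; do
    if printf '%s' "$cc" | grep -qE "^($3)$"; then verdict=ACCEPT; else verdict=DROP; fi
    for block in $(range2cidr "$first" "$value"); do
      printf '%-8s%-4s%s\n' "$verdict" "$cc" "$block"
    done
  done
}

build_country "$SAMPLE_RECORDS" "CN|HK|MO|KR|KP" "JP"
```

Run as-is it prints one ACCEPT line for the JP block and four DROP lines for the CN and KR blocks; the ipv6 record and the AU record are skipped, as in the script's own grep. Feeding a real cached delegated file in place of SAMPLE_RECORDS produces the rule list the country chains should contain.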
Firewall features
- Brute-force attack countermeasure
- Ping of Death attack countermeasure
- DoS attack countermeasure (TCP/UDP/ICMP)
- Spoofing attack countermeasure
- Ingress attack countermeasure
- Port scan countermeasure
- Stealth scan countermeasure
- Port scan trap
- Blocks broadcast traffic
- Blocks multicast traffic
- Blocks fragmented packets
- Blocks NetBIOS traffic
- Prevents excessive logging
The protections are modularised as separate chains and can be freely rearranged. The port scan trap can track and block port scans even when the probes are spaced an hour or more apart.
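The DoS and brute-force countermeasures above are hashlimit rules in the script (for example --hashlimit 10/m --hashlimit-burst 60 for the HTTP port and 1/m with a burst of 7 for the administrative port). Because the interaction of rate and burst is easy to misjudge, here is an added example, not part of the original script, that simulates the token bucket hashlimit keeps per source address, so the effect of a given rate/burst pair can be checked before the rule is deployed. The function names (arrivals, hashlimit_sim) and the packet timings are my own constructions; the simulator models rate and burst only, not --hashlimit-htable-expire.

```shell
#!/bin/sh
# Added example (not part of the original script): a token-bucket simulator for the iptables
# hashlimit match. Per source address the kernel keeps a bucket that starts full with BURST tokens
# and refills at the given rate up to BURST; "--hashlimit" matches while a token is available and
# "--hashlimit-above" matches once the bucket is empty. Credits are kept in units of 1/60000 token
# so integer shell arithmetic suffices: one millisecond of refill at RATE per minute adds RATE
# credits and one packet costs 60000 credits. Table expiry (--hashlimit-htable-expire) is not modelled.

# arrivals COUNT STEP_MS: COUNT arrival times starting at 0 and STEP_MS apart (STEP_MS=0 -> one burst)
arrivals() {
  i=0
  out=""
  while [ "$i" -lt "$1" ]; do
    out="$out $(( i * $2 ))"
    i=$(( i + 1 ))
  done
  echo "$out"
}

# hashlimit_sim RATE_PER_MIN BURST "t1 t2 ...": arrival times in ms (non-decreasing) from ONE source.
# Prints "<within-limit> <over-limit>": how many packets a "--hashlimit RATE/m --hashlimit-burst BURST
# -j RETURN" rule lets through and how many fall through to the LOG/DROP rules that follow it.
hashlimit_sim() {
  rate=$1
  burst=$2
  max=$(( burst * 60000 ))
  credits=$max
  last=0
  within=0
  over=0
  for t in $3; do
    credits=$(( credits + (t - last) * rate ))
    if [ "$credits" -gt "$max" ]; then credits=$max; fi
    last=$t
    if [ "$credits" -ge 60000 ]; then
      credits=$(( credits - 60000 ))
      within=$(( within + 1 ))
    else
      over=$(( over + 1 ))
    fi
  done
  echo "$within $over"
}

# ANTI_SYNFLOOD (10/m, burst 60): 70 SYNs in one burst -> 60 pass, 10 are dropped
echo "http burst of 70:        $(hashlimit_sim 10 60 "$(arrivals 70 0)")"
# After the burst one token returns every 6 s: a SYN at t=6000 ms passes, at t=5999 ms it does not
echo "http 60 then +6000 ms:   $(hashlimit_sim 10 60 "$(arrivals 60 0) 6000")"
echo "http 60 then +5999 ms:   $(hashlimit_sim 10 60 "$(arrivals 60 0) 5999")"
# ANTI_BRUTEFORCE (1/m, burst 7): 10 SSH SYNs spread evenly over 3 minutes -> the 10th is already blocked
echo "ssh 10 in 180 s:         $(hashlimit_sim 1 7 "$(arrivals 10 18000)")"
```

The last case shows why the script's comment speaks of "more than 10 attempts in 3 minutes": 7 tokens of burst plus 3 minutes of refill at 1/m give at most 9 or 10 accepted SYNs in the window, depending on how the attempts are spaced.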
Blacklist
Denies access from IPs on the blacklist
Whitelist
Exempts IPs from the blacklist and from the country-based restrictions
Strict mode
Denies access from any IP not on the whitelist
IDS/IPS integration
- Provides the hook-up rules for an IDS/IPS (Snort)
Other
- Prints readable execution output
```
$ sudo sh /var/iptables/rule.sh
iptables firewall
UPDATE: NO
NAMESERVER: XX.XX.XX.XX
NTPSERVER: XX.XX.XX.XX
FIREWALL: ANTI_SPY ACCEPT_FILTER
FIREWALL: DENY_BROADCAST INPUT
FIREWALL: DENY_BROADCAST FORWARD
FIREWALL: ANTI_INGRESS FORWARD
FIREWALL: ANTI_SPOOFING ACCEPT_FILTER
FIREWALL: DENY_NETBIOS ACCEPT_FILTER
FIREWALL: DENY_FRAGMENT ACCEPT_FILTER
FIREWALL: ANTI_STEALTHSCAN ACCEPT_FILTER
FIREWALL: ANTI_PINGDEATH ACCEPT_FILTER
FIREWALL: ANTI_SYNFLOOD ACCEPT_FILTER[TCP:80]
FIREWALL: ANTI_SYNFLOOD_SSL ACCEPT_FILTER[TCP:443]
FIREWALL: ANTI_UDPFLOOD ACCEPT_FILTER[UDP]
FIREWALL: ANTI_ICMPFLOOD ACCEPT_FILTER[ICMP]
FIREWALL: ANTI_BRUTEFORCE ACCEPT_FILTER[TCP]
IDS/IPS: DISABLE
REUSE: Chain COUNTRY_FILTER
REUSE: Chain DROP_FILTER
OPEN: HTTP[TCP:80]
OPEN: HTTPS[TCP:443]
FIREWALL: TRAP_PORTSCAN INPUT[TCP/UDP/ICMP]
FIREWALL: TRAP_PORTSCAN FORWARD[TCP/UDP/ICMP]
iptables: ファイアウォールのルールを /etc/sysconfig/iptable[ OK ]中:
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.eth1.accept_source_route = 0
net.ipv4.conf.eth2.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
complete
```
- Generates readable rules
```
$ sudo vi /etc/sysconfig/iptables
...
:TRAP_PORTSCAN - [0:0]
-A INPUT -i lo -j ACCEPT_FILTER
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT_FILTER
-A INPUT -s XX.XX.XX.XX/32 -p udp -m udp --dport 53 -j ACCEPT_FILTER
-A INPUT -s XX.XX.XX.XX/32 -p udp -m udp --dport 123 -j ACCEPT_FILTER
-A INPUT -j DROP_FILTER
-A INPUT -j FW_BROADCAST
-A INPUT -p icmp -m icmp --icmp-type 3 -j COUNTRY_FILTER
-A INPUT -p icmp -m icmp --icmp-type 4 -j COUNTRY_FILTER
-A INPUT -p icmp -m icmp --icmp-type 5 -j COUNTRY_FILTER
-A INPUT -p icmp -m icmp --icmp-type 11 -j COUNTRY_FILTER
-A INPUT -p icmp -m icmp --icmp-type 12 -j COUNTRY_FILTER
-A INPUT -p tcp -m multiport --dports 22 -j COUNTRY_FILTER
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT_FILTER
-A INPUT -p tcp -m tcp --dport 443 -j COUNTRY_FILTER
-A INPUT -j FW_PORTSCAN
-A FORWARD -i lo -j ACCEPT_FILTER
-A FORWARD -o lo -j ACCEPT_FILTER
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT_FILTER
-A FORWARD -s XX.XX.XX.XX/32 -p udp -m udp --dport 53 -j ACCEPT_FILTER
-A FORWARD -d XX.XX.XX.XX/32 -p udp -m udp --sport 53 -j ACCEPT_FILTER
-A FORWARD -s XX.XX.XX.XX/32 -p udp -m udp --dport 123 -j ACCEPT_FILTER
-A FORWARD -d XX.XX.XX.XX/32 -p udp -m udp --sport 123 -j ACCEPT_FILTER
-A FORWARD -j DROP_FILTER
-A FORWARD -j FW_BROADCAST
-A FORWARD -j FW_INGRESS
-A FORWARD -j FW_PORTSCAN
-A OUTPUT -o lo -j ACCEPT_FILTER
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT_FILTER
-A OUTPUT -d XX.XX.XX.XX/32 -p udp -m udp --sport 53 -j ACCEPT_FILTER
-A OUTPUT -d XX.XX.XX.XX/32 -p udp -m udp --sport 123 -j ACCEPT_FILTER
-A OUTPUT -j DROP_FILTER
-A ACCEPT_FILTER -j FW_SPY
-A ACCEPT_FILTER -j FW_SPOOFING
-A ACCEPT_FILTER -j FW_NETBIOS
-A ACCEPT_FILTER -j FW_FRAGMENT
-A ACCEPT_FILTER -j FW_STEALTHSCAN
-A ACCEPT_FILTER -j FW_PINGDEATH
-A ACCEPT_FILTER -j FW_SYNFLOOD
-A ACCEPT_FILTER -j FW_SYNFLOOD_SSL
-A ACCEPT_FILTER -j FW_UDPFLOOD
-A ACCEPT_FILTER -j FW_ICMPFLOOD
-A ACCEPT_FILTER -j FW_BRUTEFORCE
-A ACCEPT_FILTER -j ACCEPT
...
```
Installation
```
$ sudo mkdir /var/cache/iptables
$ sudo touch /etc/cron.daily/iptables
$ sudo chmod 700 /etc/cron.daily/iptables
$ sudo vi /etc/cron.daily/iptables
$ sudo sh /etc/cron.daily/iptables
```
/etc/cron.daily/iptables
```bash
#!/bin/bash
# bash rather than POSIX sh: the script uses arrays and [[ ]]
# (on CentOS /bin/sh is bash, so "sudo sh" as in the installation steps also works)
#
# iptables firewall
#
# @version 0.1.4
# @author falsandtru https://github.com/falsandtru/iptables-firewall/
# @copyright 2014, falsandtru
# @license MIT
#

#----------------------------------------------------------#
# Config                                                   #
#----------------------------------------------------------#

# Administrative port number (0 = take the Port directive from sshd_config)
LOGIN=0

# IP list refresh interval (days)
INTERVAL=7

# Interface name
LAN=eth0

# Use an IPS (empty = detect a running Snort, false = never)
IPS=

# Accept: Japan
ACCEPT_COUNTRY_CODE="JP"

# Drop: China|Hong Kong|Macao|South Korea|North Korea
DROP_COUNTRY_CODE="CN|HK|MO|KR|KP"

# Blacklist / whitelist / strict mode
BLACKLIST=
WHITELIST=
STRICT=false

# Maximum rate at which log entries are generated
LOG_LIMIT=6/m
LOG_LIMIT_BURST=10

# Command
IPTABLES=iptables

# Directory in which the IP lists are cached
CACHE_DIR=/var/cache/iptables/

#----------------------------------------------------------#
# AutoConfig                                               #
#----------------------------------------------------------#

echo "iptables firewall"

# Detect the SSH port
[[ ! $LOGIN -gt 0 ]] && LOGIN=`cat /etc/ssh/sshd_config | grep '^Port ' | tail -n 1 | sed -e 's/^[^0-9]*\([0-9]\+\).*$/\1/'`
# Fall back to 22 when sshd_config has no Port line; an empty LOGIN would break every "--dports $LOGIN" rule below
[ "$LOGIN" ] || LOGIN=22
echo "LOGIN: $LOGIN"

# IPS settings
if [ ! $IPS ] || [ $IPS != false ]; then
  if [ `ps alx | grep -v grep | grep /snort | head -n 1 | cut -c1` ]; then
    IPS=Snort
  else
    IPS=false
  fi
fi

# Netmask of the internal network
LOCALNET_MASK=`ifconfig $LAN|sed -e 's/^.*Mask:\([^ ]*\)$/\1/p' -e d`
# Address of the internal network
LOCALNET_ADDR=`netstat -rn|grep $LAN|grep $LOCALNET_MASK|cut -f1 -d' '`
LOCALNET=$LOCALNET_ADDR/$LOCALNET_MASK

# IP settings
NAMESERVERS=($(grep '^nameserver' /etc/resolv.conf | cut -d' ' -f2))
NTPSERVERS=($(grep '^server' /etc/ntp.conf | cut -d' ' -f2 | awk '{system("dig +short "$1)}'))

#----------------------------------------------------------#
# Download                                                 #
#----------------------------------------------------------#

WGET="/usr/bin/wget -N --retr-symlinks -P ${CACHE_DIR}"

if [ $STRICT = true ] || [[ $(find ${CACHE_DIR} -name 'delegated-*-extended-latest' -ctime -$INTERVAL 2>&1) ]]; then
  UPDATE=0
  echo "UPDATE: NO"
else
  UPDATE=1
  echo "UPDATE: YES"
  $WGET ftp://ftp.arin.net/pub/stats/arin/delegated-arin-extended-latest
  $WGET ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-extended-latest
  $WGET ftp://ftp.apnic.net/pub/stats/apnic/delegated-apnic-extended-latest
  $WGET ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-extended-latest
  $WGET ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-extended-latest
fi

#----------------------------------------------------------#
# Initialize                                               #
#----------------------------------------------------------#

if [ 0 -ne $UPDATE ] && [[ $(find ${CACHE_DIR} -name 'delegated-*-extended-latest' -mtime -$INTERVAL 2>&1) ]]; then
  RESET=1
else
  RESET=0
fi

# DROP_FILTER survives between runs, so remove the whitelist exemptions (RETURN rules) inserted by the previous run
$IPTABLES -S DROP_FILTER 2>/dev/null | grep -- '-j RETURN' | sed 's/^-A /-D /' | while read -r rule; do $IPTABLES $rule; done
for CHAIN in `$IPTABLES -nL | grep ^Chain | cut -d " " -f 2`; do
  if [ $RESET -ne 0 ]; then
    echo "DELETE: All Chains"
    $IPTABLES -F
    $IPTABLES -X
    break
  fi
  if [ $CHAIN != COUNTRY_FILTER ] && [ $CHAIN != DROP_FILTER ]; then
    $IPTABLES -F $CHAIN
  fi
done
for CHAIN in `$IPTABLES -nL | grep ^Chain | cut -d " " -f 2`; do
  if [ $RESET -ne 0 ]; then
    break
  fi
  if [ $CHAIN != COUNTRY_FILTER ] && [ $CHAIN != DROP_FILTER ] && [ $CHAIN != ACCEPT_FILTER ]; then
    if [ $CHAIN != INPUT ] && [ $CHAIN != FORWARD ] && [ $CHAIN != OUTPUT ]; then
      $IPTABLES -X $CHAIN
    fi
  fi
done
$IPTABLES -Z
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -N ACCEPT_FILTER 2>/dev/null
# Temporary ACCEPT at the head of ACCEPT_FILTER so the firewall stays permissive while the rules are
# being built; the IDS/IPS section deletes it again and appends the final ACCEPT after the FW_* checks
$IPTABLES -A ACCEPT_FILTER -j ACCEPT

#----------------------------------------------------------#
# Preprocess                                               #
#----------------------------------------------------------#

# Allow all loopback (own-host) traffic
$IPTABLES -A INPUT -i lo -j ACCEPT_FILTER
$IPTABLES -A OUTPUT -o lo -j ACCEPT_FILTER
$IPTABLES -A FORWARD -i lo -j ACCEPT_FILTER
$IPTABLES -A FORWARD -o lo -j ACCEPT_FILTER

# Do not cut established connections
# (also keeps the administrator's own session alive until configuration completes)
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT_FILTER
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT_FILTER
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT_FILTER

# Allow name resolution
for nameserver in ${NAMESERVERS[@]}; do
  $IPTABLES -A INPUT -s $nameserver -p udp --dport 53 -j ACCEPT_FILTER
  $IPTABLES -A OUTPUT -d $nameserver -p udp --sport 53 -j ACCEPT_FILTER
  $IPTABLES -A FORWARD -s $nameserver -p udp --dport 53 -j ACCEPT_FILTER
  $IPTABLES -A FORWARD -d $nameserver -p udp --sport 53 -j ACCEPT_FILTER
  echo "NAMESERVER: $nameserver"
done

# Allow synchronisation with the NTP servers
for ntpserver in ${NTPSERVERS[@]}; do
  $IPTABLES -A INPUT -s $ntpserver -p udp --dport 123 -j ACCEPT_FILTER
  $IPTABLES -A OUTPUT -d $ntpserver -p udp --sport 123 -j ACCEPT_FILTER
  $IPTABLES -A FORWARD -s $ntpserver -p udp --dport 123 -j ACCEPT_FILTER
  $IPTABLES -A FORWARD -d $ntpserver -p udp --sport 123 -j ACCEPT_FILTER
  echo "NTPSERVER: $ntpserver"
done

#----------------------------------------------------------#
# CountryFilter                                            #
#----------------------------------------------------------#

# BUILD_COUNTRY FILE DROP_CODES ACCEPT_CODES
# Reads an RIR delegated-extended file (registry|cc|type|start|value|date|status) and appends
# ACCEPT rules for ACCEPT_CODES to COUNTRY_FILTER and DROP rules for DROP_CODES to DROP_FILTER.
BUILD_COUNTRY(){
  if [ ! -s $CACHE_DIR$1 ] || [ ! $2 ] || [ ! $3 ];then return;fi
  echo "LOAD: $1"
  for line in `cat $CACHE_DIR$1 | grep -E "\|($2|$3)\|ipv4\|"`
  do
    CODE=`echo $line | cut -d "|" -f 2`
    ADDR=`echo $line | cut -d "|" -f 4`
    TEMP=`echo $line | cut -d "|" -f 5`
    # Convert the address count to a prefix length by repeated halving. This assumes the count is a
    # power of two; a count such as 1536 is rounded down to a /22, so part of that range stays uncovered.
    CIDR=32
    while [ $TEMP -ne 1 ]; do
      TEMP=`expr "$TEMP" / 2`
      CIDR=`expr "$CIDR" - 1`
    done
    if [ `echo $line | grep -E "\|($3)\|ipv4\|"` ]; then
      $IPTABLES -A COUNTRY_FILTER -s $ADDR/$CIDR -j ACCEPT_FILTER
      printf "%-10s%-4s%-20s%s\n" ACCEPT $CODE $ADDR/$CIDR $line
    else
      $IPTABLES -A DROP_FILTER -s $ADDR/$CIDR -j DROP
      printf "%-10s%-4s%-20s%s\n" DROP $CODE $ADDR/$CIDR $line
    fi
  done
}

if [ $STRICT != true ]; then
  # Rebuild the country chains after a reset or when a chain holds no rules ("-nL" prints two header lines).
  # This must be an integer comparison: a string comparison such as [[ 3 > ... ]] treats any count that
  # begins with 1 or 2 (e.g. 12000 rules) as "less than 3" and rebuilds the chains on every run.
  if [ $RESET -ne 0 ] || [ 3 -gt $($IPTABLES -nL COUNTRY_FILTER 2>/dev/null | awk 'END{print NR}') ] || [ 3 -gt $($IPTABLES -nL DROP_FILTER 2>/dev/null | awk 'END{print NR}') ]; then
    echo "BUILD: Chain COUNTRY_FILTER"
    echo "BUILD: Chain DROP_FILTER"
    $IPTABLES -F COUNTRY_FILTER 2>/dev/null
    $IPTABLES -X COUNTRY_FILTER 2>/dev/null
    $IPTABLES -N COUNTRY_FILTER 2>/dev/null
    $IPTABLES -F DROP_FILTER 2>/dev/null
    $IPTABLES -X DROP_FILTER 2>/dev/null
    $IPTABLES -N DROP_FILTER 2>/dev/null
    BUILD_COUNTRY "delegated-apnic-extended-latest" $DROP_COUNTRY_CODE $ACCEPT_COUNTRY_CODE
    BUILD_COUNTRY "delegated-arin-extended-latest" $DROP_COUNTRY_CODE $ACCEPT_COUNTRY_CODE
    BUILD_COUNTRY "delegated-ripencc-extended-latest" $DROP_COUNTRY_CODE $ACCEPT_COUNTRY_CODE
    BUILD_COUNTRY "delegated-lacnic-extended-latest" $DROP_COUNTRY_CODE $ACCEPT_COUNTRY_CODE
    BUILD_COUNTRY "delegated-afrinic-extended-latest" $DROP_COUNTRY_CODE $ACCEPT_COUNTRY_CODE
    $IPTABLES -A COUNTRY_FILTER -j DROP
  else
    echo "REUSE: Chain COUNTRY_FILTER"
    echo "REUSE: Chain DROP_FILTER"
  fi
  $IPTABLES -A INPUT -j DROP_FILTER
  $IPTABLES -A OUTPUT -j DROP_FILTER
  $IPTABLES -A FORWARD -j DROP_FILTER
else
  $IPTABLES -N COUNTRY_FILTER 2>/dev/null
  $IPTABLES -N DROP_FILTER 2>/dev/null
  $IPTABLES -A COUNTRY_FILTER -j ACCEPT_FILTER
fi

#----------------------------------------------------------#
# Firewall                                                 #
#----------------------------------------------------------#

# Reverse-path filtering against source IP spoofing
sed -i '/net.ipv4.conf.*.rp_filter/d' /etc/sysctl.conf
for dev in `ls /proc/sys/net/ipv4/conf/`
do
  sysctl -w net.ipv4.conf.$dev.rp_filter=1 > /dev/null
  echo "net.ipv4.conf.$dev.rp_filter=1" >> /etc/sysctl.conf
done

# Reject ICMP redirect packets
sed -i '/net.ipv4.conf.*.accept_redirects/d' /etc/sysctl.conf
for dev in `ls /proc/sys/net/ipv4/conf/`
do
  sysctl -w net.ipv4.conf.$dev.accept_redirects=0 > /dev/null
  echo "net.ipv4.conf.$dev.accept_redirects=0" >> /etc/sysctl.conf
done

# Reject source-routed packets
sed -i '/net.ipv4.conf.*.accept_source_route/d' /etc/sysctl.conf
for dev in `ls /proc/sys/net/ipv4/conf/`
do
  sysctl -w net.ipv4.conf.$dev.accept_source_route=0 > /dev/null
  echo "net.ipv4.conf.$dev.accept_source_route=0" >> /etc/sysctl.conf
done

# Do not answer pings sent to broadcast addresses
# (Smurf attack countermeasure)
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 > /dev/null
sed -i '/net.ipv4.icmp_echo_ignore_broadcasts/d' /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf

# Enable SYN cookies
# (TCP SYN flood countermeasure)
sysctl -w net.ipv4.tcp_syncookies=1 > /dev/null
sed -i '/net.ipv4.tcp_syncookies/d' /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf

# Do not advertise the system uptime
# (kernel version fingerprinting countermeasure)
# 0 disables TCP timestamps, which leak uptime; a value of 1 would leave them enabled.
# Note that this also turns off PAWS and timestamp-based RTT measurement.
sysctl -w net.ipv4.tcp_timestamps=0 > /dev/null
sed -i '/net.ipv4.tcp_timestamps/d' /etc/sysctl.conf
echo "net.ipv4.tcp_timestamps=0" >> /etc/sysctl.conf

# Log and drop all further traffic from an IP that made an improper access
# (hides the public ports from reconnaissance; disable on a public server)
$IPTABLES -N ANTI_SPY
$IPTABLES -A ANTI_SPY -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES SPY] : '
$IPTABLES -A ANTI_SPY -j DROP
$IPTABLES -N FW_SPY
# On a public server the well-known ports are not filtered
$IPTABLES -A FW_SPY -p tcp --dport 0:1023 -j RETURN
$IPTABLES -A FW_SPY -p tcp -m state --state ESTABLISHED,RELATED -j RETURN
$IPTABLES -A FW_SPY -m limit --limit 1000/s --limit-burst 10000 -m recent --name spy-rapid --update --rttl -j ANTI_SPY
$IPTABLES -A FW_SPY -m limit --limit 1000/s --limit-burst 10000 -m recent --name spy-fast --update --rttl -j ANTI_SPY
$IPTABLES -A FW_SPY -m limit --limit 1000/s --limit-burst 10000 -m recent --name spy-medium --update --rttl -j ANTI_SPY
$IPTABLES -A FW_SPY -m limit --limit 1000/s --limit-burst 10000 -m recent --name spy-slow --update --rttl -j ANTI_SPY
$IPTABLES -A ACCEPT_FILTER -j FW_SPY && echo "FIREWALL: ANTI_SPY ACCEPT_FILTER"
# The recent module remembers only 100 IPs by default.
# It is easily defeated by flooding it with spoofed sources or by probing from many addresses, so it has
# no effect against an attacker who takes that step; it is still useful for raising the minimum cost of
# confirming whether an IP of unknown value exists and of port-scanning it.
# A server with administrative functions should be separated and hidden as a non-public server so that
# its value as a target is not identified and it does not draw a serious attack.
# $ vi /etc/modprobe.d/iptables-recent.conf
# options xt_recent ip_list_tot=1000 ip_list_hash_size=0
# $ reboot
# $ cat /sys/module/xt_recent/parameters/ip_list_tot
# $ ls /proc/net/xt_recent/

# Record IPs making suspicious accesses as "spies"
# (tracks suspicious sources for a long time; not usable as a filter for legitimate traffic;
#  disable on a public server)
$IPTABLES -N ANTI_PROWLER_RAPID
$IPTABLES -A ANTI_PROWLER_RAPID -m recent --name spy-rapid --update --rttl -j DROP
$IPTABLES -A ANTI_PROWLER_RAPID -m recent --name spy-rapid --set -j DROP
$IPTABLES -N ANTI_PROWLER_FAST
$IPTABLES -A ANTI_PROWLER_FAST -m recent --name spy-fast --update --rttl -j DROP
$IPTABLES -A ANTI_PROWLER_FAST -m recent --name spy-fast --set -j DROP
$IPTABLES -N ANTI_PROWLER_MEDIUM
$IPTABLES -A ANTI_PROWLER_MEDIUM -m recent --name spy-medium --update --rttl -j DROP
$IPTABLES -A ANTI_PROWLER_MEDIUM -m recent --name spy-medium --set -j DROP
$IPTABLES -N ANTI_PROWLER_SLOW
$IPTABLES -A ANTI_PROWLER_SLOW -m recent --name spy-slow --update --rttl -j DROP
$IPTABLES -A ANTI_PROWLER_SLOW -m recent --name spy-slow --set -j DROP
# FW_PROWLER is the "NG" action used by the checks below: it records the offending source in the
# spy-* recent lists (rapid/fast/medium/slow, with increasing hashlimit windows) so that FW_SPY keeps
# dropping its later traffic, and then drops the packet
$IPTABLES -N FW_PROWLER
$IPTABLES -A FW_PROWLER \
  -m hashlimit \
  --hashlimit-name prowler-limit \
  --hashlimit-above 1/s \
  --hashlimit-burst 1 \
  --hashlimit-mode srcip \
  --hashlimit-htable-expire 800 \
  -j DROP
$IPTABLES -N FW_PROWLER_LIMIT
$IPTABLES -A FW_PROWLER_LIMIT -m limit --limit 1000/s --limit-burst 10000 -j RETURN
$IPTABLES -A FW_PROWLER_LIMIT -j DROP
$IPTABLES -A FW_PROWLER -j FW_PROWLER_LIMIT
$IPTABLES -A FW_PROWLER \
  -m hashlimit \
  --hashlimit-name prowler-rapid \
  --hashlimit-above 1/s \
  --hashlimit-burst 1 \
  --hashlimit-mode srcip \
  --hashlimit-htable-expire 1000 \
  -j ANTI_PROWLER_RAPID
$IPTABLES -A FW_PROWLER -m recent --name spy-rapid --set
$IPTABLES -A FW_PROWLER \
  -m hashlimit \
  --hashlimit-name prowler-fast \
  --hashlimit-above 1/h \
  --hashlimit-burst 1 \
  --hashlimit-mode srcip \
  --hashlimit-htable-expire 100000 \
  -j ANTI_PROWLER_FAST
$IPTABLES -A FW_PROWLER -m recent --name spy-fast --set
$IPTABLES -A FW_PROWLER \
  -m hashlimit \
  --hashlimit-name prowler-medium \
  --hashlimit-above 1/h \
  --hashlimit-burst 1 \
  --hashlimit-mode srcip \
  --hashlimit-htable-expire 1000000 \
  -j ANTI_PROWLER_MEDIUM
$IPTABLES -A FW_PROWLER -m recent --name spy-medium --set
$IPTABLES -A FW_PROWLER \
  -m hashlimit \
  --hashlimit-name prowler-slow \
  --hashlimit-above 1/d \
  --hashlimit-burst 1 \
  --hashlimit-mode srcip \
  --hashlimit-htable-expire 10000000 \
  -j ANTI_PROWLER_SLOW
$IPTABLES -A FW_PROWLER -m recent --name spy-slow --set
$IPTABLES -A FW_PROWLER -j DROP

# Drop packets addressed to all hosts (broadcast and multicast addresses) without logging
$IPTABLES -N DENY_BROADCAST
$IPTABLES -A DENY_BROADCAST -j DROP
$IPTABLES -N FW_BROADCAST
$IPTABLES -A FW_BROADCAST -m pkttype --pkt-type broadcast -j DENY_BROADCAST
$IPTABLES -A FW_BROADCAST -m pkttype --pkt-type multicast -j DENY_BROADCAST
$IPTABLES -A INPUT -j FW_BROADCAST && echo "FIREWALL: DENY_BROADCAST INPUT"
$IPTABLES -A FORWARD -j FW_BROADCAST && echo "FIREWALL: DENY_BROADCAST FORWARD"

# Log and drop packets whose source IP is outside the LAN range, and flag the source (NG)
# (ingress attack countermeasure)
$IPTABLES -N ANTI_INGRESS
$IPTABLES -A ANTI_INGRESS -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES INGRESS] : '
$IPTABLES -A ANTI_INGRESS -j FW_PROWLER
$IPTABLES -A ANTI_INGRESS -j DROP
$IPTABLES -N FW_INGRESS
$IPTABLES -A FW_INGRESS -i $LAN ! -s $LOCALNET -j ANTI_INGRESS
$IPTABLES -A FORWARD -j FW_INGRESS && echo "FIREWALL: ANTI_INGRESS FORWARD"

# Log and drop packets from the WAN whose source is a private IP address, and flag the source (NG)
# (IP spoofing countermeasure)
$IPTABLES -N ANTI_SPOOFING
$IPTABLES -A ANTI_SPOOFING -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES SPOOFING] : '
$IPTABLES -A ANTI_SPOOFING -j FW_PROWLER
$IPTABLES -A ANTI_SPOOFING -j DROP
$IPTABLES -N FW_SPOOFING
$IPTABLES -A FW_SPOOFING -i eth+ -s 127.0.0.0/8 -j ANTI_SPOOFING
$IPTABLES -A FW_SPOOFING -i eth+ -s 10.0.0.0/8 -j ANTI_SPOOFING
$IPTABLES -A FW_SPOOFING -i eth+ -s 172.16.0.0/12 -j ANTI_SPOOFING
$IPTABLES -A FW_SPOOFING -i eth+ -s 192.168.0.0/16 -j ANTI_SPOOFING
$IPTABLES -A FW_SPOOFING -i ppp+ -s 127.0.0.0/8 -j ANTI_SPOOFING
$IPTABLES -A FW_SPOOFING -i ppp+ -s 10.0.0.0/8 -j ANTI_SPOOFING
$IPTABLES -A FW_SPOOFING -i ppp+ -s 172.16.0.0/12 -j ANTI_SPOOFING
$IPTABLES -A FW_SPOOFING -i ppp+ -s 192.168.0.0/16 -j ANTI_SPOOFING
$IPTABLES -A ACCEPT_FILTER -j FW_SPOOFING && echo "FIREWALL: ANTI_SPOOFING ACCEPT_FILTER"

# Drop NetBIOS traffic to and from the outside without logging, and flag the source (NG)
$IPTABLES -N DENY_NETBIOS
$IPTABLES -A DENY_NETBIOS -j FW_PROWLER
$IPTABLES -A DENY_NETBIOS -j DROP
$IPTABLES -N FW_NETBIOS
$IPTABLES -A FW_NETBIOS -i eth+ -p tcp -m multiport --dports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A FW_NETBIOS -i eth+ -p udp -m multiport --dports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A FW_NETBIOS -o eth+ -p tcp -m multiport --sports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A FW_NETBIOS -o eth+ -p udp -m multiport --sports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A FW_NETBIOS -i ppp+ -p tcp -m multiport --dports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A FW_NETBIOS -i ppp+ -p udp -m multiport --dports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A FW_NETBIOS -o ppp+ -p tcp -m multiport --sports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A FW_NETBIOS -o ppp+ -p udp -m multiport --sports 135,137,138,139,445 -j DENY_NETBIOS
$IPTABLES -A ACCEPT_FILTER -j FW_NETBIOS && echo "FIREWALL: DENY_NETBIOS ACCEPT_FILTER"

# Log and drop fragmented packets, and flag the source (NG)
$IPTABLES -N DENY_FRAGMENT
$IPTABLES -A DENY_FRAGMENT -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES FRAGMENT] : '
$IPTABLES -A DENY_FRAGMENT -j FW_PROWLER
$IPTABLES -A DENY_FRAGMENT -j DROP
$IPTABLES -N FW_FRAGMENT
$IPTABLES -A FW_FRAGMENT -f -j DENY_FRAGMENT
$IPTABLES -A ACCEPT_FILTER -j FW_FRAGMENT && echo "FIREWALL: DENY_FRAGMENT ACCEPT_FILTER"

# Log and drop invalid packets (NG)
$IPTABLES -N DENY_INVALID
$IPTABLES -A DENY_INVALID -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES INVALID] : '
$IPTABLES -A DENY_INVALID -j DROP
$IPTABLES -N FW_INVALID
$IPTABLES -A FW_INVALID -m state --state INVALID -j DENY_INVALID
$IPTABLES -A ACCEPT_FILTER -j FW_INVALID && echo "FIREWALL: DENY_INVALID ACCEPT_FILTER"

# Drop packets with invalid flag combinations; after more than 3 in 16 minutes log and flag the source (NG)
# (stealth scan countermeasure)
# Well-known ports are not protected since they are not concealed anyway; avoiding false positives takes priority
# Beware: closing SSH without a clean shutdown trips this easily
# While FW_PORTSCAN and FW_SPY are working there is little need to enable this
# The flag patterns have not been validated
# Disable on a public server
$IPTABLES -N ANTI_STEALTHSCAN
$IPTABLES -A ANTI_STEALTHSCAN \
  -m hashlimit \
  --hashlimit-name scan \
  --hashlimit 1/h \
  --hashlimit-burst 3 \
  --hashlimit-mode srcip \
  --hashlimit-htable-expire 960000 \
  -j DROP
$IPTABLES -A ANTI_STEALTHSCAN -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES STEALTHSCAN] : '
$IPTABLES -A ANTI_STEALTHSCAN -j FW_PROWLER
$IPTABLES -A ANTI_STEALTHSCAN -j DROP
$IPTABLES -N FW_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -o lo -j RETURN
$IPTABLES -A FW_STEALTHSCAN -o eth+ -j RETURN
$IPTABLES -A FW_STEALTHSCAN -o ppp+ -j RETURN
$IPTABLES -A FW_STEALTHSCAN ! -p tcp -j RETURN
$IPTABLES -A FW_STEALTHSCAN -p tcp --dport 0:1023 -j RETURN
$IPTABLES -A FW_STEALTHSCAN -p tcp -m state ! --state NEW -j RETURN
# SYN + ACK when NEW
$IPTABLES -A FW_STEALTHSCAN -p tcp -m state --state NEW --tcp-flags SYN,ACK SYN,ACK -j ANTI_STEALTHSCAN
# FIN/PSH/URG without ACK
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ACK,FIN FIN -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ACK,PSH PSH -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ACK,URG URG -j ANTI_STEALTHSCAN
# SYN + FIN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j ANTI_STEALTHSCAN
# SYN + RST
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags SYN,RST SYN,RST -j ANTI_STEALTHSCAN
# FIN + RST
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags FIN,RST FIN,RST -j ANTI_STEALTHSCAN
# ALL
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ALL ALL -j ANTI_STEALTHSCAN
# nmap Null scans / no flags
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ALL NONE -j ANTI_STEALTHSCAN
# nmap FIN stealth scan
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ALL FIN -j ANTI_STEALTHSCAN
# FIN + URG + PSH
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ALL FIN,PSH,URG -j ANTI_STEALTHSCAN
# XMAS
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j ANTI_STEALTHSCAN
$IPTABLES -A FW_STEALTHSCAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG,PSH -j ANTI_STEALTHSCAN
$IPTABLES -A ACCEPT_FILTER -j FW_STEALTHSCAN && echo "FIREWALL: ANTI_STEALTHSCAN ACCEPT_FILTER"

# Log and drop pings exceeding 4 per second, and flag the source (NG)
# (Ping of Death countermeasure)
# Own table name: hashlimit tables are shared by name, and "scan" is already used by ANTI_STEALTHSCAN
# with different rate parameters
$IPTABLES -N ANTI_PINGDEATH
$IPTABLES -A ANTI_PINGDEATH \
  -m hashlimit \
  --hashlimit-name ping \
  --hashlimit 1/s \
  --hashlimit-burst 4 \
  --hashlimit-mode srcip \
  --hashlimit-htable-expire 1000 \
  -j RETURN
$IPTABLES -A ANTI_PINGDEATH -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES PINGDEATH] : '
$IPTABLES -A ANTI_PINGDEATH -j FW_PROWLER
$IPTABLES -A ANTI_PINGDEATH -j DROP
$IPTABLES -N FW_PINGDEATH
$IPTABLES -A FW_PINGDEATH -i eth+ -p icmp --icmp-type echo-request -j ANTI_PINGDEATH
$IPTABLES -A FW_PINGDEATH -i ppp+ -p icmp --icmp-type echo-request -j ANTI_PINGDEATH
$IPTABLES -A ACCEPT_FILTER -j FW_PINGDEATH && echo "FIREWALL: ANTI_PINGDEATH ACCEPT_FILTER"

# Limit excessive access per IP
# (SYN flood countermeasure; adjust the numbers as appropriate)
#
# -m hashlimit                  : use the hashlimit module
# --hashlimit-name name         : hash table name
# --hashlimit n                 : packet replenishment rate
# --hashlimit-burst n           : packet capacity
# --hashlimit-mode hash         : key that identifies what counts as the same source
# --hashlimit-htable-expire ms  : lifetime of a record in the hash table (milliseconds)
#
# Reject excessive access to the HTTP port
$IPTABLES -N ANTI_SYNFLOOD
$IPTABLES -A ANTI_SYNFLOOD \
  -m hashlimit \
  --hashlimit-name http \
  --hashlimit 10/m \
  --hashlimit-burst 60 \
  --hashlimit-mode srcip \
  --hashlimit-htable-expire 60000 \
  -j RETURN
$IPTABLES -A ANTI_SYNFLOOD -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES SYNFLOOD] : '
$IPTABLES -A ANTI_SYNFLOOD -j DROP
$IPTABLES -N FW_SYNFLOOD
$IPTABLES -A FW_SYNFLOOD -i eth+ -p tcp --dport 80 -m state --state NEW -j ANTI_SYNFLOOD
$IPTABLES -A FW_SYNFLOOD -i ppp+ -p tcp --dport 80 -m state --state NEW -j ANTI_SYNFLOOD
$IPTABLES -A ACCEPT_FILTER -j FW_SYNFLOOD && echo "FIREWALL: ANTI_SYNFLOOD ACCEPT_FILTER[TCP:80]"
#
# Reject excessive access to the HTTPS port
$IPTABLES -N ANTI_SYNFLOOD_SSL
$IPTABLES -A ANTI_SYNFLOOD_SSL \
  -m hashlimit \
  --hashlimit-name https \
  --hashlimit 30/m \
  --hashlimit-burst 60 \
  --hashlimit-mode srcip \
  --hashlimit-htable-expire 60000 \
  -j RETURN
$IPTABLES -A ANTI_SYNFLOOD_SSL -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES SYNFLOOD(SSL)] : '
$IPTABLES -A ANTI_SYNFLOOD_SSL -j DROP
$IPTABLES -N FW_SYNFLOOD_SSL
$IPTABLES -A FW_SYNFLOOD_SSL -i eth+ -p tcp --dport 443 -m state --state NEW -j ANTI_SYNFLOOD_SSL
$IPTABLES -A FW_SYNFLOOD_SSL -i ppp+ -p tcp --dport 443 -m state --state NEW -j ANTI_SYNFLOOD_SSL
$IPTABLES -A ACCEPT_FILTER -j FW_SYNFLOOD_SSL && echo "FIREWALL: ANTI_SYNFLOOD_SSL ACCEPT_FILTER[TCP:443]"
#
# Reject excessive UDP access
$IPTABLES -N ANTI_UDPFLOOD
$IPTABLES -A ANTI_UDPFLOOD \
  -m hashlimit \
  --hashlimit-name udp \
  --hashlimit 30/m \
  --hashlimit-burst 60 \
  --hashlimit-mode srcip \
  --hashlimit-htable-expire 60000 \
  -j RETURN
$IPTABLES -A ANTI_UDPFLOOD -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES UDPFLOOD] : '
$IPTABLES -A ANTI_UDPFLOOD -j DROP
$IPTABLES -N FW_UDPFLOOD
$IPTABLES -A FW_UDPFLOOD -i eth+ -p udp -m state --state NEW -j ANTI_UDPFLOOD
$IPTABLES -A FW_UDPFLOOD -i ppp+ -p udp -m state --state NEW -j ANTI_UDPFLOOD
$IPTABLES -A ACCEPT_FILTER -j FW_UDPFLOOD && echo "FIREWALL: ANTI_UDPFLOOD ACCEPT_FILTER[UDP]"
#
# Reject excessive ICMP access
$IPTABLES -N ANTI_ICMPFLOOD
$IPTABLES -A ANTI_ICMPFLOOD \
  -m hashlimit \
  --hashlimit-name icmp \
  --hashlimit 30/m \
  --hashlimit-burst 60 \
  --hashlimit-mode srcip \
  --hashlimit-htable-expire 60000 \
  -j RETURN
$IPTABLES -A ANTI_ICMPFLOOD -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES ICMPFLOOD] : '
$IPTABLES -A ANTI_ICMPFLOOD -j DROP
$IPTABLES -N FW_ICMPFLOOD
$IPTABLES -A FW_ICMPFLOOD -i eth+ -p icmp --icmp-type echo-request -j ANTI_ICMPFLOOD
$IPTABLES -A FW_ICMPFLOOD -i ppp+ -p icmp --icmp-type echo-request -j ANTI_ICMPFLOOD
$IPTABLES -A ACCEPT_FILTER -j FW_ICMPFLOOD && echo "FIREWALL: ANTI_ICMPFLOOD ACCEPT_FILTER[ICMP]"

# Reject IPs making more than 10 connection attempts to the administrative port within 3 minutes, and flag them (NG)
# (brute-force countermeasure)
$IPTABLES -N ANTI_BRUTEFORCE
$IPTABLES -A ANTI_BRUTEFORCE \
  -m hashlimit \
  --hashlimit-name bruteforce \
  --hashlimit 1/m \
  --hashlimit-burst 7 \
  --hashlimit-mode srcip \
  --hashlimit-htable-expire 180000 \
  -j RETURN
$IPTABLES -A ANTI_BRUTEFORCE -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES BRUTEFORCE] : '
$IPTABLES -A ANTI_BRUTEFORCE -j DROP
$IPTABLES -N FW_BRUTEFORCE
$IPTABLES -A FW_BRUTEFORCE -i eth+ -p tcp -m multiport --dports $LOGIN -m state --syn --state NEW -j ANTI_BRUTEFORCE
$IPTABLES -A FW_BRUTEFORCE -i ppp+ -p tcp -m multiport --dports $LOGIN -m state --syn --state NEW -j ANTI_BRUTEFORCE
$IPTABLES -A ACCEPT_FILTER -j FW_BRUTEFORCE && echo "FIREWALL: ANTI_BRUTEFORCE ACCEPT_FILTER[TCP]"

#----------------------------------------------------------#
# BLACKLIST/WHITELIST                                      #
#----------------------------------------------------------#

# Drop IPs that match the blacklist
if [ $BLACKLIST ] && [ -s $BLACKLIST ]; then
  $IPTABLES -N BLACKLIST 2>/dev/null
  for line in `cat $BLACKLIST | grep ^[0-9]`
  do
    $IPTABLES -A BLACKLIST -s $line -j DROP
  done
  $IPTABLES -A INPUT -j BLACKLIST
  $IPTABLES -A FORWARD -j BLACKLIST
  $IPTABLES -A OUTPUT -j BLACKLIST
fi

# Exempt whitelisted IPs from the blacklist and the country filter; in strict mode drop every other IP
if [ $WHITELIST ] && [ -s $WHITELIST ]; then
  $IPTABLES -N WHITELIST 2>/dev/null
  for line in `cat $WHITELIST | grep ^[0-9]`
  do
    $IPTABLES -A WHITELIST -s $line -j RETURN
    # Inserted at the head of the drop chains: RETURN leaves the chain before its DROP rules are reached.
    # Do not use "-I DROP_FILTER -g WHITELIST" for this: with --goto, a packet that matches nothing in
    # WHITELIST falls off its end and returns to INPUT as well, so DROP_FILTER would be bypassed for everyone.
    $IPTABLES -I BLACKLIST -s $line -j RETURN 2>/dev/null
    $IPTABLES -I DROP_FILTER -s $line -j RETURN
  done
  if [ $STRICT = true ]; then
    $IPTABLES -A WHITELIST -j DROP
    $IPTABLES -A INPUT -j WHITELIST
    $IPTABLES -A FORWARD -j WHITELIST
    $IPTABLES -A OUTPUT -j WHITELIST
  fi
fi

#----------------------------------------------------------#
# IDS/IPS                                                  #
#----------------------------------------------------------#

# Remove the temporary ACCEPT at the head of ACCEPT_FILTER (see Initialize) so the FW_* chains are evaluated
$IPTABLES -D ACCEPT_FILTER 1
if [ $IPS = Snort ]; then
  # Inspect all ICMP packets
  $IPTABLES -A ACCEPT_FILTER -p icmp -j NFQUEUE --queue-num 2
  # Inspect all UDP packets
  $IPTABLES -A ACCEPT_FILTER -p udp -j NFQUEUE --queue-num 2
  # Inspect TCP packets for external traffic only
  $IPTABLES -A ACCEPT_FILTER -i eth+ -p tcp -j NFQUEUE --queue-num 2
  $IPTABLES -A ACCEPT_FILTER -i ppp+ -p tcp -j NFQUEUE --queue-num 2
  $IPTABLES -A ACCEPT_FILTER -o eth+ -p tcp -j NFQUEUE --queue-num 2
  $IPTABLES -A ACCEPT_FILTER -o ppp+ -p tcp -j NFQUEUE --queue-num 2
  # Also inspect internal traffic to the backend server
  $IPTABLES -A ACCEPT_FILTER -i lo -p tcp --dport 9000 -j NFQUEUE --queue-num 2
  $IPTABLES -A ACCEPT_FILTER -o lo -p tcp --dport 9000 -j NFQUEUE --queue-num 2
  # Allow everything that is not inspected
  $IPTABLES -A ACCEPT_FILTER -j ACCEPT
  echo "IDS/IPS: Snort"
else
  $IPTABLES -A ACCEPT_FILTER -j ACCEPT
  echo "IDS/IPS: DISABLE"
fi

#----------------------------------------------------------#
# Port                                                     #
#----------------------------------------------------------#

# Allow only the minimum ICMP
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j COUNTRY_FILTER
$IPTABLES -A INPUT -p icmp --icmp-type source-quench -j COUNTRY_FILTER
$IPTABLES -A INPUT -p icmp --icmp-type redirect -j COUNTRY_FILTER
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j COUNTRY_FILTER
$IPTABLES -A INPUT -p icmp --icmp-type parameter-problem -j COUNTRY_FILTER

# Open the administrative port (SSH etc.)
$IPTABLES -A INPUT -p tcp -m multiport --dports $LOGIN -j COUNTRY_FILTER

# Open the SNMP[UDP:160,161] ports
#$IPTABLES -A INPUT -p udp --dport 160 -j COUNTRY_FILTER && echo "OPEN: SNMP[UDP:160]"
#$IPTABLES -A INPUT -p udp --dport 161 -j COUNTRY_FILTER && echo "OPEN: SNMP[UDP:161]"

# Open the DNS[TCP/UDP:53] port
#$IPTABLES -A INPUT -p tcp --dport 53 -j COUNTRY_FILTER && echo "OPEN: DNS[TCP:53]"
#$IPTABLES -A INPUT -p udp --dport 53 -j COUNTRY_FILTER && echo "OPEN: DNS[UDP:53]"

# Open the HTTP[TCP:80] port
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT_FILTER && echo "OPEN: HTTP[TCP:80]"

# Open the HTTPS[TCP:443] port
$IPTABLES -A INPUT -p tcp --dport 443 -j COUNTRY_FILTER && echo "OPEN: HTTPS[TCP:443]"

# Open the FTP[TCP:21] port
#$IPTABLES -A INPUT -p tcp --dport 21 -j COUNTRY_FILTER

# Open the PASV (FTP-DATA) ports; the PASV range 60000:60030 is only an example
#$IPTABLES -A INPUT -p tcp --dport 60000:60030 -j COUNTRY_FILTER && echo "OPEN: PASV[TCP:60000-60030]"

# Open the IDENT[TCP:113] port
# If a mail server that uses IDENT is published, reject with a TCP reset instead so the mail server's
# response time does not suffer
#$IPTABLES -A INPUT -p tcp --dport 113 -j COUNTRY_FILTER && echo "OPEN: IDENT[TCP:113]"
#$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset && echo "REJECT: IDENT[TCP:113]"

# Open the SMTP[TCP:25] port
#$IPTABLES -A INPUT -p tcp --dport 25 -j COUNTRY_FILTER && echo "OPEN: SMTP[TCP:25]"

# Open the SMTPS[TCP:465] port
#$IPTABLES -A INPUT -p tcp --dport 465 -j COUNTRY_FILTER && echo "OPEN: SMTPS[TCP:465]"

# Open the POP3[TCP:110] port
#$IPTABLES -A INPUT -p tcp --dport 110 -j COUNTRY_FILTER && echo "OPEN: POP3[TCP:110]"

# Open the POP3S[TCP:995] port
#$IPTABLES -A INPUT -p tcp --dport 995 -j COUNTRY_FILTER && echo "OPEN: POP3S[TCP:995]"

# Open the IMAP[TCP:143] port
#$IPTABLES -A INPUT -p tcp --dport 143 -j COUNTRY_FILTER && echo "OPEN: IMAP[TCP:143]"

# Open the IMAPS[TCP:993] port
#$IPTABLES -A INPUT -p tcp --dport 993 -j COUNTRY_FILTER && echo "OPEN: IMAPS[TCP:993]"

# Open the OpenVPN[UDP:1194] port
#$IPTABLES -A INPUT -p udp --dport 1194 -j COUNTRY_FILTER && echo "OPEN: OpenVPN[UDP:1194]"

# Open IPsec (IP protocol 50 = ESP and 51 = AH; these are IP protocols, not TCP/UDP ports)
#$IPTABLES -A INPUT -p 50 -j COUNTRY_FILTER && echo "OPEN: IPsec[ESP:50]"
#$IPTABLES -A INPUT -p 51 -j COUNTRY_FILTER && echo "OPEN: IPsec[AH:51]"

# Open the Submission[TCP:587] port
#$IPTABLES -A INPUT -p tcp --dport 587 -j COUNTRY_FILTER && echo "OPEN: Submission[TCP:587]"

# Firewall settings for the VPN interface
#[ -f /etc/openvpn/openvpn-startup ] && /etc/openvpn/openvpn-startup

# Log and drop packets to ports that are not open, and flag the source (NG)
# (port scan countermeasure: touching a closed port even once is enough; disable on a public server)
$IPTABLES -N TRAP_PORTSCAN
$IPTABLES -A TRAP_PORTSCAN -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES PORTSCAN] : '
$IPTABLES -A TRAP_PORTSCAN -j FW_PROWLER
$IPTABLES -A TRAP_PORTSCAN -j DROP
$IPTABLES -N FW_PORTSCAN
$IPTABLES -A FW_PORTSCAN -j TRAP_PORTSCAN
$IPTABLES -A INPUT -j FW_PORTSCAN && echo "FIREWALL: TRAP_PORTSCAN INPUT[TCP/UDP/ICMP]"
$IPTABLES -A FORWARD -j FW_PORTSCAN && echo "FIREWALL: TRAP_PORTSCAN FORWARD[TCP/UDP/ICMP]"

#----------------------------------------------------------#
# Finalize                                                 #
#----------------------------------------------------------#

# Save the rules (the existing contents of /etc/sysconfig/iptables are replaced)
service iptables save
sysctl -p 2>&1 | grep -v -E "^error:.*(ipv6|bridge-nf-call)"
service rsyslog restart
echo complete
```
BLACKLIST/WHITELIST
BLACKLIST=/etc/iptables/blacklist
WHITELIST=/etc/iptables/whitelist
STRICT=false
# BLACKLIST
1.2.3.0/24
# WHITELIST
1.2.3.4
STRICT
BLACKLIST=
WHITELIST=/etc/iptables/whitelist
STRICT=true
Log rotation
$ sudo vi /etc/rsyslog.conf
kern.=debug /var/log/iptables.log
$ sudo service rsyslog restart
$ sudo vi /etc/logrotate.d/iptables
/var/log/iptables.log {
    rotate 14
    daily
    compress
    missingok
    notifempty
    postrotate
        service rsyslog restart
    endscript
}
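As an added example that is not part of rule.sh or the original post, the following POSIX shell functions summarize the lines that the ANTI_BRUTEFORCE and TRAP_PORTSCAN chains write to /var/log/iptables.log (via the kern.=debug rule above) by rule prefix, source address and destination port. The sample log lines are constructed and use documentation address ranges.

```shell
#!/bin/sh
# Added example (not from rule.sh): summarize iptables LOG lines by the
# '[IPTABLES <RULE>] : ' prefixes that the script configures.
# Usage against the real file:
#   iptables_hits /var/log/iptables.log BRUTEFORCE
#   iptables_top_sources /var/log/iptables.log PORTSCAN 5

# Constructed sample lines in the kernel LOG format (fields shortened);
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jan 10 09:00:01 gw kernel: [IPTABLES BRUTEFORCE] : IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 10 09:00:02 gw kernel: [IPTABLES BRUTEFORCE] : IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22 SYN
Jan 10 09:00:05 gw kernel: [IPTABLES PORTSCAN] : IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=3306 SYN
Jan 10 09:00:06 gw kernel: [IPTABLES PORTSCAN] : IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40001 DPT=161
Jan 10 09:00:07 gw kernel: [IPTABLES PORTSCAN] : IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=8080 SYN
Jan 10 09:00:09 gw kernel: [IPTABLES BRUTEFORCE] : IN=ppp0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=2222 DPT=22 SYN
EOF

# iptables_hits FILE RULE: number of lines logged with prefix "[IPTABLES RULE] :"
# (grep -c exits 1 when the count is 0; treat that as success so set -e callers survive)
iptables_hits() {
    grep -c "\[IPTABLES $2\] :" "$1" || [ $? -eq 1 ]
}

# iptables_top_sources FILE RULE [N]: "count SRC" for the N busiest sources (default 10)
iptables_top_sources() {
    grep "\[IPTABLES $2\] :" "$1" |
        sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk -v n="${3:-10}" 'NR <= n { print $1, $2 }'
}

# iptables_ports FILE RULE: distinct destination ports seen for RULE, one per line, ascending
iptables_ports() {
    grep "\[IPTABLES $2\] :" "$1" |
        sed -n 's/.* DPT=\([0-9]*\).*/\1/p' | sort -un
}

iptables_hits "$SAMPLE_LOG" BRUTEFORCE          # 3
iptables_top_sources "$SAMPLE_LOG" PORTSCAN 3   # 2 198.51.100.7 / 1 203.0.113.5
iptables_ports "$SAMPLE_LOG" PORTSCAN           # 161 3306 8080
```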
Disabling IPv6
$ sudo vi /etc/sysctl.conf
# ipv6 disable
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
$ sudo vi /etc/modprobe.d/disable-ipv6.conf
options ipv6 disable=1
$ sudo vi /etc/hosts
#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
$ sudo chkconfig ip6tables off
$ sudo /sbin/sysctl -p
$ sudo service network restart
$ sudo reboot
$ ifconfig
$ netstat -an -A inet6
$ lsmod | grep ipv6 # the module itself is still loaded