#Deleting rules of iptables
Comprehensive Guide to Linux Firewalls: iptables, nftables, ufw, and firewalld
Firewalls play a central role in protecting networked systems, and on Linux that means understanding the main tools available: iptables, nftables, ufw and firewalld. This guide covers each tool's core concepts, functionality and typical use cases.
iptables: Understanding the Core Concepts
Overview of iptables: iptables is the long-standing tool for controlling the firewall on Linux systems. It works directly with the Linux kernel's packet filtering and provides a versatile but verbose interface.
Organizational Structure: The organizational structure of iptables involves tables, chains, rules, and targets. Three primary tables — filter, nat, and mangle — categorize rules. The filter table manages incoming and outgoing packets, nat facilitates Network Address Translation (NAT), and mangle is employed for advanced packet alteration.
Default Policies and Rule Creation: By default, iptables adds rules to the filter table, with default policies for INPUT, OUTPUT, and FORWARD chains set to ACCEPT. Security best practices recommend setting at least FORWARD and INPUT policies to DROP. Loopback interface access is usually allowed, and established or related connections are accepted.
Example Rules for Common Protocols:
Allowing HTTP and HTTPS traffic:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Allowing SSH traffic for remote access:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Common iptables Options: iptables provides various options for rule management, including -A or --append, -I or --insert, -D or --delete, -P or --policy, -j or --jump, -s or --source, -d or --destination, -p or --protocol, -i or --in-interface, -o or --out-interface, --sport or --source-port, --dport or --destination-port, and -m or --match.
Advanced Features in iptables: Iptables offers advanced features such as NAT, interface bonding, TCP multipath, and more, making it a versatile tool for complex network configurations.
nftables: The Next Generation Firewall
Overview of nftables: nftables is a more user-friendly alternative to iptables, with a more logical and streamlined structure. Although positioned as the replacement for iptables, both tools coexist on modern systems.
Organizational Structure in nftables: Nftables adopts a logical structure comprising tables, chains, rules, and verdicts. It simplifies rule organization with various table types, including ip, arp, ip6, bridge, inet, and netdev.
Setting Default Policies and Example Rules: in nftables the default policy belongs to the base chain and is set when the chain is created. Appending a bare drop rule instead would place it ahead of the accept rules, and every packet would be dropped before those rules are evaluated.
sudo nft add table ip filter
sudo nft add chain ip filter input '{ type filter hook input priority 0; policy drop; }'
sudo nft add chain ip filter forward '{ type filter hook forward priority 0; policy drop; }'
sudo nft add rule ip filter input iifname "lo" accept
sudo nft add rule ip filter input ct state established,related accept
sudo nft add rule ip filter input tcp dport '{ 80, 443 }' accept
sudo nft add rule ip filter input tcp dport 22 accept
Common nftables Options: nftables options include add, insert, delete, chain, ip saddr, ip daddr, ip protocol, iifname, oifname, tcp sport, tcp dport, and ct state.
nftables vs iptables: While nftables provides a more streamlined approach, both tools coexist, allowing users to choose based on preferences and familiarity.
ufw: Simplifying Firewall Management
Overview of ufw: Uncomplicated Firewall (ufw) is a frontend for iptables that offers a simplified interface for managing firewall configurations. It is designed to be user-friendly and automatically sets up iptables rules based on the configuration you specify. ufw not only simplifies iptables but also integrates well with applications and services. Its simplicity makes it an ideal choice for those who want a quick setup without delving into intricate firewall configurations. Moreover, ufw supports application profiles, allowing users to define rules specific to applications.
Enabling ufw and Example Rules:
sudo ufw enable
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 80,443/tcp
Checking ufw Status:
sudo ufw status

firewalld: Dynamic Firewall Configuration
Overview of firewalld: firewalld streamlines dynamic firewall configuration, using zones to declare trust levels for interfaces and networks. It comes pre-installed in distributions like Red Hat Enterprise Linux, Fedora and CentOS, and can be installed on others. firewalld excels in dynamic environments where network configurations change frequently. Its zone-based approach allows administrators to define different trust levels for different network interfaces.
Opening Ports with firewalld (rules added with --permanent only take effect after the reload):
sudo firewall-cmd --add-port=80/tcp --permanent
sudo firewall-cmd --add-port=443/tcp --permanent
sudo firewall-cmd --add-port=80/tcp --add-port=443/tcp --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports
Conclusion: Linux firewalls, comprising iptables, ufw, nftables and firewalld, offer robust defence mechanisms for network security. While iptables and nftables cater to experienced users, ufw and firewalld provide simplified interfaces for ease of use. The choice of tool depends on user expertise and specific requirements, ensuring a secure and well-managed network environment. This extended guide provides additional insight into ufw and firewalld, enhancing your understanding of Linux firewall tools for configuring and securing systems effectively.
IPTABLES : Introduction to Linux Firewall
Linux is the most-used open source operating system. Managing network traffic is one of the toughest jobs to deal with. For this, we must configure the firewall in such a way that it meets the system's and users' requirements without leaving the system vulnerable. The default firewall in most Linux distributions is IPTables.
IPTables is a standard…
Read more: Linux iptables command examples for new sysadmins
reset iptables ubuntu ec2 instance
Deleting Rules – This command erases all current rules.
$ sudo iptables -F
If you're running a Kubernetes cluster in the AWS cloud using Amazon EKS, the default Container Network Interface (CNI) plugin for Kubernetes is amazon-vpc-cni-k8s. With this CNI plugin your Kubernetes pods have the same IP address inside the pod as they do on the VPC network. The problem with this CNI is the large number of VPC IP addresses required to run and manage huge clusters, which is why other CNI plugins such as Calico are an option. Calico is a free and open source networking and network security plugin that supports a broad range of platforms including Docker EE, OpenShift, Kubernetes, OpenStack, and bare metal services. Calico offers true cloud-native scalability and delivers blazing fast performance. With Calico you have the option to use either Linux eBPF or the Linux kernel's highly optimized standard networking pipeline to deliver high performance networking. For multi-tenant Kubernetes environments where isolation of tenants from each other is key, Calico network policy enforcement can be used to implement network segmentation and tenant isolation. You can easily create network ingress and egress rules to ensure proper network controls are applied to services.

Install Calico CNI plugin on Amazon EKS Kubernetes Cluster

These are the points to note before implementing the solution:
If using Fargate with Amazon EKS, Calico is not supported.
If you have rules outside of Calico policy, consider adding your existing iptables rules to your Calico policies, so that they are not overridden by Calico.
If you're using security groups for pods, traffic to pods on branch network interfaces is not subject to Calico network policy enforcement and is limited to Amazon EC2 security group enforcement only.

Step 1: Setup EKS Cluster
I assume you have a newly created EKS Kubernetes cluster. Our guide can be used to deploy an EKS cluster: Easily Setup Kubernetes Cluster on AWS with EKS
Once the cluster is running, confirm it is available with eksctl:
$ eksctl get cluster -o yaml
- name: My-EKS-Cluster
  region: eu-west-1

Step 2: Delete AWS VPC networking Pods
Since in our EKS cluster we're going to use Calico for networking, we must delete the aws-node DaemonSet to disable AWS VPC networking for pods.
$ kubectl delete ds aws-node -n kube-system
daemonset.apps "aws-node" deleted
Confirm all aws-node Pods have been deleted.
$ kubectl get pods -n kube-system
NAME                       READY   STATUS    RESTARTS   AGE
coredns-6987776bbd-4hj4v   1/1     Running   0          15h
coredns-6987776bbd-qrgs8   1/1     Running   0          15h
kube-proxy-mqrrk           1/1     Running   0          14h
kube-proxy-xx28m           1/1     Running   0          14h

Step 3: Install Calico CNI on EKS Kubernetes Cluster
Download the Calico YAML manifest.
wget https://docs.projectcalico.org/manifests/calico-vxlan.yaml
Then apply the manifest to deploy the Calico CNI on the Amazon EKS cluster.
kubectl apply -f calico-vxlan.yaml
This is my deployment output showing all objects being created.
configmap/calico-config created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrole.rbac.authorization.k8s.io/calico-node created
clusterrolebinding.rbac.authorization.k8s.io/calico-node created
daemonset.apps/calico-node created
serviceaccount/calico-node created
deployment.apps/calico-kube-controllers created
serviceaccount/calico-kube-controllers created
Get the list of DaemonSets deployed in the kube-system namespace.
$ kubectl get ds calico-node --namespace kube-system
NAME          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
calico-node   2         2         0       2            0           kubernetes.io/os=linux   14s
The calico-node DaemonSet should have the DESIRED number of pods in the READY state.
$ kubectl get ds calico-node --namespace kube-system
NAME          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
calico-node   2         2         2       2            2           kubernetes.io/os=linux   48s
Running pods can be checked with kubectl as well.
$ kubectl get pods -n kube-system | grep calico
calico-node-bmshb                                     1/1     Running   0          4m7s
calico-node-skfpt                                     1/1     Running   0          4m7s
calico-typha-69f668897f-zfh56                         1/1     Running   0          4m11s
calico-typha-horizontal-autoscaler-869dbcdddb-6sx2h   1/1     Running   0          4m7s

Step 4: Create new nodegroup and delete old one
If you already had nodes in your cluster, you will need to add another node group and then remove the old node groups and the machines in them.
To create an additional nodegroup, use:
eksctl create nodegroup --cluster= [--name=]
List your clusters to get the cluster name:
$ eksctl get cluster
A node group can be created from the CLI or from a config file.
Create Node group from CLI
eksctl create nodegroup --cluster --name --node-type --node-ami auto
To change the maximum number of Pods per node, add: --max-pods-per-node
Example:
eksctl create nodegroup --cluster my-eks-cluster --name eks-ng-02 --node-type t3.medium --node-ami auto --max-pods-per-node 150
Create from Configuration file – Update the nodeGroups section. See below:
nodeGroups:
  - name: eks-ng-01
    labels:
      role: workers
    instanceType: t3.medium
    desiredCapacity: 2
    volumeSize: 80
    minSize: 2
    maxSize: 3
    privateNetworking: true
  - name: eks-ng-02
    labels:
      role: workers
    instanceType: t3.medium
    desiredCapacity: 2
    volumeSize: 80
    minSize: 2
    maxSize: 3
    privateNetworking: true
For managed node groups, replace nodeGroups with managedNodeGroups. When done, apply the configuration to create the node group.
eksctl create nodegroup --config-file=my-eks-cluster.yaml
Once the new nodegroup is created, delete the old one to cordon its nodes and migrate all pods.
eksctl delete nodegroup --cluster= --name=
Or from the config file:
eksctl delete nodegroup --config-file=my-eks-cluster.yaml --include= --approve
If you check the nodes in your cluster, at first scheduling is disabled on the old nodes:
$ kubectl get nodes
NAME                                           STATUS                     ROLES   AGE     VERSION
ip-10-255-101-100.eu-west-1.compute.internal   Ready                              3m57s   v1.17.11-eks-cfdc40
ip-10-255-103-17.eu-west-1.compute.internal    Ready,SchedulingDisabled           15h     v1.17.11-eks-cfdc40
ip-10-255-96-32.eu-west-1.compute.internal     Ready                              4m5s    v1.17.11-eks-cfdc40
ip-10-255-98-25.eu-west-1.compute.internal     Ready,SchedulingDisabled           15h     v1.17.11-eks-cfdc40
After a few minutes they are deleted.
$ kubectl get nodes
NAME                                           STATUS   ROLES   AGE     VERSION
ip-10-255-101-100.eu-west-1.compute.internal   Ready            4m45s   v1.17.11-eks-cfdc40
ip-10-255-96-32.eu-west-1.compute.internal     Ready            4m53s   v1.17.11-eks-cfdc40
If you describe the new Pods you should notice a change in their IP addresses:
$ kubectl describe pods coredns-6987776bbd-mvchx -n kube-system
Name:                 coredns-6987776bbd-mvchx
Namespace:            kube-system
Priority:             2000000000
Priority Class Name:  system-cluster-critical
Node:                 ip-10-255-101-100.eu-west-1.compute.internal/10.255.101.100
Start Time:           Mon, 26 Oct 2020 15:24:16 +0300
Labels:               eks.amazonaws.com/component=coredns
                      k8s-app=kube-dns
                      pod-template-hash=6987776bbd
Annotations:          cni.projectcalico.org/podIP: 192.168.153.129/32
                      cni.projectcalico.org/podIPs: 192.168.153.129/32
                      eks.amazonaws.com/compute-type: ec2
                      kubernetes.io/psp: eks.privileged
Status:               Running
IP:                   192.168.153.129
IPs:
  IP:  192.168.153.129
Controlled By:  ReplicaSet/coredns-6987776bbd
....

Step 5: Install calicoctl command line tool
calicoctl enables cluster users to read, create, update, and delete Calico objects from the command line. Run the commands below to install calicoctl.
Linux:
curl -s https://api.github.com/repos/projectcalico/calicoctl/releases/latest | grep browser_download_url | grep linux-amd64 | grep -v wait | cut -d '"' -f 4 | wget -i -
chmod +x calicoctl-linux-amd64
sudo mv calicoctl-linux-amd64 /usr/local/bin/calicoctl
macOS:
curl -s https://api.github.com/repos/projectcalico/calicoctl/releases/latest | grep browser_download_url | grep darwin-amd64 | grep -v wait | cut -d '"' -f 4 | wget -i -
chmod +x calicoctl-darwin-amd64
sudo mv calicoctl-darwin-amd64 /usr/local/bin/calicoctl
Next, read how to configure calicoctl to connect to your datastore.
IP Table Commands
Tools
*** listing line numbers
sudo iptables -L --line-numbers
***deleting rules
sudo iptables -D {INPUT} {rule-number} (the number comes from --line-numbers above; alternatively repeat the full rule specification instead of the number)
*** reset iptables
iptables -F
*** set ip table rule
sudo iptables -A {INPUT} -p tcp --dport {xyz} -j ACCEPT (add -s {ip address} to limit the rule to one source)
---
Exercise
---
1. Set the default policies to DROP for the INPUT, FORWARD, and OUTPUT chains.
sudo iptables -P {INPUT} DROP (-P --policy chain target)
2. Create a rule to ACCEPT all connections that are ESTABLISHED,RELATED on the INPUT and the OUTPUT chains.
sudo iptables -A {INPUT} -m state --state ESTABLISHED,RELATED -j ACCEPT
(-A --append chain rule-specification)
3. Create a rule to ACCEPT only remote source IP address 10.10.10.10 to access the local SSH server (on port 22).
sudo iptables -A INPUT -s {10.10.10.10} -p tcp --dport ssh -j ACCEPT
(-s -- source ip, -p -- protocol, --dport -- destination port)
4. Create a rule to ACCEPT any source IP to the local TCP services on ports 21 and 80.
sudo iptables -A INPUT -p {tcp} --match multiport --dport {21,80} -j ACCEPT
(--match multiport -- to specify more than one destination port)
5. Create a rule to ACCEPT all OUTPUT traffic with a destination TCP port of 80.
sudo iptables -A OUTPUT -p {tcp} --dport {80} -j ACCEPT
6. Create a rule applied to the INPUT chain to ACCEPT all traffic from the lo interface.
sudo iptables -A INPUT -i {lo} -j ACCEPT
sudo iptables -A OUTPUT -o {lo} -j ACCEPT
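As an added example (not part of the firewall guide above or of these exercise notes), here is a small Python audit of `iptables -S` output that checks what both posts ask for: DROP policies on INPUT and FORWARD, explicit accepts for loopback and ESTABLISHED,RELATED traffic, an SSH accept that lacks a source restriction, and rules that can never match because an unconditional verdict was appended ahead of them (the same ordering mistake as a bare drop rule in nftables). Both rulesets it runs on are constructed for this example, and the parser assumes the `-P`/`-A` line format `iptables -S` prints.

```python
"""Audit an `iptables -S` dump for the mistakes the posts above warn about (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end evaluation of a chain


@dataclass
class Rule:
    chain: str
    target: Optional[str]
    matches: Dict[str, str]  # match option -> value ("" for bare flags such as --syn)
    raw: str


def parse_dump(text: str):
    """Return ({chain: policy}, [Rule, ...]) from the -P and -A lines of a dump."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for line in text.splitlines():
        toks = shlex.split(line.strip())
        if len(toks) >= 3 and toks[0] == "-P":
            policies[toks[1]] = toks[2]
        elif len(toks) >= 2 and toks[0] == "-A":
            # iptables -S prints every match option before -j and target options after it.
            j = toks.index("-j") if "-j" in toks else len(toks)
            target = toks[j + 1] if j + 1 < len(toks) else None
            opts, matches, i = toks[2:j], {}, 0
            while i < len(opts):
                if i + 1 < len(opts) and not opts[i + 1].startswith("-"):
                    matches[opts[i]] = opts[i + 1]   # option with a value, e.g. --dport 22
                    i += 2
                else:
                    matches[opts[i]] = ""            # bare flag, e.g. --syn or a leading "!"
                    i += 1
            rules.append(Rule(toks[1], target, matches, line.strip()))
    return policies, rules


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the ruleset passes."""
    policies, rules = parse_dump(text)
    findings: List[str] = []

    # 1. The guide's baseline: INPUT and FORWARD default to DROP.
    for chain in ("INPUT", "FORWARD"):
        policy = policies.get(chain)
        if policy != "DROP":
            findings.append(f"{chain}: default policy is {policy or 'unknown'}, expected DROP")

    # 2. With a DROP policy, loopback and replies to our own connections need explicit
    #    accepts (-m state --state and -m conntrack --ctstate both count).
    inbound = [r for r in rules if r.chain == "INPUT"]
    if not any(r.target == "ACCEPT" and r.matches.get("-i") == "lo" for r in inbound):
        findings.append("INPUT: no ACCEPT rule for the loopback interface (-i lo)")
    if not any(r.target == "ACCEPT" and "ESTABLISHED" in r.matches.get("--state", r.matches.get("--ctstate", "")) for r in inbound):
        findings.append("INPUT: no ACCEPT rule for ESTABLISHED,RELATED connections")

    # 3. SSH accepted without a -s restriction (the exercise limits it to 10.10.10.10).
    for r in inbound:
        if r.target == "ACCEPT" and r.matches.get("--dport") in ("22", "ssh") and "-s" not in r.matches:
            findings.append(f"INPUT: SSH accepted from any source: {r.raw}")

    # 4. Shadowing: a terminating verdict with no match criteria decides every packet,
    #    so any rule appended after it in the same chain can never match.
    catch_all: Dict[str, str] = {}
    for r in rules:
        if r.chain in catch_all:
            findings.append(f"{r.chain}: unreachable rule '{r.raw}' (shadowed by '{catch_all[r.chain]}')")
        elif r.target in TERMINATING and not r.matches:
            catch_all[r.chain] = r.raw
    return findings


# Constructed dump: default ACCEPT policies plus a catch-all DROP appended *before* the
# service rules, the same ordering mistake as an unconditional `drop` rule in nftables.
BAD_DUMP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Constructed dump: the exercise's answer as `iptables -S` would print it.
GOOD_DUMP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.10.10.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""
```

On a real host, feed `audit()` the output of `sudo iptables -S`; the bad dump above produces seven findings and the exercise's ruleset produces none.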
Anti DDos - Bash Script
Anti DDoS - Bash Script. DDoS attacks are one of the biggest headaches for sysadmins. No precaution is too much, and nothing is ever fully secure. It is practically impossible to stop a large-scale DDoS; even so, you should at least try to protect yourself against smaller attacks. Today we present an excellent anti-DDoS script created by Ismail Tasleden. Written in bash and open source, this script is different from others we have covered on SoloLinux; as a general rule those tools scan the logs looking for errors in order to block the IPs that cause them. This project is different: what it does is enable the preventive controls that the Linux kernel provides, which usually ship with overly permissive settings. It also applies anti-DDoS rules in iptables or nftables, along with other configuration needed as additional defensive measures. This bash script is 100% compatible with all Linux systems. Remember that nothing is infallible against a DDoS, but at least we take preventive measures against lamers.
Create the script:
nano anti-ddos.sh
Copy and paste the following.

#!/bin/sh
#########################################################
# ANTI-DDOS BASH SCRIPT                                 #
#########################################################
# For debugging use iptables -v.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"

# Logging options.
#------------------------------------------------------------------------------
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

# Defaults for rate limiting
#------------------------------------------------------------------------------
RLIMIT="-m limit --limit 3/s --limit-burst 8"

# Unprivileged ports.
#------------------------------------------------------------------------------
PHIGH="1024:65535"
PSSH="1000:1023"

# Load required kernel modules
#------------------------------------------------------------------------------
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc

# Mitigate ARP spoofing/poisoning and similar attacks.
#------------------------------------------------------------------------------
# Hardcode static ARP cache entries here
# $ARP -s IP-ADDRESS MAC-ADDRESS

# Kernel configuration.
#------------------------------------------------------------------------------
# Disable IP forwarding.
# On => Off = (reset)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward

# Enable IP spoofing protection
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

# Protect against SYN flood attacks
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Do not ignore ICMP echo requests in the kernel (0): ping is rate-limited by the
# iptables rules further down instead. Set this to 1 to ignore all echo requests.
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP echo requests to broadcast
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log packets with impossible addresses.
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done

# Don't log invalid responses to broadcast
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Don't accept or send ICMP redirects.
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done

# Don't accept source routed packets.
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done

# Disable multicast routing (mc_forwarding is read-only on newer kernels, so the
# write error is silenced).
for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i 2>/dev/null; done

# Disable proxy_arp.
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done

# Enable secure redirects, i.e. only accept ICMP redirects for gateways
# Helps against MITM attacks.
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done

# Disable bootp_relay
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done

# Default policies.
#------------------------------------------------------------------------------
# Drop everything by default.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Set the nat/mangle/raw tables' chains to ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

# Cleanup.
#------------------------------------------------------------------------------
# Delete all rules.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Delete all user-defined chains.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Zero all packets and counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z

# Completely disable IPv6.
#------------------------------------------------------------------------------
# Block all IPv6 traffic
# If the ip6tables command is available, try to block all IPv6 traffic.
if test -x $IP6TABLES; then
    # Set the default policies
    # drop everything
    $IP6TABLES -P INPUT DROP 2>/dev/null
    $IP6TABLES -P FORWARD DROP 2>/dev/null
    $IP6TABLES -P OUTPUT DROP 2>/dev/null

    # The mangle table can pass everything
    $IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
    $IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
    $IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
    $IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
    $IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null

    # Delete all rules.
    $IP6TABLES -F 2>/dev/null
    $IP6TABLES -t mangle -F 2>/dev/null

    # Delete all chains.
    $IP6TABLES -X 2>/dev/null
    $IP6TABLES -t mangle -X 2>/dev/null

    # Zero all packets and counters.
    $IP6TABLES -Z 2>/dev/null
    $IP6TABLES -t mangle -Z 2>/dev/null
fi

# Custom user-defined chains.
#------------------------------------------------------------------------------
# LOG packets, then ACCEPT.
$IPTABLES -N ACCEPTLOG
$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
$IPTABLES -A ACCEPTLOG -j ACCEPT

# LOG packets, then DROP.
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
$IPTABLES -A DROPLOG -j DROP

# LOG packets, then REJECT.
# TCP packets are rejected with a TCP reset.
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT

# Only allows RELATED ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# TODO: Rate-limit this traffic?
# TODO: Allow fragmentation-needed?
# TODO: Test.
$IPTABLES -N RELATED_ICMP
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A RELATED_ICMP -j DROPLOG

# Only allow the minimally required/recommended parts of ICMP. Block the rest.
#------------------------------------------------------------------------------
# TODO: This section needs a lot of testing!

# First, drop all fragmented ICMP packets (almost always malicious).
$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG

# Allow all ESTABLISHED ICMP traffic.
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT

# Allow some parts of the RELATED ICMP traffic, block the rest.
$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT

# Allow incoming ICMP echo requests (ping), but only rate-limited.
# Make It Even Harder To Multi-PING: accept 1/s with a burst of 2, log what exceeds
# that (with its own limit counter), drop the rest. These rules match echo requests
# only, so the ESTABLISHED/RELATED ICMP handling above is not shadowed.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix "PING-DROP: "
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP

# Allow outgoing ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

# Drop any other ICMP traffic.
$IPTABLES -A INPUT -p icmp -j DROPLOG
$IPTABLES -A OUTPUT -p icmp -j DROPLOG
$IPTABLES -A FORWARD -p icmp -j DROPLOG

# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------
# Allow loopback interface to do anything.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow incoming connections related to existing allowed connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections EXCEPT invalid
# Note: accepting NEW here allows every outbound connection, so the per-port OUTPUT
# rules further down never match. Comment this line out to enforce the selective
# outbound policy instead.
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Miscellaneous.
#------------------------------------------------------------------------------
# We don't care about Milkosoft, Drop SMB/CIFS/etc..
$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP

# Explicitly drop invalid incoming traffic
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Drop invalid outgoing traffic, too.
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# If we would use NAT, INVALID packets would pass - BLOCK them anyways
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# PORT Scanners (stealth also)
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# TODO: Some more anti-spoofing rules? For example:
# $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN flood protection: new connections above 2/s (burst 6) are dropped.
$IPTABLES -N SYN_FLOOD
$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
$IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPTABLES -A SYN_FLOOD -j DROP

# TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
# $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG

# Drop any traffic from IANA-reserved IPs.
#------------------------------------------------------------------------------
# Note: this list reflects old IANA allocations. Most of these /8s have since been
# assigned to ISPs, and 10.0.0.0/8 and 172.16.0.0/12 are RFC 1918 ranges your own
# hosts may use. Review the list against your environment before enabling it.
$IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 5.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 7.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 23.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 27.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 31.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 36.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 39.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 42.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 49.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 50.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 77.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 78.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 92.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 96.0.0.0/4 -j DROP
$IPTABLES -A INPUT -s 112.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 120.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 173.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 174.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 176.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 184.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP
$IPTABLES -A INPUT -s 197.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP
$IPTABLES -A INPUT -s 223.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 224.0.0.0/3 -j DROP

# Selectively allow certain outbound connections, block the rest.
#------------------------------------------------------------------------------
# Allow outgoing DNS requests. Few things will work without this.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow outgoing HTTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow outgoing HTTPS requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT

# Allow outgoing "submission" (RFC 2476) requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT

# Allow outgoing POP3S requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow outgoing SSH requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow outgoing FTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow outgoing NNTP requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow outgoing NTP requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT

# Allow outgoing IRC requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_irc kernel module.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT

# Allow outgoing requests to various proxies. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT

# Allow outgoing DHCP requests. Unencrypted, use with care.
# TODO: This is completely untested, I have no idea whether it works!
# TODO: I think this can be tightened a bit more.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Allow outgoing CVS requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT

# Allow outgoing MySQL requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT

# Allow outgoing SVN requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT

# Allow outgoing PLESK requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8443 -j ACCEPT

# Allow outgoing Tor (http://tor.eff.org) requests.
# Note: Do _not_ use unencrypted protocols over Tor (sniffing is possible)!
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT

# Allow outgoing OpenVPN requests.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT

# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...

# Selectively allow certain inbound connections, block the rest.
#------------------------------------------------------------------------------
# Allow incoming DNS requests.
$IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow incoming HTTP requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow incoming HTTPS requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow incoming POP3 requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

# Allow incoming IMAP4 requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

# Allow incoming POP3S requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow incoming SMTP requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

# Allow incoming SSH requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow incoming FTP requests.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow incoming NNTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow incoming MySQL requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT

# Allow incoming PLESK requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 8843 -j ACCEPT

# Allow incoming BitTorrent requests.
# TODO: Are these already handled by ACCEPTing established/related traffic?
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT

# Allow incoming nc requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT

# Explicitly log and reject everything else.
#------------------------------------------------------------------------------
# Use REJECT instead of REJECTLOG if you don't need/want logging.
$IPTABLES -A INPUT -j REJECTLOG
$IPTABLES -A OUTPUT -j REJECTLOG
$IPTABLES -A FORWARD -j REJECTLOG

#------------------------------------------------------------------------------
# Testing the firewall.
#------------------------------------------------------------------------------
# You should check/test that the firewall really works, using
# iptables -vnL, nmap, ping, telnet, ...

# Appending rules: examples of additional IPv6 rules for this firewall. They are kept
# commented out because HOST_IPV6_IP is a placeholder to fill in, and because the
# script already runs as root, so the leading sudo is unnecessary.
# sudo ip6tables -A INPUT -p tcp --dport ssh -s HOST_IPV6_IP -j ACCEPT
# sudo ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
# sudo ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT
# sudo ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT
# To see the IPv6 rules with line numbers, type the following command:
# sudo ip6tables -L -n --line-numbers
# Deleting rules
# sudo ip6tables -D INPUT -p tcp --dport 21 -j ACCEPT

# Exit gracefully.
#------------------------------------------------------------------------------
exit 0

Modify whichever rules you need; once edited, save the file and close the editor.
Este script esta creado para servidores y vps, por tanto para crearlo debes ser root o usuario con permisos necesarios. En este caso no es necesario conceder permisos al script, ya los tenemos, tan solo ejecuta el script... bash anti-ddos.sh Canales de Telegram: Canal SoloLinux – Canal SoloWordpress Espero que este articulo te sea de utilidad, puedes ayudarnos a mantener el servidor con una donación (paypal), o también colaborar con el simple gesto de compartir nuestros artículos en tu sitio web, blog, foro o redes sociales. Read the full article
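As an added example (not part of the script above or of the SoloLinux article), here is a small POSIX shell audit that reads a ruleset in iptables-save format and reports which INPUT rules accept new connections on ports whose protocols carry credentials in cleartext (the FTP, POP3, IMAP and SMTP ports the script above opens, among others), plus the INPUT chain's default policy. The sample ruleset and the list of cleartext ports are constructed for the example; against a live system you would pipe `iptables-save` into the same functions.

```sh
#!/bin/sh
# Audit a ruleset in iptables-save format for INPUT rules that ACCEPT traffic
# to well-known cleartext ports. All functions read the ruleset from stdin, so
# the same code runs against a live dump (`iptables-save | find_cleartext_input`)
# or against the constructed sample at the bottom.

# Ports whose protocols send credentials in cleartext (list chosen for this
# example: FTP, telnet, SMTP, POP3, NNTP, IMAP, CVS pserver, MySQL).
CLEARTEXT_PORTS="21 23 25 110 119 143 2401 3306"

# Print "proto port" for every INPUT rule that ACCEPTs traffic to a single
# destination port, in chain order. Rules without --dport (loopback,
# RELATED,ESTABLISHED) are skipped; multiport --dports is not handled.
list_accepted_input_ports() {
    awk '
        $1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i+1)
                if ($i == "--dport") port = $(i+1)
            }
            if (port != "") print proto, port
        }'
}

# Emit "proto/port" for each accepted INPUT port that is in CLEARTEXT_PORTS.
find_cleartext_input() {
    list_accepted_input_ports | while read -r proto port; do
        for p in $CLEARTEXT_PORTS; do
            if [ "$port" = "$p" ]; then
                printf '%s/%s\n' "$proto" "$port"
            fi
        done
    done
}

# Print the default policy of the INPUT chain (the guide recommends DROP).
input_policy() {
    awk '$1 == ":INPUT" { print $2 }'
}

# Constructed sample in iptables-save format (made up for this example).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
-A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
COMMIT'

echo "INPUT policy: $(printf '%s\n' "$SAMPLE_RULES" | input_policy)"
echo "Cleartext services accepted on INPUT:"
printf '%s\n' "$SAMPLE_RULES" | find_cleartext_input
```

The port-23 DROP rule and the OUTPUT rule for port 21 are deliberately present in the sample so the audit shows it only flags what is actually accepted inbound.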
LINUX BASIC COMMANDS 2 || IMPORTANT LINUX COMMANDS || LINUX EASY TO LEARN ||
Welcome to 2wowthings
Let's start!
Command date
Use: shows the date and time set on the system (for example, whether the system clock is set to India, UK or US time).
Command touch
Use: creates empty files (or updates the timestamp of existing ones).
example
touch filename
This creates one file. To create more than one file at once:
touch filename1 filename2
In the above command, we have created 2 files.
Command ls
We saw this command in the first part; here we check which options we can use with it.
Options
ls -a
Use: shows all files, including hidden ones (names starting with ".").
ls -l
Use: long listing showing owner, group, permissions, size and modification date and time of each file or directory.
ls -r
Use: reverses the sort order (it does not list recursively; see -R).
ls -R
Use: lists all subdirectories recursively.
ls -ltr
Use: long listing sorted by modification time in reverse, so the most recently modified entries appear last.
ls -lh
Use: long listing with file sizes in a human-readable format (K, M, G).
ls -F
Use: appends an indicator to each name: "/" for directories, "*" for executables, "@" for symbolic links.
ls -lS
Use: long listing sorted by size, largest file first.
ls -i
Use: shows the inode number of each file or directory.
ls -n
Use: like -l, but shows numeric UID and GID instead of user and group names.
Command echo
Use: displays the text given after the echo command.
Command alias
Use: defines a shortcut name for a command; for example, a name that changes into a frequently used path.
example
alias home='cd /home/data/images'
Command apt
Use to get update or installation of the package we use
example
apt update
Command apt-get
Use to get update or installation of the package we use
example
sudo apt-get update
Command aptitude
Use to get update or installation of the package we use
example
sudo aptitude update
Command arch
Use to check the machine architecture
Command arp
Use: shows or manipulates the ARP (Address Resolution Protocol) cache, which maps the IP addresses of network neighbours to their hardware (MAC) addresses.
Command at
Use: an alternative to cron for one-off jobs; it schedules a command to run once at a future time.
example
echo "shutdown -h now" | sudo at -m 22:00
(sudo must wrap at, not echo: the job is queued and later run as the user who submitted it, so it is the at invocation that needs root.)
Command atq
Use: lists the jobs pending in the at queue.
Command wget
Use: downloads files from the web over HTTP, HTTPS or FTP.
Command whatis
Use shows short line manual page description of the selected command
example
whatis who
here in above command,we will see the information about command who
Command which
Use shows absolute path of the command
example
which who
here which command display the absolute path of who command
command mv
Use: renames files and directories, or moves a file or directory from one path to another.
Command mkdir
Use to create directories
Options
mkdir -v
Use: prints a message for each directory created.
mkdir -p
Use: creates any missing parent directories as well (and does not error if the directory already exists).
mkdir -m
Use: sets the permissions of the new directory at creation time.
example
mkdir -m a=rwx test
Here test is the directory we create, and everyone (a = all users) is given rwx (read, write, execute) permission on it. Note that a=rwx makes the directory world-writable; for anything other than a scratch directory use a narrower mode such as u=rwx,go=rx.
Command netstat
Option
netstat -a
Use: lists all sockets, listening and non-listening, for TCP and UDP.
netstat -at
Use: shows only TCP sockets.
netstat -au
Use: shows only UDP sockets.
netstat -l
Use: shows only listening sockets.
netstat -lt
Use: shows only listening TCP ports.
netstat -lu
Use: shows only listening UDP ports.
netstat -lx
Use: shows only listening UNIX domain sockets.
netstat -s
Use: shows per-protocol statistics for TCP, UDP, ICMP and IP.
netstat -st
Use: shows statistics for TCP only.
netstat -su
Use: shows statistics for UDP only.
netstat -r
Use: displays the kernel IP routing table.
netstat -i
Use: shows a table of network interfaces with packets received and sent and the MTU size.
netstat -ie
Use: shows the kernel interface table in extended form, similar to ifconfig output.
netstat -c
Use: refreshes the netstat output continuously every second.
Command locate
Use to locate the file by its name
Command iw
Use to manage wireless device and configuration
Command iwlist
Use display wireless information from the wireless interface
Command hwinfo
Use probe the hardware present in the system
Command ifconfig Use to check IP address ethernet card details (MAC)
Command iostat
Use: reports CPU utilisation and I/O statistics for devices and partitions.
Command ip
Use: shows and manipulates addresses, routes and interfaces (the modern replacement for ifconfig and route); for example, assigning an IP address to an interface.
Command iptables
Use: manages the kernel packet-filter rules for incoming, outgoing and forwarded traffic.
Command kill
Use: sends a signal to a process by PID (SIGTERM by default; kill -9 sends SIGKILL).
Command last
Use: displays the users who logged in most recently, from /var/log/wtmp.
Command ln
Use: creates links between files; with -s it creates a soft (symbolic) link.
Command lsof
Use: shows information about all types of files (regular files, directories, block special files, sockets) opened by processes.
Command lsusb
Use: shows information about the USB buses and the devices connected to them.
Command man
Use: shows the manual page for a command.
Command passwd
Use: sets or changes the password of a user account.
Command pidof
Use: displays the process ID of a running program.
Command ping
Use: tests connectivity between hosts on a network.
Command ps
Use: shows information about the processes running on the system.
Command reboot
Use: reboots the system (halt or poweroff stops it instead).
Command rm
Use: removes (deletes) files.
option
rm -rf
Use: removes a directory and everything below it recursively without prompting; double-check the path, as there is no undo.
rmdir
Use: removes an empty directory.
Command scp
Use: copies files between two hosts on a network over SSH.
Once again, welcome to you all. Please comment and share your views; if there is anything you want to understand, reply to me.
God Bless You All !!!!!!
Happiness for you!!!!!!!
via Blogger https://ift.tt/2VS9XDK
Week 2 - Configure DNS errr learn about iptables and Linux firewalls?
Hi everyone! I am back with another exciting course blog post. This time we are getting into some more details so buckle up!
I started out this week working on the week 2 lab in our Skillsoft lab environment. The main task seemed to be configuring a DNS server in Linux. I was cruising along on this lab when I realized... this is not actually our assignment for the week! I noticed on our lab report template that we were supposed to be working on configuring a Linux firewall. I also checked our week 2 lesson and we definitely had a mistake somewhere. It turns out we need to do the Skillsoft week 7 lab in order to practice with the Linux firewall.
Now that we are working on the proper lab, let's talk about Linux firewalls. This stuff was pretty basic; I just needed to get familiar with all of the commands. The main command to use was iptables, and we needed to run it as the root user. We could also add some modifiers to display additional information or change the formatting of the output. We mostly used the --line-numbers display to make it easy to recognize the rule numbers for our firewall. The other modifiers gave us additional information:
#iptables --line-numbers -n -L
#iptables -L -n -v
-n displays the ip address and port in numeric format
-L lists the rules
-v displays detailed information
--line-numbers adds line numbers to the rules which can be used to modify rule
So when we put all this together and type the command:
iptables --line-numbers -n -L we get a nice numbered display of rules like:
We were also able to create, modify and delete some of our firewall rules, which we will definitely need to do. The main concern here was turning off telnet connections, as telnet is dangerous and lacks encryption. In order to turn off telnet connections, we used this command:
#iptables -A INPUT -p tcp --dport 23 -j DROP
which results in a rule that will not allow telnet connections. Because the target is DROP, the incoming SYN to port 23 is silently discarded, so the client hangs until it times out rather than getting an immediate "Connection refused" (a REJECT target would send that). Note also that -A appends the rule at the end of the INPUT chain: if an earlier rule already ACCEPTs port 23 or all traffic, that rule matches first and the DROP never applies; use -I INPUT 1 to put it at the top, and check the order with iptables -L INPUT -n --line-numbers. This is what the rule that we typed in looks like in the iptable:
Then, as I stated, the telnet connection does not get through:
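An added example, not from the original post: the listing produced by `iptables -L INPUT -n --line-numbers` is what you work from when you need to remove or reorder rules, and two things about it bite in practice: the first matching rule wins, so a DROP appended below an existing ACCEPT for the same port does nothing, and deleting by number renumbers every rule below it. The shell functions below parse a constructed sample listing (the rules and addresses are made up for the example) to find the rule that actually applies to port 23 and to emit the `-D` commands in an order that stays valid.

```sh
#!/bin/sh
# Work with the output of `iptables -L <chain> -n --line-numbers`, read from
# stdin, so the same functions run against a live listing
# (`iptables -L INPUT -n --line-numbers | first_target_for_port 23`) or against
# the constructed sample at the bottom.

# Print the rule numbers (first column) of every rule matching "dpt:PORT".
rule_numbers_for_port() {
    port="$1"
    awk -v pat="dpt:$port" '
        $1 ~ /^[0-9]+$/ {
            for (i = 1; i <= NF; i++) if ($i == pat) { print $1; break }
        }'
}

# Target of the first rule matching the port. Chains are evaluated top to
# bottom, so this is the rule the kernel actually applies; a DROP further down
# is shadowed if this prints ACCEPT.
first_target_for_port() {
    port="$1"
    awk -v pat="dpt:$port" '
        $1 ~ /^[0-9]+$/ {
            for (i = 1; i <= NF; i++) if ($i == pat) { print $2; exit }
        }'
}

# Emit `iptables -D CHAIN N` for every rule matching the port, highest number
# first: deleting rule N renumbers the rules below it, so deleting bottom-up
# keeps the remaining numbers valid.
delete_commands_for_port() {
    chain="$1"; port="$2"
    rule_numbers_for_port "$port" | sort -rn | while read -r n; do
        printf 'iptables -D %s %s\n' "$chain" "$n"
    done
}

# Constructed sample listing (made up for this example). Rule 3 ACCEPTs telnet
# before rule 5 DROPs it, the situation an appended DROP produces.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
5    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23'

echo "Effective target for port 23: $(printf '%s\n' "$SAMPLE_LISTING" | first_target_for_port 23)"
echo "To remove every port-23 rule, run in this order:"
printf '%s\n' "$SAMPLE_LISTING" | delete_commands_for_port INPUT 23
```

Once the stale ACCEPT is gone, `iptables -I INPUT 1 -p tcp --dport 23 -j DROP` (or REJECT) puts the block where nothing can shadow it.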
I think that is about it for this week! This was an interesting lab and will definitely be needed as we work on our course project and look to secure our servers.
Thanks for joining me, see you all next week!
Tim
Original Post from Security Affairs Author: Pierluigi Paganini
Security experts warn of a new piece of malware, Silex, that is bricking thousands of IoT devices, and the situation could rapidly get worse.
Akamai researcher Larry Cashdollar discovered the Silex malware, which is bricking thousands of IoT devices; over 2,000 devices were bricked in a few hours and the expert is continuing to see new infections.
Cashdollar explained that the Silex malware trashes the storage of the infected devices, drops firewall rules and wipes network configuration before halting the system.
It’s trashing the storage, dropping the iptables rules, removing the network configuration and then halting the device. pic.twitter.com/Ue661ku0fy
— Larry W. Cashdollar (@_larry0) June 25, 2019
The only way to recover infected devices is to manually reinstall the device’s firmware.
Silex is not the first IoT malware with this behavior; back in 2017 BrickerBot bricked millions of devices worldwide.
According to ZDNet, which interviewed the malware's creator, the attacks are about to intensify in the coming days.
“The malware had bricked around 350 devices when this reporter began investigating its operations, and the number quickly spiked to 2,000 wiped devices by the time we published, an hour later.” reported ZDnet.
“Attacks are still ongoing, and according to an interview with the malware’s creator, they are about to intensify in the coming days.”
The researcher Ankit Anubhav was also able to trace the attacker and confirmed that the bot was developed to brick the infected IoT devices.
Traced the attacker who has claimed responsibility and also claiming to brick 361 devices. Will try to interview him. What we speculated is right, this is a bot to cause bricking ( which the attacker says as PDOS, permanent DOS)
There is no financial motive. pic.twitter.com/gUjWCdSIQO
— Ankit Anubhav (@ankit_anubhav) June 25, 2019
Anubhav believes that the Silex malware was developed by a teenager using the online moniker Light Leafon. The same person also created the ITO IoT botnet.
According to Cashdollar, the Silex malware uses a list of known default credentials for IoT devices in an attempt to log in and perform malicious actions. The malware writes random data from /dev/random to any mounted storage it finds.
“I see in the binary it’s calling fdisk -l which will list all disk partitions,” Cashdollar told ZDNet. “It then writes random data from /dev/random to any partitions it discovers.”
The malware also deletes network settings and any other data on the device, then flushes all iptables rules before halting or rebooting the device.
The IoT malware targets any Unix-like system with default login credentials; according to Cashdollar it leverages a Bash shell version to target any architecture running a Unix-like OS.
The malware could also brick Linux servers that have the Telnet port open and use known credentials.
The IP address (185[.]162[.]235[.]56) behind the attacks observed by the experts is hosted on a VPS server owned by novinvps.com, which is operated out of Iran.
According to Ankit Anubhav, who spoke with the author of the malware, the developer has definitively abandoned the HITO botnet for Silex and plans to implement other destructive features (SSH hijacking capability, adding exploits to Silex).
At this time Light's motivation for these attacks is not clear; let's hope he will use his talent for legal and good projects.
Pierluigi Paganini
(SecurityAffairs – Silex malware, hacking)
The post Silex malware bricks thousands of IoT devices in a few hours appeared first on Security Affairs.
~Lab#2 Configuring DNS
We have reached week 2. This week we focused on configuring DNS servers with Linux. Although it is a challenge to remember all of the commands and what they do, this lab stepped through each step perfectly and I was able to complete it with no problems and take in the needed information as to why I was doing what I was doing (configuring DNS servers). It's important to know WHY you are doing something, because you get a better grasp on the material and are able to use it in the future if you understand the concepts. This lab took us through steps for inputting rules, deleting rules, and telnet connections. Below is a screenshot from the lab.
This shows the rules I have created and deleted, along with using the sudo iptables -L -n --line-numbers command to show my inputs.
Here's how to set up LXC-based "chroots" on Debian stretch. While I wrote about this for Debian jessie, I had to make some networking changes for stretch, so here are the full steps that should work on stretch.
Start by installing (as root) the necessary packages:
apt install lxc libvirt-clients debootstrap
Network setup
I decided to use the default /etc/lxc/default.conf configuration (no change needed here):
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:FF:AA:xx:xx:xx
That configuration requires that the veth kernel module be loaded. If you have any kinds of module-loading restrictions enabled, you probably need to add the following to /etc/modules and reboot:
veth
Next, I had to make sure that the "guests" could connect to the outside world through the "host":
Enable IPv4 forwarding by putting this in /etc/sysctl.conf:
net.ipv4.ip_forward=1
and then applying it using:
sysctl -p
Restart the network bridge:
systemctl restart lxc-net.service
and ensure that it's not blocked by the host firewall, by putting this in /etc/network/iptables.up.rules:
-A FORWARD -d 10.0.3.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.3.0/24 -j ACCEPT
-A INPUT -d 224.0.0.251 -s 10.0.3.1 -j ACCEPT
-A INPUT -d 10.0.3.255 -s 10.0.3.1 -j ACCEPT
-A INPUT -d 10.0.3.1 -s 10.0.3.0/24 -j ACCEPT
and applying the rules using:
iptables-apply
The last INPUT rule lets guests reach any service listening on the bridge address 10.0.3.1, not only the DNS and DHCP that lxc-net's dnsmasq provides; on a host with other services bound to all interfaces, restrict it to the ports the guests actually need (53/udp, 53/tcp and 67/udp).
Creating a container
Creating a new container (in /var/lib/lxc/) is simple:
sudo MIRROR=http://httpredir.debian.org/debian lxc-create -n sid64 -t debian -- -r sid -a amd64
You can start or stop it like this:
sudo lxc-start -n sid64
sudo lxc-stop -n sid64
Connecting to a guest using ssh
The ssh server is configured to require pubkey-based authentication for root logins, so you'll need to log into the console:
sudo lxc-stop -n sid64
sudo lxc-start -n sid64 -F
Since the root password is randomly generated, you'll need to reset it before you can login as root:
sudo lxc-attach -n sid64 passwd
Then login as root and install a text editor inside the container because the root image doesn't have one by default:
apt install vim
then paste your public key in /root/.ssh/authorized_keys.
Then you can exit the console (using Ctrl+a q) and ssh into the container. You can find out what IP address the container received from DHCP by typing this command:
sudo lxc-ls --fancy
Mounting your home directory inside a container
In order to have my home directory available within the container, I created a user account for myself inside the container and then added the following to the container config file (/var/lib/lxc/sid64/config):
lxc.mount.entry=/home/francois home/francois none bind 0 0
before restarting the container:
lxc-stop -n sid64
lxc-start -n sid64
Fixing locale errors
If you see a bunch of errors like these when you start your container:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "fr_CA.utf8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
then log into the container as root and use:
dpkg-reconfigure locales
to enable the same locales as the ones you have configured in the host.
If you see these errors while reconfiguring the locales package:
Generating locales (this might take a while)...
  en_US.UTF-8...cannot change mode of new locale archive: No such file or directory
 done
  fr_CA.UTF-8...cannot change mode of new locale archive: No such file or directory
 done
Generation complete.
and see the following dmesg output on the host:
[235350.947808] audit: type=1400 audit(1441664940.224:225): apparmor="DENIED" operation="chmod" info="Failed name lookup - deleted entry" error=-2 profile="/usr/bin/lxc-start" name="/usr/lib/locale/locale-archive.WVNevc" pid=21651 comm="localedef" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
then AppArmor is interfering with the locale-gen binary, and the work-around I found is to temporarily shut down AppArmor on the host (this lifts confinement from every AppArmor-protected process on the host, not just the container, so keep the window short):
lxc-stop -n sid64
systemctl stop apparmor
lxc-start -n sid64
and then start up it later once the locales have been updated:
lxc-stop -n sid64
systemctl start apparmor
lxc-start -n sid64
AppArmor support
If you are running AppArmor, your container probably won't start until you add the following to the container config (/var/lib/lxc/sid64/config):
lxc.aa_allow_incomplete = 1
This lets the container start on a kernel that lacks the AppArmor mount-mediation features the LXC profile expects. Without those features the pathname-based file rules can be sidestepped by remounting, so the profile then protects against accidental damage rather than against a determined attacker inside the container.
via Planet Debian
EC-Council Certified Security Analyst - ECSA | EC-Council
Module 1 Need for Security Analysis: theory
Module 2 Advanced Googling: goohost; Google Hack (Windows tool); Google dorks; Google hacking
Module 3 TCP/IP Packet Analysis: Wireshark
Module 4 Advanced Sniffing Techniques: Wireshark (3-way handshake example); Cain & Abel (one type of sniffing); ettercap and EtherApe; websploit; dsniff; ssl scripting; urlsnarf; Hamster; easy-creds
Module 5 Vulnerability Analysis with Nessus: installing Nessus on Windows; installing Nessus on BackTrack; scanning with Nessus
Module 6 Advanced Wireless Testing: airmon-ng; reaver; brute-force and dictionary attacks; gerix; fern
Module 7 Designing a DMZ: how to design a DMZ with a firewall; theory
Module 8 Snort Analysis: Snort on BackTrack and Windows; honeypot
Module 9 Log Analysis: urlsnarf common log format; BlindElephant; crawler; cms-explorer; DirBuster GUI; plecost; HTExploit
Module 10 Advanced Exploits and Tools: Metasploit; buffer overflow; web exploits; Armitage
Module 11 Penetration Testing Methodologies: theory
Module 12 Customers and Legal Agreements: theory
Module 14 Penetration Testing Planning and Scheduling: theory
Module 15 Pre-Penetration Testing Checklist: LookLAN Network Monitor; email tracker; SuperScan; nmap; winfingerprint-0.6.2; Advanced IP Scanner and IP port scan
Module 16 Information Gathering: whois; dnsenum; dnsmap; dnsrecon; Maltego; dig; fierce; theHarvester; dnsdict6; dmitry; jigsaw; xprobe2; dnswalk; dnstracer; 0trace; goohost; Metasploit
Module 17 Vulnerability Analysis (scanning ip:123.49.59.173 *.php?id=): nikto; uniscan; w3af GUI; Vega GUI; websurify GUI; webshag GUI; wstool (SQL scanner); WebScarab; wapiti.py; OWASP GUI; grabber.py (SQL injection); OpenVAS; wbox; Nessus; Acunetix (Windows GUI); cms-explorer; Nexpose; Grendel-Scan; Retina (Windows GUI); fimap (LFI/RFI scanner); asp-auditor; golismero; wpscan; websorrow; joomscan; wmap; arachni; nmap; devtest; HTExploit; SQL scan (Windows GUI)
Module 18 External Penetration Testing: dnstracer; httprint; dnswalk; urlcrazy; Maltego; 0trace; goohost; smtpscan; IP forwarding; nmap; httrack; list url; whatweb
Module 19 Internal Network Penetration Testing: network discovery; netifera; ipcalc; httrack; protos; lanmap; itrace; arping; ssldump; tctrace; fping; unicornscan; autoscan; smtpscan; samrdump; nmap
Module 20 Router and Switch Penetration Testing: brute force against the router; ARP spoofing; ettercap; nslookup; router dictionary attack; cisco-auditing-tool; open router with hydra
Module 21 Firewall Penetration Testing: firewall concepts; iptables on BackTrack; how to use iptables on BackTrack to create inbound, outbound, forward, drop and reject rules; how to install a firewall on BackTrack; how to use the firewall on Windows; hping; wafw00f
Module 22 IDS Penetration Testing: Snort; pentbox honeypot
Module 23 Wireless Network Penetration Testing: airmon-ng; reaver; brute force; dictionary attack; gerix; fern; kismet
Module 24 Denial of Service Penetration Testing: LOIC; HOIC; slowloris on BackTrack; with a botnet; webkiller; websploit; mail bomber; proxy sniffer
Module 25 Password Cracking Penetration Testing: hydra; brute force; Windows 7 admin password (also from BackTrack); Windows 8 admin password; Windows XP admin password; syskey; BIOS password; brute force on RAR and ZIP files; brute force on Facebook and Gmail accounts; cmospwd on BackTrack 5 for the BIOS password; samdump for syskey; chntpw for the system password
Module 26 Social Engineering Penetration Testing: SET toolkit on BackTrack 5
Module 28 Application Penetration Testing: devtest; AppScan
Module 29 Physical Security Penetration Testing: u3-pwn on BackTrack
Module 30 Database Penetration Testing: blind SQL injection; error-based SQL; string-based SQL; WAF bypass; MS SQL error-based; MS SQL string-based; sqlmap; darkmysqli
Module 32 VPN Penetration Testing: proXPN; CyberGhost; AnonymoX add-on; CGWebInstall-en; hideman-install; VPNReactor; privatetunnel; VPN monitor; ike-scan
Module 33 War Dialing Tools: autoscan network; modem scan
Module 34 Trojans and Viruses: botnet; keylogger; how to make a virus FUD to bypass antivirus; binding; ProRat; DarkComet; ringloger; SpyEye keylogger on BackTrack; rkhunter; anti-keylogger; anti-trojan; netcat; chkrootkit; antispyeye; antivirus; weevely; WeBaCoo (Web Backdoor Cookie Script-Kit)
Module 35 Log Management Penetration Testing
Module 36 File Integrity Checking: TrueCrypt; hash types; crypter; BitLocker; recovering lost files; recovering deleted images; recovering deleted movies; mopest; hashcat; ewizard (BackTrack > Miscellaneous Clients > ewizard)
Module 37 Bluetooth and Mobile Penetration Testing
Module 38 Broadband Communication and Telecommunication Penetration Testing: aircrack; WiFi hacking
Module 39 Email Security Penetration Testing: fake mail; mail bomber; email tracker; how to send password-protected mail; how to send time-limited email; phishing; how to protect against phishing; anti-phishing; mopest; tabnabbing; SET
Module 40 Patch Management: GFI LANguard; how to patch SQL injection; how to stay safe from symlink attacks; how to protect against DDoS; how to patch LFI/RFI; how to patch WiFi; how to patch IIS attacks
Module 41 Data Leakage Penetration Testing: keylogger; steganography; how to hide data; file protection; TrueCrypt; image hide
Module 42 Penetration Testing Report Analysis: theory
Module 43 Penetration Testing
Report and Documentation Writing 1.how be make report ------------------------------------------------- Module 44 Penetration Testing Deliverables and Conclusion thory ----------------------------------------------------- thanks bye bye bye
