#Save changes to iptables | Explore Tumblr posts and blogs

computingpostcom · 3 years ago

Text

I’m a person who is nuts about security. Seeing multiple layers of security being circumvented on a network is just against the reasons I’m security-centric all times. Some System administrators can’t take few minutes of their time to close the front door, and this always impact negatively on network systems. In this guide, we’ll look at defense in depth- covering both port security and use of firewalls to secure Linux servers. Since we can’t cover everything in this tutorial, We’ll concentrate on firewalld basics and demos on various configurations. What is Firewalld? Firewalld is a dynamic firewall service that manages the Linux kernel netfilter subsystem using low-level iptables,ip6tables and ebtables commands. Firewalld is the default firewall service used in Red Hat Enterprise Linux 7 (RHEL) family of Linux distributions. It has support for IPv4 and IPv6 firewall settings. The firewall service provided by firewalld is dynamic rather than static because the changes made to the configuration are immediately implemented, there is no need to apply or save the changes. This is an advantage since unintended disruption of existing network connections can’t occur. Firewalld separates all incoming traffic into zones, and each zone have its own set of rules. Firewalld logic used for incoming connection Firewalld has to determine the zone to use for an incoming connection. To do this, the following order is followed, the first rule that matches wins: If the source address of an incoming packet matches a source rule setup for a zone, that packet is routed through the zone. If an incoming interface for a packet matches a filter setup for a zone, that zone will be used. Else the default zone is used. Note: The default zone for any new network interface will be set to the public zone. Where are the configuration files? The configuration files for firewalld are stored in various XML files in /usr/lib/firewalld/ and /etc/firewalld/ directories. These files can be edited,written to, backed up and used as templates for other installations. If a configuration file having same name is stored in both locations, the version from /etc/firewalld/ will be used, this means administrators can override default zones and settings. How to manage firewalld? As a way to make changes to firewall service, three ways are available: Using the command line client, firewall-cmd. It is used to make both permanent and run-time changes. A root user or any member of wheel group can run firewall-cmd command, polkit mechanism is used to authorize the command. Using the graphical tool firewall-config Using the configuration files in /etc/firewalld/ NOTE: The firewalld.service and iptables.service,ip6tables.service and ebtables.service services conflict with each other. It is a good practice to mask the other services before running firewalld service . This can be done with below commands: for SERVICE in iptables ip6tables ebtables; do systemctl mask $SERVICE.service done } How is firewalld different from iptables? Firewalld stores its configuration files in various XML files in /usr/lib/firewalld/ and /etc/firewalld/ while iptables service stores them in /etc/sysconfig/iptables. The file /etc/sysconfig/iptables does not exist on RHEL 7 since it comes with firewalld by default. With the iptables service, old rules has to be flushed when every single change is made, the rules has to be re-read from /etc/sysconfig/iptables. With firewalld only the differences are applied and settings can be changed during run time without losing existing connections. Firewalld vs IPtables Working Diagram Configuring firewall settings with firewall-cmd firewall-cmd is installed as part of the main firewalld package. Almost all commands will work on the runtime configuration, unless the --permanent option is specified. The zone where the rules are applied is specified using the option --zone=. Default zone is used if --zone is omitted.

Changes are activated with firewall-cmd --reload if they are applied to the --permanentpermanent configuration. The following table shows a number of frequently used firewall-cmd commands, along with explanation: Command Command Explanation --get-zones List all available zones --get-default-zone Get the current default zone --get-active-zones List all zones with an interface or source tied to them and are currently in use. --set-default-zone= Set the default zone. This will change both the runtime and permanent configuration. --list-all-zones Retrieve all information for all zones – interfaces,ports,services,sources e.t.c. --list-all [--zone=] List all configured services,ports,sources and interfaces for . Default zone is used if no --zone= option is used. --add-interface= [--zone=] Route all traffic coming through to the specified zone. Default zone used if no --zone= option is provided. --change-interface= [--zone=] Associate an interface with the instead of its current zone. Default zone used if no --zone= option is provided. --add-source= [--zone=] Route all the traffic that comes from the IP address/network to the specified zone. Default zone used if no zone is provided. --remove-source= [--zone= Remove a rule that routes all traffic coming from specified IP address or network from specified zone. Default zone used if no zone option is given. --get-services List all predefined services --add-service= Allow traffic to the . Default zone is used if no --zone=option is provided. --remove-service= Remove from the allowed list for the zone. Default zone is used if no --zone= option is provided. --add-port= Allow traffic to the port(s). Default zone is used if no --zone= option is provided. --remove-port= Remove port(s) from the allowed list for the zone. Default zone is used if no --zone= option is provided. --reload Drop the runtime configuration and apply the persistent configuration. Understanding Network Zones Firewalls can separate networks into different zones based on the level of trust the user has decided to place. A number of predefined zones are shipped with firewalld, and each has its intended usage. The table below explains more: Zone Default Configuration trusted By default, it allows all incoming traffic home By default, reject incoming traffic unless it matches the ssh,ipp-client,mdns,samba-client,dhcpv6-client predefined services or related to outgoing traffic public By default, reject incoming traffic unless it matches the ssh,dhcpv6-client predefined services or related to outgoing traffic. This is the default zone for newly added network interfaces. internal By default, reject incoming traffic unless it matches the ssh,ipp-client,mdns,samba-client,dhcpv6-client predefined services or related to outgoing traffic – same as home zone. work By default, reject incoming traffic unless it matches the ssh,ipp-client,dhcpv6-client predefined services or related to outgoing traffic dmz By default, reject incoming traffic unless it matches the ssh predefined services or related to outgoing traffic. Mostly used in demilitarized zone for computers that are publicly-accessible with limited access to the internal network external By default, reject incoming traffic unless it matches the ssh predefined service or is related to outgoing traffic. The outgoing traffic for IPv4 forwarded through this zone is masqueraded to resemble traffic originating from the IPv4 address of the outgoing network interface. block By default, rejects all incoming traffic unless related to outgoing traffic drop By default, drops all incoming traffic unless it is related to outgoing traffic – do not respond with ICMP errors. Using firewall-cmd examples Consider examples below to help you strengthen your knowledge on how firewall-cmd is used. First verify that firewalld is enabled and running on your system.

systemctl status firewalld.service If not running, you can start and enable it using: systemctl start firewalld systemctl enable firewalld 1. Set the default zone to dmz. firewall-cmd --set-default-zone=dmz firewall-cmd --get-default-zone 2. Assign all traffic coming from the 192.168.100.0/24 network to the trusted zone and verify. firewall-cmd --permanent --zone=trusted --add-source=192.168.100.0/24 firewall-cmd --reload firewall-cmd --list-all --zone=trusted firewall-cmd --get-active-zones 3. Open up http and https traffic for the internal zone. firewall-cmd --permanent --add-service=http,https --zone=internal firewall-cmd --reload firewall-cmd --list-services --zone=internal To remove permanent service from a zone: firewall-cmd --permanent [--zone=] --remove-service= 4. Transition eth0 interface to the “internal” zone for the current session: firewall-cmd --zone=internal --change-interface=eth0 5. Add eth1 interface to home zone: firewall-cmd --zone=home --add-interface=eth1 Other options for interface management: Query if an interface is in a zone: firewall-cmd [--zone=] --query-interface= Remove an interface from a zone: firewall-cmd [--zone=] --remove-interface= 6. Enable masquerading in a home zone firewall-cmd --zone=home --add-masquerade Disable masquerading in a zone firewall-cmd [--zone=] --remove-masquerade Query masquerading in a zone firewall-cmd [--zone=] --query-masquerade Disable masquerading permanently in a zone firewall-cmd --permanent [--zone=] --remove-masquerade 7. Enable port 3306/tcp for mysql permanently in the home zone firewall-cmd --permanent --zone=home --add-port=3306/tcp Disable a port and protocol combination permanently in a zone firewall-cmd --permanent [--zone=] --remove-port=[-]/ 8. Block echo-reply messages in the public zone firewall-cmd --zone=public --add-icmp-block=echo-reply 9. Forward ssh to host 192.168.10.5 in the internal zone firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=192.168.10.5 References Man pages: man firewall-cmd man firewalld man firewalld.zones man firewall.zone man firewall-config

0 notes

modelsdemo · 3 years ago

Text

Learning red hat enterprise linux

Know what can be done to recover a lost partition table.

Know what can be done to recover lost or deleted files.

Hands-on experience with troubleshooting tools.

Steps necessary to make sure problems can be easily found and resolved.

Learn and practice an approach to troubleshooting Linux systems.

This course is taught using both RHEL 5 and RHEL 6 so that the changes made by Red Hat in moving to RHEL 6 are understood. Each section contains a workshop where students solve problems in the area. Among other topics, the course covers the areas of booting, disk problems (LVM, RAID, ext family), handling kernel modules, client-side DHCP, NIS, and DNS, secure networking IPtable, and an overview of VPNs. After reviewing an area, the course presents typical problems and solutions for the area. The student completing this course will have the knowledge and techniques necessary to quickly find the cause or causes of the anomalous behavior and make informed decisions on how to lessen or fix the problem. Linux is an extremely stable OS yet, as with any complex system, it can have problems. Red Hat Enterprise Linux Troubleshooting (5 days)

Scripting Languages (Python, Perl, etc.).

Google Cloud Advanced Skills & Certification Workshop – Associate Cloud Engineer.

Google Cloud Advanced Skill & Certification Workshop – Professional Data Engineer.

Google Cloud Advanced Skill & Certification Workshop – Professional Cloud Architect.

Google Cloud Advanced Skills & Certification Workshops.

Google Cloud Fundamentals for AWS Professionals.

Google Cloud Big Data and Machine Learning Fundamentals.

Google Cloud Fundamentals: Core Infrastructure.

Installing and Managing Google Cloud’s Apigee API Platform in Private Cloud.

Managing Google Cloud’s Apigee API Platform for Hybrid Cloud.

Developing APIs with Google Cloud’s Apigee API Platform.

Apigee and Business Application Platform.

Customer Experiences with Contact Center AI – Dialogflow CX.

Customer Experiences with Contact Center AI – Dialogflow ES.

Machine Learning and Artificial Intelligence.

Google Cloud Advanced Skills & Certification Workshop – Security Engineer.

Leading Change When Moving to Google Cloud.

Managing Machine Learning Projects with Google Cloud.

Data-Driven Transformation with Google Cloud.

Google Cloud Advanced Skills & Certification Workshop: Cloud Developer.

Logging, Monitoring, and Observability in Google Cloud.

Developing Applications with Google Cloud.

Architecting Hybrid Cloud Infrastructure with Anthos.

Architecting with Google Kubernetes Engine.

Analyzing and Visualizing Data in Looker.

Google Cloud Advanced Skills & Certification Workshop – Data Engineer.

Developing Application with Google Cloud Platform – Classroom Course Offerings.

Serverless Data Processing with Dataflow.

From Data to Insights with Google Cloud Platform.

Google Cloud Advanced Skills & Certification Workshop – Cloud ArchitectĪrchitecting on Amazon Web Services (AWS) for Google Cloud Professionals.

Google Cloud Advanced Skills & Certification Workshop: Associate Cloud Engineer (ACE)

Architecting with Google Cloud Platform: Design and Process.

Getting Started with Google Kubernetes Engine.

Architecting with Google Compute Engine.

Google Cloud Training and Certification Roadmap.

Labs are entirely HTML 5, no plug-ins or downloads needed.

Highly intuitive user interface allows easy access and completion.

Direct purchase, money saving e-commerce fulfillment.

Labs are entirely HTML 5, with no downloads or plug-ins, significantly reducing technical issues for both instructors and students.

LTI integration for single sign-on and integrated Gradebook functionality.

All scores automatically roll-up into a robust dashboard for instructors to provide actionable performance data management.

Auto Scored “flags” embedded in each lab.

BASIC LABS: This configuration includes only the labs themselves, with the auto-scored flags, but without the solution steps.

These labs also include the auto-scored flags.

ENHANCED LABS: The enhanced labs provide the step-by-step solution instructions that provide the learner with a highly prescriptive approach to mastery.

Provides instructors with actionable data about student usage.

Instructionally designed for better student outcomes.

Very easy to implement into the program.

While surveying current Red Hat Academy institutions, we sought to understand what would enhance this already powerful program. These labs are completely cloud based, can be accessed globally 24/7, offer upgraded scoring features, and have a successful record of improving student outcomes. Infosec Learning has partnered with Red Hat Academy to deploy the RHEL 8 labs. Sign up for a webinar RED HAT ACADEMY AND INFOSEC LEARNING

#Learning red hat enterprise linux

0 notes

dedicated-server-atalnetworks · 3 years ago

Text

How To Set Up A VPS Firewall?

A VPS is a type of computer that allows you to spin up virtual servers in order to host websites or web applications. A firewall can help protect your VPS from outside attacks, though it's important to note that some methods are more effective than others. Being able to configure your own VPS firewall is one of the best things about using this service.

Why You Need A VPS Firewall

A virtual private server (VPS) firewall is a great way to protect your online data, website, and applications. A VPS firewall is a software application installed on a Virtual Private Server that helps protect your data from unauthorized access, attacks, and theft.

There are many reasons you might want to install a VPS firewall. Perhaps you need to protect your website or application from unauthorized access or attacks. Maybe you need to keep track of who is accessing your data and what they are doing with it. Or maybe you just want to protect your privacy.

Regardless of why you might want to install a VPS firewall, there are a few things you need to consider before doing so. First, make sure that your VPS can support the installation and use of a VPS firewall. Second, decide which type of VPS firewall best suits your needs. Third, install and configure the VPS firewall accordingly. Finally, test the VPS firewall to make sure it is working properly.

How to Set Up a VPS Firewall?

Hello readers! In this blog, we will be discussing how to set up a VPS firewall. By following these simple steps, you can help protect your VPS and enable smoother online activity.

To set up a VPS firewall, you first need to purchase and install a VPN software. A VPN is a great way to protect your privacy and keep your data safe. Once the VPN is installed, open it and set up a connection to the VPS. Next, open the SSH session that you established with the VPS and enter the following command:

iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT

This command will enable the VPS firewall for TCP traffic on port 22. Now you will need to create three rules in the iptables firewall. The first rule should allow all traffic from the clients connected to your VPN server. The second rule should block all other traffic from entering the VPS. The last rule should allow outgoing TCP traffic from your VPS to the clients connected to your VPN server. Save all of your changes by pressing CTRL+X, Y and ENTER, then press ENTER again to exit the SSH session

Conclusion

Setting up a VPS firewall is an important step in protecting your business data from cybercrime. By limiting access to your server from the outside world, you can help keep your data safe and secure. In this article, we will show you how to set up a VPS firewall using the Linux operating system. We recommend reading our guide before beginning so that you have a better understanding of the steps involved. Once you have completed the tutorial, be sure to read our tips on how to protect your VPS against attack.

0 notes

wolfliving · 8 years ago

Text

How to (attempt to) secure your Raspberry Pi against IoT hacker attacks

*Gee, that doesn’t look difficult, painful, or time-consuming.

https://makezine.com/2017/09/07/secure-your-raspberry-pi-against-attackers/

Why would anyone hack a Raspberry Pi?

Its computing power can be abused for operations like mining cryptocurrency.

It can be used as a bounce point to attack other hosts, in order to cover the attacker’s tracks.

It’s an entry point to the rest of an internal network. An attacker can easily reach the file servers and try to install ransomware, obtain documents for blackmail, or manipulate the firewall and router settings to ensure persistent access in the future for later nefarious actions, either by attacking the web console of the router or performing uPNP manipulation to open up more ports to the Internet for attack.

Passwords

Change the default passwords — If you are installing a recent version of NOOBS or Raspbian, be sure to change the default password of the “pi” user to something that is long and hard to guess. A passphase like “iamasuckerfor5dollarmojitos” is much better than P@assword1! Even if you plan on disabling the account, this first step is basic protection in case you forget.

User Accounts

Your next step should be to disable the default Pi account in Raspbian. Before doing this, create a new account on the system. You can use the useradd command to do this, with some extra flags to specify that a new home directory be created for the user. Log in as the Pi user and issue the command:

$ sudo /usr/sbin/useradd --groups sudo -m makezine

Use your own username instead of “makezine.” This will create a new account, create a directory for the account (such as /home/makezine), and add the new account to the sudo group so the user can use the sudo command. Once the new user account is created we need to set a password for the account. You can do this using the command:

$ sudo passwd makezine

Next, reset the root password. Choose something long and hard to guess.

$ sudo passwd root

Finally, you’ll want to disable the Pi account:

$ sudo passwd --lock pi

Now you can log out of the Pi account and log in with your new account and password.

Securing SSH

By default, Raspbian installs a remote access shell (SSH) that can be accessed from anywhere. You can disable this by setting up SSH so that only machines with an authorized SSH key can log in. Back up your private keys in at least two locations you trust.

To set them up, edit the SSH configuration file using vi, or another text editor, with the command:

$ sudo vi /etc/ssh/sshd_config

Make sure the following lines are set and uncommented — meaning that the lines are in the file and they aren’t preceded with a hash tag symbol, which marks a line as a comment and ignores it for configuration purposes:

# Authentication: LoginGraceTime 120 PermitRootLogin no StrictModes yes RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile %h/.ssh/authorized_keys # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords PasswordAuthentication no UsePAM no

The last line is very important since it will disable Pluggable Authentication Modules (PAM), or native Linux authentication, and only allow users to log in with a key. Next, generate an SSH key. You can do this with PuTTY on Windows or with the ssh-keygen command on Linux. Create a .ssh directory in your user’s home directory and an authorized_keys file with the following commands. Be sure to set the permissions properly (otherwise the key based authentication will fail):

$ mkdir ~/.ssh $ chmod 0700 ~/.ssh $ touch ~/.ssh/authorized_keys $ chmod 0600 ~/.ssh/authorized_keys

Next use your text editor to edit the authorized_keys file and paste in the public key you generated so you can log in. Be sure to restart SSH to ensure the changes take effect using the command:

$ sudo systemctl restart ssh

Firewall

Once you’ve locked down SSH, you’ll want to ensure that the iptables firewall is running on your Pi. For good measure, you can configure the firewall so that it logs a message whenever a firewall rule is activated and a connection is blocked. First make sure that iptables is installed using the command:

$ sudo apt-get install iptables iptables-persistent

Note that using the iptables firewall will require new kernel modules to be loaded. The easiest way to load them is to reboot your Pi. Once iptables is installed, go ahead and check the current iptables rules with the command:

$ sudo /sbin/iptables -L

This will list the rules, which are probably empty. You can save these rules off to a text file and edit it using the command:

$ sudo /sbin/iptables-save > /etc/iptables/rules.v4

This is the file that iptables-persistent uses when your system boots or reboots to make sure that the firewall is still running. Save, then edit the file so that it looks somewhat like the following (altering whatever rules you need):

$ sudo cat /etc/iptables/rules.v4 :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT # Accepts all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allows all outbound traffic # You could modify this to only allow certain traffic -A OUTPUT -j ACCEPT # Allows SSH connections # The --dport number is the same as in /etc/ssh/sshd_config -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT # log iptables denied calls (access via 'dmesg' command) -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy: -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT

Next, ensure your iptables are working properly. This can be tricky (((etc etc etc etc)))

3 notes · View notes

sololinuxes · 6 years ago

Text

Como usar múltiples puertos SSH

Como usar múltiples puertos SSH. Para un sysadmin es algo común y aceptable tener la necesidad de especificar más de un puerto SSH para el demonio sshd. Hablamos de una practica especialmente útil a la hora de depurar o implantar una seguridad adicional, sobre todo cuando el servidor o VPS está vinculado a varias direcciones IP diferentes. El proceso es bastante simple, no se requiere de ningún tipo de conocimiento avanzado, tan solo debes estar familiarizado con la consola / terminal y algún editor de la misma (por ejemplo nano). Vemos como proceder.

Como usar múltiples puertos SSH

Lo único que tenemos que hacer es editar el archivo de configuración "/etc/ssh/sshd_config", agregando bajo el puerto predeterminado (por defecto el 22) más puertos. nano /etc/ssh/sshd_config Veras algo similar a... # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: En este ejemplo agregaremos dos puertos más, el 210, y el 220. Lo que tenemos que hacer es descomentar la linea del puerto 22 (muy importante), y agregar a continuación las de los puertos 210 y 220. Nos quedara de esta forma... # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # Port 22 Port 210 Port 220 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: Reiniciamos el servicio ssh. sudo systemctl restart ssh OJO!!!!! NO cierres la consola / terminal, primero tenemos que abrir los puertos ssh, en este caso directamente sobre iptables / nftables. iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 210 -j ACCEPT iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 220 -j ACCEPT Guardamos las nuevas reglas y reiniciamos iptables o nftables. service iptables save service iptables restart

Verificar los puertos SSH

Podemos verificar que los puertos están escuchando correctamente con el comando netstat y grep. netstat -nal | grep 22 Entre las salidas podrás localizar lineas similares a: tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:210 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:220 0.0.0.0:* LISTEN Al intentar conectarnos a uno de los nuevos puertos, es posible que aparezca la siguiente advertencia: The authenticity of host ':210 (:210)' can't be established. ECDSA key fingerprint is SHA256:12efZx1MOEmlxQOWKhM5eaxDwJr4vUlLhcpElkGHTow. Are you sure you want to continue connecting (yes/no)? No te alarmes, solo intenta autentificar la conexión. Responde "yes". Damos por concluido este articulo. Espero que este articulo sea de utilidad, puedes colaborar con nosotros con una donación (paypal), o con el simple gesto de compartir los manuales en tu sitio web, blog, foro o redes sociales. Read the full article

#/etc/ssh/sshd_config #demoniosshd #ip #iptables #múltiplespuertos #nano #Netstat #nftables #puerto #puertosssh #serviciossh #servidor #ssh #sshd #sysadmin #vps

0 notes

blondiecode-lh · 8 years ago

Text

MongoDB extorted by a kraken ransomware virus. SOLVED

Recently plenty of servers became a victim of hacker attacks. The reason was the vulnerability of non-relational database mongodb. Hackers used this security hole to erase database from the server and demanded a ransom by inserting the following code in your database:

The victim could find this record in mongodb logfile (for ubuntu-servers the path is /var/log/mongodb/mongod.log).

When you recover the database hacker will erase it again, so even if you have backups on your server this will not solve a problem.

What should I do to protect my server?

DO NOT PAY TO THIS RASCAL! He will not return your database.

1. If your database should not be reachable for external ips, you may just disable remote access to a MongoDB server. Change mongod.conf (standart path for Ubuntu is /etc/mongod.conf) and uncomment or add the rule: If you need access to your database from external ip-address go to point 2.

2. Deny all incoming traffic from external ip-adresses on port 27017 (or your custom port for MongoDB server)! For Linux systems use iptables program. Remember that rules in iptables configurations fall into chains and chains have an order. At first you should open the port for some external ip and then close it for others. If you will change an order you will disable access for all ips. Insert this rule to open port for local database Insert rules for external servers that use your database (new rule for each ip) Then deny access for everyone else Attention! Do NOT use this command BEFORE you read next! Important additional information, you can read next rule in mongodb help Change Default Policy to DROP https://docs.mongodb.com/manual/tutorial/configure-linux-iptables-firewall/ iptables -P INPUT DROP Unfortunately some people don't read all sentences. This rule you can use only after completing all iptables configuration, because this rule can close to You all connections to your server including SSH immediately. And you should not use this rule in this exactly case, because closing mongodb port are good enough. But do not worry if you lost connection to your server, just restart it from provider web interface. All iptables rules will be dropped. To check all iptables configuration use this command: To drop ALL iptables: Important! This rules will work up to server restart. So if some rule working wrong and you lost connection to your server, just restart it via your provider web interface. Use iptables-persistent if you need automatically restarting service. Installation: If rules are determined but iptables-peristent are not installed, rules will be saved automatically during installation. To start service: Rules are saved to /etc/iptables/rules.v4 and /etc/iptables/rules.v6

Using this service, you can check your server for open ports: https://www.shodan.io (Just type your server's ip in the search box)

#[email protected]#[email protected] virus #kraken mongodb drop #mongodb hacker attack #mongodb drop database #kraken ransomware virus #mongodb sequrity #mongodb protection from hackers #mongodb sequrity hole

3 notes · View notes

treslogicsblog · 4 years ago

Text

10 Basic Strides for Planning Another Laborer

By Tres Logics

That is a respectable new Linux laborer you showed up at… it would be a shame if something some way or another figured out how to happen to it. It might drive okay to leave the holder, yet before you put it in progress, there are 10 phases you need to take to guarantee it's planned securely. The nuances of these methods may change starting with one scattering then onto the next, yet sensibly they apply to any sort of Linux. By affirming these methods on new specialists, you can ensure that they have in any occasion fundamental protection from the most broadly perceived attacks.

What Why

Customer configuration Secure your accreditations

Association configuration Build up correspondences

Pack management Add what you need, wipe out what you don't

Update installation Fix your shortcomings

NTP configuration Forestall clock drift

Firewalls and Iptables Limit your external impression

Getting SSH Solidify far away gatherings

Daemon configuration Minimize your attack surface

SELinux and further hardening Protect the piece and applications

Logging Know what's happening

1 - Customer Game plan

Indisputably the main thing you should do if it wasn't fundamental for your working framework game plan, is to change the root secret key. This should act normally obvious anyway can be incredibly overlooked during an ordinary laborer course of action. The mysterious word should be at any rate 8 characters, using a blend of upper and lowercase letters, numbers, and pictures. You should in like manner set up a mysterious key procedure that decides developing, locking, history, and unpredictability necessities if you will use close by records. A large part of the time, you ought to debilitate the root customer through and through and make non-supported customer accounts with sudo access for the people who require raised rights.

2 - Association Plan

Maybe the most fundamental arrangements you'll need to make is to engage network accessibility by distributing the specialist an IP address and hostname. For most laborers, you'll need to use a static IP so clients can by and large find the resource at a comparative area. If your association uses VLANs, consider how disconnected the specialist's section is and where it would best fit. In case you don't use IPv6, turn it off. Set the hostname, region, and DNS specialist information. At any rate two DNS laborers should be used for overabundance and you should test ns-lookup to guarantee the name objective is working adequately.

3 - Pack The chiefs

Presumably, you're setting up your new specialist for a specific explanation, so guarantee you present whatever groups you may need if they aren't fundamental for the scattering you're using. These could be application packs like PHP, MongoDB, Nginx or supporting groups like a pear. Essentially, any coincidental groups that are acquainted on your structure should with be taken out to wither the specialist impression. The whole of this should be done through your movement's pack the board game plan, for instance, yum or capable for less complex organization so to speak.

4 - Update Foundation and Plan

At the point when you have the right packages presented on your laborer, you ought to guarantee everything is revived. The groups you presented, yet the part and default packages as well. But in the event that you have a need for a specific structure, you should reliably use the latest creation conveyance to keep your system secure. Ordinarily, your pack the chief's plan will pass on the most state-of-the-art maintained variation. You should in like manner consider setting up modified revives inside the group the board instrument if doing so works for the service(s) you're working with on this laborer

5 - NTP Game plan

Mastermind your specialist to synchronize its chance with NTP laborers. These could be inside NTP laborers if your present condition has those or outside miscreants that are open for anyone. What's critical is to prevent clock skim, where the laborer's clock inclines from the constant. This can cause a huge load of issues, including approval issues where the time incline between the laborer and the affirming establishment is assessed before surrendering access. This should be a fundamental change, yet it's an essential piece of a strong system.

6 - Firewalls and iptables

Dependent upon your movement, iptables may as of now be completely gotten and anticipate that you should open what you need, anyway paying little psyche to the default config, you should reliably explore it and guarantee it's set up the way where you need. Try to reliably use the norm of least benefit and simply open those ports you thoroughly need for the organizations on that laborer. If your specialist is behind a submitted firewall or something to that effect, make sure to deny everything aside from what's significant there as well. Tolerating your iptables/firewall IS restrictive as per usual, make sure to open up what you need for your specialist to handle its work!

7 - Getting SSH

SSH is the rule far away access method for Linux courses and as such should be fittingly gotten. You ought to incapacitate the root's ability to SSH in indirectly, whether or not you injured the record with the objective that just in case of root gets enabled on the specialist for no good reason it really will not be exploitable remotely. You can similarly restrict SSH to certain IP ranges if you have a fixed course of action of client IPs that will interface. On the other hand, you can change the default SSH port to "dull" it, yet really, a fundamental yield will uncover the new open port to any person who needs to find it. Finally, you can disable mystery express check completely and use confirmation based affirmation to decrease extensively further the chances of SSH misuse.

8 - Daemon Arrangement

You've cleaned up your packs, and yet, it's basic to set the right applications to AutoStart on reboot. Make sure to execute any daemons you needn't mess with. One key to a protected specialist is decreasing the unique impression whatever amount as could be anticipated so the solitary surface districts available for attack are those required by the application(s). At whatever point this is done, lingering organizations should be cemented whatever amount as could be required to ensure strength.

9 - SELinux and Further Cementing

In case you've anytime used a Red Cap distro, you might be familiar with SELinux, the bit setting gadget that safeguards the system from various errands. SELinux is unprecedented at getting against unapproved use and access of structure resources. It's in like manner inconceivable at breaking applications, so guarantee you test your plan out with SELinux enabled and use the logs to guarantee nothing certifiable is being obstructed. Past this, you need to explore setting any applications like MySQL or Apache, as everybody will have a set-up of best practices to follow.

10 - Logging

Finally, you ought to guarantee that the level of logging you need is enabled and that you have sufficient resources for it. You will end up examining this specialist, so assist yourself with excursion and collect the logging structure you'll need to deal with issues quickly. Most programming has configurable logging, nonetheless, you'll require some experimentation to find the right concordance between inadequate information and to a limit. There are a huge gathering of pariah logging instruments that can help including combination to portrayal, yet every environment ought to be considered for its necessities first. By then, you can find the tool(s) that will help you fill them.

Each and every one of these methods can save some push to complete, especially the initial go through around. In any case, by setting up an ordinary act of starting laborer course of action, you can ensure that new machines in your present situation will be adaptable. Failure to take any of these steps can incite truly real results if your laborer is ever the target of an attack. Following them won't guarantee prosperity - data infiltrates happen - yet it makes it certainly harder for malignant performers and will require some degree of capacity to endure.

Worker Setup By Tres Logics

We have a solid group of specialists in the field of various Worker solidifying Establishment/setup, the board, and support.

We offer types of assistance in the accompanying regions:

Cloud Worker Establishments/Arrangement, The executives, support, and organizations. (MS Sky blue, AWS, and so forth)

Linux Worker Establishment, The board, and Support (Ubuntu, RedHat, CentOS, and so forth)

Window Workers (2016 ,2012 ,2008)

Linux, Apache, MySQL, and PHP (Light) Arrangement and Upkeep

Control Board Establishment/arrangement, the executives, and support (cPanel, Plesk, CentOS Web Board).

Java Worker Climate arrangement (Apache Tomcat, JBoss EAP, Uncontrollably, and so forth)

Data set worker establishment/setup, replication, and the board (SQL Worker, MongoDB, Redis, MySQL, and so forth)

Worker Information Movement

Mail Worker Arrangement/Setup and the board

Worker Security and checking

0 notes

xkamaindriverssite-blog · 5 years ago

Text

DOWNLOAD SCANJET 3970 DRIVER

Download Type: http File Format: exe Date Added: 12 January, 2020 Operating Systems: Windows NT/2000/XP/2003/2003/7/8/10 MacOS 10/X File Version: 510121874 Price: Free Uploader: Hero Downloads: 6314 File Size: 23 Mb File Name: scanjet 3970 driver

Bug fix: - Release NotesFixed Issues(scanjet 3970 driver Issues) - Unable to launch the Problem Report Wizard from CCCSlim in Radeon Settings. - Fixed(scanjet 3970 driver Fixed) suspect list (mydlink portal) 8. - Fixed an issue with HW saving window closing after save is selected. - Fixed system memory mapIt is highly recommended to always use the(scanjet 3970 driver the) most recent driver version available. - Fixed the D-Lab bug - Windows Media Player didn't list any recording file of DUT SD card, and disable the UPnP AV functionality. 5. - Fixed bug where IP configuration changes were not maintained over reboots. - Backup, Replication,(scanjet 3970 driver Replication,) and Failover]: Fixed a bug where the "Configuring failover. - Fixed an issue where the computer hanged when the display mode was changed to Duplicated after resuming normal operation from standby/sleep state. - Fixed summary page "CPU ID/ucode(scanjet 3970 driver ID/ucode) ID" string will show "CPU ID/uc" instead. - Fixed safe ratio for prescott FMB1.5It is highly recommended to always use the most recent driver version available. Users content: RealTek Bootrom can' T Be loadedIt is highly recommended to always use the most recent driver version available. Recording source (microphone in or line in) is selected by system mixer. The Wireless Mini Navigator is designed for portable notebooks; it's cordless, compact, has power-saving function and provides more stylish colors. You can also stream movies, TV shows and music that are stored on your computer. However, the Windows Vista Media Center application does not support TV/Capture functionality provided by the ATI All-in-Wonder. IPtables filter INPUT rule for port 21 removed in order to prevent security issues. Both applications are installed in /Applications/Creative Professional/E-MU USB Audio. Fix S4 long run failed on DC mode with BSOD 9F. Microphone port in ß> Center/Bass b. SNMP- IPV6 addressing support. http://eb4smallsoftwaresportal.guildwork.com/forum/threads/5e95c6a9881c5937e3a34818-download-temedia-fm801-vista-driver Supported OS: Microsoft Windows 10 (32-bit) Windows XP 64-bit Windows Server 2012 Windows 7 64-bit Microsoft Windows 8.1 Pro (32-bit) Notebook 8.1/8/7 32-bit Microsoft Windows 8 (64-bit) Windows 8 Microsoft Windows 8 Pro (64-bit) Windows 10 Microsoft Windows 8.1 (64-bit) Microsoft Windows 8 (32-bit) Microsoft Windows 8.1 Pro (64-bit) Microsoft Windows 8.1 Enterprise (64-bit) Microsoft Windows 10 (64-bit) Windows Server 2003 64-bit Windows 8.1/8/7/Vista 64-bit Microsoft Windows 8.1 Enterprise (32-bit) Windows Server 2012 R2 Windows 7 32-bit Windows Vista 64-bit Windows XP 32-bit Microsoft Windows 8 Pro (32-bit) Windows 8.1 Windows 7 Microsoft Windows 8 Enterprise (32-bit) Windows 2000 Windows Server 2016 Notebook 8.1/8/7 64-bit Microsoft Windows 8.1 (32-bit) Windows Server 2008 R2 Microsoft Windows 8 Enterprise (64-bit) Windows Server 2008 Windows Vista 32-bit Windows 8.1/8/7/Vista 32-bit Windows Server 2003 32-bit Searches: scanjet 3970 Hud361-udp; scanjet 3970 driver for Microsoft Windows 8.1 (64-bit); scanjet 3970 driver for Windows 7 64-bit; scanjet 3970 H36u; scanjet 3970 HXDSY3614; scanjet 3970 driver for Windows Server 2012; scanjet 3970 driver for Windows Server 2012 R2; scanjet 3970 driver for Microsoft Windows 10 (64-bit); scanjet 3970 H HX361-3; driver scanjet 3970; scanjet 3970 HX3614 Compatible Devices: Samsung; Keyboards; Scanner; Memory Card; Usb Cables; Ipad To ensure the integrity of your download, please verify the checksum value. MD5: 695cd519e08b2b1fd9f222e1012ac39b SHA1: 557ce365a3a4e2aa13a0cbad359b09f3ea234399 SHA-256: 6ba4315c97fe76b8ac833b3d09176307f74c4c0ce8084c78c9dad82e5031c726

0 notes

epaenetu09 · 5 years ago

Text

Basic concepts of Kubernetes

What is Kubernetes

Kubernetes is a container orchestration system that manages your container effectively. It is arguably the most crucial container management technology in the world and used a lot in a real production environment where you have many containers to manage.

It's essential from the scalability perspective and also to manage your resources effectively. Even though it's not from Google, Its origin is. It's created as an open-source by engineers who work on a similar tool in Google. You can understand that if it can work on the scale of Google, it's definitely well tried and tested.

What Kubernetes do

Imagine you've an application which has multiple services and each of these services configured in a very container. Let assume those two services as Service A and Service B. Also, Service A use Service B to get done some works. So, we can represent service dependency as follows.

When high availability required, then we must scale the machine so that each service have a copy of a unique and run these copy in another node( separate physical/ virtual machine).

Here, load balancer used to distribute force between servers. In this method, single point failure handled by routing traffic to other node if one node is getting down.

In lager system which has plenty of nodes and services, hardware utilization might be not efficient since every one of service requires different hardware requirements. Therefore hardwiring services right into a specific node is not that efficient. Kubernetes provide an elegant way to fix this resource utilization issues by orchestrating container services in multiple nodes.

Kubernetes cluster maintains by the master including scheduling applications, maintaining applications’ desired state, scaling applications, and rolling out new updates. A node is just a VM or a physical computer that serves as a worker machine in a Kubernetes cluster. Node and master communicate with one another through the Kubernetes API. A Kubernetes pod is a small grouping of containers which are deployed together on a single host.

Pod

A pod is a collection of containers and the unit of deployment in Kubernetes cluster. All the pod having its own IP address. Meaning, each containers in exactly the same pod have same IP address so that they'll find one another with localhost.

Services

Since pods are dynamically changing, it is hard to reference individual pod. Services providing an abstraction over Pods and provide an addressable method of communicating with pods.

Ingress

The majority of the time pods and services are encapsulated in inside the Kubernetes cluster so that external client cannot call these servers. An Ingress is a collection of rules that allow inbound connections to attain the cluster services.

Docker

A Docker Daemon is running in each node to pull images from the Docker registry and runt it.

Kubelet

Kubelet is the node agent that runs periodically to checks the health of the containers in a pods. API server sends instruction that required to operate containers and kubelet make certain containers in desired state.

Kube-proxy

Kube-proxy distribute force to the pods. Load distribution predicated on either iptable rules or round robin method.

Deployment

The deployment is what you use to describes your preferred state to Kubernetes.

Features of Kubernetes

Kubernetes provide multiple features so that application deployer can quickly deploy and maintain the entire system.

Control replication

This component allows maintaining how many replicated pods that want to help keep in Kubernetes cluster.

Resource Monitoring

Health and the performance of the cluster can be measure by using add ons such as for instance Heapster. This can collect the metrics from the cluster and save stats in InfluxDB. Data can be visualized by using Grafana which can be ideal UI to analyze these data.

Horizontal auto scaling

Heapster data also useful when scaling the machine when high load makes the system. Amount of pods can be increase or decrease according force of the system.

Collecting logs

Collecting log is very important to check the status of the containers. Fluentd used along side Elastic Search and Kibana to see the logs from the containers.

For more details about Docker and Kubernetes online course CLICK HERE

#Kubernetes Training in Hyderabad #Docker Training in Hyderabad #Docker Online Training #Kubernetes Online Training #Docker and Kubernetes Training in Hyderabad #Docker and Kubernetes Online Training #Docker and Kubernetes Training

0 notes

johnattaway · 6 years ago

Text

Where Business Hosting Services

What Panel Type Is Best For Gaming

What Panel Type Is Best For Gaming Get eaten up by it’s interfacing with end users. Is an itty bitty site? Small business, you needn’t to you for some time though we are talking about our customers can attest to our overview of the microsoft store the info files for the best services. In order find some shady online page provider, and content material distribution community are available in diverse classes similar to blogs can run on your task and get it involves making an impact in the electronic industry, you the best and most cost-effective ads tools that you can put in many cases but not in plastic i are getting a lot of cyber web websites are added for flavor, plus a few recipes you were taking into consideration what is the significance of your dollars together with fishing boats tied up to send and get hold of emails. Not only did i are looking to the server by modern web hosting web internet hosting isn’t about each url, comparable to for those who talk in regards to the future.

Which Show License Keys

Proxy classes or jax-ws moveable application that may be performed savlib command. The hosts is not there in the sense to access facilities inner to databases a 32-bit number is added to the web and technical updates to maintain your answer to suit your budget. Also, web hosting companies that you take into account the change between program or hardware encoding, and install the guest operating system. The more those who can create custom iptables rule to the vhdstore remote windows powershell session before appearing this command. Every user gets 10gb of your business. Most businesses may be the most suitable option at no cost web provider hosting. You have efficiently created a device with a view to access the web using a simple android it will keep running tabs to them, and turn among the two playable landmasses appeared to not just be about 512 mb of ram, but also at an analogous time in reviewing our thought and corporations to very large and around the globe and the accessories required for.

When Ssh Host Windows

Easiest ways to get started. It turns out that one which allows your site to share with other users. Therefore, quickbooks most effective hosting is a giant amount of any given filename load entity keybinds from anywhere you want. You can save all of your uploaded images has to be utilized in a 12 week period. English composition i is divided into four types of servers. Unix continues to be applicable today in the same server. When it’s about not being able to find web page internet hosting in budget and hostgatorvoted best linux. They need really good servers that can set up your associate site, facebook may give your company site some providers would cut down loading time by alot. The player name is overlooked. So i amassed all the free website internet hosting provider, akin to the file server,.

Where Dedicated Host

Influence, since this has been around, have they got a website? Index an index is, although, the info coverage aspect. The query of which law enforcement the uk executive introduced by microsoft in the mid-1990s, is a scripting language designed by you and printed for your system. 2. When signing up with a cloud computing substances accessible. Create a more a professional as of today, many groups which deliver these facilities adapted to making company internet sites can be accessed 24/7 in along with your work or school on planet earth, khan academy.

The post Where Business Hosting Services appeared first on Quick Click Hosting.

https://ift.tt/2quGq5P from Blogger http://johnattaway.blogspot.com/2019/10/where-business-hosting-services.html

#Quick Click Hosting

0 notes

quickclickhosting · 6 years ago

Text

Where Business Hosting Services

What Panel Type Is Best For Gaming

Which Show License Keys

When Ssh Host Windows

Where Dedicated Host

The post Where Business Hosting Services appeared first on Quick Click Hosting.

from Quick Click Hosting https://ift.tt/2quGq5P via IFTTT

#IFTTT #Quick Click Hosting

0 notes

robertbryantblog · 6 years ago

Text

Where Business Hosting Services

What Panel Type Is Best For Gaming

Which Show License Keys

When Ssh Host Windows

Where Dedicated Host

The post Where Business Hosting Services appeared first on Quick Click Hosting.

from Quick Click Hosting https://quickclickhosting.com/where-business-hosting-services-2/

#Quick Click Hosting

0 notes

whatsamknows · 7 years ago

Text

Free SSL on CentOS with Cloudflare

Cloudflare can be configured to offer free SSL to your website. No need to pay for a certificate. This post assumes you have already routed your domain through Cloudflare and use CentOS + Apache. A more detailed guide from Cloudflare is available here.

1. First generate a certificate by navigating to the Crypto section of your Cloudflare dashboard. From there, click the Create Certificate button in the Origin Certificates section. Then just use the defaults to generate the certificate and key.

2. Copy these down to two seperate files located on your web server e.g.

/var/www/html/ssl/example.com.crt /var/www/html/ssl/example.com.key

3. Configure your virtual host block as below, taking note of the parts in bold. You can just copy your existing block configured for post :80 and leave the existing one intact.

<VirtualHost 192.168.0.1:443> DocumentRoot /var/www/html2 ServerName www.yourdomain.com SSLEngine on SSLCertificateFile /var/www/html/ssl/example.com.crt SSLCertificateKeyFile /var/www/html/ssl/example.com.key </VirtualHost>

4. Test your configuration.

apachectl configtest

5. Next set permissions for your certificate and key files.

chmod 600 /var/www/html/ssl/example.com.crt chmod 600 /var/www/html/ssl/example.com.key

The enclosing folder can also be protected:

chmod 700 /var/www/html/ssl/

The owner of the directory and files should be root.

6. Make sure your server is open to traffic on port :443

Add port 443 to the firewall rule and reload the firewall service firewall-cmd --zone=public --add-port=443/tcp --permanent firewall-cmd --reload

Check whether or not the port has been added to the iptables and check whether or not port 443 is listening iptables-save | grep 443 netstat -plnt | grep ':443'

7. You should now be able to load your website via https://

In Cloudflare, enable Automatic HTTPS Rewrites, and Always use HTTPS. Change your SSL mode to Full (strict).

If you get a bad gateway error 502 or 523 when trying to load your site, make sure your firewall is open on port 443.

0 notes

josidel · 8 years ago

Text

Security measures to protect an unmanaged VPS.

Virtual private server

have long been thought of as a next-generation shared hosting solution.

They use virtualization ‘tricks’ to let you coin your own hosting environment and be a master of your server at a pretty affordable price.

If you are well-versed in server administration, then an unmanaged VPS will help you make the most of your virtual machine’s capabilities.

However, are you well-versed enough in security as well?

Here is a Linux VPS security checklist, which comes courtesy of our Admin Department.

What exactly is an unmanaged VPS?

Before we move to the security checklist, let’s find out exactly what an unmanaged VPS is and what benefits it can bring to you.

With an unmanaged VPS, pretty much everything will be your responsibility.

Once the initial setup is complete, you will have to take care of server maintenance procedures, OS updates, software installations, etc. Data backups should be within your circle of competence as well.

This means that you will need to have a thorough knowledge of the Linux OS. What’s more, you will have to handle any and all resource usage, software configuration and server performance issues.

Your host will only look into network- and hardware-related problems.

Why an unmanaged VPS?

The key advantages of unmanaged VPSs over managed VPSs are as follows:

you will have full administrative power and no one else will be able to access your information;you will have full control over the bandwidth, storage space and memory usage;you will be able to customize the server to your needs specifically;you will be able to install any software you want;you will save some money on server management – it really isn’t that hard to set up and secure a server if you apply yourself and updating packages is very easy;you will be able to manage your server in a cost-efficient way without the need to buy the physical machine itself (you would have to if you had a dedicated server);

Unmanaged VPS – security checklist

With an unmanaged VPS, you will need to take care of your sensitive personal data.

Here is a list of the security measures that our administrators think are key to ensuring your server’s and your data’s health:

1. Use a strong password

Choosing a strong password is critical to securing your server. With a good password, you can minimize your exposure to brute-force attacks. Security specialists recommend that your password be at least 10 characters long.

Plus, it should contain a mix of lower and uppercase letters, numbers and special characters and should not include common words or personally identifiable information. You are strongly advised to use a unique password so as to avoid a compromised service-connected breakthrough.

A strong password may consist of phrases, acronyms, nicknames, shortcuts and even emoticons. Examples include:

1tsrAIn1NGcts&DGS!:-) (It’s raining cats and dogs!) humTdumt$@t0nAwa11:-0 (Humpty Dumpty sat on a wall) p@$$GOandCLCt$500 :-> (Pass Go and collect $500)

2. Change the default SSH port

Modifying the default SSH port is a must-do security measure.

You can do that in a few quick steps:

Connect to your server using SSHSwitch to the root userRun the following command: vi /etc/ssh/sshd_configLocate the following line: # Port 22Remove # and replace 22 with another port numberRestart the sshd service by running the following command: service sshd restart

3. Disable the root user login

The root user has unlimited privileges and can execute any command – even one that could accidentally open a backdoor that allows for unsolicited activities.

To prevent unauthorized root-level access to your server, you should disable the root user login and use a limited admin account instead.

Here is how you can add a new admin user that can log into the server as root via SSH:

Create the user by replacing example_user with your desired username (in our case – ‘admin’): adduser adminSet the password for the admin user account: passwd adminTo get admin privileges, use the following command: echo 'admin ALL=(ALL) ALL' >> /etc/sudoersDisconnect and log back in as the new user: ssh [email protected] you are logged in, switch to the root user using the ‘su’ command: su password: whoami rootTo disable the root user login, edit the /etc/ssh/sshd_config file. You will only need to change this line: #PermitRootLogin yes to: PermitRootLogin no

You will now be able to connect to your server via SSH using your new admin user account.

4. Use a rootkit scanner

Use a tool like rkhunter (Rootkit Hunter) to scan the entire server for rootkits, backdoors and eventual local exploits on a daily basis; you’ll get reports via email;

5. Disable compilers for non-root users (for cPanel users)

Disabling compilers will help protect against many exploits and will add an extra layer of security.

From the WebHost Manager, you can deny compiler access to unprivileged (non-root) users with a click.

Just go to Security Center ->Compiler Access and then click on the Disable Compilers link:

Alternatively, you can keep compilers for selected users only.

6. Set up a server firewall

An IPTABLES-based server firewall like CSF (ConfigServer Firewall) allows you to block public access to a given service.

You can permit connections only to the ports that will be used by the FTP, IMAP, POP3 and SMTP protocols, for example.

CSF offers an advanced, yet easy-to-use interface for managing your firewall settings.

Here is a good tutorial on how you can install and set up CSF.

Once you’ve got CSF up and running, make sure you consult the community forums for advice on which rules or ready-made firewall configurations you should implement.

Keep in mind that most OSs come with a default firewall solution. You will need to disable it if you wish to take advantage of CSF.

7. Set up intrusion prevention

An intrusion prevention software framework like Fail2Ban will protect your server from brute-force attacks. It scans logfiles and bans IPs that have unsuccessfully tried to log in too many times.

Here’s a good article on how to install and set up Fail2Ban on different Linux distributions.

You can also keep an eye on the Google+ Fail2Ban Users Community.

8. Enable real-time application security monitoring

Тhe best real-time web application monitoring and access control solution on the market – ModSecurity, allows you to gain HTTP(S) traffic visibility and to implement advanced protections.

ModSecurity is available in your Linux distribution’s repository, so installing it is very easy:

apt-get install libapache2-modsecurity

Here’s a quick guide on how to install and configure ModSecurity.

Once you’ve got ModSecurity up and running, you can download a rule set like CRS (OWASP ModSecurity Core Rule Set). This way you won’t have to enter the rules by yourself.

9. Set up anti-virus protection

One of the most reliable anti-virus engines is ClamAV – an open-source solution for detecting Trojans, viruses, malware & other malicious threats. The scanning reports will be sent to your email address.

ClamAV is available as a free cPanelplugin.

You can enable it from the Manage Plugins section of your WHM:

Just tick the ‘Install ClamAV and keep updated’ checkbox and press the ‘Save’ button.

10. Enable server monitoring

For effective protection against DDoS attacks, make sure you install a logfile scanner such as logcheck or logwatch. It will parse through your system logs and identify any unauthorized access to your server.

Use software like Nagios or Monitis to run automatic service checks to make sure that you do not run out of disk space or bandwidth or that your certificates do not expire.

With a service like Uptime Doctor or Pingdom, you can get real-time notifications when your sites go down and thus minimize accidental downtime.

11. Run data backups

Make regular off-site backups to avoid the risk of losing data through accidental deletion.

You can place your trust in a third-party service like R1Soft or Acronis, or you can build your own simple backup solution using Google Cloud Storage and the gsutil tool.

If you are on a tight budget, you can keep your backups on your local computer.

12. Keep your software up to date

Keeping your software up to date is the single biggest security precaution you can take.

Software updates range from regular minor bug fixes to critical vulnerability patches. You can set automatic updates to save time.

However, keep in mind that automatic updates do not apply to self-compiled applications. It’s advisable to first install an update in a test environment so as to see its effect before deploying it to your live production environment.

Depending on your particular OS, you can use:

yum-cron (for CentOS)unattended upgrades (for Debian and Ubuntu)dnf-automatic (Fedora)

If you have not obtained an unmanaged VPS yet, you could consider our solutions:

OpenVZ VPS packages – all setups from 4 to 10 are unmanaged and come with SSH/full root access (for cPanel setups only) and with a CentOS/Debian/Ubuntu OS installation;KVM VPS setups – all four setups are unmanaged and offer SSH/full root access; OS options include CentOS/Debian/Ubuntu as well as a few OS ISO alternatives like Fedora and FreeBSD;

via Blogger http://ift.tt/2AIEre3

0 notes

javatutorialcorner · 8 years ago

Text

iptables Linux Command

iptables

iptables command [options]

System administration command. Configure netfilter filtering rules for kernels 2.4 and later. Rules for iptables consist of some matching criteria and a target, a result to be applied if the packet matches the criteria. The rules are organized into chains. You can use these rules to build a firewall, masquerade your local area network, or just reject certain kinds of network connections. There are three built-in tables for iptables: one for network filtering (filter), one for Network Address Translation (nat), and the last for specialized packet alterations (mangle). Firewall rules are organized into chains, ordered checklists of rules that the kernel works through looking for matches. The filter table has three built-in chains: INPUT, OUTPUT, and FORWARD. The INPUT and OUTPUT chains handle packets originating from or destined for the host system. The FORWARD chain handles packets just passing through the host system. The nat table also has three built-in chains: PREROUTING, POSTROUTING, and OUTPUT. mangle has only two chains: PREROUTING and OUTPUT. netfilter checks packets entering the system. After applying any PREROUTING rules, it passes them to the INPUT chain, or to the FORWARD chain if the packet is just passing through. Upon leaving, the system packets are passed to the OUTPUT chain and then on to any POSTROUTING rules. Each of these chains has a default target (a policy) in case no match is found. User-defined chains can also be created and used as targets for packets but do not have default policies. If no match can be found in a user-defined chain, the packet is returned to the chain from which it was called and tested against the next rule in that chain. iptables changes only the rules in the running kernel. When the system is powered off, all changes are lost. You can use the iptables-save command to make a script you can run with iptables-restore to restore your firewall settings. Such a script is often called at bootup. Many distributions have an iptables initialization script that uses the output from iptables-save.

Commands

iptables is almost always invoked with one of the following commands: -A chain rules, --append chain rules Append new rules to chain. -D chain rules, --delete chain rules Delete rules from chain. Rules can be specified by their ordinal number in the chain as well as by a general rule description. -E old-chain new-chain, --rename-chain old-chain new-chain Rename old-chain to new-chain. -F [chain] , --flush [chain] Remove all rules from chain, or from all chains if chain is not specified. -I chain number rules, --insert chain number rules Insert rules into chain at the ordinal position given by number. -L [chain] , --list [chain] List the rules in chain, or all chains if chain is not specified. -N chain, --new-chain chain Create a new chain. The chain's name must be unique. This is how user-defined chains are created. -P chain target, --policy chain target Set the default policy for a built-in chain; the target itself cannot be a chain. -R chain number rule, --replace chain number rule Replace a rule in chain. The rule to be replaced is specified by its ordinal number. -X [chain] , --delete-chain [chain] Delete the specified user-defined chain, or all user-defined chains if chain is not specified. -Z [chain] , --zero [chain] Zero the packet and byte counters in chain. If no chain is specified, all chains will be reset. When used without specifying a chain and combined with the -L command, list the current counter values before they are reset.

Targets

A target may be the name of a chain or one of the following special values: ACCEPT Let the packet through. DROP Drop the packet. QUEUE Send packets to the user space for processing. RETURN Stop traversing the current chain and return to the point in the previous chain from which this one was called. If RETURN is the target of a rule in a built-in chain, the built-in chain's default policy is applied.

Rule specification parameters

These options are used to create rules for use with the preceding commands. Rules consist of some matching criteria and usually a target to jump to (-j) if the match is made. Many of the parameters for these matching rules can be expressed as a negative with an exclamation point (!) meaning "not." Those rules will match everything except the given parameter. -c packets bytes, --set-counters packets bytes Initialize packet and byte counters to the specified values. -d [!] address[/mask] [!] [port] , --destination [!] address[/mask] [port] Match packets from the destination address. The address may be supplied as a hostname, a network name, or an IP address. The optional mask is the netmask to use and may be supplied either in the traditional form (e.g., /255.255.255.0) or in the modern form (e.g., /24). [!] -f, [!] --fragment The rule applies only to the second or further fragments of a fragmented packet. -i [!] name[+] , --in-interface name[+] Match packets being received from interface name. name is the network interface used by your system (e.g., eth0 or ppp0). A + can be used as a wildcard, so ppp+ would match any interface name beginning with ppp. -j target, --jump target Jump to a special target or a user-defined chain. If this option is not specified for a rule, matching the rule only increases the rule's counters, and the packet is tested against the next rule. -o [!] name[+] , --out-interface name[+] Match packets being sent from interface name. See the description of -i for the syntax for name. -p [!] name, --protocol [!] name Match packets of protocol name. The value of name can be given as a name or number, as found in the file /etc/protocols. The most common values are tcp, udp, icmp, or the special value all. The number 0 is equivalent to all, and this is the default value when this option is not used. If there are extended matching rules associated with the specified protocol, they will be loaded automatically. You need not use the -m option to load them. -s [!] address[/mask] [!] [port] , --source [!] address[/mask] [!] [port] Match packets with the source address. See the description of -d for the syntax of this option.

Options

-h [icmp] , --help [icmp] Print help message. If icmp is specified, a list of valid ICMP type names will be printed. -h can also be used with the -m option to get help on an extension module. --line-numbers Used with the -L command. Add the line number to the beginning of each rule in a listing, indicating its position in the chain. -m module, --match module Explicitly load matching rule extensions associated with module. See the next section. --modprobe=command Use specified command to load any necessary kernel modules while adding or inserting rules into a chain. -n, --numeric Print all IP address and port numbers in numeric form. By default, text names are displayed when possible. -t name, --table name Apply rules to the specified table. Rules apply to the filter table by default. -v, --verbose Verbose mode. -x, --exact Expand all numbers in a listing (-L). Display the exact value of the packet and byte counters instead of rounded figures.

Match extensions

Several modules extend the matching capabilities of netfilter rules. Using the -p option will cause iptables to load associated modules implicitly. Others need to be loaded explicitly with the -m or --match options. Here we document those modules used most frequently. icmp Loaded when -p icmp is the only protocol specified: --icmp-type [!] type Match the specified ICMP type. type may be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h. multiport Loaded explicitly with the -m option. The multiport extensions match sets of source or destination ports. These rules can be used only in conjunction with -p tcp and -p udp. Up to 15 ports can be specified in a comma-separated list: --source-port [ports] Match the given source ports. --destination-port [ports] Match the given destination ports. --port [ports] Match if the packet has the same source and destination port and that port is one of the given ports. state Loaded explicitly with the -m option. This module matches the connection state of a packet: --state states Match the packet if it has one of the states in the comma-separated list states. Valid states are INVALID, ESTABLISHED, NEW, and RELATED. tcp Loaded when -p tcp is the only protocol specified: --source-port [!] [port] [:port] , --sport [!] [port] [:port] Match the specified source ports. Using the colon specifies an inclusive range of services to match. If the first port is omitted, 0 is the default. If the second port is omitted, 65535 is the default. You can also use a dash instead of a colon to specify the range. --destination-port [!] [port] [:port] , --dport [!] [port] [:port] Match the specified destination ports. The syntax is the same as for --source-port. --mss n[:n] Match if TCP SYN or SYN/ACK packets have the specified MSS value or fall within the specified range. Use this to control the maximum packet size for a connection. [!] --syn Match packets with the SYN bit set and the ACK and FIN bits cleared. These are packets that request TCP connections; blocking them prevents incoming connections. Shorthand for --tcp-flags SYN,RST,ACK SYN. --tcp-flags [!] mask comp Match the packets with the TCP flags specified by mask and comp. mask is a comma-separated list of flags that should be examined. comp is a comma-separated list of flags that must be set for the rule to match. Valid flags are SYN, ACK, FIN, RST, URG, PSH, ALL, and NONE. --tcp-option [!] n Match if TCP option is set. udp Loaded when -p udp is the only protocol specified: --source-port [!] [port] [:port] , --sport [!] [port] [:port] Match the specified source ports. The syntax is the same as for the --source-port option of the TCP extension. --destination-port [!] [port] [:port] , --dport [!] [port] [:port] Match the specified destination ports. The syntax is the same as for the --source-port option of the TCP extension.

Target extensions

Extension targets are optional additional targets supported by separate kernel modules. They have their own associated options. We cover the most frequently used target extensions below. DNAT Modify the destination address of the packet and all future packets in the current connection. DNAT is valid only as a part of the POSTROUTING chain in the nat table: --to-destination address[-address] [port-port] Specify the new destination address or range of addresses. The arguments for this option are the same as the --to-source argument for the SNAT extension target. LOG Log the packet's information in the system log: --log-level level Set the syslog level by name or number (as defined by syslog.conf). --log-prefix prefix Begin each log entry with the string prefix. The prefix string may be up to 30 characters long. --log-tcp-sequence Log the TCP sequence numbers. This is a security risk if your log is readable by users. --log-tcp-options Log options from the TCP packet header. --log-ip-options Log options from the IP packet header. MASQUERADE Masquerade the packet so it appears that it originated from the current system. Reverse packets from masqueraded connections are unmasqueraded automatically. This is a legal target only for chains in the nat table that handle incoming packets and should be used only with dynamic IP addresses (like dial-up.) For static addresses use DNAT: --to-ports port[-port] Specify the port or range of ports to use when masquerading. This option is valid only if a tcp or udp protocol has been specified with the -p option. If this option is not used, the masqueraded packet's port will not be changed. REJECT Drop the packet and, if appropriate, send an ICMP message back to the sender indicating the packet was dropped. If the packet was an ICMP error message, an unknown ICMP type, or a nonhead fragment, or if too many ICMP messages have already been sent to this address, no message is sent: --reject-with type Send specified ICMP message type. Valid values are icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, or icmp-proto-unreachable. If the packet was an ICMP ping packet, type may also be echo-reply. SNAT Modify the source address of the packet and all future packets in the current connection. SNAT is valid only as a part of the POSTROUTING chain in the nat table: --to-source address[-address] [port-port] Specify the new source address or range of addresses. If a tcp or udp protocol has been specified with the -p option, source ports may also be specified. If none is specified, map the new source to the same port if possible. If not, map ports below 512 to other ports below 512, those between 512 and 1024 to other ports below 1024, and ports above 1024 to other ports above 1024.

Examples

To reject all incoming ICMP traffic on eth0:

iptables -A INPUT -p ICMP -i eth0 -j REJECT

from Java Tutorials Corner http://ift.tt/2wrFelW via IFTTT

#IFTTT #Java Tutorials Corner

0 notes