[CentOS] Paranoid Firewalling

Sun Oct 9 10:10:15 UTC 2005
Maciej Żenczykowski <maze at cela.pl>

> I guess I need to read a bit more on the ALL:PARANOID bit.. that also might 
> work for here, but not downtown.

In my experience paranoid is more of a nuisance than a help.
I've often been blocked simply because I was on a temporary computer 
which had no reverse DNS -- it's annoying and not that uncommon.

Another solution would be to use the linux firewall 'recent' match type or 
'limit' match types to limit connections to a certain number per hour or 
something.

Ie. something like this (all in filter table):

:newssh - [0:0]
:whitelist - [0:0]

-A INPUT -p tcp --dport 12345 -m recent --set
-A INPUT -p tcp --dport ssh -m state --state NEW -j newssh

-A newssh -m recent --update --seconds 43200 -j ACCEPT
-A newssh -j whitelist

-A whitelist -s 127.0.0.0/8 -j ACCEPT
-A whitelist -s 10.0.0.0/8 -j ACCEPT
-A whitelist -s 172.16.0.0/12 -j ACCEPT
-A whitelist -s 192.168.0.0/16 -j ACCEPT
-A whitelist -s x.y.z.0/24 -j ACCEPT
-A whitelist -s static_home_ip_number -j ACCEPT

The above accepts ssh connections from IPs which have tried telnetting in 
to port 12345 (or been allowed to ssh) within the past 12 hours and from 
anybody in the WHITELIST chain (which basically accepts private/local 
networks, and my own computers, etc).

Or instead of the newssh chain above you could try:

-A newssh -j whitelist
-A newssh -m limit --limit 1/hour --limit-burst 5 -j ACCEPT

Which would accept any whitelisted computer and a maximum of 5 attempts in 
a row from anywhere else (recharge rate of 1 per hour).
Of course the above doesn't distinguish IPs.

So you could do something like this:
-A newssh -j whitelist
-A newssh -m recent --update --seconds 3600 --hitcount 10 -j REJECT --reject-with tcp-reset
# --set records the hit for this source; without it --update never sees any
# entries (only the knock rule above creates them) and nothing is ever rejected
-A newssh -m recent --set -j ACCEPT

Which would accept any whitelisted computer, and up to 10 connections 
within an hour from any other IP.

I think the above (to be placed in /etc/sysconfig/iptables) are a lot 
easier solutions than some scripts - although these solutions do not 
distinguish between successful logins and failures.  Still the level of 
complication is a lot easier and this approach will work for _ANY_ tcp/ip 
service.

Cheers,
MaZe.
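The three newssh variants above differ in a way that is easy to miss from the rules alone: `-m limit` is one global token bucket shared by every non-whitelisted source, while `-m recent` keeps a per-source hit table. The following model, added here as an illustration and not part of the post or of iptables, replays constructed connection attempts (TEST-NET addresses, a made-up whitelist, the port numbers from the post) through each variant using the xt_limit/xt_recent semantics; the chain policy is assumed to be DROP, and the third variant includes the `--set` its ACCEPT rule needs.

```python
"""Model of the three newssh variants from the post: a token bucket like
`-m limit` and a per-source hit table like `-m recent`. Events are
constructed; the semantics follow xt_limit/xt_recent, not a real kernel."""
from collections import defaultdict, deque

SSH, KNOCK = 22, 12345          # --dport ssh and the knock port from the post
WHITELIST = {"192.168.1.5"}     # constructed stand-in for the whitelist chain
ATTACKER, LAPTOP = "203.0.113.9", "198.51.100.7"   # constructed TEST-NET hosts


class LimitMatch:
    """-m limit --limit <rate> --limit-burst <burst>: ONE bucket for all sources."""

    def __init__(self, rate_per_second, burst):
        self.rate, self.burst = rate_per_second, burst
        self.tokens, self.last = float(burst), 0.0

    def match(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RecentTable:
    """-m recent: per-source timestamps (ip_pkt_list_tot defaults to 20)."""

    def __init__(self, max_hits=20):
        self.max_hits = max_hits
        self.stamps = defaultdict(deque)

    def set(self, src, now):                               # --set
        d = self.stamps[src]
        d.append(now)
        while len(d) > self.max_hits:
            d.popleft()

    def update(self, src, now, seconds, hitcount=1):       # --update --seconds --hitcount
        """Match if src has >= hitcount hits younger than `seconds`;
        as in xt_recent, a successful --update also records a new hit."""
        if src not in self.stamps:
            return False
        if sum(1 for t in self.stamps[src] if now - t < seconds) < hitcount:
            return False
        self.set(src, now)
        return True


def run_knock(events, whitelist, window=43200):
    """Variant 1: a hit on KNOCK opens ssh for `window` seconds, refreshed by each ssh."""
    table, verdicts = RecentTable(), []
    for now, src, dport in events:
        if dport == KNOCK:                       # -A INPUT --dport 12345 -m recent --set
            table.set(src, now)
            verdicts.append("KNOCK")
        elif table.update(src, now, window):     # -A newssh -m recent --update --seconds 43200 -j ACCEPT
            verdicts.append("ACCEPT")
        elif src in whitelist:                   # -A newssh -j whitelist
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")              # assumed INPUT policy DROP
    return verdicts


def run_limit(events, whitelist, rate_per_hour=1, burst=5):
    """Variant 2: whitelist, then one shared -m limit bucket for everyone else."""
    bucket, verdicts = LimitMatch(rate_per_hour / 3600.0, burst), []
    for now, src, _ in events:
        ok = src in whitelist or bucket.match(now)
        verdicts.append("ACCEPT" if ok else "DROP")
    return verdicts


def run_hitcount(events, whitelist, window=3600, hitcount=10):
    """Variant 3: whitelist, REJECT a source with >= hitcount NEW connections
    inside `window`, otherwise ACCEPT and record the hit (the --set rule)."""
    table, verdicts = RecentTable(), []
    for now, src, _ in events:
        if src in whitelist:
            verdicts.append("ACCEPT")
        elif table.update(src, now, window, hitcount):
            verdicts.append("REJECT")
        else:
            table.set(src, now)
            verdicts.append("ACCEPT")
    return verdicts


# Constructed, time-ordered event streams: (seconds, source, dport)
KNOCK_EVENTS = [(0, LAPTOP, KNOCK), (5, LAPTOP, SSH), (6, ATTACKER, SSH),
                (7, "192.168.1.5", SSH), (50000, LAPTOP, SSH)]
LIMIT_EVENTS = [(t, ATTACKER, SSH) for t in range(6)] + \
               [(10, LAPTOP, SSH), (11, "192.168.1.5", SSH)]
HITCOUNT_EVENTS = [(60 * i, ATTACKER, SSH) for i in range(11)] + \
                  [(650, LAPTOP, SSH), (4000, ATTACKER, SSH)]

if __name__ == "__main__":
    print("knock   ", run_knock(KNOCK_EVENTS, WHITELIST))
    print("limit   ", run_limit(LIMIT_EVENTS, WHITELIST))
    print("hitcount", run_hitcount(HITCOUNT_EVENTS, WHITELIST))
```

In the `-m limit` stream the attacker's five burst attempts empty the shared bucket, so the laptop at t=10 is dropped even though it never misbehaved; in the `-m recent --hitcount` stream the laptop is still accepted after the attacker's eleventh attempt is rejected, and the attacker's own window expires once its hits age out of the 3600-second window. Note that a matched `--update` also adds a stamp, so a rejected source that keeps hammering keeps extending its own block.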