Secure Your Linux Server
Pages: 1, 2, 3

ipchains

ipchains is Linux's answer to a firewall. There are a lot of neat tricks you can perform with ipchains, and you can search for those tricks on Google. The module itself is fairly easy to use once you get the hang of it. I hope you can stay with me on this, as it can sound a bit overtechnical. Please be careful, as you can easily lock yourself out of your own box!

ipchains actually refers to three separate chains. A typical ipchain command consists of several parts. First, it carries one of three commands:

• -F flushes a chain
• -P sets the handling for a chain
• -A adds a new rule to the chain

To set up a chain, you might use:

# ipchains --F input
# ipchains --A input REJECT

This is a blanket command that essentially halts all incoming traffic. The first command flushes the input chain, and the second command adds a new rule to the input chain that rejects all traffic.

You could do this if you were completely disconnected from a network, but most of the world is not. Almost every desktop or server Linux box in the world connects to a network or the internet, so it's not realistic to use such a blanket command.

There are plenty of other options to set up a more intelligent filtering system. Suppose that your Linux box is a development server accessible only on the local LAN. The IP of its network device is 192.168.25.4, with a netmask of 255.255.255.0.

Note that on Linux you can determine the source machine's network IP through ifconfig, or on Windows using ipconfig at the command prompt. The rest of the network is on the 192.168.x.x private block as well.

You might write a rule that looks like:

# ipchains --A input --I eth0  -s 192.168.1.0/255.255.255.0 \
    --d 192.168.25.4 --j ACCEPT

What the heck does that mean?

ipchains --A input adds a rule to the input chain.

-I eth0 tells the firewall that the packet traffic on which to run this rule is attached to Ethernet network device 0 (Eth0).

-s 192.168.1.0/255.255.255.0 identifies the source, or sending IP address, as 192.168.1.0. The number after the slash denotes the netmask, which in this case is 255.255.255.0

The ACCEPT designates that ipchains should allow all traffic from this source. You can also use REJECT to keep traffic out.

The best bet for ipchains firewalling lies within the ipchains how-to.

Other Tricks

Some other tricks you can perform to further secure your server have to do with your servers' hosts* files.

In /etc/hosts.deny and /etc/hosts.allow, you can enable tcp wrappers, which simply wrap a service in a particular rule. Your hosts.allow file might look similar to:

// Allow localhost ALL : 127.0.0.1
// Allow SSH Access to anyone except from 192.168.1.101
sshd : ALL EXCEPT 192.168.1.101 : ALLOW

Your /etc/hosts.deny file might resemble:

// No one can connect via anything except loopback localhost
ALL : ALL EXCEPT 127.0.0.1:DENY

Intrusion Detection

You may want to consider using a package like Tripwire to detect intrusions. It doesn't come with Red Hat 9, but you can get the source and compile it yourself. It creates and compares the hashes of critical files to determine whether any changes have been made.

An effective hacker won't just break into your system. He will also create a back door for himself so that he can gain access at other times. Most of the time, these back doors are in exploited files, and this is one way you can protect against this occurrence.

Summary

There are many other tricks and tips available to the security-conscious system administrator. The key to being effective is to always be on your toes and ready to think outside the box. There's generally more than one way to skin a cat, and hackers are consistently inventing or discovering new means.

Please don't read this article and think this is the last word in system security. These tips merely scratch the surface. Happy guarding!

Aaron Brazell is an author and blogger from Baltimore, Maryland, and is the primary system administrator for b5media, a network of more than 100 blogs.

---

Return to the Linux DevCenter.