In-depth security reinforcement for Linux systems (2) (1)

Source: Internet
Author: User

6. iptables firewall rules
Assume that our server, server1, runs Apache and sshd (sshd can be configured in its configuration file not to run on the standard port). The eth0 NIC is connected to the Internet, and eth1 is connected to the LAN. The administrator dials in from home to server2 (private-network IP 192.168.0.12) and then logs on to server1 from there. The commands are as follows:
To prevent IP spoofing, you can also bind the NIC address of server2:
[Picture 1]
However, few people seem to actually do this, and it has no practical value.


Do those who know about attacks know the wonderful combination of "port redirection + reverse pipe" for crossing a firewall? This technique has been used far too widely and is very harmful. To defend against this hard-to-handle attack, we must sacrifice a certain degree of ease of use:


The above rules block active TCP connections initiated from the inside out.
In addition, tftp or other clients are commonly used to fetch files in the reverse direction. Because mfv and tools such as loki depend on UDP, we need to block it entirely:


Note: these two rules must be removed temporarily when updating the system or debugging the network.
Because the essence of an intrusion is to obtain a shell on the target operating system through a standard or non-standard port, via a text or graphical interface, these rules not only prevent the reverse pipe itself but also make the system immune to many intrusion techniques. However, this is too harsh for most system administrators!
The following are some iptables strategies against attacks.


In addition, iptables can also be configured against scanning behaviour, for example with rules that make nmap scans fail. Note that a firewall is not omnipotent: when an attacker is crazy enough, do not expect your firewall to withstand a DDoS attack.
7. Integrity Verification
Tripwire is a well-known tool that helps you determine whether important system files have been modified. Linux distributions generally ship an open-source version of it. You can add sensitive files to the default set of verified objects in its configuration file.


Run "man rpm" to view the help. The "-V" parameter performs MD5 verification. Make a hard (offline) backup of the binary data file generated by rpm verification so that it cannot be modified.
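As an added example (not from the original article), a small POSIX shell triage of "rpm -V" output: it reads verify-mode lines, skips config and documentation files, and reports package files whose digest, size or mode no longer match the rpm database, or which are missing. The sample lines are constructed, not a real scan.

```shell
#!/bin/sh
# Triage the output of `rpm -Va` (verify every installed package).
# Each line is: a 9-character attribute string, an optional file-type
# marker (c = config, d = doc, g = ghost, l = license, r = readme), then
# the path. Attribute positions: S size, M mode, 5 digest (MD5 on older
# rpm), D device, L symlink, U user, G group, T mtime, P capabilities.
# A '.' means that attribute verified; missing files print "missing".

# Constructed sample in the format rpm -V prints (not a real scan):
SAMPLE_RPM_V='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/openssh/README
S.5....T.    /usr/bin/ssh
missing     /usr/sbin/sshd
SM5..UGT.    /bin/ls
.M.......    /usr/bin/passwd
.......T.  d /usr/share/man/man1/ls.1.gz'

# Reads rpm -V output on stdin; prints one line per file worth a look.
suspicious_changes() {
  awk '
    $1 == "missing" { print "MISSING " $NF; next }
    {
      attrs = $1
      type = (NF == 3) ? $2 : ""
      path = $NF
      # config and doc files change legitimately; skip them
      if (type == "c" || type == "d") next
      # digest ("5") or size ("S") mismatch means the content differs
      if (index(attrs, "5") || index(attrs, "S")) print "CHANGED " path
      # a mode change on a system binary (e.g. new setuid bit) also matters
      else if (index(attrs, "M")) print "MODE " path
    }'
}

# Number of findings in the constructed sample (4 expected).
count_suspicious() {
  printf '%s\n' "$SAMPLE_RPM_V" | suspicious_changes | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_RPM_V" | suspicious_changes
```

On a real host, pipe `rpm -Va 2>/dev/null | suspicious_changes` and compare the result against the offline backup of the rpm database, since a tampered database verifies a tampered file as clean.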

