Ostatnio znalazlem takie nazedzie 'conntrack' ze strony
http://www.netfilter.org/Przydatne do wywalania śledzonych polaczen na serverze.. po instalacji.. gdy biore
# conntrack -L
wypisuje ze musze byc root'em albo ustawic CAP_NET_ADMIN
..nie wiem zabardzo o co chodzi wiec pogrzebalem w necie.. i znalazlem cos o nazwie LIDS
i tam da sie takie 'captivitis' ustawiac.. skompilowalem poprawnie jadro z lata.. (Debian 2.6.14.4)
i niestety.. moj serverek sie odpala.. lecz chyba LIDS jest jeszcze zbyt surowo skonfigurowany.. bo wiele proramow wyswietla ze interfejsy sieciowe sa nieosiagalne
Nie znam tak dobrze architektury Debiana aby wiedziec ktore skrypty/programy odpowiadaja za udostepnianie internetu (lub w ogole za to aby ten internet w ogole dzialal)..
Macie moze jakies dobre materialy jak ustawic server z LIDS'em.. lub cokolwiek co moglo by pomuc?
PS: to moje regulki LIDS'a:
#!/bin/bash
lidsconf -Z
lidsconf -Z BOOT
lidsconf -Z POSTBOOT
# Prawa katalogow
/sbin/lidsconf -A -o /etc/lids -j DENY
/sbin/lidsconf -A -o / -j READONLY
/sbin/lidsconf -A -o /bin -j READONLY
/sbin/lidsconf -A -o /boot -j READONLY
/sbin/lidsconf -A -o /etc -j READONLY
/sbin/lidsconf -A -o /home -j WRITE
/sbin/lidsconf -A -o /initrd -j READONLY
/sbin/lidsconf -A -o /lib -j READONLY
/sbin/lidsconf -A -o /mnt -j READONLY
/sbin/lidsconf -A -o /opt -j READONLY
/sbin/lidsconf -A -o /root -j WRITE
/sbin/lidsconf -A -o /sbin -j READONLY
/sbin/lidsconf -A -o /srv -j READONLY
/sbin/lidsconf -A -o /tmp -j WRITE
/sbin/lidsconf -A -o /usr -j READONLY
/sbin/lidsconf -A -o /var -j READONLY
/sbin/lidsconf -A -o /var/run -j WRITE
/sbin/lidsconf -A -o /var/lock -j WRITE
/sbin/lidsconf -A -o /var/tmp -j WRITE
/sbin/lidsconf -A -o /var/log -j WRITE
# Give rcS some permissions
/sbin/lidsconf -A BOOT -s /etc/init.d/rcS -o /etc -i 2 -j WRITE
# Mount virtual FS
/sbin/lidsconf -A BOOT -s /etc/init.d/mountvirtfs -o /etc -i 2 -j WRITE
# Networking
/sbin/lidsconf -A SHUTDOWN -s /etc/init.d/networking -o /etc/network -i 3 -j WRITE
/sbin/lidsconf -A SHUTDOWN -s /etc/init.d/ifupdown -o /etc/network -i 3 -j WRITE
# Urandom seed
/sbin/lidsconf -A BOOT -s /etc/init.d/urandom -o /var/lib/urandom -i 1 -j WRITE
/sbin/lidsconf -A SHUTDOWN -s /etc/init.d/urandom -o /var/lib/urandom -i 1 -j WRITE
# Umount
/sbin/lidsconf -A SHUTDOWN -s /etc/init.d/umountfs -o /etc -i 1 -j WRITE
# HWClock
/sbin/lidsconf -A SHUTDOWN -s /sbin/hwclock -o /etc -j WRITE
# After booting nobody has to be in the following directories...
/sbin/lidsconf -A POSTBOOT -o /etc/init.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rcS.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rc0.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rc1.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rc2.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rc3.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rc4.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rc5.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rc6.d -j DENY
# Make sure nobody can shutdown the system, only in SHUTDOWN state
/sbin/lidsconf -A POSTBOOT -o /sbin/shutdown -j DENY
/sbin/lidsconf -A POSTBOOT -o /sbin/halt -j DENY
# Allow logins (can be useful ;-) )
/sbin/lidsconf -A -s /bin/login -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_FSETID -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_CHOWN -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_FOWNER -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_SYS_RESOURCE -j GRANT
# Getty
/sbin/lidsconf -A -s /sbin/getty -o CAP_DAC_OVERRIDE -j GRANT
/sbin/lidsconf -A -s /sbin/getty -o CAP_DAC_READ_SEARCH -j GRANT
/sbin/lidsconf -A -s /sbin/getty -o CAP_CHOWN -j GRANT
/sbin/lidsconf -A -s /sbin/getty -o CAP_FOWNER -j GRANT
# Every system should have su installed
/sbin/lidsconf -A -s /bin/su -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /bin/su -o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /bin/su -o CAP_SYS_RESOURCE -j GRANT
/sbin/lidsconf -A -s /bin/su -o /etc/shadow -j READONLY
# mesg needs to set the pts
/sbin/lidsconf -A POSTBOOT -s /usr/bin/mesg -o CAP_FOWNER -j GRANT
/sbin/lidsconf -A POSTBOOT -s /usr/bin/mesg -o CAP_FSETID -j GRANT
# Deny access to run-parts. Cron uses this to execute scripts and it is used
# during the boot process.
/sbin/lidsconf -A POSTBOOT -o /bin/run-parts -j DENY
# Exim4 settings..
/sbin/lidsconf -A BOOT -s /etc/init.d/exim4 -o /var/lib/exim4 -i 2 -j WRITE
/sbin/lidsconf -A -s /usr/sbin/exim4 -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/exim4 -o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/exim4 -o CAP_FOWNER -j GRANT
/sbin/lidsconf -A -s /usr/sbin/exim4 -o CAP_DAC_OVERRIDE -j GRANT
/sbin/lidsconf -A -s /usr/sbin/exim4 -o CAP_DAC_READ_SEARCH -j GRANT
/sbin/lidsconf -A -s /usr/sbin/exim4 -o /var/mail -j WRITE
/sbin/lidsconf -A -s /usr/sbin/exim4 -o /var/spool/exim4 -j WRITE
/sbin/lidsconf -A -o /var/spool/exim4 -j DENY
# ping najczesciej wykorzystywany jest w sploitach do uzyskania praw roota.
# To ograniczenie pozwala /bin/ping uruchamianie tylko siebie
/sbin/lidsconf -A -s /bin/ping -o LIDS_EXEC -j ENABLE
/sbin/lidsconf -A -s /bin/ping6 -o CAP_NET_RAW -j GRANT
/sbin/lidsconf -A -s /bin/ping6 -o LIDS_EXEC -j ENABLE
/sbin/lidsconf -A -s /bin/ping -o CAP_NET_RAW -j GRANT
# Make sure that nobody is able to start exim on another port
# with an alternate configuration file.
/sbin/lidsconf -A POSTBOOT -o /usr/sbin/exim4 -j DENY
# Grub config
/sbin/lidsconf -A -o /boot/grub/menu.lst -j DENY
# Shadow and passwords
/sbin/lidsconf -A -o /etc/shadow -j DENY #hasla pod kontrola
# init
/sbin/lidsconf -A -s /sbin/init -o /var/log/wtmp -i -1 -j WRITE
/sbin/lidsconf -A -s /sbin/init -o /var/log/lastlog -i -1 -j WRITE
# cron
/sbin/lidsconf -A -s /usr/sbin/cron -o CAP_SETUID -j GRANT #cron
/sbin/lidsconf -A -s /usr/sbin/cron -o /etc/shadow -j READONLY
# iptables
/sbin/lidsconf -A -s /sbin/iptables -o CAP_NET_RAW -j GRANT #iptables
/sbin/lidsconf -A -s /sbin/iptables -o CAP_SETUID -j GRANT
# hwclock
/sbin/lidsconf -A -s /sbin/hwclock -o /etc/adjtime -j WRITE #aktualizujemy czas systemowy
# others..
/sbin/lidsconf -A -o /usr/share/zoneinfo/Europe/Warsaw -j READONLY
/sbin/lidsconf -A -s /usr/sbin/gpm -o CAP_SYS_RAWIO -i 1 -j GRANT #obsluga myszki na konsoli
# SSH
/sbin/lidsconf -A -o /usr/sbin/sshd -j READONLY
/sbin/lidsconf -A -o /etc/ssh/sshd_config -j DENY
/sbin/lidsconf -A -o /etc/ssh/ssh_host_key -j DENY
/sbin/lidsconf -A -o /etc/ssh/ssh_host_dsa_key -j DENY
/sbin/lidsconf -A -o /etc/ssh/ssh_host_rsa_key -j DENY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/ssh/sshd_config -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/ssh/ssh_host_key -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/ssh/ssh_host_dsa_key -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/ssh/ssh_host_rsa_key -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/passwd -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/shadow -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /var/log/wtmp -j WRITE
/sbin/lidsconf -A -s /usr/sbin/sshd -o /var/log/lastlog -j WRITE
/sbin/lidsconf -A -s /usr/sbin/sshd -o /var/log/messages -j APPEND
/sbin/lidsconf -A -s /usr/sbin/sshd -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd -o CAP_PROTECTED -j GRANT
# conntrack stuff
/sbin/lidsconf -A -s /usr/local/sbin/conntrack -o CAP_NET_ADMIN -j GRANT
/sbin/lidsconf -A -s /usr/local/sbin/conntrack -o CAP_CHOWN -j GRANT
/sbin/lidsconf -A -s /usr/local/sbin/conntrack -o CAP_FOWNER -j GRANT
/sbin/lidsconf -A -s /usr/local/sbin/conntrack -o CAP_SYS_RESOURCE -j GRANT
/sbin/lidsconf -A -s /usr/local/sbin/conntrack -o CAP_NET_RAW -j GRANT
/sbin/lidsconf -A -s /usr/local/sbin/conntrack -o CAP_SETUID -j GRANT
# tc & ip
/sbin/lidsconf -A -s /sbin/tc -o CAP_NET_ADMIN -j GRANT
/sbin/lidsconf -A -s /sbin/tc -o CAP_CHOWN -j GRANT
/sbin/lidsconf -A -s /sbin/tc -o CAP_FOWNER -j GRANT
/sbin/lidsconf -A -s /sbin/tc -o CAP_SYS_RESOURCE -j GRANT
/sbin/lidsconf -A -s /sbin/tc -o CAP_NET_RAW -j GRANT
/sbin/lidsconf -A -s /sbin/tc -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /sbin/ip -o CAP_NET_ADMIN -j GRANT
/sbin/lidsconf -A -s /sbin/ip -o CAP_CHOWN -j GRANT
/sbin/lidsconf -A -s /sbin/ip -o CAP_FOWNER -j GRANT
/sbin/lidsconf -A -s /sbin/ip -o CAP_SYS_RESOURCE -j GRANT
/sbin/lidsconf -A -s /sbin/ip -o CAP_NET_RAW -j GRANT
/sbin/lidsconf -A -s /sbin/ip -o CAP_SETUID -j GRANT
Dystrybucja - środowisko graficzna dla amigowca (MUI) (3)
ePBF & Observability meetup in Warsaw (0)