Ostatnio znalazlem takie nazedzie 'conntrack' ze strony
http://www.netfilter.org/Przydatne do wywalania śledzonych polaczen na serverze.. po instalacji.. gdy biore
# conntrack -L
wypisuje ze musze byc root'em albo ustawic CAP_NET_ADMIN
..nie wiem zabardzo o co chodzi wiec pogrzebalem w necie.. i znalazlem cos o nazwie LIDS
![Smiley :)](http://forum.linux.pl/Smileys/default/smiley.gif)
i tam da sie takie 'captivitis' ustawiac.. skompilowalem poprawnie jadro z lata.. (Debian 2.6.14.4)
i niestety.. moj serverek sie odpala.. lecz chyba LIDS jest jeszcze zbyt surowo skonfigurowany.. bo wiele proramow wyswietla ze interfejsy sieciowe sa nieosiagalne
![Smiley :)](http://forum.linux.pl/Smileys/default/smiley.gif)
Nie znam tak dobrze architektury Debiana aby wiedziec ktore skrypty/programy odpowiadaja za udostepnianie internetu (lub w ogole za to aby ten internet w ogole dzialal)..
Macie moze jakies dobre materialy jak ustawic server z LIDS'em.. lub cokolwiek co moglo by pomuc?
PS: to moje regulki LIDS'a:
#!/bin/bash
lidsconf -Z
lidsconf -Z BOOT
lidsconf -Z POSTBOOT
# Prawa katalogow
/sbin/lidsconf -A -o /etc/lids -j DENY
/sbin/lidsconf -A -o / -j READONLY
/sbin/lidsconf -A -o /bin -j READONLY
/sbin/lidsconf -A -o /boot -j READONLY
/sbin/lidsconf -A -o /etc -j READONLY
/sbin/lidsconf -A -o /home -j WRITE
/sbin/lidsconf -A -o /initrd -j READONLY
/sbin/lidsconf -A -o /lib -j READONLY
/sbin/lidsconf -A -o /mnt -j READONLY
/sbin/lidsconf -A -o /opt -j READONLY
/sbin/lidsconf -A -o /root -j WRITE
/sbin/lidsconf -A -o /sbin -j READONLY
/sbin/lidsconf -A -o /srv -j READONLY
/sbin/lidsconf -A -o /tmp -j WRITE
/sbin/lidsconf -A -o /usr -j READONLY
/sbin/lidsconf -A -o /var -j READONLY
/sbin/lidsconf -A -o /var/run -j WRITE
/sbin/lidsconf -A -o /var/lock -j WRITE
/sbin/lidsconf -A -o /var/tmp -j WRITE
/sbin/lidsconf -A -o /var/log -j WRITE
# Give rcS some permissions
/sbin/lidsconf -A BOOT -s /etc/init.d/rcS -o /etc -i 2 -j WRITE
# Mount virtual FS
/sbin/lidsconf -A BOOT -s /etc/init.d/mountvirtfs -o /etc -i 2 -j WRITE
# Networking
/sbin/lidsconf -A SHUTDOWN -s /etc/init.d/networking -o /etc/network -i 3 -j WRITE
/sbin/lidsconf -A SHUTDOWN -s /etc/init.d/ifupdown -o /etc/network -i 3 -j WRITE
# Urandom seed
/sbin/lidsconf -A BOOT -s /etc/init.d/urandom -o /var/lib/urandom -i 1 -j WRITE
/sbin/lidsconf -A SHUTDOWN -s /etc/init.d/urandom -o /var/lib/urandom -i 1 -j WRITE
# Umount
/sbin/lidsconf -A SHUTDOWN -s /etc/init.d/umountfs -o /etc -i 1 -j WRITE
# HWClock
/sbin/lidsconf -A SHUTDOWN -s /sbin/hwclock -o /etc -j WRITE
# After booting nobody has to be in the following directories...
/sbin/lidsconf -A POSTBOOT -o /etc/init.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rcS.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rc0.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rc1.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rc2.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rc3.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rc4.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rc5.d -j DENY
/sbin/lidsconf -A POSTBOOT -o /etc/rc6.d -j DENY
# Make sure nobody can shutdown the system, only in SHUTDOWN state
/sbin/lidsconf -A POSTBOOT -o /sbin/shutdown -j DENY
/sbin/lidsconf -A POSTBOOT -o /sbin/halt -j DENY
# Allow logins (can be useful ;-) )
/sbin/lidsconf -A -s /bin/login -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_FSETID -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_CHOWN -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_FOWNER -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_SYS_RESOURCE -j GRANT
# Getty
/sbin/lidsconf -A -s /sbin/getty -o CAP_DAC_OVERRIDE -j GRANT
/sbin/lidsconf -A -s /sbin/getty -o CAP_DAC_READ_SEARCH -j GRANT
/sbin/lidsconf -A -s /sbin/getty -o CAP_CHOWN -j GRANT
/sbin/lidsconf -A -s /sbin/getty -o CAP_FOWNER -j GRANT
# Every system should have su installed
/sbin/lidsconf -A -s /bin/su -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /bin/su -o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /bin/su -o CAP_SYS_RESOURCE -j GRANT
/sbin/lidsconf -A -s /bin/su -o /etc/shadow -j READONLY
# mesg needs to set the pts
/sbin/lidsconf -A POSTBOOT -s /usr/bin/mesg -o CAP_FOWNER -j GRANT
/sbin/lidsconf -A POSTBOOT -s /usr/bin/mesg -o CAP_FSETID -j GRANT
# Deny access to run-parts. Cron uses this to execute scripts and it is used
# during the boot process.
/sbin/lidsconf -A POSTBOOT -o /bin/run-parts -j DENY
# Exim4 settings..
/sbin/lidsconf -A BOOT -s /etc/init.d/exim4 -o /var/lib/exim4 -i 2 -j WRITE
/sbin/lidsconf -A -s /usr/sbin/exim4 -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/exim4 -o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/exim4 -o CAP_FOWNER -j GRANT
/sbin/lidsconf -A -s /usr/sbin/exim4 -o CAP_DAC_OVERRIDE -j GRANT
/sbin/lidsconf -A -s /usr/sbin/exim4 -o CAP_DAC_READ_SEARCH -j GRANT
/sbin/lidsconf -A -s /usr/sbin/exim4 -o /var/mail -j WRITE
/sbin/lidsconf -A -s /usr/sbin/exim4 -o /var/spool/exim4 -j WRITE
/sbin/lidsconf -A -o /var/spool/exim4 -j DENY
# ping najczesciej wykorzystywany jest w sploitach do uzyskania praw roota.
# To ograniczenie pozwala /bin/ping uruchamianie tylko siebie
/sbin/lidsconf -A -s /bin/ping -o LIDS_EXEC -j ENABLE
/sbin/lidsconf -A -s /bin/ping6 -o CAP_NET_RAW -j GRANT
/sbin/lidsconf -A -s /bin/ping6 -o LIDS_EXEC -j ENABLE
/sbin/lidsconf -A -s /bin/ping -o CAP_NET_RAW -j GRANT
# Make sure that nobody is able to start exim on another port
# with an alternate configuration file.
/sbin/lidsconf -A POSTBOOT -o /usr/sbin/exim4 -j DENY
# Grub config
/sbin/lidsconf -A -o /boot/grub/menu.lst -j DENY
# Shadow and passwords
/sbin/lidsconf -A -o /etc/shadow -j DENY #hasla pod kontrola
# init
/sbin/lidsconf -A -s /sbin/init -o /var/log/wtmp -i -1 -j WRITE
/sbin/lidsconf -A -s /sbin/init -o /var/log/lastlog -i -1 -j WRITE
# cron
/sbin/lidsconf -A -s /usr/sbin/cron -o CAP_SETUID -j GRANT #cron
/sbin/lidsconf -A -s /usr/sbin/cron -o /etc/shadow -j READONLY
# iptables
/sbin/lidsconf -A -s /sbin/iptables -o CAP_NET_RAW -j GRANT #iptables
/sbin/lidsconf -A -s /sbin/iptables -o CAP_SETUID -j GRANT
# hwclock
/sbin/lidsconf -A -s /sbin/hwclock -o /etc/adjtime -j WRITE #aktualizujemy czas systemowy
# others..
/sbin/lidsconf -A -o /usr/share/zoneinfo/Europe/Warsaw -j READONLY
/sbin/lidsconf -A -s /usr/sbin/gpm -o CAP_SYS_RAWIO -i 1 -j GRANT #obsluga myszki na konsoli
# SSH
/sbin/lidsconf -A -o /usr/sbin/sshd -j READONLY
/sbin/lidsconf -A -o /etc/ssh/sshd_config -j DENY
/sbin/lidsconf -A -o /etc/ssh/ssh_host_key -j DENY
/sbin/lidsconf -A -o /etc/ssh/ssh_host_dsa_key -j DENY
/sbin/lidsconf -A -o /etc/ssh/ssh_host_rsa_key -j DENY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/ssh/sshd_config -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/ssh/ssh_host_key -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/ssh/ssh_host_dsa_key -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/ssh/ssh_host_rsa_key -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/passwd -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/shadow -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /var/log/wtmp -j WRITE
/sbin/lidsconf -A -s /usr/sbin/sshd -o /var/log/lastlog -j WRITE
/sbin/lidsconf -A -s /usr/sbin/sshd -o /var/log/messages -j APPEND
/sbin/lidsconf -A -s /usr/sbin/sshd -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd -o CAP_PROTECTED -j GRANT
# conntrack stuff
/sbin/lidsconf -A -s /usr/local/sbin/conntrack -o CAP_NET_ADMIN -j GRANT
/sbin/lidsconf -A -s /usr/local/sbin/conntrack -o CAP_CHOWN -j GRANT
/sbin/lidsconf -A -s /usr/local/sbin/conntrack -o CAP_FOWNER -j GRANT
/sbin/lidsconf -A -s /usr/local/sbin/conntrack -o CAP_SYS_RESOURCE -j GRANT
/sbin/lidsconf -A -s /usr/local/sbin/conntrack -o CAP_NET_RAW -j GRANT
/sbin/lidsconf -A -s /usr/local/sbin/conntrack -o CAP_SETUID -j GRANT
# tc & ip
/sbin/lidsconf -A -s /sbin/tc -o CAP_NET_ADMIN -j GRANT
/sbin/lidsconf -A -s /sbin/tc -o CAP_CHOWN -j GRANT
/sbin/lidsconf -A -s /sbin/tc -o CAP_FOWNER -j GRANT
/sbin/lidsconf -A -s /sbin/tc -o CAP_SYS_RESOURCE -j GRANT
/sbin/lidsconf -A -s /sbin/tc -o CAP_NET_RAW -j GRANT
/sbin/lidsconf -A -s /sbin/tc -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /sbin/ip -o CAP_NET_ADMIN -j GRANT
/sbin/lidsconf -A -s /sbin/ip -o CAP_CHOWN -j GRANT
/sbin/lidsconf -A -s /sbin/ip -o CAP_FOWNER -j GRANT
/sbin/lidsconf -A -s /sbin/ip -o CAP_SYS_RESOURCE -j GRANT
/sbin/lidsconf -A -s /sbin/ip -o CAP_NET_RAW -j GRANT
/sbin/lidsconf -A -s /sbin/ip -o CAP_SETUID -j GRANT