CIS 238 - UNIX System Administration
Lab Exercise #13: Limiting access, Firewalls
1) Check current firewalld configuration – specifically for SSH
2) Set up firewalld for http, https, ftp, telnet, dns, https
3) Disable the firewalld server: systemctl disable firewalld.service (or mask)
4) Install iptables and system-config-securitylevel, system-config-firewall packages
5) Review TCP Wrappers (tcpd), hosts.allow, hosts.deny
6) Modify /etc/hosts.allow to restrict access for TELNET, FTP, SSH to the lab subnet
Allow all other services from everywhere
7) Use the GUI to Enable the firewall
8) Check the boxes for the following services:
- http
- dns
- ftp
- ssh
- smtp
- https
9) Add TCP/UDP ports, 177, 5800 and 5900, 6000-6010
10) Save results, reload the firewall
11) Add to rc.local file:
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp
run it.
12) Use iptables -L to list iptables rules.
13) Have your lab partner attempt to TELNET and SSH to your machine
14) Review /etc/sysconfig/iptables
15) Save your table: iptables-save > /tmp/iptables.save
16) Restore your tables: iptables-restore < /tmp/iptables.save
17) Run service iptables save
18) Review /etc/sysconfig/iptables
19) Typical Kernel mods /etc/sysctl.conf
# IP spoofing
net/ipv4/conf/all/rp_filter = 1
# Enable logging of packets with malformed IP addresses
net/ipv4/conf/all/log_martians = 1
# Disable redirects
net/ipv4/conf/all/send_redirects = 0
# Disable source routed packets
net/ipv4/conf/all/accept_source_route = 0
# Disable acceptance of ICMP redirects
net/ipv4/conf/all/accept_redirects = 0
# Turn on protection from Denial of Service (DOS) attacks
net/ipv4/tcp_syncookies = 1
# Disable responding to ping broadcasts
net/ipv4/icmp_echo_ignore_broadcasts = 1
# Enable IP routing. Required if your firewall is protecting a
net/ipv4/ip_forward = 1
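An added check for step 19 (example script written for this lab, not part of the handout): it reads the same "key = value" lines as /etc/sysctl.conf and compares each one with the running kernel, so you can confirm the settings actually took effect after sysctl -p. It assumes /proc/sys is mounted; SYSCTL_ROOT is a hypothetical override variable for pointing the check at another tree.

```shell
#!/bin/sh
# Added example for this lab (not the handout's own text): audit the step 19
# kernel settings against the running kernel, reading the same "key = value"
# syntax as /etc/sysctl.conf. Assumes /proc/sys is mounted; SYSCTL_ROOT is a
# hypothetical override so the check can be pointed at another tree for testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Normalise dotted names (net.ipv4.ip_forward) to the slash form used here.
to_path() { printf '%s\n' "$1" | tr '.' '/'; }

# read_sysctl KEY -> prints the running value, or "missing" if the key is absent.
read_sysctl() {
    f="$SYSCTL_ROOT/$(to_path "$1")"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# audit_sysctl reads "key = value" lines from stdin (comments and blank lines
# ignored), prints one line per key and returns the number of mismatches.
audit_sysctl() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(printf '%s' "${line#*=}" | tr -d ' \t')
        have=$(read_sysctl "$key")
        if [ "$have" = "$want" ]; then
            printf 'ok       %s = %s\n' "$key" "$have"
        else
            printf 'MISMATCH %s = %s (expected %s)\n' "$key" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Check this host against the handout's profile; a non-zero count means drift
# (ip_forward = 1 is expected to differ on a host that is not routing).
audit_sysctl <<'EOF' || printf '%d setting(s) differ from the lab profile\n' "$?"
net/ipv4/conf/all/rp_filter = 1
net/ipv4/conf/all/log_martians = 1
net/ipv4/conf/all/send_redirects = 0
net/ipv4/conf/all/accept_source_route = 0
net/ipv4/conf/all/accept_redirects = 0
net/ipv4/tcp_syncookies = 1
net/ipv4/icmp_echo_ignore_broadcasts = 1
net/ipv4/ip_forward = 1
EOF
```

To audit the real file instead of the embedded profile, run audit_sysctl < /etc/sysctl.conf.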