読者です 読者をやめる 読者になる 読者になる

labunix's blog

labunixのラボUnix

さくらVPSのINPUTパケットを制限する(Debian Wheezy)

■さくらVPSにSnortを導入

# apt-get install -y snort

# tail /var/log/snort/alert
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
08/28-15:20:31.722756 0.0.0.0 -> 224.0.0.1
IGMP TTL:1 TOS:0xC0 ID:0 IpLen:24 DgmLen:32 DF
IP Options (1) => RTRALT 
[Xref => http://www.cert.org/advisories/CA-1997-28.html]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016]
[Xref => http://www.securityfocus.com/bid/2666]

■apache2の導入
 ngixでも良い気はするけど、認証付きにする予定なので分かりやすい方を。

# apt-get install -y apache2
# a2ensite default-ssl
Enabling site default-ssl.
To activate the new configuration, you need to run:
  service apache2 reload
# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart
# /etc/init.d/apache2 restart
[ ok ] Reloading web server config: apache2.
# netstat -an | grep "\:80 \|\:443"
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN     

■Postfixのポート変更
 お試し期間中だったので、OB25対応しておく。

 「さくらのVPS」でメールの送信ができません。
 http://sakura.custhelp.com/app/answers/detail/a_id/1378

 サブミッションポート(587番ポート)に対応していますか?
 http://sakura.custhelp.com/app/answers/detail/a_id/1196/related/1/session/L2F2LzEvdGltZS8xNDA5MjEzOTY1L3NpZC9Na240RFkqbA%3D%3D

■オプションで色々制限出来るけど、今回は有効にするのみ。

# grep "submission\|^smtp.*smtpd\$" /etc/postfix/master.cf 
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission

# sed -i s/"^smtp.*smtpd\$"/"#&"/ /etc/postfix/master.cf; \
  sed -i s/"#\(submission.*\)"/"\1"/ /etc/postfix/master.cf; \
  postfix check && /etc/init.d/postfix reload
[ ok ] Reloading Postfix configuration...done.

# netstat -an | grep "\:.*25\|587"
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN     

■IPv6の無効化

# echo "options ipv6 disable=1" > /etc/modprobe.d/disable-ipv6.conf
# modprobe -c | grep "^options ipv6"
options ipv6 disable=1

# grep "^net.ipv6" /etc/sysctl.conf 
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

# sysctl -p
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

# shutdown -r now && exit
# netstat -an | grep ^[tu][cd]p6
udp6       0      0 :::123                  :::*

■sshdのrootログインを禁止

# sed -i s/"\(PermitRootLogin \)yes"/"\1no"/ /etc/ssh/sshd_config
# /etc/init.d/ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.

■iptablesの設定について

 iptablesの設定方法
 http://support.sakura.ad.jp/manual/vps/security/iptables.html

■iptablesで入力のみ制御
 web、mail、sshの通信と自身のIP宛のUDP設定のみ許可する
 NTPのルールは不要だったのでコメントアウトした。

# cat myvpsinput.sh 
#!/bin/bash 

if [ `id -u` -ne "0" ];then
  echo "Sorry Not Permit User!" >&2
  exit 1
fi

export PATH=/sbin:/usr/sbin:/bin:/usr/bin

IPTABLES=/sbin/iptables
FAIL2BAN=/etc/init.d/fail2ban
SSHDCONFIG=/etc/ssh/sshd_config
NTPDCONFIG=/etc/ntp.conf
SMTPPORT=587

# at 1st

if [ -x $FAIL2BAN ];then
  $FAIL2BAN stop
else
  FAIL2BAN="x"
fi

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F -t filter
$IPTABLES -F -t nat

$IPTABLES -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# for ssh
if [ -f $SSHDCONFIG ];then
  grep ^Port /etc/ssh/sshd_config | awk '{print $2}' | \
  for SSHPORT in `xargs`;do
    $IPTABLES -A INPUT -p tcp -m tcp --dport $SSHPORT -j ACCEPT
  done
else
  SSHPORT=22
  $IPTABLES -A INPUT -p tcp -m tcp --dport $SSHPORT -j ACCEPT
fi

# for web services
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# for mail services
$IPTABLES -A INPUT -p tcp -m tcp --dport $SMTPPORT -j ACCEPT

# for ntp

#grep ^server $NTPDCONFIG  | awk '{print $2}' | \
#  for list in `xargs`;do
#    $IPTABLES -A INPUT -p udp -m udp -s ${list} --dport 123 -j ACCEPT
#  done

# for lo

$IPTABLES -A INPUT -i lo -j ACCEPT

# eth0

FLAG=`ip a list eth0 | grep "state UP" > /dev/null 2>&1;echo $?`

if [ "$FLAG" -eq "0" ];then
  MYIP=$(ip a list eth0 | grep "inet " | awk '{print $2}' | sed s%/[0-9]*%%)
  $IPTABLES -A INPUT -p udp -m udp -d $MYIP -j ACCEPT

  $IPTABLES -A INPUT -d 224.0.0.1 -j DROP

fi

if [ -x $FAIL2BAN ];then
  $FAIL2BAN start
fi

# default policy
$IPTABLES -P INPUT DROP

if [ -x $FAIL2BAN ];then
  # for save
  $FAIL2BAN restart
fi

$IPTABLES -L -v -n 
unset IPTABLES MYIP FLAG FAIL2BAN SSHDCONFIG NTPDCONFIG SSHPORT SMTPPORT PATH
exit 0

# /etc/rc.local > /dev/null

■外部からの通信テストスクリプト

$ cat vpscheck.sh #!/bin/bash

MYVPSIP=XXX.XXX.XXX.XXX
SSHPORT=XX022
SMTPPORT=587
HTTPPORT=80
HTTPSPORT=443

(sleep 1;echo "EHLO localhost";
 sleep 1;echo "mail from:root";
 sleep 1;echo "rcpt to:root";
 sleep 1;echo "data";
 sleep 1;echo "Subject: Test";
 sleep 1;echo "";
 sleep 1;echo "test body";
 sleep 1;echo ".";
 sleep 1;echo "quit";) | telnet $MYVPSIP $SMTPPORT

w3m -dump http://$MYVPSIP:$HTTPPORT
w3m -dump https://$MYVPSIP:$HTTPSPORT

ssh -p $SSHPORT $MYVPSIP

■クライアントからの動作確認

$ ./vpscheck.sh
Trying XXX.XXX.XXX.XXX...
Connected to XXX.XXX.XXX.XXX.
Escape character is '^]'.
220 XXXXX.sakura.ne.jp ESMTP Postfix (Debian/GNU)
250-XXXXX.sakura.ne.jp
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
250 2.1.0 Ok
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
250 2.0.0 Ok: queued as 91DC63C06E0
Connection closed by foreign host.
It works!

This is the default web page for this server.

The web server software is running but no content has been added, yet.

self signed certificate: accept? (y/n)y
Bad cert ident XXXXX.sakura.ne.jp from XXX.XXX.XXX.XXX: accept? (y/n)y
Accept unsecure SSL session:Bad cert ident XXXXX.sakura.ne.jp from XXX.XXX.XXX.XXX
It works!

This is the default web page for this server.

The web server software is running but no content has been added, yet.

labunix@XXX.XXX.XXX.XXX's password: 
X11 forwarding request failed on channel 0
Linux XXXXX 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Thu Aug 28 18:13:37 2014 from [外部IP]

■DROPなく正常に通信出来ていることを確認

# watch -d -n 1 'iptables -L INPUT -v -n'
Every 1.0s: iptables -L INPUT -v -n
                                                                                          Thu Aug 28 18:18:42 2014

Chain INPUT (policy DROP 177 packets, 8904 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 fail2ban-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465
 5853  396K fail2ban-ssh-ddos  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,XX022
 5853  396K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,XX022
 8497 2433K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  218 22791 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x00
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags:! 0x17/0x02 state NEW
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x3F
   10   600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:XX022
   11   620 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
   14   820 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
   14   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
 3002  145K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            XXX.XXX.XXX.XXX      udp
    1    32 DROP       all  --  *      *       0.0.0.0/0            224.0.0.1 

■後片付け

# a2dismod ssl
Module ssl disabled.
To activate the new configuration, you need to run:
  service apache2 restart
# a2dissite default-ssl
Site default-ssl disabled.
To activate the new configuration, you need to run:
  service apache2 reload
# /etc/init.d/apache2 stop
[ ok ] Stopping web server: apache2 ... waiting .
# chkconfig --list apache2
apache2                   0:off  1:off  2:on   3:on   4:on   5:on   6:off
# chkconfig apache2 off
# chkconfig --list apache2
apache2                   0:off  1:off  2:off  3:off  4:off  5:off  6:off
# shutdown -r now && exit
$ exit

■CPU使用率が0.0%より大きいか、メモリ使用率が1%より大きいプロセスの一覧
 snortとfail2ban-serverが仲間入り。

# ps axo pid,cmd,%cpu,%mem | awk '($NF>1)||($(NF-1)>0.0){print}'
 2602 /usr/sbin/spamd --create-pr  0.2  3.0
 2644 /usr/sbin/amavisd-new (mast  0.2  4.7
 2646 spamd child                  0.0  2.9
 2647 spamd child                  0.0  2.9
 2648 /usr/sbin/snort -m 027 -D -  0.1  5.5
 2668 /usr/sbin/amavisd-new (virg  0.0  4.7
 2669 /usr/sbin/amavisd-new (virg  0.0  4.7
 2712 /usr/sbin/clamd -c /etc/cla  0.0 13.4
 2888 /usr/bin/freshclam -d --qui  0.5  0.1
 3583 /usr/bin/python /usr/bin/fa  0.1  0.4

■全体では微々たる負荷。

# top -b -n 1 | head -5 | sed s/"\([a-z]\),"/"\1\n"/g
top - 18:36:55 up 13 min
  1 user
  load average: 0.00, 0.01, 0.05
Tasks:  84 total
   1 running
  83 sleeping
   0 stopped
   0 zombie
%Cpu(s):  0.9 us
  0.2 sy
  0.0 ni
 98.5 id
  0.3 wa
  0.0 hi
  0.0 si
  0.1 st
KiB Mem:   2061060 total
   798972 used
  1262088 free
    12064 buffers
KiB Swap: 13671420 total
        0 used
 13671420 free
   167192 cached