hacking attempts

Doug Sutherland doug at proficio.ca
Sat Feb 10 20:12:17 EST 2007


Regarding hacking attempts, I suggest reading about iptables
and how to configure this. In a nutshell, you can do these few
things to block attempts.

Set a known state for iptables: set a default rule to drop all
input packets, output packets, and forward packets.

Set a rule to allow local only connections.
Set a rule to allow outgoing connections.
Set a rule to permit answers on already established connections.

This way, by default everything is blocked except you connecting
outwards, returned answers from established connections (like
ftp using two ports etc), and local only allow.

Everything else is dropped.
You will need to add specific rules if you want to expose certain
interfaces like ftp and ssh etc for outside connection.

There are also some things you can do by writing to /proc/sys
to gain extra protection, like the following:

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
echo 0 > /proc/sys/net/ipv4/tcp_ecn

Check out this useful example from linuxfromscratch
http://www.linuxfromscratch.org/blfs/view/stable/postlfs/firewall.html

And look for the docs for iptables and tutorials on how it works.
None of this is distro specific except how the scripts get fired
and where they reside etc.


Littlefield, tyler wrote:
 > I'm not sure how to set up iptables, and don't really have a whole lot
 > of time to go through a huge 300000 page tutorial.
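
The steps listed in the message above (default drop, local-only, outgoing, answers on established connections, plus specific rules for exposed services), written out as an added example that is not part of the original post: a script that emits the ruleset in iptables-restore format. The build_rules name and the PORTS and APPLY variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): default-drop ruleset in
# iptables-restore format. PORTS (space-separated TCP ports to expose) and
# APPLY are hypothetical variable names chosen for this example.

build_rules() {
    # Validate every requested port before emitting anything.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done

    cat <<'EOF'
*filter
# Known state: drop everything unless a rule below accepts it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Local-only connections.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Outgoing connections.
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Answers on already established connections. RELATED covers FTP data
# connections only when the FTP conntrack helper is loaded.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Specific rules for services exposed to the outside (ssh, ftp, ...).
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Dry run by default: print the ruleset for review. APPLY=1 loads it (root).
if rules=$(build_rules ${PORTS:-}); then
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | iptables-restore
    else
        printf '%s\n' "$rules"
    fi
fi
```

Loading through iptables-restore replaces the filter table in one step, so there is no window where the policy is DROP but the accept rules are not yet in place.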



