
Re: [cobalt-developers] Security Tools for RaQ4r



At 03:22 PM 3/5/2003 +0000, you wrote:
Hi

I am considering adding some security tools to our RaQ4r, particularly to detect rootkit installs and port scanning.

Any description of experiences with these types of tools, good or bad, would be much appreciated, along with recommendations.

Many thanks

John

John,

The best post I have seen on this subject comes from Gerald Waugh. I reused this until I had it memorized!

BTW, you can use this to harden any RedHat box.

Cheers,
Glenn


OK, I have completed installing these on a new server.
There can be many variations and permutations, but this is a basic one.
If I erred let us know. It's just that too many people are getting stung,
maybe this will help.


============= I P C H A I N S ================
1) wget http://netfilter.samba.org/ipchains/ipchains-1.3.10.tar.gz
2) tar -zxvf ipchains-1.3.10.tar.gz
3) cd ipchains-1.3.10
4) make all     (does nothing, as it's already compiled)
5) make install


============ P M F I R E W A L L ==========
1) wget http://www.pointman.org/PMFirewall/download/pmfirewall-1.1.4.tar.gz
2) tar -zxvf pmfirewall-1.1.4.tar.gz
3) cd pmfirewall-1.1.4
4) edit /etc/hosts.allow
   in.telnetd : <my.ip.add.res>
5) edit /etc/hosts.deny
   in.telnetd : ALL
6) Ensure telnet is enabled
7) ./install.sh (note in most cases you will 'hit' Enter see *)
   Directory to place config files [/usr/local/pmfirewall]:
   External Interface [eth0]:
   Are there any IP ranges which require unrestricted access? (y/N):
   Are there any IP ranges which should be blocked completely? (y/N):
   Is your IP address assigned via DHCP?  (y/N):
   *Are you running a FTP Server on ports: 20/21 (y/N):y
   *Are you running a SSH Server on port: 22 (y/N):y
     Enter the IP Range or press ENTER for any IP address:
   *Are you running a Telnet Server on port: 23 (y/N):y
   Are you running a SMTP Server on port: 25 (y/N):
   *Are you running a DNS Server on port: 53 (y/N):y
     Enter the IP Range or press ENTER for any IP address:
   Are you running a Finger Server on port: 79 (y/N):
   *Are you running a Web Server on port: 80 (y/N):y
     Enter the IP Range or press ENTER for any IP address:
   *Are you running a POP Server on port: 110 (y/N):y
     Enter the IP Range or press ENTER for any IP address:
   Allow IDENT connections on port: 113 (y/N):
   Are you running a NNTP Server port: 119 (y/N):
   *Are you using NTP, it requires port: 123 (y/N):y
   Do you wish to open NetBIOS/SAMBA ports 137-139 (not recommended)? (y/N):
?  Are you running an IMAP Server on port: 143 (y/N):
   *Are you running a SSL Web Server on port: 443 (y/N):y
     Enter the IP Range or press ENTER for any IP address:
   Are you running Routed (RIP) on port: 520 (y/N):
   Do you wish to open NFS port 2049 (not recommended)? (y/N):
   Do you wish to open X-Server ports 5999-6003 (not recommended)? (y/N):
   *Are there any other ports you wish to open to the outside? (y/N):y
     Port number: 81
     tcp, udp or both: tcp
     Enter the IP Range or press ENTER for any IP address:
   *Do you wish to add others? (y/N): y
     Port number: 444
     tcp, udp or both: tcp
     Enter the IP Range or press ENTER for any IP address:
   Do you wish to add others? (y/N):
   Start PMFirewall on bootup? (Y/n):
   Do you want pmfirewall to autodetect your IP address? (Y/n)
   Will this box Masquerade connections for other PC's (y/N):
8) ipchains -L -n  shows rules
9) review your rules (not necessary but you might look)
   vi /usr/local/pmfirewall/pmfirewall.rules.local
   If you are using any of the following IP address ranges, comment out the one you use
     # Block Nonroutable IP's from entering on the External Interface
     $IPCHAINS -A input -j DENY -s 10.0.0.0/8 -d $OUTERNET -i $OUTERIF
     $IPCHAINS -A input -j DENY -s 127.0.0.0/8 -d $OUTERNET -i $OUTERIF
     $IPCHAINS -A input -j DENY -s 172.16.0.0/12 -d $OUTERNET -i $OUTERIF
     #$IPCHAINS -A input -j DENY -s 192.168.0.0/16 -d $OUTERNET -i $OUTERIF
   Make sure telnet port 23 is at accept
10) /etc/rc.d/init.d/pmfirewall start (don't exit your shell until you test)
   Enter a new SSH and telnet shell from your PC, make sure it works!!!
11) ipchains -L -n   (shows rules)
This sets up a basic firewall.
Add - subtract rules from /usr/local/pmfirewall/pmfirewall.rules.local
read up on ipchains


============ P O R T S E N T R Y ===========
1) wget http://www.psionic.com/downloads/portsentry-1.1.tar.gz
2) tar -zxvf portsentry-1.1.tar.gz
3) cd portsentry-1.1
4) vi portsentry.conf
   find:
   # Use these if you just want to be aware:
   TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
   UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
   === remove 143 above so it looks like below ====
   TCP_PORTS="1,11,15,79,111,119,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
   UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
   find:
   # Newer versions of Linux support the reject flag now. This
   # is cleaner than the above option. [ uncomment this line ]
   KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
   # ipchain support for Linux [ uncomment this line AMD ]
   KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
   # ipfwadm support for Linux [ uncomment this line MIPS ]
   KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
5) save the portsentry.conf file
6) make linux
7) make install
8) vi /etc/rc.d/rc.local
   at the end of the file insert
   /usr/local/psionic/portsentry/portsentry -udp
   /usr/local/psionic/portsentry/portsentry -tcp
9) there are more advanced methods, which are left as an exercise for the user


============== L O G C H E C K =============
1) wget http://www.psionic.com/downloads/logsentry-1.1.1.tar.gz
2) tar -zxvf logsentry-1.1.1.tar.gz
3) cd logsentry-1.1.1
4) make linux
5) vi /usr/local/etc/logcheck.sh
   # Person to send log activity to.
   SYSADMIN="<email address>"
6) vi /usr/local/etc/logcheck.cron
   # my logcheck cron job
   00 * * * * root /bin/sh /usr/local/etc/logcheck.sh
7) save the file
8) crontab /usr/local/etc/logcheck.cron
9) crontab -l   (see if it loaded)
10) /etc/rc.d/init.d/crond restart


--
Gerald Waugh
http://frontstreetnetworks.com  SOHO Networks & Web Site Hosting
Front Street Networks LLC     voice +1 203 785 0699 * fax +1 203 785 1787
229 Front Street, Ste. #C, New Haven CT 06513-3203
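An added example for the portsentry.conf step in Gerald's post (the one where port 143 is taken out of TCP_PORTS); this is not code from the post or from the portsentry project. portsentry in its classic tcp/udp modes binds every port it is told to watch, so any port that a real daemon on the box already serves must come out of the list or the two will collide. The helpers below strip a port from the comma-separated value, report which locally served ports still overlap the list, and apply the change to a copy of the conf file. The port list is the one shown in the post; the set of locally served ports (the pmfirewall answers marked with *, the two custom ports, plus an IMAP daemon on 143) is constructed for this example.

```sh
#!/bin/sh
# Added example, not code from the post or from portsentry.
# All sample values below are constructed for this example.

# TCP_PORTS value as it ships (the "before" list from the post).
SAMPLE_TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"

# Constructed: ports with a listening daemon on this box (services answered
# 'y' in the pmfirewall run, the two custom ports, and an IMAP server on 143).
LOCAL_SERVICES="20 21 22 23 53 80 110 123 143 443 81 444"

# strip_port LIST PORT: print the comma-separated LIST without PORT
# (exact match, so removing 1 does not touch 11 or 111).
strip_port() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -vx "$2" | paste -s -d, -
}

# list_conflicts LIST "P1 P2 ...": print each port of the space-separated
# service set that portsentry would also try to bind.
list_conflicts() {
    for p in $2; do
        case ",$1," in
            *",$p,"*) printf '%s\n' "$p" ;;
        esac
    done
}

# conflict_count LIST "P1 P2 ...": how many such overlaps exist.
conflict_count() {
    list_conflicts "$1" "$2" | wc -l | tr -d ' '
}

# fix_conf FILE PORT: remove PORT from the TCP_PORTS= line of FILE
# (a copy of portsentry.conf), leave every other line alone, and print
# the new value. Written via a temp file so a failed sed leaves FILE intact.
fix_conf() {
    old=$(sed -n 's/^TCP_PORTS="\(.*\)"$/\1/p' "$1")
    new=$(strip_port "$old" "$2")
    sed "s/^TCP_PORTS=\".*\"\$/TCP_PORTS=\"$new\"/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    printf '%s\n' "$new"
}

# Demonstration on the sample values.
echo "conflicts before edit: $(list_conflicts "$SAMPLE_TCP_PORTS" "$LOCAL_SERVICES" | paste -s -d' ' -)"
FIXED=$(strip_port "$SAMPLE_TCP_PORTS" 143)
echo "TCP_PORTS=\"$FIXED\""
echo "conflicts after edit: $(conflict_count "$FIXED" "$LOCAL_SERVICES")"
```

Run the conflict check again whenever a new daemon is added to the box or a new port is opened in pmfirewall.rules.local; the check is cheap and catches the case where a later service is put on a port portsentry is still watching.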