Here’s a basic step-by-step to harden a CentOS 6.4 server via the iptables firewall:
- Set up iptables to drop everything not explicitly allowed (from here: http://ift.tt/LGueEJ)
1. iptables -F (clears all rules)
2. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP (drop “null” packets)
3. iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP (drop syn flood packets)
4. iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP (drop “christmas” packets)
5. iptables -A INPUT -i lo -j ACCEPT (accept local loopback interface)
6. iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT (accept SSH)
7. iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT (allow return traffic from established outgoing connections)
8. iptables -P OUTPUT ACCEPT (by default allow outgoing connections)
9. iptables -P INPUT DROP (by default drop incoming connections unless rules match)
10. iptables-save
11. iptables -L (list rules)
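The steps above, as an added example that is not from the original post: a POSIX shell function that emits the same ruleset in iptables-restore format (the format of /etc/sysconfig/iptables on CentOS 6), so the rules can be reviewed as a file before being loaded rather than applied one command at a time. It goes beyond the page in two labelled places: the allowed inbound TCP ports are a parameter (defaulting to 22), and the FORWARD chain is also given a DROP policy.

```shell
# Added example: build the ruleset as an iptables-restore file. The rule order
# matches the page's final order (the ESTABLISHED,RELATED rule, inserted with
# -I on the page, ends up first in the INPUT chain).
gen_ruleset() {
    # Allowed inbound TCP ports, space-separated; defaults to 22 as on the page.
    ports="${1:-22}"
    printf '%s\n' '*filter'
    # Default policies: drop inbound unless a later rule accepts, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]'
    # Addition beyond the page: a server that does not route should not forward.
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Return traffic of connections this host initiated.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Malformed TCP flag combinations (null and xmas scans) and NEW without SYN.
    printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
    printf '%s\n' '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP'
    printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
    # Loopback and the explicitly allowed services.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Review helper: number of inbound TCP ports a generated ruleset opens.
count_open_ports() {
    gen_ruleset "$1" | grep -c -- '--dport'
}

# Review helper: the first rule in the INPUT chain (should be the state rule).
first_input_rule() {
    gen_ruleset "$1" | grep -- '^-A INPUT' | head -n 1
}

# Typical use: gen_ruleset "22 443" > /tmp/iptables.rules, inspect the file,
# then load it as root with: iptables-restore < /tmp/iptables.rules
```

Note that `iptables-save` on its own (step 10) only prints the running ruleset to stdout; on CentOS 6, `service iptables save` is what writes it to /etc/sysconfig/iptables so it survives a reboot.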