One of the first things I do on any machine is lock its network access down. It makes sense to make sure you only run and expose what you need, to who you need to.
Let’s take a look at what’s open by default on a standard smartmachine install:
Khushils-MacBook-Pro:~ kdep$ nmap -Pn SERVER_IP_ADDRESS

Starting Nmap 6.25 ( http://nmap.org ) at 2012-12-19 22:18 GMT
Nmap scan report for SERVER_IP_ADDRESS
Host is up (0.021s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
37/tcp   filtered time
119/tcp  filtered nntp
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
563/tcp  filtered snews
6969/tcp filtered acmsoda

Nmap done: 1 IP address (1 host up) scanned in 43.24 seconds
That’s not very secure.
Update 20-12-2012 : As @jasonh pointed out, that is actually secure, with only port 22 being open. I’d managed to completely miss that the other ports are actually filtered, meaning that in response to the SYN packet, there was no response, not even a RST. In my defence it was late at night and I may have been slightly tipsy.
In theory, you could stop at this point and wend your merry way hence. However, as I’m from Linux, where a lot of stuff comes installed and started on a default install, and I’m used to doing the following as a minimum when I build/configure, I’ll document it anyway:
We’re going to use IPFilter to lock down connectivity to our box and its own network edge.
Log in and edit the file /etc/ipf/ipf.conf. This file contains some basic pre-installed configuration. At first, we will want to lock this down quite hard. Let’s make sure that only SSH is exposed and then only to our IP address. The lines you’re looking for in the file are:
# Allow all outgoing connections
pass out from SERVER_IP_ADDRESS to any keep state
# Allow SSH
pass in quick from YOUR_IP_ADDRESS to SERVER_IP_ADDRESS port=22
# Block everything else coming in
block in from any to SERVER_IP_ADDRESS
That first line tells IPF to allow all outbound connections and maintain state.
The second allows port 22 connections but only from YOUR_IP_ADDRESS. This assumes that your SSH daemon is listening on port 22 – which it will be unless you’ve fiddled with it.
Ensure that you get at least the YOUR_IP_ADDRESS correct in the step above. Failure could lock you out of your own system, requiring support intervention – or as @AlainODea suggested, crontab a reset in now+20min just to be on the safe side. Something like the following should do the trick. Remove once you’re happy you haven’t locked yourself out of the system.
# Safety net: disable IPFilter at minutes 0 and 20 of every hour; remove once access is confirmed
0,20 * * * * /usr/sbin/ipf -D > /dev/null 2>&1
The last line blocks all other traffic to any other ports on our SERVER_IP_ADDRESS.
Now that’s done, we can enable the service:
svcadm enable network/ipfilter
Now let’s make sure IPF actually picks up our ruleset:
ipf -Fa -f /etc/ipf/ipf.conf
Now log out and log back in. Let’s check that IPF picked it up:
[root@somewhere ~]# ipfstat -ioh
9 pass out from 37.153.97.131/32 to any keep state
7 pass in quick from any to 37.153.97.131/32 port = 22
2146 block in from any to 37.153.97.131/32
In this case I’ve connected a few times so my count is more than 1 (which yours should be at this stage). Take a look at the number of blocked connections though – interesting huh?
You can now work on this machine knowing that you’re relatively safe. As you add services and want to allow those services access from the outside world, add to the /etc/ipf/ipf.conf file as needed – always remember that rule order is important. For more IPF filter samples see here (quite old but relevant).
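Why rule order and the quick keyword matter for the three rules above, as an added example (not the author's code and not part of IPFilter): a small model of IPF's evaluation, where the last matching rule wins unless a matching rule carries quick. The addresses are constructed documentation-range values, the parser covers only the syntax shown on this page, and keep state is not modelled.

```python
import ipaddress

# Constructed documentation-range addresses standing in for the page's placeholders.
SERVER, ADMIN, OTHER = "192.0.2.10", "198.51.100.7", "203.0.113.50"

PAGE_RULES = [
    f"pass out from {SERVER} to any keep state",
    f"pass in quick from {ADMIN} to {SERVER} port=22",
    f"block in from any to {SERVER}",
]
# Same rules with "quick" dropped from the SSH rule: the lockout case.
NO_QUICK = [r.replace(" quick", "") for r in PAGE_RULES]

def parse(line):
    """Parse only the subset of IPF rule syntax that appears on this page."""
    tok = line.replace("=", " = ").split()
    return {
        "action": tok[0],
        "dir": tok[1],
        "quick": "quick" in tok,
        "src": tok[tok.index("from") + 1],
        "dst": tok[tok.index("to") + 1],
        "port": int(tok[tok.index("port") + 2]) if "port" in tok else None,
    }

def addr_match(spec, ip):
    net = "0.0.0.0/0" if spec == "any" else spec
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def decide(rules, direction, src, dst, dport):
    """Return the modelled verdict: last match wins unless a match has 'quick'."""
    verdict = "pass"  # assumption: stock IPF default when no rule matches
    for r in map(parse, rules):
        if r["dir"] != direction or (r["port"] not in (None, dport)):
            continue
        if not (addr_match(r["src"], src) and addr_match(r["dst"], dst)):
            continue
        verdict = r["action"]
        if r["quick"]:
            break  # "quick" stops evaluation at this rule
    return verdict

if __name__ == "__main__":
    for name, rules in (("page rules", PAGE_RULES), ("without quick", NO_QUICK)):
        for src, port in ((ADMIN, 22), (OTHER, 22), (ADMIN, 80)):
            verdict = decide(rules, "in", src, SERVER, port)
            print(f"{name:14} {src:>13} -> {SERVER}:{port:<3} {verdict}")
```

Without quick on the SSH rule, the trailing block rule is the last match and the admin address is locked out, which is the situation the timed reset guards against.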



10 responses to “Basic network security for your joyent smartmachine”
@khushil 992 closed ports, 7 filtered/can’t ever use ports and only 1 open port (SSH) by default is a secure default /cc @joyent
@khushil for example, if you set your web server to port 445, then telnet server-ip 445 won’t do anything /cc @joyent
@khushil says the only open one is port 22, the rest of the list is filtered. Means that they’re blocked by us. /cc @joyent
@khushil create reset-ipf to rollback your firewall. Run “echo `pwd`/reset-ipf | at now + 20 minutes” as a rescue. atq, atrm to cancel.
@khushil s/expose what you need to/run what you need to/
Hah. Of course – many thanks for the spot. Corrected.