将Linux配置为堡垒主机
时间:2020-01-09 10:41:14 来源:igfitidea点击:
什么是堡垒主机?
如何在Linux下配置堡垒主机?
如何在任何Linux发行版下为堡垒主机创建防火墙?
堡垒主机是您网络上的高风险主机。
它可以是运行netfilter的专用Linux,也可以是运行PF或Cisco PIX设备的OpenBSD盒。
该设备旨在保护您的网络免受外部威胁。
The Internet
\
\
Bastion Host
//
//
Your Network
通常,堡垒主机位于公司防火墙外部或DMZ本身中。
The Internet
\
+---------------+
| Bastion Host |
In most cases it has access from the Internet or untrusted parties / computers. In some case a bastion host can be a:
Web server
DNS Server
FTP Server
Proxy Server
Honey pots
Email Server etc
WARNING! These examples needs a dedicated Linux box.You MUST know how to install programs on your computer, how to navigate file system, list open ports, configure iptables, write a firewall script and other advanced admin tasks.
Bastion Host and Screened Subnet
Bastion host adds an extra layer of security to the screened host architecture. It isolate your internal network form the Internet. The end result is that your bastion host is the primary target of Internet attacks. If someone beaks into the bastion host, your internal hosts are safe as the bastion host is isolated by the perimeter network. The bastion host firewall configuration has more security. Usually following is done on bastion hosts:
Firewall works in close all ports and opened required port mode only.
Intrusion detection system (IDS/IPS) such as as snort.
Security settings to avoid Denial of Service (DoS), spoofing, and flood attacks.
Undergo regular auditing.
Runs upto date software.
May run special kernel security patches.
All user accounts are locked down except admin account.
Encryption used for logging (ssh) or disk storage.
Remove all end user software and other network servers such as Apache, MySQL and so on.
TCP/IP stack tuned for network traffic including network buffers.
/etc/sysctl.conf customized to improve server security
Usually, the bastion host does act as proxy server. It allows and denies connection as created by your security policy.
How Do I Build Linux As a Bastion Host?
A Linux based bastion host can be build using the following steps:
Grab Debian / CentOS CD or your favorite Linux distribution.
Install minimum operating system. Avoid installing desktop software or other apps such as MySQL, Apache and other software.
Reboot the server.
Patch server.
Install grsecurity kernel patch and reboot the system.
Install additional software such as snort IDS and configure it.
Install Advanced Intrusion Detection Environment (AIDE) Software.
Make sure all security patches are installed.
Disable all network services except ssh.
Disable all other daemons.
Network tuning vis sysctl.conf
Configure firewall (see sample script below).
Remove centralized authentication such as LDAP.
Remove as many utilities and system configuration tools as is practical for your setup. No need to have gcc compilers and other unwanted tools. Use rpm/yum and dpkg command to list all packages.
Logging of all security related events and turn on auditing.
Write protect all log files and only allow them in append only mode using chattr command (e.g. chattr +a /var/log/messages or chattr +i /etc/shadow).
Encrypt all database passwords including file systems if possible.
Create system recovery DVD or tape.
Above all are generic and recommended steps to configure bastion host.
Sample Linux Iptables Bastion Host Rules
You need at least two network interface one is connected to the Internet via public IP and another private to your Lan.
#!/bin/sh
# The bastion host firewall for bhost.lan.theitroad.com
# The bastion host is also:
# (a) Mail server to relay mail to postfix.lan.theitroad.com
# (b) DNS server send zone trasfer to ns1.lan.theitroad.com and ns2.lan.theitroad.com
# (c) Allow incoming ssh / http / https to bhost.lan.theitroad.com from LAN SUBNET sothat
# we can manage bhost.lan.theitroad.com via ssh, and read snort stats via ACID web interface.
#--------------------------------------------------------------------------------------------------
### Set vars ###
IPT=/sbin/iptables
SYSCTL=/sbin/sysctl
### Set interfaces ###
EXT_IF="eth0" # The Internet
LAN_IF="eth1" # Lan
LOOP_BACK="lo"
### Block RFC 1918 private address space range ###
### Block reserved Class D and E IP ###
### Block the unallocated address range et all ###
SPOOFDIP="127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 168.254.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5 192.0.2.0/24"
### Set Lan Subnet ###
LAN_SUBNET="192.169.1.0/24"
### Set DNS Server IPs ###
NS1_SERVER_IP=192.168.1.130
NS2_SERVER_IP=192.168.1.131
### Set Postfix Server IP ###
SMTP_SERVER_IP=192.168.1.132
### Set port numbers ###
SSH_PORT=22
SMTP_PORT=25
HTTP_PORT=80
HTTPS_PORT=443
DNS_PORT=53
### Clean out old fw ###
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
### Turn on SYN flooding protection ###
$SYSCTL -w net/ipv4/tcp_syncookies=1
### Block out eveything ###
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
### Allow full access to loopback ###
$IPT -A INPUT -i ${LOOP_BACK} -j ACCEPT
$IPT -A OUTPUT -o ${LOOP_BACK} -j ACCEPT
### Block the RFC 1918 private address space ranges ###
for rfc in $SPOOFDIP
do
$IPT -A INPUT -i ${EXT_IF} -s ${rfc} -j LOG --log-prefix " SPOOF DROP "
$IPT -A INPUT -i ${EXT_IF} -s ${rfc} -j DROP
done
### Drop bad stuff ###
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN,PSH SYN,FIN,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN,RST SYN,FIN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN,RST,PSH SYN,FIN,RST,PSH -j DROP
# FIN-Only
$IPT -A INPUT -p tcp --tcp-flags FIN FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL SYN -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# FIN
$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
# NULL packets
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# XMAS
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Fragments
$IPT -A INPUT -f -j DROP
# sync
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
### Allows the bastion host to query remote DNS servers ###
$IPT -A INPUT -i ${EXT_IF} -p udp --dport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${EXT_IF} -p tcp --dport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${EXT_IF} -p udp --sport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${EXT_IF} -p tcp --sport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
### Allow internal DNS i.e. zone trasfer between the bastion and 2 LAN ns1 & ns2 ###
$IPT -A INPUT -i ${EXT_IF} -p udp -s ${NS1_SERVER_IP} --dport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${EXT_IF} -p udp -s ${NS2_SERVER_IP} --dport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${EXT_IF} -p tcp -s ${NS1_SERVER_IP} --dport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${EXT_IF} -p tcp -s ${NS2_SERVER_IP} --dport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
### Allow outgoing DNS and Zone transfers btw the bastion host and two 2 LAN ns1 & ns2 ###
$IPT -A OUTPUT -o ${EXT_IF} -p udp -d ${NS1_SERVER_IP} --sport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${EXT_IF} -p udp -d ${NS2_SERVER_IP} --sport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${EXT_IF} -p tcp -d ${NS1_SERVER_IP} --sport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${EXT_IF} -p tcp -d ${NS2_SERVER_IP} --sport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
### Allow LAN workstation to get into the bastion host via SSH but no access from the Internet ###
$IPT -A INPUT -i ${LAN_IF} -p tcp -s ${LAN_SUBNET} --dport ${SSH_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${LAN_IF} -p tcp -d ${LAN_SUBNET} --sport ${SSH_PORT} -m state --state ESTABLISHED -j ACCEPT
### Allow LAN workstation to get into the bastion host via HTTP to read SNORT stuff via web interface but no access from the Internet ###
### Read ACID stats ###
$IPT -A INPUT -i ${LAN_IF} -p tcp -s ${LAN_SUBNET} --dport ${HTTP_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${LAN_IF} -p tcp -d ${LAN_SUBNET} --sport ${HTTP_PORT} -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${LAN_IF} -p tcp -s ${LAN_SUBNET} --dport ${HTTPS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${LAN_IF} -p tcp -d ${LAN_SUBNET} --sport ${HTTPS_PORT} -m state --state ESTABLISHED -j ACCEPT
### External SMTP Rules ###
$IPT -A INPUT -i ${EXT_IF} -p tcp --dport ${SMTP_PORT} -m state --state NEW,ESTABLISHED - j ACCEPT
$IPT -A OUTPUT -o ${EXT_IF} -p tcp --sport ${SMTP_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
### Internal SMTP Rules ###
$IPT -A INPUT -i ${LAN_IF} -p tcp -s ${SMTP_SERVER_IP} --sport ${SMTP_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${LAN_IF} -p tcp -d ${SMTP_SERVER_IP} --dport ${SMTP_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
### Add your other rules below ###
### End no editing below ###
### Log ###
$IPT -A INPUT -m state --state INVALID -j LOG --log-prefix " INVAID DROP "
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -i ${EXT_IF} -j LOG --log-prefix " INPUT DROP "
$IPT -A OUTPUT -o ${EXT_IF} -j LOG --log-prefix " OUTPUT DROP "
上面的脚本是基本的,可以根据您的要求进行修改。
您还可以使用防火墙分发(例如pFsense或IPcop)自动丢失内容。
