Firewall on server
Hello,
If I'm reading the PCI Compliance requirements correctly, I need to set up a firewall on the server supporting my web store. After several days of Googling the topic, studying iptables docs, etc., I still don't feel competent to do this.
My server is Apache2 running on Debian Etch. The store is PHP on MySQL. I use SSH for remote management and have locked out remote root login. The store processes credit cards with SSL and sends out e-mail confirmations.
I have a vague understanding of what needs to be done, but several warnings in the literature make me nervous about screwing it up. Can anyone point me to an up-to-date, straightforward recipe for doing this? Or perhaps give me some first-hand guidance?
Many thanks,
LRP
Re: Firewall on server
I'm no expert on setting up a firewall of this kind, but I can give you some basic advice.
Disabling root access to SSH is a good start; I would extend this by adding the AllowUser command to your sshd_config, followed by the users allowed to log in, separated by spaces.
Since your server is handling delicate info, I would even disable password login and switch to private key logins.
Don't use the same passwords for SQL, Apache or root access, to make it even harder to get into your stuff.
Now regarding the firewall: your main strategy should be to DROP EVERYTHING.
To be able to even make your website public you need to build exceptions to this rule, and so on for SSH login etc.
Instead of just ACCEPTING connections on your SSH port, which by the way should be changed from 22 to something else for even better security (this can simply be done with a POSTROUTING line in iptables), I recommend using port-knocking.
This is a basic idea of what could create a reasonably secured box, but again, I have no experience setting this up for commercial use.
best regards, sjors
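As an added example that is not part of this thread (it is not sjors' code), here is a default-DROP iptables ruleset along the lines of the advice above: everything inbound is dropped, with exceptions for loopback, replies to connections the server opened, HTTP/HTTPS from anywhere, and SSH only from a fixed set of admin addresses. The admin addresses, the SSH_PORT variable and the IPT=echo dry-run switch are my assumptions, not anything from the thread; port-knocking is left out. It is IPv4 only, which is what an Etch-era box had.

```shell
#!/bin/sh
# Added example, not from the thread: default-DROP iptables ruleset for a Debian web server.
# Run as root to apply. Set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
# Hypothetical admin addresses allowed to reach SSH (documentation ranges); replace with yours.
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10 198.51.100.0/24}"
SSH_PORT="${SSH_PORT:-22}"

firewall_rules() {
    # Start from a clean slate: flush rules and delete user-defined chains.
    $IPT -F
    $IPT -X
    # Default policy: drop everything inbound or forwarded; outbound is left open here.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback is needed by local services (MySQL socket clients, local mail submission).
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections the server itself opened (DNS, SMTP to your relay, apt).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets that belong to no known connection are dropped silently.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Public web store: HTTP and HTTPS from anywhere.
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    # SSH only from the admin addresses, one rule per address or range.
    for ip in $ADMIN_IPS; do
        $IPT -A INPUT -p tcp -s "$ip" --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    done
    # Rate-limited ping so external monitoring keeps working.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # Log a sample of what falls through to the DROP policy, so blocked traffic is visible.
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-DROP: "
}

# Entry point usable from an init script: start applies the rules, stop opens everything.
case "${1:-}" in
    start) firewall_rules ;;
    stop)  $IPT -F; $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT ;;
esac
```

Review the result with "IPT=echo sh firewall.sh start" before applying it for real, and apply it from a console or with a scheduled "iptables -F" fallback the first time, since a mistake in the SSH rule locks you out. The OUTPUT chain is left at ACCEPT to keep the example short; a stricter ruleset would also limit outbound traffic to DNS, your mail relay and the card processor.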
Re: Firewall on server
Thanks, sjors,
Great tips. Some I was aware of, but several are new.
One thing I don't understand is where to install firewall script. And, several docs say I need to enable CONFIG_NETFILTER. How do I check to see if this is enabled? If it isn't, how do I do so?
Thanks again,
lPrentice
Re: Firewall on server
In addition to my first reply: if you only need to SSH into your server from a few known places (i.e. IPs), it's even smarter to only allow traffic FROM those IPs to your SSH port, even if port-knocking is used.
But to answer your questions:
The firewall script is preferably stored in the /etc/init.d/ directory (chmod it to at least 755!); to make it run at boot, execute 'update-rc.d firewall.scriptname defaults'.
The system will echo which files it creates (some S... and K... files in each of your rc%.d dirs, which contain the boot scripts for run level %).
CONFIG_NETFILTER is a kernel option which enables you to scan inet packages. I tried to locate my own kernel config but I cannot find it (it should be in /proc/config.gz or /usr/src/linux.../), but as far as I know kernels above 2.6.16 are already compiled with it enabled.
I've also read 'somewhere' that it should be possible to load it as a module into your kernel, but you should dig deeper into it to be sure.
You can always compile your own kernel with CONFIG_NETFILTER enabled.
regards sjors
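As an added example (not part of the thread), here is a small script that answers lPrentice's question about checking CONFIG_NETFILTER without rebuilding anything. On Debian the config of the running kernel is normally at /boot/config-$(uname -r); /proc/config.gz only exists when the kernel was built with CONFIG_IKCONFIG_PROC. The script reads whichever copy it finds and reports y (built in), m (module) or n for the options a packet filter needs; the file search order and the option list are my choices.

```shell
#!/bin/sh
# Added example, not from the thread: report whether the kernel has netfilter/iptables support.
# Needs no root. Pass a config file explicitly to inspect a kernel other than the running one.

# Candidate locations, most reliable first. Returns the first readable one.
find_kernel_config() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz /usr/src/linux/.config; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Print y, m or n for one CONFIG_ option. "# CONFIG_X is not set" lines yield n.
config_option() {  # $1 = config file, $2 = option name
    cfg=$1; opt=$2
    case "$cfg" in
        *.gz) val=$(gzip -dc "$cfg" | sed -n "s/^$opt=//p") ;;
        *)    val=$(sed -n "s/^$opt=//p" "$cfg") ;;
    esac
    case "$val" in
        y|m) echo "$val" ;;
        *)   echo n ;;
    esac
}

# The options an iptables filter table depends on (2.6-era names).
netfilter_status() {  # $1 = config file
    for opt in CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER; do
        echo "$opt=$(config_option "$1" "$opt")"
    done
}

# Independent check of the live kernel: this file exists once ip_tables is loaded or built in.
iptables_loaded() {
    [ -r /proc/net/ip_tables_names ]
}

# Report for the running kernel; failures here are informational only.
if cfg=$(find_kernel_config); then
    echo "kernel config: $cfg"
    netfilter_status "$cfg"
else
    echo "no kernel config found; try 'iptables -L' as root instead" >&2
fi
if iptables_loaded; then echo "ip_tables is active"; fi
```

If CONFIG_NETFILTER reports n, the kernel cannot filter at all and the iptables commands will fail; if the other options report m, "modprobe ip_tables" (or simply running iptables, which autoloads the module) makes the filter table available, which is what the "load it as a module" remark above refers to.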