Bastille

Bastille requires perl-tk.

apt-get install bastille

The firewall is controlled by /etc/init.d/bastille-firewall. The configuration file is

/etc/Bastille/bastille-firewall.cfg

which you may modify. After it has been installed, you can then test the firewall by using

/etc/init.d/bastille-firewall start

and (to remove all firewall rules)

/etc/init.d/bastille-firewall stop

Once you have a configuration that will work on your system, you can make it run at every normal boot-up by

# /usr/sbin/update-rc.d bastille-firewall start 40 S . stop 89 0 6 .
# /etc/init.d/bastille-firewall start

Questions asked during the interactive Bastille run (the answers chosen here are in the configuration listing below):

  • more restrictive permissions on the administration utilities? [N] (which include linuxconf, fsck, ifconfig, runlevel and portmap)
  • remove the SUID flag from programs:
    • (u)mount
    • ping
    • at
  • disable clear-text utilities: r*
  • password aging
  • restrict cron to admin users
  • default umask:
    • 002 - Everyone can read your files & people in your group can alter them.
    • 022 - Everyone can read your files, but no one can write to them.
    • 027 - Only people in your group can read your files, no one can write to them.
    • 077 - No one on the system can read or write your files.
  • disable root login on all ttys?
  • disable Ctrl-Alt-Del reboots?
  • password-protect single-user mode
  • Would you like to set a default-deny on TCP Wrappers and xinetd?
  • disable telnet
  • disable inetd ftp service?
  • display "Authorized Use" messages at login?
  • restrict gcc to root
  • put limits on resource usage? (anti-DoS)
  • restrict console access to a small group of user accounts?
  • additional logging → loghost
  • restrict privileged daemons
  • install TMP/TEMP dir scripts? (/tmp is often used in dangerous ways)
  • install firewall script? (helper for FW rules). Port syntax: "1024:" means port 1024 and higher, "1024:1048" is a range
  • DNS server? (leave blank if /etc/resolv.conf is to be used)
  • public interfaces
  • audit services
    • tcp
    • udp
  • allow services?
    • tcp: 80 8080 22 53
    • udp: 53
  • force passive ftp? yes
  • block services?
    • TCP (watch lsof -i)
    • UDP
  • allowed ICMP types: destination-unreachable echo-reply time-exceeded
  • source verification (anti-spoofing)
  • REJECT or DENY?
  • allowed outbound ICMP types: destination-unreachable time-exceeded
  • enable FW at boot time?

# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
FilePermissions.generalperms_1_1="Y"

# Q: Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="Y"

# Q: Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="N"

# Q: Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="Y"

# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
AccountSecurity.protectrhost="Y"

# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="N"

# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
AccountSecurity.cronuser="N"

# Q: Do you want to set the default umask? [Y]
AccountSecurity.umaskyn="Y"

# Q: What umask would you like to set for users on the system? [077]
AccountSecurity.umask="077"

# Q: Should we disallow root login on all ttys? [N]
AccountSecurity.rootttylogins="N"

# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]
BootSecurity.secureinittab="N"

# Q: Would you like to password protect single-user mode? [Y]
BootSecurity.passsum="N"

# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
SecureInetd.tcpd_default_deny="N"

# Q: Should Bastille ensure the telnet service does not run on this system? [y]
SecureInetd.deactivate_telnet="Y"

# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
SecureInetd.deactivate_ftp="Y"

# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
SecureInetd.banners="N"

# Q: Would you like to disable the gcc compiler? [N]
DisableUserTools.compiler="Y"

# Q: Would you like to put limits on system resource usage? [N]
ConfigureMiscPAM.limitsconf="N"

# Q: Should we restrict console access to a small group of user accounts? [N]
ConfigureMiscPAM.consolelogin="N"

# Q: Would you like to add additional logging? [Y]
Logging.morelogging="N"

# Q: Would you like to install TMPDIR/TMP scripts? [N]
TMPDIR.tmpdir="N"

# Q: Would you like to run the packet filtering script? [N]
Firewall.ip_intro="Y"

# Q: Do you need the advanced networking options?
Firewall.ip_advnetwork="N"

# Q: DNS Servers: [0.0.0.0/0]
Firewall.ip_b_dns="0.0.0.0/0"

# Q: Public interfaces: [eth+ ppp+ slip+]
Firewall.ip_b_publiciface="eth0"

# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
Firewall.ip_b_tcpaudit="telnet ftp imap imaps pop3 pop3s mysql ftp finger sunrpc exec login linuxconf ssh"

# Q: UDP services to audit: [31337]
Firewall.ip_b_udpaudit=""

# Q: ICMP services to audit: [ ]
Firewall.ip_b_icmpaudit=""

# Q: TCP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_b_publictcp="80 8080 22 53"

# Q: UDP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_b_publicudp="53"

# Q: Force passive mode? [N]
Firewall.ip_b_passiveftp="Y"

# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
Firewall.ip_b_tcpblock=""

# Q: UDP services to block: [2049 6770]
Firewall.ip_b_udpblock=""

# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded"

# Q: Enable source address verification? [Y]
Firewall.ip_b_srcaddr="Y"

# Q: Reject method: [DENY]
Firewall.ip_b_rejectmethod="DENY"

# Q: Interfaces for DHCP queries: [ ]
Firewall.ip_b_dhcpiface=""

# Q: NTP servers to query: [ ]
Firewall.ip_b_ntpsrv="ntps1-0.cs.tu-berlin.de"

# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
Firewall.ip_b_icmpout="destination-unreachable time-exceeded"

# Q: Should Bastille run the firewall and enable it at boot time? [N]
Firewall.ip_enable_firewall="N"
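As an added example (not part of Bastille or of these notes), a small Python review of an answer file in the format above: it pairs each `Module.key="value"` line with the Bastille default in the preceding `# Q: ... [default]` comment, lists every answer that deviates from the default, and flags the case in this listing where the packet-filtering script is configured but not enabled at boot. The sample text is constructed from the values above.

```python
import re

# Constructed sample in the Bastille answer-file format: a "# Q:" comment
# carrying the default in brackets, followed by the Module.key="value" line.
SAMPLE_CFG = """\
# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="N"
# Q: What umask would you like to set for users on the system? [077]
AccountSecurity.umask="077"
# Q: Would you like to run the packet filtering script? [N]
Firewall.ip_intro="Y"
# Q: TCP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_b_publictcp="80 8080 22 53"
# Q: Should Bastille run the firewall and enable it at boot time? [N]
Firewall.ip_enable_firewall="N"
"""

# A question line may or may not carry a bracketed default.
Q_RE = re.compile(r'^#\s*Q:\s*(?P<q>.*?)(?:\s*\[(?P<default>[^\]]*)\])?\s*$')
KV_RE = re.compile(r'^(?P<key>[A-Za-z]+\.[A-Za-z0-9_]+)="(?P<val>[^"]*)"\s*$')

def parse_cfg(text):
    """Return {key: (value, default)}; default is None when the Q line had none."""
    answers, pending_default = {}, None
    for line in text.splitlines():
        m = Q_RE.match(line)
        if m:
            d = m.group('default')
            pending_default = d.strip() if d is not None else None
            continue
        m = KV_RE.match(line)
        if m:
            answers[m.group('key')] = (m.group('val'), pending_default)
            pending_default = None
    return answers

def review(answers):
    """List the points a reviewer would raise before running the config."""
    findings = []
    for key, (val, default) in answers.items():
        if default is not None and val != default:
            findings.append(f"{key}: answered {val!r}, Bastille default is {default!r}")
    a = {k: v for k, (v, _) in answers.items()}
    if a.get('Firewall.ip_intro') == 'Y' and a.get('Firewall.ip_enable_firewall') != 'Y':
        findings.append('Firewall.ip_enable_firewall: script configured but not enabled '
                        'at boot; set it to "Y" or register it with update-rc.d')
    return findings

if __name__ == "__main__":
    for finding in review(parse_cfg(SAMPLE_CFG)):
        print(finding)
```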