Haven't time to give you a really worthwhile answer right now - I'll try to get back later today or tomorrow - but I'll try to make the high level points now and get back to a bit of detail later, perhaps in the light of your further comments.
More use than most of the things that I am about to say is a manual; the man page is pretty good (...for a man page...), but the thing over at
frozentux is the one I'd go for. Manual.tutorial and a good reference source, you don't want to be without (eg, download the pdf version).
Quote:
|
1) Can I specify the interface always, in every rule or only for forwarding?
|
Always
Quote:
|
2) Can I reject instead dropping in all cases?, to cheat on vulnerability scanners or the "reject" rules I added are enough?
|
Reject or drop is your choice. If you have networking problems, reject can make them easier to debug, but does, potentially, make things easier for the bad guys. Drop isn't really in conformance with the relevant Internet RFQs, but a lot of people feel that it is the lesser of two evils.
At this point, I should step back from the strictly iptables questions, and suggest that you also need to think about how your network is set up. Try
Linuxhomenetworking, which is (I think) a bit out of date these days, but does go through this stuff in detail.
In particular, SSH port: don't regard moving the port as an adequate security measure by itself (well, perhaps unless you can block scanning, which may be easy enough, but it isn't really guaranteed to keep working if people improve scanning algoritms, so may be best not to rely on).
If people can port scan you, moving the port is only worth an extra 20 seconds worth of security, which is essentially nothing; it will keep your log files cleaner though, and that might be worth having. There is a page on
samhain which goes in to the options. The simplest is probably:
- disallow ssh v1 (everyone should be doing that by default)
- disallow root log in via ssh
- use passwordless, provided that you have a safe and secure way of distributing the keys
- (moving the port will keep the log files 'cleaner' and that may have a real value in making attacks stand out)
Quote:
|
3) What the hell is conntrack?
|
It is an add-on (module) for iptables to allow more sophisticated
connection tracking things.
Quote:
|
This is for a production server which runs a website (2 websites)...
|
Would you describe it as 'local' or 'remote'? If remote, there are some mistakes that you really don't want to make, because you'll have to travel to put them right.
Both Apache and Nginx? That seems a bit excessive, but there may be reasons connected with your two different websites that makes this essential.
All of these panel things bring certain considerations with them (and plesk may one of the better ones, but still). They are buggy; going on history, and assuming that the past is the same as the future, every so often a bug is discovered that renders your site vulnerable. When that does happen, the important thing is to be able to get the patched version in place as fast as is possible to limit the vulnerability.
I would have expected some mention of a CMS-like thing (eg, Drupal, Wordpress, etc) or something similar. I hope you aren't running a home-brewed equivalent, because those are usually vulnerable in mysterious and unknown ways.
something else you may be able to consider is to limit traffic to and from potentially vulnerable services to traffic that is local to some more trustworthy net range (eg, inside your organisation, whatever that comprises). If, eg, ssh, plesk can only communicate with what are machines local to your administrative area, that reduces the worries a bit.
A more general question is whether it is sensible to have all of this on one machine; it might be ok from a throughput point of view (or, it might not, depends on whether the websites are busy and whether they stay that way) but you might be creating something that is difficult to administer from a security and availability point of view. Imagine, for example, a new version of a database (again two!) is released and this version corrects a potential security issue. How do you ensure that everything works before installing it? Does it (potentially) break both your websites? Is that a risk you can take (if, for example, it was an internal organisation website, it might be tolerable, in some other cases it might not)?
I still didn't see anything about what DNS does.
Quote:
|
6) I saw many versions of my last rules for outgoing traffic (I want to allow all outgoing traffic), its the mine correct?
|
I think, no. The rule
Code:
#ALLOW ALL OUTPUT TRAFFIC
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
doesn't allow any new traffic. Now, it may be that the traffic that you are concerned about is the website traffic, and it actually starts as 'related' (related to some existing connection that someone has already made to a webserver), but I would think not all of it.
One way to proceed would be to log packets that you are dropping and have a look at the logfile to see what you are dropping and whether you really wanted to drop those packets. That's a bit 'trial and error' though, and you are probably better trying to 'design it right' and then just look at logs for conformation.
