Sunday, November 14, 2010

Ten iptables firewall rules to secure Linux box

Linux users have some inherent advantages over our fellow Windows users when it comes to security. Linux is both more secure and less common than Windows based systems with the consequence that attacks on Linux systems occur less frequently than on Windows systems. Having said that it would be foolish to be complacent about securing any system regardless of whether it runs Windows, Linux or any other operating system.
How do we do this?
Use a firewall, the first line of defense. A firewall is a gateway that filters incoming and outgoing network packets according to pre-defined rules. In the IT world there are two types of firewalls: software and hardware. Cisco PIX/ASA and NetASQ are examples of hardware firewalls; ISA, SELinux and iptables are examples of software firewalls.

The iptables tool is a magnificent means of securing a Linux box. But even after you gain a solid understanding of the command structure and know what to lock down and how to lock it down, iptables can be confusing. The nice thing about iptables is that its protection is fairly universal, so having a few iptables rules to put together into a script can make this job much easier.
With that in mind, let’s take a look at 10 such commands. Some of these rules will be more server oriented, whereas some will be more desktop oriented. For the purpose of this article, I'm not going to explain all of the various arguments and flags for iptables. Instead, I’ll just give you the rule and explain what it does. For more information on the specifics of the rule, you can read the man page for iptables, which will outline the arguments and flags for you.

1: iptables -A INPUT -p tcp --syn -j DROP

This is a desktop-centric rule that will do two things: First it will allow you to actually work normally on your desktop. All network traffic going out of your machine will be allowed out, but all TCP/IP traffic coming into your machine will simply be dropped. This makes for a solid Linux desktop that does not need any incoming traffic. What if you want to allow specific networking traffic in -- for example, ssh for remote management? To do this, you'll need to add an iptables rule for the service and make sure that service rule is run before the rule to drop all incoming traffic.

2: iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT

Let's build on our first command. To allow traffic to reach port 22 (secure shell), you will add this line. Understand that this line will allow any incoming traffic into port 22. This is not the most secure setup alone. To make it more secure, you'll want to limit which machines can actually connect to port 22 on the machine. Fortunately, you can do this with iptables as well. If you know the IP address of the source machine, you can add the -s SOURCE_ADDRESS option (where SOURCE_ADDRESS is the actual address of the source machine) before the --destination-port portion of the line.

3: /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This will allow all previously initiated and accepted exchanges to bypass rule checking. The ESTABLISHED and RELATED arguments belong to the --state switch. The ESTABLISHED argument says, "Any packet that belongs to an existing connection," and the RELATED argument says, "Any packet that does not belong to an already existing connection but is related to an existing connection." The "state machine" of iptables is a means for iptables to track connections with the help of the kernel level "conntrack" module. By tracking connections, iptables knows what connections can be allowed and what can’t. This reduces the amount of work the administrator has to do.
Here's how state works. If the local user initiates a connection, that packet (to that connection) is set as NEW in the pre-routing chain. When the local user gets a return packet, the state is changed to ESTABLISHED in the pre-routing chain. So when a state is set as ESTABLISHED, it can be allowed with the right iptables rule.

4: iptables -N LOGDROP

With this handy chain, iptables will log all dropped packets. Of course, this is only part of the chain. To complete it, you need to add the following two rules (chain names are case-sensitive, so the name must match the one given to -N):

a) iptables -A LOGDROP -j LOG

b) iptables -A LOGDROP -j DROP

Now all matching packets (in this case, anything that has been dropped) will be sent to the LOGDROP chain, which will log them and then drop them.
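Rules 1 to 4 assembled into one ordered desktop rule set, as an added example that is not part of the original post. TRUSTED_SSH_SRC is an assumed placeholder for the admin workstation, and the LOG rule carries a rate limit the post's chain does not have.

```shell
#!/bin/sh
# Added example, not from the original post: rules 1-4 assembled into one
# ordered INPUT chain. Order is what makes it work: the ESTABLISHED,RELATED
# and ssh ACCEPT rules must sit above the catch-all SYN drop, or the drop
# wins. As in rule 1, only TCP connection attempts are dropped; UDP and ICMP
# are untouched. TRUSTED_SSH_SRC is an assumed placeholder (TEST-NET-1 address).
TRUSTED_SSH_SRC="${TRUSTED_SSH_SRC:-192.0.2.10}"

# Emit the rule set on stdout so it can be reviewed before it is applied.
desktop_rules() {
    cat <<EOF
iptables -F INPUT
iptables -N LOGDROP 2>/dev/null || iptables -F LOGDROP
iptables -A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: "
iptables -A LOGDROP -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --syn -s $TRUSTED_SSH_SRC --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --syn -j LOGDROP
EOF
}

# Return 0 only if the ssh ACCEPT line comes before the catch-all SYN drop.
check_order() {
    rules=$(desktop_rules)
    accept_at=$(printf '%s\n' "$rules" | grep -n -- '--dport 22 -j ACCEPT' | cut -d: -f1)
    drop_at=$(printf '%s\n' "$rules" | grep -n -- '--syn -j LOGDROP' | cut -d: -f1)
    [ -n "$accept_at" ] && [ -n "$drop_at" ] && [ "$accept_at" -lt "$drop_at" ]
}

# Print by default; APPLY=1 feeds the rules to the kernel (needs root).
if [ "${APPLY:-0}" = "1" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "APPLY=1 needs root" >&2; exit 1; }
    check_order || { echo "rule order is wrong, refusing to apply" >&2; exit 1; }
    desktop_rules | sh -e
else
    desktop_rules
fi
```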

5: iptables -t nat -A PREROUTING -i WLAN_INTERFACE -p tcp --dport PORTNUMBERS -j DNAT --to-destination DESTINATION_IP

When you need to route packets from external sources to specific ports on specific internal machines, this is what you have to do. This rule takes advantage of network address translation to route packets properly. To suit your needs, the WLAN_INTERFACE must be changed to the WLAN interface that bridges the external network to the internal network, the PORTNUMBERS must be changed, and DESTINATION_IP must be changed to match the IP address of the destination machine.

6: iptables -A INPUT -p tcp --syn --dport 25 -j ACCEPT

This is the beginning of a SYN flood protection rule. This portion of the rule blocks DoS attacks on a mail server port. (You can change this to suit your mail server needs)
There are three more portions of this rule set. The first is to add the same rule for each of the other ports you have open. The next portion is iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT, which is the actual SYN flood protection. Finally, iptables -A INPUT -p tcp --syn -j DROP will drop all SYN flood packets.
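What "--limit 1/s --limit-burst 4" actually lets through is easier to see with a model of the match than from the rule alone. The script below is an added example, not code from the post; it mirrors the credit bucket used by the kernel's limit match (credit kept in milliseconds, one interval spent per accepted packet, refilled by elapsed time and capped at burst intervals). Rule 8's "--limit 1/s" uses the same match with the default burst of 5.

```shell
#!/bin/sh
# Added example, not from the original post: a model of the token bucket
# behind "-m limit --limit RATE/s --limit-burst BURST" from rule 6.
# Credit starts full (BURST intervals, one interval = 1000/RATE ms), grows
# with elapsed time up to that cap, and every accepted packet spends one
# interval. Arguments: rate (packets per second), burst, then packet arrival
# times in milliseconds. Prints ACCEPT/DROP per packet, then the accepted count.
limit_sim() {
    rate=$1; burst=$2; shift 2
    interval=$((1000 / rate))
    cap=$((burst * interval))
    credit=$cap          # the bucket starts full, so the first BURST packets pass
    last=0; accepted=0
    for t in "$@"; do
        credit=$((credit + t - last))
        if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
        last=$t
        if [ "$credit" -ge "$interval" ]; then
            credit=$((credit - interval))
            accepted=$((accepted + 1))
            echo "t=${t}ms ACCEPT"
        else
            echo "t=${t}ms DROP"
        fi
    done
    echo "$accepted"
}

# Just the number of packets the limit lets through.
limit_accepted() { limit_sim "$@" | tail -n 1; }

# Constructed sample: ten SYNs within 90 ms, then one more a second later.
limit_sim 1 4 0 10 20 30 40 50 60 70 80 90 1040
```

At 1/s with burst 4, the ten-packet burst gets exactly four SYNs through and the eleventh passes only because a full second of credit has accrued.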

7: iptables -A INPUT -p tcp -m tcp -s MALICIOUS_ADDRESS -j DROP

This is where you can take care of malicious source IP addresses. For this to work properly, you must make sure you know the offending source IP address and that, in fact, it's one you want to block. The biggest problem with this occurs when the offending address has been spoofed. If that's the case, you can wind up blocking legitimate traffic from reaching your network. Do your research on this address.

8: iptables -N port-scan

This is the beginning of a rule to block furtive port scanning. A furtive port scan is a scan that detects closed ports to deduce open ports. Two more lines are needed to complete this rule:

iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN

iptables -A port-scan -j DROP

Notice that the above rule set is adding a new chain called "port-scan". You don't have to name it such; it's just easier to keep things organized. You can also add timeouts to the above rule set like so:

iptables -A specific-rule-set -p tcp --syn -j syn-flood

iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
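The syn-flood and port-scan chains of rules 6 and 8 built out and wired into INPUT, as an added example that is not part of the original post. Unlike the post's ordering, the SYN limit here applies to every new connection, served ports included, and the jump lines above reference chains the post never creates, so the script checks for that. SERVICE_PORTS is an assumed placeholder for the ports this host serves.

```shell
#!/bin/sh
# Added example, not from the original post: the syn-flood and port-scan
# chains from rules 6 and 8 built out and hooked into INPUT. Packets under
# the limit RETURN to INPUT and keep going down the chain; the excess is
# dropped inside the user-defined chain. check_chains guards against the
# loose ends in the post (jumps to chains that were never created with -N).
# SERVICE_PORTS is an assumed placeholder for the ports this host serves.
SERVICE_PORTS="${SERVICE_PORTS:-22,25}"

server_rules() {
    cat <<EOF
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
iptables -N port-scan
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A port-scan -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
iptables -A INPUT -p tcp --syn -m multiport --dports $SERVICE_PORTS -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
EOF
}

# Reads a rule set on stdin; returns 0 when every user-defined chain named
# after -j is created by an -N line, otherwise lists the missing chains.
check_chains() {
    rules=$(cat)
    defined=$(printf '%s\n' "$rules" | sed -n 's/^iptables -N \([^ ]*\).*/\1/p')
    missing=0
    for target in $(printf '%s\n' "$rules" | sed -n 's/.* -j \([^ ]*\).*/\1/p' | sort -u); do
        case "$target" in ACCEPT|DROP|REJECT|RETURN|LOG|DNAT|SNAT|MASQUERADE) continue ;; esac
        printf '%s\n' "$defined" | grep -qx -- "$target" || { echo "undefined chain: $target"; missing=1; }
    done
    return $missing
}

# Validate, then print the rule set; apply with: server_rules | sudo sh -e
server_rules | check_chains && server_rules
```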

9: iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports ssh,smtp,http,https -j ACCEPT

What you see here is a single rule making use of the multiport match, which lets you list several ports in one rule instead of writing a separate rule for each. This one line saves you from writing out four separate rules, one each for ssh, smtp, http, and https. Naturally, you can apply this to ACCEPT, DENY, REJECT.

10: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 0 -j DNAT --to-destination 192.168.1.10:80

If you're looking to load balance between multiple mirrored servers (in the example case, load balancing a Web server at 192.168.1.10), this rule is what you want. At the heart of this rule is the nth extension, which tells iptables to act on every "nth" packet. In the example, iptables uses counter 0 and acts upon every 4th packet. You can extend this to balance out your mirrored sites this way. Say you have four mirrored servers up and you want to balance the load between them. You could have one line for each server like so:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 0 -j DNAT --to-destination 192.168.1.10:80

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 1 -j DNAT --to-destination 192.168.1.20:80

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 2 -j DNAT --to-destination 192.168.1.30:80

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 3 -j DNAT --to-destination 192.168.1.40:80

As you can see, of every four new connections the server on .10 receives packet 0, the server on .20 packet 1, the server on .30 packet 2, and the server on .40 packet 3.
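A generator for the per-server DNAT lines of rule 10 for any number of mirrors, as an added example that is not part of the original post. The post's nth match with a shared --counter is a patch-o-matic extension; stock iptables ships the statistic match, whose nth counter is per rule, so the generated rules cascade (every N, then every N-1 of what is left, with the last mirror taking the remainder) rather than all using --every 4.

```shell
#!/bin/sh
# Added example, not from the original post: emit the DNAT rules of rule 10
# for an arbitrary list of mirrors. Stock iptables has no "-m nth"; it has
# "-m statistic --mode nth", whose counter is private to each rule. With
# per-rule counters a round robin over N servers is a cascade: rule 1 takes
# every Nth packet, rule 2 every (N-1)th of those that remain, and so on,
# with the last server catching everything left over.
# Usage: lb_rules IFACE PORT SERVER...   (prints rules, touches nothing)
lb_rules() {
    iface=$1; port=$2; shift 2
    remaining=$#
    for server in "$@"; do
        match=""
        if [ "$remaining" -gt 1 ]; then
            match="-m statistic --mode nth --every $remaining --packet 0 "
        fi
        echo "iptables -t nat -A PREROUTING -i $iface -p tcp --dport $port -m state --state NEW ${match}-j DNAT --to-destination $server:$port"
        remaining=$((remaining - 1))
    done
}

# Number of rules the generator produces (one per mirror).
lb_rule_count() { lb_rules "$@" | wc -l | tr -d ' '; }

# Constructed sample: the four mirrors from the post.
lb_rules eth0 80 192.168.1.10 192.168.1.20 192.168.1.30 192.168.1.40
```

Because DNAT decisions are made on the first packet of a connection and then followed by conntrack, the balancing is per connection, not per packet.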

These 10 iptables rules will help you secure your Linux server. Of course, with anything Linux, there are multiple possibilities to achieve the same results. But these rules should serve as an outstanding springboard for Linux server security -- as well as Linux security discussion.

Saturday, November 13, 2010

Five Reasons why Linux is not winning over Windows:

Linux has soared in recent years both in servers and desktops. Several factors are contributing to this surge, all happening at once. First, there is a change in the trend from powerful desktops to smaller, but less powerful, notebooks -- and now, netbooks. In addition, more user (and media) friendly Linux distributions, such as Ubuntu, have hit the scene. Not to mention the surge in the embedded world, especially with the Linux-based Android giving it a boost in smartphone sales. Finally, here comes the OS everybody loves to hate: Windows Vista -- significantly more resource hungry than XP and perhaps released a little too soon. All these factors probably made many users think of giving Linux a shot.

Most people think of Linux as something tedious they came across at college. Other people think of it as something used by scientists and run on powerful but expensive workstations. The main concern with Linux is that it is not as easy as MacOS or Windows, and users simply miss their familiar Windows functions. Likewise, there are a number of reasons why Linux isn’t winning over Windows. I'm going to look at 5 of these reasons, some that apply primarily to servers, some to desktops, and some to both.

1) Misleading cost comparisons

Let’s get what may be the most controversial point out of the way early. First, in the server space especially, we should try to compare apples to apples. This means comparing Windows Server to paid Linux. By far the most dominant flavor is Red Hat Enterprise Linux (RHEL), with about a two-thirds share of the paid enterprise Linux market, so this seems the most logical comparison. While there are plenty of free options out there, such as CentOS, for a business running mission-critical workloads, an unsupported operating system is a hard pill to swallow.
There are a couple of ways we can look at cost, neither of which is nearly as flattering to Linux as one might expect. First, we can look at the costs directly related to the acquisition of the platform. RHEL is a subscription-based license, meaning that rather than pay for the software itself, you pay for support. This doesn’t mean just phone tech support or troubleshooting (although that is included too, whether you want it or not) but also includes standard patches and bug fixes. Standard support for RHEL 5 Advanced Platform is $1,499 per year per server, or $4,047 for three years. Compare this with $3,999 for Windows Server 2008 Enterprise edition with free patching and bug fixes, and you can basically call it a wash unless you use a lot of phone support. And there are also features that aren’t included and must be purchased separately, such as Red Hat Directory Server, a few more bucks per annum. The other way of looking at cost is total cost of ownership (TCO) of the platform, and this explains our next reason.

2) Windows experts are more readily available

When looking at TCO, we’re not just looking at the software costs but also at staffing and administration costs, costs due to downtime, hardware costs, etc. Of these, staffing is the largest, accounting for more than half of the TCO. Here, Windows wins out because IT pros experienced with Windows are much more plentiful and generally cheaper to hire than Linux experts and because they can often be more productive.
With Linux, efficient management over many machines usually means going to the command line and pounding out a script to automate a process -- which is cool. However, with Windows Server 2008, PowerShell is now built in, which means the Windows guys can do that too, arguably better. Add that to the System Center family of tools, where virtually all management tasks are available at the click of a button (and which really have no peer on the Linux side), and Windows is simply easier to manage.

3) Linux is not competing head to head

The last reason Linux isn’t winning over Windows in the server side is that it’s not really the primary focus. Right now, both Linux and Windows are gaining in server market share. How is that possible? Old granddaddy UNIX is being thrown under the bus to make it happen. Today, companies are dumping their old mainframe or proprietary UNIX servers for cheaper x86-based commodity hardware. It’s easy for a Linux sales guy to come in and make the value proposition: “It’s essentially the UNIX you know and love, but it runs on hardware a fraction of the cost.”
Unfortunately, the market for UNIX conversions and mainframe modernization is drying up. When those deals are gone, Linux will have to compete head-to-head with Windows to continue its growth, and this is a much harder proposition to make. Why should an organization already using Windows change platforms and have to build whole new skill sets around Linux?

4) Advancement in hardware

While Windows 7 is significantly faster than Vista, I don’t claim that it will be as friendly to the lowest end hardware as Linux. As time marches on, hardware improves. We can now get a quad-core processor and 8 gigs of RAM in our laptops. Intel has a dual-core Atom processor out, and even if it is made for nettops rather than netbooks, it's a safe bet that a dual-core Atom with netbook-friendly power consumption levels is right around the corner. In any case, as hardware continues to advance, that aspect of the Linux argument will become more and more irrelevant.
Also, while we’re on the topic of netbooks, let’s not forget that while these may seemingly be the perfect candidates for conversion from Windows to Linux, according to a Laptop Magazine interview of MSI’s director of U.S. sales, Andy Tung, the return rate of netbooks running Linux is much greater than the rate of those running Windows.
“They start playing around with Linux and start realizing that it’s not what they are used to. They don’t want to spend time to learn it so they bring it back to the store. The return rate is at least four times higher for Linux netbooks than Windows XP netbooks”

5) The much-acclaimed open source model doesn’t stand up to scrutiny

Much of the hype about Linux is really more about open source development in general. The buzzwords all sound good: open source is all about sharing, collaboration, proliferation of knowledge etc. To a certain extent, there is nothing wrong with the open source model, and it surely helps in the advancement of software development. As a business model and a model for end-user products, though, it's less reasonable. Here, it causes a lack of standardization. Ego issues among different developers collide, and the final product suffers. Let's not forget the old saying “Too many cooks spoil the broth.”
Another claim is that Linux and open source software are more secure than Windows and Microsoft software. This is largely based on problems with legacy versions of Windows. Back in the NT and Windows 2000 days, there were valid points to be made, but this is far less true today. The last several years have seen a massive emphasis on security across the industry. And now, with Windows Server 2008, Windows Vista, and the whole Forefront line of products, Microsoft is running a pretty tight ship -- enough so that major competitors such as Red Hat are not really bringing up the security argument against Windows anymore.