From: J. W. <web...@ho...> - 2010-04-28 08:50:22
Well, I have the following services running. I would like to use the standard "block all and open up what should be allowed" methodology, but unfortunately I can't know all the applications that my client computers might have and therefore the ports they use.

[root@server myscripts]# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      16781/openvpn
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      15291/mysqld
tcp        0      0 0.0.0.0:843             0.0.0.0:*               LISTEN      2357/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2320/portmap
tcp        0      0 88.xxx.xxx.xx8:80       0.0.0.0:*               LISTEN      11122/(squid)
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      11122/(squid)
tcp        0      0 88.xxx.xxx.xxx9:80      0.0.0.0:*               LISTEN      3416/httpd
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      2854/httpd-matrixsa
tcp        0      0 172.16.0.1:53           0.0.0.0:*               LISTEN      10999/named
tcp        0      0 88.xxx.xxx.xx9:53       0.0.0.0:*               LISTEN      10999/named
tcp        0      0 88.xxx.xxx.xx8:53       0.0.0.0:*               LISTEN      10999/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      10999/named
tcp        0      0 127.0.0.1:8087          0.0.0.0:*               LISTEN      6655/python
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      737/cupsd
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      10999/named
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      3509/master
tcp        0      0 :::1057                 :::*                    LISTEN      15331/sshd
tcp        0      0 ::1:953                 :::*                    LISTEN      10999/named
tcp        0      0 :::443                  :::*                    LISTEN      3416/httpd

So, would this work in my iptables? Is it even necessary, as most of those services won't be listening on 127.0.0.1 apart from maybe the squid cache manager and the webserver?

(The tcp match needs the protocol selected with -p tcp, otherwise iptables rejects --dport.)

-A INPUT -i tun+ -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -i tun+ -p tcp -m tcp --dport 843 -j DROP
-A INPUT -i tun+ -p tcp -m tcp --dport 111 -j DROP
-A INPUT -i tun+ -p tcp -m tcp --dport 5555 -j DROP
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT

----------------------------------------
> Date: Tue, 27 Apr 2010 14:29:56 +0200
> From: ope...@to...
> To: web...@ho...
> CC: ope...@li...
> Subject: Re: [Openvpn-users] Securing OpenVPN server guide?
>
> On 27/04/10 13:20, J. Webster wrote:
>>
>> I have got openvpn running on my system with certificates and open to
>> the IP addresses 17.xx.xx.x on the server.
>>
>> What should I definitely block off from the system so that clients using
>> the VPN cannot gain access, and how should I go about this in the
>> firewall?
>>
>> I'm guessing to block off intranet access to the webserver.
>>
>> I have mysql and some mail programs running as well - how can I block
>> those off?
>>
>> All other traffic from the clients, including web, email, etc., should be allowed.
>> Does anyone know of some decent links on this topic?
>
> This all is pure firewalling. So, if you're using Linux, you'll need to
> dig into iptables. If you're a *BSD user, pf is the thing to learn, I
> believe. If your server is on Windows, you'll need to figure out
> firewalling on Windows.
>
> Further, if you're using a routed environment and the VPN IP address is
> exposed to the internal networks (i.e. not NATed), then you can also
> harden web servers by disallowing VPN IP addresses. I believe you can
> do the same with MySQL as well - even though, iirc, with MySQL you
> usually block remote access by default and use GRANT to open access for
> users against databases and tables based on hostname wildcards and user
> names.
>
> You might also want to have a look at tcpwrapper (which also handles UDP
> connections) for those services supporting that.
>
> It's all about going through all your network services on each server
> and deciding where to allow traffic from. In general, I recommend
> blocking access for everything and everyone, and just opening up those
> holes you need to make things work for your users. If you then redesign
> the network or change VPN IP ranges, you don't need to modify that much.
>
> But start with firewalling, and then each service on each server
> accessible. Then you've come a long way in tightening the security.
>
> kind regards,
>
> David Sommerseth
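As an added example (not code from the thread), here is the "block everything, open only the holes you need" layout David describes, applied to the netstat listing above: the per-port DROP list is replaced by a chain that admits only DNS from the server and otherwise drops, and clients are forwarded out to the internet but not to local networks. The tunnel subnet 172.16.0.0/24 (with the server at 172.16.0.1, where named listens), the WAN interface name eth0 and the chain name VPN_IN are assumptions; the function prints the rules so they can be reviewed before being fed to sh.

```shell
#!/bin/sh
# Default-deny firewall for OpenVPN clients (added example, not from the thread).
# Assumptions: clients arrive on tun+, the VPN subnet is 172.16.0.0/24 with the
# server at 172.16.0.1 (matches the named listener in the netstat output), and the
# internet-facing interface is eth0.
VPN_IF="tun+"
VPN_NET="172.16.0.0/24"
DNS_IP="172.16.0.1"
WAN_IF="eth0"

# Print the rules rather than applying them, so they can be reviewed first.
vpn_rules() {
    cat <<EOF
iptables -N VPN_IN
iptables -A INPUT -i $VPN_IF -j VPN_IN
# Replies to connections the server itself opened towards a client.
iptables -A VPN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
# The only service clients need from the server: DNS on the tunnel address.
iptables -A VPN_IN -p udp -d $DNS_IP --dport 53 -j ACCEPT
iptables -A VPN_IN -p tcp -d $DNS_IP --dport 53 -j ACCEPT
# Uncomment to offer the squid proxy to clients:
# iptables -A VPN_IN -p tcp --dport 8080 -j ACCEPT
# Everything else the server listens on (3306, 111, 843, 5555, 25, ...) is
# unreachable over the tunnel, no matter which ports get added later.
iptables -A VPN_IN -j DROP
# Clients may reach the internet via the WAN interface, but not other local nets.
iptables -A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -j DROP
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Apply only when explicitly asked, e.g.:  sh vpn-firewall.sh --apply
if [ "$1" = "--apply" ]; then
    vpn_rules | sh
fi
```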