Basic network security for your joyent smartmachine

One of the first things I do on any machine is lock its network access down. It makes sense to run and expose only what you need, and only to whom you need to.

Let’s take a look at what’s open by default on a standard smartmachine install:

Khushils-MacBook-Pro:~ kdep$ nmap -Pn SERVER_IP_ADDRESS
Starting Nmap 6.25 ( ) at 2012-12-19 22:18 GMT
Nmap scan report for SERVER_IP_ADDRESS
Host is up (0.021s latency).
Not shown: 992 closed ports
22/tcp open ssh
37/tcp filtered time
119/tcp filtered nntp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
563/tcp filtered snews
6969/tcp filtered acmsoda
Nmap done: 1 IP address (1 host up) scanned in 43.24 seconds

That’s not very secure.

Update 20-12-2012: As @jasonh pointed out, that is actually secure, with only port 22 being open. I’d managed to completely miss that the other ports are actually filtered, meaning that in response to the SYN packet there was no response, not even a RST. In my defence it was late at night and I may have been slightly tipsy.
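The distinction in that update is the one that matters when reading a scan: only ports reported open are reachable, while filtered ones never answered at all. The following is an added example, not code from the post, that reads an nmap "normal" report, counts the port states, and fails if anything other than the ports you intend to expose is open. SAMPLE_SCAN is the post's own scan embedded as constructed input; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the post: separate the ports that are actually
# reachable (open) from those that are merely filtered, then check the
# reachable set against what you intend to expose.
# SAMPLE_SCAN is the post's scan, embedded here as constructed test input.

SAMPLE_SCAN='Nmap scan report for SERVER_IP_ADDRESS
Host is up (0.021s latency).
Not shown: 992 closed ports
22/tcp open ssh
37/tcp filtered time
119/tcp filtered nntp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
563/tcp filtered snews
6969/tcp filtered acmsoda
Nmap done: 1 IP address (1 host up) scanned in 43.24 seconds'

# port_state_summary : nmap report on stdin -> "open=N filtered=N closed=N".
# Counts the per-port lines plus the "Not shown: N closed ports" summary, so
# the three numbers add up to the number of ports scanned.
port_state_summary() {
    awk '
        /^Not shown: [0-9]+ (closed|filtered) ports/ { n[$4] += $3 }
        $1 ~ /^[0-9]+\/(tcp|udp)$/                  { n[$2]++ }
        END { printf "open=%d filtered=%d closed=%d\n",
                     n["open"]+0, n["filtered"]+0, n["closed"]+0 }'
}

# open_ports : nmap report on stdin -> the open port/proto tokens, one per line.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }'
}

# check_exposure ALLOWED... : succeed only if every open port in the report on
# stdin is in the ALLOWED list; anything else is reported and the check fails.
check_exposure() {
    _unexpected=$(open_ports | while read -r _p; do
        _ok=no
        for _a in "$@"; do [ "$_p" = "$_a" ] && _ok=yes; done
        [ "$_ok" = yes ] || echo "$_p"
    done)
    if [ -n "$_unexpected" ]; then
        echo "unexpected open ports: $_unexpected" >&2
        return 1
    fi
}

# Stand-alone run: summarise the sample and verify that only SSH is reachable.
printf '%s\n' "$SAMPLE_SCAN" | port_state_summary
if printf '%s\n' "$SAMPLE_SCAN" | check_exposure 22/tcp; then
    echo "only the expected ports are open"
fi
```

To use it on a real host, pipe `nmap -Pn SERVER_IP_ADDRESS` into `check_exposure 22/tcp` and treat a non-zero exit as something to investigate; the same check is worth re-running after every change to the firewall rules.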

In theory, you could stop at this point and wend your merry way hence. However, as I come from Linux, where a lot of stuff comes installed and started on a default install, and I’m used to doing the following as a minimum when I build or configure a box, I’ll document it anyway:

We’re going to use IPFilter to lock down connectivity to our box at its own network edge.

Log in and edit the file /etc/ipf/ipf.conf. This file contains some basic pre-installed configuration. At first we want to lock this down quite hard: make sure that only SSH is exposed, and then only to our own IP address. The lines you’re looking for in the file are:

# Allow all out going connections
pass out from SERVER_IP_ADDRESS to any keep state
# Allow SSH
pass in quick from YOUR_IP_ADDRESS to SERVER_IP_ADDRESS port=22
# Block everything else coming in
block in from any to SERVER_IP_ADDRESS

That first line tells IPF to allow all outbound connections and keep state, so the replies to those connections are let back in.

The second allows port 22 connections, but only from YOUR_IP_ADDRESS. This assumes that your SSH daemon is listening on port 22, which it will be unless you’ve changed it.

Make sure you get at least YOUR_IP_ADDRESS right in the step above. Getting it wrong could lock you out of your own system and require support intervention. Or, as @AlainODea suggested, crontab a reset for now+20min just to be on the safe side. Something like the following should do the trick; remove it once you’re happy you haven’t locked yourself out of the system.

# disable IPFilter at minutes 0 and 20 of every hour; remove once SSH access is confirmed
0,20 * * * * /usr/sbin/ipf -D > /dev/null 2>&1

The last line blocks all other inbound traffic to SERVER_IP_ADDRESS, whatever port it is aimed at.

Now that’s done, we can enable the service:

svcadm enable network/ipfilter

Now let’s make sure IPF actually picks up our ruleset:

ipf -Fa -f /etc/ipf/ipf.conf

Now logout and log back in. Let’s check that IPF picked it up:

[root@somewhere ~]# ipfstat -ioh
9 pass out from to any keep state
7 pass in quick from any to port = 22
2146 block in from any to

In this case I’ve connected a few times, so my count is more than 1 (yours should be 1 at this stage). Take a look at the number of blocked connections though. Interesting, huh?
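The steps above (write the three rules, install the cron safety net, enable the service, reload, verify) can be wrapped in one script. The following is an added example, not the post's or Joyent's code: it generates the ruleset from the two addresses, refuses to go on if either address is not a well-formed IPv4 address (the lockout mistake the post warns about), and applies it with the same cron line, svcadm and ipf commands the post uses. Function names, the backup file naming and the `--print`/`--apply` flags are this example's own; applying assumes you are root on the SmartMachine and replaces /etc/ipf/ipf.conf after backing it up.

```shell
#!/bin/sh
# Added example, not code from the post or from Joyent: generate the three-rule
# IPFilter policy described above, refuse to continue if either address is not
# a well-formed IPv4 address, and apply it with the post's cron safety net,
# svcadm and ipf commands. Function names and flags are this example's own.

# is_ipv4 ADDR : succeed only if ADDR is a dotted quad with octets 0-255.
is_ipv4() {
    _ip=$1
    case $_ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $_ip; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# gen_ruleset SERVER_IP CLIENT_IP [SSH_PORT] : print the ruleset to stdout,
# in the same syntax the post's ipf.conf uses.
gen_ruleset() {
    _server=$1; _client=$2; _port=${3:-22}
    is_ipv4 "$_server" || { echo "bad server address: '$_server'" >&2; return 1; }
    is_ipv4 "$_client" || { echo "bad client address: '$_client'" >&2; return 1; }
    cat <<EOF
# Allow all out going connections (keep state lets the replies back in)
pass out from $_server to any keep state
# Allow SSH, but only from the administrator's address
pass in quick from $_client to $_server port=$_port
# Block everything else coming in
block in from any to $_server
EOF
}

# apply_ruleset SERVER_IP CLIENT_IP : back up the live config, install the
# temporary cron reset, write the new rules, enable and reload IPFilter.
# Must run as root on the SmartMachine itself.
apply_ruleset() {
    _conf=/etc/ipf/ipf.conf
    _rules=$(gen_ruleset "$1" "$2") || return 1
    cp "$_conf" "$_conf.bak.$(date +%Y%m%d%H%M%S)"
    # Safety net from the post: disable IPFilter at minutes 0 and 20 of every
    # hour until you have confirmed you can still log in, then remove it.
    { crontab -l 2>/dev/null; echo '0,20 * * * * /usr/sbin/ipf -D > /dev/null 2>&1'; } | crontab -
    printf '%s\n' "$_rules" > "$_conf"
    svcadm enable network/ipfilter
    ipf -Fa -f "$_conf"
    ipfstat -ioh
}

# Stand-alone use: ./ipf-lockdown.sh --print SERVER_IP CLIENT_IP  (dry run)
#                  ./ipf-lockdown.sh --apply SERVER_IP CLIENT_IP  (as root)
case "${1:-}" in
    --print) gen_ruleset "$2" "$3" ;;
    --apply) apply_ruleset "$2" "$3" ;;
esac
```

Run it with `--print` first and read the output before `--apply`; the address check catches a typo in the placeholder, not a wrong but valid address, so the cron reset stays the real safety net until you have logged back in over SSH.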

You can now work on this machine knowing that you’re relatively safe. As you add services and want to expose them to the outside world, add rules to /etc/ipf/ipf.conf as needed, always remembering that rule order matters. For more IPF filter samples see here (quite old but still relevant).
