Tuesday, April 28, 2009

Assign Virtual IPs to your NIC

Edit the file /etc/sysconfig/network-scripts/ifcfg-eth0:

DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.10.255
HWADDR=00:00:00:00:00:00
IPADDR=192.168.10.2
NETMASK=255.255.255.0
NETWORK=192.168.10.0
ONBOOT=yes
TYPE=Ethernet
GATEWAY=192.168.10.1

Make a copy of this in the same directory, naming the new file ifcfg-eth0:1:

# cp ifcfg-eth0 ifcfg-eth0\:1

Modify the /etc/sysconfig/network-scripts/ifcfg-eth0:1 file. Only two lines change: DEVICE becomes the alias name and IPADDR becomes the new address. Everything else (netmask, network, broadcast, gateway, hardware address) stays the same as on the parent interface, and the new address must lie inside that same network.

DEVICE=eth0:1
BOOTPROTO=static
BROADCAST=192.168.10.255
HWADDR=00:00:00:00:00:00
IPADDR=192.168.10.101
NETMASK=255.255.255.0
NETWORK=192.168.10.0
ONBOOT=yes
TYPE=Ethernet
GATEWAY=192.168.10.1

Copy the new file into the network profile directories as well:

# cp ifcfg-eth0\:1 /etc/sysconfig/networking/devices/
# cp ifcfg-eth0\:1 /etc/sysconfig/networking/profiles/default/

Now bring up the new interface using the ifup script:

# ifup eth0\:1

Running ifconfig, the new interface (eth0:1) should be listed. You can also check it by pinging the new address:

# ping 192.168.10.101
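The copy-and-edit step above, as an added example that is not part of the original post: a small POSIX shell script that generates an ifcfg-eth0:N alias file from an existing ifcfg-eth0, changing only DEVICE and IPADDR, and refuses to write it if the new address is not inside the NETWORK/NETMASK of the parent file (the mistake that silently produces an unreachable alias). The function names, the temp-directory layout and the sample base file are assumptions; nothing is written under /etc.

```shell
#!/bin/sh
# Added example (not from the original post). Builds an ifcfg alias file from a
# base ifcfg file and checks that the alias address is on the parent's subnet.
# All names below are this example's own; nothing touches /etc.

# ip4_to_int 192.168.10.101 -> dotted quad as a single integer
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NETWORK NETMASK -> exit 0 when (IP & NETMASK) == NETWORK
in_subnet() {
    ip=$(ip4_to_int "$1"); net=$(ip4_to_int "$2"); mask=$(ip4_to_int "$3")
    [ $(( ip & mask )) -eq "$net" ]
}

# cfg_get FILE KEY -> value of the last KEY=value line in an ifcfg file
cfg_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# make_alias BASE_FILE ALIAS_NUM NEW_IP OUT_DIR
# Writes OUT_DIR/ifcfg-<dev>:ALIAS_NUM and prints its path. Only DEVICE and
# IPADDR change, as in the post; every other line is copied verbatim.
make_alias() {
    base=$1; n=$2; new_ip=$3; out_dir=$4
    dev=$(cfg_get "$base" DEVICE)
    net=$(cfg_get "$base" NETWORK)
    mask=$(cfg_get "$base" NETMASK)
    if ! in_subnet "$new_ip" "$net" "$mask"; then
        echo "refusing: $new_ip is not inside $net/$mask" >&2
        return 1
    fi
    sed -e "s/^DEVICE=.*/DEVICE=$dev:$n/" \
        -e "s/^IPADDR=.*/IPADDR=$new_ip/" "$base" > "$out_dir/ifcfg-$dev:$n"
    echo "$out_dir/ifcfg-$dev:$n"
}

# demo: constructed sample base file (same values as the post's ifcfg-eth0)
# in a temp dir; prints the path of the generated alias file.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/ifcfg-eth0" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.10.255
HWADDR=00:00:00:00:00:00
IPADDR=192.168.10.2
NETMASK=255.255.255.0
NETWORK=192.168.10.0
ONBOOT=yes
TYPE=Ethernet
GATEWAY=192.168.10.1
EOF
    make_alias "$tmp/ifcfg-eth0" 1 192.168.10.101 "$tmp"
}

# When run directly: generate the alias file and show it.
alias_file=$(demo)
echo "generated $alias_file:"
cat "$alias_file"
```

Run it as `sh alias.sh`; to use it for real, point make_alias at the actual /etc/sysconfig/network-scripts/ifcfg-eth0 and output directory, then continue with the cp and ifup steps above. On current kernels the same result can also be obtained without an ifcfg file by `ip addr add 192.168.10.101/24 dev eth0 label eth0:1`, but that is not persistent across reboots.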

Copy one file to a bunch of directories using find and cp

find directory1 directory2 directory3 -type d -exec cp filename {} \;

What this command does:

First, I use the find command, and I tell it to

   1.  look in the directories named on the command line (directory1, directory2 and directory3), descending into everything below them;

   2.  match only directories (-type d), not files;

   3.  for every directory matched, run cp filename {} once, with {} replaced by that directory's path (-exec ... \;), so filename ends up in each named directory and in every subdirectory under it.
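The command above, as an added example that is not from the original post, wrapped in two shell functions: the post's recursive form, which drops the file into every directory below the named ones as well, and a variant with -maxdepth 0 for the case where only the directories named on the command line are meant. The function names and the temp directory tree are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the find/cp copy in two
# flavours, exercised on a constructed directory tree under mktemp.

# copy_to_dirs_recursive FILE DIR... -> the post's command: copy FILE into
# every directory at or below each DIR
copy_to_dirs_recursive() {
    file=$1; shift
    find "$@" -type d -exec cp "$file" {} \;
}

# copy_to_top_dirs FILE DIR... -> copy FILE only into the DIRs themselves;
# -maxdepth 0 keeps find from descending (it must precede -type)
copy_to_top_dirs() {
    file=$1; shift
    find "$@" -maxdepth 0 -type d -exec cp "$file" {} \;
}

# count_copies ROOT NAME -> number of regular files called NAME under ROOT
count_copies() {
    find "$1" -type f -name "$2" | wc -l | tr -d ' '
}

# build_tree -> constructed sample: three target directories, one of which
# has a nested subdirectory, plus the file to copy; prints the tree root
build_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/directory1/nested" "$tmp/directory2" "$tmp/directory3"
    echo "sample content" > "$tmp/filename"
    echo "$tmp"
}

# When run directly: show how many copies each form produces.
root=$(build_tree)
( cd "$root" && copy_to_dirs_recursive filename directory1 directory2 directory3 )
echo "recursive form: $(count_copies "$root" filename) files named filename (1 original + 4 copies)"
root=$(build_tree)
( cd "$root" && copy_to_top_dirs filename directory1 directory2 directory3 )
echo "top-level form: $(count_copies "$root" filename) files named filename (1 original + 3 copies)"
```

The difference matters when the targets contain subdirectories: with the recursive form, directory1/nested also receives a copy.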

Run a Unix/Linux job in the background when you log off

If you want to log off and go home, but you need to run a job that is going to take a couple of hours, nohup will do this for you: the job keeps running after your session ends instead of being killed by the hangup signal.

nohup filename.sh &
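An added example, not from the original post, of the same idea with the pieces a bare `nohup filename.sh &` leaves out: output sent to a log file you choose rather than nohup.out, stdin detached, and the PID recorded so the job can be checked from a later login. The helper names and the sample job are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): detach a job with nohup, keep
# its output and PID in known files, and check on it later.

# start_detached SCRIPT LOGFILE PIDFILE -> prints the PID of the detached job
start_detached() {
    nohup sh "$1" > "$2" 2>&1 < /dev/null &
    echo $! > "$3"
    echo $!
}

# is_running PIDFILE -> exit 0 if the recorded PID is still alive
is_running() {
    kill -0 "$(cat "$1")" 2>/dev/null
}

# demo_job -> constructed sample job (prints two lines, sleeps a second in
# between) in a temp dir; prints the directory holding job.sh, job.log, job.pid
demo_job() {
    dir=$(mktemp -d)
    printf 'echo started\nsleep 1\necho finished\n' > "$dir/job.sh"
    start_detached "$dir/job.sh" "$dir/job.log" "$dir/job.pid" > /dev/null
    echo "$dir"
}

# When run directly: start the sample job and say where to look for it.
d=$(demo_job)
echo "started pid $(cat "$d/job.pid"); output goes to $d/job.log"
```

After logging back in, `is_running /path/to/job.pid` tells you whether the job is still going and the log file holds everything it printed.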

Vim commands I'm trying to learn/remember

Here are some vi/vim commands that I need to remember:

Vim Commands
------------

:set autoindent        (new lines keep the indent of the previous line)
:syntax on             (turn on syntax highlighting)
:set all               (display the value of all options)
:set number            (show line numbers)
:set hlsearch          (highlight matching search strings)
:set ignorecase        (makes searches case insensitive)
:browse set            (set options using a screen-based dialog)
m{letter}              (place mark)
'{letter}              (go to mark)
R ... <Esc>            (replace characters until <Esc> is hit)
:split {file}          (split window)
CTRL-W j               (move to the window below)
CTRL-W k               (move to the window above)
CTRL-W o               (make the current window the only window)

Basic Rules of a typical Firewall

Kill INVALID packets (illegal flag combinations, or packets that belong to no known connection):

$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

No restrictions on connections from localhost:

$IPTABLES -A INPUT -i lo -j ACCEPT

Reject connections from the outside world addressed to the internal loopback range:

$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT

No restrictions on traffic coming from legitimate internal addresses on the internal interface:

$IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT

If IPv6-in-IPv4 tunnelled traffic has to reach this host, uncomment the line below. Note that -p ipv6 matches IPv4 packets carrying IP protocol 41 (6in4 encapsulation), not native IPv6 traffic, which is filtered by ip6tables rather than iptables:

#$IPTABLES -A INPUT -p ipv6 -j ACCEPT

Kill all packets arriving on the external interface that claim to come from the internal network (address spoofing):

$IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT

Do not forward ping requests (ICMP echo-request) into the internal network:

$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT

Prevent ping flood attacks: accept echo-requests at a limited rate (1 per second on average, with the limit module's default burst of 5) and drop the rest:

$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP

Deny pings to the local broadcast address:

$IPTABLES -A INPUT -p icmp -d $INTERNALBCAST -j DROP

Allow all other ICMP:

$IPTABLES -A INPUT -p icmp -j ACCEPT

No restrictions on established connections:

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Don't forward SMB related traffic. SMB/NetBIOS services are among the most frequently attacked, so keep them from leaving the network through the gateway and refuse NetBIOS name-service datagrams arriving from outside:

$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 139 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 139 -j REJECT
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 137 -j REJECT

Disable Samba Share

(Note that as written these rules ACCEPT the NetBIOS ports 137-139 on INPUT from any interface, which does not match the heading. To actually refuse the share from outside, use -j REJECT or -j DROP with -i $EXTERNALIF, or restrict these ACCEPT rules with -i $INTERNALIF.)

$IPTABLES -A INPUT -p tcp --dport 137 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 137 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 138 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 138 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 139 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 139 -j ACCEPT

Allow all other connections from the internal interface to be forwarded out through the external interface:

$IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIF -j ACCEPT
 


Allow replies from established connections:

$IPTABLES -A FORWARD -i $EXTERNALIF -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow yourself to be a DHCP server for your inside network (DHCP runs over UDP; the tcp rule is harmless but unnecessary):

$IPTABLES -A INPUT -i $INTERNALIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNALIF -p udp --sport 68 --dport 67 -j ACCEPT

Service ports accepted on the gateway itself. These rules carry no -i, so each port is opened on every interface, the external one included:

ftp-data
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT

ftp
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT

ssh (left commented out)
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

Telnet (cleartext; prefer ssh)
$IPTABLES -A INPUT -p tcp --dport 23 -j ACCEPT

DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

http
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

POP-3
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT

https
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT

VNC Server (5801 is the HTTP/Java viewer port and 5901 the VNC port for display :1; 6001 is X11 display :1, not VNC)
$IPTABLES -A INPUT -p tcp --dport 5801 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 5901 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 6001 -j ACCEPT




EXPLICITLY BLOCKING SERVICE PORTS FOR GATEWAY FROM OUTSIDE WORLD

iptables evaluates a chain in order and stops at the first matching rule, so DROP rules appended after the service rules above only take effect for ports that were not already accepted: the blocks for 21, 23, 53, 80, 110 and 137 below are shadowed by the earlier ACCEPT rules and never match, while 22, 25, 79 and 111 are blocked as intended. If the goal is to refuse these services from outside, put the interface-specific DROPs before the general ACCEPTs, or scope the ACCEPTs with -i $INTERNALIF. These lines also hardcode /sbin/iptables and eth0 instead of using $IPTABLES and $EXTERNALIF like the rest of the script.

/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 21        # ftp
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 22        # ssh
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 23        # telnet
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 25        # smtp
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 53        # domain
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 79        # finger
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 80        # httpd
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 110       # pop3
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 111       # sunrpc
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 137       # netbios-ns
