I am getting a lot of unwanted access to my virtualmin web server:
Operating system Debian Linux 9, Webmin version 1.881, Virtualmin version 6.02.gpl, Kernel and CPU Linux 4.9.0-6-686-pae on i686
Here is a cleaned-up list of some of the accesses using ‘pktstat -i eth0 -nt’
152.6k 6% udp :22473 <-> :53
146.5k 5% udp :18575 <-> :53
122.1k 4% udp :52275 <-> :53
…
13.5k 0% arp
…
4.6k 0% udp 0.0.0.0:68 <-> 255.255.255.255:67
…
569.6 0% llc 802.1d -> 802.1d
417.7 0% udp :5353 <-> 224.0.0.251:5353
291.1 0% udp :137 <-> 209.160.27.255:137
224.7 0% udp :5678 <-> 255.255.255.255:5678
148.7 0% udp :1985 <-> 224.0.0.102:1985
…
My IP is not any of those above.
1- I would need something to prevent port 53 from getting so many queries.
2- Not sure what to do about ‘arp’ and 802.1d?
3- I did not enable 5353, 137, 5678 or 1985 but they seem to pass through. By default all should be dropped, no? See bottom of my post for more complete iptables.
# Set default chain policies
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
4- I thought I already blocked port 0.0.0.0 and 255.255.255.255 using these?
# Reject spoofed packets
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -s 192.168.0.0/24 -j DROP
# RFC 3330
-A INPUT -s 192.0.2.0/24 -j DROP
# TEST-NET rfc3330
#-A INPUT -s 198.18.0/25 -j DROP
# testnet2 from rfc2544
#-A INPUT -s 198.51.100/24 -j DROP
# testnet3 RFC 5736, RFC 5737
#-A INPUT -s 203.0.113/24 -j DROP
# protocol assignment(192.0.0.0/24)
-A INPUT -s 192.0.0.0/24 -j DROP
# carrier grade nat from rfc6598
#-A INPUT -s 100.64/10 -j DROP
5- I tried blocking port 1985 and also IP 224.0.0.102 using this but it does not seem to work either:
# Reject HSRP
-A INPUT -p udp --dport 1985 -j DROP
-A OUTPUT -p udp --dport 1985 -j DROP
-A OUTPUT -s 224.0.0.102 -j DROP
# Drop multicast
-A INPUT -m pkttype --pkt-type multicast -j DROP
Here is a stripped-down version of my iptables.up.rules:
Each of the ‘allow’ below is like this but with a different port:
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow previously accepted
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow incoming SSH
# Allow Virtualmin
# Allow incoming HTTP
# Allow incoming HTTPS
# MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
# Allow outgoing HTTP
# Allow outgoing HTTPS
# Ping from inside to outside
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Ping from outside to inside
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that doesn't use lo0
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
# Allow inbound DNS
# Allow outbound DNS
# Allow SMTP
# Allow SMTP SSL
# Allow POP3S
# Allow FTP
# to investigate?
-A INPUT -p tcp -m tcp -m limit --tcp-flags FIN,SYN,RST,ACK SYN --limit 5/sec -j ACCEPT
# Prevent http DoS attack
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
# Drop null packets
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Block fragmented packets
-A INPUT -f -j DROP
# Force SYN packet check
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop XMAS packets
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Reject spoofed packets
# see '4-' above
# Log dropped packets
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 6/min -j LOG --log-prefix "iptables packet dropped: " --log-level 7
-A LOGGING -j DROP
-A FORWARD -j DROP
COMMIT
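As an added example (not from the post, and not Virtualmin or Webmin code), the script below parses the pktstat lines quoted above and sorts each flow into what iptables can and cannot act on: link-layer frames the INPUT chain never sees, the host's own resolver queries to port 53, and broadcast/multicast packets that the post's "Reject spoofed packets" rules already drop but that pktstat still counts because it captures at the interface, before netfilter runs. The sample lines are copied from the post, and the "ends in .255 means directed broadcast" check is a heuristic assumption.

```python
import ipaddress
import re

# Constructed sample input: the pktstat -nt flows quoted in the post above.
PKTSTAT_LINES = [
    "152.6k 6% udp :22473 <-> :53",
    "13.5k 0% arp",
    "4.6k 0% udp 0.0.0.0:68 <-> 255.255.255.255:67",
    "569.6 0% llc 802.1d -> 802.1d",
    "417.7 0% udp :5353 <-> 224.0.0.251:5353",
    "291.1 0% udp :137 <-> 209.160.27.255:137",
    "224.7 0% udp :5678 <-> 255.255.255.255:5678",
    "148.7 0% udp :1985 <-> 224.0.0.102:1985",
]

# Destination prefixes the post's "Reject spoofed packets" block already drops
# (only the entries these flows can hit).
DROP_DST = [ipaddress.ip_network(n) for n in ("224.0.0.0/4", "255.255.255.255/32")]

FLOW = re.compile(r"^\S+\s+\d+%\s+(\w+)\s*(.*)$")   # "<bytes> <pct>% <proto> <rest>"
ENDPOINT = re.compile(r"^([\d.]*):(\d+)$")          # "<ip>:<port>", ip may be empty

def classify(line):
    """Return (kind, note) for one pktstat line: what it is and whether iptables can touch it."""
    proto, rest = FLOW.match(line.strip()).groups()
    if proto in ("arp", "llc"):
        return ("link-layer", "not IP, so the INPUT chain never sees it; only arptables/ebtables could")
    src, dst = (ENDPOINT.match(e.strip()) for e in rest.split("<->"))
    sport, dport = int(src.group(2)), int(dst.group(2))
    dst_ip = ipaddress.ip_address(dst.group(1)) if dst.group(1) else None
    if dport == 53 and sport >= 1024:
        return ("own-dns", "ephemeral port -> 53: this host's own resolver queries, not inbound load")
    if dst_ip is not None:
        for net in DROP_DST:
            if dst_ip in net:
                return ("dropped-by-rule", f"hits '-A INPUT -d {net} -j DROP'; pktstat still counts it "
                        "because pcap taps the interface before netfilter runs")
        if str(dst_ip).endswith(".255"):  # heuristic (assumption): /24 directed broadcast
            return ("subnet-broadcast", "no explicit rule; falls through to the INPUT DROP policy, "
                    "but is still on the wire for pktstat to see")
    return ("unicast", "handled by the port-specific ACCEPT rules or the DROP policy")

def report(lines=PKTSTAT_LINES):
    """Classify every flow; returns a list of (flow, kind, note)."""
    return [(l, *classify(l)) for l in lines]

if __name__ == "__main__":
    for flow, kind, note in report():
        print(f"{flow:45} {kind:17} {note}")
```

Reading the packet counters with `iptables -L INPUT -v -n -x` is the direct way to confirm that the `-d 224.0.0.0/4` and `-d 255.255.255.255` rules are matching; pktstat cannot show that, since it counts before the rules run.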