Book Details
  • By James Turnbull
  • ISBN13: 978-1-59059-444-5
  • ISBN10: 1-59059-444-4
  • 584 pp.
  • Published Feb 2005
  • Print Book Price: $44.99
  • eBook Price: $31.49



Errata Submission

If you think that you've found an error in Hardening Linux, please let us know about it. You will find any confirmed erratum below, so you can check if your concern has already been addressed.

Errata

Issue: Chapter 2, page 116, Listing 2-43, Limiting Incoming SYN Packets.

This forces _ALL_ SYN packets below the limit to be accepted. Replacing it with the following would fix this problem:

iptables -N SYN_FLOOD
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit 5/s --limit-burst 10 -j RETURN
iptables -A SYN_FLOOD -j LOG --log-prefix "SYN_FLOOD DROPPED "
iptables -A SYN_FLOOD -j DROP

Author's response: Thanks for the feedback!
Issue: Chapter 2, bastion.sh script, line 66 should be broken into two lines:

$IPT -A ICMP_IN -i $EXT_INTER -p icmp -j LOG --log-prefix "IPT: ICMP_IN "
$IPT -A ICMP_IN -i $EXT_INTER -p icmp -j DROP

Author's response: Thanks for the feedback!
Issue: Chapter 2, bastion.sh script, line 63

The "state" argument is missing the double hyphen. The line should read:

$IPT -A ICMP_IN -i $EXT_INTER -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Author's response: Thanks for the feedback!
Issue: Chapter 2, page 114, Listing 2-40: you specify to recognize FIN-only packets as "--tcp-flags FIN FIN", but this matches legit packets. I think you meant to say "--tcp-flags ALL FIN", as the intent is to match packets where nothing is set BUT the FIN flag.

Author's response: This is quite correct. This was an error made when copyediting. Thank you for submitting the feedback!

Cheers

James Turnbull
Issue: Ch. 2, p. 114, Listing 2-40:

Printed:

kitten# iptables -A BAD_FLAGS -p tcp --tcp-flags FIN FIN -j LOG --log-prefix "IPT: Bad F Flag "
kitten# iptables -A BAD_FLAGS -p tcp --tcp-flags FIN FIN -j DROP

It's my understanding that matching with '--tcp-flags FIN FIN' will match all packets with a FIN flag, but the intent of the rule as stated seems to be to match all packets with _only_ a FIN flag. Common web traffic has packets with ACK,FIN set, so this rule doesn't allow normal HTTP operation. Here's what I changed it to in my firewall:

iptables -A BAD_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "IPT: Bad F Flag "
iptables -A BAD_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j DROP

Now I'm pretty new to the iptables game, so I could definitely be mistaken here. Either way, thanks for an educational (and useful) book!

Author's response: This is correct. Apologies for the confusion and thanks for the feedback.
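The `--tcp-flags` match at the heart of the two Listing 2-40 entries above takes a mask list and a comparison list, and matches when, of the flags named in the mask, exactly those in the comparison list are set; flags outside the mask are ignored. The following Python is an added example, not code from the book or from either errata poster: it models that test and runs the printed rule and both proposed corrections over constructed sample packets (the function names, rule labels and sample packets are assumptions).

```python
# Added example (not from the book or the errata): models the iptables
# "--tcp-flags MASK COMP" match so the rule variants from the Listing 2-40
# errata can be compared. Bit values are those of the TCP header flags byte.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_flags(spec):
    """Turn an iptables flag list ("SYN,ACK", "ALL", "NONE") into a bitmask."""
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= TCP_FLAGS[name]  # KeyError on an unknown flag name
    return mask


def tcp_flags_match(mask_spec, comp_spec, packet_flags):
    """iptables semantics: of the flags in MASK, exactly those in COMP are set.

    Flags outside MASK are not examined, which is why "FIN FIN" also matches
    a normal FIN,ACK close while "ALL FIN" only matches a bare FIN.
    """
    mask, comp = parse_flags(mask_spec), parse_flags(comp_spec)
    if comp & ~mask:
        raise ValueError("COMP flags must be a subset of MASK flags")
    return (parse_flags(packet_flags) & mask) == comp


# Constructed sample packets (assumed, not from the page): a bare-FIN probe,
# a normal HTTP close, a data segment, a connection request, FIN with PSH.
SAMPLE_PACKETS = ["FIN", "ACK,FIN", "PSH,ACK", "SYN", "FIN,PSH"]

# The printed rule and the two corrections proposed in the errata.
RULE_VARIANTS = {"printed": ("FIN", "FIN"),
                 "author": ("ALL", "FIN"),
                 "reader": ("ACK,FIN", "FIN")}


def dropped_by(variant):
    """Return the sample packets that a BAD_FLAGS rule variant would DROP."""
    mask, comp = RULE_VARIANTS[variant]
    return [p for p in SAMPLE_PACKETS if tcp_flags_match(mask, comp, p)]


if __name__ == "__main__":
    for name, (mask, comp) in RULE_VARIANTS.items():
        print(f"{name:8} --tcp-flags {mask} {comp}: drops {dropped_by(name)}")
```

Note that the reader's "ACK,FIN FIN" form still drops a FIN probe that carries PSH or URG, whereas "ALL FIN" only catches a packet with nothing but FIN set; both leave a normal FIN,ACK close alone.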