Setting up TCP Wrappers and local firewall on a remote host
Published 2013-02-06 at https://blog.ls-al.com/setting-up-tcp-wrappers-and-local-firewall-on-a-remote-host/

If you manage local firewall rules and TCP Wrappers on a remote host where one mistake could lock you out with no easy way to get logged in again, here is a quick howto on playing it safe. The trick is to set up a couple of cron jobs that undo whatever you stuffed up.

I scheduled two jobs that recur every 10 minutes. That gives you 10-minute windows of configuring and testing before the security settings reset.

Paranoid hint: make sure you also stay logged into the target host from an extra terminal somewhere else.

I could also have had cron run /etc/init.d/iptables restart or service iptables restart instead of a flush. That would avoid leaving you with a wide open machine after the flush (iptables --flush removes every rule, and with the INPUT chain's default policy at ACCEPT everything is let in until the next reset). The downside is that if you saved rules that were broken, a restart loads your saved (broken) rules.

<strong>Set two cron jobs:</strong>

<pre>
[root@uhz002192 dev]# crontab -l
*/10 * * * * cp /root/hosts.deny /etc/hosts.deny
*/10 * * * * /sbin/iptables --flush
</pre>

<strong>Tcp wrappers:</strong>

I made a copy of the /etc/hosts.deny file in /root (with the ALL: ALL line still commented out, so the copy is the permissive version) and then waited for the next cron run to test whether the copy really gets put back as expected.

<pre>
# cat /etc/hosts.deny
#
...
#ALL: ALL
</pre>

It looked good after cron ran.

Now uncomment the ALL: ALL line in the real /etc/hosts.deny and start testing /etc/hosts.allow rules.

<pre>
# more /etc/hosts.allow
...
# Host allowed to SSH
sshd: xx.xx.xx.xx
</pre>

Test from a non-allowed host and from an allowed host. The refused connect is the non-allowed host; the accepted password is the allowed one.

<pre>
Feb 24 05:32:56 uhz002192 sshd[12346]: pam_unix(sshd:session): session opened for user rrosso by (uid=0)
Feb 24 05:33:43 uhz002192 sshd[12380]: refused connect from host.domain.com (::ffff:xx.xx.xx.xx)

Feb 24 05:34:34 uhz002192 sshd[12386]: Accepted password for rrosso from xx.xx.xx.xx port 37415 ssh2
Feb 24 05:34:34 uhz002192 sshd[12386]: pam_unix(sshd:session): session opened for user rrosso by (uid=0)
</pre>

Now let's go tune the firewall rules...

<strong>List rules:</strong>

<pre>
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
</pre>

<strong>Saved rules in this file:</strong>

<pre>
# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
</pre>

<strong>Delete unneeded rules:</strong> (smtp, mysql, ftp and the 8080 webcache port are not needed on this host)

<pre>
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
</pre>

<strong>Check (and test using something like nmap):</strong>

<pre>
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
</pre>

<strong>Save the rules:</strong> (only once the running rules have been tested; the cron flush does not help against a broken saved file)

<pre>
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
</pre>

<strong>Check stored rules:</strong>

<pre>
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Fri Feb 24 05:48:21 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [734:96465]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Feb 24 05:48:21 2012
</pre>

<strong>Check running rules:</strong>

<pre>
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
</pre>

<strong>Delete the cron job(s) when working!</strong>
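The procedure above, packaged as a small POSIX sh safety net. This is an added example, not a script from the original post: "arm" snapshots the running ruleset with iptables-save and installs one cron job that restores that snapshot every N minutes; "confirm" removes the job once you have verified you can still log in. It goes one step beyond the post by restoring a known-good ruleset instead of flushing, which is the trade-off the post discusses: the host is never wide open between an edit and the reset, and nothing is ever written to the saved rules file. Every path and name is an assumption (the snapshot path /root/iptables.known-good, the marker fw-safety-net, and the IPTABLES_SAVE, IPTABLES_RESTORE and CRONTAB overrides, which also let the logic be exercised without root against stub commands).

```shell
#!/bin/sh
# Added example, not the post's own script: a cron-based safety net for remote
# firewall edits. "arm" snapshots the running ruleset and installs a cron job
# that restores it every MINUTES minutes; "confirm" drops that job once you
# have verified the new rules still let you in. Restoring a snapshot, rather
# than flushing, never leaves the host wide open between edit and reset.
#
# Every path and name below is an assumption; override them via the
# environment. The three command variables also let the logic run without
# root, e.g. pointed at stub scripts, which is how the example is exercised.
SNAPSHOT=${SNAPSHOT:-/root/iptables.known-good}   # assumed snapshot path
CRON_TAG=${CRON_TAG:-fw-safety-net}               # marker for our crontab line
MINUTES=${MINUTES:-10}                            # reset window, as in the post
IPTABLES_SAVE=${IPTABLES_SAVE:-/sbin/iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-/sbin/iptables-restore}
CRONTAB=${CRONTAB:-crontab}

# A "*/N" cron step must be an integer from 1 to 59; anything else is
# rejected before it can be installed as a job that never fires.
valid_interval() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 59 ]
}

# The crontab line. The trailing "# tag" is a shell comment as far as cron's
# /bin/sh is concerned, so it is harmless, but it lets us find our own line.
cron_line() {
  printf '*/%s * * * * %s < %s # %s\n' \
    "$MINUTES" "$IPTABLES_RESTORE" "$SNAPSHOT" "$CRON_TAG"
}

# Current crontab minus any earlier copy of our line (makes arm idempotent).
other_cron_lines() {
  "$CRONTAB" -l 2>/dev/null | grep -v "# $CRON_TAG\$" || true
}

# arm: save the known-good ruleset (unless we are already armed, in which case
# the existing snapshot is the trusted one), then install the restore job.
arm() {
  valid_interval "$MINUTES" || { echo "bad interval: $MINUTES" >&2; return 1; }
  if [ -e "$SNAPSHOT" ]; then
    echo "already armed; keeping existing snapshot $SNAPSHOT" >&2
  else
    # write via a temp file so a failed save cannot leave an empty snapshot
    "$IPTABLES_SAVE" > "$SNAPSHOT.tmp" && mv "$SNAPSHOT.tmp" "$SNAPSHOT" || return 1
  fi
  { other_cron_lines; cron_line; } | "$CRONTAB" -
}

# confirm: the new rules still let you in; remove the job and the snapshot so
# the running rules are now the known-good state.
confirm() {
  other_cron_lines | "$CRONTAB" -
  rm -f "$SNAPSHOT"
}

case "${1:-}" in
  arm)     arm ;;
  confirm) confirm ;;
  '')      ;;   # sourced, or run without arguments: just define the functions
  *)       echo "usage: $0 arm|confirm" >&2; exit 2 ;;
esac
```

Run `./fw-safety-net.sh arm` from one terminal before you start editing, keep a second session open as the post advises, and only run `confirm` after a fresh login with the new rules has succeeded. If you forget, the snapshot comes back on the next cron tick and you lose at most one window of edits, never the box.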