firewall interview questions
Top firewall frequently asked interview questions
I need to access an ftps server (vsftpd) on a vendor's site. The vendor has a firewall in front of the ftps server and I have a firewall in front of my ftps client.
I understand that ports 990, 991 and maybe 989 need to be opened up for control traffic. When looking at it from the vendor's firewall perspective, should these ports be opened up for both inbound and outbound traffic?
What about ports for the DATA channel? Do I have to open all ports above 1000? And should I do it for both inbound and outbound traffic?
TIA for your help.
Source: (StackOverflow)
You add a rule like this:
ufw allow 22/tcp
The rule is saved, and is applied even after reboot. But it's not written anywhere in /etc/ufw. Where is it saved to? (Ubuntu, using ufw as pre-installed.)
Source: (StackOverflow)
Traditionally, all anti-virus programs and IPS systems work using signature-based techniques. However, this doesn't help much to prevent zero-day attacks.
Therefore, what can be done to prevent zero-day attacks?
Source: (StackOverflow)
I have an EC2 instance running, and it belongs to a security group. If I add a new allowed connection to that security group through AWS Management Console, should that change be effective immediately? Or perhaps only after restart of the instance?
In my case, I'm trying to allow access to PostgreSQL's default port (tcp 5432 5432 0.0.0.0/0), and I'm not sure if it's the EC2 firewall or PostgreSQL's settings that are refusing the connection.
Source: (StackOverflow)
Let's say it again, we all make mistakes, and I have just made one.
A brief history: I was doing some stuff on a VPS (Debian) I'm renting, when I noticed some strange behaviour. Using the netstat command I saw a non-authorized connection through SSH. I didn't know what to do, so I decided to close his connection using iptables:
iptables -A INPUT -p tcp --dport ssh -s IP -j DROP
But I am tired, and I wrote
iptables -A INPUT -p tcp --dport ssh -j DROP
and I kicked myself (and everyone else) out...
How do I fix this?
Source: (StackOverflow)
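The lockout above comes from applying a DROP rule by hand with no safety net. The following is an added example, not part of the original post: a small wrapper that snapshots the live ruleset, arms a timed rollback, and refuses an SSH DROP rule that names no source address. SAVE_CMD, RESTORE_CMD, BACKUP and WINDOW are assumed names; the command variables exist so the flow can be rehearsed without root.

```shell
#!/bin/sh
# Added example (not from the original post): apply an iptables change with a
# timed rollback and a sanity check, so a mistyped DROP rule cannot lock you out.
# SAVE_CMD/RESTORE_CMD default to the real iptables tools but can be overridden
# for a dry run. BACKUP and WINDOW are assumed values.
SAVE_CMD=${SAVE_CMD:-iptables-save}
RESTORE_CMD=${RESTORE_CMD:-iptables-restore}
BACKUP=${BACKUP:-/tmp/iptables.rollback}
WINDOW=${WINDOW:-120}          # seconds until the old ruleset is put back

# Snapshot the live ruleset and start a background timer that restores it.
arm_rollback() {
    $SAVE_CMD > "$BACKUP" || return 1
    ( sleep "$WINDOW" && $RESTORE_CMD < "$BACKUP" ) &
    echo $! > "$BACKUP.pid"
}

# Run this from a *new* SSH session once you know you can still get in.
confirm() {
    kill "$(cat "$BACKUP.pid")" 2>/dev/null
    rm -f "$BACKUP.pid"
}

# Refuse a rule that drops SSH without naming a source address (the mistake above).
check_rule() {
    case "$*" in
        *--dport?ssh*-j?DROP*|*--dport?22*-j?DROP*)
            case "$*" in *" -s "*|*" --source "*|*" --src "*) return 0 ;; esac
            echo "refusing: SSH DROP rule without a source address" >&2
            return 1 ;;
    esac
    return 0
}

# Typical use: ./safe_apply.sh -A INPUT -p tcp --dport ssh -s 198.51.100.7 -j DROP
if [ "$#" -gt 0 ]; then
    check_rule "$@" && arm_rollback && iptables "$@" \
        && echo "applied; run 'confirm' within $WINDOW s or it will be reverted"
fi
```

If the new rule does cut you off, the timer restores the saved ruleset on its own; if it does not, confirm cancels the timer and the change stays.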
I just checked my server's /var/log/auth.log and found that I'm getting over 500 failed password/break-in attempt notifications per day! My site is small, and its URL is obscure. Is this normal? Should I be taking any measures?
Source: (StackOverflow)
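To judge whether those 500 notifications are a handful of scanners or something wider, it helps to count failures per source. The script below is an added example, not from the original post: it parses sshd "Failed password" lines from auth.log, reports sources above a threshold, and turns them into reviewable iptables rules. The log lines are constructed sample data using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original post: count failed SSH logins per source
# address in an auth.log and flag sources above a threshold. The log lines are
# constructed sample data in sshd's format, with addresses from the documentation
# ranges (RFC 5737); nothing here comes from a real server.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:12 host sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 51012 ssh2
Mar  3 10:01:15 host sshd[2013]: Failed password for invalid user oracle from 198.51.100.7 port 51020 ssh2
Mar  3 10:01:19 host sshd[2015]: Failed password for root from 198.51.100.7 port 51031 ssh2
Mar  3 10:02:40 host sshd[2020]: Accepted publickey for deploy from 203.0.113.9 port 40010 ssh2
Mar  3 10:03:02 host sshd[2022]: Failed password for invalid user test from 192.0.2.44 port 33001 ssh2
Mar  3 10:03:05 host sshd[2024]: Failed password for bob from 203.0.113.9 port 40022 ssh2
Mar  3 10:04:11 host sshd[2030]: Failed password for invalid user admin from 198.51.100.7 port 51044 ssh2
EOF
)

# Print "<count> <address>" for each source with at least $2 failed password
# attempts in the log text $1, most active first. Successful logins are ignored.
failed_logins_by_ip() {
    printf '%s\n' "$1" | awk -v min="$2" '
        / sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }' | sort -rn
}

# Turn the offenders into iptables rules that drop only their SSH traffic. This is
# what fail2ban automates; printing the rules lets you review them before applying.
block_rules_for_offenders() {
    failed_logins_by_ip "$1" "$2" | while read -r count ip; do
        echo "iptables -I INPUT -p tcp --dport 22 -s $ip -j DROP   # $count failures"
    done
}

# Against a real log: failed_logins_by_ip "$(cat /var/log/auth.log)" 20
```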
PLEASE NOTE: I'm not interested in making this into a flame war! I understand that many people have strongly-held beliefs about this subject, in no small part because they've put a lot of effort into their firewalling solutions, and also because they've been indoctrinated to believe in their necessity.
However, I'm looking for answers from people who are experts in security. I believe that this is an important question, and the answer will benefit more than just myself and the company I work for. I've been running our server network for several years without a compromise, without any firewalling at all. None of the security compromises that we have had could have been prevented with a firewall.
Edited to add: I guess I've been working here too long, because when I say "servers", I always mean "services offered to the public" not "secret internal billing databases". As such, any rules we would have in any firewalls would have to allow access to the whole internet. Also, our public-access servers are all in a dedicated datacenter separate from our office.
Someone else asked a similar question, and my answer was voted into negative numbers. This leads me to believe that either the people voting it down didn't really understand my answer, or I don't understand security enough to be doing what I'm currently doing.
This is my approach to server security:
Follow my operating system's security guidelines before connecting my server to the internet.
Use TCP wrappers to restrict access to SSH (and other management services) to a small number of IP addresses.
Monitor the state of this server with Munin. And fix the egregious security problems inherent to Munin-node in its default configuration.
Nmap my new server (also before connecting my server to the internet). If I were to firewall this server, this should be the exact set of ports incoming connections should be restricted to.
Install the server in the server room and give it a public IP address.
Keep the system secure by using my operating system's security updates feature.
My philosophy (and the basis of the question) is that strong host-based security removes the necessity of a firewall. Overall security philosophy says that strong host-based security is still required even if you have a firewall (see security guidelines). The reason for this is that a firewall that forwards public services to a server enables an attacker just as much as no firewall at all. It is the service itself that is vulnerable, and since offering that service to the entire internet is a requirement of its operation, restricting access to it is not the point.
If there are ports available on the server that do not need to be accessed by the whole internet, then that software needed to be shut down in step 1, and was verified by step 4. Should an attacker successfully break into the server through vulnerable software and open a port themselves, the attacker can (and does) just as easily defeat any firewall by making an outbound connection on a random port instead. The point of security isn't to defend yourself after a successful attack - that's already proven to be impossible - it's to keep the attackers out in the first place.
It's been suggested that there are other security considerations besides open ports - but to me that just sounds like defending one's faith. Any operating system/TCP stack vulnerabilities should be equally vulnerable whether or not a firewall exists - based on the fact that ports are being forwarded directly to that operating system/TCP stack. Likewise, running your firewall on the server itself as opposed to having it on the router (or worse, in both places) seems to be adding unnecessary layers of complexity. I understand the philosophy "security comes in layers" but there comes a point where it's like building a roof by stacking X number of layers of plywood on top of each other and then drilling a hole through all of them. Another layer of plywood isn't going to stop the leaks through that hole you're making on purpose.
To be honest, the only way I see a firewall being any use for servers is if it has dynamic rules preventing all connections to all servers from known attackers - like the RBLs for spam (which coincidentally, is pretty much what our mail server does). Unfortunately, I can't find any firewalls that do that. The next best thing is an IDS server, but that assumes that the attacker doesn't attack your real servers first, and that attackers bother to probe your entire network before attacking. Besides, these have been known to produce large numbers of false positives.
Source: (StackOverflow)
I'm using Fail2Ban on a server and I'm wondering how to unban an IP properly.
I know I can work with IPTables directly: iptables -D fail2ban-ssh <number>
But is there not a way to do it with the fail2ban-client?
In the manuals it states something like: fail2ban-client get ssh actionunban <IP>. But that doesn't work.
Also, I don't want to /etc/init.d/fail2ban restart as that would lose all the bans in the list.
Source: (StackOverflow)
On the Windows platform, what native options do I have to check if a port (3306, for example) on my local machine (as in localhost) is being blocked?
Source: (StackOverflow)
I am installing a Debian server which is connected directly to the Internet. Obviously I want to make it as secure as possible. I would like you guys/gals to add your ideas to secure it and what programs you use for it.
I want part of this question to cover what do you use as a firewall? Just iptables manually configured or do you use some kind of software to aid you? What's the best way? Block everything and allow only what is needed? Are there maybe good tutorials for beginners to this topic?
Do you change your SSH port? Do you use software like Fail2Ban to prevent bruteforce attacks?
Source: (StackOverflow)
I admin a handful of cloud-based (VPS) servers for the company I work for.
The servers are minimal ubuntu installs that run bits of LAMP stacks / inbound data collection (rsync). The data is large but not personal, financial or anything like that (i.e. not that interesting).
Clearly on here people are forever asking about configuring firewalls and such like.
I use a bunch of approaches to secure the servers, for example (but not restricted to)
- ssh on non standard ports; no password typing, only known ssh keys from known ips for login etc
- https, and restricted shells (rssh) generally only from known keys/ips
- servers are minimal, up to date and patched regularly
- use things like rkhunter, cfengine, lynis denyhosts etc for monitoring
I have extensive experience of unix sys admin. I'm confident I know what I'm doing in my setups. I configure /etc files. I have never felt a compelling need to install stuff like firewalls: iptables etc.
Put aside for a moment the issues of physical security of the VPS.
Q? I can't decide whether I am being naive or the incremental protection a fw might offer is worth the effort of learning / installing and the additional complexity (packages, config files, possible support etc) on the servers.
To date (touch wood) I've never had any problems with security but I am not complacent about it either.
Source: (StackOverflow)
I have a problem with Windows 7 RC (7100).
I frequently use a crossover network cable on WinXP with static IP addresses to connect to various industrial devices (e.g. robots, pumps, valves or even other Windows PCs) that have Ethernet network ports.
When I do this on Windows 7, the network connection is classed as an "Unidentified Network" in Networks and Sharing Center and the public firewall profile is enforced by Windows. I do not want to change the public profile and would prefer to use the Home or Work profile instead.
For other networks like Home and Work I'm able to click on them and change the classification. This is not available for unidentified networks.
My questions are these:-
- Is there a way to manually override the "Unidentified Network" classification?
- What tests are performed on the network that fail, therefore classifying it as an "Unidentified Network"?
By googling (hitting mainly vista issues) it seems that you need to ensure that the default gateway is not 0.0.0.0. I've done this. I've also tried to remove IPv6 but this does not seem possible on Windows 7.
UPDATE
For those still having problems here is the answer to my issue and the possible reasons why:-
Win7 keeps a list of the networks you visit by (I am assuming, but don’t know for sure) the MACID of the device pointed to by the Default Gateway. The default gateway is usually the constant device in a network (i.e. the NAT or router) so can be used to uniquely identify one network from another.
The default gateway in the IPv4 properties panel must therefore point to an actual endpoint so windows can then keep track of it. If there is a device at the end of the Default Gateway windows will identify it and track it remembering its settings.
The way you can therefore fool Win7 is to either point the default gateway to your own IP address, or to the IP address of the target device you’re communicating with. This will have the side effect of expecting that target device to start routing packets for IP destinations that are outside your subnet. So some applications on Win7 will try to communicate with the internet; these will be passed on to the default gateway (either back to you at the same IP address, or to a target device that is not a router) and thus will eventually time out because neither can route packets, which you can usually live with. This gets slightly complicated when you mix this type of connection with a real connection to the internet via WiFi. The wired network card usually has priority when routing because of the “interface metric”, so some applications might not connect correctly.
Source: (StackOverflow)
Dumb question:
Is there an equivalent of iptables on Windows? Could I install one via cygwin?
The real question: how can I accomplish on Windows what I can accomplish via iptables?
Just looking for basic firewall functionality (e.g. blocking certain IP addresses)
Source: (StackOverflow)
One of the servers I use is hosted on the Amazon EC2 cloud. Every few months we appear to have a DDOS attack on this server. This slows the server down incredibly. After around 30 minutes, and sometimes a reboot later, everything is back to normal.
Amazon has security groups and firewall, but what else should I have in place on an EC2 server to mitigate or prevent an attack?
From similar questions I've learned:
- Limit the rate of requests/minute (or seconds) from a particular IP address via something like IP tables (or maybe UFW?)
- Have enough resources to survive such an attack - or -
- Possibly build the web application so it is elastic / has an elastic load balancer and can quickly scale up to meet such a high demand)
- If using mySql, set up mySql connections so that they run sequentially so that slow queries won't bog down the system
What else am I missing? I would love information about specific tools and configuration options (again, using Linux here), and/or anything that is specific to Amazon EC2.
ps: Notes about monitoring for DDOS would also be welcomed - perhaps with nagios? ;)
Source: (StackOverflow)
I think I almost have my iptables setup complete on my CentOS 5.3 system. Here is my script...
# Establish a clean slate
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F # Flush all rules
iptables -X # Delete all chains
# Disable routing. Drop packets if they reach the end of the chain.
iptables -P FORWARD DROP
# Drop all packets with a bad state
iptables -A INPUT -m state --state INVALID -j DROP
# Accept any packets that have something to do with ones we've sent on outbound
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept any packets coming or going on localhost (this can be very important)
iptables -A INPUT -i lo -j ACCEPT
# Accept ICMP
iptables -A INPUT -p icmp -j ACCEPT
# Allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow httpd
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow SSL
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Block all other traffic
iptables -A INPUT -j DROP
For context, this machine is a Virtual Private Server Web app host.
In a previous question, Lee B said that I should "lock down ICMP a bit more." Why not just block it altogether? What would happen if I did that (what bad thing would happen)?
If I need to not block ICMP, how could I go about locking it down more?
Source: (StackOverflow)
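The script above accepts every ICMP type with a single rule. The following is an added example, not from the original post or its answers: a drop-in replacement for that one line that keeps the ICMP types a public host needs (rate-limited ping, fragmentation-needed for path MTU discovery, time-exceeded) and drops the rest. The rate-limit values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a replacement for the blanket
# "iptables -A INPUT -p icmp -j ACCEPT" line in the script above. It keeps the
# ICMP the host needs and drops everything else. The limit values are assumptions.
# The rules are printed first so they can be reviewed before being applied.
icmp_rules() {
    cat <<'EOF'
# Answer ping, but not floods: up to 5 echo requests/s after a burst of 10.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# Path MTU discovery fails silently without "fragmentation needed" (type 3, code 4).
# conntrack usually marks these RELATED already; kept explicit so a later change
# to the RELATED,ESTABLISHED rule cannot break it.
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
# Needed for the host's own traceroutes to see intermediate hops.
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Everything else (timestamp, address-mask, redirects, router advertisements) is dropped.
iptables -A INPUT -p icmp -j DROP
EOF
}

# Apply the rules (root only). They belong where the single ACCEPT line was, i.e.
# after the RELATED,ESTABLISHED rule so replies to the host's own traffic still pass.
apply_icmp_rules() {
    icmp_rules | sh -e
}

# Number of iptables commands in the set, ignoring the comment lines.
icmp_rule_count() {
    icmp_rules | grep -c '^iptables '
}
```

Running apply_icmp_rules on a host where the blanket ICMP ACCEPT is still present has no effect, since the earlier rule matches first; remove that line from the script at the same time.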