B.6. Security update protected by a firewall

After a standard installation the system may still contain some vulnerabilities. Unless you can download the fixed packages on another system (or you have a local mirror of security.debian.org), the system has to be connected to the Internet to download them.

However, as soon as you connect to the Internet you are exposing this system. If one of your local services is vulnerable, you might be compromised even before the update is finished! This may seem paranoid but, in fact, analysis from http://www.honeynet.org has shown that systems can be compromised in less than three days, even if the system is not publicly known (i.e., not published in DNS records).

When upgrading a system that is not protected by an external system such as a firewall, you can configure the local firewall so that it blocks every connection other than the one needed for the update. The example below shows how to set up the local firewall so that only update connections to security.debian.org are allowed.

The following example can be used to set up a restricted firewall ruleset. Run these commands from a local console (not a remote one) to reduce the chances of locking yourself out of the system.

    # iptables -F
    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    # iptables -A OUTPUT -d security.debian.org -p tcp --dport 80 -j ACCEPT
    # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables -A INPUT -p icmp -j ACCEPT
    # iptables -A INPUT -j LOG
    # iptables -A OUTPUT -j LOG
    # iptables -P INPUT DROP
    # iptables -P FORWARD DROP
    # iptables -P OUTPUT DROP
    # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere
    LOG        all  --  anywhere             anywhere             LOG level warning

    Chain FORWARD (policy DROP)
    target     prot opt source               destination

    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             security.debian.org  tcp dpt:http
    LOG        all  --  anywhere             anywhere             LOG level warning

(The OUTPUT rule needs `-p tcp`: `--dport` is an option of the tcp/udp match and iptables rejects it without a protocol. Because `-d` is given a hostname, iptables resolves it when the rule is added and inserts one rule per address it resolves to; later changes to the mirror's addresses are not picked up.)

Note: Using a DROP policy in the INPUT chain is the most correct thing to do, but be very careful when doing this after flushing the chain from a remote connection. When testing firewall rulesets from a remote location it is best if you run a script with the firewall ruleset (instead of introducing the ruleset line by line through the command line) and, as a precaution, keep a backdoor[79] configured so that you can re-enable access to the system if you make a mistake. That way there would be no need to go to a remote location to fix a firewall ruleset that blocks you. Of course, you should disable any backdoors before getting the system into production.

FIXME: This needs DNS to be working properly, since resolving security.debian.org is required for the rule and for apt to work. You could add security.debian.org to /etc/hosts, but it is now a CNAME to several hosts (there is more than one security mirror).

FIXME: This only works for HTTP URLs, since ftp may need the ip_conntrack_ftp module or the use of passive mode.


[79] Such as knockd. Alternatively, you can open a different console and have the system ask for confirmation that there is somebody on the other side, and reset the firewall chain if no confirmation is given. The following test script could be of use:

    #!/bin/bash

    # Keep asking for a keypress. The loop only ends when nobody answers
    # within 30 seconds: read times out and $ayt stays empty.
    while true; do
        ayt=
        read -n 1 -p "Are you there? " -t 30 ayt
        if [ -z "$ayt" ] ; then
            break
        fi
    done

    # Reset the firewall chain, user is not available
    echo
    echo "Resetting firewall chain!"
    iptables -F
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    exit 1
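The following script is an added example and not part of the Securing Debian Manual. It combines the two pieces above: the update-only ruleset from section B.6 is generated as a single iptables-restore file and loaded atomically (the "run a script instead of typing rules line by line" advice from the note), and the confirmation loop from this footnote restores the previous ruleset, saved with iptables-save, if nobody answers within 30 seconds. It also addresses both FIXMEs: the mirror hostname is resolved once with getent and one rule per address is emitted, and outbound DNS to the resolvers in /etc/resolv.conf is allowed so apt can look the mirror up. The function names, the `MIRROR`/`RESOLVERS` variables, the `update-fw` log prefix and the `print`/`apply` sub-commands are this example's own assumptions; it assumes iptables-save/iptables-restore and getent are installed, root privileges on a local console, and an HTTP mirror on port 80.

```shell
#!/bin/bash
# Added example (not from the Securing Debian Manual): load the update-only
# ruleset as one iptables-restore file, then keep it only while someone keeps
# confirming; otherwise put the previous ruleset back.
# Assumptions: iptables-save/iptables-restore and getent available, run as
# root from a local console, mirror reached over HTTP on port 80.

set -u

MIRROR=${MIRROR:-security.debian.org}   # a CNAME to several hosts

# Current IPv4 addresses of the mirror, one per line (one rule per address).
resolve_mirror() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Resolvers from /etc/resolv.conf, so that apt can look up the mirror at all.
resolvers() {
    awk '/^nameserver/ { print $2 }' /etc/resolv.conf 2>/dev/null | sort -u
}

# build_ruleset IP...  prints an iptables-restore file for the filter table.
# Outbound DNS (udp/53) is allowed only to the addresses in $RESOLVERS.
build_ruleset() {
    local ip
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p icmp -j ACCEPT'
    for ip in ${RESOLVERS:-}; do
        echo "-A OUTPUT -d $ip -p udp --dport 53 -j ACCEPT"
    done
    for ip in "$@"; do
        echo "-A OUTPUT -d $ip -p tcp --dport 80 -j ACCEPT"
    done
    echo '-A INPUT -j LOG --log-prefix "update-fw INPUT: "'
    echo '-A OUTPUT -j LOG --log-prefix "update-fw OUTPUT: "'
    echo 'COMMIT'
}

# Save the current rules, load the restricted set atomically, then ask for a
# keypress every 30 s; on timeout the saved rules are restored (exit 1),
# 'q' keeps the restricted rules and exits (exit 0).
apply() {
    local saved ips ayt
    saved=$(mktemp) || return 1
    iptables-save > "$saved" || return 1
    ips=$(resolve_mirror "$MIRROR")
    [ -n "$ips" ] || { echo "cannot resolve $MIRROR" >&2; return 1; }
    # $ips is deliberately unquoted: one argument per address
    RESOLVERS="$(resolvers)" build_ruleset $ips | iptables-restore || return 1
    echo "Restricted ruleset loaded; previous rules saved in $saved"
    while true; do
        ayt=
        read -r -n 1 -p "Are you there? (q = keep rules and quit) " -t 30 ayt || ayt=
        echo
        [ "$ayt" = q ] && return 0
        [ -n "$ayt" ] || break
    done
    echo "No confirmation within 30 s, restoring previous ruleset"
    iptables-restore < "$saved"
    return 1
}

case "${1:-}" in
    apply) apply ;;
    print) RESOLVERS="$(resolvers)" build_ruleset $(resolve_mirror "$MIRROR") ;;
esac
```

`./update-fw.sh print` shows the file that would be loaded, `./update-fw.sh apply` loads it from a second console while the update runs in the first. Loading through iptables-restore replaces the whole filter table in one step, so there is no window in which the chains are flushed but the new rules are not yet in place; the restore of the saved rules on timeout plays the role of the manual's "reset the chains to ACCEPT" fallback without having to remember the previous policies by hand.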