Easy Web Firewall
=================

Easy Web Firewall is a lightweight iptables-based firewall solution to mitigate
problems resulting from hacked websites in shared virtual hosting servers. In
such servers, vulnerable web applications are usually exploited by "hackers" to
either:

* Scan for additional vulnerabilities, both in the local server and remote ones.
* Send spam through a CGI script that bypasses the system mailer.

Since these actions do not directly prevent the server from operating normally,
sysadmins usually do not notice that their server is infected until other
servers start taking counter-measures against it. That is, their e-mails begin
to be rejected as coming from a spam source, or their connections get blocked by
vulnerability scanners.

Easy Web Firewall prevents these issues by:

1. Enabling the system administrator to maintain a whitelist of allowed outgoing 
   connections.
2. Optionally notifying the administrator when unauthorized connections are
   blocked by the firewall.

Whitelisting connections
------------------------

Outgoing connections can be whitelisted through two complementary mechanisms:

First, EWF allows iptables blocking based on combinations of user, destination,
and port. Hence, it blocks everything that is not whitelisted, promptly notifying
the system administrator whenever this happens. Thereafter, sysadmins can quickly
discover infected websites and take appropriate measures, or extend the whitelist
if the connection attempt was legitimate. Additionally, since malicious
connections are blocked locally, the server's reputation remains intact. That is,
it will not suddenly be listed in RBLs or similar blacklists, which would affect
the whole server's user base.

Second, EWF also integrates with tinyproxy to provide better detection of
blocked remote websites. Because iptables is a low-level firewall, it only knows
the destination IP and port of each connection. However, when local websites
try to open remote URLs, the administrator needs to know the actual URL to
decide whether the attempt was legitimate or came from a hacked website. Easy
Web Firewall solves this by forcing local websites to make their HTTP(S)
requests through a local tinyproxy installation. EWF then combines the logs
generated by iptables and tinyproxy to report both the local website that
originated each blocked request and its destination URL.

Theory of operation
-------------------

Easy Web Firewall's iptables component operates by adding a set of rules to
iptables that block (and log) any outgoing connection attempts, except the
whitelisted ones specified through the `rules` configuration file. Additionally,
it includes a cron task that scans the logs generated by iptables and notifies
the sysadmin by e-mail whenever it detects a blocked connection, so that she can
take the appropriate action.
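The block-detection step described above, as an added example that is not ew-firewall's own code: a POSIX shell function that reads kernel LOG lines, keeps only those carrying the EWF prefix, and counts blocked attempts per (user, destination, port), which is the table a notification e-mail would carry. The syslog excerpt and the passwd-style user table are constructed here; the layout assumes the LOG rule was created with `--log-prefix "EWF: "` and `--log-uid`, so every entry carries a `UID=` field. Whether the real program uses exactly these fields is not stated on this page.

```shell
#!/bin/sh
# Added example, not ew-firewall's own code.
# Constructed syslog excerpt: three packets that hit an EWF LOG rule created
# with --log-prefix "EWF: " and --log-uid (hence the UID= field), plus one
# unrelated sshd line that must be ignored.
EWF_SAMPLE_LOG='Jan 10 12:00:01 web1 kernel: EWF: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=45120 DPT=25 UID=1001 GID=1001
Jan 10 12:00:04 web1 kernel: EWF: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=45121 DPT=25 UID=1001 GID=1001
Jan 10 12:00:09 web1 kernel: EWF: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=50001 DPT=80 UID=1002 GID=1002
Jan 10 12:00:10 web1 sshd[412]: Accepted publickey for admin from 192.0.2.1 port 51022'

# Constructed passwd-style table: on a shared host each website runs as its
# own system user, so the UID identifies the offending site.
EWF_SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-site1:x:1001:1001::/home/site1:/usr/sbin/nologin
www-site2:x:1002:1002::/home/site2:/usr/sbin/nologin'

# ewf_summarise_blocks PASSWD_TEXT LOG_TEXT
# Prints "user uid destination port count", one line per distinct triple,
# sorted; unattributable or unrelated lines are skipped.
ewf_summarise_blocks() {
    {
        printf '%s\n' "$1"
        echo '__EWF_LOG__'        # separator between the two inputs
        printf '%s\n' "$2"
    } | awk '
        $0 == "__EWF_LOG__" { in_log = 1; next }
        !in_log { split($0, f, ":"); name[f[3]] = f[1]; next }
        !/kernel: EWF: / { next }      # only lines from the EWF LOG rule
        {
            split("", kv)               # portable way to clear the array
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n > 0) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
            }
            if (kv["UID"] == "") next   # no owner information, cannot attribute
            count[kv["UID"] " " kv["DST"] " " kv["DPT"]]++
        }
        END {
            for (k in count) {
                split(k, p, " ")
                u = (p[1] in name) ? name[p[1]] : "uid-" p[1]
                print u, p[1], p[2], p[3], count[k]
            }
        }
    ' | sort
}

# Stand-alone run: print the summary for the constructed sample.
ewf_summarise_blocks "$EWF_SAMPLE_PASSWD" "$EWF_SAMPLE_LOG"
```

Feeding the function the relevant slice of `/var/log/kern.log` (or the output of `journalctl -k`) together with `/etc/passwd` gives a per-website count that points straight at the user whose site is making the connections; the `--log-uid` option on the LOG rule is what makes that attribution possible without any further lookup.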

For the tinyproxy integration to work, it is only necessary to set up tinyproxy
as described below and force all websites to make their requests through it. For
websites using PHP on a Debian server, this is surprisingly easy to do. Check the
installation section for detailed instructions.

Requirements
------------

 * `iptables`, including support for the `owner` module.
 * `bash` shell (it might work with dash or sh, but it's not tested).
 * php-cli, the command line version of the php interpreter.
 * `PEAR Console_Getopt`, to parse command line arguments (it should already be
   installed in your system, because it is part of the base PEAR installation).
 * (optional) `tinyproxy`, with the configuration detailed below.

Installation
------------

At the time of this writing, ew-firewall has only been tested on Debian. To
install it, start by downloading the program sources from the [github]
repository. Then execute `make install`, which installs the following files:

  * `/etc/ew-firewall/rules`:
    Contains the rules defining the allowed outgoing connections.
  * `/etc/default/ew-firewall`:
    Base configuration directives.
  * `/etc/init.d/ew-firewall`:
    Init script to start/stop the firewall.
  * `/usr/local/sbin/ew-firewall`:
    Main program logic (rule parser and blocked connections detector),
    implemented in php.
  * `/etc/cron.d/ew-firewall`:
    Cron definition that runs the block detection every 5 minutes.

Next, adapt the `/etc/default/ew-firewall` configuration file according to your
system's setup. We recommend keeping the `BLOCK` variable at `0`, so that no
connections are actually blocked until you are confident that most legitimate
connections are already whitelisted. Then launch the firewall by running
`/etc/init.d/ew-firewall start` and set it up to run at startup (this is
distribution-specific; `update-rc.d ew-firewall defaults` on Debian). Once
started, the firewall will begin logging the connections that would be blocked
and send them to you by e-mail.

Keep adjusting your rules file whenever you receive an e-mail with blocked
connection reports until you are confident that all legitimate connections are
already allowed by your rules. Finally, enable real blocking by setting `BLOCK`
to `1` in the `/etc/default/ew-firewall` configuration file, and enjoy your
newly enhanced security!

[github]: http://github.com/kilburn/ew-firewall "ew-firewall in GitHub"

Rules definition file
---------------------

The rules definition file is designed to be as simple as possible. Lines starting
with a hash (`#`) are ignored; every other line defines a rule using the
following format (fields are separated by any number of spaces or tabs):

    A UID		Destination		Port

Where:

 - `A` is the action to take on connections matching this rule. Allowed actions:
     - `A`: Allow the connection (no logs generated).
     - `I`: Drop the connection without logging.

 - `UID` is the UID or range of UIDs of the matching users, while an asterisk
   (`*`) matches any user.
   Examples: `1000`, `1000-200`, `*`.

 - `Destination` is an IP address or CIDR block matching the connection's
   destination IP, while an asterisk (`*`) matches any destination IP.
   Examples: `127.0.0.1/8`, `1.2.3.4`, `*`.

 - `Port` is the port or port range of the connection, while an asterisk (`*`)
   matches any port.
   Examples: `80`, `8000-8005`, `*`.

### Sample firewall rules

Allow all loopback connections to all users.

    A *			127.0.0.1/8			*

Allow user 1000 to send e-mails through gmail.

    A 1000		209.85.229.0/24		25
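To make the rule format concrete, here is an added example (not ew-firewall's own parser) that turns rule lines in the format documented above into the iptables commands that would implement them, and prints them without executing anything. The chain name `EWF`, the choice to match TCP only when a port is given, and the chain tail (a LOG rule with `--log-uid`, followed by DROP only when the block flag is `1`) are assumptions made here; the page does not say how the real program lays out its rules.

```shell
#!/bin/sh
# Added example, not ew-firewall's own rule parser. Assumptions (ours):
# rules live in a dedicated chain named EWF; a rule that names a port matches
# TCP only; the chain tail logs with --log-uid so reports can name the user,
# and drops only when the block flag is 1 (the learning mode of the
# installation section is block flag 0).

# ewf_rule_to_iptables LINE
# Prints the iptables command for one rule line; prints nothing for blank and
# '#' lines; returns 1 (with a message on stderr) for a malformed rule.
ewf_rule_to_iptables() {
    line=$1
    case "$line" in
        ''|'#'*) return 0 ;;
    esac
    # Fields are separated by any run of spaces or tabs, which is exactly the
    # shell's default word splitting; globbing is disabled so that a literal
    # '*' field is never expanded against the current directory.
    set -f
    # shellcheck disable=SC2086
    set -- $line
    set +f
    [ $# -eq 0 ] && return 0
    [ $# -eq 4 ] || { echo "ERROR: expected 4 fields: $line" >&2; return 1; }
    action=$1; uid=$2; dest=$3; port=$4
    cmd="iptables -A EWF"
    # The owner match identifies the local user (or UID range) that opened
    # the socket; '*' means any user, so no owner match is added.
    [ "$uid" = '*' ] || cmd="$cmd -m owner --uid-owner $uid"
    [ "$dest" = '*' ] || cmd="$cmd -d $dest"
    # iptables writes port ranges as low:high; the rules file uses low-high.
    [ "$port" = '*' ] || cmd="$cmd -p tcp --dport $(printf '%s' "$port" | tr '-' ':')"
    case "$action" in
        A) cmd="$cmd -j ACCEPT" ;;
        I) cmd="$cmd -j DROP" ;;
        *) echo "ERROR: unknown action '$action': $line" >&2; return 1 ;;
    esac
    printf '%s\n' "$cmd"
}

# ewf_compile_rules BLOCK
# Reads a rules file on stdin and prints the full command sequence. Only NEW
# outgoing connections enter the EWF chain, so replies belonging to incoming
# requests served by the web server are never affected.
ewf_compile_rules() {
    block=${1:-0}
    echo 'iptables -N EWF'
    echo 'iptables -A OUTPUT -m conntrack --ctstate NEW -j EWF'
    while IFS= read -r line || [ -n "$line" ]; do
        ewf_rule_to_iptables "$line" || return 1
    done
    # Anything not whitelisted is logged; with block flag 0 it is still
    # allowed, which is the learning mode recommended for a new installation.
    echo 'iptables -A EWF -j LOG --log-prefix "EWF: " --log-uid'
    [ "$block" = 1 ] && echo 'iptables -A EWF -j DROP'
    return 0
}

# Stand-alone run over the two sample rules above, with blocking enabled.
ewf_compile_rules 1 <<'EOF'
A *     127.0.0.1/8         *
A 1000  209.85.229.0/24     25
EOF
```

Because the commands are only printed, the output can be reviewed (or diffed against the running rule set) before anything is applied; the one behavioural point worth noting is the `--ctstate NEW` jump, without which the catch-all LOG/DROP tail would also hit the server's own replies to inbound HTTP connections.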


Tinyproxy integration
---------------------

To receive the full URL of blocked outgoing HTTP requests, it is necessary to
install tinyproxy and force all websites to use it. Unfortunately, this
installation task is not easy to automate, so you will have to perform both
steps manually.

### Installing tinyproxy

On debian systems, installing tinyproxy is as easy as running:

    apt-get install tinyproxy

Once apt-get has finished, you need to adjust the following tinyproxy 
configuration settings in `/etc/tinyproxy.conf`:

  * (optional) `Listen 127.0.0.1`, so that tinyproxy cannot be accessed from
    outside.
  * `LogFile` should be disabled, because it is incompatible with the required
    `Syslog` directive.
  * `Syslog` must be set to `On`, because EWF looks for tinyproxy's log lines
    in the syslog.
  * `LogLevel` must be set to `Notice` or higher, or tinyproxy will not log
    connections being blocked.
  * `FilterURLs` is recommended for the extra flexibility when specifying what
    to block.
  * `FilterExtended` is also recommended for flexibility.
  * `FilterDefaultDeny` must be enabled.

You are free to modify any of the other configuration settings to better suit
your installation. Remember to restart tinyproxy after making any configuration
changes.
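As an added check that is not part of ew-firewall, the following POSIX shell function reads a tinyproxy configuration and reports which of the requirements listed above are not met. The two configurations are constructed here: the first resembles a stock file (file logging, no default-deny filter), the second carries the adjustments described above. The directive names are tinyproxy's; the values and the path of the filter file are sample values.

```shell
#!/bin/sh
# Added example, not part of ew-firewall. Constructed configurations:
# stock-like (file logging, permissive filter) and adjusted as required.
EWF_TINYPROXY_STOCK='Port 8888
LogFile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
Filter "/etc/tinyproxy/filter"'

EWF_TINYPROXY_FIXED='Port 8888
Listen 127.0.0.1
# LogFile removed: it cannot be combined with Syslog
Syslog On
LogLevel Notice
Filter "/etc/tinyproxy/filter"
FilterURLs On
FilterExtended On
FilterDefaultDeny Yes'

# ewf_check_tinyproxy_conf CONF_TEXT
# Prints one line per unmet requirement and returns the number of problems
# (0 means the file is usable with EWF). Advisory output starts with "note:"
# and does not count, since Listen 127.0.0.1 is optional above.
ewf_check_tinyproxy_conf() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }                # comments and blank lines
        { key = tolower($1); val = tolower($2); gsub("\"", "", val) }
        key == "logfile"           { logfile = 1 }
        key == "syslog"            { syslog = (val == "on" || val == "yes") }
        key == "loglevel"          { loglevel = val }
        key == "filterdefaultdeny" { deny = (val == "yes" || val == "on") }
        key == "listen"            { listen = val }
        END {
            n = 0
            if (logfile) { print "LogFile must be removed: it is incompatible with Syslog"; n++ }
            if (!syslog) { print "Syslog On is required: EWF reads tinyproxy lines from syslog"; n++ }
            # Notice, Connect and Info all include the filter-refusal messages
            if (loglevel != "notice" && loglevel != "connect" && loglevel != "info") {
                print "LogLevel must be Notice or more verbose"; n++
            }
            if (!deny) { print "FilterDefaultDeny Yes is required"; n++ }
            if (listen != "127.0.0.1") print "note: Listen 127.0.0.1 keeps the proxy unreachable from outside"
            exit n
        }
    '
}

# Stand-alone run against the stock-like sample.
ewf_check_tinyproxy_conf "$EWF_TINYPROXY_STOCK" || echo "$? problem(s) found"
```

Running it over `/etc/tinyproxy.conf` (for example `ewf_check_tinyproxy_conf "$(cat /etc/tinyproxy.conf)"`) before restarting tinyproxy catches the two mistakes that silently break the integration: a `LogFile` line left in place, so that `Syslog` never takes effect, and a default-allow filter, so that no refusal lines are ever written for EWF to correlate.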

### Forcing php websites to go through the proxy

After installing tinyproxy, we need to tell all our websites to use it whenever
making external connections. This could be done by setting up tinyproxy as a
transparent proxy. However, it is impossible to make SSL connections through a
transparent proxy, because the proxy is effectively a man-in-the-middle attacker,
which is exactly what SSL is designed to protect against. Therefore, we encourage
you to set up users' websites to explicitly use tinyproxy for their outgoing
connections.

In the case of PHP websites running under Debian, you can force all outgoing
connections to go through the proxy in the following way:

  1. Copy the `etc/php/proxy.php` file to `/usr/share/php`. This PHP file,
     when included, sets up the local proxy for any PHP functions that make
     external HTTP(S) connections.
  2. Copy the `etc/php/proxy.ini` file to `/etc/php5/conf.d/`. This ini file
     forces the execution of the above `proxy.php` before running any PHP script,
     effectively enabling the proxy system-wide.

### Allowing connections through tinyproxy

Tinyproxy includes its own list of allowed domains/URLs, usually located in
`/etc/tinyproxy/filter`. Hence, when using the tinyproxy integration, you should
not allow direct connections from the local websites to remote ones using EWF's
`/etc/ew-firewall/rules`. Instead, you should allow any legit domains/URLs using
tinyproxy's `filter` file. Also, remember to reload tinyproxy's configuration
whenever you change the filters.
