BigBlueButton hardening: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
(→HSTS) |
(→Script) |
||
(7 dazwischenliegende Versionen von 2 Benutzern werden nicht angezeigt) | |||
Zeile 16: | Zeile 16: | ||
iptables -A INPUT -p tcp --dport 443 -j ACCEPT | iptables -A INPUT -p tcp --dport 443 -j ACCEPT | ||
iptables -A INPUT -p tcp --dport 1935 -j ACCEPT | iptables -A INPUT -p tcp --dport 1935 -j ACCEPT | ||
+ | #iptables -A INPUT -p tcp --dport 5060 -j ACCEPT | ||
+ | #iptables -A INPUT -p udp --dport 5060 -j ACCEPT | ||
+ | #iptables -A INPUT -p tcp --dport 5080 -j ACCEPT | ||
+ | #iptables -A INPUT -p udp --dport 5080 -j ACCEPT | ||
iptables -A INPUT -p tcp --dport 7443 -j ACCEPT | iptables -A INPUT -p tcp --dport 7443 -j ACCEPT | ||
iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT | iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT | ||
+ | iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT | ||
iptables -A INPUT -j LOG --log-prefix " --ipt-in-- " | iptables -A INPUT -j LOG --log-prefix " --ipt-in-- " | ||
;; | ;; | ||
Zeile 25: | Zeile 30: | ||
esac | esac | ||
</pre> | </pre> | ||
+ | |||
==Unit== | ==Unit== | ||
− | */etc/ | + | */etc/systemd/system/firewall.service |
<pre> | <pre> | ||
[Unit] | [Unit] | ||
Zeile 41: | Zeile 47: | ||
WantedBy=multi-user.target | WantedBy=multi-user.target | ||
</pre> | </pre> | ||
+ | |||
+ | ==Download== | ||
+ | [[Datei:firewall.tar.gz]] | ||
+ | |||
+ | ==Activate== | ||
+ | *systemctl daemon-reload | ||
+ | *systemctl enable firewall.service | ||
+ | *systemctl start firewall.service | ||
+ | |||
=HSTS= | =HSTS= | ||
*sed -ie '/ssl_dhparam/aadd_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";' /etc/nginx/sites-enabled/bigbluebutton | *sed -ie '/ssl_dhparam/aadd_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";' /etc/nginx/sites-enabled/bigbluebutton | ||
*systemctl restart nginx | *systemctl restart nginx | ||
+ | ==Check== | ||
+ | *curl -s -D- https://video.xinux.de/ | grep -i Strict | ||
+ | =Links= | ||
+ | *https://andersgood.de/blog/bigbluebutton-auch-hinter-firewalls-nutzen |
Aktuelle Version vom 26. Oktober 2020, 15:58 Uhr
Firewall
Script
- /usr/local/sbin/firewall
#!/bin/bash iptables -F INPUT case $1 in start) iptables -P INPUT DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp --dport 1935 -j ACCEPT #iptables -A INPUT -p tcp --dport 5060 -j ACCEPT #iptables -A INPUT -p udp --dport 5060 -j ACCEPT #iptables -A INPUT -p tcp --dport 5080 -j ACCEPT #iptables -A INPUT -p udp --dport 5080 -j ACCEPT iptables -A INPUT -p tcp --dport 7443 -j ACCEPT iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT iptables -A INPUT -j LOG --log-prefix " --ipt-in-- " ;; stop) iptables -P INPUT ACCEPT ;; esac
Unit
- /etc/systemd/system/firewall.service
[Unit] Description=firewall After=network.target syslog.target [Service] RemainAfterExit=yes ExecStart=/usr/local/sbin/firewall start ExecStop=/usr/local/sbin/firewall stop User=root [Install] WantedBy=multi-user.target
Download
Activate
- systemctl daemon-reload
- systemctl enable firewall.service
- systemctl start firewall.service
HSTS
- sed -ie '/ssl_dhparam/aadd_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";' /etc/nginx/sites-enabled/bigbluebutton
- systemctl restart nginx
Check
- curl -s -D- https://video.xinux.de/ | grep -i Strict