Saturday, 24 January 2015

Restrict outgoing network traffic by domain name (Linux)
My root goal is to be able to prevent attackers from making unauthorised outgoing connections on my server (e.g. for connect-back shells).
I can achieve this by blocking all ports for outgoing traffic using "ufw", except for the ones that the server needs to operate (i.e. DNS, HTTP, SSH and SMTP).
ufw allows me to only allow outgoing DNS connections to a static IP address (so I will configure the server to use Google DNS) and it allows me to restrict outgoing SSH destined for 127.0.0.1 (my automatic deployment script requires this with Git).
As I have learned, ufw doesn't truly allow outgoing restrictions based on domain names, which makes sense (from a performance perspective). I need to be able to do this to restrict outgoing SMTP connections to the domain of my mail server (currently just using Gmail to test) and for HTTP connections to Ubuntu servers (for system updates).
I know iptables allows you to specify rules based on domains, but they are translated on startup and not performed every time (i.e. reverse DNS). I know that is by design, for performance reasons.
So what is the solution to restrict outgoing network traffic by domain name (i.e. every outgoing connection needs to have its destination IP address reverse DNS'd and matched against a whitelist of domain names)?
I'm thinking that if I can't get the domain-based half of the outgoing restrictions working, there isn't much point to restricting DNS and SSH by IP using ufw.
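The practical answer to the question above is to turn the check around. Neither ufw nor iptables can reverse-resolve every destination at packet time, and for a connect-back shell the destination is an attacker-chosen address whose reverse DNS the attacker also controls, so matching reverse lookups against a whitelist would not stop the case the post cares about. What does work is to keep the default outgoing policy at deny, forward-resolve the short list of permitted names (the mail server, the Ubuntu mirrors) on a schedule, and reconcile the ufw rules with whatever those names currently resolve to. The script below is an added example written for this page; it is not code from the original post or from the ufw project. It assumes `ufw default deny outgoing` is already in place, that `getent`, `comm` and `mktemp` are available, and that a whitelist file lists one `domain port proto` per line (the `mail.example.com` and `archive.ubuntu.com` entries in the comments are illustrative, not taken from the post).

```shell
#!/bin/sh
# Added example (not from the original post): refresh ufw "allow out" rules from a
# whitelist of domain names by forward-resolving them and reconciling the rule set.
# Whitelist format, one entry per line (illustrative values, not from the post):
#   mail.example.com 25 tcp
#   archive.ubuntu.com 80 tcp
# Run from cron, e.g. every 15 minutes:  DRY_RUN=0 ./ufw-domains.sh whitelist.txt state.txt
set -eu

# Current IPv4 addresses of a hostname, one per line, sorted and de-duplicated.
# getent honours /etc/hosts and the system resolver; prints nothing on failure.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u || true
}

# Rule specs (the part after "ufw allow out") for PORT/PROTO and each address given.
# Usage: rule_specs PORT PROTO IP...
rule_specs() {
    local port proto ip
    port=$1; proto=$2; shift 2
    for ip in "$@"; do
        printf 'proto %s to %s port %s\n' "$proto" "$ip" "$port"
    done
}

# Read a whitelist on stdin and print the rule specs it currently resolves to.
# Blank lines and lines starting with '#' are skipped.
whitelist_specs() {
    local domain port proto ip
    while read -r domain port proto; do
        case "$domain" in ''|'#'*) continue ;; esac
        for ip in $(resolve_v4 "$domain"); do
            rule_specs "$port" "$proto" "$ip"
        done
    done
}

# Compare the specs applied last time ($1) with freshly resolved ones ($2) and print
# the ufw commands needed to converge: delete what disappeared, add what is new.
# Nothing is flushed, so connections to addresses that did not change stay allowed.
reconcile() {
    local old new
    old=$(mktemp); new=$(mktemp)
    sort -u "$1" >"$old"; sort -u "$2" >"$new"
    comm -23 "$old" "$new" | sed 's/^/ufw delete allow out /'
    comm -13 "$old" "$new" | sed 's/^/ufw allow out /'
    rm -f "$old" "$new"
}

# main WHITELIST STATEFILE: resolve, reconcile against the saved state, apply (or
# just print when DRY_RUN=1, the default), then record the applied specs.
main() {
    local whitelist state new cmd
    whitelist=$1; state=$2
    [ -f "$state" ] || : >"$state"
    new=$(mktemp)
    whitelist_specs <"$whitelist" | sort -u >"$new"
    reconcile "$state" "$new" | while read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
    mv "$new" "$state"
}

if [ $# -eq 2 ]; then main "$@"; fi
```

Two points worth keeping in mind when using something like this. The window between a name changing its address and the next cron run is the price of doing resolution in user space rather than per packet; for a mail provider or a distribution mirror with a stable set of addresses that is usually acceptable, and a shorter interval narrows it. Second, the state file is what lets the script remove rules for addresses a name no longer uses, so keep it alongside the whitelist and do not edit the generated rules by hand.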
