wiki/Rules.md
Lines changed: 34 additions & 9 deletions
@@ -42,7 +42,7 @@ Rules are stored as JSON files inside the `-rule-path` directory (by default `/e
42
42
||`regexp` matches the regexp from the `data` field against the connection |
43
43
||`network` checks if the IP of a connection is contained within the specified network range (127.0.0.1/8) |
44
44
||`lists` will look for matches on lists of something (domains, IPs, etc). Typically used to create [blocklists](https://github.com/evilsocket/opensnitch/wiki/block-lists)|
45
-
||`range` will check if an Operand (`dest.port` or `source.port`) is within the given range.|
45
+
||`range`(v1.9.0) will check if an Operand (`dest.port` or `source.port`) is within the given range.|
46
46
||`list`, a combination of all of the previous types.|
47
47
| operator.data | The data of the rule against which an outbound connection will be compared: an IP, a destination port, a command line, etc. |
48
48
| operator.operand | Property of the connection against which the rule will be compared: |
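Review bot: the version tag in the changed `range` row is glued to the backticked name (`` `range`(v1.9.0) ``), while the other versioned rows in this table write `` `dest.network` (v1.3.0) `` and `` `iface.in` (v1.6.0) `` with a space before the parenthesis; add the space so the rendered table stays consistent.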
@@ -61,7 +61,7 @@ Rules are stored as JSON files inside the `-rule-path` directory (by default `/e
61
61
||`source.network`|
62
62
||`dest.ip`|
63
63
||`dest.host`|
64
-
||`dest.network` (v1.3.0)|
64
+
||`dest.network` (v1.3.0) - you can use a network range, or the constants predefined in the file |
65
65
||`dest.port`|
66
66
||`iface.in` (v1.6.0) |
67
67
||`iface.out` (v1.6.0) |
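Review bot: "the constants predefined in the file" in the changed `dest.network` row does not say which file; name it (with its path) or link to the section that lists those constants, because a rule later in this same change uses `"data": "LAN"` and a reader needs to know where `LAN` is defined and how to add their own ranges. It would also help to show the other accepted form inline, e.g. a CIDR like the `127.0.0.1/8` already used as the example in the `network` row above, so the row documents both ways of writing the value.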
@@ -266,11 +266,15 @@ If you want to restrict it further, under the `Addresses` tab you can review wha
266
266
267
267
Usually the attackers use `wget`, `curl` or `bash` to establish outbound connections ([malware examples](https://github.com/evilsocket/opensnitch/discussions/1119)). So, if you don't need these binaries, just uninstall them.
268
268
269
-
- If you need them, restrict their outbound connections as much as possible:
270
-
Set the DefaultAction to `deny` or `reject` in `default-config.json`, and create a similar rule to this:
271
-
(you can also create this rule, and another one to deny everything from curl/wget).
269
+
There're two approaches to secure a server with OpenSnitch:
272
270
273
-
```
271
+
1) restrict everything by default (`DefaultAction` set to deny/reject in the `default-config.json` file) and allow only system binaries and needed apps. Incoming connections will keep working, but NEW outbound connections will be denied.
272
+
2) allow everything by default, and deny connections from specific locations, or by binary / destination.
273
+
274
+
275
+
- If you need curl or wget and the `DefaultAction` is not `allow`, restrict their outbound connections as much as possible (this practice applies to any other binary of the server):
276
+
277
+
```json
274
278
{
275
279
"created": "2020-02-07T14:16:20.550255152+01:00",
276
280
"updated": "2020-02-07T14:16:20.729849966+01:00",
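Review bot: "There're two approaches" should read "There are two approaches" (the unchanged context line "There're ton of examples" further down has the same contraction, if you want to fix both in one pass). Structurally, the two numbered approaches are introduced here but the bullet that follows only covers approach 1 (it applies when `DefaultAction` is not `allow`); one sentence pointing the reader to the approach-2 material (the deny rules for `/tmp`, `/dev/shm` and the blocklists) would make that explicit. The two added empty `+` lines before that bullet also leave a double blank line in the rendered page; one is enough.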
@@ -310,8 +314,29 @@ If you want to restrict it further, under the `Addresses` tab you can review wha
310
314
}
311
315
```
312
316
317
+
Or for example you can allow everything only to the local lan, and let the rest of outbound connections be denied by the DefaultAction:
318
+
```json
319
+
{
320
+
"created": "2023-05-20T20:39:33.765468194+02:00",
321
+
"updated": "2023-05-20T20:39:33.7655761+02:00",
322
+
"name": "000-allow-lan",
323
+
"description": "",
324
+
"enabled": true,
325
+
"precedence": true,
326
+
"nolog": false,
327
+
"action": "allow",
328
+
"duration": "always",
329
+
"operator": {
330
+
"type": "network",
331
+
"operand": "dest.network",
332
+
"sensitive": false,
333
+
"data": "LAN",
334
+
"list": []
335
+
}
336
+
}
337
+
```
313
338
314
-
-Don't allow connections opened by binaries located under certain directories: `/dev/shm`, `/tmp`, `/var/tmp` or `/memfd`
339
+
-When the `DefaultAction` is `allow`, don't allow connections opened by binaries located under certain directories: `/dev/shm`, `/tmp`, `/var/tmp` or `/memfd`:
315
340
316
341
There're ton of examples (more common on servers than on the desktop):
317
342
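Review bot: the changed line "-When the `DefaultAction` is `allow`, don't allow connections ..." keeps the missing space after the leading `-`, so it renders as a paragraph starting with a hyphen rather than as a list item; the bullets "- If you need curl or wget ..." above and "- You can also block ..." below use "- " with a space, and this line should too. Separately, the new `000-allow-lan` rule sets `"precedence": true` while the `000-deny-tmp` rule in the following hunk is meant to stop binaries under `/tmp`, `/dev/shm`, `/var/tmp` and `/memfd`; say how the two interact for a binary in `/tmp` connecting to a LAN address (whether the precedence allow is evaluated first and wins), or drop `precedence` from the example, because if the allow wins, a reader who pairs the two rules as written gets an exception they did not intend. Minor: "local lan" should be "local LAN" to match the `LAN` constant used in the rule.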
@@ -325,7 +350,7 @@ If you want to restrict it further, under the `Addresses` tab you can review wha
325
350
```
326
351
327
352
/etc/opensnitchd/rules/000-deny-tmp.json:
328
-
```
353
+
```json
329
354
{
330
355
"created": "2025-04-26T09:58:03.704090244+02:00",
331
356
"updated": "2025-04-26T09:58:03.704216578+02:00",
@@ -344,7 +369,7 @@ If you want to restrict it further, under the `Addresses` tab you can review wha
344
369
}
345
370
```
346
371
347
-
- You can also block outbound connections to crypto mining pools and malware domains/ips with [blocklists rules]https://github.com/evilsocket/opensnitch/wiki/block-lists).
372
+
- You can also block outbound connections to crypto mining pools and malware domains/ips with [blocklists rules](https://github.com/evilsocket/opensnitch/wiki/block-lists).
348
373
349
374
One of the common reason to compromise servers is to mine cryptos. Denying connections to the mining pools, disrupts the operation.