
By Abhishek Ghosh September 13, 2016 3:23 am Updated on May 31, 2017

iptables Basics : Chapter 2, Fail2Ban


This is the era of automation. iptables rules can be automated with the interactive package Fail2Ban, which this Chapter 2 of iptables Basics explains. We expect that the reader has gone through Chapter 1 of iptables Basics; it is very important to read it before following this guide.

 

iptables Basics : Deny Bad, Allow Some

 

None of us needs to become an expert on iptables. We need to know just the basics of iptables to avoid a situation where SSH gets flooded with errors from brute-force attacks. Not only can your search engine ranking position fall, Google AdSense can also deliver a warning if bots inflate false impressions.

First, stop the automatic cron job that erases the new rules, which we set up in Chapter 1 of iptables Basics, by running crontab -e and commenting out the line.


We can then add a few simple firewall rules to block most of the common attacks. These will protect our server from script kiddies. Can iptables block DDoS or worse, like MITM attacks? Yes, unless you are running a financial website; for too many attacks you need a server with more RAM in front as a load balancer with higher security. Again you need iptables. The cloud services for protecting against DDoS are mostly designed for larger websites with tons of traffic and zero false positives. Web hosts have some anti-DDoS. Plus, it is important to use a premium DNS service like Dyn. You can use a $7/month 6GB server with it; there are many such options, like Host1Plus, RAMNode, OVH, VPSDime, ArubaCloud. Linode, DigitalOcean and Rackspace are all kind of the same and frankly have lost merit now, as cloud computing and virtualization software is mostly Free Software now.

First, we start with blocking null packets:

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Next, stop SYN floods:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Then drop the XMAS attacks:

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Thereafter, open the common ports:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

You have two options for the SSH port. One is to allow all:

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Or, to allow none except one IP:

iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 22 -j ACCEPT

Take a backup of the /etc/iptables/rules.v4 file and activate the automatic “reset” of iptables as we discussed in Chapter 1 of iptables Basics. You should follow this guide too to avoid a situation where SSH gets flooded with brute-force attacks. Disabling root login over SSH is mandatory. You can also try to SSH to our server with the root username!

Frankly, for most people everything up to this point will run fine. Now the last set of commands is:

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

If you followed our Chapter 1 of iptables Basics, you can do whatever you like without fear: after 10 minutes, iptables will get “reset”. You have to test within this period. Slowly you will increase the time for testing, and use a GitHub-like revision control system to keep a backup of the iptables rule set.

The point is that only a few ports should remain open; quite simple. Ports 80, 443 and 22 are the most essential ones to keep open. If you block ports 80 and 443 and allow only a few others, the server effectively becomes a virtual private IP. Such setups are needed for database servers.
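The same rule set written in the format that /etc/iptables/rules.v4 uses, so it can be saved and reloaded as one unit instead of re-typed after the 10-minute “reset”. This is an added example, not code from the original post; ADMIN_IP is a placeholder for your own address.

```shell
#!/bin/sh
# Added example, not code from the original post: the chapter's rules written
# in iptables-restore format, the layout of /etc/iptables/rules.v4. The whole
# table is committed atomically, so the INPUT DROP policy in the header is
# safe even though the chapter sets it last. ADMIN_IP is a placeholder.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"

# Emit the rule set on stdout. Rules are matched top to bottom, so the
# ESTABLISHED,RELATED accept (which the chapter inserts with -I) comes first,
# the flag-based drops next, then the services. FORWARD is left untouched.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
EOF
    for port in 80 443 25 465 110 995 143 993; do
        echo "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    # SSH restricted to one address (the chapter's second option)
    echo "-A INPUT -p tcp -s $ADMIN_IP -m tcp --dport 22 -j ACCEPT"
    echo "COMMIT"
}

# Write the rule set to a file and echo the path. With IPT_CHECK=1 and root,
# iptables-restore --test parses the file without committing it to the kernel.
write_rules() {
    out="${1:-/tmp/rules.v4.new}"
    build_rules > "$out" || return 1
    if [ "${IPT_CHECK:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        iptables-restore --test "$out" || return 1
    fi
    echo "$out"
}

write_rules
```

Load the generated file as root with iptables-restore, and keep it under revision control as the chapter suggests.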

 

iptables Basics : Chapter 2, Fail2Ban

 

Within 10 minutes you will be running Fail2Ban (software that automatically detects attack patterns, writes iptables rules to ban IPs and lifts the bans too). It is no longer an iptables Basics guide, though. If you followed our Chapter 1 of iptables Basics, you must stop the 10-minute iptables automatic “reset” system first.

You should read about Fail2Ban on its official website and configure it. We are providing a method for an immediate run.

sudo apt-get install -y fail2ban
echo " " > /etc/fail2ban/jail.conf

Now that configuration file is empty. What will happen? I have a ready-to-use gist on GitHub. You can fetch it this way (wget's -O option writes the download to that path; a plain shell redirect would leave the file empty, because wget saves to the current directory instead of stdout):

wget -O /etc/fail2ban/jail.conf https://gist.githubusercontent.com/AbhishekGhosh/03dec029f9c34f32eec3e3ab8f070ad7/raw/ef99882403dc64d646579918f9eca0d1ace636e5/jail.conf

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

sudo service fail2ban start

You can see the status of Fail2Ban:

systemctl status fail2ban.service
fail2ban-client status

After a few minutes you can run:

cat /var/log/fail2ban.log

It is very important to take a backup of iptables at this point, since fail2ban adds its own chains and rules to iptables in order to work. The configuration I provided lacks security for nginx or Apache and is just “basic”. You should read the documentation and modify it. The default configuration file is frankly like a bloated php.ini file.
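Reading the raw fail2ban.log quickly becomes tedious; this added example (not code from the original post) summarises it into the addresses each jail is holding right now. The log lines below are constructed samples in fail2ban's own log format; a real run points SAMPLE_LOG at /var/log/fail2ban.log.

```shell
#!/bin/sh
# Added example, not from the original post: summarise fail2ban.log so you see
# which IPs each jail currently bans. Lines of interest look like:
#   2016-09-13 03:25:11,024 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.7
# and the matching "Unban" when the ban expires.

# Print "jail ip" for every address that was banned and not unbanned later.
currently_banned() {
    awk '
        /fail2ban\.actions/ && /\] (Ban|Unban) / {
            # jail name is inside the last [...]; verb and IP are the last two fields
            jail = $0; sub(/.*\[/, "", jail); sub(/\].*/, "", jail)
            ip = $NF; verb = $(NF-1)
            key = jail " " ip
            if (verb == "Ban") banned[key] = 1; else delete banned[key]
        }
        END { for (k in banned) print k }
    ' "$1" | sort
}

# Total number of bans issued across all jails (unbans are ignored).
ban_count() {
    awk '/fail2ban\.actions/ && / Ban / { n++ } END { print n + 0 }' "$1"
}

# Constructed sample log for demonstration; replace with /var/log/fail2ban.log.
SAMPLE_LOG="${SAMPLE_LOG:-/tmp/fail2ban-sample.log}"
cat > "$SAMPLE_LOG" <<'EOF'
2016-09-13 03:23:01,441 fail2ban.jail            [1234]: INFO    Jail 'sshd' started
2016-09-13 03:25:11,024 fail2ban.actions         [1234]: NOTICE  [sshd] Ban 198.51.100.7
2016-09-13 03:26:40,310 fail2ban.actions         [1234]: NOTICE  [sshd] Ban 203.0.113.99
2016-09-13 03:31:12,902 fail2ban.actions         [1234]: NOTICE  [nginx-http-auth] Ban 198.51.100.7
2016-09-13 03:35:11,118 fail2ban.actions         [1234]: NOTICE  [sshd] Unban 198.51.100.7
EOF

currently_banned "$SAMPLE_LOG"
```

On the sample, 198.51.100.7 is reported only under nginx-http-auth because its sshd ban was lifted later; compare the result with fail2ban-client status to confirm the two agree.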

It is difficult for a professional hacker to enter a server if fail2ban is installed and properly configured. It will actively ban, like a human would. It works great when the hacker checks the real webpage. Just imagine, though, this level of automation being circumvented by a targeted attack. There is no reason to think that we have secured the server enough. We are still in “iptables Basics”.

Last, install nmap; Trinity in Matrix Revolution used this stuff (I am not joking):

sudo apt-get install nmap

Now scan your server:

sudo nmap -v -sS localhost

A port scan can figure out what services are running; then an attacker finds one that is out of date and exploits it. In the Matrix movie, Trinity was able to break into the power plant system because the sysadmin probably never updated the SSH daemon, and thus she was able to run the SSHv1 CRC32 exploit on the machine and get root privileges. She used sshnuke. If Trinity were the sysadmin, she would definitely not leave the system unpatched. nmap has a dedicated webpage for its mentions in movies. Here is the full-size image we included; look at it carefully.

You can continue reading our next chapter, iptables Basics Chapter 3, where we discuss how to harden WordPress in conjunction with iptables, Fail2Ban and the Fail2Ban WordPress plugin.

This is the copy-paste of the screen text, which attackers may also run against your server:

           state       service
22/tcp     open        ssh
 
No exact OS matches for host
 
nmap run completed -- 1 IP address (1 host up) scanneds
% sshnuke 10.2.2.2 -rootpw-"Z1ON0101"
 
Connecting to 10.2.2.2:ssh ... successful.
Attempting to exploit SSHv1 CRC32 ... successful.
Reseting root password to "Z1ON0101".
System open: Access Level (9)
% ssh 10.2.2.2 -l root
 
root@10.2.2.2's password:
 
RTF-CONTROL> disable grid nodes 21 - 48
Warning: Disabling nodes 21-48 will disconnect sector 11 (27 nodes)
 
        ARE YOU SURE ? (y/n)
 
Grid Node 21 offline...
Grid Node 22 offline...
Grid Node 23 offline...
Grid Node 24 offline...
Grid Node 25 offline...
Grid Node 26 offline...
Grid Node 27 offline...
Grid Node 28 offline...
Grid Node 29 offline...
Grid Node 30 offline...
Grid Node 31 offline...
Grid Node 32 offline...
Grid Node 33 offline...
Grid Node 34 offline...
Grid Node 35 offline...
Grid Node 36 offline...
Grid Node 37 offline...
Grid Node 38 offline...
Grid Node 39 offline...
Grid Node 40 offline...
Grid Node 41 offline...
Grid Node 42 offline...
Grid Node 43 offline...
Grid Node 44 offline...
Grid Node 45 offline...
Grid Node 46 offline...
Grid Node 47 offline...
Grid Node 48 offline...

About This Article

Cite this article as: Abhishek Ghosh, "iptables Basics : Chapter 2, Fail2Ban," in The Customize Windows, September 13, 2016, January 21, 2021, https://thecustomizewindows.com/2016/09/iptables-basics-chapter-2-fail2ban/.
