iptables Basics : Chapter 2, Fail2Ban

This is Era of Automation. iptables Rules Can Be Automated With Interactive Package Fail2Ban Which iptables Basics Chapter 2 Will Explain. We expect that the reader has undergone Chapter 1 of iptables Basics. It is very important to read for this guide.

iptables Basics : Deny Bad, Allow Some

None of us need to become expert on iptables. We need to know just basics on iptables to avoid situation like this where SSH gets flooded with errors out of brute force attacks. Not only your search engine ranking position can fall, Google AdSense can deliver warning if bots increase false impression.

First, stop the automatic system via cron to erase the new rules we taught you on Chapter 1 of iptables Basics by running crontab -e and commenting out the line.

We can then add a few simple firewall rules to block most of the common attacks. These will protect our server from the script kiddies. Can iptables block DDOS or worser like MiTMA? Yes, unless you are running a financial website for too many attacks you need higher RAM server in front as loadbalancer with higher security. Again you need iptables. The cloud services for protecting DDoS are mostly designed for the larger websites with ton of traffic with zero false positive. Web hosts have some anti-DDoS. Plus it is important to use a premium DNS service like Dyn. You can use $7/month 6GB server with it, there are many such options like Host1Plus, RAMNode, OVH, VPSDime, ArubaCloud. Linode, DigitalOcean, Rackspace – all are kind of same and frankly lost merit now as cloud computing and virtualization softwares are mostly Free Softwares now.

First, we start with blocking null packets :

Next stop the syn floods :

Then drop the XMAS attacks :

Thereafter open the common ports :

You have to two options for SSH port, one is to allow all :

OR, to allow none except one IP :

Take a backup of the /etc/iptables/rules.v4 file and activate the automatic “reset” of iptables as we talked on
Chapter 1 of iptables Basics. You should follow this guide too to avoid situation where SSH can get flooded with brute force attacks. That is mandatory to disable root to SSH. You can also try to SSH to our server with root username!

Frankly, for the most up to this will run fine. Now the last set of commands are :

If you followed our Chapter 1 of iptables Basics, without fear you can do whatever – after 10 minutes, iptables will get “reset”. You have to test within this period. Slowly you will increase the time for testing and use Github like revision control system to keep backup of the iptables rule set.

You need a point only few ports remain open – quite simple. Port 80, 443, 22 are most mandatory to keep open ports. If you block Port 80, 443 and allow few – it becomes virtual private IP. Such are needed for database servers.

iptables Basics : Chapter 2, Fail2Ban

Within 10 minutes will be running Fail2Ban (a software to automatically detect the attack pattern and write on iptables to ban IPs and lift the ban too). It is no longer iptables Basics guide though. If you followed our Chapter 1 of iptables Basics, you must stop the 10 minutes iptables automatic “reset” system first.

You will read about Fail2Ban on official website and configure it. We are providing method for immediate run.

Now those configuration files has been empty. What will happen? I have a ready to use gist on Github. You can run cat in this way :

You can see status of Fail2Ban :

After few minutes you can run :

It is very important to take a backup of iptables at this point – fail2ban itself get added on iptables for working. The configuration I provided lack security for nginx or apache and just “basic”. You should read documentation and modify it. Default configuration file is frankly like bloated php.ini file.

It is difficult for a professional hacker to enter a server if fail2ban is installed and properly configured. It will actively ban like a human. It goes great when the hacker checks the real webpage. Just imagine, this level of automation is circumvented by targeted attack. There is no reason to think that we have enough secured the server. We are still in “iptables Basics”.

Last, install nmap, Trinity in Matrix Revolution used this stuff (I am not joking) :

You will scan your server :

Port scan can figure out what services are running, then you find one that is out of date and exploit it. In the Matrix movie Trinity was able to break into the power plant system, because the sysadmin probably never updated the ssh demon and thus she was able to run SSHv1 CRC32 exploit on the machine and get root privilege. She used sshnuke. If Trinity was sysadmin, definitely not keep the system not updated. nmap has dedicated webpage for their mentions in movies. Here is the full size image we included, notice carefully.

You can continue reading our next chapter – iptables Basics Chapter 3 where we have discussed how to harden WordPress in conjunction to IPTables, Fail2Ban and Fail2Ban WordPress Plugin.

This the copy-paste from the screen, which attachers may also run on your server :