This is the era of automation: iptables rules can be automated with the interactive package Fail2Ban, which Chapter 2 of iptables Basics explains. We expect that the reader has gone through Chapter 1 of iptables Basics; it is essential reading for this guide.
iptables Basics : Deny Bad, Allow Some
None of us needs to become an iptables expert. We only need the basics of iptables to avoid situations like the one where SSH gets flooded with errors from brute-force attacks. Not only can your search engine ranking fall; Google AdSense can issue a warning if bots inflate false impressions.
First, stop the cron-based automatic reset that erases new rules, which we set up in Chapter 1 of iptables Basics, by running crontab -e and commenting out the line.
We can then add a few simple firewall rules to block most of the common attacks. These will protect our server from script kiddies. Can iptables block DDoS or worse, like MITM attacks? Yes, unless you are running a financial website; against too many attacks you need a server with more RAM in front as a load balancer with stronger security, and again you need iptables there. The cloud services for DDoS protection are mostly designed for larger websites with tons of traffic and zero false positives. Web hosts have some anti-DDoS. It is also important to use a premium DNS service like Dyn. You can use a $7/month 6GB server with it; there are many such options like Host1Plus, RAMNode, OVH, VPSDime, ArubaCloud. Linode, DigitalOcean, Rackspace are all much the same and frankly have lost their merit now that cloud computing and virtualization software are mostly Free Software.
First, we start by blocking null packets:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Next, stop SYN floods:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Then drop XMAS attacks:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Then open the common ports:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
You have two options for the SSH port; one is to allow all:
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
Or, allow none except one IP:
iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 22 -j ACCEPT
Take a backup of the /etc/iptables/rules.v4 file and activate the automatic “reset” of iptables as we discussed in Chapter 1 of iptables Basics. You should follow this guide too, to avoid a situation where SSH gets flooded with brute-force attacks. It is mandatory to disable root login over SSH. You can also try to SSH to our server with
Frankly, for most people, everything up to this point will run fine. Now the last set of commands is:
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
If you followed Chapter 1 of iptables Basics, you can experiment without fear: after 10 minutes, iptables will be “reset”. You have to test within this period. Gradually you will increase the testing window and use a revision control system like GitHub to keep backups of the iptables rule set.
The point is that only a few ports remain open; quite simple. Ports 80, 443 and 22 are the most essential ones to keep open. If you block ports 80 and 443 and allow only a few others, the server effectively becomes a private IP. Such setups are needed for database servers.
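The ruleset above, rewritten as an added example (not from the original article) in the format iptables-restore reads, so it can be reviewed as one file, kept as /etc/iptables/rules.v4 and loaded atomically instead of typed rule by rule. The function names build_rules and apply_with_reset are chosen here; the admin IP is a placeholder, and the :FORWARD DROP policy is an addition the article does not set.

```shell
#!/bin/sh
# Added example, not the article's own code: emit this chapter's ruleset as an
# iptables-restore file and load it with a timed rollback (the Chapter 1 "reset").

# build_rules ADMIN_IP  (pass "any" for option 1: SSH open to everyone)
build_rules() {
    admin_ip="$1"
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to our own connections first (the article uses -I to put this on top)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Null packets, non-SYN "new" packets and XMAS packets, as in the article
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
EOF
    # Service ports from the article: web, SMTP, SMTPS, POP3(S), IMAP(S)
    for port in 80 443 25 465 110 995 143 993; do
        echo "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    if [ "$admin_ip" = any ]; then
        echo "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT"
    else
        echo "-A INPUT -p tcp -s $admin_ip -m tcp --dport 22 -j ACCEPT"
    fi
    echo COMMIT
}

# apply_with_reset RULES_FILE MINUTES: load RULES_FILE and put the previous
# ruleset back after MINUTES, a timer instead of the cron job from Chapter 1.
# Once a fresh SSH login works, kill the PID stored in /tmp/iptables-reset.pid.
apply_with_reset() {
    iptables-save > /tmp/rules.before
    iptables-restore < "$1"
    ( sleep "$(( $2 * 60 ))" && iptables-restore < /tmp/rules.before ) &
    echo "$!" > /tmp/iptables-reset.pid
}
```

Typical use as root: build_rules 203.0.113.5 > /etc/iptables/rules.v4, then apply_with_reset /etc/iptables/rules.v4 10 and open a second SSH session to confirm you are not locked out.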
iptables Basics : Chapter 2, Fail2Ban
Within 10 minutes Fail2Ban will be running (software that automatically detects attack patterns, writes iptables rules to ban IPs, and lifts the bans too). It is no longer just an iptables Basics guide, though. If you followed Chapter 1 of iptables Basics, you must stop the 10-minute automatic iptables “reset” first.
You should read about Fail2Ban on the official website and configure it; here we provide a method to get it running immediately.
sudo apt-get install -y fail2ban
echo " " | sudo tee /etc/fail2ban/jail.conf
Now the configuration file is empty. What next? I have a ready-to-use gist on GitHub; fetch it into place like this:
sudo wget -O /etc/fail2ban/jail.conf https://gist.githubusercontent.com/AbhishekGhosh/03dec029f9c34f32eec3e3ab8f070ad7/raw/ef99882403dc64d646579918f9eca0d1ace636e5/jail.conf
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo service fail2ban start
You can check the status of Fail2Ban:
systemctl status fail2ban.service
After a few minutes you can run:
It is very important to take a backup of iptables at this point, because fail2ban adds its own rules to iptables in order to work. The configuration I provided lacks protection for nginx or Apache and is just “basic”; you should read the documentation and modify it. The default configuration file is frankly bloated.
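To make the jail.conf knobs concrete, here is an added example (not from the article or from the Fail2Ban project) of the core loop Fail2Ban's sshd jail performs: count failed logins per source IP in the auth log, and for every IP at or above maxretry emit a simplified version of the iptables rule its iptables-multiport action inserts, plus the matching rule that lifts the ban after bantime. The log lines are constructed, the function names are chosen here, and the findtime window is left out for brevity.

```shell
#!/bin/sh
# Added example, not the article's or Fail2Ban's own code: a miniature of the
# detect-then-ban loop so maxretry / bantime in jail.conf mean something.

# Constructed sample of /var/log/auth.log: one host fails 4 times, one once.
SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar  3 10:01:12 web sshd[2201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  3 10:01:15 web sshd[2201]: Failed password for root from 198.51.100.7 port 51235 ssh2
Mar  3 10:01:19 web sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar  3 10:01:22 web sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51241 ssh2
Mar  3 10:02:40 web sshd[2210]: Failed password for alice from 203.0.113.9 port 40022 ssh2
Mar  3 10:02:45 web sshd[2210]: Accepted publickey for alice from 203.0.113.9 port 40022 ssh2
EOF

# offenders LOGFILE MAXRETRY: print every source IP with at least MAXRETRY
# "Failed password" lines, one per line (fail2ban's maxretry, without findtime).
offenders() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' "$1" | sort
}

# ban_rules LOGFILE MAXRETRY: the kind of rule fail2ban's iptables-multiport
# action inserts for each offender (simplified: it normally uses its own f2b-sshd
# chain). unban_rules prints the inverse, which is what lifting a ban looks like.
ban_rules() {
    offenders "$1" "$2" | while read -r ip; do
        echo "iptables -I INPUT -p tcp -m multiport --dports 22 -s $ip -j REJECT --reject-with icmp-port-unreachable"
    done
}
unban_rules() {
    ban_rules "$1" "$2" | sed 's/^iptables -I /iptables -D /'
}
```

On a real host, fail2ban-client status sshd shows the same information (currently failed, currently banned) that offenders computes here, and the ban rules it added are what your iptables backup must capture.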
It is difficult for a professional hacker to get into a server if fail2ban is installed and properly configured; it actively bans as a human would. It works well when the attacker probes the real web page. But imagine this level of automation being circumvented by a targeted attack: there is no reason to think we have secured the server enough. We are still in “iptables Basics”.
Last, install nmap; Trinity in Matrix Revolution used this stuff (I am not joking):
sudo apt-get install nmap
Scan your server:
sudo nmap -v -sS localhost
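As an added example (not from the article), the scan can be turned into a check that only the ports the ruleset opens are actually reachable, using nmap's grepable output (nmap -sS -oG - HOST). The sample output line and the function names open_ports and unexpected_ports are constructed here.

```shell
#!/bin/sh
# Added example, not the article's own code: compare what nmap sees open
# against the port allowlist the firewall is supposed to enforce.

# Constructed line in the shape `nmap -sS -oG - HOST` prints for one host.
SAMPLE_NMAP_OG=$(printf 'Host: 203.0.113.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///, 443/closed/tcp//https///\tIgnored State: closed (996)')

# open_ports: read grepable nmap output on stdin, print open TCP ports, sorted.
open_ports() {
    grep -o '[0-9]\{1,5\}/open/tcp' | cut -d/ -f1 | sort -n
}

# unexpected_ports "ALLOWED": ALLOWED is a space-separated list (the ports the
# ruleset ACCEPTs); prints every open port that is not on it, one per line.
unexpected_ports() {
    allowed=" $1 "
    open_ports | while read -r p; do
        case "$allowed" in
            *" $p "*) ;;          # expected, nothing to report
            *) echo "$p" ;;       # open but not in the ruleset: investigate
        esac
    done
}

# Stand-alone run: with the constructed sample, 3306 is reported as unexpected.
printf '%s\n' "$SAMPLE_NMAP_OG" | unexpected_ports '22 80 443 25 465 110 995 143 993'
```

Note that scanning localhost, as above, goes over the lo interface, which the ruleset accepts entirely; to check the firewall itself, run the scan from another machine against the server's public address.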
A port scan can figure out what services are running; an attacker then finds one that is out of date and exploits it. In the Matrix movie Trinity was able to break into the power plant system because the sysadmin probably never updated the SSH daemon, so she was able to run the SSHv1 CRC32 exploit on the machine and gain root privileges. She used sshnuke. If Trinity had been the sysadmin, she would definitely not have left the system unpatched. nmap has a dedicated web page for its mentions in movies. Here is the full-size image we included; look at it carefully. This is the copy-paste from the screen, which attackers may also run against your server:
22/tcp open ssh
No exact OS matches for host
nmap run completed -- 1 IP address (1 host up) scanneds
% sshnuke 10.2.2.2 -rootpw-"Z1ON0101"
Connecting to 10.2.2.2:ssh ... successful.
Attempting to exploit SSHv1 CRC32 ... successful.
Reseting root password to "Z1ON0101".
System open: Access Level (9)
% ssh 10.2.2.2 -l root
RTF-CONTROL> disable grid nodes 21 - 48
Warning: Disabling nodes 21-48 will disconnect sector 11 (27 nodes)
ARE YOU SURE ? (y/n)
Grid Node 21 offline...
Grid Node 22 offline...
Grid Node 23 offline...
Grid Node 24 offline...
Grid Node 25 offline...
Grid Node 26 offline...
Grid Node 27 offline...
Grid Node 28 offline...
Grid Node 29 offline...
Grid Node 30 offline...
Grid Node 31 offline...
Grid Node 32 offline...
Grid Node 33 offline...
Grid Node 34 offline...
Grid Node 35 offline...
Grid Node 36 offline...
Grid Node 37 offline...
Grid Node 38 offline...
Grid Node 39 offline...
Grid Node 40 offline...
Grid Node 41 offline...
Grid Node 42 offline...
Grid Node 43 offline...
Grid Node 44 offline...
Grid Node 45 offline...
Grid Node 46 offline...
Grid Node 47 offline...
Grid Node 48 offline...