Disclaimer: Although I believe the information in this document to be accurate, it is YOUR responsibility to verify any information written within this document. By reading this document you agree this information is provided on an as-is basis, and you agree to hold no one liable in any way for any information contained in this document. Even negligence.

Author: Ricky Bryce (Montgomery County, Illinois)




IPTables (Firewall Configuration)


Next, we'll configure the IPTables firewall. We can do this graphically. A firewall is useful for blocking the ports of services which do not need to be accessible from the Internet. This makes your server more secure. IPTables can also be used to drop abusive IP addresses and to hinder “brute force” attacks, where the attacker attempts to gain access to your system by sending random usernames and passwords.


  1. We are going to set up our initial firewall configuration from Webmin, so in your browser's address bar, go to https://brycefamily.com:10000 (you may have to force the browser to accept the security certificate, as we did in earlier lessons).


  1. Log in with your root username and password.





  1. Under “Networking”, choose “Linux Firewall”




  1. We are going to choose “Block all except ports used for virtual hosting, on interface: Eth0”, then hit “Setup Firewall”.




  1. Next, we'll need to open a few more ports and customize the firewall to minimize the chance of “brute force” or “dictionary” attacks. The easiest way to do this is to manually edit the iptables firewall configuration file. Go to PuTTY and log in. Type su to become the root user if you are logged in as a standard user.


  1. Type cd /etc/sysconfig/ to enter the directory where our firewall configuration is stored.


  1. Type vi iptables to open the file for editing with the vi text editor.


  1. Cursor down about 21 lines until you are immediately after the *filter section. You will be sitting on the line that reads # Accept traffic from internal interfaces.


  1. Tap “i” on your keyboard to get into Insert mode.


  1. Press enter 5 times to give yourself some blank space above the line you are on.




  1. Cursor up (with your up arrow key) 3 times.


  1. Copy the following rules, and paste them into your text editor:


###############################This is the custom rules######################
# A few more things. Let's drop brute force attacks....

# Now let's deal with brute force SSH attacks.
# The two -I rules are inserted at the top of INPUT (the second -I lands above
# the first), so every NEW SSH connection is checked against the per-source
# counter before it is recorded. --name keeps this counter separate from the
# FTP counter below; without it both would share the recent module's DEFAULT
# list and FTP logins would count against the SSH limit.
-I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --set --name SSH_NEW
-I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH_NEW -j DROP

-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
-A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
-A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# Now let's deal with brute force FTP attacks (same pattern, looser threshold).
-I INPUT -p tcp -i eth0 --dport 21 -m state --state NEW -m recent --set --name FTP_NEW
-I INPUT -p tcp -i eth0 --dport 21 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 --name FTP_NEW -j DROP

-A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP -j ACCEPT
-A INPUT -p tcp --dport 21 -m recent --update --seconds 20 --hitcount 10 --rttl --name FTP -j LOG --log-prefix "FTP_brute_force "
-A INPUT -p tcp --dport 21 -m recent --update --seconds 20 --hitcount 10 --rttl --name FTP -j DROP

# Block bad guys (uncomment and fill in an address to drop a single abusive host)
#-A INPUT -s IPAddressOfBadGuyHere -j DROP

# Now, let's set up EchoLink Proxy ports (for ham radio operators only)
-A INPUT -p udp -m udp --dport 5198:5199 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5200 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8100 -j ACCEPT

# Open passive ports for vsftpd
-A INPUT -p tcp -m tcp --dport 60000:60500 -j ACCEPT

###############################End of the custom rules######################
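To see what the SSH thresholds above actually do, here is an added Python model (not code from this page or from the iptables project) of the recent module's --set / --update --seconds --hitcount logic, assuming the list name SSH_NEW for the -I pair and a constructed source address; --rttl and the module's per-list stamp limit are not modelled.

```python
from collections import defaultdict

class RecentLists:
    """One timestamp list per --name, each keyed by source address."""
    def __init__(self):
        self.lists = defaultdict(lambda: defaultdict(list))

    def set(self, name, src, now):
        # --set always matches and records the packet's timestamp for src.
        self.lists[name][src].append(now)
        return True

    def update(self, name, src, now, seconds, hitcount):
        # --update matches only if src is listed and at least `hitcount`
        # stamps fall within the last `seconds`; a match adds a fresh stamp,
        # which is what keeps a source that keeps retrying locked out.
        stamps = self.lists[name].get(src, [])
        if sum(1 for t in stamps if now - t <= seconds) >= hitcount:
            stamps.append(now)
            return True
        return False

# Chain order after iptables-restore: the second -I lands above the first, so
# the --update/DROP check runs before --set; the appended
# "--set --name SSH -j ACCEPT" rule then accepts whatever is left.
# Tuple layout: (match kind, list name, --seconds, --hitcount, -j target).
SSH_CHAIN = [
    ("update", "SSH_NEW", 300, 3, "DROP"),
    ("set", "SSH_NEW", None, None, None),   # no -j: record and fall through
    ("set", "SSH", None, None, "ACCEPT"),
]

def verdict(lists, chain, src, now):
    """Walk the chain for one NEW SSH packet from src at time now (seconds)."""
    for kind, name, seconds, hitcount, target in chain:
        if kind == "set":
            matched = lists.set(name, src, now)
        else:
            matched = lists.update(name, src, now, seconds, hitcount)
        if matched and target:
            return target
    return "POLICY"   # fell off the end: the chain policy decides

def trace(chain, attempts, src="203.0.113.7"):
    """Verdict per connection time for a constructed sequence from one host."""
    lists = RecentLists()
    return [verdict(lists, chain, src, t) for t in attempts]

if __name__ == "__main__":
    # Constructed sample: 4 quick attempts, retries while blocked, one after.
    print(trace(SSH_CHAIN, [0, 10, 20, 30, 100, 200, 300, 400, 800]))
```

The trace shows that three connections get through, the fourth within five minutes is dropped, every retry while blocked extends the block by another 300 seconds, and the same counter locks out a legitimate administrator who opens a fourth session too quickly, so choose the thresholds with your own login habits in mind.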


  1. Note: You may want to check out other common attacks as well, so you are prepared to set up your firewall to defend against them if you have a problem.



  1. Hit Esc on your keyboard to take the editor back to command mode.


  1. Type :wq and press Enter (colon, w to write the file, q to quit).


  1. Now, let's see if the firewall will restart. Type /etc/init.d/iptables restart




  1. It looks like our configuration was successful! Congratulations.