Hardening your Ubuntu 9.10 Server – Firewall
Having bought a Linode.com VPS, I began experimenting more with Linux, at only $20 a month, its a great setup, your own virtual server, and the rights to do as you please. However with that power, comes responsibility (I should hope..). So we need to setup our firewall properly to reduce the chance of attack, and hacks.
Below is the IPTABLES script that I’ve developed based on multiple sources:
#!/bin/sh IPT="/sbin/iptables" # Flush old rules, old custom tables $IPT -F $IPT -X $IPT -t nat -F $IPT -t nat -X $IPT -t mangle -F $IPT -t mangle -X $IPT -P INPUT ACCEPT $IPT -P FORWARD ACCEPT $IPT -P OUTPUT ACCEPT # Set default policies for all three default chains $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT ACCEPT # Enable free use of loopback interfaces $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # All TCP sessions should begin with SYN $IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP # Lets log and drop stuff $IPT -N LOGNDROP $IPT -A INPUT -j LOGNDROP $IPT -A LOGNDROP -p tcp -m limit --limit 4/min -j LOG --log-prefix "Denied TCP: " --log-level 7 $IPT -A LOGNDROP -p udp -m limit --limit 4/min -j LOG --log-prefix "Denied UDP: " --log-level 7 $IPT -A LOGNDROP -p icmp -m limit --limit 4/min -j LOG --log-prefix "Denied ICMP: " --log-level 7 $IPT -A LOGNDROP -j DROP # X-mas tree protection $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOGNDROP $IPT -A INPUT -p tcp --tcp-flags SYN,FIN,RST SYN,FIN,RST -j LOGNDROP $IPT -A INPUT -p tcp --tcp-flags SYN,FIN,RST,PSH SYN,FIN,RST,PSH -j LOGNDROP # block IANA reserved $IPT -A INPUT -i eth0 -s 10.0.0.0/8 -j LOGNDROP $IPT -A INPUT -i eth0 -s 172.16.0.0/12 -j LOGNDROP $IPT -A INPUT -i eth0 -s 192.168.0.0/16 -j LOGNDROP # Accept inbound TCP packets $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT $IPT -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH $IPT -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP $IPT -A INPUT -j LOGNDROP
The script is fairly straight forward, but includes a few little ‘gems’, those include X-mas tree protection (fully lit up packets – SYN, FIN etc;). As well as blocking IANA reserved ip’s (which you should not get on an external box!).
The only ports that I open are port 80 for HTTP.
Port 443 for HTTPS and 22 for SSH (altho I should move it to a non-standard port to reduce bruteforce attacks).
What kind of gems do you guys have in your iptables for protection? One of my next plans is to either add a port-knock (for ssh) or a tarpit (also for ssh – which should slow down bruteforce attempts).