Wed, 11 June 2008 18:19
Registered: November 2007
Messages: 505
A common problem among Linux server admins is how to firewall their server. Here is a simple firewall script that leaves the server open on port 22 (ssh) and enables web and DNS access. All outgoing ports are open, but all other incoming ports are blocked.

This script also includes a brute force shield on the ssh port, to prevent password guessing of your server. Too many connections to ssh will cause a temporary rejection of the IP for 20 seconds. Another attempt will cause a delay of 200 seconds etc.

To ensure the script runs when the server is rebooted, call it from /etc/rc.local.
------------------------------------------------------------
#!/bin/bash

set -x

# Clear any existing firewall stuff before we start, including the user
# chains created below, so the script can be re-run without "Chain already
# exists" errors or duplicated rules

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables --delete-chain

# Create a brute force shield over the ssh port
iptables -N ssh
iptables -N blacklist
iptables -A blacklist -m recent --name blacklist --set
iptables -A blacklist -j DROP
iptables -A ssh -m recent --update --name blacklist --seconds 600 --hitcount 1 -j DROP
iptables -A ssh -m recent --set --name counting1
iptables -A ssh -m recent --set --name counting2
iptables -A ssh -m recent --set --name counting3
iptables -A ssh -m recent --set --name counting4
iptables -A ssh -m recent --update --name counting1 --seconds 20 --hitcount 10 -j blacklist
iptables -A ssh -m recent --update --name counting2 --seconds 200 --hitcount 25 -j blacklist
iptables -A ssh -m recent --update --name counting3 --seconds 2000 --hitcount 80 -j blacklist
iptables -A ssh -m recent --update --name counting4 --seconds 20000 --hitcount 400 -j blacklist
iptables -A ssh -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p TCP --dport ssh -m state --state NEW -j ssh

# As the default policies, drop all incoming traffic but allow all
# outgoing traffic. This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.

iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT

# Allow all incoming traffic if it is coming from the local loopback device

iptables -A INPUT -i lo -j ACCEPT

# Related and established connections: see
# http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
#
# Accept all incoming traffic associated with an established
# connection, or a "related" connection
#
# This will automatically handle incoming UDP traffic associated with
# DNS queries, as well as PASSIVE mode FTP (provided the
# ip_conntrack_ftp module is loaded)

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow connections on selected ports to the firewalled computer:
# 22 ssh (allowed in shield above)
# 80 http
# 443 https
# 53 DNS (udp and tcp)

iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow icmp input so that people can ping us

iptables -A INPUT -p icmp -j ACCEPT

# The final rule uses REJECT rather than DROP to be polite: people connecting to a
# blocked port receive a "connection refused" message instead of timing out after 30 seconds.

iptables -A INPUT -j REJECT


[Updated on: Sat, 08 August 2009 00:20]

Mon, 22 June 2009 06:18
Registered: August 2008
Messages: 3
Does this script work OK for Lenny?
Tue, 23 June 2009 02:30
Registered: November 2007
Messages: 505
It should work for any distribution of Linux that has iptables installed.
Thu, 02 July 2009 10:29
Registered: May 2009
Messages: 21
I found another funny tool: fail2ban
It does the same by analyzing logfiles of any application, like Apache, Webmin, Tomcat, and SSH of course.
Thu, 06 August 2009 15:27
Registered: August 2009
Messages: 1
I'm running your basic Ubuntu LAMP template and when I run your basic firewall script I get:
FATAL: Could not load /lib/modules/2.6.18-12-fza-686-bigmem/modules.dep: No such file or directory

Any advice? I need to get passive FTP going asap...

Thanks!

[Updated on: Thu, 06 August 2009 15:28]

Thu, 06 August 2009 23:09
Registered: November 2007
Messages: 505
That is strange. Please open a support ticket so we can track that problem down.
Thu, 03 September 2009 16:48
Registered: September 2009
Messages: 2
DogFather - are you sure you ran the script as root? I had the same error, then ran as sudo and it worked...
Thu, 03 September 2009 22:38
Registered: April 2009
Messages: 14
A few comments about your brute force shield.

First I don't think it acts quite as you intended.

staff wrote on Wed, 11 June 2008 18:19:

    This script also includes a brute force shield on the ssh port, to prevent password guessing of your server. Too many connections to ssh will cause a temporary rejection of the IP for 20 seconds. Another attempt will cause a delay of 200 seconds etc.

Reading the script I'm going to assume you intended for 10 logins to result in a 20 second ban, 25 logins to result in 200 seconds, 80 logins to result in 2000 seconds, and 400 logins to result in 20000 seconds.

I believe the ban length will only ever be 600 seconds with this script. The ban length begins when a user performs 10 logins in 20 seconds or 25 logins in 200 seconds or 80 logins in 2000 seconds or 400 logins in 20000 seconds.

The below is a sketch of what I use for an iptables brute force shield. It's a sketch because Gentoo saves / loads the iptables state, so I don't have a need for a script that sets it up all the time; I just create the tables once and Gentoo remembers it for me. Hence, the below is simply editing your example to follow the logic I have in place.

# Level one blacklist chain
iptables -N blacklist1
iptables -A blacklist1 -m recent --name blacklist1 --set
iptables -A blacklist1 -j DROP

# Level two blacklist chain
iptables -N blacklist2
iptables -A blacklist2 -m recent --name blacklist2 --set
iptables -A blacklist2 -j DROP

# ssh chain
iptables -N ssh

# Increment the counter
iptables -A ssh -m recent --set --name counting

# If you were added to blacklist2 within 3600 seconds, readd to blacklist2 and DROP.
iptables -A ssh -m recent --update --name blacklist2 --seconds 3600 --hitcount 1 -j blacklist2

# If you were added to blacklist1 within 60 seconds, readd to blacklist1 and DROP.
iptables -A ssh -m recent --update --name blacklist1 --seconds 60 --hitcount 1 -j blacklist1

# If you've tried to access the server 25 times in the past 120 seconds, add to blacklist2 and DROP
iptables -A ssh -m recent --update --name counting --seconds 120 --hitcount 25 -j blacklist2

# If you've tried to access the server 10 times in the past 30 seconds, add to blacklist1 and DROP
iptables -A ssh -m recent --update --name counting --seconds 30 --hitcount 10 -j blacklist1

# Accept anything that gets through the blacklisting
iptables -A ssh -j ACCEPT


I stress that this is untested! And because I'm security conscious I recommend waiting for an update from 'staff'. Your firewalls have been working up till now, why go off and change things because a user that seems knowledgeable told you to?

The code describes what it does fairly well. Basically, accessing the server 10 times in 30 seconds results in a level one blacklist. To get off this list you need to wait 60 seconds in between attempts; if you try and access the server, say, every 40 seconds you will remain blacklisted forever. If you access the server 25 times in 120 seconds you get a level two blacklist, which you have to wait 3600 seconds to get off of.

Staff, at the very least I recommend testing your blacklist. I haven't actually tested it myself as this is my first time reading it, but you might find out the rules behave differently than expected. Though I could be the one that has a misunderstanding of iptables, in which case I'd like to know my model is incorrect.

Danger
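A small model of the iptables recent match, added here as an editor's example (not code from this thread or from iptables itself), to check Danger's reading of both rule sets above: it replays a constructed client against the first post's ssh chain and the two-level sketch and reports when the client is accepted again. PKT_LIST_TOT, Recent, ssh_chain, ORIGINAL, DANGER and first_accept_after_ban are the example's own names; the client address 192.0.2.10 is constructed.

```python
PKT_LIST_TOT = 20  # kernel default ip_pkt_list_tot: timestamps kept per address

class Recent:
    """Model of the iptables 'recent' match: named lists of per-source timestamps."""
    def __init__(self):
        self.lists = {}  # list name -> {ip: [stamps, newest first]}

    def set(self, name, ip, now):  # --set: record a stamp for ip; always matches
        stamps = self.lists.setdefault(name, {}).setdefault(ip, [])
        stamps.insert(0, now)
        del stamps[PKT_LIST_TOT:]  # oldest stamps fall off the bounded list

    def update(self, name, ip, now, seconds, hitcount):
        # --update --seconds S --hitcount H: match when >= H stamps lie within the
        # last S seconds; a match also refreshes the entry with one more stamp.
        stamps = self.lists.get(name, {}).get(ip, [])
        if sum(1 for t in stamps if now - t <= seconds) < hitcount:
            return False
        self.set(name, ip, now)
        return True

def ssh_chain(rules, r, ip, now):
    """Run one NEW connection through ('set', list) / ('update', list, S, H, target) rules."""
    for rule in rules:
        if rule[0] == "set":
            r.set(rule[1], ip, now)
        elif r.update(rule[1], ip, now, rule[2], rule[3]):
            if rule[4]:
                r.set(rule[4], ip, now)  # -j blacklist chain: --set, then DROP
            return "DROP"
    return "ACCEPT"  # fell off the end of the chain: -j ACCEPT

# First post's 'ssh' chain: blacklist check, four counters, four escalation rules.
ORIGINAL = ([("update", "blacklist", 600, 1, None)]
            + [("set", f"counting{i}") for i in range(1, 5)]
            + [("update", f"counting{i}", s, h, "blacklist") for i, (s, h) in
               enumerate(((20, 10), (200, 25), (2000, 80), (20000, 400)), 1)])
# Danger's two-level sketch from the later reply.
DANGER = [("set", "counting"), ("update", "blacklist2", 3600, 1, "blacklist2"),
          ("update", "blacklist1", 60, 1, "blacklist1"),
          ("update", "counting", 120, 25, "blacklist2"),
          ("update", "counting", 30, 10, "blacklist1")]

def first_accept_after_ban(rules, retry, horizon=5000):
    """Constructed client: 10 hits 2 s apart (t=0..18), then one retry every `retry` s."""
    r, ip = Recent(), "192.0.2.10"  # constructed source address (TEST-NET-1)
    for t in list(range(0, 20, 2)) + list(range(18 + retry, horizon, retry)):
        if ssh_chain(rules, r, ip, t) == "ACCEPT" and t > 18:
            return t  # time of the first accepted retry after the ban
    return None  # still dropped at the horizon
```

With the first post's rules a client that keeps retrying every 40 s is never accepted again (each retry refreshes the 600 s blacklist entry) while one that waits 700 s is, and the sketch behaves the same way at its 60 s level, as the reply says. The model keeps 20 stamps per address (the ip_pkt_list_tot default), so rules with --hitcount above 20 never match here; check your kernel's actual limit before relying on such rules.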

Thu, 03 September 2009 22:42
Registered: April 2009
Messages: 14
TheDogFather wrote on Thu, 06 August 2009 15:27:

    I'm running your basic Ubuntu LAMP template and when I run your basic firewall script I get:
    FATAL: Could not load /lib/modules/2.6.18-12-fza-686-bigmem/modules.dep: No such file or directory

    Any advice? I need to get passive FTP going asap...

    Thanks!

bookup wrote on Thu, 03 September 2009 16:48:

    DogFather - are you sure you ran the script as root? I had the same error, then ran as sudo and it worked...

I'll have to agree, it should be a simple permission issue. The below is the output I get as a user.

FATAL: Could not load /lib/modules/2.6.18-14-fza-amd64/modules.dep: No such file or directory
iptables v1.4.3.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Tue, 22 September 2009 09:05
Registered: November 2007
Messages: 505
Modules do not need to be loaded in your VPS, all of them are already loaded and configured in your kernel.

You can avoid that error by just creating the file it's looking for:
/lib/modules/2.6.18-14-fza-amd64/modules.dep

Just create a blank file at that location and create the directories as well if you have to.
Tue, 16 February 2010 20:28
Registered: May 2009
Messages: 21
[deleted duplicate post]

[Updated on: Tue, 16 February 2010 20:29]
