Hello,

I have read and seen many options for additions to iptables as a firewall and security system. All seem to react to logs and not to incoming packets (as far as I have seen).

I am interested in doing a number of security ideas to the firewall, iptables, on my webserver. If you have a program you would suggest or believe iptables is the proper solution, please feel free to post that.

Here are some of the things I would like to do:

1) I have switched my SSH to a different port. I would like to still check for anyone trying to hit the old port 22 and log them. At the same time add them to a reject/ban for a certain period of time, let's say 1 day.

2) There are certain Apache hacks (like things that include ../) that I would prefer to stop at the firewall. I would also like to log these attempts and begin a reject/ban for a certain period of time. Or just log until I figure out the best way to safely ban.

3) There are common script kiddie hacks that look for certain files 1 million times a day. I would like to either look for them in the incoming packets, log, and ban. Or I would like to be able to use my own PHP program to route them out and then add to a ban list that iptables can use.

These are just some of the things I am looking at doing. I also want to start a ban list for mail packets too; why bog down sendmail when I know what they are?

I realize some things might be done via programs like fail2ban (like my PHP program making a list) but others would be better at the firewall as active reaction security measures.

Any input kindly accepted.

Thank you for any help or ideas.

Bob
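An added example, not written by any poster in this thread, of how items 1 and 3 above (and a log-only version of item 2) can be expressed with the iptables `recent` and `string` matches. The list name `banned`, the chain name `PROBE_BAN`, the log prefixes and the one-day window are assumptions chosen for this example; 55994 is the SSH port Bob mentions later in the thread. The script prints the rules by default so they can be reviewed before being applied with the `apply` argument.

```shell
#!/bin/sh
# Added example (not from the thread). Keeps a one-day ban list with the
# iptables "recent" match, logs (only) plain-text HTTP payloads containing
# "../" with the "string" match, and lets an outside script add an address
# to the same list. BAN_SECONDS, BAN_LIST, BAN_CHAIN and the log prefixes
# are assumptions for this example.

BAN_SECONDS=86400        # one day
BAN_LIST=banned          # appears as /proc/net/xt_recent/banned
BAN_CHAIN=PROBE_BAN
SSH_PORT=55994           # the port Bob moved SSH to

# Print the rules rather than running them, so they can be reviewed first.
port22_rules() {
cat <<EOF
iptables -N $BAN_CHAIN
# Any source already on the list within the last day is dropped on every port.
# --update also refreshes its timestamp, so a host that keeps probing stays out.
iptables -A INPUT -m recent --name $BAN_LIST --update --seconds $BAN_SECONDS -j DROP
# The real SSH port stays reachable for hosts not on the list.
iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
# A new connection to the old port 22 goes to the ban chain: log (rate-limited),
# then add the source to the list; --set always matches, so the DROP applies.
iptables -A INPUT -p tcp --dport 22 --syn -j $BAN_CHAIN
iptables -A $BAN_CHAIN -m limit --limit 5/min -j LOG --log-prefix "PORT22_PROBE: "
iptables -A $BAN_CHAIN -m recent --name $BAN_LIST --set -j DROP
# Item 2, log only: plain-text HTTP payloads that contain "../".
iptables -A INPUT -p tcp --dport 80 -m string --string "../" --algo bm -m limit --limit 5/min -j LOG --log-prefix "HTTP_DOTDOT: "
EOF
}

# IPv4 sanity check: four dotted decimal octets, each 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Item 3: an outside program (Bob's PHP script, for instance) can put an
# address on the ban list by writing "+addr" to the recent module's proc file.
ban_ip() {
    valid_ipv4 "$1" || return 1
    echo "+$1" > "/proc/net/xt_recent/$BAN_LIST"
}

case "${1:-show}" in
    apply) port22_rules | grep -v '^#' | sh -e ;;
    ban)   ban_ip "$2" ;;
    *)     port22_rules ;;
esac
```

Two things to check before using something like this on a live box: the rules are appended with `-A`, so in an existing ruleset they must sit before any broad ACCEPT rules (or be inserted with `-I`), and the `string` match only sees unencrypted, unfragmented payloads, so it will not catch `../` over HTTPS or in URL-encoded form; that check belongs at the Apache layer. On older kernels the proc path is `/proc/net/ipt_recent/` rather than `/proc/net/xt_recent/`.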
On Tue, Aug 10, 2010 at 04:30:16PM -0400, Bob Hoffman wrote:
> I am interested in doing a number of security ideas to the firewall,
> iptables, on my webserver. If you have a program you would suggest or
> believe iptables is the proper solution, please feel free to post that.

For a set of useful components you might look here:

http://www.gentoo.org/proj/en/dynfw.xml

Not a complete solution, but very useful options for dropping, blocking or rate limiting specific remote IPs at the firewall, that are consistent with varied iptables setups, and can be easily called from whatever scripts you're using to identify bad IPs.

Regards,
Whit
On Tue, 2010-08-10 at 16:30 -0400, Bob Hoffman wrote:
> Hello,
>
> I have read and seen many options for additions to Iptables as a firewall
> and security system. All seem to react to logs and not to incoming packets
> (as far as I have seen)
>
> I am interested in doing a number of security ideas to the firewall,
> iptables, on my webserver. If you have a program you would suggest or
> believe iptables is the proper solution, please feel free to post that.
>
> [...]

OSSEC http://www.ossec.net/

Not exactly 'real-time', though, as it has to parse the logs.

-- 
Calin
Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857
================================================
Putt's Law: Technology is dominated by two types of people: Those who understand what they do not manage. Those who manage what they do not understand.
On 08/10/10 1:30 PM, Bob Hoffman wrote:
> 1) I have switched my SSH to a different port. I would like to still check
> for anyone trying to hit the old port 22 and log them. At the same time add
> them to a reject/ban for a certain period of time, lets say 1 day.

If nothing is listening on that port, then what's to 'ban'?
Forgive me if this does not go with the right topic; I am on digest and responding to a topic sometimes makes it start a new one.

My reason for the iptables questions is to not follow the practice of putting up a wall and ignoring hackers. I want to be more proactive.

If I have set my SSH port to 55994 and am not using port 22, but hackers are pounding on my port 22 looking for SSH, then I want to not only know about it, I want to log them and prevent them access to my server and web applications. At least temporarily.

I see now that many of the programs are log users and not real time. And many like fail2ban actually add chains to iptables that I could do myself. It looks like getting some books on netfilter may be the way to go.

I would rather stop stuff at the firewall than trust apache, php, sendmail, vsftp, etc. I would rather use them as backup failsafes while I work on hack-proofing the single point of entry.

I have a server sitting right on the net and the constant barrage of 100s of IPs trying thousands of times at port 22 is insane. I examine my logs and see so much in the way of DNS poison attacks, ssh-mail-ftp, etc. attacks that I do not want to just sit back and think I am fine because I have a firewall and CentOS will send me bug fixes.

That firewall seems like the 100% way of going at stopping and preventing issues. If an IP is doing something it should not be doing, most likely you do not want it probing anything else either.

That's why I ask.
> 2) there are certain apache hacks (like things that include ../) that I
> would prefer to stop at the firewall. I would also like to log these
> attempts and begin a reject/ban for a certain period of time. Or just log
> until I figure out the best way to safely ban.

Try mod_security, the application firewall for Apache: http://www.modsecurity.org/

-- 
Eero, RHCE
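As an added illustration of the mod_security suggestion above (rules written for this page, not from Eero or the ModSecurity project), a minimal ModSecurity 2.x rule that logs and blocks requests whose URI contains `../`, including URL-encoded forms such as `%2e%2e%2f`. The rule id and message text are arbitrary choices; mod_security2 is assumed to be loaded in Apache.

```apache
# Added example: ModSecurity 2.x rule for Apache. Assumes mod_security2 is
# loaded; the rule id and msg text are arbitrary.
SecRuleEngine On
SecAuditEngine RelevantOnly

# Decode the raw URI first so %2e%2e%2f is tested as "../". Do NOT add
# t:normalisePath here: that transformation collapses "../" segments, and
# the rule would then never match.
SecRule REQUEST_URI "@contains ../" \
    "id:100001,phase:1,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Directory traversal attempt in URI'"
```

Because this runs inside Apache it also sees HTTPS requests, which an iptables payload match cannot. The denied requests land in the Apache error and audit logs, so a fail2ban-style script can read them and feed the offending addresses into whatever firewall ban list is in use.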