Feb 19 2015
 
Article Server Administration

Any server connected to the internet is exposed to attacks from hackers. They will attempt to break into the server, trying every possible vulnerability, to take control of it and use it for their own purposes. To protect the server as much as possible, it is common to use some kind of firewall. On Linux systems, the iptables package is one of the most used options to provide this functionality.

This post goes through a sample installation and configuration of iptables on a Debian system, together with other packages such as fail2ban, that automate the detection of and reaction against break-in attempts.

iptables installation

iptables is the default firewall package on Debian systems since the release of Debian Lenny. This package provides the packet filtering and network address translation (NAT) functionalities.

Most Debian systems already come with iptables installed, and a default iptables configuration that allows any incoming or outgoing traffic, and thus there is no need to install the package. Nevertheless, apt-get can be used to upgrade the package, in case there is a version more recent than what is installed in the system:

$ sudo apt-get install iptables
Reading package lists... Done
Building dependency tree       
Reading state information... Done
iptables is already the newest version.
$

Option -L of the iptables command can be used to list the configured firewall rules:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

As can be seen, the default configuration permits any incoming (INPUT) or outgoing (OUTPUT) traffic, as well as any traffic where the system acts as a router (FORWARD).

Configuring iptables with ufw

iptables firewall rules can be added using the iptables command directly from the command line. They can also be specified in a configuration file that is later read by the iptables service. But the syntax of the rules is complex, so it is advisable to use a helper program such as ufw (uncomplicated firewall), or its graphical frontend, gufw.

First, the ufw package is installed with apt-get:

$ sudo apt-get update
$ sudo apt-get install ufw
   ...
Setting up ufw (0.31.1-2) ...

Creating config file /etc/ufw/before.rules with new version

Creating config file /etc/ufw/before6.rules with new version

Creating config file /etc/ufw/after.rules with new version

Creating config file /etc/ufw/after6.rules with new version

Next, we will set up a sample configuration to reject all accesses to the system, other than:

  • Accesses to port 80 (HTTP) or 443 (HTTPS), from any IP address
  • Accesses to port 22 (SSH) from the IP address of the computer used to connect remotely to the server. In this example, this is address 1.2.3.4.

This configuration is established issuing the commands:

$ sudo ufw allow 80
$ sudo ufw allow 443
$ sudo ufw allow from 1.2.3.4 to any port 22       <- IMPORTANT, read warning below
$ sudo ufw default deny incoming
$ sudo ufw enable

WARNING: You must double check that the IP address that will be granted access to the server is the IP address of the computer you are using to connect to the server with ssh. Otherwise, the ssh session will be dropped as soon as the firewall is enabled.
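As an added example (not part of the original post), the following script applies the same five ufw commands but first checks that the administrator address it is about to whitelist is the client address of the SSH session it is running in, which is exactly the lockout the warning above describes. It reads the SSH_CONNECTION variable that sshd sets for the session; the ADMIN_IP and DRY_RUN variable names are this script's own conventions, and with DRY_RUN=1 (the default) it only prints the commands instead of running them with sudo.

```shell
#!/bin/sh
# Added example, not from the original post: apply the post's ufw rule set,
# but refuse to enable the firewall unless the administrator address matches
# the client address of the current SSH session (the lockout the post warns
# about). DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 runs them.

# Client address from an SSH_CONNECTION value; sshd sets it to
# "client_ip client_port server_ip server_port" in the session environment.
ssh_client_ip() {
    printf '%s\n' "${1%% *}"
}

# Plain dotted-quad check: four groups of 1-3 digits, each at most 255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1 }'
}

# Succeeds only when the address is well-formed and equals the SSH client
# address, i.e. the rule will keep this very session reachable.
admin_ip_ok() {
    admin="$1"; conn="$2"
    valid_ipv4 "$admin" || return 1
    [ -n "$conn" ] || return 1
    [ "$(ssh_client_ip "$conn")" = "$admin" ]
}

# The commands from the post, in the same order, with the address filled in.
ufw_commands() {
    cat <<EOF
ufw allow 80
ufw allow 443
ufw allow from $1 to any port 22
ufw default deny incoming
ufw enable
EOF
}

# Print (or, with DRY_RUN=0, run with sudo) the commands; stop on any failure.
apply_firewall() {
    admin="$1"
    if ! admin_ip_ok "$admin" "${SSH_CONNECTION:-}"; then
        echo "refusing to enable ufw: '$admin' is not the client address of this SSH session (SSH_CONNECTION='${SSH_CONNECTION:-}')" >&2
        return 1
    fi
    ufw_commands "$admin" | while read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "+ $cmd"
        else
            sudo $cmd || return 1
        fi
    done
}

# Usage, from the SSH session itself:  ADMIN_IP=1.2.3.4 DRY_RUN=0 sh apply-ufw.sh
if [ -n "${ADMIN_IP:-}" ]; then
    apply_firewall "$ADMIN_IP"
fi
```

Run it once with the default dry run to see the exact command list, then with DRY_RUN=0 from the same SSH session. If you are connecting through NAT or a VPN, SSH_CONNECTION shows the address the server actually sees, which is the one the rule must contain.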

Finally, use “ufw status” to review the configuration:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22                         ALLOW       1.2.3.4
80                         ALLOW       Anywhere (v6)
443                        ALLOW       Anywhere (v6)

Dynamic iptables configuration to react to break-in attempts

Instead of just passively protecting the server by restricting SSH access to a limited number of IP addresses, it is possible to use a program such as fail2ban. fail2ban monitors the ssh log file to detect attacks, such as repeated connection attempts with non-existent users. When an attack of this type is detected, fail2ban dynamically adds a firewall rule to temporarily ban access to the system from the attacking IP. fail2ban can work in combination with iptables or TCP wrappers.

fail2ban installation

On a Debian or Ubuntu system, fail2ban can be easily installed with a call to apt-get:

$ sudo apt-get install fail2ban
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  gamin libgamin0 python-gamin
    ...

The installation of fail2ban creates a set of configuration files:

  • /etc/fail2ban/fail2ban.conf – basic configuration
  • /etc/fail2ban/jail.conf – configuration for the monitoring of several services. The default configuration only activates ssh monitoring with iptables.
  • directory /etc/fail2ban/action.d/ – configuration of actions to carry out to reject access from a suspect IP

The section that configures ssh monitoring can be located inside the file /etc/fail2ban/jail.conf:

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

In this configuration:

  • ssh monitoring is enabled
  • The log file being monitored is /var/log/auth.log.
  • If more than 6 consecutive failed login attempts are made from the same IP address, the configured action is executed to protect the server.

In the [ssh] section there is no specific action (banaction) configured. In this case, the default action configured in the preceding [DEFAULT] section is executed.

banaction = iptables-multiport
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_)s

This action is identified as “iptables-multiport”. The commands that will be executed can be found in the configuration file with the same name: /etc/fail2ban/action.d/iptables-multiport.conf:

    ...
actionstart = ...

actionstop = ...

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

    ...

The command that will be executed to ban access from the offending IP is the iptables command with option -I (to insert a firewall rule; here at position 1, the top of the fail2ban-<name> chain, so it is evaluated before any other rule in that chain).

In the same way, to lift the ban after a configured time has elapsed, the same command is executed with option -D (to delete a firewall rule). The ban time can be configured with the directive “bantime”. The default value can also be established in the [DEFAULT] section of the jail.conf file:

bantime  = 600

Here, the ban time has been configured as 600 seconds (10 minutes).
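To make the jail configuration above concrete, here is an added example (not fail2ban's own code) that replays the ssh jail logic over a handful of constructed auth.log lines: it counts failed logins per source address, reports the addresses that reached maxretry, and prints the exact actionban / actionunban commands from iptables-multiport.conf that fail2ban would run for them. Nothing touches iptables. The sample lines use RFC 5737 documentation addresses, and the script only matches the "Failed password ... from" form; fail2ban's real sshd filter recognises several more sshd log formats.

```shell
#!/bin/sh
# Added example, not part of the original post or of fail2ban: replay the
# ssh jail over constructed auth.log lines and print the iptables commands
# the iptables-multiport action would run. Nothing is executed against iptables.

MAXRETRY=6      # matches "maxretry = 6" in the [ssh] section of jail.conf
BANTIME=600     # matches "bantime = 600" in the [DEFAULT] section
JAIL=ssh        # <name> in the action: the chain fail2ban uses is fail2ban-ssh

# Constructed sample log lines (RFC 5737 addresses): six failures from
# 203.0.113.7, one failure followed by a success from 198.51.100.9.
SAMPLE_LOG='Feb 19 19:01:02 srv sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb 19 19:01:04 srv sshd[2002]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Feb 19 19:01:05 srv sshd[2003]: Failed password for root from 203.0.113.7 port 51241 ssh2
Feb 19 19:01:06 srv sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Feb 19 19:01:07 srv sshd[2005]: Failed password for invalid user guest from 203.0.113.7 port 51250 ssh2
Feb 19 19:01:08 srv sshd[2006]: Failed password for invalid user pi from 203.0.113.7 port 51252 ssh2
Feb 19 19:02:00 srv sshd[2010]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Feb 19 19:02:30 srv sshd[2011]: Accepted password for alice from 198.51.100.9 port 40001 ssh2'

# Count failed logins per source address; prints "<count> <ip>" sorted by ip.
# Only the "Failed password ... from <ip>" form is matched here (simplified).
count_failures() {
    printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Failed password for .* from / {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -k2
}

# Addresses whose failure count reached maxretry: the ones fail2ban bans.
banned_ips() {
    count_failures "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# actionban from iptables-multiport.conf, with <name> and <ip> filled in.
ban_commands() {
    banned_ips "$1" "$2" | while read -r ip; do
        printf 'iptables -I fail2ban-%s 1 -s %s -j DROP\n' "$JAIL" "$ip"
    done
}

# actionunban, which fail2ban runs once bantime seconds have elapsed.
unban_commands() {
    banned_ips "$1" "$2" | while read -r ip; do
        printf 'iptables -D fail2ban-%s -s %s -j DROP\n' "$JAIL" "$ip"
    done
}

# Usage: sh replay-jail.sh [path/to/auth.log]; with no argument the sample is used.
if [ -n "${1:-}" ]; then
    LOG=$(cat "$1")
else
    LOG=$SAMPLE_LOG
fi
echo "failures per address:"; count_failures "$LOG"
echo "ban (immediately):";     ban_commands "$LOG" "$MAXRETRY"
echo "unban (after ${BANTIME}s):"; unban_commands "$LOG" "$MAXRETRY"
```

Pointing the script at a real /var/log/auth.log is a quick way to check, before enabling fail2ban, which addresses would be banned by the default thresholds, and to confirm that the administrator address from the ufw rule is not among them.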

 Posted by at 7:28 pm
