Any server connected to the internet is exposed to attacks from hackers. They will attempt to break into the server by trying every possible vulnerability, in order to take control of it and use it for their own purposes. To protect the server as much as possible, it is common to use some kind of firewall. On Linux systems, the iptables package is one of the most widely used options to provide this functionality.
This post goes through a sample installation and configuration of iptables on a Debian system, together with other packages, such as fail2ban, that automate the detection of and reaction against break-in attempts.
iptables has been the default firewall package on Debian systems since the release of Debian Lenny. This package provides the packet filtering and network address translation (NAT) functionality.
Most Debian systems already come with iptables installed, and a default iptables configuration that allows any incoming or outgoing traffic, and thus there is no need to install the package. Nevertheless, apt-get can be used to upgrade the package, in case there is a version more recent than what is installed in the system:
    $ sudo apt-get install iptables
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    iptables is already the newest version.
    $
Option -L of the iptables command can be used to list the configured firewall rules:
    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
As can be seen, the default configuration permits any incoming (INPUT) or outgoing (OUTPUT) traffic, as well as any traffic where the system acts as a router (FORWARD).
Configuring iptables with ufw
iptables firewall rules can be added using the iptables command directly from the command line. They can also be specified in a configuration file that is later read by the iptables service. But the syntax of the rules is complex. It is advisable to use a helper program such as ufw (uncomplicated firewall), or its graphical frontend: gufw.
First, the ufw package is installed with apt-get:
    $ sudo apt-get update
    $ sudo apt-get install ufw
    ...
    Setting up ufw (0.31.1-2) ...
    Creating config file /etc/ufw/before.rules with new version
    Creating config file /etc/ufw/before6.rules with new version
    Creating config file /etc/ufw/after.rules with new version
    Creating config file /etc/ufw/after6.rules with new version
Next, we will set up a sample configuration to reject all accesses to the system, other than:
- Accesses to port 80 (HTTP) or 443 (HTTPS), from any IP address
- Accesses to port 22 (SSH) from the IP address of the computer used to connect remotely to the server. In this example, this is address 220.127.116.11.
This configuration is established by issuing the commands:
    $ sudo ufw allow 80
    $ sudo ufw allow 443
    $ sudo ufw allow from 18.104.22.168 to any port 22    # IMPORTANT, read warning below
    $ sudo ufw default deny incoming
    $ sudo ufw enable
WARNING: You must double check that the IP address that will be granted access to the server is the IP address of the computer you are using to connect to the server with ssh. Otherwise, the ssh session will be dropped as soon as the firewall is enabled.
Finally, use “ufw status” to review the configuration:
    $ sudo ufw status
    Status: active

    To                         Action      From
    --                         ------      ----
    80                         ALLOW       Anywhere
    443                        ALLOW       Anywhere
    22                         ALLOW       22.214.171.124
    80                         ALLOW       Anywhere (v6)
    443                        ALLOW       Anywhere (v6)
Dynamic iptables configuration to react to break-in attempts
Instead of just passively protecting the server by restricting SSH access to a limited number of allowed IP addresses, it is possible to use a program such as fail2ban. fail2ban monitors the ssh log file to detect attacks, such as repeated connection attempts with non-existent users. When an attack of this type is detected, fail2ban dynamically adds a firewall rule to temporarily ban access to the system from the attacking IP. fail2ban can work in combination with iptables or TCP wrappers.
On a Debian or Ubuntu system, fail2ban can be easily installed with a call to apt-get:
    $ sudo apt-get install fail2ban
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following extra packages will be installed:
      gamin libgamin0 python-gamin
    ...
The installation of fail2ban creates a set of configuration files:
- /etc/fail2ban/fail2ban.conf – basic configuration
- /etc/fail2ban/jail.conf – configuration for the monitoring of several services. The default configuration only activates ssh monitoring with iptables
- directory /etc/fail2ban/action.d/ – configuration of actions to carry out to reject access from a suspect IP
The section that configures ssh monitoring can be located inside the file /etc/fail2ban/jail.conf:
    [ssh]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 6
In this configuration:
- ssh monitoring is enabled
- The log file being monitored is /var/log/auth.log.
- If there are more than 6 consecutive failed login attempts from the same IP address, the configured action is executed to protect the server.
In the [ssh] section there is no specific action (banaction) configured. In this case, the default action configured in the preceding [DEFAULT] section is executed.
    banaction = iptables-multiport
    action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
    action = %(action_)s
This action is identified as “iptables-multiport”. The commands that will be executed can be found in the configuration file with the same name: /etc/fail2ban/action.d/iptables-multiport.conf:
    ...
    actionstart = ...
    actionstop = ...
    actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
    ...
The command that will be executed to ban access from the offending IP is the iptables command with option -I (to insert a firewall rule, here at position 1 of the fail2ban-<name> chain).
In the same way, to lift the ban after a configured time has elapsed, the same command is executed with option -D (to delete a firewall rule). The ban time can be configured with the directive “bantime”. The default value can also be established in the [DEFAULT] section of the jail.conf file:
bantime = 600
Here, the ban time has been configured as 600 seconds (10 minutes).
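The ban and unban cycle described above can be replayed offline. The following is an added example, not fail2ban's own code or code from the original post: it reads constructed auth.log lines, counts failed ssh logins per IP, and returns the iptables commands built from the actionban and actionunban templates quoted above. Assumptions: the regular expressions are a simplified stand-in for the sshd filter, a ban is triggered when the count reaches maxretry inside an assumed counting window (FINDTIME), and the year and all log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# maxretry and bantime as quoted from jail.conf above; FINDTIME is an assumed window.
MAXRETRY, BANTIME, FINDTIME = 6, 600, 600
# Command templates as quoted from action.d/iptables-multiport.conf above.
ACTIONBAN = "iptables -I fail2ban-{name} 1 -s {ip} -j DROP"
ACTIONUNBAN = "iptables -D fail2ban-{name} -s {ip} -j DROP"
# Simplified stand-in for the sshd filter, not fail2ban's own regex.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED = re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) ")

def replay(lines, name="ssh", year=2024):
    """Replay auth.log lines; return the iptables commands issued, in order."""
    failures = defaultdict(deque)   # ip -> failure times inside the window
    banned, commands = {}, []       # banned: ip -> time at which the ban is lifted
    for line in lines:
        entry = LINE.match(line)
        if not entry:
            continue
        # syslog timestamps carry no year, so one is assumed for the replay
        now = datetime.strptime(f"{year} {entry['ts']}", "%Y %b %d %H:%M:%S")
        for ip in [ip for ip, until in banned.items() if until <= now]:
            del banned[ip]          # bantime elapsed: lift the ban
            commands.append(ACTIONUNBAN.format(name=name, ip=ip))
        hit = FAILED.match(entry["msg"])
        if not hit or hit["ip"] in banned:
            continue
        times = failures[hit["ip"]]
        times.append(now)
        while now - times[0] > timedelta(seconds=FINDTIME):
            times.popleft()         # forget failures older than the window
        if len(times) >= MAXRETRY:  # assumed threshold: ban on reaching maxretry
            banned[hit["ip"]] = now + timedelta(seconds=BANTIME)
            times.clear()
            commands.append(ACTIONBAN.format(name=name, ip=hit["ip"]))
    return commands

# Constructed sample: six failures from one IP, two from another, then a later login.
SAMPLE = (
    [f"Jan 10 10:00:0{i} web sshd[100{i}]: Failed password for invalid user "
     f"admin from 203.0.113.5 port 4000{i} ssh2" for i in range(6)]
    + [f"Jan 10 10:00:1{i} web sshd[200{i}]: Failed password for root "
       f"from 198.51.100.7 port 5000{i} ssh2" for i in range(2)]
    + ["Jan 10 10:15:00 web sshd[3000]: Accepted publickey for deploy "
       "from 192.0.2.10 port 60000 ssh2"]
)

if __name__ == "__main__":
    print("\n".join(replay(SAMPLE)))
```

Running it prints the ban command for 203.0.113.5 followed by the matching unban command once the 600 seconds have elapsed; 198.51.100.7 stays below the threshold and produces no rule.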