Feb 19, 2015
 
Article Server Administration

Any server connected to the internet is exposed to attacks from hackers. They will attempt to break into the server, trying every possible vulnerability, to take control of it and use it for their own purposes. To protect the server as much as possible, it is common to use some kind of firewall. On Linux systems, the iptables package is one of the most used options to provide this functionality.

This post goes through a sample installation and configuration of iptables on a Debian system, together with other packages such as fail2ban, which automate the detection of and reaction against break-in attempts.

iptables installation

iptables is the default firewall package on Debian systems since the release of Debian Lenny. This package provides the packet filtering and network address translation (NAT) functionality.

Most Debian systems already come with iptables installed, and a default iptables configuration that allows any incoming or outgoing traffic, and thus there is no need to install the package. Nevertheless, apt-get can be used to upgrade the package, in case there is a version more recent than what is installed in the system:

Option -L of the iptables command can be used to list the configured firewall rules:

As can be seen, the default configuration permits any incoming (INPUT) or outgoing (OUTPUT) traffic, as well as any traffic where the system acts as a router (FORWARD).

Configuring iptables with ufw

iptables firewall rules can be added using the iptables command directly from the command line. They can also be specified in a configuration file that is later read by the iptables service. But the syntax of the rules is complex. It is advisable to use a helper program such as ufw (uncomplicated firewall), or its graphical frontend: gufw.

First, the ufw package is installed with apt-get:

Next, we will set up a sample configuration to reject all accesses to the system, other than:

  • Accesses to port 80 (HTTP) or 443 (HTTPS), from any IP address
  • Accesses to port 22 (SSH) from the IP address of the computer used to connect remotely to the server. In this example, this is address 1.2.3.4.

This configuration is established by issuing the commands:

WARNING: You must double check that the IP address that will be granted access to the server is the IP address of the computer you are using to connect to the server with ssh. Otherwise, the ssh session will be dropped as soon as the firewall is enabled.

Finally, use “ufw status” to review the configuration:

Dynamic iptables configuration to react to break-in attempts

Instead of just passively protecting the server by restricting SSH access to a limited number of IP addresses, it is possible to use a program such as fail2ban. fail2ban monitors the ssh log file to detect attacks, such as repeated connection attempts with non-existent users. When an attack of this type is detected, fail2ban dynamically adds a firewall rule to temporarily ban access to the system from the attacking IP. fail2ban can work in combination with iptables or TCP wrappers.

fail2ban installation

On a Debian or Ubuntu system, fail2ban can be easily installed with a call to apt-get:

The installation of fail2ban creates a set of configuration files:

  • /etc/fail2ban/fail2ban.conf – basic configuration
  • /etc/fail2ban/jail.conf – configuration for the monitoring of several services. The default configuration only activates ssh monitoring with iptables
  • directory /etc/fail2ban/action.d/ – configuration of actions to carry out to reject access from a suspect IP

The section that configures ssh monitoring can be located inside the file /etc/fail2ban/jail.conf:

In this configuration:

  • ssh monitoring is enabled
  • The log file being monitored is /var/log/auth.log.
  • If there are more than 6 consecutive failed login attempts from the same IP address, the configured action is executed to protect the server.

In the [ssh] section there is no specific action (banaction) configured. In this case, the default action configured in the preceding [DEFAULT] section is executed.

This action is identified as “iptables-multiport”. The commands that will be executed can be found in the configuration file with the same name: /etc/fail2ban/action.d/iptables-multiport.conf:

The command that will be executed to ban access from the offending IP is the iptables command with option -I (to add a firewall rule).

In the same way, to lift the ban after a configured time has elapsed, the same command is executed with option -D (to delete a firewall rule). The ban time can be configured with the directive “bantime”. The default value can also be established in the [DEFAULT] section of the jail.conf file:

Here, the ban time has been configured as 600 seconds (10 minutes).
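As an added example (not code from the original post, nor from fail2ban itself), the detection logic of the [ssh] jail described above, run in Python over constructed auth.log lines: it applies maxretry 6, findtime 600 and bantime 600, and produces the iptables -I and -D commands that the iptables-multiport action executes. The chain name fail2ban-ssh, the DROP jump target and the year 2015 used to order the timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Values from the [DEFAULT]/[ssh] sections of jail.conf discussed above.
MAXRETRY, FINDTIME, BANTIME = 6, 600, 600   # failures / window (s) / ban length (s)
JAIL, BLOCKTYPE = "ssh", "DROP"             # chain name suffix; jump target is an assumption
# sshd "Failed password" lines as written to /var/log/auth.log (syslog format, no year)
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def _epoch(ts, year=2015):
    # syslog timestamps carry no year; assume one so the lines can be ordered in time
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()

def ban_command(ip):
    # what iptables-multiport's actionban runs: -I inserts the blocking rule
    return f"iptables -I fail2ban-{JAIL} 1 -s {ip} -j {BLOCKTYPE}"

def unban_command(ip):
    # what actionunban runs once bantime has elapsed: -D deletes the rule again
    return f"iptables -D fail2ban-{JAIL} -s {ip} -j {BLOCKTYPE}"

def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Map each IP with more than maxretry failures inside findtime to (ban_at, unban_at)."""
    recent, bans = defaultdict(deque), {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in bans:      # not a failure, or IP already banned
            continue
        ip, now = m.group("ip"), _epoch(m.group("ts"))
        q = recent[ip]
        q.append(now)
        while now - q[0] > findtime:            # slide the window: forget old failures
            q.popleft()
        if len(q) > maxretry:
            bans[ip] = (now, now + bantime)
    return bans

def _line(ts, ip):   # one constructed auth.log failure line (not a real log)
    return f"{ts} srv sshd[1234]: Failed password for invalid user admin from {ip} port 51000 ssh2"
# Constructed sample: 7 failures in 7 minutes from one host, 2 from another, one success,
# then 7 failures spread over 20 minutes that never exceed maxretry inside findtime.
SAMPLE_LOG = (
    [_line(f"Feb 19 10:0{i}:00", "203.0.113.7") for i in range(7)]
    + [_line("Feb 19 10:03:30", "198.51.100.9"), _line("Feb 19 10:04:30", "198.51.100.9"),
       "Feb 19 10:05:00 srv sshd[1235]: Accepted password for bob from 198.51.100.9 port 51001 ssh2",
       _line("Feb 19 10:07:00", "203.0.113.7")]          # arrives after the ban: ignored
    + [_line(f"Feb 19 10:{10 + 3 * i}:00", "192.0.2.44") for i in range(7)]
)
```

Calling scan(SAMPLE_LOG) bans only 203.0.113.7 (at its seventh failure, 10:06:00, lifted at 10:16:00); the slow host is never banned because its failures never exceed maxretry inside a single findtime window.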

 Posted by at 7:28 pm
