Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




1332 posts

Uber Geek
+1 received by user: 152
Inactive user


Topic # 84206 26-May-2011 20:18 Send private message

Hey all,

I am messing about with iptables on a VPS and have some questions.

I have drawn myself a little mind map of what I want flowing in and out of the server and was hoping you'd all take a look and make sure I am not missing anything spectacular.

I haven't written any rules yet but here is what I want:

IPv6: Drop all in and outbound.

Allow all established and related connections.

Inbound:
SSH - Allow (custom port)
IRC - Allow (custom port)
HTTP - Allow (80)

Block everything else (drop silently)

Outbound:
DNS - Allow (53)
IRC - Allow (6697, 7000)
HTTP - Allow (80)

Block everything else (drop silently)

Have I forgotten anything that is essential to the server operating? As you can see this VPS will not be doing a lot (IRC bouncer, webserver) but I'd like to make sure it is as secure as I can.

Does anyone have a good tutorial they could link me to as well. I am getting there in terms of understanding but like to have things spelled out the first time I do 'em.

Create new topic
1339 posts

Uber Geek
+1 received by user: 177

Trusted

  Reply # 474543 26-May-2011 20:20 Send private message

For your inbound rules don't forget to allow "established" sessions in. Otherwise the reply to your output IRC/HTTP etc request will be dropped.

Also, if it's a simple VPS, why are you bothering with IPTABLES rules at all?  Just for the sake of it?
Dropping packets to ports that aren't listening for connections anyway doesn't get you anything at all for a single box.  If you were a firewall in front of a /24 network I'd say it was worthwhile.

If you want to make it more secure I'd be building your own linux kernel with loadable modules disabled (hard to modprobe in a backdoor then).  I'd actually be patching it with the grsecurity.net kernel patch, but that might be a too complex if you've not built your own kernels before.

Also look at mod_security for your (I assume) apache server.  With the core-rules for it, it can block a lot of SQL and other nasty exploits in the wild.






Checkout the EPIC5 script I work on, LiCe. Makes console based IRC fun and easy to use, just like the old days!
Android user? Checkout MightyText - text messaging from your browser.



1332 posts

Uber Geek
+1 received by user: 152
Inactive user


  Reply # 474575 26-May-2011 21:38 Send private message

Thanks for the reply. I have the established connections under the IPv6 blocking. Probably not in the right order but I was just mind farting out a basic plan.

I am still learning about Linux so am just playing with iptables for the sake of it. I realise that it won't do much but wanna do it anyway :)

I can't think of any services I might have missed out allowing through so I'll take a crack after finishing reading some more documentation.

Building kernels will probably be my next project but I'm not sure how much flexibility I have with a VPS. I'll probably do it at home first.

The website is, at the moment, just hosting static content so I was looking at nginx or perhaps lighttpd as slightly lighter options to apache.

2329 posts

Uber Geek
+1 received by user: 79


  Reply # 474578 26-May-2011 21:47 Send private message

Why are you blocking IPv6?

103 posts

Master Geek
+1 received by user: 8


  Reply # 474599 26-May-2011 22:20 Send private message

Personally I find the tutorial in linuxhomenetworking.com quite comprenhensive and practical, for example

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables


Building kernels will probably be my next project but I'm not sure how much flexibility I have with a VPS. I'll probably do it at home first.


Probably you won't be able. Most VPS (specially the cheaper ones) are based in Virtuozzo/OpenVZ, where the guests (nodes or VPS) use the same kernel that the physical host.



1332 posts

Uber Geek
+1 received by user: 152
Inactive user


  Reply # 474667 27-May-2011 08:54 Send private message

kyhwana2: Why are you blocking IPv6?


I don't use it. Playing with IPv6 is a few projects away. One thing at a time ;-) 



1332 posts

Uber Geek
+1 received by user: 152
Inactive user


  Reply # 474669 27-May-2011 08:56 Send private message

Cheers for the LHN link. I think I have it bookmarked for reading :)

104 posts

Master Geek


  Reply # 474841 27-May-2011 15:12 Send private message

Also this is a great, easy to follow iptables tutorial

Cheers

https://help.ubuntu.com/community/IptablesHowTo 



1332 posts

Uber Geek
+1 received by user: 152
Inactive user


  Reply # 475170 28-May-2011 16:42 Send private message

Nice find, was just thinking that the Ubuntu forums/documentation would have something simple to start on.

Would I be correct in thinking configuring iptables for each server is a good idea from a layered security perspective?

A border firewall is a good first line but if something was able to infect or access your machine, configuring iptables to drop traffic on all outbound ports except the ones you will be using and monitoring could be a good idea.

27 posts

Geek


  Reply # 475668 30-May-2011 09:29 Send private message

Configuring iptables on each machine (as long as it is done correctly) isn't a bad idea. It might be overkill depending on what exactly the machine is doing, but there is no harm in it.

I've got it set up on my VPS and my home server (actually this one is openbsd running pf, but the principle is the same), but not my desktop or laptop. If I was going to set it up on my other machines, I wouldn't bother filtering outbound connections.

One thing I would probably add to your list is rate limiting/blacklisting on the ssh and possibly irc ports. Running on non-standard ports is a start but identifying those services based on their output isn't particularly difficult and then the brute forcing attempts will start. On my machines more than 3 connections in 1 minute or more than 6 connections in 5 minutes to ssh will get your address put in a blacklist for 24 hours.

If you have multiple users on your machine you may also want to limit who can logon through ssh (although that isn't really related to iptables).



1332 posts

Uber Geek
+1 received by user: 152
Inactive user


  Reply # 475685 30-May-2011 10:24 Send private message

Cheers for the input, I've already got fail2ban & exclusive public/private key validation. Combined with a non-standard port and I am all set SSH-wise.

I am glad to know I am not the only crazy setting up iptables on a regular VPS :P

Were you able to enable connection tracking on your VPS? I think I might have a crippled one as adding:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

gave me an error, but:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

worked fine.

27 posts

Geek


  Reply # 475700 30-May-2011 11:29 Send private message

It might be slightly unnecessary on some servers, but really for the amount of effort involved in setting it up it is cheap insurance in my mind.

I think my current VPS Just Worked but with one or two of the other providers I have used I had to log a support call asking for certain modules to be loaded.

Create new topic




Twitter »
Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





Trending now »

Hot discussions in our forums right now:

22nd Only: PB Tech BROTHER HL1110 Mono laser Printer $15 shipped(after $30 cashback)
Created by loceff13, last reply by tardtasticx on 22-Oct-2014 23:41 (21 replies)
Pages... 2


Who Audits IRD?
Created by gundar, last reply by charsleysa on 22-Oct-2014 15:52 (18 replies)
Pages... 2


HERE Maps beta available to all Android 4.4 devices and up
Created by freitasm, last reply by farcus on 22-Oct-2014 22:36 (17 replies)
Pages... 2


Spark Socialiser
Created by freitasm, last reply by freitasm on 22-Oct-2014 18:39 (34 replies)
Pages... 2 3


American legal jurisdiction in New Zealand
Created by ajobbins, last reply by gzt on 21-Oct-2014 14:58 (30 replies)
Pages... 2


Another Trade Me competitor: SellShed
Created by freitasm, last reply by SellShed on 22-Oct-2014 11:54 (42 replies)
Pages... 2 3


Snap have failed our company!
Created by dafman, last reply by nunz on 22-Oct-2014 22:45 (26 replies)
Pages... 2


Abnormal upstream data usage - Vodafone Cable Wellington
Created by otherside, last reply by Aredwood on 22-Oct-2014 22:13 (13 replies)


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.