Hi
I am running mail and web on my server, and I would like to put a simple firewall on that server to have some protection.
Here is my starting configuration of iptables:
cat /etc/iptables/iptables.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
As you can see, I am opening the IMAP, SMTP, web and SSH ports.
My idea is to protect the server from strangers who are scanning ports, trying to open all possible web pages and logging in over some web app.
I would like to do something like this:
DROP the connection if there are too many attempts to open one; let's say, if there are more than 5 per 1 second, then DROP.
Is it possible to do it in a simple way using iptables? And how?
Thank you very much.
Last edited by jancici (2012-03-21 21:34:51)
You can add something like this to your iptables configuration:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT
iptables -A INPUT -m recent --update --seconds 600 --hitcount 5 --rttl --name SSH --rsource -j DROP
After 5 unsuccessful login attempts, the IP address will be blocked for 600 seconds. This is for SSH; I suppose it can be applied to other ports too.
Cthulhu Fhtagn!
Or look into fail2ban, which can do exactly the same. Another thing is to change the ssh port to something more obscure.
Or simply use key-based authentication for your SSH sessions and never care again about how many times people try to brute-force the login.
Burninate!
Well, SSH is not the problem, I already changed to key-based auth ...
Sometimes I can see in the HTTP log that strangers are trying a lot of pages which do not exist ...
It happened just a few moments ago, I know it is not me :-)
Mar 21 15:17:10 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:10 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:15 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:15 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:16 localhost dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:16 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
So this is the situation, or the reason why I want to protect my server.
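A defender-side check for the dovecot log above, as an added example that is not from the thread or from any poster: it parses the imap-login lines, flags sources that exceed the OP's "more than 5 per 1 second" threshold, emits per-source DROP commands for the mail ports, and generalises the `recent` module rule pair from the SSH reply to any TCP port in the OP's rules-file syntax. The sample log lines, the 192.0.2.x and 198.51.100.x addresses, and all function names are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Matches the dovecot imap-login lines quoted above (syslog timestamp, no year).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: Disconnected "
    r"\((?P<reason>[^)]*)\): user=<[^>]*>, rip=(?P<rip>[\d.]+), lip=[\d.]+")
# Constructed sample in the thread's log format; the addresses are RFC 5737
# documentation ranges, not the ones that appear in the thread.
_LINE = ("Mar 21 15:17:{sec:02d} localhost dovecot: imap-login: Disconnected "
         "(tried to use disabled plaintext auth): user=<>, rip={rip}, lip=192.0.2.1")
SAMPLE_LOG = ([_LINE.format(sec=10, rip="192.0.2.10")] * 2     # 2 hits in second :10
              + [_LINE.format(sec=11, rip="192.0.2.10")] * 7   # 7 hits in second :11
              + [_LINE.format(sec=11, rip="198.51.100.7")] * 3)  # quiet client

def parse_line(line, year=2012):
    """Return (timestamp, remote_ip, reason), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            m["rip"], m["reason"])

def offenders(lines, limit=5, window=1):
    """{rip: peak_count} for sources with more than `limit` hits in any `window` seconds."""
    seen, peak = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, rip, _ = parsed
        q = seen[rip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:  # forget stamps outside the window
            q.popleft()
        if len(q) > limit:
            peak[rip] = max(peak.get(rip, 0), len(q))
    return peak

def block_rules(peaks, ports="143,993"):
    """One runtime iptables command per offender, limited to the mail ports."""
    return [f"iptables -I INPUT -s {rip} -p tcp -m multiport --dports {ports} -j DROP"
            for rip in sorted(peaks)]

def recent_rules(port, name, seconds=600, hitcount=5):
    """The reply's 'recent' pair for any TCP port, in the OP's rules-file syntax; DROP check first."""
    return [f"-A INPUT -p tcp --dport {port} -m state --state NEW -m recent --update "
            f"--seconds {seconds} --hitcount {hitcount} --rttl --name {name} --rsource -j DROP",
            f"-A INPUT -p tcp --dport {port} -m state --state NEW -m recent --set "
            f"--name {name} --rsource -j ACCEPT"]
```

The `recent` pair does the counting in the kernel with no log parsing; the log-based check is the fail2ban-style alternative mentioned in the thread, useful when the threshold depends on what the application logged rather than on connection counts alone.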
I've been using this script for years now and it's IMO the best I've ever seen. Enter the TCP/UDP ports you would like to open in SERVICES_UDP="" and SERVICES_TCP="80 443 22"
Great, thank you very much.
Meanwhile I did find this: http://codingfreak.blogspot.com/2010/01 … oming.html
So your post saved time ...