Wednesday, May 26, 2010

Easy Linux Firewalls

It's important to make sure your server is properly protected by a firewall, but configuring IPtables rulesets by hand can be confusing and it's easy to make mistakes.

One easy solution is to use APF (Advanced Policy Firewall), along with its companion application BFD (Brute Force Detection). APF allows you to manage IPtables using some simple configuration files, while BFD checks the server logs for failed login attempts, blocking the source IPs once a pre-determined limit is reached (25 failed logon attempts is the default).

To install them, download the latest stable versions:

wget http://www.rfxn.com/downloads/apf-current.tar.gz
wget http://www.r-fx.ca/downloads/bfd-current.tar.gz

Unpack the files using 'tar -xzf' and then run the install.sh script for each.

APF:

You won't be able to see APF running as a process (when running ps or top), so to check the status use this command:

/usr/local/sbin/apf -st (or --status)

If APF hasn't started automatically, start it by running:

/etc/init.d/apf start

To start adding rules, open the main config file:

vim /etc/apf/conf.apf

To allow specific TCP and UDP ports, you'll need to add them to one of four sections within the config file:

Common inbound (ingress) TCP ports
Common inbound (ingress) UDP ports
Common outbound (egress) TCP ports
Common outbound (egress) UDP ports

Add any ports you want to allow, using an underscore to separate ranges, e.g.:

# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="21,25,80,110,143,222,443,587,43,2077_2087,"

This will allow inbound access to the TCP ports 21,25,80,110,143,222,443,587,43 and the range 2077 to 2087.

You can also enable third-party block lists, such as DROP and DShield, by editing the Remote Rule Imports section. Each list entry starts with a DLIST_[ListName] option set to '0'; change this to '1' to enable it.

Host-based rules can exist in one of two states, allow or deny, each of which has its own config file:

/etc/apf/allow_hosts.rules

/etc/apf/deny_hosts.rules

To grant an IP address unrestricted access, just add it to the allow_hosts.rules file and then restart apf.

To grant the IP address access only to specific ports, add a rule using this syntax:

protocol:flow:[s/d]=port:[s/d]=ip(/mask)

Note: s = source, d = destination, flow = packet flow in/out

For example, assume you've blocked access to port 110 (by NOT listing it in conf.apf) and want to allow POP downloads only from the specific IP address 10.0.0.1. You would add rules like this:

tcp:in:d=110:s=10.0.0.1
tcp:out:d=110:s=10.0.0.1

This would allow inbound and outbound access to port 110 from 10.0.0.1. IP ranges can be allowed by adding a netmask in CIDR notation after the IP address, e.g. 10.0.0.1/16.

To block IP addresses, add them to the deny_hosts.rules file and restart apf.

You can also block access to specific ports, using the same syntax described above to allow ports. The example given, if added to deny_hosts.rules, would block access to port 110 from the IP address 10.0.0.1, instead of granting access.
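As an added example (not APF's own code), here is a small Python script that parses the two APF syntaxes described above, the underscore port ranges in conf.apf and the protocol:flow:[s/d]=port:[s/d]=ip(/mask) host rules, and renders an approximate iptables equivalent so a rule can be sanity-checked before you restart apf. The chain and match layout it prints is an assumption for illustration only; the chains APF actually generates differ.

```python
import ipaddress
import re


def expand_ports(spec):
    """Expand an APF *_CPORTS value such as "21,25,2077_2087," into a sorted
    list of ports. An underscore separates a range; empty items (e.g. from a
    trailing comma) are ignored; out-of-range ports raise ValueError."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("_")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port item {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


# proto:flow:[s/d]=port:[s/d]=ip(/mask)
RULE_RE = re.compile(r"^(tcp|udp):(in|out):([sd])=(\d+):([sd])=([^/]+)(?:/(\d+))?$")


def parse_host_rule(line):
    """Parse one allow_hosts.rules / deny_hosts.rules entry. A bare IP or CIDR
    means all traffic from that host; comments and blank lines return None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = RULE_RE.match(line)
    if m is None:
        net = ipaddress.ip_network(line, strict=False)  # raises on garbage
        return {"proto": None, "flow": None, "port": None, "net": str(net)}
    proto, flow, pside, port, iside, ip, mask = m.groups()
    net = ipaddress.ip_network(f"{ip}/{mask or 32}", strict=False)
    return {"proto": proto, "flow": flow, "port": int(port),
            "port_side": pside, "ip_side": iside, "net": str(net)}


def to_iptables(rule, action):
    """Render an illustrative iptables command (assumed layout, not APF's chains).
    action is ACCEPT for allow_hosts.rules entries and DROP for deny_hosts.rules."""
    chain = "OUTPUT" if rule["flow"] == "out" else "INPUT"
    parts = ["iptables", "-A", chain]
    if rule["proto"]:
        parts += ["-p", rule["proto"],
                  "--dport" if rule["port_side"] == "d" else "--sport", str(rule["port"]),
                  "-s" if rule["ip_side"] == "s" else "-d", rule["net"]]
    else:
        parts += ["-s", rule["net"]]
    return " ".join(parts + ["-j", action])
```

Running a rules file through parse_host_rule before restarting apf catches malformed entries (such as a missing colon or a bad address) that would otherwise only show up in /var/log/apf_log.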

Note: Always remember to restart apf after adding any rules to make sure they take effect. You can also force a reload using:

/etc/apf/apf -r

You can also check for changes and errors in the apf log:

tail -f /var/log/apf_log

BFD:

The main BFD config file is:

/usr/local/bfd/conf.bfd

There are several options, but the main two you might want to edit are:

1) TRIG="25"
This option allows you to set the number of failure events per IP address before it is blocked. The default is usually 25, but you can add a lower or higher value as required.

2) EMAIL_ADDRESS="root"
By default, all alerts are sent to the root user. If you want them to be sent to an external e-mail address, add the address here. Multiple addresses can be added, separated by commas.

If BFD blocks an IP address it will be written to the deny_hosts.rules file, blocking all access to any port from that IP address. The service which initiated the block will be listed next to the IP address, e.g. {bfd.pure-ftpd} would indicate that more than 25 failed FTP login attempts have originated from the blocked IP address.

To allow access again, remove the IP address from deny_hosts.rules and restart apf.

For more information, see the README files at:

http://www.rfxn.com/appdocs/README.apf

http://www.rfxn.com/appdocs/README.bfd
