Hello,
I have read about and seen many options for additions to iptables as a firewall and security system. All seem to react to logs and not to incoming packets (as far as I have seen).
I am interested in implementing a number of security ideas on the firewall (iptables) on my webserver. If you have a program you would suggest, or believe iptables is the proper solution, please feel free to post that.
Here are some of the things I would like to do:
1) I have switched my SSH to a different port. I would like to still check for anyone trying to hit the old port 22 and log them, and at the same time add them to a reject/ban for a certain period of time, let's say 1 day.
2) There are certain Apache hacks (like things that include ../) that I would prefer to stop at the firewall. I would also like to log these attempts and begin a reject/ban for a certain period of time, or just log until I figure out the best way to safely ban.
3) There are common script-kiddie hacks that look for certain files 1 million times a day. I would like to either look for them in the incoming packets, log, and ban, or be able to use my own PHP program to route them out and then add them to a ban list that iptables can use.
These are just some of the things I am looking at doing. I also want to start a ban list for mail packets too; why bog down sendmail when I know what they are?
I realize some things might be done via programs like fail2ban (like my PHP program making a list), but others would be better at the firewall as active-reaction security measures.
Any input kindly accepted.
Thank you for any help or ideas.
Bob
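Items 1 and 2 above, done with iptables' own matches rather than by reacting to logs, as an added example that is not part of Bob's post or of any reply on the thread. It assumes a CentOS-era iptables with the recent, string and limit matches loaded, sshd already moved off port 22, plain HTTP on port 80, and a made-up trusted address 198.51.100.5; the IPT, BAN_SECS and TRUSTED variables, the PORT22 chain and the log prefixes are this example's own names.

```shell
#!/bin/sh
# Added example (not from the thread): port-22 trap with a one-day ban, and a
# log-only "../" tripwire, using only firewall matches. Assumes iptables with
# the 'recent', 'string' and 'limit' matches available, sshd already moved
# off port 22, and plain HTTP on port 80. Set IPT=echo to print the rules
# instead of loading them.
IPT="${IPT:-/sbin/iptables}"
BAN_SECS="${BAN_SECS:-86400}"    # 1 day, as asked for above

# Hosts that must never be auto-banned. The 'recent' match trusts the source
# address of a bare SYN, so anyone can spoof SYNs to port 22 "from" your DNS
# server or monitoring box and get it dropped for a day. 198.51.100.5 is a
# made-up placeholder for such a host.
TRUSTED="${TRUSTED:-127.0.0.1 198.51.100.5}"

# Item 1: log the first SYN to the old port 22 and drop everything from that
# source, on every port, for BAN_SECS.
port22_trap() {
    $IPT -N PORT22 2>/dev/null || $IPT -F PORT22
    for ip in $TRUSTED; do
        $IPT -A PORT22 -s "$ip" -j RETURN
    done
    # Anyone recorded within the last BAN_SECS is dropped outright. --rcheck
    # (not --update) leaves the timestamp alone, so the ban is a fixed day
    # from the first hit rather than sliding while the scanner keeps knocking.
    $IPT -A PORT22 -m recent --name port22 --rcheck --seconds "$BAN_SECS" -j DROP
    # First SYN from a new source: record it, log it, then drop it. Later
    # packets from the same host hit the DROP above, so each host logs once
    # per ban period without needing -m limit here.
    $IPT -A PORT22 -p tcp --syn --dport 22 -m recent --name port22 --set \
        -j LOG --log-prefix "IPT-PORT22: " --log-level 4
    $IPT -A PORT22 -p tcp --dport 22 -j DROP
    # Hook the chain in before the usual ESTABLISHED,RELATED accept so a
    # banned host's existing sessions die as well.
    $IPT -I INPUT 1 -j PORT22
}

# Item 2: a log-only tripwire for "../" in HTTP requests. This inspects raw
# packet bytes, so a URL-encoded "%2e%2e/", a "../" split across two TCP
# segments, or anything over HTTPS walks straight past it; it tells you who
# is probing, nothing more. The real filter belongs in the web server
# (mod_security, suggested later in this thread).
dotdot_log() {
    $IPT -A INPUT -p tcp --dport 80 -m string --algo bm --string "../" \
        -m limit --limit 6/min --limit-burst 10 \
        -j LOG --log-prefix "IPT-DOTDOT: " --log-level 4
}

# The 'recent' table holds ip_list_tot entries (default 100) per list; a wide
# scan from many sources evicts the oldest and silently lifts their bans.
# Raise it when loading the module, e.g. modprobe xt_recent ip_list_tot=4096
# (the module is ipt_recent on older CentOS 5 kernels).

case "${1:-}" in
    apply) port22_trap; dotdot_log ;;
    show)  IPT=echo; port22_trap; dotdot_log ;;
esac
```

Run it with `show` to see the rules and `apply` to load them. The ban is enforced in the kernel with no log round trip, which is what the post asks for; the price is that everything is keyed on a spoofable source address, hence the TRUSTED list at the top of the chain.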
On Tue, Aug 10, 2010 at 04:30:16PM -0400, Bob Hoffman wrote:
I am interested in implementing a number of security ideas on the firewall (iptables) on my webserver. If you have a program you would suggest, or believe iptables is the proper solution, please feel free to post that.
For a set of useful components you might look here:
http://www.gentoo.org/proj/en/dynfw.xml
Not a complete solution, but very useful options for dropping, blocking or rate limiting specific remote IPs at the firewall, that are consistent with varied iptables setups, and can be easily called from whatever scripts you're using to identify bad IPs.
Regards, Whit
On Tue, 2010-08-10 at 16:30 -0400, Bob Hoffman wrote:
Hello,
I have read about and seen many options for additions to iptables as a firewall and security system. All seem to react to logs and not to incoming packets (as far as I have seen).
I am interested in implementing a number of security ideas on the firewall (iptables) on my webserver. If you have a program you would suggest, or believe iptables is the proper solution, please feel free to post that.
Here are some of the things I would like to do:
- I have switched my SSH to a different port. I would like to still check for anyone trying to hit the old port 22 and log them, and at the same time add them to a reject/ban for a certain period of time, let's say 1 day.
- There are certain Apache hacks (like things that include ../) that I would prefer to stop at the firewall. I would also like to log these attempts and begin a reject/ban for a certain period of time, or just log until I figure out the best way to safely ban.
- There are common script-kiddie hacks that look for certain files 1 million times a day. I would like to either look for them in the incoming packets, log, and ban, or be able to use my own PHP program to route them out and then add them to a ban list that iptables can use.
These are just some of the things I am looking at doing. I also want to start a ban list for mail packets too; why bog down sendmail when I know what they are?
I realize some things might be done via programs like fail2ban (like my PHP program making a list), but others would be better at the firewall as active-reaction security measures.
Any input kindly accepted.
Thank you for any help or ideas.
Bob
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
OSSEC
not exactly 'real-time', though, as it has to parse the logs.
On 08/10/10 1:30 PM, Bob Hoffman wrote:
- I have switched my SSH to a different port. I would like to still check for anyone trying to hit the old port 22 and log them, and at the same time add them to a reject/ban for a certain period of time, let's say 1 day.
If nothing is listening on that port, then what's to 'ban'?
On 10 Aug 2010, at 22:33, John R Pierce pierce@hogranch.com wrote:
If nothing is listening on that port, then what's to 'ban'?
I experimented with something similar: wrote a small C program that listened on port 22 and dumped the source IP to a log, which was then picked up by fail2ban.
Worked quite well if I remember correctly!
Ben
On Tue, 10 Aug 2010, John R Pierce wrote:
To: CentOS mailing list centos@centos.org From: John R Pierce pierce@hogranch.com Subject: Re: [CentOS] Iptables questions
On 08/10/10 1:30 PM, Bob Hoffman wrote:
- I have switched my SSH to a different port. I would like to still check for anyone trying to hit the old port 22 and log them, and at the same time add them to a reject/ban for a certain period of time, let's say 1 day.
If nothing is listening on that port, then what's to 'ban'?
I think what Bob wants to do is to move his sshd to another non-standard port, and leave port 22 open. Then see what's trying to access that. I guess you could run another 'dummy-sshd' type program to listen on port 22, in place of the real sshd, and then log all incoming packets on that port?
IIRC sshd logs all connection attempts anyway?
iptables can log packets coming in to any particular port. I don't think the port needs to be open for iptables to log a packet headed for that particular port?
I log ALL packets coming into my firewall, and then purge the logs with a cron job every 24 hours.
Kind Regards,
Keith Roberts
----------------------------------------------------------------- Websites: http://www.php-debuggers.net http://www.karsites.net http://www.raised-from-the-dead.org.uk
All email addresses are challenge-response protected with TMDA [http://tmda.net] -----------------------------------------------------------------
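Keith's point above (the firewall can log a packet to any port, open or not) and Bob's item 3 (a program of his own turning such logs into a ban list that iptables enforces) combine into the script below, added here as an example rather than anything posted on the thread. It assumes the LOG rule used the prefix IPT-PORT22:, that a BANNED chain is hooked into INPUT, and that syslog lines arrive on stdin; the sample log lines are constructed, and the function names, the BANNED chain and the IPT, LOG_TAG, BAN_SECS and NOW variables are the example's own. The ban and unban functions are the spot where something like the dynfw scripts Whit mentioned would be called instead.

```shell
#!/bin/sh
# Added example (not from the thread): the log-driven variant, for the case
# where the firewall only logs and a script of your own decides whom to ban.
# Assumes the LOG rule used the prefix "IPT-PORT22: " (LOG_TAG), that syslog
# lines are fed on stdin, and that a BANNED chain is hooked into INPUT. Each
# ban rule is stamped with -m comment, so expiry needs no separate state file.
# IPT=echo prints the iptables commands instead of running them; NOW overrides
# the clock so expiry can be exercised offline.
IPT="${IPT:-/sbin/iptables}"
LOG_TAG="${LOG_TAG:-IPT-PORT22:}"
BAN_SECS="${BAN_SECS:-86400}"
NOW="${NOW:-$(date +%s)}"

# Constructed sample syslog lines in the kernel LOG format (not real traffic;
# 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges). The last line
# carries a different tag and must be ignored.
SAMPLE_LOG='Aug 10 22:33:01 web kernel: IPT-PORT22: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 10 22:33:04 web kernel: IPT-PORT22: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 10 22:35:10 web kernel: IPT-PORT22: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=3 DF PROTO=TCP SPT=4021 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 10 22:36:00 web kernel: IPT-DOTDOT: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.2 LEN=300 TOS=0x00 PREC=0x00 TTL=50 ID=9 DF PROTO=TCP SPT=4444 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0'

# stdin: syslog lines. stdout: each distinct SRC that sent a SYN to port 22
# under our tag, once, in first-seen order. The kernel's LOG output names TCP
# flags as bare tokens (SYN, ACK, ...), which is what the awk looks for.
offenders() {
    awk -v tag="$LOG_TAG" '
        index($0, tag) == 0 { next }
        {
            src = ""; dpt = ""; syn = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i == "SYN") syn = 1
            }
            if (src != "" && dpt == "22" && syn && !seen[src]++) print src
        }'
}

ban_chain_init() {
    $IPT -N BANNED 2>/dev/null || $IPT -F BANNED
    $IPT -I INPUT 1 -j BANNED
}

# Ban one address, stamping the rule with the epoch time of the ban.
ban() {
    $IPT -A BANNED -s "$1" -m comment --comment "banned $NOW" -j DROP
}

# iptables needs the exact rule text to delete it, so the stamp comes back in.
unban() {
    $IPT -D BANNED -s "$1" -m comment --comment "banned $2" -j DROP
}

# stdin: 'iptables -S BANNED' output. stdout: "ip stamp" for every rule whose
# stamp is at least BAN_SECS old. -S prints the source as a /32 and wraps the
# comment in double quotes; both are stripped here.
expired() {
    awk -v now="$NOW" -v ttl="$BAN_SECS" '
        /^-A BANNED / {
            ip = ""; when = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") { ip = $(i + 1); sub("/32$", "", ip) }
                if ($i == "--comment") { when = $(i + 2); gsub("\"", "", when) }
            }
            if (ip != "" && when != "" && now - when >= ttl) print ip, when
        }'
}

# One cron pass: ban new offenders from the log on stdin (skipping addresses
# already in the chain, so overlapping log slices are harmless) and release
# bans that have served their day.
sweep() {
    existing=$($IPT -S BANNED)
    offenders | while read -r ip; do
        case "$existing" in
            *"-s $ip/32 "*) ;;          # already banned, leave its stamp alone
            *) ban "$ip" ;;
        esac
    done
    printf '%s\n' "$existing" | expired | while read -r ip when; do
        unban "$ip" "$when"
    done
}

# Dry run on the constructed sample:  NOW=1281500000 IPT=echo sh ban.sh demo
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | sweep ;;
esac
```

In use, cron feeds sweep the lines written since the previous run (the tail of /var/log/messages, for instance) after ban_chain_init has run once at boot. As with any ban keyed on a source address, a spoofed SYN can get a third party's address into the log and then into BANNED, so a RETURN rule for trusted hosts belongs at the top of that chain.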
on 8-10-2010 3:08 PM Keith Roberts spake the following:
On Tue, 10 Aug 2010, John R Pierce wrote:
On 08/10/10 1:30 PM, Bob Hoffman wrote:
- I have switched my SSH to a different port. I would like to still check for anyone trying to hit the old port 22 and log them, and at the same time add them to a reject/ban for a certain period of time, let's say 1 day.
If nothing is listening on that port, then what's to 'ban'?
I think what Bob wants to do is to move his sshd to another non-standard port, and leave port 22 open. Then see what's trying to access that. I guess you could run another 'dummy-sshd' type program to listen on port 22, in place of the real sshd, and then log all incoming packets on that port?
IIRC sshd logs all connection attempts anyway?
iptables can log packets coming in to any particular port. I don't think the port needs to be open for iptables to log a packet headed for that particular port?
I log ALL packets coming into my firewall, and then purge the logs with a cron job every 24 hours.
Kind Regards,
Keith Roberts
A tarpit would be good on there... Answer the port and just trickle back the handshake to keep the client waiting for a long time.
- There are certain Apache hacks (like things that include ../) that I would prefer to stop at the firewall. I would also like to log these attempts and begin a reject/ban for a certain period of time, or just log until I figure out the best way to safely ban.
Try mod_security, an application firewall for Apache: http://www.modsecurity.org/
-- Eero, RHCE