[CentOS] Iptables questions

Tue Aug 10 20:30:16 UTC 2010
Bob Hoffman <bob at bobhoffman.com>


I have read and seen many options for additions to iptables as a firewall
and security system. All seem to react to logs and not to incoming packets
(as far as I have seen).

I am interested in applying a number of security ideas to the firewall,
iptables, on my web server. If you have a program you would suggest, or
believe iptables is the proper solution, please feel free to post that.

Here are some of the things I would like to do:

1) I have switched my SSH to a different port. I would like to still check
for anyone trying to hit the old port 22 and log them. At the same time, add
them to a reject/ban list for a certain period of time, let's say 1 day.

2) There are certain Apache hacks (like things that include ../) that I
would prefer to stop at the firewall. I would also like to log these
attempts and begin a reject/ban for a certain period of time, or just log
until I figure out the best way to safely ban.

3) There are common script-kiddie hacks that look for certain files 1
million times a day. I would like to either look for them in the incoming
packets, log, and ban, or be able to use my own PHP program to route
them out and then add them to a ban list that iptables can use.

These are just some of the things I am looking at doing. I also want to
start a ban list for mail packets too; why bog down sendmail when I know
what they are?

I realize some things might be done via programs like fail2ban (like my PHP
program making a list), but others would be better at the firewall as active
reaction security measures.

Any input kindly accepted.

Thank you for any help or ideas.
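Added example (not code from the post or from any reply on the list): one way to do the three items at the firewall with iptables' `recent` and `string` matches plus an ipset-backed ban list that an outside program can feed. Everything named here is an assumption made for the example: the chain name BANCHECK, the recent list name ssh22, the ipset name banlist, the relocated SSH port 2222, the ADMIN_NET placeholder range, and the presence of ipset (version 6 syntax) on the host. DRY_RUN=1 is the default, so running the script only prints the commands for review; DRY_RUN=0 executes them and needs root.

```shell
#!/bin/sh
# Added example, not the list post's code: iptables/ipset rules for the three
# requests (decoy port 22, "../" in HTTP, ban list fed by another program).
# DRY_RUN=1 (default) only prints the commands so the rule set can be reviewed
# before it is applied; DRY_RUN=0 executes them (needs root).
# Assumed/hypothetical names: chain BANCHECK, recent list ssh22, ipset banlist,
# the relocated SSH port, and ADMIN_NET (a placeholder TEST-NET range).
set -eu

IPT=${IPT:-iptables}
IPSET=${IPSET:-ipset}
DRY_RUN=${DRY_RUN:-1}
NEW_SSH_PORT=${NEW_SSH_PORT:-2222}          # wherever SSH was moved to
BAN_SECONDS=${BAN_SECONDS:-86400}           # one day, as the post asks
BANSET=${BANSET:-banlist}                   # ipset the PHP program feeds
ADMIN_NET=${ADMIN_NET:-203.0.113.0/24}      # your own addresses, never banned

# Print (dry run) or execute a command. The printed form is for review only:
# it drops the quoting around arguments such as the log prefix.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Strict dotted-quad check. The address handed over by the PHP program came
# from an attacker's request, so anything that is not an IPv4 address is
# refused before it can become an ipset argument (no "-exist", no "; cmd").
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Shared ban check, inserted at the top of INPUT so it also covers mail.
# ADMIN_NET is exempted first: a SYN with a spoofed source costs an attacker
# nothing, so without the exemption the decoy port lets anyone get your own
# workstation banned.
ban_rules() {
    run "$IPSET" -exist create "$BANSET" hash:ip timeout "$BAN_SECONDS"
    run "$IPT" -N BANCHECK
    run "$IPT" -A BANCHECK -s "$ADMIN_NET" -j RETURN
    # recent: drop for BAN_SECONDS after the last hit (--update keeps resetting
    # the clock; --rcheck would expire a fixed time after the first hit)
    run "$IPT" -A BANCHECK -m recent --name ssh22 --update --seconds "$BAN_SECONDS" -j DROP
    # ipset: entries added by ban_ip expire on their own after BAN_SECONDS
    run "$IPT" -A BANCHECK -m set --match-set "$BANSET" src -j DROP
    run "$IPT" -I INPUT 1 -j BANCHECK
}

# 1) Decoy port 22: accept the real port, log the first SYN to 22 and put the
#    source on the recent list; every later packet from it dies in BANCHECK.
ssh_decoy_rules() {
    run "$IPT" -A INPUT -p tcp --dport "$NEW_SSH_PORT" -j ACCEPT
    run "$IPT" -A INPUT -p tcp --dport 22 --syn -m recent --name ssh22 --set \
        -j LOG --log-prefix "SSH22_PROBE: " --log-level info
    run "$IPT" -A INPUT -p tcp --dport 22 -j DROP
}

# 2) "../" in HTTP: log only, as the post suggests. A per-packet string match
#    is a weak signal: it never sees TLS, an encoded %2e%2e/, or a pattern that
#    straddles two segments, and "../" also turns up in legitimate POST bodies.
http_probe_rules() {
    run "$IPT" -A INPUT -p tcp --dport 80 -m string --algo bm --string "../" \
        -m limit --limit 10/min -j LOG --log-prefix "HTTP_DOTDOT: "
}

# 3) Entry point for the PHP program (via sudo limited to "<script> ban"):
#    validates the address, then adds it with a per-entry timeout.
ban_ip() {
    is_ipv4 "$1" || { echo "refusing to ban '$1': not an IPv4 address" >&2; return 1; }
    run "$IPSET" -exist add "$BANSET" "$1" timeout "$BAN_SECONDS"
}

case ${1:-rules} in
    rules) ban_rules; ssh_decoy_rules; http_probe_rules ;;
    ban)   ban_ip "${2:?usage: $0 ban <ipv4>}" ;;
    *)     echo "usage: $0 [rules | ban <ipv4>]" >&2; exit 2 ;;
esac
```

Two caveats worth knowing before applying this on a live box. The decoy, HTTP and real-SSH-port rules are appended to INPUT, so on a host that already ends INPUT with a REJECT-all they are unreachable and must be moved above it; reviewing the dry-run output first is the point of DRY_RUN. And the `recent` list is small: xt_recent keeps 100 addresses per list by default (module parameter ip_list_tot), so with a day-long ban and Internet-facing scanners the oldest entries get evicted. Long bans, and anything the PHP program contributes, belong in the ipset, which holds many entries and expires each one by itself. For the PHP side, a sudoers line such as `apache ALL=(root) NOPASSWD: /usr/local/sbin/banctl ban *` (hypothetical path) lets the web process call only the `ban` subcommand, and `is_ipv4` keeps the attacker-derived argument from turning into anything but an address.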