Dynamic Firewall
Written by Mrfroasty (Technical) // 30/07/2009 // Uncategorized // Comments off
After suffering a lot of brute-force attacks, especially on the FTP service, we decided to install some kind of dynamic firewall. It has been tested and is known to work.
This is a simple how-to that explains how to install a dynamic firewall.
Requirements:
*iptables support in the kernel:
Device Drivers--->Networking Support--->Networking Options---->Network Packet Filtering (replace Ipchains)--->Netfilter Configuration
#emerge -av iptables
Put some general rules on the firewall in /etc/iptables.bak:
#Firewall for Mzalendo Server
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections (this must be enabled before any
# catch-all reject below, otherwise replies to the server's own outbound
# connections are refused)
#-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# permit people to ssh into this computer
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# permit ftp and web hosting services
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# reject all other packets coming into the computer, even from other computers in the local area network
# (while this line stays commented out the INPUT policy is ACCEPT, so every port
# is reachable and the ACCEPT rules above change nothing; fail2ban's bans still
# work because it inserts its own chains at the top of INPUT)
#-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
Load the rules:
#iptables-restore /etc/iptables.bak
#/etc/init.d/iptables restart
#rc-update add iptables default
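The ruleset above has both the RELATED,ESTABLISHED rule and the final REJECT commented out, so with the INPUT policy at ACCEPT it currently admits everything. The checker below is an added example, not part of this how-to: it parses only the subset of iptables-save syntax the ruleset uses (*table, :CHAIN POLICY, -A rules, COMMIT), reports whether filter/INPUT is actually closed and whether an established-connections accept comes before the deny, and runs the page's ruleset next to two variants with those lines uncommented. The function and variable names are this example's own.

```python
"""Lint an iptables-restore file: is the INPUT chain actually closed?
Added example, not part of the original how-to. It understands only the subset
of iptables-save syntax used on this page (*table, :CHAIN POLICY, -A rules, COMMIT)."""
import shlex


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [(chain, tokens), ...]}}.
    Lines starting with '#' are skipped, so commented-out rules are NOT active."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A"):
            tokens = shlex.split(line)
            table["rules"].append((tokens[1], tokens))
        elif line == "COMMIT":
            table = None
    return tables


def _target(tokens):
    return tokens[tokens.index("-j") + 1] if "-j" in tokens else None


def _states(tokens):
    """Value of '--state' (e.g. 'RELATED,ESTABLISHED'), or '' if the rule has none."""
    return tokens[tokens.index("--state") + 1] if "--state" in tokens else ""


def audit_input_chain(text):
    """Return [(code, message), ...] for filter/INPUT; an empty list means it is closed."""
    table = parse_iptables_save(text)["filter"]
    rules = [tok for chain, tok in table["rules"] if chain == "INPUT"]
    # A rule whose first option is '-j' has no match clauses: it hits every packet.
    deny = [i for i, tok in enumerate(rules)
            if tok[2] == "-j" and _target(tok) in ("DROP", "REJECT")]
    policy_closed = table["policy"]["INPUT"] in ("DROP", "REJECT")
    if not policy_closed and not deny:
        return [("OPEN_INPUT", "policy ACCEPT and no catch-all DROP/REJECT: "
                 "every port is reachable, the ACCEPT rules change nothing")]
    first_deny = deny[0] if deny else len(rules)   # the policy acts after the last rule
    established = [i for i, tok in enumerate(rules)
                   if "ESTABLISHED" in _states(tok) and _target(tok) == "ACCEPT"]
    if not established or established[0] > first_deny:
        return [("NO_ESTABLISHED_ACCEPT", "replies to the server's own outbound "
                 "connections are denied before any ESTABLISHED,RELATED accept")]
    return []


# The ruleset from this page, verbatim (two rules commented out, as on the page).
PAGE_RULES = """\
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
-A INPUT -s 127.0.0.1 -j ACCEPT
#-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
# Variant 1: only the final REJECT enabled (a common half-fix that breaks outbound traffic).
DENY_ONLY = PAGE_RULES.replace("#-A INPUT -j REJECT", "-A INPUT -j REJECT")
# Variant 2: both commented rules enabled, in the order they appear on the page.
HARDENED = DENY_ONLY.replace("#-A INPUT -m state", "-A INPUT -m state")

if __name__ == "__main__":
    for name, text in (("page", PAGE_RULES), ("deny-only", DENY_ONLY), ("hardened", HARDENED)):
        print(name, audit_input_chain(text) or "ok")
```

Run it as a script to see the three verdicts; `audit_input_chain` can also be pointed at the output of `iptables-save` on a live box, as long as the chains use only the syntax the parser knows.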
Installing the dynamic daemon:
#emerge -av fail2ban
Configuring the daemon:
Edit the file /etc/fail2ban/jail.conf, enable the jails for the services you want the daemon to protect, and don't forget to change the e-mail address. (fail2ban also reads /etc/fail2ban/jail.local, which overrides jail.conf and is not touched by package upgrades, so local changes are better kept there.)
# fail2ban for fileserver
[DEFAULT]
ignoreip = 127.0.0.1
# ban time in seconds
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto
#SSH
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         mail-whois[name=SSH, dest=mrfroasty@gmail.com]
logpath = /var/log/auth.log
maxretry = 3
#PROFTP
[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         mail-whois[name=ProFTPD, dest=user@gmail.com]
logpath = /var/log/auth.log
bantime = 3600
maxretry = 3
#Spammer robots crawling the web
[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
         mail-whois[name=BadBots, lines=5, dest=user@gmail.com]
#        mail-buffered[name=BadBots, lines=5, dest=user@gmail.com]
logpath = /var/log/apache/access_log
bantime = 3600
maxretry = 1
Start the daemon:
#/etc/init.d/fail2ban start
#rc-update add fail2ban default
Check if fail2ban is working:
#fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/proftpd.conf
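To see what findtime, maxretry and bantime in the jail configuration actually do, and what fail2ban-regex is testing line by line, here is an added Python model of one jail replayed over a constructed slice of auth.log. This is example code, not fail2ban's own: the failregex is modelled on the shape of fail2ban's proftpd filter rather than copied from it, the `Jail` class and the `mzalendo`, `c1.example`, `c2.example` hostnames and 192.0.2.10 / 198.51.100.7 addresses are all constructed for the example.

```python
"""Toy model of a fail2ban jail: a failregex, a sliding findtime window,
maxretry failures per host, and a bantime. Added example, not fail2ban's code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern modelled on fail2ban's proftpd filter (an assumption, not a copy of it):
# matches "(hostname[1.2.3.4]) - USER foo (Login failed): ..." and captures the IP.
FAILREGEX = re.compile(
    r"\(\S+\[(?P<host>[0-9a-fA-F.:]+)\]\)[: -]+USER \S+ \(Login failed\)"
)
SYSLOG_YEAR = 2009  # syslog lines carry no year; the constructed sample is from 2009


def parse_syslog_time(line, year=SYSLOG_YEAR):
    """'Jul 30 10:00:01 host ...' -> datetime (the first 15 characters of a syslog line)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def match_failure(line):
    """What fail2ban-regex does per line: return the offending host, or None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


class Jail:
    def __init__(self, findtime=600, maxretry=3, bantime=600, ignoreip=("127.0.0.1",)):
        self.findtime = timedelta(seconds=findtime)
        self.maxretry = maxretry
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)   # host -> timestamps of recent failures
        self.bans = {}                       # host -> datetime the ban expires

    def is_banned(self, host, now):
        expires = self.bans.get(host)
        return expires is not None and now < expires

    def feed(self, line):
        """Process one log line; return the host if this line triggered a new ban."""
        host = match_failure(line)
        if host is None or host in self.ignoreip:
            return None
        now = parse_syslog_time(line)
        window = self.failures[host]
        window.append(now)
        # Drop failures older than findtime: only a burst inside the window counts.
        while window and now - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry and not self.is_banned(host, now):
            self.bans[host] = now + self.bantime
            window.clear()
            return host
        return None


# Constructed sample of /var/log/auth.log (not real traffic). 192.0.2.10 fails three
# times within 600 s; 198.51.100.7 fails three times but the third comes 648 s after
# the first, so only one failure is left inside its window. The sshd line is noise.
SAMPLE_LOG = """\
Jul 30 10:00:01 mzalendo proftpd[2231]: mzalendo (c1.example[192.0.2.10]) - USER admin (Login failed): Incorrect password.
Jul 30 10:00:05 mzalendo proftpd[2231]: mzalendo (c1.example[192.0.2.10]) - USER admin (Login failed): Incorrect password.
Jul 30 10:00:07 mzalendo sshd[2240]: Accepted publickey for ops from 198.51.100.7 port 50022 ssh2
Jul 30 10:00:09 mzalendo proftpd[2231]: mzalendo (c1.example[192.0.2.10]) - USER admin (Login failed): Incorrect password.
Jul 30 10:00:12 mzalendo proftpd[2231]: mzalendo (c2.example[198.51.100.7]) - USER bob (Login failed): Incorrect password.
Jul 30 10:00:20 mzalendo proftpd[2231]: mzalendo (c2.example[198.51.100.7]) - USER bob (Login failed): Incorrect password.
Jul 30 10:11:00 mzalendo proftpd[2231]: mzalendo (c2.example[198.51.100.7]) - USER bob (Login failed): Incorrect password.
"""


def run_jail(log=SAMPLE_LOG, **settings):
    """Replay a log through a jail; return (jail, hosts banned in order)."""
    jail = Jail(**settings)
    banned = [h for h in map(jail.feed, log.splitlines()) if h]
    return jail, banned


if __name__ == "__main__":
    jail, banned = run_jail(findtime=600, maxretry=3, bantime=3600)
    print("banned:", banned)
    for host, until in jail.bans.items():
        print(f"  {host} banned until {until:%H:%M:%S}")
```

With the proftpd jail settings from above (findtime 600, maxretry 3, bantime 3600) only 192.0.2.10 gets banned, until 11:00:09; the second client never reaches three failures inside one findtime window, which is exactly the case the sliding window is meant to distinguish from a slow, legitimate typo.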
Caution: for a 100% guaranteed check that this is working, let's try to abuse the FTP service and then look at whether we have been banned.
Try this with caution, you are truly going to be banned!!
On the client machine, run the following about 5 times and check whether the dynamic firewall reacts to the abuse (each run with a wrong password counts as one failed login towards maxretry):
#wget -O - -q -t 1 ftp://admin:xxxx@domain.com
Check on the server for evidence that this client has been banned:
#iptables -L | grep DROP
Expected output, a DROP rule for the client host:
DROP all -- gendesktop.mzalendo.net anywhere
Resources:
http://en.gentoo-wiki.com/wiki/Fail2ban
http://forums.gentoo.org/viewtopic.php?t=159133
http://www.gentoo-wiki.info/HOWTO_Iptables_for_newbies