If you have a Linux server somewhere on the internet, you probably want to secure it and deflect some of the most common attacks against it. If you are just starting out with your first server, you must know that your server will be attacked. Automated bots and scripts scan the internet in search of victims all the time. Once they settle on an IP, they start attacking: brute-forcing common users and running other targeted attacks.
The easiest and most common security measure you can start with is an IPTables configuration. IPTables offers a lot of configuration options, most of which will help your server fend off most of the attacks mentioned earlier. It is nothing scary to configure; just follow this guide and check out the script. Change the script as you wish to suit your needs.
There are two ways of doing this. We can create a script with the IPTables configuration which will be run on every system boot, or we can add the IPTables rules to the /etc/sysconfig/iptables file, which is applied at boot automatically by the IPTables initscript.
Secure Your Linux Server with IPTables Now!
1. Bash Script File
Create a new file called iptables.sh at the desired location. I will create a file at location /usr/sbin/iptables.sh and add the following content to it:
#!/bin/bash

# Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.
/sbin/iptables --flush # Flush all the rules in the filter table

## PREVENT COMMON ATTACKS
# Prevent NONE TCP packets
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Drop NEW connections that do not start with a SYN packet
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Prevent XMAS packets
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Allow loopback rules
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Allow certain inbound ICMP types (ping, traceroute..)
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT

# Allow HTTP and HTTPS Traffic
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT

# Prevent SSH Brute-Force Attacks: record every new connection per source address,
# then drop a source that opens 4 or more new connections within 60 seconds
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j DROP

# Allow SSH access (only reached by connections that passed the rate limit above)
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT

# Allow established connections (-I inserts this rule at the top of the chain)
/sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block everything else and allow outgoing connections
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P INPUT DROP
As you can see all of the rules are well explained so probably no extra explanation is needed.
Of course you need to change the rules and ports to suit your needs – maybe you are not running Apache on your server and therefore do not need to allow HTTP and HTTPS traffic or maybe you are running SSH on a different port and so on …
When you are done, save this file and make it executable by running the following command:
[root@geekpeek ~]# chmod +x /usr/sbin/iptables.sh
Next we need to make sure the IPTables script is run at system boot. We can achieve this by adding the following two lines at the end of the /etc/rc.local file:

# Run IPtables script on boot
/usr/sbin/iptables.sh

You can now run the /usr/sbin/iptables.sh script manually or reboot your server to see if everything works as expected!
PLEASE NOTE: double check the configuration since you can get cut off from your server if you did not configure the ports correctly!
2. Configure via /etc/sysconfig/iptables
This is the correct and official way of configuring IPTables on RHEL or CentOS.
We need to edit the configuration file and add the rules we need to secure our server. The /etc/sysconfig/iptables file already holds a default configuration, but after our changes it should look something like this:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
# Block everything else inbound (policy DROP) and allow outgoing connections
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

## PREVENT COMMON ATTACKS
# Prevent NONE TCP packets
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Drop NEW connections that do not start with a SYN packet
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Prevent XMAS packets
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Allow loopback rules
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow certain inbound ICMP types (ping, traceroute..)
-A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT

# Allow HTTP and HTTPS Traffic
-A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
-A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT

# Prevent SSH Brute-Force Attacks: record every new connection per source address,
# then drop a source that opens 4 or more new connections within 60 seconds
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j DROP

# Allow SSH access (only reached by connections that passed the rate limit above)
-A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT

# Allow established connections (-I inserts this rule at the top of the chain)
-I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

After changing the IPTables configuration, you need to restart or reload the IPTables service to make the changes take effect:
[root@geekpeek ~]# /etc/init.d/iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
[root@geekpeek ~]# /etc/init.d/iptables reload
iptables: Trying to reload firewall rules: [ OK ]
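The lockout risk noted earlier can be checked against a rules file before the service is restarted. The following is an added example, not part of the original article: the function name lockout_check and the sample ruleset are constructed for illustration, and the check assumes SSH is matched with a single-port --dport rule.

```shell
#!/bin/sh
# Added example: pre-flight lockout check for an iptables-restore format file.
# lockout_check FILE [SSH_PORT]: FILE may be "-" for stdin. Returns 1 when the
# INPUT policy is DROP but no rule would let SSH or established traffic in.
# Assumption: SSH is matched with a single-port "--dport N" (no multiport/ranges).
lockout_check() {
    awk -v port="${2:-22}" '
        # The policy may be declared as ":INPUT DROP [0:0]" or "-P INPUT DROP".
        $1 == ":INPUT"              { policy = $2 }
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        # Only INPUT rules ending in an ACCEPT target can let traffic in.
        ($1 == "-A" || $1 == "-I") && $2 == "INPUT" && / -j ACCEPT[ \t]*$/ {
            for (i = 3; i < NF; i++) {
                if ($i == "--dport" && $(i + 1) == port) ssh = 1
                if ($i == "--state" && $(i + 1) ~ /ESTABLISHED/) est = 1
            }
        }
        END {
            if (policy != "DROP") { print "INPUT policy is not DROP"; exit 0 }
            if (!ssh) { print "no ACCEPT rule for tcp port " port; bad = 1 }
            if (!est) { print "no ACCEPT rule for ESTABLISHED connections"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: default-deny INPUT with web ports open but SSH forgotten.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
-A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
-I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

if sample_ruleset | lockout_check - 22; then
    echo "ruleset keeps SSH reachable"
else
    echo "refusing to apply: SSH would be cut off"
fi
```

On a real host, run it as lockout_check /etc/sysconfig/iptables 22 and restart the service only when it returns 0.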
Voila, your Linux server should now be a bit more secure than before! 🙂 If you want to read more about IPTables configuration, read my article on Configure IPTables on CentOS 6.