Secure Linux / Debian Server with iptables and fail2ban

If you run your own Linux server, you have to secure it yourself. Get a few basics right, otherwise the server will be compromised within days of going online.

1. Change the default or automatically assigned root password

passwd root

I recommend a long, randomly generated password (at least 64 characters if you keep password logins at all), stored in a password manager. Better still, log in with an SSH key and set PermitRootLogin prohibit-password in /etc/ssh/sshd_config, so the root password can no longer be guessed over the network at all.

2. Install all updates (regularly!)

apt-get update
apt-get upgrade

Automatic updates are also possible (Debian's unattended-upgrades package), but need further configuration. I assume that you work on your server regularly and therefore install updates manually. Do this at least weekly, and immediately when a security update touches an exposed service such as OpenSSH or your web server.

3. Change SSH port

vi /etc/ssh/sshd_config

Change the Port directive. A non-standard port does not stop a targeted attacker (a port scan finds it within seconds), but it removes most of the automated brute-force noise from your logs. Pick a port that no other service uses, and allow the new port in the firewall before restarting sshd; the iptables rules below only open port 22.

sshd -t && systemctl restart ssh

sshd -t checks the configuration for syntax errors before the restart. Keep your current session open and test a login on the new port from a second terminal; if it fails, you can still repair the config from the session that is still connected.
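As an added example (not code from the original article), here is a small shell script that sets the sshd_config directives from steps 1 and 3 in a way that can be run repeatedly without producing duplicate lines. This matters because sshd honours only the first occurrence of a directive, so simply appending "Port 2222" to a file that already contains an active Port line changes nothing. The config path, port 2222 and the sample config in write_sample_config are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Idempotently set sshd_config directives (steps 1 and 3) and read them back.
# Assumptions: the config path is passed in; port 2222 and the sample config
# written by write_sample_config are placeholders for the demo.

# set_sshd_option FILE KEY VALUE
# Rewrites every active or commented-out "KEY ..." line to "KEY VALUE";
# appends the directive only if the file has no such line at all.
# sshd uses the first occurrence of a directive, so a second "Port" line
# appended below an existing one would be silently ignored.
set_sshd_option() {
    sso_file=$1; sso_key=$2; sso_value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${sso_key}[[:space:]]" "$sso_file"; then
        sso_tmp="${sso_file}.tmp.$$"
        sed -E "s|^[[:space:]]*#?[[:space:]]*${sso_key}[[:space:]].*|${sso_key} ${sso_value}|" \
            "$sso_file" > "$sso_tmp" && mv "$sso_tmp" "$sso_file"
    else
        printf '%s %s\n' "$sso_key" "$sso_value" >> "$sso_file"
    fi
}

# get_sshd_option FILE KEY: prints the value sshd would use (first active line)
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: non-default port, key-only root login, no passwords
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin prohibit-password
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# write_sample_config FILE: constructed stand-in for a stock Debian sshd_config
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
}

# demo_sshd: run the hardening twice on a temp copy to show it is idempotent
demo_sshd() {
    d_cfg=$(mktemp)
    write_sample_config "$d_cfg"
    harden_sshd "$d_cfg" 2222
    harden_sshd "$d_cfg" 2222
    cat "$d_cfg"
    rm -f "$d_cfg"
}

if [ "${1:-}" = "--demo" ]; then
    demo_sshd
fi
```

Run it against a copy of /etc/ssh/sshd_config first, check the result with sshd -t -f copy, and only then apply it to the real file. Two caveats: if your sshd_config contains Match blocks, an appended directive ends up inside the last Match block, so put global settings above the first Match; and on Debian 12 the stock file starts with Include /etc/ssh/sshd_config.d/*.conf, so a drop-in file there takes precedence over anything you set in sshd_config itself.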

4. Do not run any software as root

Installing packages with apt as root is normal; running your applications (web server, FTP, database, your own scripts) as root is not. Give each of them a dedicated unprivileged account. If an application runs as root, any vulnerability in it hands the attacker the whole server at once; under a separate user the attacker still has to find a way to escalate privileges.

5. You don’t need SSH? Just turn off the service.

systemctl stop ssh

After you disconnect, no login is possible any more. The stop only lasts until the next reboot; to keep the service off permanently, disable it as well (systemctl disable ssh). Make sure you have another way in, such as the hoster's console, before you do this.

6. Activate the firewall

Many hosters offer an upstream firewall in their control panel; use it and block every port you do not need. If you connect from a fixed IP address (e.g. your ISP's static address or your VPN provider's exit address), allow the administrative ports (SSH, control panel) only from that address. The same applies to the FTP and mail ports if you are the only user of the server.

7. Firewall with iptables

You can also set firewall rules on the server itself with iptables; do not skip this even if the hoster's firewall is in place, because the two protect against different mistakes. Some administration software (e.g. Plesk) can manage the rules for you.

apt-get install iptables screen

The rules could look like this (web server and FTP reachable by everyone; SSH, Plesk, mail, database and DNS ports limited to 1.1.1.1, which stands for your own fixed IP address):

#!/bin/sh
# Flush all rules and delete user-defined chains so the script can be re-run safely.
# This also empties the chains Fail2Ban manages, so restart fail2ban afterwards.
iptables -F
iptables -X
# Default policies: drop everything that no rule accepts explicitly
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Empty chains for the Fail2Ban jails (Fail2Ban inserts its bans into them)
iptables -N f2b-apache
iptables -N f2b-modsecurity
iptables -N f2b-recidive
iptables -N f2b-BadBots
iptables -A INPUT -p tcp -m multiport --dports 80,443,7080,7081 -j f2b-BadBots
iptables -A INPUT -p tcp -j f2b-recidive
iptables -A INPUT -p tcp -m multiport --dports 80,443,7080,7081 -j f2b-modsecurity
iptables -A INPUT -p tcp -m multiport --dports 80,443,7080,7081 -j f2b-apache
# Stateful basics: keep existing connections, reject new connections that do not start with SYN, allow loopback
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 68 -j DROP
# FTP passive data ports, reachable by everyone (narrow this to the PassivePorts range set in ProFTPd, see step 9)
iptables -A INPUT -p tcp -m tcp --dport 49152:65535 -j ACCEPT
# Plesk panel ports: admin IP only
iptables -A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 8447 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8447 -j DROP
iptables -A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 8443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8443 -j DROP
iptables -A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 8880 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8880 -j DROP
# Public services: HTTP, HTTPS and the FTP control port
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# SSH: admin IP only (use the port you chose in step 3 if you changed it)
iptables -A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
# Mail (submission, SMTP, SMTPS, POP3, POP3S, IMAP, IMAPS, Plesk password service): admin IP only.
# Restricting port 25 means other mail servers cannot deliver mail to this host.
iptables -A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 587 -j DROP
iptables -A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j DROP
iptables -A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 465 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j DROP
iptables -A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j DROP
iptables -A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j DROP
iptables -A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -j DROP
iptables -A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j DROP
iptables -A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 106 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 106 -j DROP
# Databases: MySQL for the admin IP only, PostgreSQL closed
iptables -A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3306 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 5432 -j DROP
# NetBIOS/SMB: closed
iptables -A INPUT -p udp -m udp --dport 137 -j DROP
iptables -A INPUT -p udp -m udp --dport 138 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 139 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 445 -j DROP
# DNS: admin IP only
iptables -A INPUT -s 1.1.1.1/32 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j DROP
iptables -A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 53 -j DROP
# Allow ping (ICMP echo request); everything else is dropped
iptables -A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
iptables -A INPUT -j DROP
# No routing through this host
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i lo -o lo -j ACCEPT
iptables -A FORWARD -j DROP
# Outbound: allow everything
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -j ACCEPT
# The Fail2Ban chains return to INPUT when no ban matches
iptables -A f2b-apache -j RETURN
iptables -A f2b-modsecurity -j RETURN
iptables -A f2b-recidive -j RETURN
iptables -A f2b-BadBots -j RETURN

Alternatively, you can of course also restrict FTP to a fixed address (1.1.1.2 here, again a placeholder). The script stays the same except for the passive range and the control port, which become:

iptables -A INPUT -s 1.1.1.2/32 -p tcp -m tcp --dport 49152:65535 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 49152:65535 -j DROP
iptables -A INPUT -s 1.1.1.2/32 -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j DROP

Save the rules as a shell script and run it inside screen, so that the script finishes even if your SSH session is cut off halfway through (the INPUT policy is set to DROP before the rule that accepts established connections is added):

screen -mdS firewall ./iptables.sh

Two things to check afterwards. First, iptables -F also flushes the chains Fail2Ban fills with its bans, so restart fail2ban after loading the rules. Second, these rules are IPv4 only: if the server has an IPv6 address, the ip6tables chains still accept everything, and you need an equivalent ip6tables rule set (at minimum default DROP, accept loopback, established connections and ICMPv6).

To reload the rules after a reboot, install

apt-get install iptables-persistent

The current rules are then saved with

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

and iptables-persistent restores both files at boot.
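As an added example (not the article's own script), the following shell functions generate the same kind of rule set in iptables-restore format, so the "admin IP only" pattern is written once instead of once per port. Because the INPUT policy is DROP, the per-port DROP lines and the explicit rules for 5432, 137-139 and 445 are unnecessary: anything without an ACCEPT falls through to the policy. Fail2Ban creates its f2b-* chains and inserts its own jump rules at the top of INPUT when it starts, so they are not declared here either. The address 203.0.113.10 stands for your fixed IP and 60000:60100 for the PassivePorts range configured in ProFTPd; both are placeholders.

```shell
#!/bin/sh
# Added example, not the article's script: generate the article's rule layout
# in iptables-restore format, writing the "admin IP only" pattern once.
# Assumptions: 203.0.113.10 stands for your fixed address, 60000:60100 for the
# PassivePorts range configured in ProFTPd; both are placeholders.

# gen_rules ADMIN_IP "PUBLIC_TCP" "ADMIN_TCP" "ADMIN_UDP" PASSIVE_RANGE
# Port lists are space separated. Output is suitable for iptables-restore.
gen_rules() {
    gr_admin=$1; gr_public=$2; gr_admin_tcp=$3; gr_admin_udp=$4; gr_passive=$5
    printf '*filter\n'
    # Policies: everything not accepted below is dropped; outbound stays open
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    # Fail2Ban inserts its own f2b-* jump rules at the top of INPUT when it
    # starts, so they are not declared here.
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate INVALID -j DROP\n'
    # New TCP connections must start with a SYN
    printf -- '-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset\n'
    for p in $gr_public; do
        printf -- '-A INPUT -p tcp --dport %s -j ACCEPT\n' "$p"
    done
    if [ -n "$gr_passive" ]; then
        printf -- '-A INPUT -p tcp --dport %s -j ACCEPT\n' "$gr_passive"
    fi
    # Admin-only ports: one ACCEPT for the fixed address; everybody else
    # falls through to the DROP policy, so no per-port DROP lines are needed
    for p in $gr_admin_tcp; do
        printf -- '-A INPUT -s %s/32 -p tcp --dport %s -j ACCEPT\n' "$gr_admin" "$p"
    done
    for p in $gr_admin_udp; do
        printf -- '-A INPUT -s %s/32 -p udp --dport %s -j ACCEPT\n' "$gr_admin" "$p"
    done
    printf -- '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT\n'
    printf 'COMMIT\n'
}

# gen_rules6 PUBLIC_TCP...: minimal IPv6 counterpart. iptables rules never
# apply to IPv6, so without this an IPv6-enabled server stays wide open.
gen_rules6() {
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    # ICMPv6 carries neighbour discovery; dropping it breaks IPv6 entirely
    printf -- '-A INPUT -p ipv6-icmp -j ACCEPT\n'
    for p in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -j ACCEPT\n' "$p"
    done
    printf 'COMMIT\n'
}

# write_rules_files V4FILE V6FILE: the article's port layout with the placeholders above
write_rules_files() {
    gen_rules 203.0.113.10 "80 443 21" \
        "22 8443 8447 8880 25 465 587 110 995 143 993 106 3306 53" \
        "53" "60000:60100" > "$1"
    gen_rules6 80 443 > "$2"
}

if [ "${1:-}" = "--write" ]; then
    write_rules_files /etc/iptables/rules.v4 /etc/iptables/rules.v6
fi
```

Check the generated file before loading it with iptables-restore --test /etc/iptables/rules.v4, then load it with iptables-apply -t 60 /etc/iptables/rules.v4, which reverts to the previous rules automatically unless you confirm from a working session within 60 seconds. Load rules.v6 the same way with ip6tables-restore, and restart fail2ban afterwards so it re-creates its chains.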

8. Install and set up Fail2Ban

Fail2Ban watches the log files and temporarily blocks addresses that fail to log in repeatedly, which takes the sting out of brute-force attacks.

apt-get install fail2ban

Do not edit jail.conf itself, as it is replaced on package updates. Fail2Ban reads jail.local after jail.conf and every setting in jail.local wins, so create a jail.local that contains only the settings you change. (Copying jail.conf to jail.local as a template works too, but then you have to merge the file by hand after every update.)

nano /etc/fail2ban/jail.local

Adjust the values there. Jails are inactive by default and are switched on individually with

enabled = true

in the respective section, at the very least [sshd]. Two settings deserve attention: put your own fixed address into ignoreip so that a typo in your password cannot lock you out, and if you changed the SSH port in step 3, set port in the [sshd] jail to the new port, otherwise the ban is applied to port 22 only. Then restart Fail2Ban with

systemctl restart fail2ban.service

and confirm that the jail is running with fail2ban-client status sshd.

The logs can be found later under

less /var/log/fail2ban.log # General Fail2Ban log (bans and unbans)
less /var/log/auth.log # sshd log, the input for the sshd jail
less /var/log/proftpd/proftpd.log # FTP log
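As an added example (not from the original article), the script below writes a jail.local that contains only overrides for the sshd and recidive jails, and then summarises the bans recorded in fail2ban.log, which is the quickest way to see whether the jail actually fires and which addresses keep coming back. The admin address 203.0.113.10, the SSH port 2222 and the log lines in write_sample_log are placeholders constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: write a jail.local containing
# only overrides (jail.conf stays untouched) and summarise bans from
# fail2ban.log. The admin address 203.0.113.10, the SSH port 2222 and the log
# lines in write_sample_log are placeholders constructed for the demo.

# write_jail_local FILE ADMIN_IP SSH_PORT
write_jail_local() {
    cat > "$1" <<EOF
[DEFAULT]
# never ban the address you administer from, or a typo locks you out
ignoreip = 127.0.0.1/8 ::1 $2
bantime = 1h
findtime = 10m
maxretry = 5

# jails are off unless enabled here; port must match the sshd Port directive
[sshd]
enabled = true
port = $3

# recidive re-bans addresses that keep coming back after a ban expires
[recidive]
enabled = true
bantime = 1w
findtime = 1d
maxretry = 3
EOF
}

# write_sample_log FILE: constructed fail2ban.log excerpt for the demo
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-10 03:14:02,118 fail2ban.filter         [812]: INFO    [sshd] Found 198.51.100.7 - 2024-01-10 03:14:02
2024-01-10 03:14:07,443 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-01-10 03:20:11,009 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.55
2024-01-10 04:14:08,120 fail2ban.actions        [812]: NOTICE  [sshd] Unban 198.51.100.7
2024-01-10 04:30:00,001 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-01-10 04:31:00,002 fail2ban.actions        [812]: NOTICE  [recidive] Ban 198.51.100.7
EOF
}

# ban_summary LOGFILE: prints "count ip" per banned address, most bans first.
# Only "Ban" events count; "Found" and "Unban" lines are ignored.
ban_summary() {
    grep -E 'NOTICE +\[[^]]+\] Ban ' "$1" | awk '{ print $NF }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# repeat_offenders LOGFILE MIN: addresses banned at least MIN times,
# candidates for a permanent DROP rule in the firewall script
repeat_offenders() {
    ban_summary "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

if [ "${1:-}" = "--demo" ]; then
    d_log=$(mktemp)
    write_sample_log "$d_log"
    ban_summary "$d_log"
    rm -f "$d_log"
fi
```

After writing /etc/fail2ban/jail.local, restart fail2ban and check with fail2ban-client status sshd that the jail is active; running ban_summary over the real /var/log/fail2ban.log a day later tells you whether the thresholds are sensible.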

9. FTP server passive ports

If you run a public FTP server, set the passive port range deliberately (the PassivePorts directive in ProFTPd; see the ProFTPd server article) and open only that small range in the firewall instead of the whole 49152-65535 range used above.

With these simple measures you have brought the security of your server to a reasonable baseline. Depending on what the server is used for, there is more to consider; read up on it or get in touch with me.

IT security should be affordable for private individuals, small companies and medium-sized businesses, so I always calculate my hourly rates individually according to the difficulty and the actual effort.
