Secure Linux / Debian Server with iptables and fail2ban

Secure Linux / Debian Server with iptables and fail2ban

If you run your own Linux server, you have to secure it yourself. You should pay attention to some basics, otherwise your server will be hacked very quickly.

1. Change the default or automatically assigned root password

passwd root

I recommend a complex password with at least 64 characters or a SSH key instead of a password.

2. Install all updates (regularly!)

apt-get update
apt-get upgrade

Automatic updates can also be used, but require further configuration. I assume that you work on your server regularly and therefore install updates manually.

3. Change SSH port

vi /etc/ssh/sshd_config

Changes the SSH port to make automated scans and attacks more difficult. Please do not use a port that is already in use.

service sshd restart

After that the service has to be restarted.

4. Do not install any software as root

Because this would facilitate escalation of privileges in case of security vulnerabilities of your applications.

5. You don’t need SSH? Just turn off the service.

service ssh stop

After you disconnect, login is no longer possible. The service remains switched off until the next reboot, so the stop is not permanent.

6. Activate the firewall

Many hosters offer you an upstream firewall, use it and block unused open ports. If you have a fixed IP address (e.g. via your VPN provider or ISP), allow access to administrative ports (e.g. SSH) only to this fixed IP. The same is true for your FTP/SMTP port – if you use your server alone.

7. Firewall with iptables

You can also set firewall rules with iptables on the server, you should not forget to do this in any case. Some administration software (e.g. Plesk) can help you with this.

apt-get install iptables
apt-get install screen

The rules could look like this (web server and FTP allowed, SSH limited to 1.1.1.1):

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -N f2b-apache
iptables -N f2b-modsecurity
iptables -N f2b-recidive
iptables -N f2b-BadBots
iptables -A INPUT -p tcp -m multiport --dports 80,443,7080,7081 -j f2b-BadBots
iptables -A INPUT -p tcp -j f2b-recidive
iptables -A INPUT -p tcp -m multiport --dports 80,443,7080,7081 -j f2b-modsecurity
iptables -A INPUT -p tcp -m multiport --dports 80,443,7080,7081 -j f2b-apache
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 68 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 49152:65535 -j ACCEPT
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 8447 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8447 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 8443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8443 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 8880 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8880 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 587 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 465 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 106 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 106 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3306 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 5432 -j DROP
iptables -A INPUT -p udp -m udp --dport 137 -j DROP
iptables -A INPUT -p udp -m udp --dport 138 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 139 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 445 -j DROP
iptables -A INPUT -s 1.1.1/32 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 53 -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i lo -o lo -j ACCEPT
iptables -A FORWARD -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A f2b-apache -j RETURN
iptables -A f2b-modsecurity -j RETURN
iptables -A f2b-recidive -j RETURN
iptables -A f2b-BadBots -j RETURN
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -j ACCEPT

Alternatively, you can of course restrict access to FTP (1.1.1.2):

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -N f2b-apache
iptables -N f2b-modsecurity
iptables -N f2b-recidive
iptables -N f2b-BadBots
iptables -A INPUT -p tcp -m multiport --dports 80,443,7080,7081 -j f2b-BadBots
iptables -A INPUT -p tcp -j f2b-recidive
iptables -A INPUT -p tcp -m multiport --dports 80,443,7080,7081 -j f2b-modsecurity
iptables -A INPUT -p tcp -m multiport --dports 80,443,7080,7081 -j f2b-apache
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 68 -j DROP
iptables -A INPUT -s 1.1.1.2/32 -p tcp -m tcp --dport 49152:65535 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 49152:65535 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 8447 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8447 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 8443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8443 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 8880 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8880 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -s 1.1.1.2/32 -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 587 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 465 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 106 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 106 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3306 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 5432 -j DROP
iptables -A INPUT -p udp -m udp --dport 137 -j DROP
iptables -A INPUT -p udp -m udp --dport 138 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 139 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 445 -j DROP
iptables -A INPUT -s 1.1.1/32 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j DROP
iptables -A INPUT -s 1.1.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 53 -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i lo -o lo -j ACCEPT
iptables -A FORWARD -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A f2b-apache -j RETURN
iptables -A f2b-modsecurity -j RETURN
iptables -A f2b-recidive -j RETURN
iptables -A f2b-BadBots -j RETURN

It might also be helpful to save the rules as a shell script and execute it afterwards with screen:

screen -mdS firewall ./iptables.sh

To be able to load the rules later (after a reboot) we need an additional package which we can install with

apt-get install iptables-persistent

to install it. The rules can be saved later with the following command:

iptables-save > /etc/iptables/rules.v4

8. Install and set up Fail2Ban

Fail2Ban can also be very helpful to prevent or hinder BruteForce attacks.

apt-get install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Afterwards with

nano /etc/fail2ban/jail.local

to adjust the appropriate values, including e.g. enabling individual jails with

enabled = true

and with

systemctl restart fail2ban.service

Restart Fail2Ban.

The logs can be found later e.g. under

nano /var/log/fail2ban.log # General Fail2Ban log
nano /var/log/auth.log # SSHD log
nano /var/log/proftpd/proftpd.log #FTP Log

9. FTP server passive ports

If you are running a public FTP server I recommend to change the passive ports accordingly (see ProFTPd server article).

With these simple measures you have already brought the security of your server to a normal level. But depending on the purpose of the server there are some more things to consider. Inform yourself or contact me with confidence

IT-security should be affordable for private persons, small companies and medium-sized businesses. Therefore I always calculate my hourly rates individually according to the degree of difficulty and the actual effort.

Leave a Reply

Your email address will not be published.