Firewall ACLs
punto
15th August 2006, 01:57
Hi, I have installed ISPConfig and must say I think it is a fantastic application :), thank you so much to the developers.
I was wondering if it is possible to configure the ISPconfig firewall so that you can limit ssh access to certain IP addresses?
With my other linux server I have an explicit REJECT in /etc/sysconfig/iptables for port 22 and then just add an ACCEPT in for the source IP addresses I want to accept and it works well.
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 172.16.8.35 --dport 22 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 --syn -j REJECT
Where is the script or config file for the ISPConfig firewall? Can I manually edit the script without breaking anything? I don't like having ssh access open to anyone.
Thanks in advance
Matt.
till
15th August 2006, 09:37
The script is:
/etc/Bastille/bastille-firewall.cfg
You will have to change the master file too:
/root/ispconfig/isp/conf/bastille-firewall.cfg.master
Then run:
/etc/init.d/bastille-firewall restart
punto
15th August 2006, 13:14
Great, thanks Till.
Regards
Matt
punto
22nd August 2006, 15:26
The script is:
/etc/Bastille/bastille-firewall.cfg
You will have to change the master file too:
/root/ispconfig/isp/conf/bastille-firewall.cfg.master
Then run:
/etc/init.d/bastille-firewall restart
I found that I wasn't able to add ACLs directly to the bastille-firewall.cfg script.
After doing some reading, here is my how-to and hopefully others will find it useful:
In this case I want to restrict ssh access to only one IP address (you can configure it for any number depending on your needs)
In order to restrict access to certain source IPs for certain protocols using the Bastille-firewall setup, you need to first create a new directory under /etc/Bastille. This directory needs to be called firewall.d
#cd /etc/Bastille
#mkdir firewall.d
You then need to create a new file within the newly created directory called post-rule-setup.sh
#cd firewall.d
#vi post-rule-setup.sh
This is the file where any IPTABLES rules can be entered. When you restart bastille.cfg the script is read and the rules applied. A knowledge of IPTABLES is required but once you get the hang of it, it is easy enough.
So in my case I want to allow ssh access to only 123.34.56.789 and deny it to ALL other IP addresses, so my post-rule-setup.sh file will look like this:
/sbin/iptables -I INPUT -p tcp -m tcp -s 123.34.56.789 --dport 22 --syn -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT
The first line accepts ssh (tcp port 22) connections only from 123.34.56.789 and the second line denies ALL other source IP addresses. If there is no match in this case 123.34.56.789 then all traffic bound for port 22 will be denied.
OK, now we have our rule, we need to restart bastille.cfg
#/etc/init.d/bastille-firewall restart
A successfully read script will yield the following
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done
The last line is the one we are interested in. If your IPTABLES rules are not understood or written incorrectly then you will get the following output when you restart bastille.cfg
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules..../post-rule-setup.sh: line 5: -I: command not found
done
You will need to go back into your post-rule-setup.sh and modify it.
You can specify a subnet simply by using, for example, 192.168.0.0/24 notation in your rule set.
Cheers
Matt
falko
23rd August 2006, 16:19
That's a great solution. :)
tijn_tux
25th August 2006, 14:48
Thanks for the mini-howto! Works perfectly! :D
punto
9th September 2006, 00:54
Glad you found it useful :)
rdutton
13th October 2006, 16:25
Thanks punto for your explanation.
Just something extra in case people came across the same problem I did..
In addition to the file "post-rule-setup.sh" you can also add a file called "pre-chain-split.sh" in the same directory. Any commands you put in "pre-chain-split.sh" will be executed BEFORE the standard firewall rules.
This is useful when you want to allow packets through which are normally dropped due to preceding firewall rules.
e.g. I added rules to allow samba just for my home IP address:
iptables -A INPUT -s [OK_REMOTE_IP] -p udp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT
iptables -A INPUT -s [OK_REMOTE_IP] -p tcp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT
iptables -A OUTPUT -s [OK_REMOTE_IP] -p udp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT
iptables -A OUTPUT -s [OK_REMOTE_IP] -p tcp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT
There are 4 rules to account for the variations of UDP/TCP and INPUT/OUTPUT chains.
The iptables commands explained:
-A Which chain to append the rule to
-s The source address(es)
-p protocol (udp/tcp for samba)
-m Modules to load (in this case multiport)
--destination-ports The parameter to the multiport module specifying the samba ports.
-j Jump to another chain. In this case ACCEPT
IKShadow
23rd November 2006, 10:53
Strange, it does not work on my linux box :(
I made the following rule:
/sbin/iptables -I INPUT -p tcp -m tcp -s 213.143.90.139 --dport 22 --syn -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT
213.143.90.139 is the PC from which I want to access my linux box.
(Later on I would copy/paste the first line for a few other IPs.)
When I restart firewall everything seems ok:
krneki:/etc/Bastille/firewall.d # /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
But after it I can't SSH to my linux box.
falko
24th November 2006, 16:35
213.143.90.139 is the PC from which I want to access my linux box.
(Later on I would copy/paste the first line for a few other IPs.)
Are both systems in the same local network?
IKShadow
24th November 2006, 18:13
Are both systems in the same local network?
Actually, it's a bit complicated.
Yes they are, but some special vlans were made etc...
However, if I check last -i:
admin pts/0 213.143.90.139 Mon Nov 20 19:27 - 20:26 (00:59)
So I am logged in from the 213.143.90.139 IP.
My server is on 212.72.115.185
I hope I can solve this somehow
I also tried to allow one IP from a remote location, but it also does not work.
krneki:/etc/Bastille/firewall.d # vi post-rule-setup.sh
krneki:/etc/Bastille/firewall.d # ll
total 4
-rw-r--r-- 1 root root 150 2006-11-24 17:12 post-rule-setup.sh
krneki:/etc/Bastille/firewall.d # /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
krneki:/etc/Bastille/firewall.d #
falko
25th November 2006, 15:18
What's the output of iptables -L?
IKShadow
25th November 2006, 20:29
rule disabled:
krneki:/ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere loopback/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain PAROLE (11 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:http
PAROLE tcp -- anywhere anywhere tcp dpt:hosts2-ns
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:ndmp
PAROLE tcp -- anywhere anywhere tcp dpt:mysql
PAROLE tcp -- anywhere anywhere tcp dpt:soap-http
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT udp -- anywhere anywhere udp dpt:soap-http
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
rule enabled:
krneki:/etc/Bastille/firewall.d # /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
krneki:/etc/Bastille/firewall.d # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
ACCEPT tcp -- 89.212.94.160 anywhere tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere loopback/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain PAROLE (11 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:http
PAROLE tcp -- anywhere anywhere tcp dpt:hosts2-ns
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:ndmp
PAROLE tcp -- anywhere anywhere tcp dpt:mysql
PAROLE tcp -- anywhere anywhere tcp dpt:soap-http
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT udp -- anywhere anywhere udp dpt:soap-http
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
falko
26th November 2006, 16:57
rule enabled:
krneki:/etc/Bastille/firewall.d # /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
krneki:/etc/Bastille/firewall.d # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
ACCEPT tcp -- 89.212.94.160 anywhere tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere loopback/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain PAROLE (11 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:http
PAROLE tcp -- anywhere anywhere tcp dpt:hosts2-ns
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:ndmp
PAROLE tcp -- anywhere anywhere tcp dpt:mysql
PAROLE tcp -- anywhere anywhere tcp dpt:soap-http
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT udp -- anywhere anywhere udp dpt:soap-http
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Why does it say 89.212.94.160? :confused:
IKShadow
26th November 2006, 17:29
That was the IP of the remote PC I am trying to add to the allow list.
(Currently I am at home and trying to connect to it.)
But it does not allow me to connect.
falko
27th November 2006, 15:19
Please switch off the firewall, then try to connect to the system and have a look at /var/log/auth.log at the same time. Is the IP address of the system that you're connecting from logged correctly? Or is a different IP address logged (maybe due to NATting)?
IKShadow
27th November 2006, 19:32
Can't find auth.log anywhere.
krneki:/var/log # ll
total 35508
-rw-r----- 1 root root 5262 2006-11-24 16:04 acpid
drwxr-x--- 2 root root 4096 2006-11-26 22:01 apache2
-rw-r----- 1 root root 0 2006-11-15 21:50 boot.log
-rw-r--r-- 1 root root 32252 2006-11-24 16:04 boot.msg
-rw-r--r-- 1 root root 35654 2006-11-24 16:02 boot.omsg
drwxr-xr-x 2 wwwrun root 4096 2006-11-26 22:01 cacti
-rw------- 1 root root 288168 2006-11-20 21:44 faillog
drwxr-xr-x 2 root root 4096 2006-11-27 00:30 httpd
-rw-r--r-- 1 root root 18799 2006-11-23 18:28 ispconfig_install.log
drwx------ 2 root root 4096 2006-05-02 09:03 krb5
-rw-r--r-- 1 root tty 3506044 2006-11-27 18:29 lastlog
-rw-r----- 1 root root 4220 2006-11-21 18:34 localmessages
-rw-r----- 1 root root 2913193 2006-11-27 18:29 mail
-rw-r----- 1 root root 146 2006-11-24 16:04 mail.err
-rw-r----- 1 root root 3211790 2006-11-27 18:29 mail.info
-rw-r----- 1 root root 299694 2006-11-26 22:01 mail.info-20061126.bz2
-rw-r--r-- 1 root root 11936823 2006-11-26 23:59 mail.ispconfigsave
-rw-r----- 1 root root 613 2006-11-26 21:48 mail.warn
-rw-r----- 1 root root 854429 2006-11-27 18:30 messages
lrwxrwxrwx 1 root root 23 2006-11-15 22:19 mysqld.log -> ../lib/mysql/mysqld.log
drwxr-x--- 2 news news 4096 2006-11-15 21:27 news
-rw-r--r-- 1 root root 5418 2006-11-24 16:08 ntp
-rw-r--r-- 1 root root 11760 2006-11-24 17:48 scpm
-rw-r----- 1 root root 136511 2006-11-27 16:34 warn
-rw-rw-r-- 1 root tty 61440 2006-11-27 18:29 wtmp
-rw-rw-r-- 1 root tty 9504 2006-11-17 22:00 wtmp-20061117.bz2
-rw-rw-r-- 1 root tty 10888 2006-11-25 22:00 wtmp-20061125.bz2
-rw-r--r-- 1 root root 566138 2006-11-27 18:29 xferlog
-rw-r--r-- 1 root root 14558779 2006-11-26 23:59 xferlog.ispconfigsave
drwx------ 3 root root 4096 2006-11-24 18:11 YaST2
-rw-r----- 1 root root 373772 2006-11-27 15:36 zmd-backend.log
-rw-r----- 1 root root 132397 2006-11-15 22:00 zmd-backend.log-20061115.bz2
-rw-r----- 1 root root 356771 2006-11-16 22:00 zmd-backend.log-20061116.bz2
-rw-r----- 1 root root 155100 2006-11-17 22:00 zmd-backend.log-20061117.bz2
-rw-r----- 1 root root 47752 2006-11-20 22:00 zmd-backend.log-20061120.bz2
-rw-r----- 1 root root 76112 2006-11-22 22:00 zmd-backend.log-20061122.bz2
-rw-r----- 1 root root 68516 2006-11-23 22:00 zmd-backend.log-20061123.bz2
-rw-r----- 1 root root 55366 2006-11-26 22:01 zmd-backend.log-20061126.bz2
-rw-r--r-- 1 root root 2510 2006-11-27 16:34 zmd-messages.log
-rw------- 1 root root 16523 2006-11-15 23:12 zmd-messages.log.2006-11-15
-rw------- 1 root root 83036 2006-11-16 18:50 zmd-messages.log.2006-11-16
-rw------- 1 root root 17748 2006-11-17 22:22 zmd-messages.log.2006-11-17
-rw------- 1 root root 2502 2006-11-18 18:44 zmd-messages.log.2006-11-18
-rw------- 1 root root 2433 2006-11-19 18:34 zmd-messages.log.2006-11-19
-rw------- 1 root root 2510 2006-11-20 18:24 zmd-messages.log.2006-11-20
-rw------- 1 root root 2502 2006-11-21 10:00 zmd-messages.log.2006-11-21
-rw------- 1 root root 7387 2006-11-22 23:59 zmd-messages.log.2006-11-22
-rw------- 1 root root 8499 2006-11-23 19:37 zmd-messages.log.2006-11-23
-rw------- 1 root root 2502 2006-11-24 17:04 zmd-messages.log.2006-11-24
-rw------- 1 root root 2826 2006-11-25 16:54 zmd-messages.log.2006-11-25
-rw------- 1 root root 2510 2006-11-26 16:44 zmd-messages.log.2006-11-26
However, in last I can see my IP:
admin pts/0 195.95.158.246 Mon Nov 27 18:29 still logged in
krneki:/var/log # vi /etc/Bastille/firewall.d/post-rule-setup.sh
/sbin/iptables -I INPUT -p tcp -m tcp -s 195.95.158.246 --dport 22 --syn -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT
falko
28th November 2006, 17:21
Then use 195.95.158.246 in your firewall rules and test if you can connect then.
smartcall
7th December 2006, 09:09
Actually, if you take a look at your iptables -L output, you'll see that the REJECT rule is preceding the ACCEPT rule.
And the way you make it work is:
The post-rule-setup.sh is applied from last to first rule, and if you put the REJECT before the ACCEPT it will apply them correctly to the firewall.
IKShadow
7th December 2006, 11:46
Actually, if you take a look at your iptables -L output, you'll see that the REJECT rule is preceding the ACCEPT rule.
And the way you make it work is:
The post-rule-setup.sh is applied from last to first rule, and if you put the REJECT before the ACCEPT it will apply them correctly to the firewall.
Yep, that did help :)
Thanks
smartcall
4th January 2007, 08:45
The howto is good and working, but at some point ISPConfig deleted the subdirectory and the post-rule-setup.sh file.
Most probably after the upgrade from 2.2.8 to 2.2.9
Regards,
Apostol
falko
5th January 2007, 16:44
During an update ISPConfig renames /etc/Bastille to /etc/Bastille_somedate and creates a new /etc/Bastille directory, that's why the subdirectory is missing now.
tal56
26th April 2008, 22:49
During an update ISPConfig renames /etc/Bastille to /etc/Bastille_somedate and creates a new /etc/Bastille directory, that's why the subdirectory is missing now.
Sorry to drag up an old thread, but I would like to add some rules to the firewall, such as IP blocking and stuff. However, it would seem from Falko's comments here that if I do it this way, then after each upgrade I have to fix the firewall again?
I also have Webmin installed on a development server alongside ISPConfig, and when I go to edit the firewall in there, it gives me the option of converting the existing ISPConfig firewall to the Webmin-managed one; then you can edit the Webmin one from there. I've tested it and it seems OK; are there any problems with using it this way instead? Of course I did turn off the ISPConfig firewall in services after I've converted it. But it seems that after this is done, I can now upgrade ISPConfig without having to redo the firewall additions each time?
Thanks
falko
27th April 2008, 20:48
Sorry to drag up an old thread, but I would like to add some rules to the firewall, such as IP blocking and stuff. However, it would seem from Falko's comments here that if I do it this way, then after each upgrade I have to fix the firewall again?
Yes.
I also have Webmin installed on a development server alongside ISPConfig, and when I go to edit the firewall in there, it gives me the option of converting the existing ISPConfig firewall to the Webmin-managed one; then you can edit the Webmin one from there. I've tested it and it seems OK; are there any problems with using it this way instead? Of course I did turn off the ISPConfig firewall in services after I've converted it. But it seems that after this is done, I can now upgrade ISPConfig without having to redo the firewall additions each time?
I think this is ok as long as you tell ISPConfig not to start the ISPConfig firewall.
daveb
27th April 2008, 22:37
I have a set of rules I use in /etc/Bastille/firewall.d/post-rule-setup.sh.
Since the release of 2.2.16 or so my rules in post-rule-setup.sh are kept after the update.
tal56
28th April 2008, 20:21
I've found this on another site to reduce brute force hacking using only iptables:
here's an easy fix. It drops new ssh connections coming from the same IP with less than 15s intervals (or any timeout you want). In my server, this has shown to stop the automated attempts on the first failed connection - and even if the attacker waits for the 15s, it makes brute-force attempts not practical.
For legit sessions, 15s is reasonable (at least for me) between session starts.
It's just two lines on the iptables configuration. No other change required:
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
(eth0 is my external interface; I'm not limiting intranet connections)
This assumes you already have
iptables -A INPUT -j ACCEPT -p tcp ! --syn -s [REMOTENET] -d [OUTERNET]
above that, to accept established connection packets.
And I would like to add it to the firewall rules. Would the two lines just replace the existing reference to port 22 in the default ISPConfig firewall rules? This seems like a good way to slow down the brute force attacks on servers.
Also, I've seen this code in the comments on the DenyHosts howto:
Another approach that is more generic (can be used with any port/service) is to use the IPT_RECENT module that comes with netfilter:
For example I have the following lines in my iptables config:
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m state --state NEW -m recent --set --name SSH
iptables -A SSH_CHECK -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH
iptables -A SSH_CHECK -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH -j DROP
which basically kick-bans the source IP for 60 seconds if more than 3 connections are attempted in a 60 second limit.
I've found this to be 100% effective.
Both seem like good methods without having to install any separate software. From looking at them, which would you suggest to be the better method to add?
Thanks
daveb
28th April 2008, 21:05
Here is what I added to my post-rule-setup.sh for ssh.
/sbin/iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
/sbin/iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
tal56
30th April 2008, 08:15
Here is what I added to my post-rule-setup.sh for ssh.
/sbin/iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
/sbin/iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
Where did you add those 2 lines to the existing ispconfig firewall rule? Did you just replace the line that refers to port 22 for ssh? Thanks
daveb
30th April 2008, 08:16
I added them to /etc/Bastille/firewall.d/post-rule-setup.sh
tal56
30th April 2008, 08:19
I added them to /etc/Bastille/firewall.d/post-rule-setup.sh
I see. So if I just put only those 2 lines in the post-rule-setup.sh file, it should work? I need to test this out soon as I'm getting a lot of hack attempts and don't really want to disable root on ssh. Thanks
daveb
30th April 2008, 08:21
Yeah, I believe I had to create the dir firewall.d and the file post-rule-setup.sh, add my rules, restart bastille (/etc/init.d/bastille-firewall restart), and you can check your rules with iptables -L
tal56
30th April 2008, 08:42
Yeah, I believe I had to create the dir firewall.d and the file post-rule-setup.sh, add my rules, restart bastille (/etc/init.d/bastille-firewall restart), and you can check your rules with iptables -L
That sounds like exactly what I'm looking for. I'll give it a try as well and see if it helps reduce the hack attempts. I'll also post back later and let everyone know if I had to redo the rules after an upgrade, as I'll be upgrading soon.
Daveb,
I've added the lines to my firewall as you explained, however I'm not certain it's working as I tried connecting to ssh through putty several times with the wrong password and it keeps letting me try. The only thing I've changed is the ETH in your line to "ETH0" for my network card.
Here is my iptables -L output. Can you let me know if it looks ok, and how I can test this? Thanks
[root@server3 post-rule-setup.sh]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere 127.0.0.0/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: SSH side: source
DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: SSH side: source
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain PAROLE (9 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:http
PAROLE tcp -- anywhere anywhere tcp dpt:hosts2-ns
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:ndmp
ACCEPT udp -- anywhere anywhere udp dpt:domain
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
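A small generator for the hook file, added here as an example; it is not code from this thread, from ISPConfig or from Bastille. It ties together three points raised above: smartcall's observation that -I inserts at the top of INPUT, so rules written in reading order end up reversed (the generator sidesteps that by appending to its own chain and inserting only the jump); falko's note that an ISPConfig update replaces /etc/Bastille, which is why the generator is meant to live outside that directory and be re-run afterwards; and the xt_recent connection limit from the DenyHosts comments and daveb's post, which is placed in INPUT because in tal56's listing the recent rules sit in FORWARD below a "DROP all" rule, where SSH traffic addressed to the host itself never reaches them. Assumptions: bastille-firewall executes post-rule-setup.sh after its own rules, as the thread describes; the binary is /sbin/iptables; Bastille rebuilds INPUT on restart (the SSH_ACL chain is created if absent and flushed if present either way); and the addresses 192.0.2.10 and 198.51.100.0/24 are constructed sample values from the documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread, ISPConfig or Bastille): render
# /etc/Bastille/firewall.d/post-rule-setup.sh from a list of source
# addresses allowed to reach SSH. Assumes bastille-firewall runs the hook
# after its own rules and that the binary is /sbin/iptables. Usage:
#   sh gen-ssh-acl.sh 192.0.2.10 198.51.100.0/24 > /etc/Bastille/firewall.d/post-rule-setup.sh
#   /etc/init.d/bastille-firewall restart
# Keep this generator outside /etc/Bastille so it survives an ISPConfig
# update that replaces that directory, and re-run it afterwards.

IPTABLES="${IPTABLES:-/sbin/iptables}"
SSH_PORT="${SSH_PORT:-22}"
# The Nth new SSH connection from one source within 60 s is dropped
# (xt_recent, as in the thread); 0 disables the limit.
SSH_HITCOUNT="${SSH_HITCOUNT:-4}"
CHAIN=SSH_ACL

# Return 0 when $1 is a dotted-quad IPv4 address with an optional /0-32
# prefix. Catches typos such as an octet above 255 before iptables does.
valid_ipv4_cidr() {
    addr=${1%%/*}
    if [ "$addr" != "$1" ]; then
        prefix=${1#*/}
        case $prefix in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    rest="$addr."
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        count=$((count + 1))
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    [ "$count" -eq 4 ]
}

# Print the hook file. The rules live in a dedicated chain that is appended
# in reading order, so the REJECT stays last however many sources follow; a
# single -I puts the jump ahead of Bastille's own INPUT rules, which is where
# the thread's -I rules ended up as well. Only new SSH connections (--syn)
# are sent through the chain, so replies and established sessions are
# untouched.
render_post_rule_setup() {
    [ "$#" -gt 0 ] || { echo "at least one allowed source address is required" >&2; return 1; }
    for net in "$@"; do
        valid_ipv4_cidr "$net" || { echo "invalid IPv4 address or network: $net" >&2; return 1; }
    done
    echo '#!/bin/sh'
    echo "# Generated SSH access list; re-run the generator after an ISPConfig update."
    echo "$IPTABLES -N $CHAIN 2>/dev/null || $IPTABLES -F $CHAIN"
    if [ "$SSH_HITCOUNT" -gt 0 ]; then
        # Record every new connection, then drop the source once it has
        # reached the hit count inside the window (same pattern as the thread).
        echo "$IPTABLES -A $CHAIN -m recent --name SSH --set"
        echo "$IPTABLES -A $CHAIN -m recent --name SSH --update --seconds 60 --hitcount $SSH_HITCOUNT --rttl -j DROP"
    fi
    for net in "$@"; do
        echo "$IPTABLES -A $CHAIN -s $net -j ACCEPT"
    done
    echo "$IPTABLES -A $CHAIN -j REJECT"
    echo "$IPTABLES -I INPUT -p tcp -m tcp --dport $SSH_PORT --syn -j $CHAIN"
}

if [ "$#" -gt 0 ]; then
    render_post_rule_setup "$@"
else
    echo "usage: $0 ADDRESS[/PREFIX]..." >&2
fi
```

After the restart, iptables -L INPUT -n --line-numbers should show the jump to SSH_ACL on line 1, and iptables -L SSH_ACL -n the ACCEPT lines above the final REJECT; if the jump is missing, the hook was not executed, and if it sits below Bastille's PUB_IN dispatch, the -I happened before Bastille rebuilt INPUT.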
chillifire
9th June 2008, 01:50
I tried to add the following two rules
/sbin/iptables -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
/sbin/iptables -t nat -A OUTPUT -p tcp -d a.b.c.d --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
based on advice received from this post: http://www.howtoforge.com/forums/showthread.php?t=23889&goto=newpost
(The purpose is to relay a http request from any external workstation via an OpenVPN server to an OpenVPN client which has no public IP address). a.b.c.d is obviously replaced with my public IP address on my system.
Now, I added a file pre-chain-split.sh to a new directory firewall.d under /etc/Bastille as described in this post. The restart runs through just fine:
root@blackbird:/etc/Bastille/firewall.d# /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
but no iptables rule seems to be appended. The output of iptables -L -v (as shown below) is exactly as before, and a PREROUTING chain is not even mentioned.
I deliberately put an error into pre-chain-split.sh to check whether it is even run. And yes, I get an error message if I build an error into the file, so we know it is executed fine.
Any idea anyone why this might not be working for me?
Cheers
chillifire
Appendix: Output of iptables -L -v
root@blackbird:/etc/Bastille/firewall.d# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- !lo any anywhere 127.0.0.0/8
1505 160K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
37 1924 ACCEPT all -- lo any anywhere anywhere
0 0 DROP all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere
19 1046 PUB_IN all -- eth+ any anywhere anywhere
0 0 PUB_IN all -- ppp+ any anywhere anywhere
0 0 PUB_IN all -- slip+ any anywhere anywhere
0 0 PUB_IN all -- venet+ any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 278 packets, 24730 bytes)
pkts bytes target prot opt in out source destination
2361 474K PUB_OUT all -- any eth+ anywhere anywhere
0 0 PUB_OUT all -- any ppp+ anywhere anywhere
0 0 PUB_OUT all -- any slip+ anywhere anywhere
0 0 PUB_OUT all -- any venet+ anywhere anywhere
Chain INT_IN (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
Chain INT_OUT (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere
Chain PAROLE (16 references)
pkts bytes target prot opt in out source destination
18 976 ACCEPT all -- any any anywhere anywhere
Chain PUB_IN (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:ftp
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:smtp
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:domain
16 856 PAROLE tcp -- any any anywhere anywhere tcp dpt:www
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:81
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:pop3
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:https
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:webmin
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:radius
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:radius-acct
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:mysql
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:openvpn
2 120 PAROLE tcp -- any any anywhere anywhere tcp dpt:munin
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:2812
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:4960
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
1 70 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn
0 0 DROP icmp -- any any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
Chain PUB_OUT (4 references)
pkts bytes target prot opt in out source destination
2357 472K ACCEPT all -- any any anywhere anywhere
falko
9th June 2008, 13:38
Can you try this? http://www.howtoforge.com/forums/showthread.php?t=6209
chillifire
9th June 2008, 14:10
Hi falko,
I am not sure I understand your response. Try what?
Looking at your link (earlier posts of this very same thread), suggests to put iptable rules into a file "pre-chain-split.sh" in directory /etc/Bastille/firewall.d, which is exactly what I have done. Is there something else in this post I have overlooked that you want me to try?
Cheers
just.another.alex
9th June 2008, 18:27
To display the content in the "nat" table (where POSTROUTING and PREROUTING chains are), you should issue an:
/sbin/iptables -t nat -L
chillifire
10th June 2008, 00:33
Thanks, now I can see them. It was actually working; I just could not see the entries with iptables -L -v
I had to enter iptables -t nat -L for it to work
Thanks
Hanno
PS: I consider myself a reasonably intelligent person, but this iptables business is witchcraft to me, and developed by a pretty deviant witch at that. Is there a decent online tutorial or book that teaches iptables that you can recommend? Please don't point out the often quoted http://iptables-tutorial.frozentux.net/iptables-tutorial.html as this must have been written by that deviant witch :)