HowtoForge

Extending Perfect Server - Debian Squeeze [ISPConfig 3] - Page 5

11. Hardening you system

First of all, make sure that you have set the security level to High, in Server Config - Web (tab) of ISPConfig3 panel.

The following instructions are just a demostration. Please fully understand them (by reading documentation over the Internet), before you apply and use them.

In general, if you follow them, you can rate limit traffic on specific ports, reduce syn connections and prevent intrusions that use known bad packets. To apply them create the folder /root/scripts (if it doesn't exist) and the following 5 files. (loadfw, unloadfw, IPs, fwrules and reloadfail2ban). The first will contain the script to load the rules, the second the script to unload the rules, the third will contain the "BAD" IPs and the "BAD" networks, the fourth the custom rules and the fifth some commands to reload eveything (including fail2ban).

mkdir /root/scripts
touch /root/scripts/loadfw
touch /root/scripts/unloadfw
touch /root/scripts/IPs
touch /root/scripts/fwrules
touch /root/scripts/reloadfail2ban
cd /root/scripts
nano loadfw

Paste the following:

#!/bin/bash
# Simple iptables IP/subnet load script
# ----------------------------------------------------------

cd /root/scripts/

IPT=/sbin/iptables
DROPMSG="fwBLOCKED "
BADIPS=$(egrep -v -E "^#|^$" /root/scripts/IPs)

while read fwrule
do
$IPT -I INPUT $fwrule

done < /root/scripts/fwrules

for ipblock in $BADIPS
do
$IPT -I INPUT -s $ipblock -j DROP
$IPT -I INPUT -s $ipblock -j LOG --log-prefix "$DROPMSG"
done

Edit unloadfw:

nano unloadfw

Paste the following:

#!/bin/bash
# Simple iptables IP/subnet unload script
# ---------------------------------------------------------


cd /root/scripts/

IPT=/sbin/iptables
DROPMSG="fwBLOCKED "
BADIPS=$(egrep -v -E "^#|^$" /root/scripts/IPs)

while read fwrule
do
$IPT -D INPUT $fwrule

done < /root/scripts/fwrules
for ipblock in $BADIPS
do
$IPT -D INPUT -s $ipblock -j DROP
$IPT -D INPUT -s $ipblock -j LOG --log-prefix "$DROPMSG"done

Edit IPs:

nano IPs

Paste the annoying IPs (e.g. IPs banned multiple times by fail2ban) or whole networks. You can add here IPs or netwroks at any time, but before you make any modification (especially if you remove sth) you have to run "/root/scripts/unloadfw". Afterward you can edit the file, inserting IPs or networks and finally you have to run "/root/scripts/loadfw" (see below)

#IP
x.y.z.w
x.q.a.r

#netwroks
d.r.t.h/24

#mailservers
a.g.h.j

(You can use http://www.countryipblocks.net to see the networks that are assosiated with each country). Edit fwrules:

nano fwrules

Paste the following (and anything else that can be inserted (-I) or deleted (-D) in/from INPUT chain. The rules are for servers with a single network interface (eth0). Please change them to fit your needs (e.g. change eth0 if your network interface is different).

-p tcp --dport 50022 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw50022 -j DROP
-p tcp --dport 50022 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw50022 -j LOG --log-prefix "LMfwport50022"
-p tcp --dport 50022 -i eth0 -m state --state NEW -m recent --set --name fw50022
-p tcp --dport 50000 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw50000 -j DROP
-p tcp --dport 50000 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw50000 -j LOG --log-prefix "LMfwport50000"
-p tcp --dport 50000 -i eth0 -m state --state NEW -m recent --set --name fw50000
-p tcp --dport 10000 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw10000 -j DROP
-p tcp --dport 10000 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw10000 -j LOG --log-prefix "LMfwport10000"
-p tcp --dport 10000 -i eth0 -m state --state NEW -m recent --set --name fw10000
-p tcp --dport 25 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 20 --name fw25 -j DROP
-p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name fw25 -j LOG --log-prefix "LMfwport25"
-p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set --name fw25
-p tcp --dport 110 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 20 --name fw110 -j DROP
-p tcp --dport 110 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name fw110 -j LOG --log-prefix "LMfwport110"
-p tcp --dport 110 -i eth0 -m state --state NEW -m recent --set --name fw110
-p tcp --dport 50443 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw50443 -j DROP
-p tcp --dport 50443 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw50443 -j LOG --log-prefix "LMfwport50443"
-p tcp --dport 50443 -i eth0 -m state --state NEW -m recent --set --name fw7443
-p tcp --dport 22 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw22 -j DROP
-p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw22 -j LOG --log-prefix "LMfwport22"
-p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set --name fw22
-p tcp --dport 20 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw20 -j DROP
-p tcp --dport 20 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw20 -j LOG --log-prefix "LMfwport20"
-p tcp --dport 20 -i eth0 -m state --state NEW -m recent --set --name fw20
-p tcp --dport 21 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw21 -j DROP
-p tcp --dport 21 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw21 -j LOG --log-prefix "LMfwport21"
-p tcp --dport 21 -i eth0 -m state --state NEW -m recent --set --name fw21
-p tcp --dport 143 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 20 --name fw143 -j DROP
-p tcp --dport 143 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name fw143 -j LOG --log-prefix "LMfwport143"
-p tcp --dport 143 -i eth0 -m state --state NEW -m recent --set --name fw143
-p tcp --dport 53 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw53 -j DROP
-p tcp --dport 53 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw53 -j LOG --log-prefix "LMfwport53"
-p tcp --dport 53 -i eth0 -m state --state NEW -m recent --set --name fw53
-p tcp --dport 443 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw443 -j DROP
-p tcp --dport 443 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw443 -j LOG --log-prefix "LMfwport443"
-p tcp --dport 443 -i eth0 -m state --state NEW -m recent --set --name fw443
-p tcp --dport 8081 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw8081 -j DROP
-p tcp --dport 8081 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw8081 -j LOG --log-prefix "LMfwport8081"
-p tcp --dport 8081 -i eth0 -m state --state NEW -m recent --set --name fw8081
-p icmp -j DROP
-p icmp -m limit --limit 2/s -j ACCEPT
-p tcp --syn --dport 80 -m connlimit --connlimit-above 25 -j DROP
-p tcp --syn --dport 80 -m connlimit --connlimit-above 25 -j LOG --log-prefix "BLfwsyn80"
-p tcp --syn --dport 443 -m connlimit --connlimit-above 25 -j DROP
-p tcp --syn --dport 443 -m connlimit --connlimit-above 25 -j LOG --log-prefix "BLfwsyn443"
-p tcp --syn --dport 50443 -m connlimit --connlimit-above 25 -j DROP
-p tcp --syn --dport 50443 -m connlimit --connlimit-above 25 -j LOG --log-prefix "BLfwsyn50443"
-p tcp --syn --dport 50022 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 50022 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn50022"
-p tcp --syn --dport 22 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 22 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn22"
-p tcp --syn --dport 50000 -m connlimit --connlimit-above 15 -j DROP
-p tcp --syn --dport 50000 -m connlimit --connlimit-above 15 -j LOG --log-prefix "BLfwsyn50000"
-p tcp --syn --dport 10000 -m connlimit --connlimit-above 15 -j DROP
-p tcp --syn --dport 10000 -m connlimit --connlimit-above 15 -j LOG --log-prefix "BLfwsyn10000"
-p tcp --syn --dport 25 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 25 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn25"
-p tcp --syn --dport 20 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 20 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn20"
-p tcp --syn --dport 21 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 21 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn21"
-p tcp --syn --dport 110 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 110 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn110"
-p tcp --syn --dport 143 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 143 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn143"
-p tcp --syn --dport 53 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 53 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn53"
-i eth0 -p tcp --tcp-flags ALL ALL -j DROP
-i eth0 -p tcp --tcp-flags ALL ALL -j LOG --log-level 4 --log-prefix "FLAAfw"
-i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level 4 --log-prefix "FINGfw"
-i eth0 -f -j DROP
-i eth0 -f -m limit --limit 6/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FRAGfw"
-i eth0 -p tcp --tcp-flags ALL NONE -j DROP
-i eth0 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULLfw"
-i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMASfw"
-i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level 4 --log-prefix "SYNRTSfw"
-i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level 4 --log-prefix "SYNRTSACKfw"
-i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level 4 --log-prefix "SYNRTSYNSfw"
-i eth0 -p tcp ! --syn -m state --state NEW -j DROP
-i eth0 -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "DROSYNCfw"

Edit reloadfail2ban:

nano reloadfail2ban

Paste the following:

#!/bin/bash

/etc/init.d/fail2ban restart
sleep 2
/root/scripts/unloadfw
sleep 2
/root/scripts/loadfw

Keep in mind that the reloadfail2ban script just unloads the custom rules in fwrules, restarts fail2ban and loads the rules in fwrules again. It doesn't do a full firewall restart. So before you edit the rules in this file (or IPs file), unload them with unloadfw. The role of reloadfail2ban is to test the functionality of fail2ban

Finally execute:

chmod 700 reloadfail2ban
chmod 700 unloadfw
chmod 700 loadfw
/root/scripts/reloadfail2ban

If you want the custom rules to load after every reboot paste the line: /root/scripts/loadfw in the end of /etc/init.d/rc.local:

nano /etc/init.d/rc.local

and append:

[...]
/root/scripts/loadfw

(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It creates a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.

IP addresses with over a pre-configured number of connections are automatically blocked in the server's firewall, which can be direct iptables or Advanced Policy Firewall (APF). To install (D)DoS Deflate:

cd /tmp
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

Edit /usr/local/ddos/ddos.conf and apply the follow changes that will disable APF firewall and use plain iptables, email events to root and block IP with more than 100 connections per minute.

[...]
APF_BAN=0
EMAIL_TO="root"
NO_OF_CONNECTIONS=100
[...]

The above are just a bunch of suggestions. You can extend them as you like.

The implementation is just one approach of many. You can use a firewall solution like APF, Shorewall etc. I would be gland to include more different approaches in companion with this one.

Extending Perfect Server - Debian Squeeze [ISPConfig 3] - Page 5