A quick how to: Linux Firewalls
Written by Chris Borkowski, Tuesday, 16 March 2010 15:58

Here's a very brief how-to on configuring your Linux software firewall to keep the bad guys out. You'll need root access to your server to perform these actions.

First log in to your server and become root by issuing the "su" command.

Take a look at your logs in /var/log/secure to see who's been trying to get into your server. Issue the following command via a shell:

[root@aux cborkowski]# tail /var/log/secure

or

[root@aux cborkowski]# less /var/log/secure

The output will show something like this if there have been failed login attempts:

Mar 14 16:09:12 aux sshd[10222]: Failed password for root from 24.147.232.255 port 39077 ssh2
Mar 14 16:09:12 aux sshd[10223]: Received disconnect from 24.147.232.255: 11: Bye Bye
d=0 tty=ssh ruser= rhost=c-24-147-232-255.hsd1.ma.comcast.net user=root
Mar 14 16:09:24 aux sshd[10237]: Failed password for root from 24.147.232.255 port 39349 ssh2
Mar 14 16:09:24 aux sshd[10238]: Connection closed by 24.147.232.255
Mar 14 16:12:55 aux sshd[10412]: Invalid user nf3ct from 24.147.232.255
Mar 14 16:12:55 aux sshd[10413]: input_userauth_request: invalid user nf3ct

Clearly someone or something at the IP address 24.147.232.255 is trying to get into your server.

You may want to try to find out more about this address. The whois and traceroute commands will give you a bit of information about the IP address.

Issue the following command:

[root@aux cborkowski]# whois 24.147.232.255
[Querying whois.arin.net]
[whois.arin.net]
Comcast Cable Communications Holdings, Inc RW2-NORTHEAST-4 (NET-24-147-0-0-1)
24.147.0.0 - 24.147.255.255
Comcast Cable Communications Holdings, Inc NEW-ENGLAND-11 (NET-24-147-128-0-1)
24.147.128.0 - 24.147.255.255

# ARIN WHOIS database, last updated 2010-03-15 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html

Now try the traceroute command:

[root@aux cborkowski]# traceroute 24.147.232.255

traceroute to 24.147.232.255 (24.147.232.255), 30 hops max, 40 byte packets
1 192.168.1.205 (192.168.1.205) 2.559 ms 2.845 ms 3.083 ms
2 192.168.1.36 (192.168.1.36) 1.940 ms 2.004 ms 2.059 ms
3 63.116.182.1 (63.116.182.1) 3.090 ms * *
4 500.MFR425.GW16.NYC9.ALTER.NET (65.194.77.129) 662.010 ms 662.004 ms 662.016 ms
5 0.ge-3-0-0.XT1.NYC9.ALTER.NET (152.63.22.138) 662.052 ms 662.045 ms 662.033 ms

This will give you some idea of who or what is trying to log in to your server. If you deem the login attempts suspicious, it's time to take some action and shut that IP down for good.

Here are some commands to issue to get a basic deny rule in place and running on your software firewall. (The paths may differ depending on your flavor of Linux.) In this example I am using Red Hat Enterprise Linux 5.

Adding a firewall rule for a single address:

[root@aux cborkowski]# /sbin/iptables -A INPUT -s 24.147.232.255 -j DROP

Adding a firewall rule for a whole subnet range of IPs:

[root@aux cborkowski]# /sbin/iptables -A INPUT -s 24.147.232.0/24 -j DROP

Once you've added the rule, you'll want to commit it to the config file. Issue the following to save the rule:

[root@aux cborkowski]# /sbin/service iptables save

Now that the rule is in place it's time to fire up the software firewall. Issue the following command:

[root@aux cborkowski]# /etc/init.d/iptables start

You now have a software firewall running. Check its status by issuing the following command:

[root@aux init.d]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all -- 202.199.158.0/24 0.0.0.0/0
2 DROP all -- 219.147.173.0/24 0.0.0.0/0
3 DROP all -- 83.242.228.0/24 0.0.0.0/0
4 DROP all -- 202.113.16.0/24 0.0.0.0/0
5 DROP all -- 24.186.183.0/24 0.0.0.0/0
6 DROP all -- 62.212.67.0/24 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination

Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination


There you go! Repeat the steps to add more IPs if you see suspicious activity in your logs.
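Repeating those steps by hand gets old quickly. The script below is an added example (not part of the original article): it tallies failed SSH logins per source address from lines in the /var/log/secure format shown above and prints the article's single-address DROP rule for every address at or above a threshold. It uses constructed sample log lines with documentation-range addresses, and only prints the rules so you can review them before running anything.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source address and emit the
# iptables DROP rules from the article for repeat offenders (dry run).

# Constructed sample lines in /var/log/secure format; the addresses are
# documentation-range values, not real hosts.
SAMPLE_LOG='Mar 14 16:09:12 aux sshd[10222]: Failed password for root from 203.0.113.45 port 39077 ssh2
Mar 14 16:09:24 aux sshd[10237]: Failed password for root from 203.0.113.45 port 39349 ssh2
Mar 14 16:12:55 aux sshd[10412]: Invalid user nf3ct from 203.0.113.45
Mar 14 16:13:01 aux sshd[10420]: Accepted password for cborkowski from 198.51.100.7 port 51000 ssh2
Mar 14 16:15:10 aux sshd[10431]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2'

# failed_by_ip: read sshd log lines on stdin and print "count ip",
# most failures first. Only failed-password and invalid-user lines count;
# successful logins are ignored.
failed_by_ip() {
    grep -E 'sshd\[[0-9]+\]: (Failed password for|Invalid user)' \
    | sed -n 's/.* from \([0-9.]*\).*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# offenders THRESHOLD: print only addresses with at least THRESHOLD failures.
offenders() {
    failed_by_ip | awk -v t="$1" '$1+0 >= t+0 {print $2}'
}

# drop_rules THRESHOLD: print the article's single-address DROP rule for
# each offender. Nothing is executed; review the output, then run it as root.
drop_rules() {
    offenders "$1" | while read -r ip; do
        printf '/sbin/iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone usage: to use real logs, replace the printf with
#   cat /var/log/secure | drop_rules 3
printf '%s\n' "$SAMPLE_LOG" | drop_rules 3
```

Because the rules are appended with -A, they only take effect if no earlier ACCEPT rule in the INPUT chain matches the traffic first; check the order with the status command above after saving.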

It always helps to read the documentation on iptables. You can call up the manual by issuing the following:

[root@aux init.d]# man iptables

Read more here:

http://www.linuxtopia.org/online_books/rhel5/rhel5_administration/rhel5_ch-iptables.htm


Last Updated ( Saturday, 06 November 2010 23:01 )