How to protect a Linux server against denial of service “DoS” attacks

According to Wikipedia, a denial of service “DoS” attack is:

In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regards to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.[1]

One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

Most of the time, though, this kind of attack is aimed at servers exposed on the Internet (web, SSH, FTP), and that is the case I am going to cover here: how to protect a Linux server against denial of service “DoS” attacks using fail2ban.

What is Fail2ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, etc. Generally Fail2ban is then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other action (e.g. sending an email) can also be configured. Out of the box Fail2ban comes with filters for various services (apache, courier, ssh, etc.).

Fail2ban reduces the rate of incorrect authentication attempts, but it cannot eliminate the risk that weak authentication presents. If you really want to protect a service, configure it to use only two-factor or public/private key authentication.

Installation

Open a Terminal “CTRL+ALT+T” and type this command line:

Debian / Ubuntu

# sudo -i 
# apt-get install fail2ban

Red Hat / CentOS

# su
# yum install fail2ban

Configuration

Whichever distribution you are using, the configuration lives in two main files:

/etc/fail2ban/fail2ban.conf
/etc/fail2ban/jail.conf

Make a ‘local’ copy of jail.conf (or fail2ban.conf) in /etc/fail2ban and edit that copy: fail2ban reads the .local file as an override, and the .conf file is replaced on package upgrades.

cd /etc/fail2ban
cp jail.conf jail.local

Now edit the file:

nano jail.local

Basic configurations are listed under the [DEFAULT] heading in the configuration file for fail2ban.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime  = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

Protect SSH/SFTP

Below the basic settings in the same file you will find the section for SSH, [ssh-iptables]. Update the section and restart the fail2ban service. Make sure logpath points at the log your distribution actually writes: /var/log/secure on Red Hat / CentOS, /var/log/auth.log on Debian / Ubuntu.

Example:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 3

Then restart the service:

# service fail2ban restart
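To make the interplay of bantime, findtime and maxretry concrete, here is an added Python model of how fail2ban counts failures (written for this page, not fail2ban's own code). It runs a simplified stand-in for the sshd failregex over constructed /var/log/secure lines using the settings above, and reports which hosts would be banned and until when; the regex, the sample lines and the host names are assumptions.

```python
import re
from datetime import datetime, timedelta
# Values from the [DEFAULT] and [ssh-iptables] sections above.
BANTIME, FINDTIME, MAXRETRY = 600, 600, 3
IGNOREIP = {"127.0.0.1"}
# Simplified stand-in for fail2ban's sshd failregex (an assumption, not the
# project's exact pattern): captures the client address of a failed login.
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")
# Constructed /var/log/secure excerpt, not a real capture.
SAMPLE_LOG = """\
Mar  3 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:01:10 srv sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  3 10:02:30 srv sshd[1203]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  3 10:03:00 srv sshd[1204]: Failed password for root from 198.51.100.9 port 50000 ssh2
Mar  3 10:05:00 srv sshd[1205]: Failed password for root from 127.0.0.1 port 60000 ssh2
Mar  3 10:20:00 srv sshd[1206]: Failed password for root from 198.51.100.9 port 50001 ssh2
Mar  3 10:21:00 srv sshd[1207]: Failed password for root from 198.51.100.9 port 50002 ssh2
Mar  3 10:30:00 srv sshd[1208]: Accepted publickey for deploy from 203.0.113.77 port 51000 ssh2
"""

def syslog_time(text):
    """Parse 'Mar  3 10:00:01'; syslog has no year, strptime uses 1900 (fine within one file)."""
    return datetime.strptime(" ".join(text.split()[:3]), "%b %d %H:%M:%S")

def scan(lines):
    """Apply maxretry-inside-findtime per host; return {host: ban start time}."""
    recent, bans = {}, {}                 # recent: host -> failure times still in window
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue                      # not a failure line: ignored, as fail2ban does
        ts, host = syslog_time(line), m.group("host")
        if host in IGNOREIP:
            continue                      # ignoreip: never counted, never banned
        if host in bans and ts - bans[host] < timedelta(seconds=BANTIME):
            continue                      # still banned: the firewall already drops it
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=FINDTIME)]
        window.append(ts)
        recent[host] = window
        if len(window) >= MAXRETRY:       # third failure inside findtime -> ban
            bans[host], recent[host] = ts, []
    return bans

def is_banned(bans, host, when):
    """True if host is still banned at syslog time 'when' (honours bantime expiry)."""
    start = bans.get(host)
    return start is not None and syslog_time(when) - start < timedelta(seconds=BANTIME)

BANS = scan(SAMPLE_LOG.splitlines())
```

Note that 198.51.100.9 also fails three times, but its first failure falls outside the 600-second findtime window, so it is never banned.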

Protect your FTP server (ProFTPD). The [proftpd-iptables] jail ships disabled in jail.conf; set enabled = true in jail.local to activate it, then restart the service.

Example:

[proftpd-iptables]

# Shipped as "false"; set to "true" to activate the jail.
enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 5

Then restart the service:

# service fail2ban restart

How to set up iptables (via UFW) on Linux Debian / Ubuntu

A firewall is a system or router that sits between an external network (i.e. the Internet) and an internal network. This internal network can be a large LAN at a business or your networked home PCs. The firewall in its simplest form is like a one-way street. It allows people on the internal network to access the external network (the Internet), but it restricts traffic so that no one can use the external network to access the systems or files on the internal network.

A firewall has two network connections, one for the external network and one for the internal network. Traffic that is allowed to flow between the two networks is internally “bridged” (using a FORWARD rule) between these two connections. Disallowed traffic is not. This decision-based bridging of traffic between two connections is called “routing” or “IP forwarding”. What this means is that any firewall, by its very nature, is a router (but not all routers block traffic, so not all routers are firewalls).

Login as root

Log in as the root user, either in a local Terminal or over an SSH session, by typing the following command:

sudo -i

Install UFW

“This software is used for managing a Linux firewall and aims to provide an easy to use interface for the user”.

Type this command line:

apt-get install ufw

Find status of firewall

Type the following command:

ufw status verbose

Sample outputs:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

Enable firewall

Type the following command to enable the firewall now and on every boot:

ufw enable

Sample outputs:

Firewall is active and enabled on system startup

Disable firewall

Type the following command to disable the firewall now and on every boot:

ufw disable

Sample outputs:

Firewall stopped and disabled on system startup

Restart firewall

Type the following command to restart firewall:

ufw reload

Sample outputs:

Firewall reloaded

Note that by default, deny is applied to incoming traffic. There are exceptions, which can be found in the output of this command:

ufw show raw

 You can also read the rules files in /etc/ufw (the files whose names end with .rules).

iptables

Allow and Deny (specific rules)

 Allow

ufw allow <port>/<optional: protocol>

example: To allow incoming tcp and udp packets on port 53

  • ufw allow 53

example: To allow incoming tcp packets on port 53

  • ufw allow 53/tcp

example: To allow incoming udp packets on port 53

  • ufw allow 53/udp

Deny

ufw deny <port>/<optional: protocol>

example: To deny incoming tcp and udp packets on port 53

  • ufw deny 53

example: To deny incoming tcp packets on port 53

  • ufw deny 53/tcp

example: To deny incoming udp packets on port 53

  • ufw deny 53/udp

Delete Existing Rule

To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:

deny 80/tcp

Use this to delete it:

ufw delete deny 80/tcp

Services

You can also allow or deny by service name, since ufw reads the port mapping from /etc/services. To see the list of services:

less /etc/services

Allow by Service Name

ufw allow <service name>

example: to allow ssh by name

  • ufw allow ssh

Deny by Service Name

ufw deny <service name>

example: to deny ssh by name

  • ufw deny ssh

Logging

To enable logging use:

ufw logging on

To disable logging use:

ufw logging off

Advanced Syntax

You can also use a fuller syntax, specifying the source and destination addresses, ports and protocols.

Allow Access

This section shows how to allow specific access.

Allow by Specific IP

ufw allow from <ip address>

example: To allow packets from 107.46.232.182:

  • ufw allow from 107.46.232.182

Allow by Subnet

You may also use a network mask to allow a whole subnet:

ufw allow from 192.168.1.0/24

Allow by specific port and IP address

ufw allow from <target> to <destination> port <port number>

example: allow IP address 192.168.0.4 access to port 22 for all protocols

  • ufw allow from 192.168.0.4 to any port 22

Allow by specific port, IP address and protocol

ufw allow from <target> to <destination> port <port number> proto <protocol name>

example: allow IP address 192.168.0.4 access to port 22 using TCP

  • ufw allow from 192.168.0.4 to any port 22 proto tcp

Enable PING

Note: Security by obscurity may be of very little actual benefit with modern cracker scripts. By default, UFW allows ping requests. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems.

In order to disable ping (icmp) requests, you need to edit /etc/ufw/before.rules and remove the following lines. If you only want to stop ping, change just the echo-request line: destination-unreachable and time-exceeded are what path MTU discovery and traceroute rely on, and dropping them causes hard-to-diagnose connectivity problems.

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

or change “ACCEPT” to “DROP” on those lines:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

Deny Access

Deny by specific IP

ufw deny from <ip address>

example: To block packets from 107.46.232.182:

  • ufw deny from 107.46.232.182

Deny by specific port and IP address

ufw deny from <ip address> to <destination> port <port number>

example: deny ip address 192.168.0.1 access to port 22 for all protocols

  • ufw deny from 192.168.0.1 to any port 22

Working with numbered rules

Listing rules with a reference number

You may use status numbered to show the order and id number of rules:

ufw status numbered

Editing numbered rules

Delete numbered rule

You may then delete rules using the number. This will delete the first rule and rules will shift up to fill in the list.

ufw delete 1

Insert numbered rule

ufw insert 1 allow from <ip address>

Advanced Example

Scenario: You want to block access to port 22 from 192.168.0.1 and 192.168.0.7, but allow all other 192.168.0.x IPs to access port 22 using tcp. Order matters: ufw applies the first rule that matches, so the two deny rules must be added before the broader allow rule (use ufw insert if the allow rule already exists).

ufw deny from 192.168.0.1 to any port 22
ufw deny from 192.168.0.7 to any port 22
ufw allow from 192.168.0.0/24 to any port 22 proto tcp
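As an added illustration, not part of the original page and not ufw's own code, this Python model evaluates the three rules above the way ufw does: in stored order, first match wins, falling back to the “Default: deny (incoming)” policy shown in the ufw status output earlier. It also models the numbered-rule insert from the previous section. The tuple format and the insert_rule helper are assumptions made for the model, and it ignores ufw's connection tracking.

```python
import ipaddress

# Rules in the order the three ufw commands above add them (ufw appends each
# rule and evaluates top to bottom, first match wins).
# Tuple: (action, source network, destination port, protocol);
# protocol None means "all protocols", i.e. "to any port 22" without "proto".
RULES = [
    ("deny",  "192.168.0.1/32", 22, None),
    ("deny",  "192.168.0.7/32", 22, None),
    ("allow", "192.168.0.0/24", 22, "tcp"),
]
DEFAULT_INCOMING = "deny"   # "Default: deny (incoming)" from ufw status verbose

def decide(rules, src, port, proto):
    """Action ufw would take on an incoming packet: first matching rule, else the default."""
    src_ip = ipaddress.ip_address(src)
    for action, net, rule_port, rule_proto in rules:
        if src_ip not in ipaddress.ip_network(net):
            continue                        # source outside the rule's network
        if rule_port is not None and rule_port != port:
            continue                        # different destination port
        if rule_proto is not None and rule_proto != proto:
            continue                        # rule is protocol-specific, packet is not that protocol
        return action
    return DEFAULT_INCOMING

def insert_rule(rules, position, rule):
    """Model of 'ufw insert <n> ...': place the rule at 1-based position n."""
    new = list(rules)
    new.insert(position - 1, rule)
    return new
```

Adding the deny rules after the allow rule (the wrong order) lets 192.168.0.1 through, which is exactly what ufw insert 1 is for.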