Ubuntu LAMP server security
10 Replies
@fernandoch:
What firewall would you install for a LAMP server?
I use iptables, blocking all but ports 80 and 443 - with an SSH brute force blocker. Here is my boot script:
#!/bin/sh
iptables -P FORWARD DROP
iptables -P INPUT ACCEPT
# drop new TCP connections arriving on eth0 for any port other than 80 and 443
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 0:79 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 81:442 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 444: -j DROP
# SSH brute-force limiter using the recent module
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSHbruteforce "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
James
Your script then also blocks port 22 for ssh?
What about ufw?
iptables -P INPUT DROP
Why?
@fernandoch:
According to this, your line 2 is wrong; it should be like this: http://library.linode.com/security/firewalls/iptables#sph_block-all-traffic-and-allow-traffic-on-specific-ports
iptables -P INPUT DROP
Why?
Basically, there are two methods:
drop everything and open what you need
accept everything and drop what you don't want
The Linode library uses the first one, which is preferable.
@fernandoch:
Thanks, but I never liked iptables; they are too complicated
:( Your script then also blocks port 22 for ssh?
What about ufw?
I use ufw in my Debian box because I don't like "plain" iptables either. You should try ufw and look at this: http://vincom2.wordpress.com/2010/04/07/logging-ufw-to-a-seperate-logfile/ if you don't want to see many ufw entries in your syslog file.
@drpks:
@fernandoch: Thanks, but I never liked iptables; they are too complicated
:( Your script then also blocks port 22 for ssh?
What about ufw?
I use ufw in my Debian box because I don't like "plain" iptables either. You should try ufw and look at this: http://vincom2.wordpress.com/2010/04/07/logging-ufw-to-a-seperate-logfile/ if you don't want to see many ufw entries in your syslog file.
+1 for UFW
On zunzun's example, I believe the first three rules (--syn --destination-port …) are a stateless (and necessarily TCP-only) equivalent of the common stateful pattern (as seen in the library article). Basically, it says "drop any new connections to a port that isn't kosher, and accept everything else"; the stateful pattern says "accept any existing connections, accept any new connections to a port that is kosher, and drop everything else".
Technically, zunzun's approach is probably more efficient, as it does not need to maintain a connection tracking table to be checked on every incoming packet. However, for a new design, I'd go stateful and perhaps notch out exceptions if you are doing something like handling ~500 NTP queries per second.
(My local router, based on Linux and powered by an Atheros AR7242 CPU at 400 MHz, has 250 connections in its tracking table and is handling about 430 packets/second, and is at about 8% CPU load. That's probably more than most Linodes…)
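The stateful pattern hoopycat describes, written out as a boot script in the shape of zunzun's. This is an added example, not code from the thread or from the Linode library article; it assumes the public interface is eth0 and sshd listens on port 22, and keeps the recent-module SSH limit but places it under a default-DROP policy.

```shell
#!/bin/sh
# Added example (not from the thread): the stateful pattern hoopycat
# describes. Default DROP, accept tracked connections, accept NEW only
# to the ports we serve, keep the recent-module SSH limit from the script.
# Assumptions: public interface eth0, sshd on port 22. Set IPT=echo for a
# dry run that prints the rules; run "sh fw.sh apply" to load them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"

apply_rules() {
    $IPT -F
    $IPT -X
    # Policies: nothing forwarded, nothing in unless a rule below allows it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback, and any packet belonging to a connection we already track.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Web: new connections to 80 and 443 on the public interface only.
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 80,443 \
        -m state --state NEW -j ACCEPT
    # SSH: record each new attempt per source; the 4th within 60 s is
    # logged (rate-limited) and dropped, earlier ones are accepted.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --set --name SSH
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH \
        -m limit --limit 3/min -j LOG --log-prefix "SSHbruteforce "
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Anything else (other ports, UDP, stray non-SYN packets) hits the DROP policy.
}

# Helper for checking a dry run: how many INPUT rules accept NEW connections.
count_accept_new() {
    (IPT=echo; apply_rules) | grep -c -- '--state NEW -j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```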
@hoopycat:
Under the hood, remember: it's all iptables.
ufw is an automatic transmission. For most stuff it's great. When you have a tough hill to climb you break out iptables.
I'd never again (never say never) use a manual transmission in city traffic.
(My other analogy is a CVT.)