Customizing Digitalocean Floating IPs

Digitalocean allows, for free, the option to add an additional IP address to your virtual machine ("droplet"). These floating IPs are similiar to Amazon AWS Elastic IPs and are tied to your account and location, rather than any specific instance This means that when an instance is destroyed, you can still preserve the floating address and migrate it to your new instance, providing it's in the same datacenter location. Floating IPs also have load balancing features, where if a site/instance goes down, it can automatically redirect to a backup instance. It is for these reasons it is…

read more...

Routeable Loopback Addresses

Today we will learn about loopback addresses that can be reached from the outside via routing. This is useful for running services on a router In a previous post, I talked about the loopback interface and how we can locally bind services to any address in the range 127.0.0.1-127.255.255.254. This is useful if 127.0.0.1 is already in use on a particular port. The main advantages of loopback addresses are: Adding additional addresses without the need to add extra interfaces Better availability of services, as long as you have a route to…

read more...

Comprehensive OpenVPN Tutorial

In this tutorial, we will look at managing an openvpn server and certificate authority and will provide a detailed breakdown of the configuration options Table of contents Setting up a CA Build the CA environment Generate the CA certificate Generate the CRL certificate Server Preparation Build the server environment Generate DH parameters Generate the certificate signing request Remove the passphrase on the server key Setting up the HMAC/TLS auth static key Creating a template for clientsIptables Firewall settings Client preparation Build the client environment Generate the certificate request Connecting clients Signing requests on the CA Importing a requestSigning a…

read more...

Rate-limiting logging on the Ubiquiti EdgeRouter Lite

The Ubiquti Edgerouter Lite has an iptables based firewall. For each firewall rule (and named set of ules) there is a is an option to enable LOG. Unsolicited traffic to tcp ports, especially ssh, telnet is very common and so our log gets quite large, rather quickly. On a device with limited storage like the EdgeRouter, a barrage of blocked traffic may rapidly fill memory and crash the device. How to do it: We use iptables-save to get the current iptables rules. We then use sed to find/replace. We replace -j LOG with -m limit --limit 3/min -j…

read more...

Docker Firewalling - Unpublishing a port

Intro I have a Docker container that has a port unconditionally published (e.g. -p 2368:2368). I've changed my mind and decided I don't want this port exposed to the entire internet; only the docker host should see it. How do I fix this without having to rebuild the container? Table of contents Intro Port publishing: What is it, how does it work? Looking at Docker iptables Changing the rules Using Docker Isolation (it's here where we lockdown our container) Intro This question (and its lack of immediately obvious answer) is one of the many annoying teething pains I've…

read more...

My IPTables Configuration Script

I've talked quite a lot about iptables but haven't really shown how I actually put it into practice. Today I'll share a shell script I wrote to set up IPTables on my Fedora 25 Desktop. Download Warning: Make sure you check its appropriate for your needs and you understand its functionality before running it. The shell script sets up the following Multiple user based chains for NFS, SSH, and HTTP Organized TCP / UDP chains Source restriction based on the use of IPsets Structure and Functions of the Script We begin by defining the function configures our SSH hardening chain The…

read more...

Using Dynamic Blocklists with IPtables + IPset

In this tutorial, we will learn how to make automatically updated block lists of known bad addresses using ipset and iptables. This provides a proactive security approach that can use external datasets to discover addresses known for malicious activity and prevent them from accessing your web server. A quick overview on IPSet In some of my earlier tutorials, we learned how we could use ipset to create dynamic filtering rules which are independent of iptables. For example, if we wanted to give our friend temporary access to SSH, # create ipset sudo ipset create ssh_ip hash:ip # add friends ip…

read more...

IPtables: Constructing user chains

Now that we are familiar with how iptables is organized we can start defining our own chains. This allows for greater control, flexibility, and in some cases, better efficiency. The most profound efficiency gain is not in the processing by the system, it's in the maintenance, upkeep, and auditing by the sysadmin. We'll begin with a simple "LOG 'N DROP" that we will use in place of -j DROP so we can keep tabs of what the system is filtering Creating a logging chain Next we will create a chain called `LOGDROP` This chain logs packets passing through…

read more...

IPset: Automatic Blocking of Portscans

In my last post, we introduced ipset and how it can be used to create aggregated rules for multiple source/destination parameters. Now we will look at how we can create a set of ip addresses who have attempted to connect to the telnet port and block further connections from them. This is a proactive approach and it's quite fun watching how quickly the list grows. We start by creating the set: Note we set a timeout of 3600 (1hr) ipset create denied_telnet hash:ip timeout 3600 Next we create a rule to add telnet connections to the set…

read more...

Dynamic Rules with IPSet

Wouldn't it be good if port scanning IPs could trigger a rule that adds themselves to a 'known offenders' firewall list? Wouldn't it be good if you could combine white and black ACLs into single unified rules. Typically IPTables operates statically from a predefined collection of rules. This has the advantage of allowing you to filter packets to very exact parameters. However at the cost of a lot of tedious and manual work, and when you're manually adding a bunch of these, easy mistakes are all to common with potentially quite severe consequences on a production system. The idea is…

read more...