This tutorial will demonstrate how to create reactive firewall rules. If a device attempts to communicate with known malware command-and-control servers, the potentially compromised device will be added to a blacklist, and its internet access will be immediately disabled.…
read more...My IPTables Configuration Script
I've talked quite a lot about iptables but haven't really shown how I actually put it into practice. Today I'll share a shell script I wrote to set up IPTables on my Fedora 25 Desktop. Download Warning: Make sure you check its appropriate for your needs and you understand its functionality before running it. The shell script sets up the following Multiple user based chains for NFS, SSH, and HTTP Organized TCP / UDP chains Source restriction based on the use of IPsets Structure and Functions of the Script We begin by defining the function configures our SSH hardening chain The…
read more...Using Dynamic Blocklists with IPtables + IPset
In this tutorial, we will learn how to make automatically updated block lists of known bad addresses using ipset and iptables. This provides a proactive security approach that can use external datasets to discover addresses known for malicious activity and prevent them from accessing your web server. A quick overview on IPSet In some of my earlier tutorials, we learned how we could use ipset to create dynamic filtering rules which are independent of iptables. For example, if we wanted to give our friend temporary access to SSH, # create ipset sudo ipset create ssh_ip hash:ip # add friends ip…
read more...IPset: Automatic Blocking of Portscans
In my last post, we introduced ipset and how it can be used to create aggregated rules for multiple source/destination parameters. Now we will look at how we can create a set of ip addresses who have attempted to connect to the telnet port and block further connections from them. This is a proactive approach and it's quite fun watching how quickly the list grows. We start by creating the set: Note we set a timeout of 3600 (1hr) ipset create denied_telnet hash:ip timeout 3600 Next we create a rule to add telnet connections to the set…
read more...