diff --git a/other/iptables.rules b/other/iptables.rules
index 891c69a..dbbcae4 100644
--- a/other/iptables.rules
+++ b/other/iptables.rules
@@ -1,13 +1,15 @@
 ###############################
 # SIMPLE FIREWALL RULES FOR IPTABLES
 #
-# By Pekka Helenius (~Fincer), 2018
 #
 # These rules are intended to be used
-# without UFW. If you have additional
-# firewall settings in your system/iptables,
-# take care adapting these rules in to your
-# current firewall ruleset.
+# without other firewalls such as UFW.
+# If you have additional firewall settings
+# in your system/iptables, take care adapting
+# these rules in to your current firewall ruleset.
+#
+# It is highly recommended to remove all conflicting
+# firewall configuration
 #
 # I do not take responsibility of breaking
 # your working firewall configuration!
@@ -19,14 +21,13 @@
 # A) do not respond to incoming ping requests
 # Can be used as a replacement for sysctl 'net.ipv4.icmp_echo_ignore_all=1' setting
 #
-# B) drop all incoming traffic by default, except for
-# SSH, HTTP and HTTPS protocols
+# B) Reject connection if connection cycle is too intense
+# from one client. This setting may be useful against all kind of intense brute force
+# attacks.
 #
-# C) start dropping packets if connection cycle is too intense
-# from one client. This setting may be useful against port scanners.
+# C) drop all incoming traffic by default, except for
+# SSH, HTTP and HTTPS protocols
 #
-# Ruleset C) by Anthony Maro:
-# https://www.ossramblings.com/using_iptables_rate_limiting_to_prevent_portscans
 #
 ############
 #
@@ -53,7 +54,7 @@
 # HTTP: 80
 # HTTPS: 443
 #
-# Default setting for C) is 10 maximum connection attempts in 30 seconds
+# Default setting for bruteforce prevention is 10 maximum connection attempts in 30 seconds
 # Adapt the values to your server environment.
 #
 # 5) Save this file to /etc/iptables/iptables.rules
@@ -79,6 +80,7 @@
 #
 # https://www.thegeekstuff.com/scripts/iptables-rules
 # https://gist.github.com/thomasfr/9712418
+# http://blog.sevagas.com/?Iptables-firewall-versus-nmap-and,31
 #
 ###############################
 #
@@ -88,76 +90,81 @@
 *filter
 ###############################
-# DEFAULT POLICY FOR THIS CHAIN - DROP ALL INPUT TRAFFIC
-#
-# THIS IS A DANGEROUS SETTING. IF YOU DROP ALL INCOMING
-# CONNECTIONS, MAKE SURE YOU HAVE ACCEPTED AT LEAST SSH CONNECTION INPUT BELOW
-# OTHERWISE YOU WILL BE LOCKED OUT FROM THE SERVER!
+# Default policy for this chain - drop all input traffic
+# This is a dangerous setting. If you drop all incoming connections,
+# make sure you have accepted at least incoming SSH connection below.
+# Otherwise you will be locked out from the server!
 #
-# DO NOT USE 'REJECT' BECAUSE IT GIVES A RESPONSE TO A HOSTILE CLIENTS (PORT SCANNERS)
-# INSTEAD, DROP INCOMING PACKETS AND DO NOT GIVE RESPONSE AT ALL
+# Do not use 'REJECT' because it gives a response to hostile clients such
+# as bruteforcers and port scanners. Instead, drop incoming packets
+# and do not give reponse at all.
 #
 -P INPUT DROP
 ###############################
-# WE ARE NOT A ROUTER, WE DROP ALL (NON-EXISTENT) FORWARD CONNECTIONS
+# We are not a router, we drop all (non-existent) forward connections
 #
 -P FORWARD DROP
 ###############################
-# BY DEFAULT, ALL OUTGOING TRAFFIC FROM THE SERVER IS ACCEPTED
+# By default, all outgoing traffic from the server is accepted
 #
 -P OUTPUT ACCEPT
 ###############################
-# DROP ALL INCOMING PING REQUESTS
+# Drop all incoming ping requests
 #
 -A INPUT -p icmp --icmp-type echo-request -j DROP
 ###############################
-# ALLOW LOOPBACK CONNECTIONS
+# Allow loopback connections
 #
 -A INPUT -i lo -j ACCEPT
 #-A OUTPUT -o lo -j ACCEPT
 ###############################
-# ALLOW INCOMING SSH CONNECTIONS
+# Block bruteforce attacks
+# Works against dirbuster, nmap and similar tools.
 #
+#
+# Default values are allowing max 10 connections from a client within 30 seconds
+# Please adjust these values for your server environment
+#
+# Based on: https://rudd-o.com/linux-and-free-software/a-better-way-to-block-brute-force-attacks-on-your-ssh-server
+
+# If you need to enable this for specific TCP ports, add the following parameter:
+# -m multiport --dports 80
--A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-#-A OUTPUT -p tcp --sport 22 -m state --state NEW -j ACCEPT
+-A INPUT -p tcp -m tcp -m state --state NEW -m recent --set --name BRUTEFORCE --rsource
+#-A INPUT -p tcp -m tcp -m multiport --dports 80 -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j LOG --log-prefix "Brute force attack detected "
+-A INPUT -p tcp -m tcp -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j REJECT --reject-with tcp-reset
+
+###############################
+# Allow incoming SSH connections
+#
+
+-A INPUT -p tcp --dport 765 -m state --state NEW -j ACCEPT
+#-A OUTPUT -p tcp --sport 765 -m state --state NEW -j ACCEPT
 ###############################
-# ALLOW INCOMING HTTP/HTTPS CONNECTIONS
+# Allow incoming HTTP/HTTPS connections
 #
 -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
 #-A OUTPUT -p tcp -m multiport --sports 80,443 -m state --state NEW -j ACCEPT
 ###############################
-# ALLOW ESTABLISHED AND RELATED CONNECTIONS
+# Allow established and related connections
 #
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 #-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-###############################
-# RULESET C)
-#
-# IF 10 NEW CONNECTIONS TO ANY PORT WITHIN 30 SECONDS IS REQUESTED BY A CLIENT, START DROPPING PACKETS FOR THE CLIENT
-#
-# SHOULD FREEZE NMAP AND OTHER PORT SCANNERS
-#
-# Source: https://www.ossramblings.com/using_iptables_rate_limiting_to_prevent_portscans
-
--A INPUT -i $IFACE -p tcp -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
--A INPUT -i $IFACE -p tcp -m state --state NEW -m recent --update --seconds 30 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-
 ###############################
 COMMIT
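Review bot: The new BRUTEFORCE rule `-A INPUT -p tcp -m tcp -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j REJECT --reject-with tcp-reset` contradicts the comment kept a few lines above it ("Do not use 'REJECT' ... drop incoming packets and do not give reponse at all"), and because it carries no `--state NEW` and sits before the `RELATED,ESTABLISHED` accept, a source that opens ten new TCP connections within 30 s has every further TCP packet reset — including its already-established sessions and the SSH session on 765 — which an ordinary browser or a NAT gateway fronting several users can trigger against a server serving 80/443. Either restrict the check to new connections and match the stated policy, e.g. `-A INPUT -p tcp -m tcp -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j DROP`, or move the conntrack accept rule ahead of the BRUTEFORCE pair and rewrite the comment if a TCP reset is intended. The commented LOG rule is limited to `-m multiport --dports 80` while the active REJECT rule matches every port, so enabling it would log only a subset of what is rejected. The accepted SSH port changes from 22 to 765 here, which presumably should also be reflected in the port list in the file header (the `# HTTP: 80` / `# HTTPS: 443` block in the first hunk), and `reponse` in the retained comment should read `response`.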