IPTABLES – better version for webserver like wordpress

IPTABLES for WordPress

Thanks to:
http://bencane.com/2012/09/17/iptables-linux-firewall-rules-for-a-basic-web-server/
http://www.linux.org/threads/base-iptables-rules-that-will-apply-to-virtually-any-web-server.10/ (used this script with modifications)

NOTES:

Here is a simple script that allows all outbound connections and the inbound connections coming back from those outbound connections (conntrack). Also port 80 and port 22 and port 443 are allowed in. A few more rules as well. Some rules are commented out for your use. Make sure you have an alternate connection because if you block yourself out of ssh, you might be out of luck (restarting the pc/server will clear the rules, unless you have a setting that says on boot read these iptables)

CLEAR ALL:

Clear all rules (this is good to keep handy, maybe save it as a script called iptables-clear-all.sh):

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
 
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Lire la suite…

How to manage a DDOS or DOS attempt directed at your Linux Server

Stopping a DDOS (distributed denial of service attack) or DOS (denial of service attack) is no simple task.  Frequently, these attacks become more than just a nuisance, they completely immobilize your server’s services and keep your users from using your website.

We’ve found a few common sense ways to help ease the pain of DDOS and/or DOS attacks.  While no method is fool proof, we certainly can minimize the profound effect these attacks have on your users and subsystems.

Identify the Source

Good luck with that one.  Many DDOS and DOS attacks are from roaming IP addresses.  A distributed denial of service attack can come from many different IP addresses and it quickly becomes impossible for the Linux system administrator to isolate and confine each IP with a firewall rule.

Wikipedia does a great job of describing the various types of attacks here: http://en.wikipedia.org/wiki/Denial-of-service_attack.  For the purpose of this tutorial, I’ll leave the research on the types of attacks up to you, and address the most common form that we’ve encountered over the years, the Apache directed DDOS or DOS attack.

Apache Based Attacks

Symptoms of the Apache DDOS or DOS attack:

  • Website(s) serve slow
  • You notice hanging processes
  • Apache Top tells you that the same IP address is requesting a system resource
  • The system resource continues to multiplex, causing more processes to spawn
  • The Command:
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
  • Says that you have a few too many connections to feel comfortable with.

The end result:

  • Apache goes down
  • System load goes sky high
  • Server stops responding
  • You cant ssh to the server node
  • You’ve lost connectivity completely and a reboot is mandatory in order to restore access to the system

Preventative Measures and Counter Measures:

  • Enable SYN COOKIES at the kernel level
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  • Enable and Configure iptables to prevent the attack or at least work to identify the attack
    /sbin/iptables -N syn-flood
    /sbin/iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
    /sbin/iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
    /sbin/iptables -A syn-flood -j DROP
  • Install the APF firewall to work to identify risky behavior
    • APF stands for Advanced Policy Firewall.  Its a rock solid firewall that normally plays nice with iptables.  You can grab a the most recent copy here: http://www.rfxn.com/projects/
  • Install (D)DosDeflate
    • Great software, rock solid, and plays nice with either APF or iptables.  Install and configure the service in seconds using the commands below.  Edit the .conf file to utilize whichever flavor of firewall you’d like to integrate it with.  Set a few configuration settings and you’re done.
    • To Install (D)DosDeflate:
      wget http://www.inetbase.com/scripts/ddos/install.sh
      chmod 0700 install.sh
      ./install.sh
  • If it doesnt workout, its simple to uninstall too.  To uninstall:
    wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
    chmod 0700 uninstall.ddos
    ./uninstall.ddos

So a few tools are outlined above.  We’ve found that this will stop 90% of the attacks that are out there.  Some nice firewall rules above your server (at the router or switch level) also help.  Most of the time we can identify suspicious traffic before it even hits your servers, so a shameless plug here is probably in order.

Source: Liquid Communications

How do I change, sort, add, remove graphs with Munin?

Graphs on Munin

Enable and disable plugins on each node

graphs muninGraphs are added and removed via symlinks in the /etc/munin/plugins/ directory of the node.

To remove a graph you must remove the symlink and restart the node:

rm /etc/munin/plugins/diskstats
service munin-node restart

To add a graph you must add a symlink in the plugins directory to an executable. eg:

ln -s /usr/share/munin/plugins/diskstats /etc/munin/plugins/diskstats
service munin-node restart

When you restart munin-node it runs immediately and any issues with the plugins appears in /var/log/munin/munin-node.log. If all is going well you’ll see a CONNECT logged every cycle; this records the fact that the master connected to collect the latest data.

Process Backgrounded
2014/03/10-15:59:47 Munin::Node::Server (type Net::Server::Fork) starting! pid(32231)
Resolved [*]:4949 to [::]:4949, IPv6
Not including resolved host [0.0.0.0] IPv4 because it will be handled by [::] IPv6
Binding to TCP port 4949 on host :: with IPv6
2014/03/10-16:00:04 CONNECT TCP Peer: "[::ffff:203.28.51.227]:45965" Local: "[::ffff:50.23.111.122]:4949"
2014/03/10-16:05:04 CONNECT TCP Peer: "[::ffff:203.28.51.227]:46109" Local: "[::ffff:50.23.111.122]:4949"
2014/03/10-16:10:04 CONNECT TCP Peer: "[::ffff:203.28.51.227]:46109" Local: "[::ffff:50.23.111.122]:4949"

Lire la suite…

thegeekstuff: useful iptables rules

17/05/2024 Categories: Réseau, Sécurité Tags: , Aucun commentaire

Source: thegeekstuff

# Modify this file accordingly for your specific requirement.
# http://www.thegeekstuff.com
# 1. Delete all existing rules
iptables -F

# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Block a specific ip-address
#BLOCK_THIS_IP="x.x.x.x"
#iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

# 4. Allow ALL incoming SSH
#iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 5. Allow incoming SSH only from a sepcific network
#iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 6. Allow incoming HTTP
#iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming HTTPS
#iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

# 8. Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 9. Allow outgoing SSH only to a specific network
#iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 10. Allow outgoing HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 11. Load balance incoming HTTPS traffic
#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

# 12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 14. Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# 15. Allow packets from internal network to reach external network.
# if eth1 is connected to external network (internet)
# if eth0 is connected to internal network (192.168.1.x)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# 16. Allow outbound DNS
#iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
#iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# 17. Allow NIS Connections
# rpcinfo -p | grep ypbind ; This port is 853 and 850
#iptables -A INPUT -p tcp --dport 111 -j ACCEPT
#iptables -A INPUT -p udp --dport 111 -j ACCEPT
#iptables -A INPUT -p tcp --dport 853 -j ACCEPT
#iptables -A INPUT -p udp --dport 853 -j ACCEPT
#iptables -A INPUT -p tcp --dport 850 -j ACCEPT
#iptables -A INPUT -p udp --dport 850 -j ACCEPT

# 18. Allow rsync from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

# 19. Allow MySQL connection only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

# 20. Allow Sendmail or Postfix
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

# 21. Allow IMAP and IMAPS
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

# 22. Allow POP3 and POP3S
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

# 23. Prevent DoS attack
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# 24. Port forwarding 422 to 22
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT

# 25. Log dropped packets
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
Categories: Réseau, Sécurité Tags: ,

How to use netfilter and iptables to stop a DDoS Attack?

Source: Phil Chen

This how to article will go over stopping a DDoS attack when all you have access to is the targeted Linux host using netfilter and iptables. The two methods are either to simply drop packets from the offending IP/range or to only allow the offending IP/range X number of requests per second, if the range exceeds the requests per second rate traffic is dropped from the range.

*NOTE This method is for small attacks on services you are running on your Linux host. For large attacks using your gateway’s (firewall, load balancer, switch, or router) anti DDoS features maybe necessary or even having your ISP mitigating maybe the only option. I do often see attacks on HTTP from a hundred hosts or so and this article works on that scale.

Here is a example of a script for dropping packets from a offending IP/range lets say for our purposes the range is 206.250.230.0/24

#!/bin/bash
/sbin/iptables -I INPUT 1 -s 206.250.230.0/24 -j DROP
/sbin/iptables -I OUTPUT 1 -d 206.250.230.0/24 -j DROP
/sbin/iptables -I FORWARD 1 -s 206.250.230.0/24 -j DROP
/sbin/iptables -I FORWARD 1 -d 206.250.230.0/24 -j DROP

Here is a example of a script for dropping packets from a offending IP/range if it exceeds 30 requests per second lets say for our purposes the range is 206.250.230.0/24

#!/bin/bash
/sbin/iptables -I INPUT 1 -m limit --limit 30/sec -s 206.250.230.0/24 -j ACCEPT
/sbin/iptables -I INPUT 2 -s 206.250.230.0/24 -j DROP
 
/sbin/iptables -I OUTPUT 1 -m limit --limit 30/sec -d 206.250.230.0/24 -j ACCEPT
/sbin/iptables -I OUTPUT 2 -d 206.250.230.0/24 -j DROP
 
/sbin/iptables -I FORWARD 1 -m limit --limit 30/sec -s 206.250.230.0/24 -j ACCEPT
/sbin/iptables -I FORWARD 2 -s 206.250.230.0/24 -j DROP
 
/sbin/iptables -I FORWARD 1 -m limit --limit 30/sec -d 206.250.230.0/24 -j ACCEPT
/sbin/iptables -I FORWARD 2 -d 206.250.230.0/24 -j DROP

You can see your changes applied by running iptables -L command as seen below:

-bash-4.1# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  206.250.230.0/24     anywhere            limit: avg 30/sec burst 5 
DROP       all  --  206.250.230.0/24     anywhere            
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             206.250.230.0/24    limit: avg 30/sec burst 5 
DROP       all  --  anywhere             206.250.230.0/24    
ACCEPT     all  --  206.250.230.0/24     anywhere            limit: avg 30/sec burst 5 
DROP       all  --  206.250.230.0/24     anywhere            
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             206.250.230.0/24    limit: avg 30/sec burst 5 
DROP       all  --  anywhere             206.250.230.0/24