fernandoch (Joined: 20 May 2011, Posts: 57, Location: Spain)
Posted: Wed Sep 28, 2011 11:03 am    Post subject: Ubuntu LAMP server security

What firewall would you install for a LAMP server?
zunzun (Joined: 18 Feb 2005, Posts: 445, Location: Birmingham, Alabama USA)
Posted: Wed Sep 28, 2011 11:39 am    Post subject: Re: Ubuntu LAMP server security

> fernandoch wrote: What firewall would you install for a LAMP server?

I use iptables, blocking all but ports 80 and 443 - with an SSH brute force blocker. Here is my boot script:

```sh
#!/bin/sh
# Default policies: no forwarding; INPUT accepts unless a rule below drops.
iptables -P FORWARD DROP
iptables -P INPUT ACCEPT
# Drop new (SYN) TCP connections arriving on eth0 to every port except 80 and 443.
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 0:79 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 81:442 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 444: -j DROP
# SSH brute-force limiter with the 'recent' module: record each new SSH
# connection under the list name SSH, then log and drop further SSH packets
# from a source that has been recorded 4 or more times within 60 seconds.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
```

James
fernandoch (Joined: 20 May 2011, Posts: 57, Location: Spain)
Posted: Wed Sep 28, 2011 11:44 am

Thanks, but I never liked iptables; they are too complicated :(
Your script then also blocks port 22 for ssh?
What about ufw?
fernandoch (Joined: 20 May 2011, Posts: 57, Location: Spain)
Posted: Wed Sep 28, 2011 11:49 am

According to this http://library.linode.com/security/firewalls/iptables#sph_block-all-traffic-and-allow-traffic-on-specific-ports your line 2 is wrong; it should be like this:

```sh
iptables -P INPUT DROP
```

Why?
drpks (Joined: 20 Dec 2010, Posts: 55)
Posted: Wed Sep 28, 2011 1:00 pm

> fernandoch wrote: According to this http://library.linode.com/security/firewalls/iptables#sph_block-all-traffic-and-allow-traffic-on-specific-ports your line 2 is wrong; it should be like this:
> iptables -P INPUT DROP
> Why?

Basically there are 2 methods:
- drop everything and open what you need
- accept everything and drop what you don't want
The Linode library uses the first one, which is preferable.
drpks (Joined: 20 Dec 2010, Posts: 55)
Posted: Wed Sep 28, 2011 1:04 pm

> fernandoch wrote: Thanks, but I never liked iptables; they are too complicated :(
> Your script then also blocks port 22 for ssh?
> What about ufw?

I use ufw on my Debian box because I don't like "plain" iptables either. You should try ufw and look at this (http://vincom2.wordpress.com/2010/04/07/logging-ufw-to-a-seperate-logfile/) if you don't want to see many ufw entries in your syslog file.
jzimmerlin (Joined: 21 Jul 2010, Posts: 100)
Posted: Wed Sep 28, 2011 3:23 pm

> drpks wrote:
> > fernandoch wrote: Thanks, but I never liked iptables; they are too complicated :(
> > Your script then also blocks port 22 for ssh?
> > What about ufw?
> I use ufw on my Debian box because I don't like "plain" iptables either. You should try ufw and look at this (http://vincom2.wordpress.com/2010/04/07/logging-ufw-to-a-seperate-logfile/) if you don't want to see many ufw entries in your syslog file.

+1 for UFW
hoopycat (Joined: 30 Aug 2008, Posts: 1294, Location: Rochester, New York)
Posted: Wed Sep 28, 2011 4:31 pm

Under the hood, remember: it's all iptables.

On zunzun's example, I believe the first three rules (--syn --destination-port ...) are a stateless (and necessarily TCP-only) equivalent of the common stateful pattern (as seen in the library article). Basically, it says "drop any new connections to a port that isn't kosher, and accept everything else"; the stateful pattern says "accept any existing connections, accept any new connections to a port that is kosher, and drop everything else".

Technically, zunzun's approach is probably more efficient, as it does not need to maintain a connection tracking table to be checked on every incoming packet. However, for a new design, I'd go stateful and perhaps notch out exceptions if you are doing something like handling ~500 NTP queries per second.

(My local router, based on Linux and powered by an Atheros AR7242 CPU at 400 MHz, has 250 connections in its tracking table and is handling about 430 packets/second, and is at about 8% CPU load. That's probably more than most Linodes...)
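Added example, not from the thread or the Linode article: a small Python model of hoopycat's comparison that runs constructed packets through zunzun's stateless chain and through the common stateful default-drop chain, so the difference in what each policy lets through is visible. The Packet fields, the rule ordering and the loopback rule in the stateful chain are my assumptions.

```python
# Constructed model of the two INPUT chains discussed above: zunzun's stateless
# '--syn' ruleset (policy ACCEPT) and the stateful default-drop pattern.
# A chain is a list of (match, target) pairs; the first match wins.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str                 # "tcp" or "udp"
    dport: int
    syn: bool = False          # TCP with only SYN set: a new connection attempt
    established: bool = False  # conntrack would class it ESTABLISHED/RELATED

def run_chain(rules, policy, pkt):
    """Evaluate an iptables-style chain: the first matching rule decides."""
    for match, target in rules:
        if match(pkt):
            return target
    return policy

def syn_on_eth0(pkt, lo, hi):
    """Model of '-i eth0 -p tcp --syn --destination-port lo:hi'."""
    return (pkt.iface == "eth0" and pkt.proto == "tcp" and pkt.syn
            and lo <= pkt.dport <= hi)

# zunzun's three range rules. The SSH 'recent' rules are left out; note that
# port 22 on eth0 already falls inside the 0:79 DROP range.
STATELESS_RULES = [
    (lambda p: syn_on_eth0(p, 0, 79), "DROP"),
    (lambda p: syn_on_eth0(p, 81, 442), "DROP"),
    (lambda p: syn_on_eth0(p, 444, 65535), "DROP"),
]

# Stateful pattern (assumed shape): accept loopback and tracked flows, accept
# NEW TCP to the service ports, and let the DROP policy handle the rest.
STATEFUL_RULES = [
    (lambda p: p.iface == "lo", "ACCEPT"),
    (lambda p: p.established, "ACCEPT"),
    (lambda p: p.proto == "tcp" and not p.established
     and p.dport in (22, 80, 443), "ACCEPT"),
]

def verdicts(pkt):
    """Return (stateless verdict, stateful verdict) for one packet."""
    return (run_chain(STATELESS_RULES, "ACCEPT", pkt),
            run_chain(STATEFUL_RULES, "DROP", pkt))

if __name__ == "__main__":
    for pkt in (Packet("eth0", "tcp", 80, syn=True), Packet("eth0", "tcp", 22, syn=True),
                Packet("eth0", "udp", 3306), Packet("eth0", "tcp", 3306, established=True)):
        print(pkt, verdicts(pkt))
```

UDP and non-SYN TCP to a closed port fall through to the ACCEPT policy in the stateless chain but hit the DROP policy in the stateful one, which is the TCP-only limitation hoopycat points out.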
jebblue (Joined: 23 May 2010, Posts: 112)
Posted: Wed Sep 28, 2011 9:42 pm

> hoopycat wrote: Under the hood, remember: it's all iptables.

ufw is an automatic transmission. For most stuff it's great. When you have a tough hill to climb you break out iptables.
I'd never again (never say never) use a manual transmission in city traffic.
hoopycat (Joined: 30 Aug 2008, Posts: 1294, Location: Rochester, New York)
Posted: Wed Sep 28, 2011 10:44 pm

Yup, totally. But I ain't installing an automatic transmission on the lawn mower. :-)
(My other analogy is a CVT.)
derfy (Joined: 20 Oct 2010, Posts: 68)
Posted: Wed Sep 28, 2011 11:29 pm

What's with all the car analogies? Is this /. all of a sudden? ;p