| Linode Forum https://forum.linode.com/ |
|
| Ubuntu LAMP server security https://forum.linode.com/viewtopic.php?f=19&t=7826 |
Page 1 of 1 |
| Author: | fernandoch [ Wed Sep 28, 2011 12:03 pm ] |
| Post subject: | Ubuntu LAMP server security |
What firewall would you install for a LAMP server? |
|
| Author: | zunzun [ Wed Sep 28, 2011 12:39 pm ] |
| Post subject: | Re: Ubuntu LAMP server security |
fernandoch wrote: What firewall would you install for a LAMP server?
I use iptables, blocking all but ports 80 and 443 - with an SSH brute force blocker. Here is my boot script:

#!/bin/sh
iptables -P FORWARD DROP
iptables -P INPUT ACCEPT
# SSH brute-force blocker: record every new connection per source address; once a
# source has opened 4 within 60 s, log and drop all of its further packets to port 22
# (each matching packet refreshes the entry, so the block lasts while the attempts keep
# coming). These three rules sit ahead of the blanket SYN drops below: the 0:79 rule
# would otherwise swallow SSH SYNs before the limiter ever saw them.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# Drop the first packet (SYN) of any new TCP connection to a port other than 80 or 443;
# everything else is accepted by the INPUT policy.
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 0:79 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 81:442 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 444: -j DROP

James |
|
| Author: | fernandoch [ Wed Sep 28, 2011 12:44 pm ] |
| Post subject: | |
Thanks, but I never liked iptables; they are too complicated. Your script then also blocks port 22 for SSH? What about ufw? |
|
| Author: | fernandoch [ Wed Sep 28, 2011 12:49 pm ] |
| Post subject: | |
According to this http://library.linode.com/security/fire ... ific-ports your line 2 is wrong; it should be like this: iptables -P INPUT DROP. Why? |
|
| Author: | drpks [ Wed Sep 28, 2011 2:00 pm ] |
| Post subject: | |
fernandoch wrote: According to this http://library.linode.com/security/fire ... ific-ports your line 2 is wrong; it should be like this: iptables -P INPUT DROP. Why?
Basically there are two methods:
- drop everything and open what you need
- accept everything and drop what you don't want
The Linode library uses the first one, which is preferable. |
|
| Author: | drpks [ Wed Sep 28, 2011 2:04 pm ] |
| Post subject: | |
fernandoch wrote: Thanks, but I never liked iptables; they are too complicated. Your script then also blocks port 22 for SSH? What about ufw?
I use ufw on my Debian box because I don't like "plain" iptables either. You should try ufw, and look at this (http://vincom2.wordpress.com/2010/04/07/logging-ufw-to-a-seperate-logfile/) if you don't want to see many ufw entries in your syslog file. |
|
| Author: | jzimmerlin [ Wed Sep 28, 2011 4:23 pm ] |
| Post subject: | |
drpks wrote: fernandoch wrote: Thanks, but I never liked iptables; they are too complicated. Your script then also blocks port 22 for SSH? What about ufw? I use ufw on my Debian box because I don't like "plain" iptables either. You should try ufw, and look at this (http://vincom2.wordpress.com/2010/04/07/logging-ufw-to-a-seperate-logfile/) if you don't want to see many ufw entries in your syslog file.
+1 for UFW |
|
| Author: | hoopycat [ Wed Sep 28, 2011 5:31 pm ] |
| Post subject: | |
Under the hood, remember: it's all iptables. On zunzun's example, I believe the first three rules (--syn --destination-port ...) are a stateless (and necessarily TCP-only) equivalent of the common stateful pattern (as seen in the library article). Basically, it says "drop any new connections to a port that isn't kosher, and accept everything else"; the stateful pattern says "accept any existing connections, accept any new connections to a port that is kosher, and drop everything else". Technically, zunzun's approach is probably more efficient, as it does not need to maintain a connection tracking table to be checked on every incoming packet. However, for a new design, I'd go stateful and perhaps notch out exceptions if you are doing something like handling ~500 NTP queries per second. (My local router, based on Linux and powered by an Atheros AR7242 CPU at 400 MHz, has 250 connections in its tracking table and is handling about 430 packets/second, and is at about 8% CPU load. That's probably more than most Linodes...) |
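The two patterns hoopycat contrasts above (and the "drop everything, open what you need" choice drpks recommends), written out side by side as an added example that is not code from this thread: a stateful default-DROP ruleset for a LAMP box, with zunzun's -m recent SSH limiter folded in, next to a stateless accept-by-default equivalent in the style of zunzun's script. The interface name eth0, the open port list (80 443) and SSH on port 22 are assumptions; the script prints the iptables commands unless APPLY=1 is set, so it can be reviewed and tested without root.

```shell
#!/bin/sh
# Added example (not from the thread): stateful vs stateless LAMP firewall
# rulesets. Interface, open ports and SSH port are assumed defaults.
#
#   sh lamp-fw.sh            # dry run: print the iptables commands
#   APPLY=1 sh lamp-fw.sh    # as root: install the stateful ruleset

IFACE="${IFACE:-eth0}"
OPEN_TCP="${OPEN_TCP:-80 443}"   # public services; SSH is handled separately
SSH_PORT="${SSH_PORT:-22}"

# Print each iptables command unless APPLY=1, so the ruleset can be inspected
# (and checked) without touching the running firewall.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# SSH brute-force limiter, the same -m recent mechanism as zunzun's script:
# each SYN to the SSH port is recorded per source; a source may open 4
# connections per 60 s, the 5th and later are logged and dropped, and every
# further attempt refreshes the entry (--update only adds a timestamp when the
# rule matches), so the block lasts as long as the attempts keep coming.
# Matching on --syn keeps the limiter itself free of conntrack.
ssh_limit_rules() {
    ipt -A INPUT -p tcp --dport "$SSH_PORT" --syn \
        -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH \
        -j LOG --log-prefix "SSH_brute_force "
    ipt -A INPUT -p tcp --dport "$SSH_PORT" --syn \
        -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
    ipt -A INPUT -p tcp --dport "$SSH_PORT" --syn \
        -m recent --set --name SSH -j ACCEPT
}

# Stateful pattern (the Linode library style): accept what belongs to an
# already-accepted connection, accept NEW connections to the listed ports,
# and let the INPUT policy drop everything else.
stateful_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # One conntrack lookup per packet; this is the table hoopycat mentions.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    for p in $OPEN_TCP; do
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    ssh_limit_rules
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# Stateless equivalent (zunzun's style): accept by default and drop only the
# SYN of a connection to any other TCP port. No per-packet conntrack lookup,
# but it is TCP-only, and the SSH rules must precede the blanket drop or
# port-22 SYNs never reach them. Multiport negation replaces the three
# port ranges of the original script.
stateless_rules() {
    ipt -F INPUT
    ipt -P INPUT ACCEPT
    ipt -P FORWARD DROP
    ssh_limit_rules
    ipt -A INPUT -i "$IFACE" -p tcp --syn \
        -m multiport ! --dports "$(echo $OPEN_TCP | tr ' ' ',')" -j DROP
}

# Count the generated rules matching a pattern, e.g. count_rules stateful_rules '-j ACCEPT'.
count_rules() { "$1" | grep -c -- "$2"; }

# Default action: the stateful set (printed, or installed with APPLY=1).
stateful_rules
```

Whichever variant you pick, the rules live only in the kernel and are gone after a reboot: run the script from a boot hook as zunzun does, or save them with iptables-save (on Ubuntu the iptables-persistent package restores them at boot). The ufw equivalent of the whole stateful set is `ufw default deny incoming`, `ufw allow 80/tcp`, `ufw allow 443/tcp` and `ufw limit 22/tcp`, where `limit` blocks a source that opens 6 or more connections within 30 seconds; under the hood it generates the same -m recent rules.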
|
| Author: | jebblue [ Wed Sep 28, 2011 10:42 pm ] |
| Post subject: | |
hoopycat wrote: Under the hood, remember: it's all iptables.
ufw is an automatic transmission. For most stuff it's great. When you have a tough hill to climb you break out iptables. I'd never again (never say never) use a manual transmission in city traffic. |
|
| Author: | hoopycat [ Wed Sep 28, 2011 11:44 pm ] |
| Post subject: | |
Yup, totally. But I ain't installing an automatic transmission on the lawn mower. (My other analogy is a CVT.) |
|
| Author: | derfy [ Thu Sep 29, 2011 12:29 am ] |
| Post subject: | |
What's with all the car analogies? Is this /. all of a sudden? ;p |
|
| Page 1 of 1 | All times are UTC-04:00 |
|