💡 Zaščita lastnega strežnika Linux 32/64 bit – Ubuntu/Debian/Raspbian – Unix Sistemi
Ko ste postavili vaš strežnik – npr. Ubuntu (najboljša opcija za poslovne sisteme, zelo dobra podpora), CentOS ali Fedora; tudi ostali Linux OS so odlična platforma za postavitev vašega podjetniškega strežnika. Spodaj bom predstavil primer namestitve in konfiguracije osnovnega požarnega zidu iptables, požarnega zidu za aplikacije in dodatne zaščite Fail2Ban ter Maltrail oz. Malware Traffic Detection System.
➡ IPTables Namestitev in začetni zaščitni parametri:
Preko SSH namestite iptables in ipset:
# Refresh the package index, apply pending upgrades, then install the firewall
# tools (ipset is used further down by /opt/maltrail/maltrail-ips.sh).
sudo apt-get update && sudo apt-get upgrade -y
sudo apt install iptables ipset
Za modul iptables-persistent oz. avtostart ustvarimo spodnje direktive; zamenjajte interne IP-je vaših strežnikov ipd. Spodaj je razloženo, kateri porti so odprti – uporabite samo tiste, ki jih boste dejansko uporabljali na vašem strežniku:
Router oz. Svičer IP: 192.168.1.1
Virtualni Serverji in Win10: 192.168.1.77 + 192.168.1.111 + 192.168.1.123 + 192.168.1.222 Windows10 SSH
sudo nano /tmp/v4
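*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
# Default-deny: whatever no rule below accepts is dropped by the chain policy.
# Rules are evaluated top to bottom and the first terminal match (ACCEPT/DROP/
# REJECT) wins, so order matters: state checks first, source-restricted
# services, public services, then the logging/reject tail. Nothing may follow
# the final REJECT - in the original, every rule after "-A INPUT -j DROP" was
# unreachable, and "-i eth0 -j ACCEPT" / "! -i eth0 -j ACCEPT" accepted all
# traffic on every interface before the port rules were ever consulted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:block-scan - [0:0]
## INPUT ---------------------------------------------------------------------
# Loopback: accept on lo; refuse packets addressed to 127/8 that arrive on any
# other interface (spoofed loopback).
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
# Drop packets conntrack cannot classify before anything else is evaluated.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections this host opened (DNS, NTP, apt ... answers all match
# here). This makes stateless accepts such as "--sport 53" or
# "--tcp-flags ACK ACK" unnecessary; they would let any packet carrying a forged
# source port or a set ACK bit bypass the whole policy, so they were removed.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# SSH: only from the admin workstation (192.168.1.222, "Windows10 SSH" above).
# Must precede the LAN rule, otherwise every LAN host could reach port 22.
# Everything else on 22 is dropped silently. The original accepted port 22 from
# anywhere in several places before its own DROP rule.
-A INPUT -s 192.168.1.222/32 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
# Optional alternative to the plain DROP below: allow at most 6 new SSH
# connections per source in 90 s (uncomment both lines, keep them above the DROP).
#-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m recent --set --name ssh --mask 255.255.255.255 --rsource
#-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m recent ! --rcheck --seconds 90 --hitcount 6 --name ssh --mask 255.255.255.255 --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
# Trusted LAN: everything from 192.168.1.0/24 (this already covers .77/.111/
# .123/.222, so the per-host rules of the original are redundant).
-A INPUT -s 192.168.1.0/24 -j ACCEPT
# Databases: internal subnet only. Never accept these by interface - the
# original's "! -i eth0" rule treats eth0 as the external interface, so
# "-i eth0 ... --dport 3306 -j ACCEPT" exposed MySQL/PostgreSQL to the uplink.
# Change 192.168.77.0/24 to your internal subnet (the live listing further
# down on this page uses 192.168.1.0/24). rsync (873) from the LAN is already
# covered by the LAN rule above.
-A INPUT -s 192.168.77.0/24 -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 3306,5432 -j ACCEPT
# Public TCP services - keep only the ports you really run:
#   21 ftp, 25/465/587 smtp, 80/443 http(s), 110/995 pop3(s), 113 ident,
#   143/993 imap(s), 3142 (kept from the original), 8338 Maltrail web UI,
#   10000 Webmin. 8338 and 10000 are administrative interfaces; consider
#   restricting them to the LAN the same way SSH is restricted above.
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 21,25,80,110,113,143,443,465,587,993,995,3142,8338,10000 -j ACCEPT
# UDP services offered by this host: DNS (remove 53 if this is not a
# nameserver), NTP, mDNS.
-A INPUT -p udp -m conntrack --ctstate NEW -m udp -m multiport --dports 53,123,5353 -j ACCEPT
# Answer ping.
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Explicit blocks kept from the original (NFS, X11, X font server); the DROP
# policy would catch them anyway, they just avoid the LOG line below.
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
# Tail: log (rate-limited) and reject whatever is left. Do not add rules after this.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
## FORWARD -------------------------------------------------------------------
# This host does not route (same effective behaviour as the original, whose
# wlan0<->eth0 ACCEPT rules sat behind an unconditional REJECT). If forwarding
# is wanted, put the ACCEPT rules before this line and add a MASQUERADE rule
# to the nat table.
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
## OUTPUT --------------------------------------------------------------------
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Outbound DNS (covers the per-resolver rules of the original) and NTP, plus
# the LAN. These are the starting point for real egress filtering.
-A OUTPUT -p udp -m udp -m multiport --dports 53,123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
# Catch-all: outbound traffic is not restricted. This is the original's
# effective behaviour too ("-A OUTPUT -j ACCEPT" preceded all of its later
# rules, including the SSH DROP). Remove this line and add explicit "--dport"
# rules above it to enforce egress filtering; the old "--sport" rules are
# not needed because RELATED,ESTABLISHED already covers replies.
-A OUTPUT -j ACCEPT
## block-scan: defined but not referenced from any chain, exactly as in the
## original ("0 references" in the listing below). Jump to it from INPUT if wanted.
-A block-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A block-scan -j DROP
COMMIT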
Shranite datoteko in dodajte še parametre za IPv6; po večini jih ne rabite, odvisno od vašega internetnega dostopa in priključka!
sudo nano /tmp/v6
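*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
# Same layout as the IPv4 file: default-deny INPUT, first terminal match wins,
# nothing after the final REJECT. FORWARD is closed by the REJECT rule either
# way; the policy is set to DROP to match IPv4.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Refuse loopback-addressed packets that did not arrive on lo (spoofing), as
# the IPv4 file does.
-A INPUT ! -i lo -d ::1/128 -j REJECT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections we opened, DNS answers included - so the original's
# stateless "--sport 53 --dport 53:65535 -j ACCEPT" is not needed (it let any
# packet with source port 53 through to every high port).
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ICMPv6 is not optional on IPv6: neighbour discovery, router advertisements
# and path-MTU discovery all depend on it. The original rejected it (its ping
# rule had been swallowed into a comment line), which leaves the host without
# working IPv6 under a DROP policy.
-A INPUT -p ipv6-icmp -j ACCEPT
# Public services, same list as IPv4. SSH is deliberately not opened over
# IPv6: IPv4 restricts it to one admin host, add an equivalent
# "-s <admin-v6-address>/128 ... --dport ssh -j ACCEPT" rule here if you need it.
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports ftp,smtp,www,pop3,auth,imap,https,imaps,pop3s,8338,10000 -j ACCEPT
# Explicit blocks kept from the original (NFS, X11, X font server).
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
# Tail: reject everything else. Do not add rules after this.
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT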
# Completed IPTables Custom Config
Shranite in namestite modul iptables persistent:
Prikliči nastavitve in namesti modul iptables autostart:
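# Parse both files without committing them first: a syntax error makes
# iptables-restore abort, and a mistake in the LAN/SSH rules of a DROP-policy
# ruleset can lock you out of the very SSH session you are typing this in.
sudo iptables-restore --test /tmp/v4
sudo ip6tables-restore --test /tmp/v6
sudo iptables-restore < /tmp/v4
sudo ip6tables-restore < /tmp/v6
# When asked, answer YES to save the rules just loaded; they are then applied at every boot.
sudo apt-get install iptables-persistent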
Na vsa vprašanja odgovorite YES!!! Ko namestite, naredite reboot in preverite, če so vsi parametri naloženi:
# CHECK THAT THE IPTABLES BLOCKS ARE ACTIVE:
# Lists the live rules with packet/byte counters. Add -n (sudo iptables -vnL)
# to skip reverse-DNS lookups: the listing below shows resolved names such as
# perc.ddns.net and dns.google, which is slow and labels an address by a PTR
# record its owner controls.
sudo iptables -vL
sudo ip6tables -vL
TEST TERMINAL:[admin@perc ~]# sudo iptables -vL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3319K 198M f2b-apache-auth tcp — any any anywhere anywhere
4087K 272M f2b-apache-noscript tcp — any any anywhere anywhere
5044K 325M f2b-recidive tcp — any any anywhere anywhere
5044K 325M f2b-postfix-sasl tcp — any any anywhere anywhere
5044K 325M f2b-apache-custom tcp — any any anywhere anywhere
5043K 325M f2b-badbots tcp — any any anywhere anywhere
5042K 324M f2b-apache-fakegooglebot tcp — any any anywhere anywhere
87909 47M ACCEPT all — lo any anywhere anywhere
0 0 REJECT all — !lo any anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
0 0 REJECT all — any any anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
5061K 299M ACCEPT all — any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all — any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT all — !eth0 any anywhere anywhere
9 432 ACCEPT tcp — any any anywhere anywhere tcp flags:ACK/ACK
306 16377 ACCEPT tcp — any any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:http
4747 263K ACCEPT tcp — any any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:https
31 1568 ACCEPT tcp — any any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:ftp
27 1388 ACCEPT tcp — any any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:smtp
28 1600 ACCEPT tcp — any any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:imap2
50 2852 ACCEPT tcp — any any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:imaps
29 1608 ACCEPT tcp — any any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:pop3
21 1148 ACCEPT tcp — any any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:pop3s
931 50392 ACCEPT tcp — any any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:8338
10714 557K ACCEPT tcp — any any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:webmin
76687 6086K ACCEPT all — any any 192.168.1.0/24 anywhere
0 0 ACCEPT all — any any perc.ddns.net anywhere
0 0 ACCEPT all — any any 192.168.1.222 anywhere
0 0 ACCEPT all — any any 192.168.1.77 anywhere
0 0 ACCEPT all — any any 192.168.1.123 anywhere
20 1044 ACCEPT tcp — any any anywhere anywhere tcp multiport dports ftp,ssh,http,https,smtp,pop3,imap2,submission,imaps,pop3s,8338,webmin
0 0 ACCEPT all — wlan0 any anywhere anywhere
64 8639 ACCEPT all — eth0 any anywhere anywhere
0 0 ACCEPT tcp — any any anywhere anywhere state NEW tcp dpt:ssh
0 0 ACCEPT tcp — any any 192.168.1.222 anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ssh
0 0 DROP tcp — any any anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ssh
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:ftp
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:smtp
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:pop3
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:imap2
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:submissions
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:submission
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:imaps
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:pop3s
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:8338
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:webmin
0 0 ACCEPT udp — any any anywhere anywhere state NEW,ESTABLISHED udp dpt:domain
0 0 ACCEPT udp — any any anywhere anywhere udp spt:domain
0 0 ACCEPT tcp — any any 192.168.1.0/24 anywhere ctstate NEW,ESTABLISHED tcp dpt:mysql
0 0 ACCEPT tcp — any any 192.168.1.77 anywhere ctstate NEW,ESTABLISHED tcp dpt:mysql
0 0 ACCEPT tcp — any any 192.168.1.222 anywhere ctstate NEW,ESTABLISHED tcp dpt:mysql
0 0 ACCEPT tcp — any any perc.ddns.net anywhere ctstate NEW,ESTABLISHED tcp dpt:mysql
0 0 ACCEPT tcp — any any 192.168.1.123 anywhere ctstate NEW,ESTABLISHED tcp dpt:mysql
0 0 ACCEPT tcp — eth0 any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:mysql
0 0 ACCEPT tcp — any any 192.168.1.0/24 anywhere ctstate NEW,ESTABLISHED tcp dpt:postgresql
0 0 ACCEPT tcp — eth0 any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:postgresql
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:3142
0 0 ACCEPT tcp — any any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:ssh
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:ssh
0 0 ACCEPT tcp — any any anywhere anywhere state NEW tcp dpt:ssh
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp — any any 192.168.1.222 anywhere tcp dpt:ssh
0 0 DROP tcp — any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:http limit: avg 20/min burst 100
0 0 ACCEPT tcp — any any 192.168.1.0/24 anywhere ctstate NEW,ESTABLISHED tcp dpt:rsync
0 0 ACCEPT udp — any any anywhere anywhere state NEW udp dpt:mdns
0 0 ACCEPT icmp — any any anywhere anywhere icmp echo-request
0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:auth
0 0 ACCEPT udp — any any anywhere anywhere udp spt:ntp
0 0 ACCEPT udp — any any anywhere anywhere state NEW udp dpt:ntp
0 0 DROP tcp — any any anywhere anywhere tcp dpts:nfs:2050
0 0 DROP tcp — any any anywhere anywhere tcp dpts:x11:6063
0 0 DROP tcp — any any anywhere anywhere tcp dpts:bbs:7010
0 0 LOG all — any any anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix “iptables denied: “
0 0 DROP all — any any anywhere anywhere ctstate INVALID
0 0 REJECT all — any any anywhere anywhere reject-with icmp-port-unreachable
0 0 DROP all — any any anywhere anywhere
0 0 ACCEPT all — any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP all — any any anywhere anywhere state INVALID
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all — any any anywhere anywhere reject-with icmp-port-unreachable
0 0 DROP all — any any anywhere anywhere
0 0 ACCEPT all — wlan0 eth0 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all — eth0 wlan0 anywhere anywhere
0 0 ACCEPT all — eth0 wlan0 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all — wlan0 eth0 anywhere anywhere
0 0 ACCEPT all — eth0 any anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2855K 14G ACCEPT all — any any anywhere anywhere state RELATED,ESTABLISHED
116K 9561K ACCEPT udp — any any anywhere anywhere udp dpt:domain
0 0 ACCEPT udp — any any anywhere dns.google udp dpt:domain
0 0 ACCEPT udp — any any anywhere dns.google udp dpt:domain
0 0 ACCEPT udp — any any anywhere dnslj1.t-2.net udp dpt:domain
0 0 ACCEPT udp — any any anywhere dnsmb1.t-2.net udp dpt:domain
0 0 ACCEPT all — any any anywhere anywhere ctstate ESTABLISHED
6041 408K ACCEPT all — any any anywhere anywhere
0 0 ACCEPT udp — any any anywhere anywhere udp dpt:ntp
0 0 ACCEPT udp — any any anywhere anywhere udp multiport dports ntp state NEW
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:http
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:https
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:ftp
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:smtp
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:imap2
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:imaps
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:pop3
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:pop3s
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:mysql
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:8338
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:webmin
0 0 ACCEPT tcp — any eth0 anywhere anywhere ctstate ESTABLISHED tcp spt:mysql
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:postgresql
0 0 ACCEPT tcp — any eth0 anywhere anywhere ctstate ESTABLISHED tcp spt:postgresql
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:ssh
0 0 ACCEPT tcp — any any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:ssh
0 0 ACCEPT tcp — any any anywhere anywhere ctstate ESTABLISHED tcp spt:rsync
0 0 ACCEPT all — any any anywhere 192.168.1.0/24
0 0 ACCEPT all — any any anywhere 192.168.1.77
0 0 ACCEPT all — any any anywhere perc.ddns.net
0 0 ACCEPT all — any any anywhere 192.168.1.123
0 0 ACCEPT all — any any anywhere 192.168.1.222
0 0 ACCEPT tcp — any any 192.168.1.222 anywhere tcp dpt:ssh
0 0 DROP tcp — any any anywhere anywhere tcp dpt:ssh
Chain block-scan (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp — any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
0 0 DROP all — any any anywhere anywhere
Chain f2b-apache-auth (1 references)
pkts bytes target prot opt in out source destination
3319K 198M RETURN all — any any anywhere anywhere
Chain f2b-apache-custom (1 references)
pkts bytes target prot opt in out source destination
18 876 REJECT all — any any 47.106.177.157 anywhere reject-with icmp-port-unreachable
20 1384 REJECT all — any any zg-0506a-125.stretchoid.com anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any 213.186.1.137 anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any ip-54-36-148-127.a.ahrefs.com anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any ip18.ip-51-222-253.net anywhere reject-with icmp-port-unreachable
1 40 REJECT all — any any 41.bl.bot.semrush.com anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any 5.bl.bot.semrush.com anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any hostglobal50env2.com anywhere reject-with icmp-port-unreachable
20 968 REJECT all — any any static.cmcti.vn anywhere reject-with icmp-port-unreachable
5043K 325M RETURN all — any any anywhere anywhere
Chain f2b-apache-fakegooglebot (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all — any any 45.144.112.133 anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any 178-159-11-18.as42831.net anywhere reject-with icmp-port-unreachable
5042K 324M RETURN all — any any anywhere anywhere
Chain f2b-apache-noscript (1 references)
pkts bytes target prot opt in out source destination
4087K 272M RETURN all — any any anywhere anywhere
Chain f2b-badbots (1 references)
pkts bytes target prot opt in out source destination
28 1396 REJECT all — any any petalbot-114-119-144-188.petalsearch.com anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any petalbot-114-119-155-170.petalsearch.com anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any petalbot-114-119-146-215.petalsearch.com anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any ip18.ip-51-222-253.net anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any 41.bl.bot.semrush.com anywhere reject-with icmp-port-unreachable
1 40 REJECT all — any any 5.bl.bot.semrush.com anywhere reject-with icmp-port-unreachable
5042K 324M RETURN all — any any anywhere anywhere
Chain f2b-postfix-sasl (1 references)
pkts bytes target prot opt in out source destination
5044K 325M RETURN all — any any anywhere anywhere
Chain f2b-recidive (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all — any any ip-54-36-148-127.a.ahrefs.com anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any ip18.ip-51-222-253.net anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any 41.bl.bot.semrush.com anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any 5.8.10.202 anywhere reject-with icmp-port-unreachable
35 4398 REJECT all — any any scanner-25.ch1.censys-scanner.com anywhere reject-with icmp-port-unreachable
5 200 REJECT all — any any 26.bl.bot.semrush.com anywhere reject-with icmp-port-unreachable
5 300 REJECT all — any any scanner-07.ch1.censys-scanner.com anywhere reject-with icmp-port-unreachable
11 660 REJECT all — any any 45.9.20.101 anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any 31.44.185.235 anywhere reject-with icmp-port-unreachable
15 760 REJECT all — any any 193.56.29.147 anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any 16.bl.bot.semrush.com anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any 13.bl.bot.semrush.com anywhere reject-with icmp-port-unreachable
0 0 REJECT all — any any 11.bl.bot.semrush.com anywhere reject-with icmp-port-unreachable
5044K 325M RETURN all — any any anywhere anywhere
[admin@perc ~]#
➡ Fail2Ban Namestitev in začetni zaščitni parametri nekaj custom filtrov npr. za wordpress in ostalo:
# Install fail2ban and create the local override file. fail2ban reads
# jail.conf and then jail.local; jail.conf is replaced on package upgrades, so
# every change belongs in jail.local (a file holding only the sections you
# change is enough - copying the whole jail.conf is optional).
sudo apt install fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Zdaj nastavite po vaših merah požarni zid primer spodaj extra filtri nastavitev za Fail2Ban:
Pred DDoS napadi smo se že zaščitili preko iptables, lahko pa za vaš strežnik Apache uporabite tudi druge module, kot sta mod_evasive ali mod_security; vendar je to nesmiselno, ker bomo v tem postopku praktično zaklenili celotno naše omrežje s par enostavnimi triki.
PCS-HCS@2000 Audio Server DEMO
Programska Oprema – Audio Server je dostopna preko DDLeWD (Spletni Disk – PSDrive) – AS-2000 WEBApp php/SQL public audio player
Primer postavitve extra filtrov osebne nastavitve:
sudo nano /etc/fail2ban/jail.local
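########################################################################
# PERC CUSTOM SETTINGS - PIRAMIDE STUDIO NET SLOVENIA EU HCS@2000 ####
########################################################################
# Every "filter = <name>" below refers to /etc/fail2ban/filter.d/<name>.conf.
# Those filter files are not shown on this page; each must exist before its
# jail is enabled, otherwise fail2ban reports an error for that jail.
# "banaction_allports" blocks an offender on every port, so the "port =" lines
# only take effect if you switch a jail back to a multiport ban action.
[error]
enabled = true
filter = error
port = http,https
#logpath = %(apache_access_log)s
logpath = /var/log/apache2/access.log
maxretry = 12
bantime = 6h
banaction = %(banaction_allports)s
action = %(action_mwl)s
[apache-custom]
enabled = true
filter = apache-custom
port = http,https
#logpath = %(apache_access_log)s
logpath = /var/log/apache2/access.log
maxretry = 1
bantime = 1h
banaction = %(banaction_allports)s
[badbots]
enabled = true
filter = badbots
port = http,https
#logpath = %(apache_access_log)s
logpath = /var/log/apache2/access.log
#banaction = iptables-multiport
#findtime = 600
maxretry = 1
bantime = 30m
banaction = %(banaction_allports)s
########################################################################
[apache-mod_evasive]
enabled = true
filter = apache-mod_evasive
logpath = %(syslog_daemon)s
maxretry = 1
bantime = 24h
banaction = %(banaction_allports)s
action = %(action_mwl)s
########################################################################
### Malware Trafic Detection System Sensor in Server Service MALTRAIL ##
[malwarenetworks]
enabled = true
filter = malwarenetworks
logpath = /var/log/maltrail/*-*-*.log
port = all
maxretry = 1
bantime = 24h
banaction = %(banaction_allports)s
#action = %(action_mwl)s
[media-server]
enabled = true
filter = media-server
port = http,https
#logpath = %(apache_access_log)s
logpath = /var/log/apache2/access.log
#findtime = 600
maxretry = 6
bantime = 1h
banaction = %(banaction_allports)s
action = %(action_mwl)s
[ddlenigma]
enabled = true
filter = ddlenigma
port = http,https
#logpath = %(apache_access_log)s
logpath = /var/log/apache2/access.log
#findtime = 60
maxretry = 6
bantime = 1h
banaction = %(banaction_allports)s
action = %(action_mwl)s
[ninjafirewall]
enabled = true
filter = ninjafirewall
port = http,https
#logpath = /var/log/auth.log
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
maxretry = 1
bantime = 1h
banaction = %(banaction_allports)s
action = %(action_mwl)s
[ninjafirewall-syslog]
enabled = true
filter = ninjafirewall-syslog
port = http,https
#logpath = /var/log/auth.log
logpath = %(syslog_ftp)s
backend = %(syslog_backend)s
maxretry = 6
bantime = 1h
banaction = %(banaction_allports)s
action = %(action_mwl)s
[wordpress]
enabled = true
filter = wordpress
port = http,https
#logpath = %(apache_access_log)s
logpath = /var/log/apache2/access.log
#findtime = 60
maxretry = 6
bantime = 1h
banaction = %(banaction_allports)s
action = %(action_mwl)s
[wordpress-hard]
enabled = true
filter = wordpress-hard
port = http,https
logpath = /var/log/auth.log
maxretry = 2
bantime = 1h
banaction = %(banaction_allports)s
action = %(action_mwl)s
[wordpress-soft]
enabled = true
filter = wordpress-soft
port = http,https
logpath = /var/log/auth.log
maxretry = 2
bantime = 1h
banaction = %(banaction_allports)s
action = %(action_mwl)s
[wordpress-extra]
enabled = true
filter = wordpress-extra
port = http,https
logpath = /var/log/auth.log
maxretry = 1
bantime = 1h
banaction = %(banaction_allports)s
action = %(action_mwl)s
# The section header below was missing in the original: without it the
# following keys were appended to [wordpress-extra], replacing its filter,
# logpath and maxretry, and no "audio" jail existed at all.
[audio]
enabled = true
filter = audio
port = http,https
#logpath = %(apache_access_log)s
logpath = /var/log/apache2/access.log
#findtime = 600
maxretry = 6
bantime = 1h
banaction = %(banaction_allports)s
action = %(action_mwl)s
########################################################################
########################################################################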
➡ Maltrail namestitev in integracija:
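#Ubuntu/Debian install:
# One apt-get call instead of the original's two (which also ran pip twice).
# python3-pcapy from apt and pcapy-ng from pip both provide the pcapy module
# Maltrail needs; on recent Debian/Ubuntu "sudo pip3 install" into the system
# Python may be refused (externally-managed environment) - the apt package is
# then sufficient on its own.
sudo apt-get install -y git python3 python3-dev python3-pip libpcap-dev build-essential procps schedtool python3-pcapy \
  && sudo pip3 install pcapy-ng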
SSL za python extra moduli:
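# SSL support for the Python modules above. The apt package python3-openssl
# *is* pyOpenSSL, so the original's extra "pip3 install pyopenssl" (and its
# repeated "pip3 install pcapy-ng", already done in the previous step) are
# not needed; python3-openssl was also listed twice.
sudo apt-get install -y python3-openssl python-openssl-doc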
Namestitev Senzor in Server:
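# Install sensor and server under /opt/maltrail as root. Clone once, and only
# when the directory is not there yet (the original cloned twice). Code pulled
# from a public repository is about to run as root: pin it to a reviewed
# release tag or commit (git clone --branch <tag> ...) rather than HEAD.
sudo su
cd /opt/
[[ -d maltrail ]] || git clone --depth 1 https://github.com/stamparm/maltrail.git
cd maltrail
# Quick test on the same machine - note this starts the *sensor* (sensor.py),
# not the server; the systemd units further down are the permanent way to
# run both. Running from the root shell, "sudo" is not needed here.
python3 sensor.py &
nano /opt/maltrail/maltrail.conf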
Testirate če vse dela npr. iz vašega windows terminala poizvedba ip serverja:
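# From another machine, send a request with the "Masscan" User-Agent to your
# own server (replace 89.212.137.96 with your server's address); the sensor is
# expected to report it. The original's middle line lacked "-A", so curl
# treated the word Masscan as a URL instead of a User-Agent.
curl -A "Masscan" 89.212.137.96
curl -I -A "Masscan" 89.212.137.96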
ali
### Test
# Smoke tests taken from Maltrail's README: one ping to an address and one DNS
# lookup of a name from its trail lists, each followed by a look at today's
# sensor log (one file per day, named YYYY-MM-DD.log).
ping -c 1 136.161.101.53
cat /var/log/maltrail/$(date +"%Y-%m-%d").log
nslookup morphed.ru
cat /var/log/maltrail/$(date +"%Y-%m-%d").log
Autostart – how to start the Maltrail sensor and server automatically at OS boot:
Moje osebne nastavitve skript autostart maltrail za python2:
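# Create the two systemd units. Written as quoted here-docs instead of the
# original "echo ... >> file" lines for two reasons: those lines used
# typographic quotes (“ ”), which bash passes through literally, so the unit
# files would have contained “[Unit]” and failed to parse; and ">>" appended a
# second copy of every line on each re-run. Overwriting with tee is idempotent.
# /usr/bin/python3 matches the interpreter used in the install and test steps
# above; the original pointed at /usr/bin/python, which current Debian/Ubuntu
# do not ship by default (only via the python-is-python3 package).
# The elasticsearch/kibana entries in After= are kept from the original;
# systemd ignores units named there that are not installed.
echo "Setting up the Maltrail Server service"
sudo tee /etc/systemd/system/maltrail_server.service >/dev/null <<'EOF'
[Unit]
Description=Maltrail Server service
After=network.target elasticsearch.service kibana.service

[Service]
Type=simple
ExecStart=/usr/bin/python3 /opt/maltrail/server.py
Restart=on-failure
RestartSec=30
StandardOutput=journal

[Install]
WantedBy=multi-user.target
EOF
echo "Setting up the Maltrail Sensor service"
sudo tee /etc/systemd/system/maltrail_sensor.service >/dev/null <<'EOF'
[Unit]
Description=Maltrail Sensor service
After=network.target elasticsearch.service kibana.service

[Service]
Type=simple
ExecStart=/usr/bin/python3 /opt/maltrail/sensor.py
Restart=on-failure
RestartSec=30
StandardOutput=journal

[Install]
WantedBy=multi-user.target
EOF
# Make systemd read the new unit files before they are started or enabled.
sudo systemctl daemon-reload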
Zdaj zaženite in aktivirajte storitvi ter naredite reboot:
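# Load the unit files (harmless if already done), start both services, and
# enable them so they come up at boot.
sudo systemctl daemon-reload
sudo systemctl start maltrail_sensor.service
sudo systemctl start maltrail_server.service
sudo systemctl enable maltrail_sensor.service
sudo systemctl enable maltrail_server.service
# Reboot only to prove the units start on their own; "systemctl status" below confirms it.
reboot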
Preverite če dela z status komando – spisek komand za server in senzor maltrail:
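# Reference list, one pair of commands per operation (the original repeated
# restart/start/status several times).
sudo systemctl status maltrail_sensor.service
sudo systemctl status maltrail_server.service
sudo systemctl restart maltrail_sensor.service
sudo systemctl restart maltrail_server.service
sudo systemctl stop maltrail_sensor.service
sudo systemctl stop maltrail_server.service
sudo systemctl start maltrail_sensor.service
sudo systemctl start maltrail_server.service
sudo systemctl enable maltrail_sensor.service
sudo systemctl enable maltrail_server.service
sudo systemctl disable maltrail_sensor.service
sudo systemctl disable maltrail_server.service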
V mapi vaše namestitve maltrail avtomatizirajte še fail2ban, maltrail in iptables preko skripta npr. tako:
# Create the refresh script in the Maltrail directory (as root; the script
# itself calls ipset and iptables, which need root anyway).
sudo su
cd /opt/maltrail/
nano /opt/maltrail/maltrail-ips.sh
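#!/bin/bash
# Refresh the "maltrail" ipset from the local Maltrail server's /fail2ban
# endpoint and make sure exactly one INPUT rule drops traffic from addresses
# in the set. Runs from root's crontab every minute, so it must be safe to
# repeat:
#  - the list is built in a scratch set and swapped in atomically, so the live
#    set is never empty mid-refresh and a failed fetch keeps the previous list
#    (the original flushed the live set before fetching);
#  - the DROP rule is inserted only when absent (the original ran "iptables -I"
#    unconditionally, adding one more copy to INPUT every minute).
set -euo pipefail

readonly set_name=maltrail
readonly tmp_set=maltrail-tmp
readonly feed_url='http://127.0.0.1:8338/fail2ban'

# Live set (hash:net, as in the original); -exist makes re-creation a no-op.
ipset create -exist "$set_name" hash:net

# Fetch first: if the Maltrail server is down, leave the current set untouched.
feed=$(curl -fsS --max-time 10 -- "$feed_url") \
  || { printf 'maltrail-ips: fetch of %s failed\n' "$feed_url" >&2; exit 1; }

# Scratch set of the same type; the trap removes it on every exit path
# (after a successful swap it holds the previous, now stale, list).
ipset destroy "$tmp_set" 2>/dev/null || true
ipset create "$tmp_set" hash:net
trap 'ipset destroy "$tmp_set" 2>/dev/null || true' EXIT

# Same filter as the original grep -P '^[0-9.]+$': keep only dotted-decimal
# lines, ignore anything else the endpoint returns.
while IFS= read -r ip; do
  [[ "$ip" =~ ^[0-9.]+$ ]] || continue
  ipset add -exist "$tmp_set" "$ip"
done <<<"$feed"

# Atomically replace the live contents.
ipset swap "$tmp_set" "$set_name"

# Insert the DROP rule once: -C returns non-zero when the rule is not present.
iptables -C INPUT -m set --match-set "$set_name" src -j DROP 2>/dev/null \
  || iptables -I INPUT -m set --match-set "$set_name" src -j DROP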
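## Save, then lock the script down: root's cron executes it, so it must be
## owned by root and writable by nobody else - a root-run cron script that
## another account can edit is a privilege-escalation path. chmod 700 keeps
## the execute bit the original "chmod +x" set and removes group/other access.
chown root:root /opt/maltrail/maltrail-ips.sh
chmod 700 /opt/maltrail/maltrail-ips.sh
## Add it to root's crontab (ipset/iptables need root), to run every minute:
sudo crontab -e
* * * * * /opt/maltrail/maltrail-ips.sh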
Poberite si mojo listo BadIPs preko URL in jo integrirajte v vaš Maltrail custom trails:
https://piramide.zapto.org/iplist.txt