Solved

Linux Apache Security

Posted on 2006-07-24
8
527 Views
Last Modified: 2012-05-05
I'm noticing several attempts by unfriendly IP's to gain access to my server through SSH.  

Can anyone help me through the steps of configuring my server's firewall to block ALL IP's, except mine of course.

Thanks.
0
Comment
Question by:marcparillo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 17167355
For the ssh?

iptables -I INPUT -p tcp --dport ssh -m state --state NEW -j REJECT
iptables -I INPUT -p tcp -s Your.first.IP --dport ssh -m state --state NEW -j ACCEPT
iptables -I INPUT -p tcp -s Your.second.IP --dport ssh -m state --state NEW -j ACCEPT

I used -I option (which inserts rule in the fron of chain) becouse You may already have some rules allowing ssh traffic.
If used in script, change -I to -A and reverse order of calls, and put in proper place of the chain
0
 
LVL 3

Author Comment

by:marcparillo
ID: 17167453
Thanks,
Do these changes require Apache to be restarted?
0
 
LVL 3

Author Comment

by:marcparillo
ID: 17167512
And just to double-check -- this is the file I'm updating -- correct?
I would add your lines just below :RH-Firewall-1-INPUT - [0:0]

[root@ ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 43

Expert Comment

by:ravenpl
ID: 17167517
No - they have nothing to do with apache. In fact ssh doen not require to be restarted neither.
They configuring Your local machine's firewall.

Note: if You want block access to apache www server, change -d ssh to -d http
0
 
LVL 43

Accepted Solution

by:
ravenpl earned 250 total points
ID: 17167538
OK, if You prefer modifying iptables config (which is good)
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s your.first.ip --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s your.second.ip --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
0
 
LVL 3

Author Comment

by:marcparillo
ID: 17167637
Thanks ravenpl --

So for the best blocking, you recommend updating this iptables config file by adding the lines:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s your.first.ip --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s your.second.ip --dport 22 -j ACCEPT

with the IP addresses that are friendly?

0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17167948
Yes.
0
 
LVL 3

Author Comment

by:marcparillo
ID: 17168177
Thank you.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
This is a high-level webinar that covers the history of enterprise open source database use. It addresses both the advantages companies see in using open source database technologies, as well as the fears and reservations they might have. In this…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question