Solved

How to protect linux server from hackers using iptables

Posted on 2009-04-02
5
838 Views
Last Modified: 2013-12-16
I connected my Linux server to the internet using a static IP. I want to secure my Linux server from hackers using iptables. I am new to iptables. We are using only SSH on that server. I have configured RSA key based authentication. I want to know how to secure my Linux server from hackers by blocking which port etc...
Question by:rajasekarramasamy
5 Comments
 
LVL 16

Accepted Solution

by:
Blaz earned 200 total points
ID: 24047554
Protecting from intruders is not a simple task - it should be done by an expert. However there are some steps that should be followed:

1. Enable only services that are necessary for the server - For example do not run bind if you don't use it.
2. Keep the programs up to date to avoid exploits of known security issues
3. Close all ports but the ones necessary for operation
4. Limit SSH connections to known IPs (or use other protection measures - port knocking)

So iptables configuration depends on what services you wish to run. To allow http (port 80) from all IPs and SSH (port 22) from two IPs write:

# allow all outbound traffic and everything on the loopback interface
iptables -A OUTPUT -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# accept replies to connections this host already opened
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# http from anywhere, ssh only from the two trusted addresses
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 111.111.111.111 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 222.222.222.222 -j ACCEPT
# everything not matched above is dropped
iptables -A INPUT -j DROP
 
LVL 14

Expert Comment

by:cjl7
ID: 24048566
And building on the previous comment the next step is to only allow stuff outbound as well. One primary goal of Crackers (we reserve the name hackers for people that like to hack stuff, i.e. not bad people...) is to be able to send spam.

So blocking outbound mail could be a good idea as well.

Cheers,

Jonas
 
LVL 14

Assisted Solution

by:Roachy1979
Roachy1979 earned 25 total points
ID: 24048615
To put it simply, as Blaz suggests....block everything, and allow only services that you explicitly need to, and make sure that access only occurs from IPs that you trust.

For example, if you know you need SSH access to the server from home, only permit SSH from your home IP address

Also - block outbound services.....as Jonas states.....unless you explicitly require those services - for example, if outbound mail is routed through a smarthost, permit only email to that host.

Linux is inherently more secure "out-of-the-box" - with no applications listening by default, but job #1 for me when implementing a Linux machine is getting iptables properly configured before installing any additional services....

You can check what ports (and applications ) are listening using

netstat -untap

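The three answers above together describe one ruleset: default-deny inbound, SSH only from trusted addresses (Blaz), and outbound restricted too, with mail allowed only to a smarthost (cjl7, Roachy1979). The script below is an added example, not code from the thread; it generates that ruleset in iptables-restore format rather than applying it, so it can be reviewed (and diffed against the listening ports `netstat -untap` reports) before loading. The smarthost and admin addresses are constructed placeholders, `-m conntrack --ctstate` is the current spelling of the thread's `-m state --state`, and the refusal to emit a ruleset with no admin IP is a lock-out guard of my own, not something the answers state.

```shell
#!/bin/sh
# Added example (not from the original thread): build a default-deny iptables
# ruleset in iptables-restore format. Inbound: HTTP from anywhere, SSH only
# from listed admin IPs. Outbound: DNS, HTTP/HTTPS for updates, SMTP only to
# one smarthost; everything else is dropped by chain policy and logged.
# All addresses used below are constructed placeholders.

# build_ruleset SMARTHOST_IP ADMIN_IP...  -> prints the ruleset to stdout
build_ruleset() {
    smarthost="$1"; shift
    # Guard: with a DROP policy and no SSH allow rule you lock yourself out.
    if [ "$#" -eq 0 ]; then
        echo "refusing: no admin IP given, ruleset would block all SSH" >&2
        return 1
    fi
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # loopback and replies to connections the kernel already tracks
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # services offered to the world
    echo '-A INPUT -p tcp --dport 80 -j ACCEPT'
    # SSH only from the admin addresses; anything else on 22 is logged, then
    # falls through to the DROP policy (rate-limited so the log cannot be flooded)
    for ip in "$@"; do
        echo "-A INPUT -p tcp --dport 22 -s $ip -j ACCEPT"
    done
    echo '-A INPUT -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix "ssh-denied: "'
    # outbound: only what the server itself needs
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    echo '-A OUTPUT -p tcp --dport 53 -j ACCEPT'
    echo '-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT'
    # mail may leave only towards the smarthost; a compromised box trying to
    # spam directly shows up in the log instead
    echo "-A OUTPUT -p tcp --dport 25 -d $smarthost -j ACCEPT"
    echo '-A OUTPUT -p tcp --dport 25 -m limit --limit 5/min -j LOG --log-prefix "smtp-denied: "'
    echo 'COMMIT'
}

# Usage (not run here): build_ruleset 10.0.0.25 198.51.100.10 > /etc/iptables.rules
#                       iptables-restore < /etc/iptables.rules
build_ruleset 10.0.0.25 198.51.100.10 203.0.113.7
```

Load it from a console session or with a scheduled `iptables-restore` of the previous ruleset a few minutes later, so a mistake in the admin IP list does not leave the box unreachable.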
 
LVL 3

Assisted Solution

by:nevvamind
nevvamind earned 25 total points
ID: 24057657
Since you're only using SSH, you'll quickly get going with the rules above.

However, this won't save you from the ever so ubiquitous dictionary based brute-force attacks.
For this you need something which dynamically adapts to persistent unauthorized authentication attempts.
So use either Fail2Ban (http://www.fail2ban.org/wiki/index.php/Main_Page) OR DenyHosts (http://denyhosts.sourceforge.net/).
..... btw, fail2ban is better !
 
LVL 14

Expert Comment

by:Roachy1979
ID: 24057818
You only need to worry about Fail2Ban if you're permitting SSH from any IP:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

If you permit SSH only from specific IPs:

iptables -A INPUT -p tcp --dport 22 -s xxx.xxx.xxx.xxx -j ACCEPT

then Fail2Ban isn't necessary - it is a great tool though if (like me) you use SSH from anywhere....
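What Fail2Ban and DenyHosts automate, as nevvamind describes, is reading sshd's log, counting failed logins per source address and adding a block rule once a threshold is passed. The script below is an added example (not from the thread or from either project) that does that one pass by hand over a few constructed auth.log lines, so you can see exactly what such a tool reacts to. The threshold, the log lines and the addresses are all made up for the example; the ban rules are printed, not executed.

```shell
#!/bin/sh
# Added example (not from the original thread): the check Fail2Ban automates,
# done once by hand. Count "Failed password" lines per source IP in sshd log
# output and turn repeat offenders into iptables DROP rules.
# The log below is a constructed sample, not a real log file.

SAMPLE_LOG='Apr  2 10:01:01 srv sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Apr  2 10:01:03 srv sshd[2212]: Failed password for root from 203.0.113.45 port 51030 ssh2
Apr  2 10:01:05 srv sshd[2214]: Failed password for invalid user oracle from 203.0.113.45 port 51041 ssh2
Apr  2 10:01:08 srv sshd[2216]: Failed password for invalid user test from 203.0.113.45 port 51052 ssh2
Apr  2 10:01:09 srv sshd[2218]: Failed password for root from 203.0.113.45 port 51060 ssh2
Apr  2 10:02:11 srv sshd[2230]: Accepted publickey for deploy from 198.51.100.10 port 40112 ssh2
Apr  2 10:03:40 srv sshd[2240]: Failed password for deploy from 198.51.100.10 port 40120 ssh2
Apr  2 10:03:44 srv sshd[2242]: Accepted publickey for deploy from 198.51.100.10 port 40121 ssh2'

# offenders THRESHOLD  reads log lines on stdin, prints "IP COUNT" for every
# source with at least THRESHOLD failed password attempts
offenders() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }
    '
}

# ban_rules THRESHOLD  turns offenders into iptables commands (printed only).
# Keep your own admin addresses out of the log you feed in, or filter them
# here: "-I" puts the DROP ahead of the SSH allow rules, so a typo-prone
# admin could ban themselves.
ban_rules() {
    offenders "$1" | while read -r ip n; do
        echo "iptables -I INPUT -p tcp --dport 22 -s $ip -j DROP   # $n failures"
    done
}

# one legitimate typo (1 failure) stays below the threshold; the dictionary
# run from 203.0.113.45 (5 failures) gets a rule
printf '%s\n' "$SAMPLE_LOG" | ban_rules 5
```

If SSH is already limited to known addresses as in the accepted solution, these attempts never reach sshd and the log stays empty, which is the point of Roachy1979's follow-up; the counting only matters when port 22 is open to the world.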
