Firewall software...

Hey,

I have a major problem with hackers trying to get into my box; what I need is simple-to-install firewall software to block these attacks. I have about 5k different IPs a day trying to log into my box, each several hundred times.

You could use the Linux built-in iptables. I don't really know a lot about it myself, but I'm sure Google could help you out with that.

[EDIT]
I added APF to my InterWorx Server. Easy to install and setup and works great!

Although if you don't feel like doing it yourself, I believe it will be included in the default InterWorx setup sometime in the next few months.

Check out APF: http://rfxnetworks.com/apf.php

It’s simple to setup / use and will do all you need and then some :).

Chris

I also recommend the use of APF. I find it very useful.
Very simple to set up and use :)

You may also try :
SIM : System Integrity Monitor
BFD : Brute force detection
PSAD : Port scan attack detector

In addition, the use of a secure OS may also help. There are, for example, projects such as Bastille or grsecurity…
r-fxnetworx also provides a script, LES (Linux Environment Security), that secures RedHat/RPM-based environments:

Linux Environment Security is intended as a facility to quickly & easily secure RedHat/RPM based environments (i.e: turbo linux, open linux). It does such by enforcing root-only permissions on system binaries (binaries that have no place being executed by normal users), enforcing root-only path traversal on system paths, enforcing immutable bit on essential rpm package contents (i.e: coreutils), and enforcing immutable bit on shell profile scripts.

The combined usage of all les options provides an increased level of local environment security, in the hopes to stem off environment based attacks. Such attacks would consist of back-dooring system binaries; tainting the $PATH variable to point to alien paths where back-doored binaries are located; alterations to user profile scripts to activate key loggers or process based hijacking; traversal exploration of the system paths etc…; the possible attack trends are endless hence the importance of hardening the local environment space.

Could an iworx member tell me if there are any known issues with grsecurity?

Pascal
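The BFD idea mentioned above (count failed logins per source and block the source once it crosses a rate) is small enough to show in full. The script below is an added example, not BFD's own code and not code from anyone in this thread: it parses constructed sshd "Failed password" lines, counts failures per IP inside a sliding five-minute window, and prints the iptables command that would hand each offender to a logging DROP chain. The chain name FIREWALL, the thresholds and the log lines are all assumptions made for the example.

```python
"""Added example: a minimal brute-force detector in the spirit of BFD.

Counts failed sshd logins per source IP inside a sliding time window and
emits the iptables command that sends each offender to a logging DROP chain.
The log lines are constructed for the example; the chain name FIREWALL is an
assumption (any user-defined chain that ends in DROP will do).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines (not real traffic).
SAMPLE_LOG = """\
Mar  9 09:00:00 web sshd[1100]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  9 09:12:00 web sshd[1101]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar  9 09:24:00 web sshd[1102]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar  9 09:36:00 web sshd[1103]: Failed password for root from 192.0.2.9 port 33004 ssh2
Mar  9 09:48:00 web sshd[1104]: Failed password for root from 192.0.2.9 port 33005 ssh2
Mar  9 10:00:01 web sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  9 10:00:05 web sshd[1202]: Failed password for root from 203.0.113.7 port 40123 ssh2
Mar  9 10:00:09 web sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Mar  9 10:00:14 web sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 40125 ssh2
Mar  9 10:00:20 web sshd[1205]: Failed password for root from 203.0.113.7 port 40126 ssh2
Mar  9 10:00:27 web sshd[1206]: Failed password for root from 203.0.113.7 port 40127 ssh2
Mar  9 10:05:00 web sshd[1300]: Failed password for invalid user oracle from 198.51.100.23 port 51000 ssh2
Mar  9 10:05:30 web sshd[1301]: Failed password for invalid user oracle from 198.51.100.23 port 51001 ssh2
Mar  9 10:06:00 web sshd[1302]: Accepted publickey for jb from 198.51.100.23 port 51002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2005):
    """Return (timestamp, ip, user) for every failed-password line.

    syslog omits the year, so the caller supplies it (2005 matches the thread).
    Accepted logins and unrelated lines are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((ts, m["ip"], m["user"]))
    return events


def find_offenders(events, threshold=5, window_seconds=300):
    """Map IP -> peak failure count inside any window of window_seconds.

    Only IPs whose peak reaches the threshold are returned, so a slow scan
    that never exceeds the rate (192.0.2.9 above, one try per 12 minutes)
    is not blocked.
    """
    by_ip = defaultdict(list)
    for ts, ip, _user in events:
        by_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):  # two-pointer sliding window
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def block_commands(offenders, chain="FIREWALL", iptables="/sbin/iptables"):
    """Build the iptables commands that send each offender to `chain`.

    -I (insert at the top of INPUT) matters: an -A rule would land behind
    the rule that accepts port 22 and would never see the attacker's SYNs.
    """
    return [f"{iptables} -I INPUT -s {ip} -j {chain}" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(parse_failures(SAMPLE_LOG))
    for cmd in block_commands(found):
        print(cmd)
```

Run against the sample it prints one command, for 203.0.113.7 (six failures in 26 seconds); 198.51.100.23 stays under the threshold and 192.0.2.9 spreads its five tries over an hour. A cron job feeding the real auth log through this would want to skip addresses already blocked and expire blocks after a while, which is the part BFD and APF add on top.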

OK … I’m about to step a bit to the edge of my abilities here.

I was (apparently) having issues with APF/AD and BFD on my server. So, I thought to myself, “Self … it’s about time to learn a bit about IPTables.” It seemed that if I was going to take the time to learn how and why APF was working (or not), I may as well spend the time getting used to the syntax of IPTables.

I did a bunch of searching, found a LOT of common threads, a LOT of reasons to do certain things and not others and have learned enough about myself to know I’ll learn things best if I just jump in and start typing.

[As for a little background, I’ve been a Windows admin for about 10 years and have been looking for a new challenge. So, recently I’ve taken up learning a bit about Linux, hand-coding XHTML and running some game servers. Along with the latter, I’ve put it to myself to wrap my mind around IPSec Policies (the MS flavor of IPTables). “What better place to start,” I thought. “I’ll write my own little (probably useless) firewall script for my Linux web box.” I don’t need the Queen Mary of scripts, just something that cleans it all out and adds only what I need for my situation.]

As it turns out, it seems to work.

Why am I telling you? 'Cause I’d like a second set of eyes on it. Look at it and let me know what you see missing/in error/silly and whatnot.
And more importantly, what should I expect to not work.

Any feedback is appreciated:

#!/bin/bash
# IPTables Firewall Script
# Created by JayBaen -- March 9, 2005

echo "Starting JB's Custom Firewall Setup"

# Define the path
tbl="/sbin/iptables"


# Load the FTP connection-tracking helper (modprobe resolves the module
# path and its dependencies; insmod needs the full module path and does not).
/sbin/modprobe ip_conntrack_ftp

echo "Flushing Old Rules . . ."

# Flush *all* old rules
$tbl -F  # Filter table (INPUT/OUTPUT/FORWARD)
$tbl -F -t mangle # Mangle table
$tbl -F -t nat # NAT table
$tbl -X  # Chains (user-defined)

# Set up the New User-Defined "FIREWALL" chain
# Anything 'fed' to this chain is logged, then dropped.
# (With thousands of scanning hosts a day, consider -m limit on the LOG
# rule so the log cannot be flooded.)
$tbl -N FIREWALL
$tbl -A FIREWALL -j LOG --log-level info --log-prefix "JB-Firewall:"
$tbl -A FIREWALL -j DROP


# Allow Loopback Traffic
# Match on the interface rather than 127.0.0.1/32 so the whole 127.0.0.0/8
# range and local connections to the box's own public IP are not dropped.
$tbl -A INPUT -i lo -j ACCEPT # Localhost communication

echo "Setting up INPUT policies . . ."

# Various INPUT Rules:
#
$tbl -P INPUT DROP # Default Input policy DROP
#
$tbl -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP # Drop NEW TCP packets that are not a plain SYN
#
$tbl -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # Continue to communicate with established connections
#
$tbl -A INPUT -p tcp --syn --dport 21 -j ACCEPT # ACTIVE FTP (Passive is not a preference).
#
$tbl -A INPUT -p tcp --destination-port 22 -j ACCEPT # SSH from ANY external host (not a preference).
#
$tbl -A INPUT -p tcp -m state --state NEW --dport 25 -j ACCEPT # SMTP
#
$tbl -A INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT # DNS (tcp)
#
$tbl -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT # DNS (udp)
#
$tbl -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT # HTTP
#
$tbl -A INPUT -p tcp -m state --state NEW --dport 110 -j ACCEPT # POP3
#
$tbl -A INPUT -p tcp -m state --state NEW --dport 143 -j ACCEPT # IMAP
#
$tbl -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT # HTTPS/SSL
#
#$tbl -A INPUT -p tcp -m state --state NEW --dport 465 -j ACCEPT # SMTPS (implicit TLS; STARTTLS runs on 25/587)
#
$tbl -A INPUT -p tcp -m state --state NEW --dport 783 -j ACCEPT # SpamAssassin Daemon (normally only needs localhost)
#
$tbl -A INPUT -p tcp -m state --state NEW --dport 993 -j ACCEPT # IMAPS
#
$tbl -A INPUT -p tcp -m state --state NEW --dport 995 -j ACCEPT # POP3S
#
#$tbl -A INPUT -p tcp -m state --state NEW --dport 953 -j ACCEPT # BIND rndc control channel (leave closed to the outside)
#
$tbl -A INPUT -p tcp -m state --state NEW --dport 2080 -j ACCEPT # Nodeworx Horde/Squirrelmail
#
$tbl -A INPUT -p tcp -m state --state NEW --dport 2306 -j ACCEPT # Nodeworx mySQL
#
$tbl -A INPUT -p tcp -m state --state NEW --dport 2443 -j ACCEPT # Nodeworx SSL
#
$tbl -A INPUT -p tcp -m state --state NEW --dport 3306 -j ACCEPT # mySQL (only needed for remote clients; otherwise leave closed)
#
$tbl -A INPUT -p icmp -m limit --limit 2/sec --limit-burst 2 --icmp-type 8 -j ACCEPT # Limited Ping for everyone

echo "Setting up OUTPUT policies . . ."

# Various OUTPUT rules:
$tbl -P OUTPUT ACCEPT # Allow everything out.

echo "Setting up FORWARD policies . . ."

# Various FORWARD rules:
$tbl -P FORWARD DROP # Do not forward by default.

echo "Setting up TRUSTED policies . . ."

# Setup TRUSTED Chain
$tbl -N TRUSTED # Giving it a name
#
# In the following rules, 
# -s entry should be your Trusted Host
# -d will be the destination IP in the rules below:
$tbl -A TRUSTED -s ss.ss.ss.ss -d dd.dd.dd.dd -p icmp -m icmp --icmp-type 8 -j ACCEPT # Non-Limited Ping for Trusted Host Only
$tbl -A TRUSTED -s ss.ss.ss.ss -d dd.dd.dd.dd -p tcp --destination-port 22 -j ACCEPT # SSH for Trusted Host Only
$tbl -A INPUT -j TRUSTED


# If none of the above apply, DROP via the "FIREWALL" chain
# (non-SYN TCP that is not part of a tracked connection falls through to the
# default DROP policy without being logged).
$tbl -A INPUT -p icmp -j FIREWALL
$tbl -A INPUT -p tcp --syn -j FIREWALL
$tbl -A INPUT -p udp -j FIREWALL

echo "Finished setting up JB's custom firewall."

# This firewall will not be active on next startup unless you save the policies
# /sbin/iptables-save > /etc/sysconfig/iptables # Leave commented out until you're *sure* of the results.
#

(N.B. I’ve left out PASV FTP on purpose).

JB

In APF you only have to define which ports have to be open for input and output (if you choose to filter your output).

You do this by editing the /etc/apf/conf.apf file. That’s all

APF already has a ton of rules set up.

But your script seems correct to me. Maybe a problem with passive mode FTP. Did you test it using an FTP client?

EDIT :
Oops, forget the FTP PASV mode problem, I didn't see your comment.

Pascal

I use KissMYFirewall, it's a fantastic ready-to-install script that works great, you can get it here http://www.geocities.com/steve93138/.

You’ll have to update the tcp ports to include the iworx port lest you get shut out…

Also godboko,

the single best protection you can put in place is to disable telnet, and then access the system and create a user with a name of at least 16 characters or more.

Assign this user a password of 25 characters or more. Phrases work well and are easy for you to remember; think of things like favorite song passages. You'll be amazed, it's actually much easier to remember them than complicated password schemes, and because of the length it's much, much harder to crack.

Phrases like “myneighborbobisabigfatuglyjerkwithgreenteeth” tend to be easy to remember and impossible to crack.

Then access your ssh settings and disable root login and set ssh to only allow this one user to log into the system.

You now have created a situation where, one, the user ID would have to be guessed, which is highly unlikely, and two, once they got that they would have to somehow crack a password that's greater than 25 characters, is not found in any dictionary and is not any of the millions and millions of common password schemes.

Of course, if they get past all of that, then this user can't really do anything and they would have to su to root, where you have another long phrase password like “mywifeisthemostbeautifulwomaninthewholewideworld”. This is especially a great password if you actually ever have to give it to your wife :>)

In addition, consider changing the SSH port to some obscure number that would be hard to guess as well; I use a 5-digit number. Make sure that this port is permitted in any firewall scripts and that the default one of 22 is closed.

Do all of that and I’m pretty sure that you’ll see these attackers go away…
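The three sshd changes in the post above (no direct root login, a single allowed login user with a long name, and a non-default port) are all visible in sshd_config, so they can be checked mechanically. The script below is an added example and not part of the original post: it parses a constructed "weak" and "hardened" sshd_config and lists which of the three pieces of advice each one misses. The user name, the port number and the 16-character minimum are placeholders taken from the post, not recommendations of specific values.

```python
"""Added example: audit an sshd_config against the post's advice
(PermitRootLogin no, an AllowUsers entry with a long user name, Port != 22).

Both configs are constructed for the example; the port and the user name are
placeholders, not recommended values.
"""
import re

# Constructed: the out-of-the-box shape a brute-forcer hopes to find.
WEAK_CONFIG = """\
# sshd_config
Port 22
Protocol 2
PermitRootLogin yes
"""

# Constructed: the same file after applying the post's advice.
HARDENED_CONFIG = """\
# sshd_config
Port 48213
Protocol 2
PermitRootLogin no
AllowUsers ops-jbaen-webadmin-01
"""

# sshd accepts "Keyword value" or "Keyword=value".
OPTION_RE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*?)\s*$")


def parse_sshd_config(text):
    """Return {keyword_lowercase: first_value} for the global section.

    sshd keeps the first value it sees for a keyword and ignores later
    repeats, so the first occurrence wins here too.  Everything from the
    first Match block onward is conditional and is left out of this audit.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        options.setdefault(key, value)
    return options


def audit_sshd_config(text, min_user_len=16):
    """Return a list of findings; an empty list means all three checks pass."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("port", "22") == "22":
        findings.append("Port: sshd listens on 22; move it off the default port")
    # sshd of that era defaulted PermitRootLogin to yes, so 'missing' counts as yes.
    if cfg.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin: root can log in directly; set it to no")
    users = cfg.get("allowusers", "").split()
    if not users:
        findings.append("AllowUsers: not set; every account is a valid login target")
    for user in users:
        name = user.split("@", 1)[0]  # AllowUsers also accepts user@host patterns
        if len(name) < min_user_len:
            findings.append(f"AllowUsers: '{name}' is shorter than {min_user_len} characters")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or "OK")
```

The weak file produces three findings and the hardened one none. Password length, the other half of the advice, is not something the config can show, and the check stops at the first Match block because anything below it only applies conditionally.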

Hey all, forgot about this post. They never got into the system; I already have a good password and username scheme set up for SSH, and telnet is not on my box.

Anyway they have seemed to stop for the most part.

PS I will look into the firewalls. I have one set up now, but I'm not liking it.