My iptables example (with some fail2ban additions) with error logging

Support for security such as Firewalls and securing linux
Posts: 78
Joined: 2016/04/04 07:42:58


Post by aegersz » 2018/01/15 13:43:53

Ready to be loaded ... it took me a while to get right and it's a good example to base yours on. The IP addresses, ports and fail2ban data need modification and/or removal, and kernel debugging needs enabling for logging.

*filter
# Built-in chain policies are not declared here (the post does not state them);
# add lines such as ":INPUT DROP [0:0]" to set them, otherwise the policies
# already configured on the box are kept.
:ATTACKED - [0:0]
:ATTK_CHECK - [0:0]
:SSHATTACK - [0:0]
:SSHA_CHECK - [0:0]
:syn-flood - [0:0]
:rst-flood - [0:0]
:f2b-SSH - [0:0]
:f2b-apache-overflows - [0:0]
:f2b-dovecot - [0:0]
:f2b-dovecot-pop3imap - [0:0]
:f2b-postfix - [0:0]
:f2b-webmin - [0:0]
# "Hardening: Drop NEW connections that do not start with SYN"
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# "Hardening: Drop bogus TCP flag combinations (only FIN+URG+PSH set, or all flags set)"
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# "Hardening: Drop NULL packets (no flags set)"
-A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " NULL Packets " --log-level 7
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# "Hardening: Drop SYN+FIN packets"
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " XMAS Packets " --log-level 7
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# "Hardening: Drop FIN packet scans (FIN without ACK)"
-A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " Fin Packets Scan " --log-level 7
-A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# "Hardening: Log and get rid of broadcast / multicast and invalid"
-A INPUT -m pkttype --pkt-type broadcast -j LOG --log-prefix " Broadcast " --log-level 7
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m pkttype --pkt-type multicast -j LOG --log-prefix " Multicast " --log-level 7
-A INPUT -m pkttype --pkt-type multicast -j DROP
-A INPUT -m state --state INVALID -j LOG --log-prefix " Invalid " --log-level 7
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Whitelist (x.x.x.x are placeholders: replace with your own addresses)
-A INPUT -s x.x.0.0/16 -j ACCEPT
-A INPUT -s x.x.x.x/32 -j ACCEPT
# etc.
# Blacklist
-A INPUT -s x.x.0.0/16 -j DROP
-A INPUT -s x.x.x.x/32 -j DROP
# etc.
# SSH: drop sources banned in the last hour, count new connections, then hand over to fail2ban
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 3600 --name SSHBAN --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSHA_CHECK
-A INPUT -p tcp -m tcp --dport 22 -j f2b-SSH
-A INPUT -p tcp -m multiport --dports 80,443,25,2525,587,110,995,143,993,4190 -j f2b-postfix
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j f2b-dovecot-pop3imap
-A INPUT -p tcp -m multiport --dports 110,995,143,993,587,465,4190 -j f2b-dovecot
-A INPUT -p tcp -m multiport --dports 10000 -j f2b-webmin
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-overflows
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j rst-flood
# Mail/FTP services: drop sources banned in the last hour, then rate-check new connections
-A INPUT -p tcp -m multiport --dports 21,110,143,993,995 -m recent --update --seconds 3600 --name BANNED --rsource -j DROP
-A INPUT -p tcp -m multiport --dports 21,110,143,993,995 -m state --state NEW -j ATTK_CHECK
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2525 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8020 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8021 -j ACCEPT
# Port-scan trap: a probe to the unused port 139 bans the source for a day
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A INPUT -m recent --remove --name portscan --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "portscan:" --log-level 7
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --rsource
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
# ATTK_CHECK: 16 new connections per hour or 6 per 6 minutes from one source -> ATTACKED (log, ban, drop)
-A ATTACKED -m limit --limit 5/min -j LOG --log-prefix "IPTABLES (Rule ATTACKED): " --log-level 7
-A ATTACKED -m recent --set --name BANNED --rsource -j DROP
-A ATTK_CHECK -m recent --set --name ATTK --rsource
-A ATTK_CHECK -m recent --update --seconds 3600 --hitcount 16 --name ATTK --rsource -j ATTACKED
-A ATTK_CHECK -m recent --update --seconds 360 --hitcount 6 --name ATTK --rsource -j ATTACKED
# SSHA_CHECK: 15 new SSH connections per hour from one source -> SSHATTACK (log, ban, drop)
-A SSHATTACK -j LOG --log-prefix "Anti SSH-Bruteforce: " --log-level 7
-A SSHATTACK -m recent --set --name SSHBAN --rsource -j DROP
-A SSHA_CHECK -m recent --set --name SSHA --rsource
-A SSHA_CHECK -m recent --update --seconds 3600 --hitcount 15 --name SSHA --rsource -j SSHATTACK
# Flood chains: let 10/sec (burst 20) through, log and drop the rest
-A syn-flood -m limit --limit 10/sec --limit-burst 20 -j RETURN
-A syn-flood -j LOG --log-prefix "SYN flood: " --log-level 7
-A syn-flood -j DROP
-A rst-flood -m limit --limit 10/sec --limit-burst 20 -j RETURN
-A rst-flood -j LOG --log-prefix "RST flood: " --log-level 7
-A rst-flood -j DROP
# fail2ban chains: one REJECT per banned address (x.x.x.x is a placeholder), then RETURN
-A f2b-SSH -s x.x.x.x/32 -j REJECT --reject-with icmp-port-unreachable
# etc.
-A f2b-SSH -j RETURN
-A f2b-apache-overflows -j RETURN
-A f2b-dovecot -j RETURN
-A f2b-dovecot-pop3imap -j RETURN
-A f2b-postfix -s x.x.x.x/32 -j REJECT --reject-with icmp-port-unreachable
# etc.
-A f2b-postfix -j RETURN
-A f2b-webmin -j RETURN
COMMIT

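An added lint for rule files in this iptables-restore format (my own example, not part of aegersz's post): it reports jumps to, or appends on, chains that were never declared with a ":NAME" line, address options left without an address (a "-s -j REJECT" line fails to load), and rules repeated verbatim inside a chain. The SAMPLE excerpt is constructed for the demonstration and deliberately contains those defects.

```python
BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}
STD_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MARK"}
ADDR_OPTS = {"-s", "--source", "-d", "--destination"}

# Constructed excerpt (not the post's file) with a repeated rule and a bare "-s".
SAMPLE = """\
*filter
:SSHATTACK - [0:0]
:SSHA_CHECK - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSHA_CHECK
-A INPUT -p tcp -m tcp --dport 22 -j f2b-SSH
-A SSHATTACK -j LOG --log-prefix "Anti SSH-Bruteforce: " --log-level 7
-A SSHATTACK -m recent --set --name SSHBAN --rsource -j DROP
-A SSHATTACK -m recent --set --name SSHBAN --rsource -j DROP
-A SSHA_CHECK -m recent --set --name SSHA --rsource
-A SSHA_CHECK -m recent --update --seconds 3600 --hitcount 15 --name SSHA --rsource -j SSHATTACK
-A f2b-SSH -s -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def lint_rules(text):
    """Return sorted [(line_no, message)] for an iptables-restore dump: chains
    used but never declared, address options with no address, verbatim repeats."""
    findings, declared, refs, seen = [], set(BUILTIN), [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(":"):              # ":NAME POLICY [pkts:bytes]" declares a chain
            declared.add(line[1:].split()[0])
            continue
        if not line.startswith("-A "):        # blank, comment, "*filter" or COMMIT
            continue
        toks = line.split()
        if line in seen:                      # same rule twice: dead or redundant
            findings.append((no, f"duplicate of line {seen[line]}"))
        seen.setdefault(line, no)
        refs.append((no, "append to", toks[1]))
        for i, t in enumerate(toks):          # "-s -j ...": the option swallowed the next flag
            if t in ADDR_OPTS and (i + 1 == len(toks) or toks[i + 1].startswith("-")):
                findings.append((no, f"{t} has no address"))
        if "-j" in toks:
            refs.append((no, "jump to", toks[toks.index("-j") + 1]))
    for no, what, chain in refs:              # resolve after every ":CHAIN" line is read
        if chain not in declared and chain not in STD_TARGETS:
            findings.append((no, f"{what} undeclared chain {chain}"))
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in lint_rules(SAMPLE):
        print(f"line {no}: {msg}")
```

Run it against your own file with lint_rules(open(path).read()) before handing the file to iptables-restore.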