Appropriate firewall rules heavily depend on the services being run. Below are iptables rulesets to secure your Linode if you’re running a web server. These are given as an example! A real production web server may want or require more or less configuration and these rules would not be appropriate for a file or database server, Minecraft or VPN server, etc.
iptables rules can always be modified or reset later, but these basic rulesets serve only as a beginning demonstration.
IPv4
/tmp/v4
*filter# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-AINPUT -ilo -jACCEPT
-AINPUT ! -ilo -s127.0.0.0/8 -jREJECT# Allow ping and traceroute.
-AINPUT -picmp --icmp-type3 -jACCEPT
-AINPUT -picmp --icmp-type8 -jACCEPT
-AINPUT -picmp --icmp-type11 -jACCEPT# Allow SSH connections.
-AINPUT -ptcp -mstate --stateNEW --dport22 -jACCEPT# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-AINPUT -ptcp --dport80 -jACCEPT
-AINPUT -ptcp --dport443 -jACCEPT# Accept inbound traffic from established connections.
-AINPUT -mstate --stateESTABLISHED,RELATED -jACCEPT# Log what was incoming but denied (optional but useful).
-AINPUT -mlimit --limit5/min -jLOG --log-prefix"iptables_INPUT_denied: " --log-level7# Reject all other inbound.
-AINPUT -jREJECT# Log any traffic which was sent to you
# for forwarding (optional but useful).
-AFORWARD -mlimit --limit5/min -jLOG --log-prefix"iptables_FORWARD_denied: " --log-level7# Reject all traffic forwarding.
-AFORWARD -jREJECTCOMMIT
Optional: If you plan to use Linode Longview, add this additional rule below the section for allowing HTTP and HTTPS connections:
# Allow incoming Longview connections
-A INPUT -s longview.linode.com -m state --state NEW -j ACCEPT
Rsync (Remote Sync) is a most commonly used command for copying and synchronizing files and directories remotely as well as locally in Linux/Unix systems. With the help of rsync command you can copy and synchronize your data remotely and locally across directories, across disks and networks, perform data backups and mirroring between two Linux machines.
This article explains 10 basic and advanced usage of the rsync command to transfer your files remotely and locally in Linux based machines. You don’t need to be root user to run rsync command.
Some advantages and features of Rsync command
It efficiently copies and sync files to or from a remote system.
Supports copying links, devices, owners, groups and permissions.
It’s faster than scp (Secure Copy) because rsync uses remote-update protocol which allows to transfer just the differences between two sets of files. First time, it copies the whole content of a file or a directory from source to destination but from next time, it copies only the changed blocks and bytes to the destination.
Rsync consumes less bandwidth as it uses compression and decompression method while sending and receiving data both ends.
When the Great Firewall of China starts hosing your server with unexpected and unrelated traffic, how do you deal with it?
Discovering a problem
Three times in the last week I’ve had email reports from my Linode’s automatic warning system, informing me that the server had exceeded an average 8Mb/s output for a two hour period. Each time I logged on the traffic had gone right back down, and my website analytics never showed unusual traffic. By the third occurrence I wanted to get to the bottom of it, and I already had suspicions.
Those spikes are not normal.
Earlier in the day I’d stumbled across Craig Hockenberry’s post Fear China, where he was seeing a similar (but larger) problem over a longer period than I was. I looked into my access logs… and discovered I did indeed have the same problem, though it looks like I caught it earlier., or it was less severe.
Being DDOS’d via the Great Firewall of China
Distributed Denial of Service attacks flood a server with pointless requests from many computers all at once.
My logs showed requests for services and URLs that had nothing to do with my server, including an awful lot of BitTorrent URLs. Checking the geolocation of the requesting IPs showed they were all inside China. As Craig’s post covered – it looks a lot like there’s a mis-configuration with China’s state controlled firewall, and people’s normal traffic is sometimes being sent to entirely the wrong servers.
I wondered how bad my server was getting hit, as it didn’t seem to be in the same league as Craig’s:
Almost 27Mb/s out is roughly 95 times greater than normal for that server – close to two orders of magnitude increase, and I didn’t like that – I could imagine this getting worse rapidly.
Blocking China
As Craig discusses, there’s really no option but to block everyone from China. Unfortunately for me, I wasn’t using ipfw as a firewall so I couldn’t follow his advice. Having finally figured out how to do this I thought I’d write a step-by-step guide assuming you’ve not got a firewall already set up.
Few days ago, my friend’s WordPress website went down. After investigation, I have figured out that it was receiving massive amount of posts requests to the xmlrpc.php file, which brings the apache and mysql to eat up all the system resources and the website crashed. Fortunately, I have figured out the way to mitigate this attack using Fail2Ban, which I’ll share in this post.
Install the Fail2Ban package using the following command:
apt-get install fail2ban iptables
Make a local copy of jail.conf file for configuration change:
You would like to block outgoing access to particular remote host/ip or port for all or selected service/port. In this quick tutorial I will explain how to use iptables to block outgoing access.
Block Access To Outgoing IP Address
The following rule will block ip address 202.54.1.22 from making any outgoing connection:
iptables -A OUTPUT -d 202.54.1.22 -j DROP
The above will block chat server ip address or site having dangerous contains such as viruses or malware.
Block Access To Outgoing IP TCP / UDP Port Number
To block specific port number such tcp port # 5050, enter: iptables -A OUTPUT -p tcp --dport 5050 -j DROP
To block tcp port # 5050 for an IP address 192.168.1.2 only, enter: iptables -A OUTPUT -p tcp -d 192.168.1.2 --dport 5050 -j DROP
Finally, you need to save your firewall rules. Under CentOS / RHEL / Fedora Linux, enter: # /sbin/service iptables save OR # /etc/init.d/iptables save