Gathered security tips | FWCloud Forum

Gathered security tips

ukro

Member
Greetings everyone,
i would like to use this form to gather interesting security rules for security purpose. I would like to have it in one place.
Anybody who have something to share please do, will update this post.If i have some errors please comment.
Interesting apps/apis for security:
1.https://github.com/tower9/hostblock
2.https://github.com/mrash/psad
3.https://www.abuseipdb.com/
4.https://www.fail2ban.org/

Rules
#1-Spoofing (https://security.stackexchange.com/questions/146432/iptables-rules-to-prevent-ip-spoofing)
iptables -N spoofing
iptables -I spoofing -j LOG --log-prefix "Spoofed source IP"
iptables -I spoofing -j DROP
iptables -A INPUT -s 255.0.0.0/8 -j spoofing
iptables -A INPUT -s 0.0.0.8/8 -j spoofing

#2-interesting security rules (https://sharadchhetri.com/how-to-pr...and-smurf-attack-in-linux-server-by-iptables/)
### DROPspoofing packets
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

#for SMURF attack protection
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

# Droping all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# flooding of RST packets, smurf attack Rejection
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Protecting portscans
# Attacking IP will be locked for 24 hours (3600 x 24 = 86400 Seconds)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Remove attacking IP after 24 hours
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
Port to protect: 139
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# Allow the following ports through from outside
#iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow ping means ICMP port is open (If you do not want ping replace ACCEPT with DROP)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

#3-Old but interesting (https://www.techrepublic.com/blog/10-things/10-iptables-rules-to-help-secure-your-linux-box/)
Block DDOS attack on specific port
Port to protect: 25
iptables -A INPUT -p tcp --syn --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

Catch drop portscans doesnt remove after time.
iptables -N port-scan
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A port-scan -j DROP

#4-Spoof ip protection settings (https://quickpacket.com/billing/knowledgebase/17/How-to-protect-your-network-from-IP-spoofing.html)
Strict mode – the router confirms whether the source address is reachable through the interface on which the packet is received
nano /etc/sysctl.conf
net.ipv4.conf.default.rp_filter=1
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0

#5-sysctl security settings (https://www.techrepublic.com/article/how-to-properly-secure-sysctl-on-linux)

#6-secure nginx web server (https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html)
 
Last edited:

Carles Munyoz

Administrator
Staff member
Hi,
It is a great idea, thank you!

At this moment you can add these security blocks manually by means of the hook scripts feature. But for simplicity we will add a new section in the firewall setup for manage these security options and generate special rules for them.

I think we can add fail2ban too to the list of extra security features.

We will generate a new issue about it in the FWCloud projects.
 

Carles Munyoz

Administrator
Staff member
I'm sorry but not at this moment.
We want create a new section in our website for it.

FYI, at this moment we are working in these main feature that will be available soon in next releases:
- Docker, CrowdSec and Fail2Ban compatibility.
- 2FA.
- FWCloud SaaS.
- Audit logs.
 

Carles Munyoz

Administrator
Staff member
Hi again,
Do you know about the FWCloud hook scripts feature?
You can see here a video tutorial about it.

Maybe you can use this feature for apply GEO restrictions until we have it implemented into FWCloud.
 
Top