0

I plan on buying a server soon. I'd like the server to be as secure as possible, only having POP3, SMTP, SSH and HTTP open. I know how to write an iptables script to only allow those connections and drop everything else, but I have no clue how to prevent attacks.

Are there any example scripts out there that cater for as many different attacks as possible (block and optionally log)? A script that will stop DDoS attacks (SYN floods, ICMP floods, etc.), port scans, brute-force attacks, etc. Everything (or as close to it as we can get).

Simon
  • 19
  • 2
  • You're kind of asking three questions here. 1. "Gimme iptables config" 2. "Prevent attacks" 3. "Stop DDoS, port scans, brute force, etc." The first one is answerable, the second is vague and ill-defined and the third has been answered many times both [here](http://serverfault.com/search?q=ddos) and on [Security.SE](http://security.stackexchange.com/search?q=ddos) however the answer is always expensive and difficult. – Ladadadada Mar 13 '12 at 11:46

4 Answers

3

Security is like an onion: it's made of layers. I'll list a couple of useful components.

fail2ban helps you block and log various kinds of attacks, ranging from SSH brute-force attacks to Apache attacks to spammers.

Apache's mod_security is a heavy-weight security add-on for Apache. It can deny requests from known blacklisted IP addresses, it can detect SQL injection attempts, and many, many more attacks.

Suhosin helps you to protect PHP quite a bit.

SELinux or grsecurity can provide you additional protection by hardening the OS. With those security frameworks, the damage from a vulnerability in some application might be restricted, or someone might even be prevented from getting root access.

Janne Pikkarainen
  • 31,852
  • 4
  • 58
  • 81
2

In addition to the previous suggestions, I suggest you take a look at OSSEC; it's a pretty good IDS. It blocks people trying to brute-force your server and sends you an email when there was an incident. It also tracks the hashes of certain files so you can see if something fishy was edited. I've also written a tutorial on how to use it on my blog.

Lucas Kauffman
  • 16,880
  • 9
  • 58
  • 93
1

Something like this answers your first question:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If you also want IMAP and the secure (SSL/TLS) versions of these, add these rules in as well:

iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp --dport 465 -j ACCEPT
Ladadadada
  • 26,337
  • 7
  • 59
  • 90
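A firewall script in the same spirit, added here as an example and not part of the answer above: it keeps the default-DROP policies, opens the question's four ports, throttles repeated new SSH connections with the `recent` match, and logs drops at a bounded rate. The port list and the outbound DNS/SMTP rules are my assumptions about what a mail server needs.

```shell
#!/bin/sh
# Added example (not the answer's own script): emits an iptables-restore
# ruleset for the question's four services, throttles SSH brute forcing
# and rate-limits logging. Port numbers and outbound DNS/SMTP are assumptions.
build_rules() {
    tcp_ports="25 22 80 110"   # constructed: SMTP, SSH, HTTP, POP3
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH: a 5th new connection from one source within 60s is logged and dropped
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j LOGDROP
# ping stays reachable but a flood of echo-requests falls through to LOGDROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
EOF
    for p in $tcp_ports; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    cat <<'EOF'
-A INPUT -j LOGDROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# outbound DNS and SMTP so the mail server can resolve names and deliver
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -j LOGDROP
# logging is throttled so a flood cannot fill the disk with log lines
-A LOGDROP -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "fw-drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}
# Number of inbound TCP ports opened for NEW connections (used as a sanity check).
count_open_ports() {
    build_rules | grep -c -- '^-A INPUT -p tcp --dport [0-9]* -m conntrack --ctstate NEW -j ACCEPT$'
}
if [ "${1:-}" = "--apply" ]; then
    build_rules | iptables-restore   # loads atomically; review the output first
else
    build_rules
fi
```

Run it without arguments to review the generated ruleset, then with `--apply` (as root) to load it atomically.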
0

Start somewhere like this http://wiki.centos.org/HowTos/OS_Protection and end up somewhere like this https://help.ubuntu.com/community/Security

SuperBOB
  • 460
  • 3
  • 7