Iptables chains typically default to ACCEPT traffic. We'll see how to default to DROP traffic instead, and then we'll see how Iptables chains can work together to help protect your system. We'll install Fail2Ban, which monitors authentication attempts and makes use of Iptables chains to block offenders.

### INPUT Chain Defaults
Instead of defaulting to ACCEPT traffic, we can have our INPUT chain default to DROP. This lets us delete the last rule, the one saying to DROP any traffic that doesn't match the rules above it.

```
sudo iptables -P INPUT DROP
```

Then remove the trailing DROP rule:

```
sudo iptables -D INPUT -j DROP
```

Be careful not to set the default behavior of your INPUT chain to DROP without first allowing current and/or SSH connections through! Otherwise you will be locked out of your server!
### Fail2Ban, SSH and Chains
Let's learn more about chains and how they work by installing Fail2Ban.

```
sudo apt-get install -y fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

We enable Fail2Ban by creating a `jail.local` file. This is just a copy of `jail.conf`. By default, Fail2Ban is set up to monitor your `/var/log/auth.log` file for failed SSH logins. It will ban a host from accessing the server after 6 failed login attempts.

Fail2Ban makes use of Iptables to accomplish this.
Check out the Iptables rules:

```
sudo iptables -L -v
```

Here is the output:

```
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target       prot opt in  out source    destination
 123K  123M Fail2Ban-ssh tcp  --  any any anywhere  anywhere     multiport dports ssh
 292K  169M ACCEPT       tcp  --  any any anywhere  anywhere     tcp dpt:http
... additional omitted ...

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
... omitted ...

Chain OUTPUT (policy ACCEPT 939K packets, 2332M bytes)
... omitted ...

Chain Fail2Ban-ssh (1 references)
 pkts bytes target       prot opt in  out source    destination
1962K 1498M RETURN       all  --  any any anywhere  anywhere
```
We see a new chain, `Fail2Ban-ssh`. Rules will be added to this chain in order to block traffic from hosts repeatedly failing to log in over SSH; traffic from everyone else falls through to the final RETURN rule and continues down the INPUT chain.

The video explains how the `Fail2Ban-ssh` chain is used (note that it's referenced in the INPUT chain via the jump rule on the `multiport dports ssh` line).
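As an added example (not part of the original post or of Fail2Ban itself), the script below parses `iptables -L -v` output like the listing above into chains and rules, then answers the two questions this section raises: does INPUT still admit SSH before a catch-all DROP rule or DROP policy would refuse it, and which hosts has Fail2Ban inserted ahead of the `Fail2Ban-ssh` chain's final RETURN? The sample listing is constructed: it switches INPUT to a DROP policy and adds one banned host (198.51.100.23, a documentation address); the check only inspects INPUT's own rules and does not follow jumps.

```python
import re

# Constructed sample of `sudo iptables -L -v` output, modelled on the listing
# above, with INPUT defaulting to DROP and one banned host in Fail2Ban-ssh.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 123K  123M Fail2Ban-ssh  tcp  --  any    any     anywhere             anywhere             multiport dports ssh
  10K  800K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh

Chain Fail2Ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DROP       all  --  any    any     198.51.100.23        anywhere
1962K 1498M RETURN     all  --  any    any     anywhere             anywhere
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)")

def parse_listing(text):
    """Map chain name -> {"policy", "refs", "rules"} from `iptables -L -v` text."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = chains[name] = {"policy": policy, "refs": int(refs or 0), "rules": []}
            continue
        cols = line.split()
        if current is None or not cols or cols[0] == "pkts":
            continue  # blank line or column header
        # columns: pkts bytes target prot opt in out source destination [match ...]
        current["rules"].append({"target": cols[2], "source": cols[7],
                                 "match": " ".join(cols[9:])})
    return chains

def ssh_reachable(chains):
    """True unless SSH would hit a catch-all DROP (rule or policy) before an ACCEPT."""
    for r in chains["INPUT"]["rules"]:
        if r["target"] == "ACCEPT" and "dpt:ssh" in r["match"]:
            return True
        if r["target"] == "DROP" and r["source"] == "anywhere" and not r["match"]:
            return False  # the trailing catch-all DROP rule is reached first
    return chains["INPUT"]["policy"] != "DROP"  # fell through to the chain policy

def banned_hosts(chains, chain="Fail2Ban-ssh"):
    """Sources Fail2Ban has inserted ahead of the chain's final RETURN."""
    return [r["source"] for r in chains.get(chain, {"rules": []})["rules"]
            if r["target"] in ("DROP", "REJECT") and r["source"] != "anywhere"]
```

Run it against `sudo iptables -L -v -n` on a real host (the `-n` keeps sources as IP addresses rather than resolved names) before switching the INPUT policy to DROP.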