April 28, 2015

Firewall: Iptables Chains, New Defaults & Fail2Ban

^ Ad space to help offset hosting costs :D

Iptables chains typically default to ACCEPT traffic. We'll see how to default to DROP traffic instead, and then we'll see how Iptables chains can work together to help protect your system. We'll install Fail2Ban to monitor authentication attempts, which makes use of Iptables chains.### INPUT Chain Defaults

Instead of defauling to ACCEPT traffic, we can have our INPUT chain default to DROP. This let's us delete the last rule, saying to DROP traffic that doesn't match any of the rules above it.

sudo iptables -P INPUT DROP

Then remove last line of DROP:

sudo iptables -D INPUT -j DROP

Be careful not to set your default behavior of your INPUT chain to DROP without first allowing current and/or SSH connections through! Otherwise you will be cut out of your server!

Fail2Ban, SSH and Chains

Let's learn more about chains and how they work by installing Fail2Ban.

sudo apt-get install -y fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

We enable Fail2Ban by creating a jail.local file. This is just a copy of jail.conf. By default, Fail2Ban is setup to monitor your /var/log/auth.log file for failed SSH logins. It will ban a host from accessing the server after 6 failed login attempts.

Fail2Ban makes use of Iptables to accomplish this.

Check out the IPtables:

sudo iptables -L -v

Here:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
123K 123M Fail2Ban-ssh tcp -- any any anywhere anywhere multiport dports\ ssh
292K 169M ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
... additional omitted ...

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 ... omitted ...

Chain OUTPUT (policy ACCEPT 939K packets, 2332M bytes)
 ... omitted ...

Chain Fail2Ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source     destination
1962K 1498M RETURN     all  --  any    any     anywhere   anywhere

We see a new chain Fail2Ban-ssh. This chain will be added to in order to block traffic from hosts attempting to log in over SSH.

The video explains how the Fail2Ban-ssh chain is used (note that it's referenced in the INPUT chain).

Current

Firewall: Iptables Chains, New Defaults & Fail2Ban

All Topics