Best Firewall
The Ubuntu Server Guide tells me it is ufw - Uncomplicated Firewall.
The book Beginning Ubuntu Server Administration tells me it's NetFilter.
The name Shorewall appears many times throughout these forums.
Someone told me that there's nothing more powerful than Iptables.
I'm a bit lost.
Also, scanning my Linode IP with NMAP returns 1467 ports closed, 46 ports filtered, and one port open (22/ssh). It's a brand new Linode. Should I be concerned about the filtered ones?
Thanks a lot.
16 Replies
I'm not sure what "Netfilter" you're referencing; the only one I know is the BSD packet filtering system, equivalent to iptables.
I've used Shorewall in the past, and for complicated setups, it works, but it's probably overkill for a single linode. In particular, the many different configuration files can be confusing. Don't know about the others you mention, but to help, I'll suggest another one: firehol. Easy config, good docs.
There's a case to be made that a linode doesn't actually need a firewall, since you can control which ports are listened on, and usually there's no other system involved. But there's nothing wrong with an extra layer.
@SteveG:
> There's a case to be made that a linode doesn't actually need a firewall, since you can control which ports are listened on, and usually there's no other system involved. But there's nothing wrong with an extra layer.
Having a firewall means you have to make two mistakes to expose your Linode to the bad guys. Also, I use one to restrict some inbound ports to specific source addresses - ssh only from home and work, etc.
Firehol: easy to use, gets the job done.
Shorewall: more versatile, more complicated; learn it on your Linode, use it for more complex situations elsewhere. This is what I use, on Linode and everywhere else.
Thanks for your explanations.
After reading your suggestions I googled a bit more on the subject and here are some conclusions:
Netfilter is not a firewall; it is "the packet filter facility built into the 2.4 and later Linux kernels", which means that when we use the iptables command we are defining rules for Netfilter to handle.
As Jay said, all firewalls one can find are "interfaces" to "create rules for the packet filtering (both inbound and outbound)".
Firehol is maintained by the Debian Linux group and the last release was in May 2007 (which seems a long time for a firewall application).
ufw, uncomplicated firewall, is an Ubuntu project to "create a tool for host-based iptables firewall configuration. This tool should provide an easy to use interface to the user, as well as support package integration and dynamic-detection of open ports."
Shorewall seems to have no downsides.
Given this, I'll start by using the iptables command since it's installed by default and offers all the options available. If it's too complicated for me, I'll move to Shorewall.
Good luck with iptables. Just for comparison, on my linode:
# iptables -L | grep -vE '^Chain |^target |^$' | wc -l
113
# grep -vE '^#|^$' firehol.conf | wc -l
21
(The greps remove all the noise lines - comments, headers, blanks.)
So the iptables effort is about 5-6 times. Not to mention that the firehol.conf commands are along the lines of "server http accept" and the iptables commands … aren't. I'd really urge you to step up to a higher level than direct iptables. It's easy to make a mistake that bypasses your protections, and difficult to debug. If firehol doesn't suit, that's fine. Shorewall is a great product, just overkill for my tastes and current needs. Coding iptables directly is like coding assembler: sure, it's the most powerful, flexible choice, and sometimes it's the only way to get the job done. But do you really want to bet you can get it right the first time, every time?
Your post made me think twice (mainly the "wc" commands which are far above my knowledge, but I get the point).
After reading a bit more about iptables I got a bit concerned about being locked out, something that doesn't happen when using an "interface".
From the book Beginning Ubuntu Server Administration:
"Do note, however, that the policy (using the iptables command) will become effective immediately, so, if you are configuring your firewall from an external connection, you will be locked out immediately."
And this will be my first server setup, I'm still a noob! So I reconsidered and I'll try ufw: it's a brand new solution with a big community behind it, it seems to be even simpler than Firehol and it's the "supported" Ubuntu Firewall. I can even follow the Ubuntu Server Guide.
Thanks a lot.
Just one further question: imagine that I want to restrict the ssh access to 3 attempts (after entering 3 wrong pass-phrases the ssh service should shut down, wait 1 hour and then restart allowing another 3 attempts). How can I achieve this? Is it related to the firewall? Am I being paranoid?
With regard to the ssh server, no, I don't think you are being paranoid. I would suggest looking at fail2ban or another similar program that will help monitor undesirable activity and take the appropriate action. On all of my servers fail2ban is set up to monitor the ssh server log and after three failed attempts will ban the source ip for a day.
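The policy asked about above (three failed sshd logins, then block that source for an hour), replayed over sample auth-log lines. This is an added illustration of what fail2ban/sshguard automate, not fail2ban's own code; the log lines, hostname and the year are constructed.

```python
# Model of the ban policy discussed above (3 failed sshd logins -> block that
# source for an hour). Added illustration of the fail2ban idea, not fail2ban's
# code; the log lines below are constructed samples.
import re
from datetime import datetime, timedelta

# sshd auth line as syslog writes it (no year), e.g.
# "Jan 10 12:00:01 linode sshd[1001]: Failed password for root from 203.0.113.5 port 4242 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")
MAX_TRIES, BAN_TIME, YEAR = 3, timedelta(hours=1), 2010   # YEAR assumed: syslog has none

def parse_ts(s):
    return datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")

def compute_bans(lines, max_tries=MAX_TRIES, ban_time=BAN_TIME):
    """Replay auth log lines; return [(ip, ban_start, ban_end), ...] in order."""
    failures, banned_until, bans = {}, {}, []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                      # accepted logins, other daemons: ignore
        ts, ip = parse_ts(m.group("ts")), m.group("ip")
        if ip in banned_until:
            if ts < banned_until[ip]:
                continue                  # still blocked; the firewall should be dropping these
            del banned_until[ip]          # ban expired: start counting afresh
        failures[ip] = failures.get(ip, 0) + 1
        if failures[ip] >= max_tries:
            banned_until[ip] = ts + ban_time
            bans.append((ip, ts, ts + ban_time))
            failures[ip] = 0
    return bans

SAMPLE_LOG = [  # constructed; 203.0.113.5 and 198.51.100.7 are documentation addresses
    "Jan 10 12:00:01 linode sshd[1001]: Failed password for root from 203.0.113.5 port 4242 ssh2",
    "Jan 10 12:00:05 linode sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2",
    "Jan 10 12:00:09 linode sshd[1002]: Accepted publickey for deploy from 198.51.100.7 port 5000 ssh2",
    "Jan 10 12:00:12 linode sshd[1003]: Failed password for root from 203.0.113.5 port 4244 ssh2",
    "Jan 10 12:30:00 linode sshd[1004]: Failed password for root from 203.0.113.5 port 4245 ssh2",
    "Jan 10 12:31:00 linode sshd[1005]: Failed password for root from 198.51.100.7 port 5001 ssh2",
    "Jan 10 13:10:00 linode sshd[1006]: Failed password for root from 203.0.113.5 port 4246 ssh2",
]

if __name__ == "__main__":
    for ip, start, end in compute_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Only the third failure from 203.0.113.5 triggers a ban; the attempt at 12:30 falls inside it and is ignored, and the one at 13:10 starts a fresh count.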
To generate a simple iptables ruleset, you can use any number of the available Web generators. I really like this one:
Once you have your ruleset, just activate it with:
iptables-restore < /path/to/ruleset
Now that you have a firewall blocking everything but ssh, http, whatever, add sshguard:
I use Gentoo, so it was a simple matter of:
echo "app-admin/sshguard ~x86" >> /etc/portage/package.keywords
emerge sshguard
Once you have the binary installed, adjust syslog-ng.conf (or use the tail method). Again, on Gentoo, it's simply adding this to /etc/syslog-ng/syslog-ng.conf:
destination sshguardproc {
    program("/usr/sbin/sshguard"
        template("$DATE $FULLHOST $MESSAGE\n"));
};
filter f_sshlogs { facility(auth, authpriv) and match("sshd"); }; # for sshguard
log { source(src); filter(f_sshlogs); destination(sshguardproc); };
Final step is to add the sshguard chain and rule to your iptables ruleset, then import it with iptables-restore.
Here's my ruleset, for example:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
:REJECT-PKT - [0:0]
:SYN-FLOOD - [0:0]
######################################################################
# Allow all loopback interface traffic
-A INPUT -i lo -j ACCEPT
# Block all attempts to spoof the loopback address
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -d 127.0.0.0/8 -j DROP
# Block all attempts to spoof the local IP address
-A INPUT -s 64.22.124.206 -j DROP
# Block Syn Flood attacks
-A INPUT -p tcp -m tcp --syn -j SYN-FLOOD
# Ensure that TCP connections start with syn packets
-A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
# Allow session continuation traffic
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Pass ssh traffic to sshguard for processing
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
# Allow selected TCP/IP and/or UDP services
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Block all other TCP/IP and UDP traffic
-A INPUT -j REJECT-PKT
######################################################################
# Syn flood filtering chain
-A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
-A SYN-FLOOD -j DROP
######################################################################
# Chain used to reject all TCP/IP, UDP and ICMP/PING packets
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable
COMMIT
(With exception for my own tweaking, credit for this ruleset goes to
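A few static checks a practitioner would run over an iptables-save ruleset like the one above before loading it: every jump target exists, INPUT ends in a default deny, and the sshguard jump sits before the port-22 ACCEPT (the ordering problem the ufw post further down runs into). This is an added example, not the poster's code; SAMPLE is a constructed, shortened copy of the ruleset above.

```python
# Static sanity checks over an iptables-save ruleset like the one above (added
# example, not the poster's code; SAMPLE is a constructed, shortened copy of it).
import shlex

SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:sshguard - [0:0]
:REJECT-PKT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT-PKT
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
COMMIT
"""
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}

def parse(text):
    """Split into chain policies (':CHAIN POLICY') and rules ('-A ...' as token lists)."""
    policies = dict(l[1:].split()[:2] for l in text.splitlines() if l.startswith(":"))
    rules = [shlex.split(l) for l in text.splitlines() if l.startswith("-A")]
    return policies, rules   # comments, *table and COMMIT lines are skipped

def opt(tokens, flag):
    """Value following a flag, e.g. opt(rule, '--dport') -> '22'; None if absent."""
    i = tokens.index(flag) + 1 if flag in tokens else len(tokens)
    return tokens[i] if i < len(tokens) else None

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    policies, rules = parse(text)
    findings = []
    # 1. every jump must go to a built-in target or a declared chain
    for r in rules:
        t = opt(r, "-j")
        if t not in BUILTIN_TARGETS and t not in policies:
            findings.append(f"jump to undefined chain {t}")
    # 2. INPUT must end in default deny: a DROP/REJECT policy, or an unconditional last rule
    inputs = [r for r in rules if r[1] == "INPUT"]
    last = inputs[-1] if inputs else []
    catch_all = len(last) == 4 and opt(last, "-j") != "ACCEPT"
    if policies.get("INPUT") == "ACCEPT" and not catch_all:
        findings.append("INPUT policy is ACCEPT and no final catch-all rule: default allow")
    # 3. the sshguard jump must precede the port-22 ACCEPT, or it never sees a packet
    ssh = [opt(r, "-j") for r in inputs if opt(r, "--dport") == "22"]
    if {"ACCEPT", "sshguard"} <= set(ssh) and ssh.index("sshguard") > ssh.index("ACCEPT"):
        findings.append("port 22 ACCEPT precedes sshguard jump: brute-force blocking never runs")
    return findings
```

Run audit() over the output of iptables-save (or over a generated ruleset) before handing it to iptables-restore; an empty list is the expected result.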
> I fail to see how using an external ip tables rule generator is different than using a local one
Because one requires you install software, and one doesn't, and the original poster commented:
> I'll start by using the iptables command since it's installed by default and offers all the options available.
That's it. I agree that "whatever floats your boat" is best route… my post was more about sshguard.
@SteveG:
> There's a case to be made that a linode doesn't actually need a firewall, since you can control which ports are listened on, and usually there's no other system involved. But there's nothing wrong with an extra layer.
Are you saying that all the distros Linode has available have ports closed by default (like Ubuntu's default distro), or that Linode has a tool to allow/disallow ports on a lower layer? If the latter, where's that tool available?
If the former, never mind.
<code>PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
119/tcp open nntp
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
4713/tcp open unknown
6600/tcp open unknown
43651/tcp open unknown
46087/tcp open unknown
55671/tcp open unknown</code>
All of those represent servers I explicitly installed: SSH, Apache, Postfix, NFS, Samba, PulseAudio (4713), and MPD (6600). (The three high ports are NFS related, assigned by rpcbind.) Since, presumably, you'd open holes in the firewall for the servers you have installed, one can argue you don't need a firewall.
OTOH, I've come to the conclusion you can't go wrong with an extra layer. It helps you avoid accidentally exposing a service you haven't yet configured. If someone manages to exploit apache and install a botnet, the firewall keeps them from controlling it. So I recommend going ahead and installing a firewall.
I think I will follow your lead as well.
@SteveG:
> I'm not sure what "Netfilter" you're referencing; the only one I know is the BSD packet filtering system, equivalent to iptables.
Technically, "netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack."
Older user documents tend to use it instead of the term "iptables".
If you are using ufw on ubuntu, configuring sshguard is not as straightforward (at least for a noob such as myself).
I partially used dfelicia's solution above (for the syslog-ng configuration). Then, I had to go in and add the following in /etc/ufw/before.rules:
# sshguard rules
# first setup a new chain for sshguard
# then setup a rule for before-input to redirect to sshguard
-N sshguard
-A ufw-before-input -p tcp --dport 22 -j sshguard
I also had to do this fairly up-top in the file (I placed mine just after the loopback rules at the top).
I tried putting these lines in the /var/lib/ufw/user.rules file but this did not block as I expected since I believe the ufw-before-input had a more generic iptables rule.
If anyone has a better way of configuring this, please let me know. Otherwise, I hope this helps others!
Get fwbuilder, which would allow you to administer your iptables rules visually and upload them to your remote server via ssh.
- George