Sunday, October 21, 2012

Linux Security - Am I Genius ?

This is pretty basic stuff to get started with securing Linux servers. The basic concept is to allow only the required ports and block everything else out.
I recently started working on my new personal Hosted PBX project and for that I got a new VPS. So the very first thing I wanted to do was secure my server from any hackers. My server has two interfaces: one has the public IP assigned directly to it, the other sits on a LAN IP. The only access point into my two/four server zone is this server's WAN interface (eth0).

Without wasting more time on this, here are the lines which I executed.
[root@HBPBX scripts]# iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT

Allow anything that is in the ESTABLISHED state (part of a connection already in progress), so return traffic for connections the server has already accepted or initiated is not caught by the rules below.

[root@HBPBX scripts]# iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
Silently drop incoming ICMP ping (echo-request) packets. Don't let the auto-scan bots conclude that my IP is reachable.
[root@HBPBX scripts]# iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Allow the SSH port (22) into the system.

NOTE: I highly recommend changing the default SSH port to something other than 22. This reduces brute-force dictionary attacks by 90+%. As an example, I mostly use ports 3132, 5152 or 7172 for SSH. If you do change it, the --dport in the rule above has to be changed to the new port as well, otherwise the REJECT rule at the end will lock you out.

[root@HBPBX scripts]# iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

Allow any more ports if required; HTTP port 80 in my case.
[root@HBPBX scripts]# iptables -A INPUT -i eth0 -p udp --dport 5060 -j ACCEPT
[root@HBPBX scripts]# iptables -A INPUT -i eth0 -p udp --dport 10000:40000 -j ACCEPT
Since I need to work with SIP on UDP/5060 and RTP on UDP/10000:40000, I also allowed those ports.

[root@HBPBX scripts]# iptables -A INPUT -i eth0 -j REJECT
This is the main line: reject everything else. It has to be the last rule, because iptables stops at the first matching rule, so any ACCEPT added after it for eth0 would never be reached.
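The whole ruleset from this post, assembled into a script that emits an iptables-restore file so the rules can be reviewed before they are loaded. This is an added example, not the post's own script. It assumes the same interface and ports as the post (eth0, SSH on 22, HTTP on 80, SIP on UDP/5060, RTP on UDP/10000:40000; all overridable through environment variables) and, like the post, leaves the LAN interface untouched. It goes a step beyond the post in two places: it also accepts loopback traffic and RELATED packets, and it adds a check_rules function that refuses to apply a ruleset with no catch-all or with the SSH rule placed after the catch-all, the two ways of ending up in the "Genius" category described further down.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the post's allow-list as an
# iptables-restore ruleset; the defaults below are assumptions matching the post.
WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"                   # change this if you move SSH off 22
TCP_PORTS="${TCP_PORTS:-80}"                 # extra TCP services, space-separated
UDP_PORTS="${UDP_PORTS:-5060 10000:40000}"   # SIP signalling and the RTP range

# Print one rule line. Using "$*" keeps arguments such as -A from being
# mistaken for printf/echo options.
emit() { printf '%s\n' "$*"; }

build_rules() {
    emit '*filter'
    emit ':INPUT ACCEPT [0:0]'      # policy stays ACCEPT, as in the post: the
    emit ':FORWARD DROP [0:0]'      # REJECT rule below does the blocking on eth0
    emit ':OUTPUT ACCEPT [0:0]'
    # Beyond the post: loopback, and RELATED (e.g. ICMP errors for our own flows).
    emit -A INPUT -i lo -j ACCEPT
    emit -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    emit -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
    emit -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -j ACCEPT
    for p in $TCP_PORTS; do
        emit -A INPUT -i "$WAN_IF" -p tcp --dport "$p" -j ACCEPT
    done
    for p in $UDP_PORTS; do
        emit -A INPUT -i "$WAN_IF" -p udp --dport "$p" -j ACCEPT
    done
    # The catch-all stays last: iptables takes the first match, so anything
    # appended after it for eth0 would never be reached.
    emit -A INPUT -i "$WAN_IF" -j REJECT
    emit 'COMMIT'
}

# Reads a ruleset on stdin and refuses the two "Genius" outcomes: no catch-all
# (server wide open) or a catch-all before the SSH rule (locked out on reload).
check_rules() {
    rules=$(cat)
    ssh_line=$(printf '%s\n' "$rules" | grep -n -- "-p tcp --dport $SSH_PORT -j ACCEPT" | cut -d: -f1 | head -n 1)
    reject_line=$(printf '%s\n' "$rules" | grep -n -- "-j REJECT" | cut -d: -f1 | tail -n 1)
    if [ -z "$reject_line" ]; then
        echo "check_rules: no catch-all REJECT, everything else would be allowed" >&2
        return 1
    fi
    if [ -z "$ssh_line" ] || [ "$ssh_line" -gt "$reject_line" ]; then
        echo "check_rules: SSH allow rule missing or placed after the catch-all" >&2
        return 1
    fi
    return 0
}

# Usage: sh firewall.sh           print the ruleset for review
#        sh firewall.sh --apply   validate, then load it atomically (needs root)
case "${1:-}" in
    --apply) build_rules | check_rules && build_rules | iptables-restore ;;
    *)       build_rules ;;
esac
```

Loading the rules through iptables-restore replaces the whole table in one step, so a reload never passes through a half-built state where the REJECT rule is in place but the ACCEPT rules are not. Run it without arguments first and read the output; the catch-all must be the last -A INPUT line and the SSH rule must appear above it.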

Security is a huge, HUGE domain in itself and by no means have I done justice to the topic here. Many things are left out which need attention before a server can be considered reasonably secure.

To Be or Not to Be a "Genius"

Make sure you don't fall into the "Genius" category like the following.

Not protecting the server at all. Top of the charts Genius.

Or someone like this: totally blocking everything and hence losing all access.

I'd rather be somewhat Genius and suggest something like this for myself:

Hope you guys enjoyed this quick blog.
