Securing your server has never been easier. Here, I'll show how I set up a firewall and lock down the whole server so that nobody can access it.
iptables will be the firewall for any incoming traffic, but what do you do with the ports you might want to be open sometimes, for some people? You can use knockd, where a special sequence of connection attempts will open the port for just that IP address.
First, make a file called iptables.sh and copy the following into it.
#!/bin/sh
# Rules for the filter table, INPUT chain only. The chain policy stays ACCEPT;
# the final explicit DROP rule does the blocking.
# Start from an empty INPUT chain
iptables -F INPUT
# Keep replies to connections we started (no space after the comma, or iptables rejects the rule)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow everything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
# Allow new HTTP and HTTPS connections
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp -j ACCEPT
# Drop everything else (note: no rule for port 22; knockd adds that per IP)
iptables -A INPUT -j DROP
# Show the resulting rules with counters
iptables -L -n -v
If your server does more than just serve HTTP/HTTPS, you might want to add those ports before the DROP rule:
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport THEPORTHERE -j ACCEPT
Notice that port 22 (SSH) is not here. This means that running this script will lock SSH out. So, make a backup and keep your existing ssh connection open to avoid losing contact with your server.
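As an added example (not the author's script), here is a variant of the lockdown that refuses to run unless knockd is active and arms a timed rollback that flushes the INPUT chain unless you cancel it after confirming that knock + ssh works from a second terminal. The variable names IPT and ROLLBACK_SECS and the function names are my own; set IPT=echo to preview the commands instead of applying them.

```shell
#!/bin/sh
# Added example: lockdown with a knockd check and a timed safety rollback.
# IPT is the iptables binary (assumed path); IPT=echo prints the rules instead.
IPT="${IPT:-/sbin/iptables}"

# Print the INPUT chain rules for the given TCP ports, one command per line.
# Port 22 is deliberately absent: knockd inserts it per source IP.
build_input_rules() {
    printf '%s -F INPUT\n' "$IPT"
    # No space after the comma: "RELATED, ESTABLISHED" is rejected by iptables.
    printf '%s -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$IPT"
    printf '%s -A INPUT -i lo -j ACCEPT\n' "$IPT"
    for port in "$@"; do
        printf '%s -A INPUT -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' "$IPT" "$port"
    done
    printf '%s -A INPUT -p icmp -j ACCEPT\n' "$IPT"
    printf '%s -A INPUT -j DROP\n' "$IPT"
}

# Succeed only if knockd is running; without it, applying the rules locks SSH out.
knockd_running() {
    command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet knockd
}

# Arm a rollback: after $1 seconds the INPUT chain is flushed (policy is still
# ACCEPT, so access returns) unless the printed PID is killed first.
arm_rollback() {
    secs="$1"
    ( sleep "$secs" && "$IPT" -F INPUT ) >/dev/null 2>&1 &
    echo $!
}

# Refuse without knockd, arm the rollback, then apply the generated rules.
lockdown() {
    knockd_running || { echo "knockd is not active; refusing to lock out SSH" >&2; return 1; }
    pid=$(arm_rollback "${ROLLBACK_SECS:-120}")
    build_input_rules "$@" | sh
    echo "Rules applied. Test knock + ssh from another terminal, then run: kill $pid"
}
```

Run it as root with `lockdown 80 443`; if the knock test fails and you do nothing, the INPUT chain is flushed after the timeout and you are back in.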
After this, let's install knockd. How to do this, and where the files end up, depends on your OS. I'll assume Ubuntu-based servers; Fedora will look very similar. FreeBSD folks, yours will be in a completely different place, but I guess you'll know!
sudo apt install knockd
The default installation creates /etc/knockd.conf with some example content. Let's remove that and insert the following instead.
# Insert into /etc/knockd.conf
[options]
UseSyslog
[openSSH]
sequence = 5000,4000,6000,3000
seq_timeout = 200
command = /sbin/iptables -I INPUT 2 -s %IP% -p tcp --dport 22 -j ACCEPT && /sbin/iptables -I INPUT 2 -s %IP% -p tcp --dport 5901 -j ACCEPT
cmd_timeout = 1800
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT && /sbin/iptables -D INPUT -s %IP% -p tcp --dport 5901 -j ACCEPT
tcpflags = syn
This opens ports 22 (SSH) and 5901 (VNC) for your IP if you knock on the server by connecting to ports 5000, 4000, 6000, and 3000 in that sequence. And only that sequence. The rules are inserted at position 2 of the INPUT chain, right after the RELATED,ESTABLISHED rule and before the final DROP, and removed again after cmd_timeout (1800) seconds.
After this, let's make sure it starts on reboot by running:
systemctl enable knockd
service knockd status
reboot
and see that it runs after this. If it doesn't run, do not continue. It must run, as you won't be able to access the server without it.
If
service knockd status
shows it is running, you are good. But to be sure, let's try to enable iptables by running ./iptables.sh
BUT KEEP your existing ssh connection, as this is your lifeline to the server.
After this, let's try to connect using ssh from a different tab.
ssh root@yourIP
This should fail.
Now, let's run:
knock -d 100 yourIP 5000 4000 6000 3000
ssh root@yourIP
If this works, it means we made a successful knock to the server, and it opened up for us.
The last thing is to make the iptables rules permanent, and we can do that by adding the following line to root's crontab (cron runs it from the home directory, so use the full path if the script lives elsewhere):
@reboot ./iptables.sh
This is an inelegant way, but it works and is simple. The "modern" way to do this is by using permanent iptables, but I would rather keep the system simple.
For these and more thoughts, guides, and insights visit my blog at martinbaun.com