Naib (Watchman)
Joined: 21 May 2004 Posts: 6069 Location: Removed by Neddy
Posted: Mon May 04, 2015 2:46 pm Post subject: ufw, firehol or iptables
For quite some time I relied on tcpwrapper to "protect" my box against attack - it sits behind a router that exposes http and sshd.
sshd dropped support for tcpd and thus the prospect of a firewall rose again.
So what to use?
ufw? firewall for dummies? nothing wrong with that as it is simple and (sort of) just works
firehol? scripting language on top of iptables that attempts to unobtrusify iptables - I used to use this
iptables?
I sort of have an iptables setup that interacts with fail2ban (I have tested it) but the issue is well... not fully sure about what it does
_________________
#define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio.h>
HelloWorld Int {
Return("Hello, world!\n");
Print 0;
}
thoughtform (l33t)
Joined: 24 May 2004 Posts: 600
Posted: Tue May 05, 2015 10:31 pm Post subject:
I personally love iptables + fail2ban.
I'm no iptables expert but I've found it helpful to verify your fail2ban setup is working by issuing this command as root:
iptables -L -v -n
If you see some IP addresses banned under a chain named f2b-* or fail2ban-*, then you're somewhat protected.
szatox (Advocate)
Joined: 27 Aug 2013 Posts: 3491
Posted: Wed May 06, 2015 8:06 pm Post subject:
I've been simply using a block-all-except-what-I-explicitly-want-to-receive iptables set + public key login to ssh. I suppose disabling password login (and direct root login) provides sufficient protection against dictionary and bf attacks even with extremely weak passwords.
Blocking rogue traffic completely can of course reduce bandwidth usage slightly, but roughly 1-2 dozen thousand attempts every day wasn't even noticeable traffic.
Not like I was against f2b. I just didn't find it necessary for me. Your mileage might vary.
Obvious downside is you need to carry your key with you, but do you ever use someone else's device to connect?
Also if you trust those devices with your password, why not trust them with your key?
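A concrete form of the default-deny ruleset szatox describes, together with thoughtform's fail2ban check turned into something scriptable, as an added example: this is not code from any poster in this thread. It assumes a host like Naib's that exposes only sshd and http behind a router; the port numbers, the conntrack-based rules and the sample `iptables -S` lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. gen_rules emits a default-deny IPv4
# ruleset in iptables-restore syntax; nothing is applied until you pipe it
# into iptables-restore as root. Ports default to the constructed values 22/80.
gen_rules() {
    ssh_port="${1:-22}"
    http_port="${2:-80}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, and already-accepted inbound sessions
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets claiming to belong to a connection the kernel never saw
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the two services exposed on purpose: new connections only, everything else is tracked above
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${http_port} -m conntrack --ctstate NEW -j ACCEPT
# rate-limited echo requests so reachability checks still work
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/second -j ACCEPT
# anything not matched above falls through to the INPUT policy (DROP)
COMMIT
EOF
}

# thoughtform's check, automated: count the addresses currently banned in
# fail2ban's own chains. Reads `iptables -S` style output from stdin; the -S
# form is one rule per line and easier to parse than `iptables -L -v -n`.
count_f2b_bans() {
    grep -E '^-A (f2b|fail2ban)-[^ ]+ -s [0-9.]+(/[0-9]+)? -j (REJECT|DROP)' | wc -l | tr -d ' '
}

# Constructed sample of `iptables -S` output with an sshd jail holding two bans.
# Addresses are from the documentation ranges, not real hosts.
SAMPLE_RULES='-P INPUT DROP
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 198.51.100.42/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# Usage, as root:   gen_rules 22 80 | iptables-restore
# Verify bans:      iptables -S | count_f2b_bans
# Offline demo against the constructed sample:
printf '%s\n' "$SAMPLE_RULES" | count_f2b_bans
```

The INPUT policy is DROP rather than a trailing DROP rule, so a mistake that leaves a rule out fails closed. fail2ban inserts its own `f2b-*` chain and a jump to it at the top of INPUT when it starts, so it coexists with this set without edits; `count_f2b_bans` returns 0 when no jail is active, which is the case to investigate.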
NeddySeagoon (Administrator)
Joined: 05 Jul 2003 Posts: 54808 Location: 56N 3W
Posted: Wed May 06, 2015 8:30 pm Post subject:
Naib,
shorewall is a good iptables rule generator but it may be overkill for what you want.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.