When you have a server that is accessible from the public internet, you need to make it secure. There are all kinds of threats out there looking for ways to get into your system and take it over. In this page I will describe what I have done to try and protect my system.
Filtering network traffic
Since kernel 2.4, Linux has had a built-in packet filter (the netfilter framework, with ip_tables as its filtering module). It holds rule sets that are applied to every packet passing through the host: each packet is matched against the rules in order and accepted, dropped or rejected accordingly.
The utility iptables is the userspace command line program used to configure the Linux 2.4.x and later packet filtering ruleset. It is targeted towards system administrators. You can check whether it is present on your system by giving this command:
sudo apt list iptables
This will tell you the version information, if it is installed. This is what it says on my system:
iptables/stable,now 1.6.0+snapshot20161117-6 amd64 [installed]
On my system, Debian 9, it came preinstalled. If it’s not, you can of course install it by using:
sudo apt install iptables
Configuring a firewall
Making the packet filter do what you want (configuring it) is a complicated matter with iptables though: rules are matched in order, so a rule in the wrong place can silently leave a port open or lock you out of your own ssh session. There’s another program that can make this job much easier for us.
ufw, the Uncomplicated Firewall
I believe ufw did not come preinstalled on Debian, so we have to install it ourselves. Just check:
sudo apt list ufw
Information about ufw and how to install it can be found here on the Debian wiki.
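As an added example (not the setup from this page or from the ufw project), here is the kind of baseline I would give a public web server that also runs sshd. It assumes sshd listens on port 22 (overridable through SSH_PORT) and that the site is served on 80 and 443; it prints the ufw commands by default so they can be reviewed, and only executes them when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not the page author's setup: a minimal ufw baseline for a
# public web server that also runs sshd. Assumptions: sshd listens on
# SSH_PORT (default 22) and the site is served on 80/443.
# By default the script only prints the ufw commands so you can review them;
# run it as root with APPLY=1 to execute them.

SSH_PORT="${SSH_PORT:-22}"

# run: print the command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# ufw_baseline: deny everything inbound, allow outbound, then open only what
# the server needs. Allow ssh BEFORE enabling, or a remote session is cut off.
ufw_baseline() {
    run ufw default deny incoming
    run ufw default allow outgoing
    # 'limit' opens the port but rate-limits it: ufw denies a source that
    # starts 6 or more new connections within 30 seconds, which blunts ssh
    # brute force even before fail2ban looks at the logs.
    run ufw limit "${SSH_PORT}/tcp"
    run ufw allow 80/tcp
    run ufw allow 443/tcp
    # --force skips the "may disrupt existing ssh connections" prompt.
    run ufw --force enable
}

ufw_baseline
```

The order matters: ufw evaluates rules first match wins, and `ufw enable` takes effect immediately, so the ssh rule must be in place before you enable the firewall on a machine you are logged into remotely. Afterwards `sudo ufw status verbose` shows the active rules and the default policies.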
Now, having a firewall is not all. As you probably know there are people out there trying to break into (hack) your system. We do not want them to succeed, at least I don’t… When we detect malicious behavior, ideally we would want to block these people. Fortunately there is a wealth of utilities that can help us with that. The one I chose is fail2ban.
Now this is a cool utility that reads the log files and can detect this malicious behavior we spoke of. It can, as the name already indicates, ban IP addresses from which brute force hack attempts are performed for a specified amount of time.
There is enough information on fail2ban on the internet, the information I used to install and configure it is this page, by my hosting provider.
I configured fail2ban to watch the services behind the open ports and protocols and to block IPs that show repeated offenses. It comes with a number of useful standard filters for login and email protection.
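To make "repeated offenses" concrete, here is an added example (not code from this page or from fail2ban) that reproduces with awk what fail2ban's sshd jail does: match failed-login lines, count them per source IP, and hand every source that reaches maxretry to the ban action. The log lines are constructed for the example, and the exact command string of fail2ban's ufw action is an assumption (check /etc/fail2ban/action.d/ufw.conf on your system).

```shell
#!/bin/sh
# Added example, not from the page or from fail2ban itself: the core of what
# a fail2ban jail does, written out so the ban logic is visible.
# A real deployment uses fail2ban; this is only to understand it.

# Constructed sshd lines in the OpenSSH auth.log format. 203.0.113.5 fails
# three times, 198.51.100.9 once, and 198.51.100.7 logs in legitimately.
SAMPLE_LOG='Mar  3 10:15:01 web sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:04 web sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:08 web sshd[2213]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:15:09 web sshd[2215]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 10:15:12 web sshd[2216]: Failed password for invalid user test from 198.51.100.9 port 40100 ssh2'

# Same meaning as fail2ban's maxretry. (fail2ban additionally only counts
# failures inside a findtime window; this simplified version counts them all.)
MAXRETRY="${MAXRETRY:-3}"

# offenders: print each source IP with at least MAXRETRY failed logins.
# The pattern plays the role of the jail's failregex; fail2ban's real sshd
# filter matches more variants than this one.
offenders() {
    printf '%s\n' "$SAMPLE_LOG" |
    awk -v max="$MAXRETRY" '
        /sshd.*Failed password for .* from / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= max) print ip }
    '
}

# ban_command: the command fail2ban's ufw action runs for a banned IP
# (assumption about the exact string; see action.d/ufw.conf).
ban_command() {
    printf 'ufw insert 1 deny from %s to any\n' "$1"
}

for ip in $(offenders); do
    ban_command "$ip"
done
```

In fail2ban itself the same behaviour is configured rather than scripted: an `[sshd]` section in /etc/fail2ban/jail.local with `enabled = true`, `maxretry = 3`, `findtime = 10m`, `bantime = 1h` and `banaction = ufw` makes fail2ban insert a deny rule at the top of the ufw ruleset for the offending address and remove it again when the ban expires. Before relying on a filter, run `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf` to see which lines it actually matches.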
What wasn’t packaged by default was protection for the WordPress website I’m hosting, so I had to install that separately. There is a WP plugin called WPf2b that comes with a couple of fail2ban filters. Find more info about installation and configuration here. The plugin detects events such as failed WordPress logins and writes them to the system log files, where they can be picked up and acted upon by fail2ban.