OSSEC HIDS

It's a pretty popular host based intrusion *detection* system

It does *not* fix intrusions, but it definitely does a good job at finding them when they happen.

You can run them together.

CSF does something entirely different. CSF manages a firewall.

Honestly, firewall rules aren't that hard for a webserver, and you really don't need a special tool for it.

660 is used for SSH, though you can change that to any port you want. I recommend against port 22. Literally any other unused port is better.

I use SSH keys, so ssh doesn't require a password, and can't be brute forced.

This is my *entire* iptables firewall ruleset. I made this by hand. You're welcome to copy it. Just make sure you make SSH function on the port you choose for SSH.


*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1329:3824279]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,660 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
COMMIT

I'll explain this, incase it doesn't make sense
Line 1 sets up the next set of lines.
Line 2 and 3 drop incoming traffic that isn't explicitly allowed.
Line 3 allows all outgoing traffic.
Line 5 drops malformed packets.
Line 6 Allows incoming traffic related to outgoing traffic
Line 7 opens ports 80, 443, and 660. 80 and 443 are used for http, and https traffic respectively. I used 660 for ssh.
Line 8 allows loopback connections.
Line 9 allows ICMP type 3.
Line 10 allows ICMP type 4. These 2 ICMP types are necessary for effective TCP traffic.
Line 11 pushes it into a functioning configuration.

If you *really* want to up the ante on your web security, I'd consider using a WAF. The fastest and by far most secure WAF out there is naxsi, though it's fairly complicated to setup.
 
Back
Top Bottom