Thank God For Firewalls

[Anthony Parsons]

I was looking at my denied IP's today, having to fix a user who got caught due to unsuccessful login attempts. Looking at the list of attempted SSH logins, OMFG... China, Russia, Korea, etc etc. I assume hacking programs constantly sniffing the web for insecure logins?

I remember getting hosting years ago, where config firewall had to be asked for installation. Funnily enough, when I got my recent dedi via ServInt, config firewall came pre-installed and running this time around.

 

[Ghan_04]

This is why I move SSH off of port 22. Automated scripts have a hard time finding SSH on a high level port to try brute forcing a login.

 

[Floren]

Ya, first thing I do when I setup a box is change the SSH port and install Selinux.
I hear a lot of people complaining about Selinux, I never had a problem with it. If you want to really secure your ssh login, just use a two-step authentication. There is no way anyone can hack into your box, once you implement it.

 

[yavuz]

Might worth mentioning ConfigServer Security & Firewall if you have WHM which comes with a bundle of must have security addons and features. Mod security is also proven to be effective when setup properly.

 

[Floren]

Might worth mentioning ConfigServer Security & Firewall if you have WHM which comes with a bundle of must have security addons and features. Mod security is also proven to be effective when setup properly.

Interesting, I never used that firewall. How do you find it compared to Selinux?
I think the major security issues we all have rely on web based attacks, i.e XSS/SQL injections,RFI, uploads, evading etc. I'm working as we speak on Nginx packages that include Naxsi firewall, which is designed to effectively eliminate all those issues. The Redhat/CentOS6 RPM packages are finalized, I'm almost done with the Redhat/CentOS5 ones which are a real pester due to enormous number of missing libraries.

Here it is a nice Naxsi graph showing the possible attacks blocked on a default XenForo forum:

 

[Will]

CSF is good. Have used it for a couple years now and haven't had any issues. Never tried Selinux though so I don't how it compares.

 

[yavuz]

Interesting, I never used that firewall. How do you find it compared to Selinux?
I think the major security issues we all have rely on web based attacks, i.e XSS/SQL injections,RFI, uploads, evading etc. I'm working as we speak on Nginx packages that include Naxsi firewall, which is designed to effectively eliminate all those issues. The Redhat/CentOS6 RPM packages are finalized, I'm almost done with the Redhat/CentOS5 ones which are a real pester due to enormous number of missing libraries.

Here it is a nice Naxsi graph showing the possible attacks blocked on a default XenForo forum:

View attachment 31932

It has its own fireall rules but also works integrated with mod_security - if you choose to activate it - so it detects web based attacks successfully. I'm stuned how much http based attacks our server gets; automated scripts, login attempts, sql injections.... A server admin's must have if I might say so. There are a lot of detailed statistics, php hardening suggestions a lot of firewall configuration options that can be viewed from it's panel I'm away at the moment from my PC. I'll post some screenshots when possible.

 

[Anthony Parsons]

Config firewall is excellent... hence my opening post, as it catches all attempts automatically for me, instantly banning the IP.

 

[Naatan]

ServInt is awesome But the SSH attempts happen everywhere. I don't think I've ever had a server that didn't have failed login attempts from China. And they seem to rotate their machines pretty well so a firewall isn't that useful. Long as you don't have a common username & password and disable root logins you'll be fine though

 

[Anthony Parsons]

Yer, I disable SSH period. I only enable it when I need it accessed, otherwise it remains disconnected as a login method.

 

[Floren]

Yer, I disable SSH period.

Tony, I'm wondering how do you access the server if you disable SSH... through a DRAC card?

 

[Anthony Parsons]

WHM is installed...

Quite honestly, once everything is installed I see no reason to access my server... it just runs nicely. I have the attitude of, "if it ain't broke, don't fix it."

I only turn SSH on via WHM when SSH is absolutely needed.

 

[Hackfall]

I have fixed IP address at home so I have my iptables set to only accept connections from that IP number for port 995 ie SSH. Anyone else tries and the connection is dropped.

 

[Adam Howard]

On one of my servers

3 step vitrification (Ip, phone, time key generated code)
DNS routing
physical firewall
software firewall
ssh secure key, on different port, and time based (only accepts log-ins between accepted times)

There maybe a lot of ways to hack something, but you're not getting that way

 

[Floren]

There maybe a lot of ways to hack something, but you're not getting that way

This is what you would get if you try to login into one of my servers:



You will have to know my ssh port (not 22), password and... steal my phone to get the verification code that changes every 15 seconds.

 

[Adam Howard]

This is what you would get if you try to login into one of my servers:

View attachment 32094

You will have to know my ssh port (not 22), password and... steal my phone to get the verification code that changes every 15 seconds.

Same, but also your IP would have to be on the approval list, you would also need to know the time keygen code, and ssh secure key code. You would also have to do it at the right time of day