Skip to content

Instantly share code, notes, and snippets.

@sudheendrach

sudheendrach/server-security.md

Last active August 29, 2015 14:05
Show Gist options
  • Save sudheendrach/1e6a1c4ed984373be9de to your computer and use it in GitHub Desktop.
Save sudheendrach/1e6a1c4ed984373be9de to your computer and use it in GitHub Desktop.
Download ZIP
Configuring IPTables and Fail2Ban
Raw
server-security.md

Installing fail2ban

apt-get install fail2ban

The fail2ban service keeps its configuration files in the /etc/fail2ban directory. There is a file with defaults called jail.conf.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Installing nginx, sendmail and iptables for more security apt-get install nginx sendmail iptables-persistent

Allowing only certain ports, i.e., setting firewall

root@projectx:~# iptables -A INPUT -i lo -j ACCEPT
root@projectx:~# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
root@projectx:~# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
root@projectx:~# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
root@projectx:~# iptables -A INPUT -j DROP
root@projectx:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-ssh -j RETURN

sudo nano /etc/fail2ban/jail.local
bantime = 1800 // half an hour
destemail = [email protected]

action_mwl = bans and sends email with whois log

action = %(action_mwl)s

[nginx-http-auth]
enabled = true

service fail2ban stop
service fail2ban start
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment