If you’ve been hacked before (as I was), you know the importance of hardening your Linux box. Over a year ago, another server I managed was hacked through a phpBB upload form. We were lucky enough not to lose any data. The hacker sent us a security report by email and said that he ran a computer security business from his home and was offering us his services.
I finally tracked down the guy as he had an email account from the same ISP as me. I found out he was like 16 years old. Even though he didn’t do any harm, I still managed to inform my ISP. I don’t think illegal intrusions are part of a good marketing plan.
Of course, since then I have put a little more effort into securing my server. That involved a number of measures, but today we’re going to look at two of my favorite tools: Advanced Policy Firewall (APF) and Brute Force Detection (BFD). Both tools are made by RFX Networks and they work in combination with each other.
Advanced Policy Firewall
APF is an iptables-based firewall. Basically it manages a set of rules that are then applied with iptables. The filtering performed by APF can be static, connection-based or sanity-based. You can get more information about Advanced Policy Firewall at http://www.rfxnetworks.com/apf.php.
Brute Force Detection
This tool is pretty simple: all it does is analyze your log files to detect failed authentication attempts. When it finds enough of them from one source, it triggers APF to block that IP address from further access to the server. More information on BFD is available at http://www.rfxnetworks.com/bfd.php.
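To show what that log analysis amounts to, here is a small added example (my own code, not part of BFD or APF) that counts failed sshd password attempts per source address over a few constructed syslog lines, skips an allow list (your own workstation, as added with apf -a), and builds the apf -d deny commands for review; the apf -d HOST COMMENT form is assumed from APF's usage text, the comment wording is mine, and the threshold is a made-up value.

```python
import re
from collections import Counter

# Constructed sample of sshd log lines in syslog format (not taken from a real server).
SAMPLE_LOG = """\
Mar  3 10:01:12 web sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:15 web sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar  3 10:01:19 web sshd[2205]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar  3 10:02:02 web sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 41022 ssh2
Mar  3 10:05:40 web sshd[2230]: Failed password for bob from 198.51.100.4 port 41100 ssh2
Mar  3 10:06:01 web sshd[2231]: Failed password for root from 203.0.113.7 port 50190 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins(log_text):
    """Return a Counter of failed-password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def hosts_to_block(log_text, threshold, allowed=()):
    """IPs at or above the failure threshold, minus the allow list (e.g. your workstation)."""
    return sorted(ip for ip, n in failed_logins(log_text).items()
                  if n >= threshold and ip not in allowed)

def apf_deny_commands(log_text, threshold, allowed=()):
    """Build the 'apf -d HOST COMMENT' commands to hand to APF; review them before running."""
    counts = failed_logins(log_text)
    return ['apf -d %s "{bfd.sshd} %d failed logins"' % (ip, counts[ip])
            for ip in hosts_to_block(log_text, threshold, allowed)]

if __name__ == "__main__":
    # Assumed threshold of 3 attempts; 198.51.100.4 stands in for the admin's workstation.
    for cmd in apf_deny_commands(SAMPLE_LOG, threshold=3, allowed={"198.51.100.4"}):
        print(cmd)
```

The allow list matters: without it, a typo-prone admin session from your own workstation can get you locked out exactly as the post warns.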
Installation
As with any other major change to your operating system, I strongly suggest you make backup copies before going further. If you misconfigure iptables, you might not be able to access your server remotely.
1. Download APF and BFD
# wget http://www.r-fx.ca/downloads/apf-current.tar.gz
# wget http://www.r-fx.ca/downloads/bfd-current.tar.gz
2. Extract all files from both archives
# tar xvzf apf-current.tar.gz
# tar xvzf bfd-current.tar.gz
3. Launch the APF installation script
# cd apf-[current version]
# ./install.sh
4. Execute the BFD installation script
# cd ../bfd-[current version]
# ./install.sh
5. Add your workstation’s IP address to the allowed hosts list
# apf -a [ip address]
6. Check that a cron task has been added automatically in /etc/cron.d/ to trigger BFD every ten minutes. You can alter the bfd cron file in order to execute BFD at a different interval. You can also set the MAILTO parameter in this file to email you a warning each time BFD detects an intrusion attempt.
Over time, your denied hosts list may grow significantly. This may slow down your server’s startup time, as a DNS lookup is performed for each denied IP address listed. One of my servers had been collecting IP addresses for over a year. At some point I had to reboot it for maintenance purposes and it took over 30 minutes to come back online. For that reason, you might want to clean up your denied hosts list once in a while. To do this, simply edit /etc/apf/deny_hosts.rules and remove some of the older entries. When done, issue apf -r to flush and reload the firewall rules.