subdirectory and the file gone
The howto is good and working, but at some point ISPConfig deleted the subdirectory and the post-rule-setup.sh file, most probably after the upgrade from 2.2.8 to 2.2.9.
Regards, Apostol
During an update ISPConfig renames /etc/Bastille to /etc/Bastille_somedate and creates a new /etc/Bastille directory; that's why the subdirectory is missing now.
Sorry to drag up an old thread, but I would like to add some rules to the firewall, such as IP blocking and stuff. However, it would seem from Falko's comments here that if I do it this way, then after each upgrade I have to fix the firewall again? I also have Webmin installed on a development server alongside ISPConfig, and when I go to edit the firewall in there, it gives me the option of converting the existing ISPConfig firewall to the Webmin-managed one; then you can edit the Webmin one from there. I've tested it and it seems OK. Are there any problems with using it this way instead? Of course I did turn off the ISPConfig firewall in services after I converted it. But it seems that after this is done, I can upgrade ISPConfig without having to redo the firewall additions each time? Thanks
I have a set of rules I use in /etc/Bastille/firewall.d/post-rule-setup.sh. Since the release of 2.2.16 or so, my rules in post-rule-setup.sh are kept after the update.
I've found this on another site to reduce brute force hacking using only iptables:
And would like to add it to the firewall rules. Would the two lines just replace the existing reference to port 22 in the default ISPConfig firewall rules? This seems like a good way to slow down the brute force attacks on servers. Also I've seen this code in the comments on the Denyhost howto:
Both seem like good methods without having to install any separate software. From looking at them, which would you suggest to be the better method to add? Thanks
Here is what I added to my post-rule-setup.sh for ssh.
Code:
/sbin/iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
/sbin/iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
Where did you add those 2 lines to the existing ISPConfig firewall rules? Did you just replace the line that refers to port 22 for ssh? Thanks
I see. So if I just put only those 2 lines in the post-rule-setup.sh file, it should work? I need to test this out soon, as I'm getting a lot of hack attempts and don't really want to disable root on ssh. Thanks
Yeah, I believe I had to create the dir firewall.d and the file post-rule-setup.sh, added my rules, restarted Bastille (/etc/init.d/bastille_firewall restart), and you can check your rules with iptables -L
That sounds like exactly what I'm looking for. I'll give it a try as well and see if it helps reduce the hack attempts. I'll also post back later and let everyone know if I had to redo the rules after an upgrade, as I'll be upgrading soon.
Daveb, I've added the lines to my firewall as you explained; however, I'm not certain it's working, as I tried connecting to ssh through PuTTY several times with the wrong password and it keeps letting me try. The only thing I've changed is the ETH in your line to "ETH0" for my network card. Here is my iptables -L output. Can you let me know if it looks OK, and how I can test this? Thanks
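An added example, not daveb's file and not part of the original thread: a post-rule-setup.sh that applies the same "recent" throttle from the posts above to the host's own sshd, plus a check that reads iptables -L output. It assumes sshd runs on the firewall host itself, so the rules go in INPUT rather than FORWARD (FORWARD only sees packets routed through the box), and that the interface is eth0 as the kernel names it (interface names are case sensitive).

```shell
#!/bin/sh
# post-rule-setup.sh (added example): throttle new SSH connections with the
# iptables "recent" match. Assumptions: sshd runs on this host, so the rules go
# in INPUT (FORWARD only sees packets routed through the box); IFACE is the
# kernel's interface name, which is case sensitive ("eth0", not "ETH0").
IPTABLES=${IPTABLES:-/sbin/iptables}
IFACE=${IFACE:-eth0}
SSH_PORT=${SSH_PORT:-22}
WINDOW=${WINDOW:-60}   # seconds a source stays counted after its last attempt
HITS=${HITS:-3}        # with --set listed first, the HITS-th NEW connection
                       # from one source inside WINDOW is dropped

# Print the two rules for CHAIN (default INPUT) without applying them, so they
# can be reviewed first or piped to sh.
ssh_throttle_rules() {
  chain=${1:-INPUT}
  printf '%s -A %s -i %s -p tcp --dport %s -m state --state NEW -m recent --set --name SSH\n' \
    "$IPTABLES" "$chain" "$IFACE" "$SSH_PORT"
  printf '%s -A %s -i %s -p tcp --dport %s -m state --state NEW -m recent --update --seconds %s --hitcount %s --rttl --name SSH -j DROP\n' \
    "$IPTABLES" "$chain" "$IFACE" "$SSH_PORT" "$WINDOW" "$HITS"
}

# Apply the rules, stopping at the first iptables error so a typo is not silent.
apply_ssh_throttle() {
  ssh_throttle_rules INPUT | sh -e
}

# Read "iptables -L INPUT -n" output on stdin; succeed only if the DROP rule
# with the recent UPDATE match on list SSH is present. To test after a restart:
# run this check, then open more than HITS ssh connections within WINDOW
# seconds from one client and watch the counters in "iptables -L INPUT -n -v".
ssh_throttle_active() {
  grep -q 'DROP.*recent: UPDATE.*name: SSH'
}

# Bastille runs post-rule-setup.sh with no arguments; for the real hook, call
# apply_ssh_throttle unconditionally. Here "apply" must be given explicitly so
# that running the file by hand only prints the rules.
if [ "${1:-}" = apply ]; then
  apply_ssh_throttle
else
  ssh_throttle_rules INPUT
fi
```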
New iptables rules don't seem to be recognised by Bastille
I tried to add the following two rules
Code:
/sbin/iptables -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
/sbin/iptables -t nat -A OUTPUT -p tcp -d a.b.c.d --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
based on advice received from this post (http://www.howtoforge.com/forums/showthread.php?t=23889&goto=newpost). (The purpose is to relay an http request from any external workstation via an OpenVPN server to an OpenVPN client which has no public IP address.) a.b.c.d is obviously replaced with my public IP address on my system. Now, I added a file pre-chain-split.sh to a new directory firewall.d under /etc/Bastille as described in this post. The restart runs through just fine:
Code:
root@blackbird:/etc/Bastille/firewall.d# /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
but no iptables rule seems to be appended. The output of iptables -L -v (as shown below) is exactly as before, and a PREROUTING chain is not even mentioned. I deliberately put an error into pre-chain-split.sh to check whether it is even run. And yes, I get an error message if I build an error into the file, so we know it is executed fine. Any idea anyone why this might not be working for me?
Cheers chillifire
Appendix: Output of iptables -L -v
Code:
root@blackbird:/etc/Bastille/firewall.d# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target   prot opt in     out    source                    destination
    0     0 DROP     tcp  --  !lo    any    anywhere                  127.0.0.0/8
 1505  160K ACCEPT   all  --  any    any    anywhere                  anywhere     state RELATED,ESTABLISHED
   37  1924 ACCEPT   all  --  lo     any    anywhere                  anywhere
    0     0 DROP     all  --  any    any    BASE-ADDRESS.MCAST.NET/4  anywhere
   19  1046 PUB_IN   all  --  eth+   any    anywhere                  anywhere
    0     0 PUB_IN   all  --  ppp+   any    anywhere                  anywhere
    0     0 PUB_IN   all  --  slip+  any    anywhere                  anywhere
    0     0 PUB_IN   all  --  venet+ any    anywhere                  anywhere
    0     0 DROP     all  --  any    any    anywhere                  anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target   prot opt in     out    source                    destination
    0     0 ACCEPT   all  --  any    any    anywhere                  anywhere     state RELATED,ESTABLISHED
    0     0 DROP     all  --  any    any    anywhere                  anywhere

Chain OUTPUT (policy ACCEPT 278 packets, 24730 bytes)
 pkts bytes target   prot opt in     out    source                    destination
 2361  474K PUB_OUT  all  --  any    eth+   anywhere                  anywhere
    0     0 PUB_OUT  all  --  any    ppp+   anywhere                  anywhere
    0     0 PUB_OUT  all  --  any    slip+  anywhere                  anywhere
    0     0 PUB_OUT  all  --  any    venet+ anywhere                  anywhere

Chain INT_IN (0 references)
 pkts bytes target   prot opt in     out    source                    destination
    0     0 ACCEPT   icmp --  any    any    anywhere                  anywhere
    0     0 DROP     all  --  any    any    anywhere                  anywhere

Chain INT_OUT (0 references)
 pkts bytes target   prot opt in     out    source                    destination
    0     0 ACCEPT   icmp --  any    any    anywhere                  anywhere
    0     0 ACCEPT   all  --  any    any    anywhere                  anywhere

Chain PAROLE (16 references)
 pkts bytes target   prot opt in     out    source                    destination
   18   976 ACCEPT   all  --  any    any    anywhere                  anywhere

Chain PUB_IN (4 references)
 pkts bytes target   prot opt in     out    source                    destination
    0     0 ACCEPT   icmp --  any    any    anywhere                  anywhere     icmp destination-unreachable
    0     0 ACCEPT   icmp --  any    any    anywhere                  anywhere     icmp echo-reply
    0     0 ACCEPT   icmp --  any    any    anywhere                  anywhere     icmp time-exceeded
    0     0 ACCEPT   icmp --  any    any    anywhere                  anywhere     icmp echo-request
    0     0 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:ftp
    0     0 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:ssh
    0     0 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:smtp
    0     0 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:domain
   16   856 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:www
    0     0 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:81
    0     0 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:pop3
    0     0 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:https
    0     0 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:webmin
    0     0 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:radius
    0     0 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:radius-acct
    0     0 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:mysql
    0     0 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:openvpn
    2   120 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:munin
    0     0 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:2812
    0     0 PAROLE   tcp  --  any    any    anywhere                  anywhere     tcp dpt:4960
    0     0 ACCEPT   udp  --  any    any    anywhere                  anywhere     udp dpt:domain
    1    70 ACCEPT   udp  --  any    any    anywhere                  anywhere     udp dpt:openvpn
    0     0 DROP     icmp --  any    any    anywhere                  anywhere
    0     0 DROP     all  --  any    any    anywhere                  anywhere

Chain PUB_OUT (4 references)
 pkts bytes target   prot opt in     out    source                    destination
 2357  472K ACCEPT   all  --  any    any    anywhere                  anywhere
Not sure I understand?
Hi falko, I am not sure I understand your response. Try what? Looking at your link (earlier posts of this very same thread) suggests putting iptables rules into a file "pre-chain-split.sh" in directory /etc/Bastille/firewall.d, which is exactly what I have done. Is there something else in this post I have overlooked that you want me to try? Cheers
To display the content of the "nat" table (where the POSTROUTING and PREROUTING chains are), you should issue:
Code:
/sbin/iptables -t nat -L
Great, thanks, now I can see them. It was actually working; I just could not see the entries with iptables -L -v. I had to enter iptables -t nat -L for it to work. Thanks, Hanno
PS: I consider myself a reasonably intelligent person, but this iptables business is witchcraft to me, and developed by a pretty deviant witch at that. Is there a decent online tutorial or book that teaches iptables that you can recommend? Please don't point out the often quoted http://iptables-tutorial.frozentux.net/iptables-tutorial.html, as this must have been written by that deviant witch.