Locking Down Your Linux Server
No matter which Linux you run, you need to protect it with an iptables-based firewall.
Yes! You’ve just set up your first Linux server and you’re ready to rock and roll! Right? Uh, no.
By default, your Linux box is not secure against attackers. Oh sure, it’s more secure than Windows XP, but that’s not saying much.
To summarize, you must — first — turn off the services you don’t need. Of course to do that, you need to know what network services you’re running in the first place.
You can find out what those are with the shell command:
Netstat will tell you what services you’re running and what ports they’re using. If you don’t need a particular service or port, you should turn it off. For example, unless you’re running a website, you don’t need to be running the Apache or Nginx web servers or have ports 80 or 8080 open.
In short, when in doubt, turn it off or close it down.
On a plain vanilla Linux server, with nothing extra, you’ll see SSH, RPC, and NTPdate up and running with open ports. Do not add such old and insecure shell programs as telnet or the hackers will rise up and slap your server right out of your control. Yeah, maybe you loved telnet back on your SunOS box in the 80s, but that was then and this is now.
So much for closing your doors; let’s talk about using iptables to lock them from intruders.
When you start your Linux server it has no — nada — rules. That means all traffic is allowed. This is NOT GOOD. So, you need to set up your firewall … as soon as possible!
Iptables is a shell utility that sets network rule policies for netfilter, Linux’s default firewall, using a set of rules to allow or block traffic. When someone tries to connect to your system — and someone will every day, without fail — iptables tries to match the request against its rule list. If it can’t find a match, it falls back to whatever the default action is.
That action should be to “Drop” the connection, which will block those outsiders wanting in. But it won’t let them know what happened to their attempts to knock on your server’s network door. (You could also “Reject” the connection, but that lets them know you have a Linux firewall up and running. These days, the less information a stranger has about my system, the better. At least, that’s my philosophy.)
Now, you could set up your firewall with just iptables. I’ve done it. But then, I used to ride a bike to work six miles away, uphill both directions. These days, I drive.
That means I use FirewallD for the Fedora distributions and UFW [Uncomplicated Firewall] for the Debian family. These are easy-to-use shell front-ends to iptables. For the finer details on how to use either, see these Linode guides: FirewallD and UFW.
Both come with default rule sets that, in essence, put up “No Trespassing” signs around your server. Use them.
But don’t get too excited about shutting down all your connections. For example:
sudo ufw default deny incoming
may look like a good idea. After all, it blocks everything!
Well, yes. Yes, it does. That means it also blocks ssh. And that means you can no longer get to your shiny new server. Whoops!
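The two steps the post walks through, checking what is listening and then putting the DROP policy in place without cutting off your own SSH session, as an added example that is not from the original post or from Linode’s guides. The function names, the `DRY_RUN` and `SSH_PORT` variables, and the sample netstat text are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: see what is listening, then lock down
# with iptables in an order that cannot cut off your own SSH session.
# DRY_RUN=1 prints the rules instead of applying them; SSH_PORT defaults to 22.
set -eu

SSH_PORT="${SSH_PORT:-22}"

# run CMD...: execute the command, or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# list_listeners: read `netstat -tulpn` style output on stdin and print
# "proto port program" for each listening socket. UDP rows have no State
# column, so the program is taken from the last field rather than a fixed one.
list_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":"); port = a[n]
        split($NF, p, "/"); prog = (p[2] == "") ? "-" : p[2]
        print $1, port, prog
    }'
}

# lockdown: accept loopback, replies to connections we opened, and new SSH
# connections *before* the INPUT policy becomes DROP. Setting the deny-all
# policy first, with no SSH allow rule in place, is the self-lockout described above.
lockdown() {
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -P INPUT DROP     # silent drop rather than REJECT, as the post prefers
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
}

# Constructed sample of `netstat -tulpn` output; not captured from a real host.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25              0.0.0.0:*               LISTEN      1123/master
udp        0      0 0.0.0.0:123             0.0.0.0:*                           700/ntpd'

# Demo: inspect the sample, then print (not apply) the rule set.
printf '%s\n' "$SAMPLE_NETSTAT" | list_listeners
DRY_RUN=1 lockdown
```

On a real host, pipe the live output of `sudo netstat -tulpn` into `list_listeners`, and only run `lockdown` without `DRY_RUN` once you have confirmed the printed SSH rule matches the port you actually use.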
Still, if you’re going to err, err on the side of blocking more connections. You see — the hackers really are out to get you.
Or, to be more exact, it’s not you or your servers personally. Sure, you’re not the National Security Agency (NSA), which gets — no kidding — 300 million hacking attempts per day. But a hacking script doesn’t care. It just scans the internet looking for a server with a known hole. My own quiet little servers get hundreds of attacks — on a slow day.
So, what are you waiting for? Go, lock down your network services. Install FirewallD or UFW and secure your servers. You’ll be glad you did.
Please feel free to share below any comments or insights about your experience locking down a Linux server with an iptables-based firewall. And if this blog was useful, consider sharing it through social media.
About the blogger: Steven J. Vaughan-Nichols is a veteran IT journalist whose estimable work can be found on a host of channels, including ZDNet.com, PC Magazine, InfoWorld, ComputerWorld, Linux Today and eWEEK. Steven’s IT expertise comes without parallel. And while his views and cloud situations are solely his and don’t necessarily reflect those of Linode, we are grateful for his contributions. He can be followed on Twitter (@sjvn).