
I have rented this small VPS and I keep getting brute-force attacks trying to hack in. So I want to restrict SSH and VNC to two IP addresses that I have (on separate networks).

I tried to do this with iptables; here's the output of `iptables -S`:

```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s <ip one>/32 -p tcp -m tcp --dport <vnc> -j ACCEPT
-A INPUT -s <ip two>/32 -p tcp -m tcp --dport <vnc> -j ACCEPT
-A INPUT -s <ip one>/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s <ip two>/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport <vnc> -j DROP
```

It doesn't appear to be working, because the auth.log is still full of hackers trying to get in through sshd.

My logic was "let the two IPs I have come in, and drop everything else".

What am I doing wrong?

fjleon
  • You would be better off disabling password authentication and only allowing key authentication. **A private/public key created at the proper size will make it virtually impossible to access your server without the proper key.** – Ramhound Apr 30 '19 at 21:03
  • 1
    If I am not mistaken, `-P INPUT ACCEPT` is setting your default policy to ACCEPT. Which means you currently are allowing all incoming connections. – Ramhound Apr 30 '19 at 21:15
  • @Ramhound I suspect this may be the case, but I thought that -P basically meant "wipe the rule out". Since I'm doing an explicit deny at the end I thought that would be enough. But I clearly need to do what -P does. Maybe I should do -P INPUT -J DROP instead, but then I'm afraid it will drop everything and not go through the rest of the entries – fjleon Apr 30 '19 at 21:21
  • According to [this](https://superuser.com/questions/634469/need-iptables-rule-to-accept-all-incoming-traffic?rq=1), it sets the default policy, so you are mistaken in the belief it wipes the rule out. Like I said enable key authentication and it won't matter. – Ramhound Apr 30 '19 at 21:27
  • Your suggestion for key authentication is valid and I appreciate it; however, it's a workaround and not really an answer to my issue. Also, I investigated what -P means. Basically it means "what do you want to do if none of the rules on your chain matches". In my case, it's accept, which is what I want (for now). So this means that my problem is that none of my rules are matching and I need to figure out why – fjleon May 01 '19 at 02:44

2 Answers

You need to change 2 things and be mindful of a third:

  1. You probably need to add a rule to allow traffic coming in associated with outgoing traffic through your network with a command like `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`

  2. You need to add a default drop for everything, not just VNC. Add `iptables -A INPUT -j DROP`

  3. Your 0.0.0.0/32 specifications are essentially meaningless as they mean only the IP 0.0.0.0, which is not a valid IP. A /32 is a single host. Never tried it, but a /0 would be the opposite; but it's better to just delete the IP address specification so it will match all addresses.

davidgo
  • It is my understanding that 1) is only needed if I want to accept incoming established connections that the VPS already started (which will be none. VPS is not starting connections, at least not in SSH/VNC). If I would do 2), it would be more efficient to just do -P INPUT -j DROP which is basically an implicit deny if no other rule matches. When I do iptables -L it actually shows source: 0.0.0.0 which means "any ip address" and it's exactly what I want. It doesn't show subnet mask though, and maybe my rule needs the mask to be /0. I will keep testing this – fjleon May 01 '19 at 05:18
  • 1
    Re 1. - You are correct - but why don't you follow best practices and drop all inbound traffic you don't know? With respect to 3, just remove '-s 0.0.0.0/32' and it will drop for all otherwise unspecified IPs. – davidgo May 01 '19 at 05:46

My advice would be to find a good tutorial on iptables, as you really need to understand the basics. There are many good tutorials and basic, proven iptables rulesets, like, for example, these tutorials from DigitalOcean, which relate to Ubuntu but can easily be applied to any Linux version:

https://www.digitalocean.com/community/tutorials/how-the-iptables-firewall-works

and

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04

and

https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands

My advice would also be to use iptables' connection tracking as explained in the answer by Davidgo here. This will work not only for outgoing but also for incoming connections and can greatly reduce the number of rules that iptables needs to process for each incoming packet.

Also be aware that a good firewall is just one layer in your server's security. You should never rely on it as the only line of defence. I would advise you to add more, where practical (such as key based SSH authentication).

Basically, a simple iptables ruleset could look like this:

SETUP POLICIES

Set default policies with -P (i.e. DROP for INPUT, DROP for OUTPUT and ALLOW for FORWARD). These will set the default behaviour when no rules match. You will probably not use the FORWARD chain as it is used for routing.

INPUT CHAIN

  • ALLOW traffic on your lo (loopback) interface (i.e. traffic that stays internal to your VPS and should never be blocked)

  • ALLOW traffic from ESTABLISHED and RELATED connections (i.e. connections that were already given permission before. This saves time and processing resources)

  • ALLOW NEW connections from your IP addresses to the two ports you want to allow incoming sessions on (in your case SSH and VNC)

  • DROP or REJECT everything else (you can do this explicitly or rely on the policy you set before)

OUTPUT CHAIN

  • ALLOW traffic from NEW, ESTABLISHED and RELATED connections. This basically means that all outgoing connections initiated from your VPS will be permitted, as well as outgoing traffic that is part of an already permitted and established incoming connection (i.e. your SSH and VNC sessions).

  • DROP everything else, or rely on your default policy for the OUTPUT chain.

StarCat
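The ruleset StarCat outlines above (and the three fixes davidgo lists) as one script, added here as an example and not taken from either answer: gen_rules prints the rules in iptables-restore format so the whole set is applied atomically, and lint_rules flags the `-s 0.0.0.0/32` mistake from the question in existing `iptables -S` output. The two trusted addresses and the VNC port are constructed placeholders; FORWARD is set to DROP rather than the ACCEPT the answer mentions, since a VPS that does not route needs no forwarding.

```shell
#!/bin/sh
# Added example, not from the question or the answers.
# gen_rules writes StarCat's ruleset in iptables-restore format:
# DROP policies, loopback, conntrack, SSH + VNC from two trusted IPs, then DROP.
# The IPs and VNC port used at the bottom are constructed placeholders.
set -eu

# gen_rules TRUSTED_IP_1 TRUSTED_IP_2 VNC_PORT   (prints the ruleset to stdout)
gen_rules() {
    ip1=$1; ip2=$2; vnc=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # One NEW-connection rule per trusted address and port. No source filter
    # on the final DROP: -s 0.0.0.0/32 would match only the literal 0.0.0.0.
    for ip in "$ip1" "$ip2"; do
        for port in 22 "$vnc"; do
            printf '%s\n' "-A INPUT -s $ip/32 -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    cat <<EOF
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# lint_rules reads "iptables -S" output on stdin and returns 1 if any rule
# carries -s 0.0.0.0/32, the never-matching source from the question.
lint_rules() {
    n=$(grep -c -e '-s 0\.0\.0\.0/32' || true)
    [ "$n" -eq 0 ]
}

# Review the output first; apply with:  gen_rules ... | iptables-restore
gen_rules 198.51.100.10 203.0.113.20 5901
```

Before applying, save the current rules with `iptables-save` and schedule an `iptables-restore` of that backup a couple of minutes later in the background, cancelling it only once you have confirmed you can still log in from a trusted address.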