February 9, 2009

After seeing numerous log entries from attempts to hack my linux box I decided it is time to learn how to implement iptables for security.
A copy of the log file can be found here: log-file.
The way I can tell I'm being attacked is by opening my /var/log/messages file, which you can see in its entirety below. I see what appears to be a brute force SSH attack. I can see the attacker's IP is 211.151.64.106. If I do an ARIN lookup on this IP I see the network is in Asia and the ISP owns 210.0.0.0 – 211.255.255.255. Lucky for me I don't need anyone in Asia to access my box, so I'm going to block this entire network.
First thing I need to do is verify iptables is installed by typing:
iptables
The output I get is below. This is good: it means iptables is already installed.
Try `iptables -h' or 'iptables --help' for more information.
Next thing I need to do is list my current iptables rules:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
You can see from these rules I have absolutely none configured.
Next I’m going to add my rules to block the IP that is attacking my machine:
iptables -A INPUT -s 210.1.1.1/8 -j DROP
iptables -A INPUT -s 211.1.1.1/8 -j DROP
iptables -A INPUT -s 212.1.1.1/8 -j DROP
These are actually entire /8 networks that I'm blocking, because they're registered in Asia and my server doesn't need to communicate with this ISP anyway.
The next thing I’m going to do is save my active iptables to my startup iptables so that these rules load when my computer reboots:
/etc/init.d/iptables save active
The next thing I’m going to do is reboot my server and verify these rules still exist:
shutdown -r now
Once the PC is back online I verify my rules:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 210.0.0.0/8 anywhere
DROP all -- 211.0.0.0/8 anywhere
DROP all -- 212.0.0.0/8 anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
You can see now that I have 3 active rules which will block all incoming communication from these three /8 networks.
Now don't get me wrong, I'm no Unix expert, and I'm sure there is a way to combine all of these into one rule, but I don't feel like trying to figure out what it is right now. So this should get the job done.
If you want to delete any one of these rules you can delete it by its position in the INPUT chain (first, second or third rule, respectively):
iptables -D INPUT 1
iptables -D INPUT 2
iptables -D INPUT 3
Each of these commands deletes the entry at that position. Be aware that iptables renumbers the remaining rules after every deletion, so running these three commands one after another will not remove all three entries (the second and third will fail once the chain has fewer rules). To remove all three this way, run iptables -D INPUT 1 three times, checking with iptables -L --line-numbers in between.
After going through my log file and blocking out all these IPs I noticed a trend. They are all registered to foreign countries. Luckily for me my voice server doesn't need to communicate with these countries, so I've decided to block all traffic from the Asian continent. You can do the same by copying and pasting the code here:
iptable-entry-syntax1
A note on this: if you decide you want to start over from scratch, you can reset the default policies to ACCEPT, flush every rule and delete any user-defined chains by typing in:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
My next step here is monitoring my /var/log/messages in real time for a while to make sure I'm not still getting attacked. I can do this by typing the following:
tail -f /var/log/messages
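As an added example that is not part of the original post, here is a small POSIX shell script that turns the manual log check from the start of the post into something repeatable: it counts failed SSH logins per source address in /var/log/messages-style sshd lines and prints an iptables DROP rule for every address at or above a threshold. The log lines, the host name "voip" and the threshold of 5 are constructed for this example; the script only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes sshd's
# "Failed password for <user> from <ip> port <n> ssh2" message format.

# Constructed sample log lines in /var/log/messages format (not real data).
SAMPLE_LOG='Feb  9 10:01:02 voip sshd[2214]: Failed password for root from 211.151.64.106 port 33992 ssh2
Feb  9 10:01:04 voip sshd[2216]: Failed password for root from 211.151.64.106 port 34011 ssh2
Feb  9 10:01:05 voip sshd[2218]: Failed password for invalid user admin from 211.151.64.106 port 34020 ssh2
Feb  9 10:01:07 voip sshd[2220]: Failed password for root from 211.151.64.106 port 34033 ssh2
Feb  9 10:01:09 voip sshd[2222]: Failed password for root from 211.151.64.106 port 34049 ssh2
Feb  9 10:01:11 voip sshd[2224]: Failed password for root from 211.151.64.106 port 34055 ssh2
Feb  9 10:05:30 voip sshd[2300]: Failed password for bob from 192.0.2.25 port 51022 ssh2
Feb  9 10:06:00 voip sshd[2302]: Accepted password for bob from 192.0.2.25 port 51030 ssh2'

# count_failures: read log text on stdin and print "<count> <ip>" for every
# source address with failed sshd logins, most attempts first.
# Successful ("Accepted") logins are ignored.
count_failures() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# drop_rules <threshold>: read log text on stdin and print an iptables DROP
# rule for each address with at least <threshold> failed logins.
# It prints the rules so they can be reviewed before being applied.
drop_rules() {
    threshold="$1"
    count_failures | awk -v t="$threshold" '$1 >= t {
        printf "iptables -A INPUT -s %s -j DROP\n", $2 }'
}

# Stand-alone usage on the constructed sample (threshold of 5 attempts):
#   printf '%s\n' "$SAMPLE_LOG" | drop_rules 5
# prints: iptables -A INPUT -s 211.151.64.106 -j DROP
```

Run it against the live file with `drop_rules 5 < /var/log/messages` and review the output before pasting any rule into a root shell.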