
Thread: Firewall Setups

  1. #1
    Join Date
    May 2009
    Location
    Wollongong, Australia
    Beans
    Hidden!
    Distro
    Ubuntu 8.04 Hardy Heron

    Firewall Setups

    Hey everyone

    I have a webserver I want to set up a firewall on. At this stage, it seems like I'll end up going with ufw, but let's have a bit of an explanation first...

    The end goal is to have SSH and HTTPS only accessible from predefined IP addresses, which should be simple enough for any firewall. However there is a trickier goal I'd like

    I want to be able to have something that actively monitors the apache2 logs and, if it sees a certain number of 404s from a given source IP, adds a rule to the firewall blocking that IP for all ports. I hear fail2ban might be suitable, but I don't know much about it, i.e. how active it is, among other things.

    The method of detection doesn't have to be monitoring logs, that just seems like a basic way of doing it.

    Suggestions?

    Cheers

    Ramo
    Computer Security for Noobs!!

    http://www.security4noobs.com/

  2. #2
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    Re: Firewall Setups

    Quote: Originally posted by goodvikings
    Hey everyone

    I have a webserver I want to set up a firewall on. At this stage, it seems like I'll end up going with ufw, but let's have a bit of an explanation first...

    The end goal is to have SSH and HTTPS only accessible from predefined IP addresses, which should be simple enough for any firewall. However there is a trickier goal I'd like

    I want to be able to have something that actively monitors the apache2 logs and, if it sees a certain number of 404s from a given source IP, adds a rule to the firewall blocking that IP for all ports. I hear fail2ban might be suitable, but I don't know much about it, i.e. how active it is, among other things.

    The method of detection doesn't have to be monitoring logs, that just seems like a basic way of doing it.

    Suggestions?

    Cheers

    Ramo
    Well, UFW/GUFW, Firestarter, etc. are not firewalls themselves; they are merely interfaces to interact with the firewall built into the Linux kernel, which is called IPTables/Netfilter.

    I would look at IPTables directly from the command line if I were you; it is much more powerful.

    Also remember, if you are behind a router then there will be a firewall function on that.
    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  3. #3
    Join Date
    May 2009
    Location
    Wollongong, Australia
    Beans
    Hidden!
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Firewall Setups

    Hmmm, OK, thanks, that's very useful to know.

    So I guess the question then becomes "What's a good way to actively monitor Apache, and what will work well with that to add firewall rules the best?"

    I only looked very quickly at ufw, and it seems that it's very easy to add rules with it.

  4. #4
    Join Date
    Feb 2010
    Location
    Obscurial Springs
    Beans
    15,210
    Distro
    Ubuntu Budgie Development Release

    Re: Firewall Setups

    If you choose to go with an interface, Firestarter is an old program, and though it is in the repository I would avoid it.
    "Our intention creates our reality. "


  5. #5
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    Re: Firewall Setups

    Quote: Originally posted by goodvikings
    Hmmm, OK, thanks, that's very useful to know.

    So I guess the question then becomes "What's a good way to actively monitor Apache, and what will work well with that to add firewall rules the best?"

    I only looked very quickly at ufw, and it seems that it's very easy to add rules with it.
    You might want to take a look at apachetop for Apache monitoring, or just do it the old-fashioned way in the Apache logs themselves.

  6. #6
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    Re: Firewall Setups

    Quote: Originally posted by Frogs Hair
    If you choose to go with an interface, Firestarter is an old program, and though it is in the repository I would avoid it.
    +1, yeah, avoid that at all costs.

    The CLI for IPTables is much more powerful, though not as user-friendly as the GUIs.

  7. #7
    Join Date
    May 2009
    Location
    Wollongong, Australia
    Beans
    Hidden!
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Firewall Setups

    Meh, it's a server anyway, so a GUI is out of the question.

    I'll give apachetop a look. Is it able to detect something like several 404s from one IP and run a script / command when it does? If that's the case then we can forget about fail2ban.

  8. #8
    Join Date
    Feb 2007
    Beans
    169
    Distro
    Ubuntu 11.10 Oneiric Ocelot

    Re: Firewall Setups

    First part should be doable with ufw, but the bit about monitoring the log and automatically updating the iptables rules would require writing iptables rules directly.

    If it were me, I would write a Perl script to parse the error log and spit out a rule revision in my iptables file for any IP with too many 404s. Run the script via cron with enough permission to write iptables rules.

    iptables -A INPUT -s 64.90.32.6 -j DROP (something like this)

    Rules can be added on the fly if I remember correctly -A adds the new rule to the end of the list.

    But I'm a bit rusty. One thing: you can lock yourself out of a remote computer playing with iptables, so it's good to learn on a local test box.
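
The log-parsing approach from post #8, as an added example (written in Python rather than Perl; it is not code from any poster in this thread). It assumes the Apache common/combined access-log format, the function names `offenders` and `drop_rules` are hypothetical, the log lines are constructed, and it only renders the iptables commands instead of running them, with an allowlist so the admin's own address is never banned.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined access log: client, timestamp, quoted request, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:[^"\\]|\\.)*" (\d{3}) ')

def offenders(lines, threshold=5, window=timedelta(seconds=60), allow=()):
    """Return source IPs with >= threshold 404s inside a sliding window."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    recent = defaultdict(deque)          # ip -> timestamps of its recent 404s
    banned = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "404":
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))   # rejects hostnames/garbage
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        if ip in banned or any(ip in net for net in allowed):
            continue                     # never ban the admin's own addresses
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:     # forget hits older than the window
            hits.popleft()
        if len(hits) >= threshold:
            banned.append(ip)
    return [str(ip) for ip in banned]

def drop_rules(ips):
    """One argv list per ban. -I puts the DROP ahead of existing ACCEPT rules."""
    return [["ip6tables" if ":" in ip else "iptables",
             "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]

def _line(ip, sec, status):              # builds one constructed log line
    return (f'{ip} - - [10/Oct/2011:13:{sec // 60:02d}:{sec % 60:02d} +1100] '
            f'"GET /missing HTTP/1.1" {status} 209')
# Constructed sample (documentation address ranges), not real traffic.
SAMPLE = ([_line("203.0.113.9", s, 404) for s in range(0, 10, 2)]        # burst
          + [_line("198.51.100.7", s, 404) for s in range(0, 600, 120)]  # slow
          + [_line("192.0.2.10", s, 404) for s in range(6)]              # admin
          + [_line("203.0.113.50", s, 200) for s in range(6)])           # normal

if __name__ == "__main__":
    for argv in drop_rules(offenders(SAMPLE, allow=("192.0.2.0/24",))):
        print(" ".join(argv))
```

Validating the client field with `ipaddress` before it reaches a command line matters because that field is attacker-influenced when hostname lookups or proxies are involved.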

  9. #9
    Join Date
    May 2009
    Location
    Wollongong, Australia
    Beans
    Hidden!
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Firewall Setups

    Yeah, I did think of that, but I want it to be much more active. You know, without telling cron to run that job every 5 seconds or so...

  10. #10
    Join Date
    Feb 2007
    Beans
    169
    Distro
    Ubuntu 11.10 Oneiric Ocelot

    Re: Firewall Setups

    How about an Apache module? No idea how to do that, but it would be part of the apache process, maybe good enough for other folks to use.
