👤 Raffi Utama
🗓️ 13 August 2023
The basic idea of hardening a server is to think about the possible ways an attacker can reach it. Typically an attacker scans the server for open ports, or simply tries well-known ones such as SSH, HTTP and FTP. Once a port is reachable, the attacker can point a bot at it to brute-force passwords or probe the service for vulnerabilities. Hardening is the effort to protect the server by making those actions harder for the bot or attacker; the fewer ports are reachable from the network, the smaller the attack surface.
As an administrator, restricting which ports are open on the network is one example of a hardening action. On Linux, iptables is the generic way to filter connections. There are other options, such as ufw or firewalld, but those are front ends: they generate packet-filtering rules for the same kernel framework (netfilter), either through iptables or, on newer distributions, through its successor nftables. The concept of iptables is that rules are organized in chains, as in the image below.
“Iptables diagram” by SUPRIYO BISWAS is licensed under CC BY-SA 4.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/4.0/?ref=openverse.
For simplicity, this article will not dive deep into the concept of iptables; we will focus on the INPUT and OUTPUT chains. Think of the INPUT chain as the rules for every packet arriving at our server and the OUTPUT chain as the rules for every packet leaving it. We will drop every incoming connection except SSH on port 22. Before you start, make sure you can reach the server's command line over SSH, and ideally also through an out-of-band console (a cloud provider's serial console or a hypervisor console), because a mistake in the following steps can lock you out.
List all of rules applied
To check that each command has been applied correctly, we list the rules of every chain with iptables -L. Two options are worth adding every time: -n, which skips the slow reverse DNS lookups of addresses, and -v, which shows the packet and byte counters per rule, so we can see which rule is actually matching traffic.
Allow SSH in port 22
Before changing the policy to DROP, we must allow SSH so that we keep access if something goes wrong. The command, reconstructed here from the flags explained below, is:

```shell
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
```

-A means we append the rule to the INPUT chain; -p tcp restricts it to the TCP protocol; -m tcp loads the tcp match module so that --dport can select destination port 22. If every part matches, iptables -j jumps to the ACCEPT target and lets the packet through. If your SSH daemon listens on another port, use that port instead of 22; getting this wrong is the most common way to lock yourself out in the next step.
DROP everything
Now we drop every other connection to the server. Be aware that if something goes wrong here you will lose your connection to the server.

```shell
iptables -P INPUT DROP
```

-P means we change the default policy of the INPUT chain to DROP, so every packet that does not match any rule in the chain is silently discarded. (Built-in chains only accept ACCEPT or DROP as a policy; REJECT, which sends an error back to the sender, can only be used as a rule target.)
Check the configuration
We can send an ICMP echo request (ping) to the server from another machine. If the server does not answer, the DROP policy is in effect. Note that a host that is simply down looks exactly the same from the outside, so confirm on the server itself: the header of the INPUT chain in the rule listing (Chain INPUT (policy DROP N packets ...)) shows how many packets the policy has discarded, and that counter should grow with every ping.
The screenshot above shows a ping to the server's IP address from another machine. There is no reply, which means the iptables configuration is in effect.
But wait: can the server itself still receive responses from HTTP or DNS services?
No, it cannot. The server currently accepts incoming packets only on port 22. When it opens a connection to an HTTP or DNS server, the outgoing packet leaves normally, because the OUTPUT policy is still ACCEPT, but the reply is an incoming packet to some other port, so the INPUT policy drops it. To fix this we add a rule to the INPUT chain that accepts incoming packets whose connection-tracking state is ESTABLISHED (part of a connection the server already has) or RELATED (a new connection tied to an existing one, such as an FTP data channel or an ICMP error for an existing flow).
That rule tells iptables to accept traffic belonging to an ESTABLISHED or RELATED connection while still dropping unsolicited new connections, which is exactly what we want.
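The whole procedure assembled as one script, written for this edit and not part of the original post, in the order that never cuts off the administrator's own session. It assumes IPv4, an iptables binary on the host, root privileges when applied, and SSH on port 22; the SSH_PORT variable, the APPLY dry-run switch and the ipt and ensure_rule helper names are this example's own. It goes slightly beyond the article's steps: it also accepts loopback traffic, because local services such as a stub resolver talk over lo, and it makes each append idempotent with iptables -C so that re-running it does not pile up duplicate rules. Without APPLY=1 it only prints the commands it would run.

```shell
#!/bin/sh
# harden-input.sh: restrict the INPUT chain to SSH plus replies to the server's
# own connections. Added example for this article, not the original post's code.
# Assumptions (this example's own): IPv4 only, iptables CLI present, run as root
# when APPLY=1, SSH on $SSH_PORT. Without APPLY=1 it only prints the commands.
set -eu

SSH_PORT="${SSH_PORT:-22}"
APPLY="${APPLY:-0}"

# Every change goes through this wrapper: dry run prints, APPLY=1 executes.
ipt() {
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables'
        printf ' %s' "$@"
        printf '\n'
    fi
}

# Append a rule only if it is not already present (-C returns 0 if it exists),
# so re-running the script does not create duplicate rules.
ensure_rule() {
    chain="$1"
    shift
    if [ "$APPLY" = "1" ] && iptables -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    ipt -A "$chain" "$@"
}

harden_input() {
    # 1. Loopback first: local services (stub resolver, databases) use lo.
    ensure_rule INPUT -i lo -j ACCEPT
    # 2. Replies to connections the server opened (apt, DNS, HTTP) arrive as
    #    ESTABLISHED; RELATED covers e.g. ICMP errors and FTP data channels.
    ensure_rule INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. SSH, and only then the DROP policy, so the current session survives.
    ensure_rule INPUT -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
    # 4. Everything not matched above is now dropped. This is the point of no
    #    return if step 3 used the wrong port.
    ipt -P INPUT DROP
    # 5. Verify: -n skips reverse DNS, -v shows per-rule packet counters, and
    #    the chain header shows how many packets the DROP policy discarded.
    ipt -L INPUT -n -v --line-numbers
}

harden_input
```

Run it once without APPLY to read the commands, then with APPLY=1 (and SSH_PORT=2222 if your daemon is not on 22) to apply them. Two caveats the article does not cover: rules set this way live only in the running kernel, so save them with iptables-save (or the distribution's iptables-persistent/netfilter-persistent package) to survive a reboot, and IPv6 is filtered by a separate table, so repeat the same steps with ip6tables or the host stays fully reachable over IPv6.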
That is the end of the article. So far we have used iptables to allow only incoming SSH traffic to our server. The same approach can be applied to the OUTPUT chain to restrict outbound connections, with one caveat: before setting the OUTPUT policy to DROP, add an ESTABLISHED,RELATED rule to the OUTPUT chain as well, otherwise the server can no longer send the replies that keep your SSH session alive. If you want to learn more about iptables, use the following resource:
https://linux.die.net/man/8/iptables