
I have rented this small VPS and I keep getting hit by brute force attacks. So I want to restrict SSH and VNC to two IP addresses that I have (on separate networks).

I tried to do this with iptables; here's the output of iptables -S:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s <ip one>/32 -p tcp -m tcp --dport <vnc> -j ACCEPT
-A INPUT -s <ip two>/32 -p tcp -m tcp --dport <vnc> -j ACCEPT
-A INPUT -s <ip one>/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s <ip two>/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport <vnc> -j DROP

It doesn't appear to be working, because the auth.log is still full of hackers trying to get in through sshd.

My logic was "let the two IPs I have come in, and drop everything else".

What am I doing wrong?

fjleon
  • 129

2 Answers

1

You need to change 2 things and be mindful of a third:

  1. You probably need to add a rule to allow traffic coming in associated with outgoing traffic through your network with a command like "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

  2. You need to add a default drop for everything - not just VNC. Add "iptables -A INPUT -j DROP"

  3. Your 0.0.0.0/32 specifications are essentially meaningless as they mean only the IP 0.0.0.0, which is not a valid IP. A /32 is a single host. Never tried it, but a /0 would be the opposite - but it's better to just delete the IP address specification so it will match all addresses.

davidgo
  • 73,366
0

My advice would be to find a good tutorial on iptables as you really need to understand the basics. There are many good examples of tutorials and basic and proven iptables rulesets, like, for example these tutorials from DigitalOcean which relate to Ubuntu but can easily be applied to any Linux version,

https://www.digitalocean.com/community/tutorials/how-the-iptables-firewall-works

and

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04

and

https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands

My advice would also be to use iptables' connection tracking as explained in the answer by Davidgo here. This will not only work for outgoing but also for incoming connections and can greatly reduce the number of rules that iptables needs to process for each incoming packet.

Also be aware that a good firewall is just one layer in your server's security. You should never rely on it as the only line of defence. I would advise you to add more, where practical (such as key based SSH authentication).

Basically, a simple iptables ruleset could look like this

SETUP POLICIES

Set default policies with -P (i.e. DROP for INPUT, DROP for OUTPUT and ALLOW for FORWARD). These will set the default behaviour when no rules match. You will probably not use the FORWARD chain as it is used for routing.

INPUT CHAIN

  • ALLOW traffic on your lo (loopback) interface (i.e. traffic that stays internal to your VPS and should never be blocked)

  • ALLOW traffic from ESTABLISHED and RELATED connections (i.e. connections that were already given permission before. This saves time and processing resources)

  • ALLOW NEW connections from your IP addresses to the two ports you want to allow incoming sessions on (in your case SSH and VNC)

  • DROP or REJECT everything else (you can do this explicitly or rely on the policy you set before)

OUTPUT CHAIN

  • ALLOW traffic from NEW, ESTABLISHED and RELATED connections. This basically means that all outgoing connections initiated from your VPS will be permitted, as well as outgoing traffic that is part of an already permitted and established incoming connection (i.e. your SSH and VNC sessions).

  • DROP everything else, or rely on your default policy for the OUTPUT chain.

StarCat
  • 1,280
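The ruleset StarCat describes (default-drop policies, loopback, conntrack, SSH and VNC only from two source addresses) and davidgo's point about dropping the meaningless 0.0.0.0/32 rules, written out as an added example script. This is not code from the question or either answer. The two source addresses are constructed placeholders from the RFC 5737 documentation ranges, the VNC port 5901 (display :1) is an assumption, and the APPLY variable is this example's own dry-run switch: without it the script only prints the iptables commands so they can be reviewed before anything changes on the host. FORWARD is set to DROP here rather than ACCEPT, since a VPS that does not route for anyone has no use for that chain.

```shell
#!/bin/sh
# Added example: emits (or, with APPLY=1, executes) a default-deny iptables
# ruleset that allows SSH and VNC only from two trusted addresses.
# 198.51.100.10 and 203.0.113.20 are constructed placeholders; VNC on 5901 is assumed.

TRUSTED_IPS="${TRUSTED_IPS:-198.51.100.10 203.0.113.20}"
SSH_PORT="${SSH_PORT:-22}"
VNC_PORT="${VNC_PORT:-5901}"

# run: always print the command; execute it only when APPLY=1 (needs root).
run() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

build_rules() {
    # Start from empty INPUT/OUTPUT chains so stale rules such as the
    # 0.0.0.0/32 entries from the question cannot linger behind the new ones.
    run -F INPUT
    run -F OUTPUT

    # Loopback traffic must never be blocked.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # Packets belonging to connections we already accepted (replies, related
    # flows). This is the rule missing from the question's ruleset.
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # NEW SSH/VNC sessions only from the trusted source addresses.
    for ip in $TRUSTED_IPS; do
        for port in "$SSH_PORT" "$VNC_PORT"; do
            run -A INPUT -s "$ip/32" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
        done
    done

    # Outbound: anything the VPS initiates, plus traffic on accepted inbound sessions.
    run -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # Policies are set last so the accept rules exist before the default
    # flips to DROP; otherwise the SSH session running this script stalls.
    run -P INPUT DROP
    run -P OUTPUT DROP
    run -P FORWARD DROP

    # Explicit final drop: redundant with the policy, but its packet counter
    # (iptables -L INPUT -v -n) shows how much is being rejected.
    run -A INPUT -j DROP
}

build_rules
```

Run it once without APPLY to read the generated commands, then with APPLY=1 as root. Because the script is applied over the very SSH session it restricts, check first that the address you are connecting from really is one of the two in TRUSTED_IPS (the source address seen by the VPS, not the machine's LAN address), and keep the provider's console available in case the new policy cuts the session. Note also that iptables rules are not persistent across reboots on their own; the distribution's iptables-save/iptables-restore mechanism or an equivalent is needed to keep them.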