Adrian 46d73724bb Improve iptables and add port knocking for SSH 2020-05-24 12:24:00 +02:00
6 changed files with 33 additions and 19 deletions


@ -1,9 +1,10 @@
# Iptables # Iptables
```sh ```sh
sudo cp *.rules /etc sudo cp default.rules empty.rules /etc
sudo cp *.service /etc/systemd/system sudo cp *.service /etc/systemd/system
sudo systemctl enable iptables sudo systemctl enable iptables
sudo systemctl start iptables
``` ```
## Apply and Report Rate Limits ## Apply and Report Rate Limits
@ -12,5 +13,7 @@ The `ratelimit.rules` file adds new chains to
limit the rate of new connections based on /16 subnets. limit the rate of new connections based on /16 subnets.
```sh ```sh
sudo iptables-restore -n < ratelimit.rules sudo iptables-restore -n blackwhite.rules
sudo iptables-restore -n ratelimit.rules
sudo iptables-restore -n knock.rules
``` ```


@ -0,0 +1,16 @@
*raw
:BLACKLIST -
:WHITELIST -
-A PREROUTING -j BLACKLIST
-A PREROUTING -j WHITELIST
-A BLACKLIST -s 46.229.160.0/20 -m comment --comment SEMrushBot -j DROP
-A BLACKLIST -s 114.119.160.0/21 -m comment --comment AspiegelBot -j DROP
-A WHITELIST -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT
-A WHITELIST -s 10.0.0.0/8 -m comment --comment "RFC 1918" -j ACCEPT
-A WHITELIST -s 172.16.0.0/12 -m comment --comment "RFC 1918" -j ACCEPT
-A WHITELIST -s 192.168.0.0/16 -m comment --comment "RFC 1918" -j ACCEPT
COMMIT
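Review bot: The WHITELIST ACCEPT rules on lines 40-43 match on source address only, so on a host with a public-facing interface a packet carrying a spoofed 127/8 or RFC 1918 source is accepted by the raw table and never reaches the RATELIMIT and KNOCK chains appended after it; binding each rule to an interface closes that, e.g. `-A WHITELIST -i lo -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT` and `-i <lan-iface>` (placeholder) on the RFC 1918 entries, or else rp_filter must be relied on. The exemption also only works if this file is restored before ratelimit.rules and knock.rules, because with `iptables-restore -n` the PREROUTING jumps are appended in load order; the README lists that order, but nothing in the file records the dependency. A header comment such as `# load before ratelimit.rules/knock.rules: the ACCEPTs here only bypass them if this PREROUTING jump comes first` would make it visible to whoever re-applies the files.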


@ -5,8 +5,8 @@ Wants=network-pre.target
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=iptables-restore /etc/default.rules ExecStart=iptables-restore -c /etc/default.rules
ExecStop=iptables-restore /etc/empty.rules ExecStop=iptables-save -c -f /etc/default.rules ; iptables-restore /etc/empty.rules
RemainAfterExit=yes RemainAfterExit=yes
[Install] [Install]
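Review bot: The new ExecStop on line 52 overwrites the curated /etc/default.rules with whatever ruleset is live when the unit stops, so once the hand-applied blackwhite.rules, ratelimit.rules and knock.rules (or any temporary test rule) have been saved there, the next ExecStart restores them and the README's `iptables-restore -n` of the same files appends them a second time. Saving counters to a separate state file keeps the config file authoritative; and since, as far as I recall, systemd skips the remaining commands of an Exec= line once one fails, a failed iptables-save would leave the empty ruleset unloaded unless the save is prefixed with `-`. A safer shape is `ExecStop=-iptables-save -c -f /etc/iptables-state.rules` (example path) on its own line, followed by `ExecStop=iptables-restore /etc/empty.rules`. The [Unit] section of this file is outside the hunk.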


@ -0,0 +1,10 @@
*raw
:KNOCK -
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j KNOCK
-A KNOCK -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --reap --name SSHOK -j RETURN
-A KNOCK -p tcp -m tcp --dport 22222 -m recent --set --name SSHOK -j DROP
-A KNOCK -p tcp -m tcp --dport 22 -j DROP
COMMIT
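Review bot: The gate on port 22 is IPv4-only: no ip6tables counterpart is added, so if sshd also listens on an IPv6 address (the sshd_config hunk sets no ListenAddress) port 22 stays reachable there without a knock; either a matching ip6tables file or a `ListenAddress` restriction is needed for the control to be complete. Every drop in this chain is silent, which leaves nothing for the auth logs to correlate with; a rate-limited log before the final DROP, `-A KNOCK -p tcp -m tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix "ssh-noknock: "`, would make lockouts and probing visible. The SSHOK entry is keyed on the knocking source address, so a client behind NAT shares its 30 s window with everyone behind that address — acceptable for a deterrent, but worth stating in a comment, and the rules would read better with the same `-m comment --comment` tags blackwhite.rules uses. Since the knock now replaces the non-standard port, note that the sshd_config hunk also drops `LoginGraceTime 10`, reverting to the 120 s default; if that was unintentional, keep it.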


@ -1,23 +1,10 @@
*raw *raw
:BLOCK -
:RATELIMIT - :RATELIMIT -
:WHITELIST -
-A PREROUTING -j WHITELIST
-A PREROUTING -j BLOCK
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j RATELIMIT -A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j RATELIMIT
-A BLOCK -s 46.229.160.0/20 -m comment --comment SEMrushBot -j DROP
-A BLOCK -s 114.119.160.0/21 -m comment --comment AspiegelBot -j DROP
-A RATELIMIT -p tcp -m tcp --dport 22222 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name ratelimit-ssh --hashlimit-srcmask 16 -j DROP
-A RATELIMIT -p tcp -m tcp --dport 25 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-smtp --hashlimit-srcmask 16 -j DROP -A RATELIMIT -p tcp -m tcp --dport 25 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-smtp --hashlimit-srcmask 16 -j DROP
-A RATELIMIT -p tcp -m tcp --dport 143 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-imap --hashlimit-srcmask 16 -j DROP -A RATELIMIT -p tcp -m tcp --dport 143 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-imap --hashlimit-srcmask 16 -j DROP
-A RATELIMIT -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 16 --hashlimit-mode srcip,dstport --hashlimit-name ratelimit-other --hashlimit-srcmask 16 -j DROP -A RATELIMIT -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 16 --hashlimit-mode srcip,dstport --hashlimit-name ratelimit-other --hashlimit-srcmask 16 -j DROP
-A WHITELIST -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT
-A WHITELIST -s 10.0.0.0/8 -m comment --comment "RFC 1918" -j ACCEPT
-A WHITELIST -s 172.16.0.0/12 -m comment --comment "RFC 1918" -j ACCEPT
-A WHITELIST -s 192.168.0.0/16 -m comment --comment "RFC 1918" -j ACCEPT
COMMIT COMMIT


@ -1,9 +1,7 @@
UseDNS no UseDNS no
Port 22222
AllowUsers sshlogin git backup-* AllowUsers sshlogin git backup-*
ClientAliveInterval 10 ClientAliveInterval 10
LoginGraceTime 10
MaxAuthTries 2 MaxAuthTries 2
Match User backup-* Match User backup-*