[Tutorial] IPTables GeoIP, Port Knocking and Port Scan Detection
Here's a quick tutorial on how to enable extra IPTables functionality such as "GeoIP", "Port Knocking" and "Port Scan Detection" using the xtables-addons package. A full list of available modules can be found here.
Note 1: Does NOT work on OpenVZ VPS (unless the host node provides these modules).
Note 2: If you upgrade your Linux kernel later, you must either recompile and reinstall these modules, or comment out the relevant IPTables rules. Otherwise your IPTables will stop loading!
See compile and install instructions for CentOS at the link below. Steps to use GeoIP are also discussed at that link. By the way, I installed "perl-Text-CSV_XS" from "EPEL" instead of "RPMForge", and it worked just fine. See here for how to enable the "EPEL" Repo for CentOS.
http://www.howtoforge.com/xtables-addons-on-centos-6-and-iptables-geoip-filtering
The latest version (click to download) for 2.6.x kernels is 1.47.1, and for 3.x kernels is 2.4 (as of 03/29/14). If one version does not compile on your kernel, try the other.
For Ubuntu, follow the same instructions from the link above, but install the required packages with:
    apt-get update
    apt-get install libtext-csv-xs-perl linux-headers-`uname -r` \
        iptables-dev xz-utils build-essential automake unzip zip
For port scan detection, the actual IPTables rule is, for example (put it before your SSH "ACCEPT" rule):
-A INPUT -m psd --psd-weight-threshold 15 --psd-hi-ports-weight 3 -j DROP
What this means: For connections from any single host, if at least 5 different ports on your server are hit within 3 seconds (default delay), then treat it as a port scan and drop further packets from that host. The parameters are all customizable.
The following is from the man page of "xtables-addons" (for the psd module):
psd
    Attempt to detect TCP and UDP port scans. This match was derived from Solar Designer's scanlogd.
--psd-weight-threshold threshold
    Total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence.
--psd-delay-threshold delay
    Delay (in hundredths of second) for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence.
--psd-lo-ports-weight weight
    Weight of the packet with privileged (less than or equal to 1024) destination port.
--psd-hi-ports-weight weight
    Weight of the packet with non-privileged destination port.
It looks like the default values are:
    weight-threshold: 21
    delay-threshold: 300
    lo-ports-weight: 3
    hi-ports-weight: 1
If you use this psd module and move your SSH port to a non-standard one (e.g. generate a random port at random.org), it is extremely difficult for an attacker to find your SSH port by port scanning. Don't forget your SSH port number! Or you may lock yourself out.
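To make the scoring concrete, here is a small Python model of the psd weighting described above, run over constructed sample traffic under the tutorial's rule (weight threshold 15, high-port weight 3, everything else default) and under the plain defaults. This is an added example, not code from the post or from xtables-addons: it is a simplified reading of the man page semantics (privileged means port 1024 or below, a repeated port adds no weight, a gap longer than the delay threshold starts the count over, and once a host crosses the threshold every further packet in the window matches, as the post's "drop further packets" describes); the addresses and timestamps are made up.

```python
from dataclasses import dataclass, field

@dataclass
class PsdParams:
    # Defaults as listed in the post; delay is in hundredths of a second.
    weight_threshold: int = 21
    delay_threshold: int = 300
    lo_ports_weight: int = 3
    hi_ports_weight: int = 1

@dataclass
class HostState:
    weight: int = 0
    last_ts: float = 0.0
    flagged: bool = False
    ports: set = field(default_factory=set)

def psd_match(packets, params):
    """packets: (timestamp_seconds, src_ip, dst_port) tuples, ascending in time per host.
    Returns the packets the psd rule would match (i.e. DROP in the tutorial's rule)."""
    states, matched = {}, []
    delay_s = params.delay_threshold / 100.0
    for ts, src, port in packets:
        st = states.get(src)
        if st is None or ts - st.last_ts > delay_s:
            st = HostState()          # new host, or gap exceeded the delay: start over
            states[src] = st
        st.last_ts = ts
        if st.flagged:                # already scored as a scanner: keep matching
            matched.append((ts, src, port))
            continue
        if port in st.ports:
            continue                  # repeated destination port adds no weight
        st.ports.add(port)
        st.weight += params.lo_ports_weight if port <= 1024 else params.hi_ports_weight
        if st.weight >= params.weight_threshold:
            st.flagged = True
            matched.append((ts, src, port))
    return matched

# The tutorial's rule: --psd-weight-threshold 15 --psd-hi-ports-weight 3 (others default)
TUTORIAL_RULE = PsdParams(weight_threshold=15, hi_ports_weight=3)

# Constructed sample traffic (made-up addresses): (seconds, source IP, destination port)
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", 8080), (0.5, "10.0.0.5", 8081), (1.0, "10.0.0.5", 8082),
    (1.5, "10.0.0.5", 8083), (2.0, "10.0.0.5", 8084), (2.2, "10.0.0.5", 22),  # 5th new port, then SSH
    (0.0, "10.0.0.9", 22), (0.3, "10.0.0.9", 22), (0.6, "10.0.0.9", 22),      # SSH retries, one port
    (0.0, "10.0.0.7", 8080), (4.0, "10.0.0.7", 8081), (8.0, "10.0.0.7", 8082), # gaps longer than 3 s
]
```

Under the tutorial's rule the fast scanner is matched on its fifth new port (weight 15) and on everything it sends afterwards, while the SSH retries and the slow probe never accumulate enough weight; with the defaults (threshold 21, high-port weight 1) the same five-port burst matches nothing.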
Thanks to Flapadar from VPSBoard for pointing out that for security, you should choose an SSH port smaller than 1024. See also related responses from serverfault.
Besides geoip and psd, the pknock module can be used for EASY port knocking, and the tarpit module for keeping TCP connections "open" to waste an attacker's resources (someone even uses it to defend against DDoS). After install, please use the command man xtables-addons to view detailed usage instructions on these modules.
The latest version of this tutorial (and others) can be found on my tech blog:
https://blog.ls20.com
Feel free to reply with your question or comments.
Comments
CORRECTION: It seems that xtables-addons (version 1.47.1) does not compile on the latest CentOS 6.5 kernel. There is a workaround as stated in this comment. Basically, that commenter says you need to do the following:
The workaround works without error as of kernel version 2.6.32-431.11.2.el6.x86_64. If you use an older kernel, first try without the workaround.
Also - To update the GeoIP database every month (e.g. via cron job), here is an example script and cron job.
Hello,
is there any OVZ VPS provider with xtables-addons installed on Nodes already?
It shouldn't be that hard to enable on OpenVZ nodes.
Here are guides for RHEL/CentOS:
http://www.howtoforge.com/xtables-addons-on-centos-6-and-iptables-geoip-filtering
http://blog.centralserv.co.uk/centos-redhat-6-5-xtables-addons-installation-puppet-xtables-addons/
@volkank I doubt that any provider has enabled the xtables-addons modules on their OpenVZ nodes by default. However, they may be able to make an exception for your VPS if you ask nicely in a ticket (or PM). Alternatively, use a KVM/XEN VPS instead.
To all - Updated instructions for Debian and Proxmox 3 can be found here.