On Fri, Aug 17, 2018 at 12:50:16PM -0400, cyaiplexys wrote:
> If I'm following you so far, ufw is a firewall like iptables? Or a
> replacement for iptables?
ufw is a more user-friendly front end for managing iptables rules. Under
the hood, it's still iptables doing the actual firewalling. (After ufw is
activated, you can use iptables -L to see the rules created by both ufw
and fail2ban if you're curious. But be warned, they will be voluminous
and may become rather complex, since they're not meant for human
consumption.)

> >ufw allow to any port 22 from [your IP address] proto tcp
> >
> >(If you're using ssh to connect to the server, you *must* do this one
> >before enabling the firewall, or else you'll lock yourself out.
>
> I *never ever* use port 22 for ssh. I pick some random port that I know
> isn't going to be used for anything else on the server and set ssh to use
> that port instead. How do I set ufw to use the ssh port of my choosing?

In the ufw rule, just change "port 22" to whatever port you actually run
it on. The important thing, of course, is just that you don't block the
ssh port if you're doing this over ssh.

> > If you need to connect with ssh from multiple addresses, you can
> > either run it multiple times with different addresses, or specify a
> > network in CIDR notation.)
>
> That's not going to be possible to determine. I and the other admin (who
> also doesn't know about this stuff) both connect remotely via ssh and we
> both have dynamic IPs that are set (and changed) periodically (and at times
> we have no idea) by our ISP. Neither of us can afford a static IP to our
> homes.

If you collect your DHCP-assigned addresses across a few changes, you
should be able to guess pretty accurately at the range of possible
addresses you might be assigned. Also, even with a single address, your
odds are pretty good if you just use the /24 CIDR block containing that
address, since most DHCP pools aren't going to be larger than that. So,
e.g., I'm currently at a hotel with IP address 83.244.xxx.85.
I could almost certainly give access to the hotel's entire range of
dynamically-assigned IP addresses by allowing access from 83.244.xxx.0/24.

> Can I do this too?
>
> ufw deny 22/tcp # Deny connection to port 22 (ssh default port)

You could, but there's generally no point because all ports are denied by
default. You usually don't need to create specific deny rules unless you
have a port that you want to have open to the world, but then close it
for specific addresses, or if there's an IP address that you want to
allow access to all ports, except for a few specific ports.

> ufw allow [new-ssh-port]/tcp # Allow connection to new chosen ssh port

This would work, and would allow every IP address in the world to connect
to your custom ssh port. (Which is not, IMO, a bad thing, but your level
of paranoia may vary.)

> Thing is, the bots hitting the server aren't getting 404 errors. They are
> trying to do php XSite injection on Wordpress sites and hitting actual web
> sites (HTTP 202).

It just so happens I have a jail like that on a couple of my servers, too.
I have the filter in /etc/fail2ban/filter.d/http-get-dos.conf

---
[Definition]
failregex = ^<HOST> -.*\"(GET|POST).*
ignoreregex = ^ -.*
              ^<HOST> -.*\"(GET|POST).*Googlebot
---

This will match all GET and POST requests (even though the filter name
just says "get"... I forgot to change the name when I added POSTs),
unless they're coming from a Googlebot user agent (because it's a public
server with several hundred thousand pages which we do want indexed).
The corresponding jail definition is:

---
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/*access.log
maxretry = 600
findtime = 300
bantime = 600
ignoreip = 10.0.0.0/8
---

Based on what you've said so far, I expect you'll want to adjust the
maxretry/findtime/bantime values, but my experience has been that banning
offending IP addresses for 10 minutes generally seems to be enough for
them to give up and go bother someone else. Banning for months at a time
is unlikely to be necessary unless you're dealing with a targeted attack.

> >'ignoreip' is a list of IP addresses which should never be blocked.
>
> Can I separate a list with commas like done for port?

fail2ban uses space-separated lists rather than comma-separated. Aside
from that, though, yes, you can list as many addresses as you like. e.g.,

ignoreip = 8.8.8.8 127.0.0.1

> >After setting up these files, you can either restart fail2ban or run
> >`sudo fail2ban-client reload` to activate the new jail.
>
> When using 'reload', does that just ensure changes take effect *without*
> restarting fail2ban service, right?

Correct.

> (though Ubuntu seems to do things differently for Debian but that's OK
> since I would assume this stuff is the same for Debian and Ubuntu as
> for fail2ban/ufw?)

I have limited experience with Ubuntu, but my impression is that their
differences (aside from release schedule) are primarily dealing with
end-user-focused applications. Networking and firewall management are
deep enough in the guts that I'm 99% sure they'll be the same in both
distros.

-- 
Dave Sherohman
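As an added example (not part of the message above, nor fail2ban's own code), here is a small Python re-implementation of what the http-get-dos jail does with its filter and its maxretry/findtime settings, run over constructed Apache access-log lines so the failregex/ignoreregex behaviour can be checked before deploying. The IPv4-only `<HOST>` stand-in, the lowered `MAXRETRY`, and the sample log are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban expands <HOST> itself; this stand-in matches IPv4 only (assumption for the example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"^" + HOST + r" -.*\"(GET|POST).*")
IGNOREREGEX = re.compile(r"^" + HOST + r" -.*\"(GET|POST).*Googlebot")
TIMESTAMP = re.compile(r"\[([^\]]+)\]")

# Jail values from the thread; maxretry lowered from 600 so six sample lines can trip a ban.
MAXRETRY = 3
FINDTIME = 300
IGNOREIP = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed Apache combined-format lines using documentation-range IPs (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Aug/2018:12:50:16 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
10.1.2.3 - - [17/Aug/2018:12:50:20 -0400] "GET /index.php HTTP/1.1" 200 1200 "-" "curl/7.58"
66.249.66.1 - - [17/Aug/2018:12:50:25 -0400] "GET /page/1 HTTP/1.1" 200 8000 "-" "Googlebot/2.1"
203.0.113.7 - - [17/Aug/2018:12:50:31 -0400] "POST /xmlrpc.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Aug/2018:12:51:00 -0400] "GET /about HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Aug/2018:12:51:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

def failing_host(line):
    """Host charged with a 'failure' for this jail, or None if the line is ignored."""
    if IGNOREREGEX.match(line):          # ignoreregex wins over failregex
        return None
    m = FAILREGEX.match(line)
    if not m:
        return None
    host = m.group("host")
    if any(ipaddress.ip_address(host) in net for net in IGNOREIP):
        return None                      # ignoreip: never ban these networks
    return host

def scan(log_text):
    """Sliding-window count per host; returns hosts reaching MAXRETRY hits within FINDTIME."""
    recent = defaultdict(deque)
    banned = set()
    for line in log_text.splitlines():   # lines assumed to be in chronological order
        host = failing_host(line)
        if host is None:
            continue
        ts = datetime.strptime(TIMESTAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        window = recent[host]
        window.append(ts)
        while ts - window[0] > FINDTIME:  # drop hits older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            banned.add(host)
    return banned
```

With the real maxretry of 600 the same sample would ban nobody; lowering it here is only to show the window logic firing on the third hit from 203.0.113.7 while the Googlebot and 10.0.0.0/8 lines are skipped.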