PHP Developers Network

Hi, I am about to run a script to install a very basic firewall. The full script is in the code below with comments (the basic criteria is near the top). I am a bit uncertain about this command.
"iptables -A INPUT -i lo -j ACCEPT"
On place I was reading it is needed for loop back. Initially I thought this meant that Putty and WinSCP (which I am using) may be using it to check the signals they are sending. I understood this until I read that this command is for local host only. It went on to say "Suppose we have 2 separate interfaces, eth0 which is our internal LAN connection and ppp0 dialup modem (or maybe eth1 for a nic) which is our external internet connection. We may want to allow all incoming packets on our internal LAN but still filter incoming packets on our external internet connection. We could do this as follows:"
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT

then it went on to say "But be very careful - if we were to allow all packets for our external internet interface (for example, ppp0 dialup modem):"
iptables -A INPUT -i ppp0 -j ACCEPT
we would have effectively just disabled our firewall!

So from the above am I correct in assuming I should be using this (comments after the commands are my assumptions - or guesses). The confusion is one says it is for loop back yet the last statement says it could disable the firewall (implying that I would be thinking I have a firewall but I in fact do not).
iptables -A INPUT -i lo -j ACCEPT #loop back for local host just in case the host provider wants to communicate with my VPS across their intranet
iptables -A INPUT -i eth1 -j ACCEPT #loop back for any internet connections coming from a computer using a nic card.

Thanks,
John

If I ran the script below and it stopped any functions I was planning on running these two commands to clear it so everything works again.
iptables -P INPUT ACCEPT
iptables -F

Close port 22, have sshd listen on some other port. Doesn't accomplish much, but your log files will thank you.

_________________
Supported PHP versions No longer supported versions

Thanks Celauran. John.

While we're on the topic of modifying sshd configurations, I'd strongly recommend disabling password authentication (use RSA keys instead) and disallowing root logins.

_________________
Supported PHP versions No longer supported versions

Yes, I have these on my list (a list of 87 items to do - LOL - not too big). I have huge passwords for now (22 characters and 25 characters) both of which I have memorized with upper and lower case and numbers. I also want to put in a time-limit on the passwords or maybe it is a try limit (5 tries is easily safe enough with my huge passwords). I need to get back to that one as well. There is nothing to steal on my database except passwords but I warn users not to use financial passwords. I gather the main threat is people trying to use my VSP to send their spam email out (a free email server using my bandwidth). I shut down FTP that is on the list and I finally did it. The slow down is I have to learn each thing one at a time. Long passwords was easy. So I am trying to pick off one thing a day of the 87 items. So in 87 days maybe I will have the most secure VPS on the web :-; Probably not but it will be a lot better than it is now. I gather https is expensive. I won't bother with that one.

That's potentially a big problem. There should not be passwords in your database. Password hashes, sure, but not actual passwords.

_________________
Supported PHP versions No longer supported versions

Sorry, I forgot to mention that the passwords are hashed.

Regarding the loopback question I found the link that mentioned it. It was he one you recommended I read (the first one I read). I copied the text below.
https://help.ubuntu.com/community/IptablesHowTo


This command is still in as is (shown above) and everything seems to be working fine.
iptables -A INPUT -i lo -j ACCEPT

On second thought lets delete the last post. I was thinking there are a few ways or variants to do all this (maybe all are good).

The keys idea is probably one of the easiest and most secure. I am not clear on everything yet so I can't do it until a few days pass. No one has explained how you log in with it.

Using a macro program to log in is a help. It executes macros in windows. I just tested it and it can be programmed to execute Putty then send key strokes to log you in and give you a beep sound once you are logged in. So you can set the largest possible length of random password and logging in is a simple shortcut key operation done perfectly every time. It took me 45 minutes to get it to work only because I was having trouble doing a load which would set the background colour of the Unix screen to white. Setting The Macro Program to log min in to WinSCP took about 5 minutes.

Setting up a special regular user for login is better than root login. The Macro Program would help because you could create a very ling random user ID and a very long random password and still log in perfectly every single time.

Fail2Ban is a good idea. I tried setting it to block the IP address for 24 hours. However it does not seem to work. Some Bots come back after 3 hours and try again but get kicked out on the first fail. I discovered today you an set it to ban permanently (see below).

This idea can basically be done with fail2ban (see below). This idea may be good too but a lot of work up front. In the past I was really good with bash, sed and awk. I was good enough that I probably could write a script to read the iptables file and the /var/log/secure file and create a new iptable file that had all the IP addresses to block with no duplication of IP addresses (skipping my ip address of course). I am assuming there is no limit to the number I can put in. I could have cron run this script maybe once a month. Eventually it would have all IP addresses of all brute force hacker attempts that failed with maybe only a few additions a month after that (if that). Unfortunately it would take me a few months to get all these skills back - LOL. Yeah, I use to spend 3 hours a day 7 days a week perfecting these skills for a few years there. I was a bit obsessed with shell scripting I think. I don't plan on doing this again.

I was reading about rolling the log file to keep it small. It could probably be set up to coordinate with the above mentioned script. Unfortunately I don't know how to do it yet.

Updates:
I plan on doing as much as I can on my list to increase security but here is what I have done with fail2ban.
**I set the bandtime = -1. This bans the IP address permanently until you restart fail2ban.
**I set the ignoreip = parameter to ignore my public IP (I tested with a 1 minute bantime and it works).
**I also I added the main ip from my windows ipconfig screen to "ignoreip =" just to feel safe since I am not an expert.
**I will check my public IP has not changed each morning using google search "what is my ip address". If it has I will know to add the new one to my list in "ignoreip ="
**I also am using the Macro Program to log in now and it basically never messes up the login regardless of how long it is so I am not concerned.
**To avoid a large IP list I decided not to use the special programming from this page http://www.looke.ch/wp/list-based-perma ... h-fail2ban
This programming allows you to maintain the list across restarts of fail2ban. It was modified to remove duplicate ip addresses.
The reason is I already have a very large password and may increase it when I shut off root login probably this week. This link says max password size is unlimited?
http://superuser.com/questions/148971/w ... nux-system
So for now things are better. The brute force login attempts has clearly dropped from 27 per hour when I first put fail2ban in down to about 1 or 2 per hour (major drop).
I don't know what it was before fail2ban. I cleared the btmp file and the secure file in /var/log since they were huge (need to learn to roll the logs).