Setup A Firewall On Linux Decred Dedicated Server

Discussion in 'Technical Support' started by Blizzy, Feb 13, 2016.

  1. Blizzy

    Blizzy Full Member

    Jan 4, 2016
    225
    109
    Male
    #1 Blizzy, Feb 13, 2016
    Last edited: Feb 13, 2016
    I'm pretty noob on Linux, but my PoS server is on a cloud VPS, so I would like to secure it with the best firewall settings available, and I need your help! Also, I hope this thread can facilitate this process for as many users as possible.

    This server runs only decred software and is an Ubuntu Server 14.04.3 LTS on Cloud.

    This is the procedure I have adopted. I have used iptables.


    Block all input:

    Code:
    sudo iptables -P INPUT DROP
    Block all Forward:

    Code:
    iptables -P FORWARD DROP
    Local traffic on :

    Code:
    iptables -A INPUT -i lo -j ACCEPT
    SSH brute force 60 sec wait:

    Code:
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j DROP
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    
    Then I open all the Decred ports OUT and IN, the SSH port IN, and NTP OUT and IN:

    SSH tcp INPUT (for remote login)

    Code:
    sudo iptables -A INPUT -p tcp --dport XXXX -j ACCEPT
    Decred tcp INPUT

    Code:
    sudo iptables -A INPUT -p tcp --dport 9108 -j ACCEPT
    Decred tcp OUTPUT

    Code:
    sudo iptables -A OUTPUT -p tcp --dport 9108 -j ACCEPT 
    NTP ( udp 123 )

    NTP INPUT

    Code:
    sudo iptables -A INPUT -p udp --sport 123 -j ACCEPT
    NTP OUTPUT

    Code:
    sudo iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
    I have also modified the sshd_config file with PermitRootLogin no and changed the default SSH port 22 to another.

    OK, so this is my actual security setup... but because I'm a Linux noob I have some questions!

    1 - Are my settings correct... any suggestions? Can anyone check if my code is correct?

    2 - How can I keep the firewall running in the background all the time, even if I log out? (I'm on a cloud server.)

    I have used these 2 commands with Decred to run it in the background when I log out.
    Code:
    
    nohup dcrd &
    
    nohup dcrwallet --enablestakemining --balancetomaintain=X --ticketmaxprice=X &
    Do I have to do the same with iptables, or once it is enabled does it keep working even if I log out?

    Edit:

    I have found this procedure:

    Code:
    sudo apt-get install iptables-persistent -y
    
    sudo service iptables-persistent start
    
    Thanks!!

    @davecgh @ceejep @Dyrk
     
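One way to put the whole procedure above into a single ruleset that survives reboots, as an added example that is not code from the original post: a shell function that emits an iptables-restore file implementing the rules listed above plus a stateful ESTABLISHED,RELATED accept, which the list lacks (with the INPUT DROP policy and no such rule, replies to dcrd's own outbound peer connections and to NTP queries are discarded, and the `--sport 123` accept is no longer needed), and a small sanity check. The port numbers passed in, the 203.0.113.0/24 admin range and the file location are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: builds an iptables-restore
# ruleset for a single-purpose Decred node. The ports and the admin source
# range given as arguments are assumptions; the poster's XXXX is the ssh port.
gen_rules() {
  ssh_port="${1:-22}"
  dcr_port="${2:-9108}"
  ssh_from="${3:-0.0.0.0/0}"   # narrow this to your own IP/ISP range if you can
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (dcrd peers, NTP, apt); without this
# rule an INPUT DROP policy silently kills every outbound session
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH: a second new connection from one source inside 60 s is logged and dropped
-A INPUT -p tcp --dport $ssh_port -s $ssh_from -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $ssh_port -s $ssh_from -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
-A INPUT -p tcp --dport $ssh_port -s $ssh_from -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j DROP
-A INPUT -p tcp --dport $ssh_port -s $ssh_from -m conntrack --ctstate NEW -j ACCEPT
# Decred P2P: inbound peers on $dcr_port; outbound is covered by OUTPUT ACCEPT
-A INPUT -p tcp --dport $dcr_port -m conntrack --ctstate NEW -j ACCEPT
# NTP replies already match ESTABLISHED above, so no --sport 123 accept is needed
COMMIT
EOF
}

# Sanity check a generated ruleset: returns 0 only if it keeps stateful replies,
# ends with COMMIT, and does not expose port 22 when a custom ssh port was chosen.
check_rules() {
  rules="$1"; ssh_port="${2:-22}"
  printf '%s\n' "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' || return 1
  printf '%s\n' "$rules" | grep -q '^COMMIT$' || return 1
  if [ "$ssh_port" != 22 ]; then
    printf '%s\n' "$rules" | grep -q -- '--dport 22 ' && return 1
  fi
  return 0
}

# Apply now and persist for reboots (iptables-persistent loads rules.v4 at boot):
#   gen_rules 2222 9108 203.0.113.0/24 | sudo tee /etc/iptables/rules.v4 >/dev/null
#   sudo iptables-restore < /etc/iptables/rules.v4
#   sudo service iptables-persistent start
```

Run `gen_rules` with your own port and range and review the output before applying it, since a wrong ssh port or range locks you out of the VPS.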
  2. Blizzy

    Blizzy Full Member

    Jan 4, 2016
    225
    109
    Male
    I have done the settings again with UFW:

    (The XXX is my SSH port)

    Commands in ufw:

    Code:
    sudo ufw allow 123/udp
    sudo ufw allow 9108/tcp
    sudo ufw allow XXX/tcp
    and

    Code:
    sudo iptables -L
    looks like:

    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ufw-before-logging-input  all  --  anywhere             anywhere
    ufw-before-input  all  --  anywhere             anywhere
    ufw-after-input  all  --  anywhere             anywhere
    ufw-after-logging-input  all  --  anywhere             anywhere
    ufw-reject-input  all  --  anywhere             anywhere
    ufw-track-input  all  --  anywhere             anywhere
    DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
    DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
               tcp  --  anywhere             anywhere             tcp dpt:XXX state NEW recent: SET name: SSH side: source mask: 255.255.255.255
    LOG        tcp  --  anywhere             anywhere             tcp dpt:XXX state NEW recent: UPDATE seconds: 60 hit_count: 2 TTL-Match name: SSH side: source mask: 255.255.255.255 LOG level warning prefix "SSH_brute_force"
    DROP       tcp  --  anywhere             anywhere             tcp dpt:XXX state NEW recent: UPDATE seconds: 60 hit_count: 2 TTL-Match name: SSH side: source mask: 255.255.255.255
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ufw-before-logging-forward  all  --  anywhere             anywhere
    ufw-before-forward  all  --  anywhere             anywhere
    ufw-after-forward  all  --  anywhere             anywhere
    ufw-after-logging-forward  all  --  anywhere             anywhere
    ufw-reject-forward  all  --  anywhere             anywhere
    ufw-track-forward  all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ufw-before-logging-output  all  --  anywhere             anywhere
    ufw-before-output  all  --  anywhere             anywhere
    ufw-after-output  all  --  anywhere             anywhere
    ufw-after-logging-output  all  --  anywhere             anywhere
    ufw-reject-output  all  --  anywhere             anywhere
    ufw-track-output  all  --  anywhere             anywhere
    
    and

    Code:
    sudo ufw status verbose
    looks like:

    Code:
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), disabled (routed)
    New profiles: skip
    
    To                         Action      From
    --                         ------      ----
    XXXX                     ALLOW IN    Anywhere
    123/udp                    ALLOW IN    Anywhere
    9108/tcp                   ALLOW IN    Anywhere
    XXXX (v6)                  ALLOW IN    Anywhere (v6)
    123/udp (v6)               ALLOW IN    Anywhere (v6)
    9108/tcp (v6)              ALLOW IN    Anywhere (v6)
    
     
  3. Lee Sharp

    Lee Sharp Sr. Member

    Dec 28, 2015
    308
    217
    Male
    Independent Consultant
    Houston, Texas
    Lock SSH to your IP address only, or to the IP address range of your ISP. That keeps China (unless you are in China) from scanning you.

    Install fail2ban.
     
  5. innovativehosting

    innovativehosting New Member

    Apr 1, 2016
    2
    0
    Male
    If you are looking for extra and fast bandwidth then it is best to Dedicated Server service. Innovative Hosting Corporation is one of best provider of the hosting service. However it provide 24 X 7 incredible support. So what are you thinking, just register or contact to know more and its best services.

    Dedicated Server
     
  6. Lee Sharp

    Lee Sharp Sr. Member

    Dec 28, 2015
    308
    217
    Male
    Independent Consultant
    Houston, Texas
    Since you decided to spam the group, I thought I would reply.

    Innovative hosting? Really? What is innovative about your business? 23 guys in India to support 10,000 servers in Florida is not new. (All India contacts, but they say the servers are hosted in Florida.) Also, if those pictures really are your servers, I recommend not covering all of the venting with an 8.5x11 sheet of paper with your logo on it. Not good for cooling. Also, your prices (which I had to convert manually. Really, currency conversion is easy to add to a website.) are quite high. The cheapest is $114! If someone wants no-name dedicated servers, you can go to all of these for less. https://www.soyoustart.com/us/essential-servers/ http://www.kimsufi.com/us/en/servers.xml https://www.nocix.net/dedicated/

    Also, your posts include many factual misstatements.

    "100% up-time" But your website says 5 9s. Which is good since 100% uptime is not possible with physical servers.
    "If you are looking for extra and fast bandwidth then it is best to Dedicated Server service." Well, not only does this sentence not parse, it is comparing two unrelated things. Dedicated vs virtual has nothing to do with networking. You can have dedicated servers on poor connections, and you can have virtual servers on good connections. No one seems to think AWS is slow, for example.
    "It is one best provider which provide service on time" There is only one company that provides on time service? Uhm... No.

    So, in conclusion... Between your blatantly false statements in the posts, the boiler plate website with no special content, the servers a 20 hour flight from support, and a language barrier that makes support more difficult, I will pass.

    And the next time you choose to spam, take a look at your market.
     
