I'm pretty noob on Linux, but my PoS server is on a cloud VPS, so I would like to secure it with the best firewall settings available and I need your help! Also I hope this thread can facilitate this process for as many users as possible.

This server runs only Decred software and is an Ubuntu Server 14.04.3 LTS on Cloud. This is the procedure I have adopted. I have used iptables.

Block all input:
Code:
sudo iptables -P INPUT DROP

Block all forward:
Code:
sudo iptables -P FORWARD DROP

Local traffic on lo:
Code:
sudo iptables -A INPUT -i lo -j ACCEPT

SSH brute force, 60 sec wait:
Code:
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j DROP
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Then I open all the Decred ports OUT and IN, the SSH port IN, and NTP OUT and IN:

SSH tcp INPUT (for login from remote)
Code:
sudo iptables -A INPUT -p tcp --dport XXXX -j ACCEPT

Decred tcp INPUT
Code:
sudo iptables -A INPUT -p tcp --dport 9108 -j ACCEPT

Decred tcp OUTPUT
Code:
sudo iptables -A OUTPUT -p tcp --dport 9108 -j ACCEPT

NTP (udp 123)

NTP INPUT
Code:
sudo iptables -A INPUT -p udp --sport 123 -j ACCEPT

NTP OUTPUT
Code:
sudo iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

I have also modified the sshd_config file with PermitRootLogin no and changed the default SSH port 22 to another one.

Ok, so this is my actual security setup... but because I'm a Linux noob I have some questions!

1- Are my settings correct? Any suggestions? Can anyone check if my code is correct?

2- How can I run the firewall in the background all the time, also if I log out? (I'm in the cloud.) I have used these 2 commands with Decred to run it in the background when I log out:
Code:
nohup dcrd &
nohup dcrwallet --enablestakemining --balancetomaintain=X --ticketmaxprice=X &

Do I have to do the same with iptables, or once enabled is it still working also if I log out?

edit: I have found this procedure:
Code:
sudo apt-get install iptables-persistent -y
sudo service iptables-persistent start

Thanks!! @davecgh @ceejep @Dyrk
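As an added example (not code from the thread): a small POSIX sh function that emits the whole ruleset above in iptables-restore format, which is the format iptables-persistent saves and reloads at boot, with the SSH port and an optional admin source range as parameters. It adds a conntrack ESTABLISHED,RELATED rule that the posted setup lacks: with INPUT set to DROP, replies to dcrd's own outbound peer connections and to DNS queries would otherwise be dropped, and the rule also makes the source-port-123 NTP hole unnecessary. The paths, the port 2222 and the 203.0.113.0/24 range are assumptions.

```shell
#!/bin/sh
# Constructed example: print an iptables-restore ruleset implementing
# INPUT/FORWARD default DROP, loopback, throttled SSH, dcrd on tcp/9108,
# and a conntrack rule so replies to connections this host opened
# (peers, DNS, NTP, apt) are accepted without opening source-port holes.
# Usage (paths as used by iptables-persistent on Ubuntu, assumed):
#   gen_rules 2222 203.0.113.0/24 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
gen_rules() {
    ssh_port="${1:-22}"          # assumption: SSH moved off port 22
    src=""                       # optional: admin source range for SSH
    if [ -n "${2:-}" ]; then src="-s $2 "; fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, then replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH throttle from the post: a 2nd new connection from one source within
# 60 s is logged and dropped (this also locks out a legitimate admin who
# reconnects quickly; raise --hitcount if that bites)
-A INPUT -p tcp ${src}--dport ${ssh_port} -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp ${src}--dport ${ssh_port} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
-A INPUT -p tcp ${src}--dport ${ssh_port} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j DROP
-A INPUT -p tcp ${src}--dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# dcrd peer-to-peer port
-A INPUT -p tcp --dport 9108 -m conntrack --ctstate NEW -j ACCEPT
# everything else falls through to the INPUT DROP policy
COMMIT
EOF
}
```

Because the file is restored by the iptables-persistent init script, the rules survive logout and reboot without any background process.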
I have done the settings again with UFW (the XXX are my SSH port). Commands in ufw:
Code:
sudo ufw allow 123/udp
sudo ufw allow 9108/tcp
sudo ufw allow XXX/tcp

and
Code:
sudo iptables -L
looks like:
Code:
Chain INPUT (policy DROP)
target                    prot opt source     destination
ufw-before-logging-input  all  --  anywhere   anywhere
ufw-before-input          all  --  anywhere   anywhere
ufw-after-input           all  --  anywhere   anywhere
ufw-after-logging-input   all  --  anywhere   anywhere
ufw-reject-input          all  --  anywhere   anywhere
ufw-track-input           all  --  anywhere   anywhere
DROP                      tcp  --  anywhere   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP                      tcp  --  anywhere   anywhere   tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP                      tcp  --  anywhere   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
                          tcp  --  anywhere   anywhere   tcp dpt:XXX state NEW recent: SET name: SSH side: source mask: 255.255.255.255
LOG                       tcp  --  anywhere   anywhere   tcp dpt:XXX state NEW recent: UPDATE seconds: 60 hit_count: 2 TTL-Match name: SSH side: source mask: 255.255.255.255 LOG level warning prefix "SSH_brute_force"
DROP                      tcp  --  anywhere   anywhere   tcp dpt:XXX state NEW recent: UPDATE seconds: 60 hit_count: 2 TTL-Match name: SSH side: source mask: 255.255.255.255

Chain FORWARD (policy DROP)
target                      prot opt source     destination
ufw-before-logging-forward  all  --  anywhere   anywhere
ufw-before-forward          all  --  anywhere   anywhere
ufw-after-forward           all  --  anywhere   anywhere
ufw-after-logging-forward   all  --  anywhere   anywhere
ufw-reject-forward          all  --  anywhere   anywhere
ufw-track-forward           all  --  anywhere   anywhere

Chain OUTPUT (policy ACCEPT)
target                     prot opt source     destination
ufw-before-logging-output  all  --  anywhere   anywhere
ufw-before-output          all  --  anywhere   anywhere
ufw-after-output           all  --  anywhere   anywhere
ufw-after-logging-output   all  --  anywhere   anywhere
ufw-reject-output          all  --  anywhere   anywhere
ufw-track-output           all  --  anywhere   anywhere

and
Code:
sudo ufw status verbose
looks like:
Code:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
XXXX                       ALLOW IN    Anywhere
123/udp                    ALLOW IN    Anywhere
9108/tcp                   ALLOW IN    Anywhere
XXXX (v6)                  ALLOW IN    Anywhere (v6)
123/udp (v6)               ALLOW IN    Anywhere (v6)
9108/tcp (v6)              ALLOW IN    Anywhere (v6)
Lock SSH to your IP address only, or to the IP address range of your ISP. That keeps China (unless you are in China) from scanning you. Install fail2ban.
If you are looking for Dedicated Server, then no other better provider than Innovative Hosting Corporation. It is one best provider which provide service on time, 100% up-time results, etc. https://www.innovativehostingcorp.com/dedicated-servers/
If you are looking for extra and fast bandwidth then it is best to Dedicated Server service. Innovative Hosting Corporation is one of best provider of the hosting service. However it provide 24 X 7 incredible support. So what are you thinking, just register or contact to know more and its best services. Dedicated Server
Since you decided to spam the group, I thought I would reply. Innovative hosting? Really? What is innovative about your business? 23 guys in India to support 10,000 servers in Florida is not new. (All India contacts, but they say the servers are hosted in Florida.) Also, if those pictures really are your servers, I recommend not covering all of the venting with an 8.5x11 sheet of paper with your logo on it. Not good for cooling.

Also, your prices (which I had to convert manually. Really, currency conversion is easy to add to a website.) are quite high. The cheapest is $114! If someone wants no-name dedicated servers, you can go to all of these for less:
https://www.soyoustart.com/us/essential-servers/
http://www.kimsufi.com/us/en/servers.xml
https://www.nocix.net/dedicated/

Also, your posts include many factual misstatements.

"100% up-time" But your website says 5 9s. Which is good, since 100% uptime is not possible with physical servers.

"If you are looking for extra and fast bandwidth then it is best to Dedicated Server service." Well, not only does this sentence not parse, it is comparing two unrelated things. Dedicated vs virtual has nothing to do with networking. You can have dedicated servers on poor connections, and you can have virtual servers on good connections. No one seems to think AWS is slow, for example.

"It is one best provider which provide service on time" There is only one company that provides on-time service? Uhm... No.

So, in conclusion... Between your blatantly false statements in the posts, the boilerplate website with no special content, the servers a 20 hour flight from support, and a language barrier that makes support more difficult, I will pass. And the next time you choose to spam, take a look at your market.