- Use Netstat command to check how many IP is making a connection to your Server
netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort –n
APF -- Advanced Policy-based Firewall
Get the latest source from the rfxnetworks, and install the software.
# cd /usr/src # mkdir utils # cd utils # wget http://rfxnetworks.com/downloads/apf-current.tar.gz # tar xfz apf-current.tar.gz # cd apf-* # ./install.sh
Lets configure the firewall: vi /etc/apf/conf.apf
We will go over the general configuration to get your firewall running. This isn’t a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.
We like to use DShield.org’s “block” list of top networks that have exhibited
suspicious activity.
FIND: USE_DS=”0″
CHANGE TO: USE_DS=”1″
7. Configuring Firewall Ports:
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS=”21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095, 2096,3000_3500″
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS=”53″
Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS=”21,25,80,443,43,2089″
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS=”20,21,53″
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS=”21,22,25,53,80,110,143,443,19638″
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS=”53″
Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS=”21,25,80,443,43″
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS=”20,21,53″
Save the changes: :wq
8. Starting the firewall
/usr/local/sbin/apf -s
Other commands:
usage /usr/local/sbin/apf [OPTION]
-s|–start …………. load firewall policies
-r|–restart ……….. flush & load firewall
-f|–flush|–stop …… flush firewall
-l|–list ………….. list chain rules
-st|–status ……….. firewall status
-a HOST|–allow HOST … add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST|–deny HOST …. add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall
9. After everything is fine, change the DEV option
BFD -- Brute Force Detection
BFD is a shell script which parses security logs and detects authentication failures. It is a brute force implementation without much complexity, and it works in conjunction with a APF (Advanced Policy-based Firewall).
## Get the latest source and untar. # cd /usr/src/utils # wget http://rfxnetworks.com/downloads/bfd-current.tar.gz # tar xfz bfd-current.tar.gz # cd bfd-* # ./install.sh
Read the README file, and edit the configuration file located in /usr/local/bfd/conf.bfd.
Find ALERT="0" and replace it with ALERT="1"
Find EMAIL_USR="root" and replace it with EMAIL_USR="username@yourdomain.com"
Edit /usr/local/bfd/ignore.hosts file, and add your own trusted IPs. BFD uses APF and hence it orverrides allow_hosts.rules, so it is important that you add trusted IP addresses to prevent yourself from being locked out.
## Start the program. # /usr/local/sbin/bfd -s
DDoS Deflate
## Get the latest source # cd /usr/src/utils # mkdir ddos # cd ddos # wget http://www.inetbase.com/scripts/ddos/install.sh # sh install.sh
Edit the configuration file, /usr/local/ddos/ddos.conf, and start the ddos.
# /usr/local/ddos/ddos.sh -c
RootKit -- Spyware and Junkware detection and removal tool
Go to Rootkit Hunter homepage, and download the latest release.
## Get the latest source and untar # cd /usr/src/utils # wget http://downloads.rootkit.nl/rkhunter-<version>.tar.gz # tar xfz rkhunter-*.gz # cd rkhunter # ./installer.sh ## run rkhunter # rkhunter -c
Setup automatic protection on System Reboot
## Edit /etc/rc.d/rc.local ## (or similar file depending on Linux version) ## Add the following lines at the bottom of the file /usr/local/sbin/apf --start /usr/local/ddos/ddos.sh -c
