Secure Raspberry Pi with iptables, PSAD, Fail2ban and OSSEC
Disable ping
|
1 |
$ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all |
Install iptables and iptables-persistent
|
1 2 |
$ sudo apt-get install iptables iptables-persistent $ sudo service iptables-persistent start |
Create shell script
|
1 |
$ nano reset_iptables.sh |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 |
#!/usr/bin/env bash iptables -F iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP iptables -A INPUT -f -j DROP iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP # # PACKETS chain # iptables -N PACKET iptables -A PACKET -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT iptables -A PACKET -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT #limit ping to 1 per second #iptables -A INPUT -p icmp -j DROP #iptables -A PACKET -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT # # STATE_TRACK chain (connection tracking) # iptables -N STATE_TRACK iptables -A STATE_TRACK -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A STATE_TRACK -m state --state INVALID -j DROP # # PORTSCAN chain (drop common attacks) # iptables -N PORTSCAN iptables -A PORTSCAN -p tcp --tcp-flags ACK,FIN FIN -j DROP iptables -A PORTSCAN -p tcp --tcp-flags ACK,PSH PSH -j DROP iptables -A PORTSCAN -p tcp --tcp-flags ACK,URG URG -j DROP iptables -A PORTSCAN -p tcp --tcp-flags FIN,RST FIN,RST -j DROP iptables -A PORTSCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP iptables -A PORTSCAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A PORTSCAN -p tcp --tcp-flags ALL ALL -j DROP iptables -A PORTSCAN -p tcp --tcp-flags ALL NONE -j DROP iptables -A PORTSCAN -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP iptables -A PORTSCAN -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP iptables -A PORTSCAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP # Disable ping response iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT iptables -A INPUT -p icmp -j DROP #allow all outgoing access iptables -A OUTPUT -o eth0 -j ACCEPT iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
1 2 |
$ sudo chmod a+x reset_iptables.sh $ sudo ./reset_iptables.sh |
Install PSAD (Port
Continue reading
Recent Comments