Installing APF and BFD on a Rackspace Cloud Server

Don’t look now, but people have been trying to break into your server. Don’t believe me? Okay, look now. Type this command (as root) in your shell:

grep "Invalid user" /var/log/secure | wc -l

The number you see is the number of times someone has tried to log into your server via ssh with an invalid username. Some of them might be you, but most of them are not. Most of them are people (or robots) all over the Internet who have tried to log into your server - and they’re not doing it in order to lend a helping hand in running the thing. It isn’t that there’s anything wrong with your setup, it’s just that your server is connected to the Internet, and any time you connect anything to the Internet people (and robots) immediately begin trying to wander in uninvited. Aside from disconnecting it from the Internet altogether (which really sort of hampers its ability to perform in its role as a server), there are a few things you can do to help protect your host. This tutorial will guide you through the installation of two excellent (and free!) utilities that work in concert to help guard against many kinds of attacks. I assume some familiarity with issuing commands at a Unix shell, and proficiency with a text editor such as vi, pico, nano, or emacs. A working knowledge of IP networking in general will also be beneficial, but isn’t strictly required (at a minimum, though, you need to know which ports you want to allow through your firewall). We’ll be installing the following:

APF

The first line of defense for any host or network is usually a firewall of some sort. APF (Advanced Policy Firewall) is a firewall tool provided by R-fx Networks that layers atop the Linux kernel’s iptables packet filtering utility. By itself, iptables is a great static packet filter, but APF adds a number of dynamic behaviors such as reactive address blocking (which is every bit as cool as it sounds), and the ability to subscribe to some popular lists of networks and addresses which are known for being sources of attacks.

BFD

Also from R-fx Networks, Brute Force Detection is a utility that watches system log files for repeated login attempts (like all those failed ssh connections) to various services, and automatically blocks the originating IP address. It works in conjunction with APF (when BFD detects an attacker, it tells APF to block the attacker’s address).
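To see what BFD is doing under the hood, here is an added example (not code from the article or from R-fx Networks) that runs the same idea over a constructed sample of sshd lines in /var/log/secure style: count "Invalid user" attempts per source address, report the addresses at or above a threshold, and print the APF deny command you would review before applying it. The addresses are documentation ranges, the threshold is arbitrary, and `apf -d` is assumed to be APF’s deny-host invocation; the script only prints it and changes nothing on the host.

```shell
#!/bin/sh
# Constructed sample of sshd lines in /var/log/secure style (not a real capture).
SAMPLE_LOG='Mar 10 02:11:01 web1 sshd[2201]: Invalid user admin from 203.0.113.5
Mar 10 02:11:03 web1 sshd[2203]: Invalid user oracle from 203.0.113.5
Mar 10 02:11:05 web1 sshd[2205]: Invalid user test from 203.0.113.5
Mar 10 02:11:09 web1 sshd[2207]: Invalid user guest from 203.0.113.5
Mar 10 02:12:40 web1 sshd[2219]: Invalid user bob from 198.51.100.7
Mar 10 02:13:02 web1 sshd[2222]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2'

# Read log lines on stdin, count "Invalid user" attempts per source address,
# and print the addresses at or above THRESHOLD (default 3), busiest first.
# Usage: invalid_user_offenders THRESHOLD < /var/log/secure
invalid_user_offenders() {
    threshold="${1:-3}"
    grep "Invalid user" \
      | sed -n 's/.*Invalid user .* from \([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# For each offender in the sample, print the APF deny command (assumed to be
# `apf -d ADDRESS`) so it can be reviewed; nothing is executed here.
suggest_blocks() {
    printf '%s\n' "$SAMPLE_LOG" | invalid_user_offenders "${1:-3}" \
      | while read -r ip; do printf 'apf -d %s\n' "$ip"; done
}

# Stand-alone run: with the default threshold only 203.0.113.5 is reported.
suggest_blocks 3
```

On a real host, replace the embedded sample with `invalid_user_offenders 3 < /var/log/secure`; BFD automates exactly this loop and hands the addresses to APF for you.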

From 0 to Hardened in 10 Minutes (depending on your typing ability)

If you’re in a hurry and just want to get a basic, minimal setup, these quick start instructions are enough to provide a reasonable setup that will suit most needs. Beyond these, we’ll dive a little bit deeper into each of these utilities to explore some of the more interesting options, and to learn about customizing their behaviors to your specific needs. It’s well worth the time investment.

Installing APF

Run the following commands (at least the last two must be run with root privileges):

curl -O "http://rfxnetworks.com/downloads/apf-current.tar.gz"
tar -zxvf apf-