IPtables, how secure is too secure?

[beemer832]

Hi everyone. I have been a lurker on the forums here getting some useful information for different projects that I have been currently working on.

I setup a Centos 5 box at my house which I am starting to learn how to configure things, secure, get apache running, FTP server, ssh, etc. One of these was to make sure I secure the server from unwanted intruders.

Since I have apache and VSFTPD running with secure username and password, along with root password, I wanted to check on my access and error logs to see who was attempting to get into these services. There is no domain name set for this IP address yet so it would all be based on IP scanning.

Anyways, I wrote a bash script to email me the httpd access and error logs every day so I can see the traffic. I started noticing people trying to look for the "easy" hacks. When I wrote my IPtables script, i created a DENY_HOSTS variable that I can add IP's to so I can explicitly block traffic from particular people.

I started adding these unauthorized attempts to my DENY_HOSTS variable one by one. The problem I am running into is this is not scalable as I cannot keep adding IP addresses to this script to block traffic.

So my question is, how concerned do i need to be about these unauthorized attempts? I don't have anything running on the apache server right now, just the default webpage that apache loads. Also vsftpd is locked down to an unprivlidged system user account and you cannot get out of their home directory.

Thanks
-Josh

[peter]

I wouldn't be too worried about it as long as you keep your packages constantly up to date to protect against security flaws. This webserver has been graciously spared due to this strategy. Use unguessable passwords and also backup frequently so that you can recover data if you ever get hacked.

I use IP address blocking sparingly, and only for IP addresses that are causing the site to slow down dramatically. Many ISPs hide many users behind single IP addresses, so you always run the risk of blocking legitimate users of your site.

[beezlebubsbum]

I agree with Peter. I too run my own web server (though not with a site as nice as this) and have been lucky in the fact that I haven't been hacked. I install all OS and software updates twice a week, and actually use anti-virus software on the machine (avast for Linux). Apt-get upgrade is so easy and handy

[beemer832]

I agree with Peter. I too run my own web server (though not with a site as nice as this) and have been lucky in the fact that I haven't been hacked. I install all OS and software updates twice a week, and actually use anti-virus software on the machine (avast for Linux). Apt-get upgrade is so easy and handy

Thanks for the feedback guys. I guess will stop adding IP addresses to my deny_host variable

Could I just use yum update (package name) to keep updated as well? The server is strictly CLI, I did not install kde, gnome, or X.

thanks again for the info.

I am working on getting a mythtv box setup ATM. I will probably be posting for help with this later.

-josh

[beezlebubsbum]

i suppose yum is basically the same as apt-get, just distro specific

[mcguffeyd]

I don't have the book here in front of me, but there are some iptables tricks to limit the number of attempts of certain activities. If I remember, you can configure it to wait for N attempts, in M seconds/minutes/hours, and then DENY/DROP for X seconds/minutes/hours or permanently. This is used to stop port scans and brute force attempts against certain ports (e.g., ssh).