Security is always a concern in today's world: your house, your car and your server. I cannot help with your house or your car, but I can give some advice on building a really good security setup using three doors an intruder will have to pass in order to gain access to your system.

First we will use a script I found on the Internet a long time ago, which implements a really good firewall using iptables. Then we will have knockd open the firewall when we want to get in. Finally we will have fail2ban, so that if an intruder discovers our knockd combination, this last step will make it really difficult to guess our password.

This is partly a compilation of other posts I have written before. I will summarize them here and make small changes so that everything works together for a web server configuration; you can tweak it to work in other scenarios.

Let's start with the iptables script.

  • Get the code
      ◦ Download the firewall iptables script.
      ◦ Edit it and change only one line. As this example is for a web server I will only open tcp port 80, so search for this line:
        PERMIT=""

        and change it to this:
        PERMIT="0.0.0.0:80/tcp"

  • Make it automatic
      ◦ Follow the instructions of the Linux security post to make it automatic, or adapt it to your distro.
  • Install Fail2Ban
      ◦ Follow the instructions in How to install and configure Fail2Ban.
  • Install Knockd
      ◦ Follow the instructions in Knockd server howto.
  • Reconfigure knockd to work with the other doors
      ◦ Edit the file /etc/knockd.conf and change this line:
        command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

        to this:
        command     = /usr/sbin/iptables -I INPUT 3 -s %IP% -p tcp --dport 22 -j ACCEPT

        This is because we need to insert the rule into the firewall chain, where rules are evaluated in order, rather than append it after the rules that are already there.
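As an added example (not code from the original post), here is a small POSIX shell script that finds knockd `command` lines that still append to INPUT with `-A` and rewrites them to insert at the needed position instead. The knockd.conf it writes is a constructed sample, and position 3 is an assumption taken from the step above; choose the slot that fits your own firewall script.

```shell
#!/bin/sh
# Added example, not from the original post: rewrite knockd "command" lines that
# append (-A INPUT) to insert (-I INPUT <pos>) so the ACCEPT lands above the
# firewall's final drop rule. Position 3 is assumed here, as in the post.

# Report every command line that still appends to INPUT; return 1 if any exist.
check_knockd_conf() {
    conf="$1"
    bad=$(grep -nE '^[[:space:]]*command[[:space:]]*=.*iptables[[:space:]]+-A[[:space:]]+INPUT' "$conf" || true)
    if [ -n "$bad" ]; then
        printf 'rules appended to INPUT (would sit after the final DROP):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Rewrite "-A INPUT" to "-I INPUT <pos>" and use the full /usr/sbin path.
# Only -A is touched; a closing rule that uses -D is left as it is.
fix_knockd_conf() {
    conf="$1"; pos="${2:-3}"
    case "$pos" in
        ''|*[!0-9]*) echo "position must be a number, got '$pos'" >&2; return 2 ;;
    esac
    sed -e 's#^\([[:space:]]*command[[:space:]]*=[[:space:]]*\)/sbin/iptables#\1/usr/sbin/iptables#' \
        -e "s#\(iptables[[:space:]]\{1,\}\)-A[[:space:]]\{1,\}INPUT#\1-I INPUT ${pos}#" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed sample knockd.conf (not copied from any real server) for a self-check.
write_sample_conf() {
    cat > "$1" <<'EOF'
[openSSH]
    sequence    = 7000,8000,9000
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
    sequence    = 9000,8000,7000
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
EOF
}

# Self-check: the sample fails the check, gets fixed, then passes.
demo=$(mktemp)
write_sample_conf "$demo"
check_knockd_conf "$demo" || fix_knockd_conf "$demo" 3
check_knockd_conf "$demo" && grep 'command' "$demo"
rm -f "$demo"
```

Run it against a copy of your real /etc/knockd.conf first and diff the result before replacing the live file.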

Now enable all daemons.

Tip: to make the firewall start automatically, you can also run the script once and then save the rules with this command. On Debian or Ubuntu:
    /etc/init.d/iptables save

On Arch Linux:
    /etc/rc.d/iptables save

Now make sure iptables, knockd and fail2ban are all running. It worked for me; if you have any problems or suggestions, please use the comments.