Allow ftp connection from only one IP

Postby xboxboy » Jun 30th, '15, 01:31

Hi all.

The back ground to this is: I've configured my webhost server to do a complete site backup automatically via cron. It's got several sub domains, so a full site backup works for me.

The webhost server then sends the *.tar.gz file to my ftp server here at my shop. So I've had to set up an FTP server, then using the firewall wizard I opened ftp, and set up the router for port forwarding. It seems to be working fine.

Question is, can/how do I configure the firewall to only allow ftp connections from my webhost IP, and block any other attempts at access?

TIA
xboxboy
 
Posts: 391
Joined: Jun 2nd, '13, 06:41

Re: Allow ftp connection from only one IP

Postby doktor5000 » Jun 30th, '15, 08:44

Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 17659
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Allow ftp connection from only one IP

Postby xboxboy » Jul 1st, '15, 08:17

Ah, thanks Doktor. I didn't know there were different ftp servers.

It appears I have proftpd; I just installed it using drakwizard. I wasn't sure if one of the drak tools could take care of blocking IPs or not.

Another question, do I need ssh open to use ftp?
xboxboy
 

Re: Allow ftp connection from only one IP

Postby doktor5000 » Jul 1st, '15, 21:55

xboxboy wrote: Another question, do I need ssh open to use ftp?

Simple answer would be no.

But it actually depends, pure ftp (e.g. via proftpd) requires port 20/21. But sftp is usually handled by sshd via port 22 (which is the same port as for ssh).
So if you use e.g. filezilla or winscp they will usually try sftp instead of pure ftp as the latter is pretty insecure.
Complete answer hence would be: No, (s)ftp does not require ssh, but with the default configuration sshd should be running and port 22 should be allowed.
doktor5000
 

Re: Allow ftp connection from only one IP

Postby xboxboy » Jul 12th, '15, 12:03

Ok, so after having the ftp and ssh ports open, and the script working, I checked the logs.

OH MY GOD, the number of attempted logins via SSH is frightening.

So, I'm about to do a clean Mageia5 install on this box. This time I'll run mega heavy passwords on both root and user.
Is it possible to restrict SSH and FTP to only one IP address?
Is it possible to make ALL the files delivered by FTP read only (in case someone tries to drop a script) or is that silly?
Any other ideas for locking this box down even more are greatly appreciated.


I'm sorry if I seem paranoid, but I've been hacked on my hosted site too many times, and it takes forever to clean it.
xboxboy
 

Re: Allow ftp connection from only one IP

Postby doktor5000 » Jul 12th, '15, 14:14

Well, you didn't mention whether the interface where you run ssh and ftp is internet-facing or publicly connectible.
You should ensure you use some nonstandard port instead of the default and probably use keys instead of passwords.
For the question of limiting access to only some hosts, check the man pages for hosts.allow and hosts.deny, but I must say I'm not up to date there.

Best read up on that as it's a pretty wide topic, some pointers:
http://www.cyberciti.biz/tips/linux-uni ... tices.html
http://xmodulo.com/how-to-protect-ssh-s ... l2ban.html
https://stribika.github.io/2015/01/04/s ... shell.html
http://it.slashdot.org/story/13/02/16/2 ... high-ports
(the latter two are more food for thought)
doktor5000
 

Re: Allow ftp connection from only one IP

Postby xboxboy » Jul 12th, '15, 14:21

Thanks Doktor: It is a publicly viewable website, so I guess it is publicly connectible.

I'll look into changing port, that might not be possible.

Wide topic??? It's huge! and frightening.
xboxboy
 

Re: Allow ftp connection from only one IP

Postby doktor5000 » Jul 12th, '15, 14:35

xboxboy wrote: Wide topic??? It's huge! and frightening.

Yep, widely frightening and huge. A wide topic :)
doktor5000
 

Re: Allow ftp connection from only one IP

Postby jiml8 » Jul 25th, '15, 18:34

ssh is a very commonly attacked port. If you employ proper security on the ssh setup, no one will be getting in.

However, the relentless attacks that show in the log are not a good thing; it is best to defend against it. I personally have used blockhosts ( http://www.aczoom.com/blockhosts/ ) for many years and it works very well. Essentially, it allows a configurable number of attempts to connect, then upon failure it sets iptables to block the ip address that failed, for a week.

I monitor this, and when one ip subnet is becoming too annoying, I just block the whole subnet using iptables at the router.

Blockhosts will also protect ftp the same way. Be aware that ftp is VERY insecure, and having an internet facing ftp port is probably ill-advised unless you know what you are doing.

To configure your system to permit access from one and only one ip address, you need some iptables rules to be permanently installed in your system. This means you need to create and debug the rules, then create a systemd service to start that ruleset every time you boot.

Here are the rules you need. Note I have not tested this and won't swear absolutely to the syntax, but it's close. Don't enter the comments I have put in parentheses.
# Load the FTP connection-tracking helper so passive data connections are
# recognised (older kernels named this module ip_conntrack_ftp).
modprobe nf_conntrack_ftp

# Allow my.allowed.ip.address to connect to ftp (control channel, port 21).
iptables -A INPUT -p tcp -m tcp -s my.allowed.ip.address --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -d my.allowed.ip.address --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Active-mode data channel: the server opens the connection from port 20.
iptables -A OUTPUT -p tcp -m tcp -d my.allowed.ip.address --sport 20 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s my.allowed.ip.address --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Drop anything for ftp that reaches these rules.
iptables -A INPUT -p tcp --dport 21 -j DROP
iptables -A INPUT -p tcp --dport 20 -j DROP

# Passive-mode data channel: a high port on the server, flagged RELATED by the helper.
iptables -A INPUT -p tcp -m tcp -s my.allowed.ip.address --sport 1024: --dport 1024: -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -d my.allowed.ip.address --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT


Also, of course, my.allowed.ip.address is the ip address of the computer you wish to allow to connect via ftp.

Note that I constructed these rules with some help from here: http://unix.stackexchange.com/questions ... coming-ftp
jiml8
 
Posts: 1253
Joined: Jul 7th, '13, 18:09
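The permanent ruleset and boot-time service jiml8 describes, as an added example that is neither his code nor anything shipped by Mageia: a function that emits an iptables-restore file confining the FTP control and data ports to one client address, and a function that writes it together with a systemd oneshot unit which loads it at boot. It goes a little beyond the post: the rules live in a dedicated FTP-ONLY chain inserted at the top of INPUT so they take effect ahead of any broader ACCEPT rule already present, and a raw-table CT rule attaches the ftp helper explicitly, because newer kernels no longer do that automatically. The output directory, file and unit names, the chain name and the address used in the test are my assumptions; it also assumes the OUTPUT chain policy is ACCEPT.

```shell
#!/bin/sh
# Added example, not jiml8's rules: generate an iptables-restore ruleset that
# allows FTP (control, active data, passive data) from one address only, plus
# a systemd oneshot unit that loads it at boot. Paths and names are assumptions.

# Print the ruleset to stdout. $1 = the single client address to allow.
ftp_ruleset() {
    allowed="$1"
    cat <<EOF
*raw
# Newer kernels do not attach conntrack helpers automatically; assign the
# ftp helper here so passive data connections are tracked as RELATED.
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:FTP-ONLY - [0:0]
# Send FTP control (21) and active-mode data (20) through our chain first,
# ahead of any broader ACCEPT rule the distribution firewall already has.
-I INPUT 1 -p tcp -m multiport --dports 20,21 -j FTP-ONLY
# Passive mode: the client opens a high port; the ftp helper marks it RELATED.
-I INPUT 2 -p tcp -s $allowed --dport 1024: -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Only the allowed client may reach FTP; everyone else is dropped here.
-A FTP-ONLY -s $allowed -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FTP-ONLY -j DROP
COMMIT
EOF
}

# Write the ruleset and the unit under directory $2 for client address $1.
# A real install would use e.g. /etc/sysconfig/iptables-ftp.rules and
# /etc/systemd/system/ftp-firewall.service (assumed names).
install_ftp_rules() {
    allowed="$1"; out_dir="$2"
    case "$allowed" in
        *[!0-9.]*|"") echo "not an IPv4 address: $allowed" >&2; return 1 ;;
    esac
    mkdir -p "$out_dir"
    ftp_ruleset "$allowed" > "$out_dir/iptables-ftp.rules"
    cat > "$out_dir/ftp-firewall.service" <<EOF
[Unit]
Description=Restrict FTP to a single client address
After=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStartPre=/sbin/modprobe nf_conntrack_ftp
ExecStart=/sbin/iptables-restore --noflush $out_dir/iptables-ftp.rules
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Usage: install_ftp_rules 203.0.113.10 /tmp/ftp-firewall   (address is a placeholder)
```

`--noflush` keeps whatever rules the box already has and only adds these. If a firewall manager (shorewall, which Mageia's firewall wizard drives) rewrites the tables when it restarts, order this unit after it or add the same rules through that tool instead, otherwise the FTP-ONLY chain disappears on the next reload.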

Re: Allow ftp connection from only one IP

Postby jiml8 » Jul 25th, '15, 18:51

I should note that blockhosts requires syslog, which is no longer installed by default on Mageia. I keep using syslog because many older things on my system (including blockhosts) need it.
jiml8
 
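The core of what blockhosts does with the syslog output jiml8 mentions, as an added example that is not blockhosts itself and not his configuration: count failed sshd logins per source address and list the addresses that cross a configurable threshold, then print (not run) the iptables command that would block each one. The log lines are constructed, using TEST-NET addresses, in the standard sshd "Failed password ... from ..." format; the threshold and the block command are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not blockhosts: the detection step of a log-driven blocker.
# Counts "Failed password" lines per source address and reports offenders.
# SAMPLE_LOG is constructed (TEST-NET addresses), not a real capture.

SAMPLE_LOG='Jul 12 11:02:17 shop sshd[2201]: Failed password for root from 203.0.113.7 port 52211 ssh2
Jul 12 11:02:19 shop sshd[2203]: Failed password for root from 203.0.113.7 port 52219 ssh2
Jul 12 11:02:21 shop sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 52230 ssh2
Jul 12 11:03:40 shop sshd[2210]: Failed password for xboxboy from 198.51.100.4 port 40112 ssh2
Jul 12 11:03:50 shop sshd[2211]: Accepted publickey for xboxboy from 198.51.100.4 port 40113 ssh2'

# Read syslog lines on stdin; print "count address" for every source with at
# least $1 failed sshd logins, highest count first.
failed_logins_over() {
    awk -v threshold="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the token after "from" is the source address
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print fails[ip], ip }
    ' | sort -rn
}

# Print the block command a tool like blockhosts would run for each offender.
# Printed rather than executed so the result can be reviewed first.
block_commands() {
    failed_logins_over "$1" | while read -r count ip; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s failures\n' "$ip" "$count"
    done
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | block_commands 3
```

A real blocker also records when each address was blocked and removes the rule after the configured period (a week in jiml8's setup); without that, a list like this only grows, and a stale entry can lock out an address that has since changed hands.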

Re: Allow ftp connection from only one IP

Postby xboxboy » Jul 26th, '15, 07:17

Thanks Jim: I've been too busy to set this up properly; I'll get to it over the coming weeks.
xboxboy
 

Re: Allow ftp connection from only one IP

Postby jiml8 » Aug 17th, '15, 21:16

I did not think about this before, but you can also restrict ftp using tcp_wrappers and the /etc/hosts.allow file. This is a lot easier than iptables, but I am not certain it is quite as secure. I would recommend doing it both ways; multiple layers of defense are always best.

Presuming you are using Mageia, and the proftpd server that is provided by default in Mageia, you would add the following lines to hosts.allow (ahead of the last line, which would be ALL: ALL: allow):
proftpd: my.allowed.ip.address: allow
proftpd: ALL: deny


If you are using something other than proftpd, you would put the appropriate name in the server field.
jiml8
 
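To see why jiml8's two lines must sit ahead of the final ALL: ALL: allow, here is an added example (not tcp_wrappers itself and not from the post) that models how hosts.allow is read: line by line, the first line whose daemon and client fields both match decides, and an optional third field of allow or deny sets the verdict. It handles only the pattern forms that matter here (an exact address, a trailing-dot prefix, ALL, and comma-separated lists) and assumes an empty hosts.deny, so a (daemon, client) pair that matches nothing falls through to allow, as the real library does. The addresses are constructed TEST-NET values.

```shell
#!/bin/sh
# Added example, not part of jiml8's post and not tcp_wrappers: a simplified
# model of hosts.allow evaluation, so the effect of line ordering can be
# checked before editing the real file. Addresses below are constructed.

# Does one pattern ($1) match a value ($2)? Supports ALL, an exact value,
# and a trailing-dot prefix such as 203.0.113.
match_field() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# Does any pattern in a comma-separated list ($1) match the value ($2)?
match_list() {
    old_ifs=$IFS; IFS=','
    for pat in $1; do
        if match_field "$pat" "$2"; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Evaluate file $1 for daemon $2 and client $3; prints "allow" or "deny".
# No match means tcp_wrappers would consult hosts.deny next; this model
# assumes an empty hosts.deny, so the fallback verdict is "allow".
hosts_access() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
        clients=$(printf '%s' "$line" | cut -d: -f2 | tr -d ' ')
        option=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' ')
        if match_list "$daemons" "$2" && match_list "$clients" "$3"; then
            case "$option" in deny) echo deny ;; *) echo allow ;; esac
            return 0
        fi
    done < "$1"
    echo allow
}

# Write the fragment from the post (plus Mageia's closing ALL: ALL: allow)
# to file $1, permitting only address $2.
write_hosts_allow() {
    printf 'proftpd: %s: allow\nproftpd: ALL: deny\nALL: ALL: allow\n' "$2" > "$1"
}

# Usage: write_hosts_allow /tmp/hosts.allow 203.0.113.10
#        hosts_access /tmp/hosts.allow proftpd 198.51.100.4   (prints deny)
```

The check worth running on a real system is the same shape: put the permitted address first, the proftpd: ALL: deny line second, and confirm that a second address is refused while sshd is unaffected. Swapping the first two lines makes the deny line match first for every client, including the one you meant to allow.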

Re: Allow ftp connection from only one IP

Postby xboxboy » Aug 18th, '15, 01:11

Thanks for the follow up Jim. Unfortunately my web host server was completely compromised, and I didn't have a clean backup. I'm in the process of building a new site locally, then I'll upload that and start again.

I've learned lots of little tricks about securing both my local boxes and my webhost's. The more people I talk to, the more I learn that hacking is a MASSIVE issue, and it seems to be getting exponentially worse :(
xboxboy
 

Re: Allow ftp connection from only one IP

Postby jiml8 » Aug 18th, '15, 02:02

Yes, the threat is exploding. I'm no longer working on satcom; now I'm working on network security. That's where the money is, and the future looks VERY bright for this particular industry. We have a cloud managed firewall/router product (https://simplewan.com) that is getting a lot of notice in the marketplace.

I remembered the hosts.allow mechanism because in the last few days I have been tightening up the security on my LAN. While my defenses are quite good, they are never perfect and my clueless housemate continues to open email attachments willy-nilly. Because she won't stop doing that, I have to anticipate compromised systems on her LAN. This would not be too bad, but I allow her access to my NAS because she comes to me for support all the time, and I make my life easy by keeping backups of...well...everything of hers...on my NAS. Thus, her cracked computer won't be limited to her LAN...it has some access to my LAN as well.

So when (not if...when) she gets cracked, my NAS will have to be able to defend itself until I become aware of the threat. That won't take long...I'll know pretty quickly... but I've been somewhat lackadaisical about NAS security on my LAN (though the one internet-facing service - owncloud - is locked down tight). Now I'm tightening that up, and also being tighter about the access she has through my router. Too bad I have to leave SMB open...

The NAS runs FreeBSD and is very secure anyway, but when someone starts hammering on the door...you just never know.
jiml8
 

