
Cybersecurity Basics: How to Set up a Firewall

Why is a firewall so important?

Security on an open Internet becomes more important with each day. Along with the growth of the Internet and of Internet literacy, the benefits of a dedicated or virtual server can now be felt around the world.

For many, personal data and web service accessibility have become an integral part of daily life. Accessibility means that the service is public facing, which makes it susceptible to undesirable and seemingly random connections.

Often conducted using bots and spoofed IP addresses, it’s not uncommon on the open Internet to experience login attempts, port scans, and other intrusive activity.

There are basic security and firewall practices that can help prevent these activities from turning into a more alarming issue.

Without a firewall, your open ports look like this:

First off, to help grasp the motive behind these connections, a newly installed server was used to log incoming connections over 2 days. With no firewall blocking connections to the server, the log data can be analyzed to pinpoint areas of concentration.

Technical Information

OS: CentOS 7 + cPanel

(cPHulk disabled)

iptables was used to log connections, and rsyslog writes the tagged messages to a dedicated file via the following configuration:

/etc/rsyslog.d/my_iptables.conf

:msg,contains,"[netfilter] " /var/log/iptables.log

The following iptables rule was used to log inbound packets in the NEW connection state arriving on eth0:

iptables -A INPUT -i eth0 -m state --state NEW -j LOG --log-prefix='[netfilter] '

Example Log entry 

Jun 15 08:02:27 gigenet kernel: [netfilter] IN=eth0 OUT= MAC=d6:f4:8e:aa:a7:94:00:25:90:0a:ad:1c:08:00 SRC=<remote IP> DST=<server IP> LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=24288 PROTO=TCP SPT=54102 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0

(IP addresses have been removed)

SRC – Source IP address

DST – Destination IP address

SPT – Source Port

DPT – Destination Port

PROTO – Internet Protocol

A script was created to analyze and format the log data:

[root@gigenet ~]# ./analyze-iptableslog.sh

Log File: iptables-1.log

Log Date

# awk 'NR==1{print "Start Date: " $1, $2, $3;}; END{print "End Date: " $1, $2, $3;}' iptables-1.log

Start Date: Jun 13 08:02:21

End Date: Jun 15 08:02:27

Total Number of New Connections Logged

# wc -l iptables-1.log
 16299 iptables-1.log

Number of Connections per Protocol

# awk '{for (i=1;i<=NF;i++) if ($i ~ /PROTO=/) print $i}' iptables-1.log | sort | uniq -c | sort -rn
15900 PROTO=TCP
366 PROTO=UDP
33 PROTO=ICMP

Number of Unique SRC IP Addresses

# awk '{for (i=1;i<=NF;i++) if ($i ~ /SRC=/) print $i}' iptables-1.log | sort -n | uniq | wc -l
2886 IP Addresses

Number of Entries with a DPT (Total minus ICMP)

# awk '{for (i=1;i<=NF;i++) if ($i ~ /DPT=/) print $i}' iptables-1.log | wc -l
16266 DPT Connections

Number of Unique DPT Hit

# awk '{for (i=1;i<=NF;i++) if ($i ~ /DPT=/) print $i}' iptables-1.log | sort -n | uniq | wc -l
1531 Unique DPT

Number of Connections per DPT, List Top 15

# awk '{for (i=1;i<=NF;i++) if ($i ~ /DPT=/) print $i}' iptables-1.log | sort -n | uniq -c | sort -rn | head -n 15
9595 DPT=22
1309 DPT=80
885 DPT=445
742 DPT=23
188 DPT=8000
157 DPT=1433
153 DPT=5060
111 DPT=8080
90 DPT=8545
90 DPT=3389
83 DPT=81
80 DPT=3306
73 DPT=443
67 DPT=2323
44 DPT=8888
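The per-field tallying that the article's analyze-iptableslog.sh performs, written here as an added example rather than the author's script: it parses netfilter LOG lines of the format shown above from a constructed six-line log (documentation-range addresses) and, going one step beyond the article, flags source addresses that exceed a connection threshold.

```shell
#!/bin/sh
# Added example, not the article's analyze-iptableslog.sh: parse "[netfilter] ... SRC= ... DPT="
# log lines and summarize them. The sample log below is constructed (RFC 5737 addresses).
LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
Jun 13 08:02:21 gigenet kernel: [netfilter] IN=eth0 OUT= SRC=198.51.100.10 DST=203.0.113.5 LEN=40 TTL=244 PROTO=TCP SPT=54102 DPT=22 SYN
Jun 13 08:02:25 gigenet kernel: [netfilter] IN=eth0 OUT= SRC=198.51.100.10 DST=203.0.113.5 LEN=40 TTL=244 PROTO=TCP SPT=54103 DPT=22 SYN
Jun 13 08:03:01 gigenet kernel: [netfilter] IN=eth0 OUT= SRC=198.51.100.10 DST=203.0.113.5 LEN=40 TTL=244 PROTO=TCP SPT=54104 DPT=23 SYN
Jun 13 09:10:44 gigenet kernel: [netfilter] IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=40 TTL=51 PROTO=TCP SPT=41000 DPT=22 SYN
Jun 14 01:00:00 gigenet kernel: [netfilter] IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=84 TTL=60 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jun 15 08:02:27 gigenet kernel: [netfilter] IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=60 TTL=51 PROTO=UDP SPT=5060 DPT=5060
EOF

# field_values FILE KEY: print the value of every KEY=value token (lines without KEY are skipped,
# so DPT counts exclude ICMP entries just as in the article's "Total minus ICMP" figure)
field_values() {
  awk -v key="$2=" '{ for (i = 1; i <= NF; i++)
      if (index($i, key) == 1) print substr($i, length(key) + 1) }' "$1"
}
# count_unique FILE KEY: number of distinct values seen for KEY
count_unique() { field_values "$1" "$2" | sort -u | wc -l | tr -d ' '; }
# top_n FILE KEY N: "count value" lines, most frequent first
top_n() { field_values "$1" "$2" | sort | uniq -c | sort -rn | head -n "$3" | awk '{ print $1, $2 }'; }
# noisy_sources FILE THRESHOLD: source IPs with more than THRESHOLD new connections,
# candidates for review or for a restrictive firewall rule
noisy_sources() { field_values "$1" SRC | sort | uniq -c | awk -v t="$2" '$1 > t { print $2 }'; }
# report FILE: the same kind of summary the article's script prints, built from the helpers
report() {
  awk 'NR == 1 { s = $1 " " $2 " " $3 } END { print "Log window: " s " .. " $1 " " $2 " " $3 }' "$1"
  printf 'New connections: %s\n' "$(wc -l < "$1" | tr -d ' ')"
  printf 'Unique SRC: %s\n' "$(count_unique "$1" SRC)"
  printf 'Top DPT:\n'; top_n "$1" DPT 5
  printf 'Sources over 2 connections:\n'; noisy_sources "$1" 2
}
report "$LOG"
```

Point report at /var/log/iptables.log to run it against a real capture produced by the rsyslog rule above.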

How to use a firewall to mitigate exposed ports

The data show the primary destination ports contacted. As expected, the ports with the largest number of connections are the ones commonly used by Linux and Windows servers.

Port 22 – Secure Shell (SSH)
Port 23 – Telnet
Port 80 – HTTP
Port 445 – SMB (Windows network file sharing)
Port 1433 – MSSQL
Port 3306 – MySQL
Port 3389 – RDP

Depending on the services being run, these ports may need to be available to remote services. The ports of note are SSH port 22, telnet port 23, and RDP port 3389.

Ideally, these connections should be restricted by the system firewall to specific IP addresses only. In addition, bots are typically programmed to target default ports. Thus, changing the default SSH and RDP port will help prevent intrusion.

Change SSH port (Linux, FreeBSD)

  • SSH configuration file:
    /etc/ssh/sshd_config

Modify the following line, replacing 22 with an uncommon port (0-65535):

  • Port 22

Restart SSHD:

  • CentOS: service sshd restart
  • Debian: service ssh restart
  • FreeBSD: /etc/rc.d/sshd restart

Change RDP port(Windows)

  • Windows RDP should never be open to the public. If it must be reachable, the RDP port should be changed to minimize anonymous connections.

Open Registry Editor

  • Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

Modify the Decimal value to an unused port, click OK. Reboot.

Basic Firewall Setup

There are a number of firewall services that can serve as a primary mode of security. Provided are a few basic rule commands to help get started.

1. Adding iptables Rules

iptables is the most common and familiar Linux firewall. As the default firewall for CentOS 6 and earlier, iptables is often used as the baseline Linux firewall.

Basic rules

  • Allow Established Connections: iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  • Set INPUT Policy to Allow: iptables -P INPUT ACCEPT
  • Allow IP: iptables -A INPUT -s 120.0.0.1/32 -j ACCEPT
  • Allow IP/Port: iptables -A INPUT -s 120.0.0.1/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  • Allow lo (localhost) interface: iptables -A INPUT -i lo -j ACCEPT
  • Allow Ping: iptables -A INPUT -p icmp -j ACCEPT
  • Allow Port: iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  • Insert Allow IP (pos. 5): iptables -I INPUT 5 -s 120.0.0.1/32 -j ACCEPT
  • Insert Allow IP/multiport: iptables -I INPUT 5 -s 127.0.0.1/32 -p tcp -m state --state NEW -m multiport --dports port#1,port#2 -j ACCEPT

(Alternatively, substitute “ACCEPT” with “DROP” to deny)
Remove an Existing Rule using the -D option:

  •  Remove Allow IP: iptables -D INPUT -s 120.0.0.1/32 -j ACCEPT

Reject the rest: this rule rejects (blocks) every connection not accepted by an earlier rule, so it must come last in the chain.

  • iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

Flush rules

  • iptables -F
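The individual commands above, assembled into one ordered ruleset in iptables-restore format so the whole set is applied atomically; this is an added example, not the article's own commands, and the admin network (198.51.100.0/24) and SSH port passed as arguments are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): emit a complete INPUT ruleset in iptables-restore format.
# Rule order matters: loopback and established traffic first, management access before any
# reject rule, and the catch-all REJECT last. The INPUT policy is DROP as a defensive default.
build_ruleset() {
  admin_net="$1"   # CIDR allowed to reach SSH, e.g. 198.51.100.0/24 (assumed placeholder)
  ssh_port="$2"    # the sshd port, possibly moved off 22 as described above
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. loopback and already-established traffic, so nothing below can break them
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 2. management access only from the admin network
-A INPUT -s ${admin_net} -p tcp -m state --state NEW -m tcp --dport ${ssh_port} -j ACCEPT
# 3. public web services
-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
# 4. ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# 5. log, then reject everything else (prefix matches the rsyslog filter above)
-A INPUT -m state --state NEW -j LOG --log-prefix "[netfilter] "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
# Sanity check before loading: the SSH allow rule must precede the REJECT rule, otherwise
# applying the set from a remote session locks you out. Exit status 0 means the order is safe.
ssh_before_reject() {
  build_ruleset "$1" "$2" | awk -v p="$2" '
    $0 ~ ("--dport " p " -j ACCEPT") { ssh = NR }
    /-j REJECT/ { rej = NR }
    END { exit !(ssh && rej && ssh < rej) }'
}
# Usage on CentOS 6: build_ruleset 198.51.100.0/24 22 > /etc/sysconfig/iptables
# then load it with: iptables-restore < /etc/sysconfig/iptables
build_ruleset 198.51.100.0/24 22
```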

2. Basic firewalld Commands

Firewalld features prominently in CentOS 7. Firewalld essentially provides more human readable commands for committing iptables rules.

Operational, print current state information

  • State: firewall-cmd --state
  • Start/Stop: systemctl start/stop firewalld.service
  • Start On Boot: systemctl enable firewalld

Zone Information, print zone parameters

  • Default Zone: firewall-cmd --get-default-zone
  • Default Zone Info: firewall-cmd --list-all
  • List Zones: firewall-cmd --get-zones
  • Zone Info: firewall-cmd --zone=public --list-all

Modify Zone

  • Create New Zone: firewall-cmd --permanent --new-zone=new_zone
  • Change Default Zone: firewall-cmd --set-default-zone=public
  • Change Interface: firewall-cmd --zone=public --change-interface=eth0

Modify Rules, subset of a zone

  • Allow Service: firewall-cmd --zone=public --add-service=http
  • Allow Port: firewall-cmd --zone=public --add-port=22/tcp
  • List Services: firewall-cmd --get-services
  • List Services Allowed: firewall-cmd --zone=public --list-services
  • List Ports Allowed: firewall-cmd --list-ports
  • Allow IP/Port/Proto using a rich rule (explicit rules): firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="127.0.0.1/32" port protocol="tcp" port="22" accept'

(Use the --permanent option to create rules that persist across reboots; permanent rules take effect after firewall-cmd --reload)

3. Basic ufw rules

ufw (Uncomplicated Firewall), supported since Ubuntu 8.04, ships as the default firewall for Ubuntu systems.

Operational

  • Enable/Disable: ufw enable/disable
  • Print Rules: ufw status verbose

Allow Rules

  • Allow Port: ufw allow 22
  • Allow IP: ufw allow from 127.0.0.1
  • Allow IP/Port/TCP: ufw allow from 127.0.0.1 to any port 22 proto tcp
  • (Alternatively, substitute "deny" for "allow" to create deny rules)

Delete Existing Rules

  • ufw delete allow from 127.0.0.1

4. Windows Firewall (Windows Server 2008 and newer)

Control Panel >> Windows Firewall >> Advanced Settings >> Inbound/Outbound >> New Rule

Bonus: cPanel tools – cPHulk

As a test case, WHM's cPHulk Brute Force Protection was enabled with default settings. During the 24 hours logged, iptables recorded significantly fewer new connections.

[root@gigenet ~]# ./analyze-iptableslog.sh

Log File: iptables-cphulk.log

Log Date

# awk 'NR==1{print "Start Date: " $1, $2, $3;}; END{print "End Date: " $1, $2, $3;}' iptables-cphulk.log

Start Date: Jun 19 04:31:43

End Date: Jun 20 04:53:53

Total Number of New Connections Logged

# wc -l iptables-cphulk.log
3223 iptables-cphulk.log

Number of Connections per Protocol

# awk '{for (i=1;i<=NF;i++) if ($i ~ /PROTO=/) print $i}' iptables-cphulk.log | sort | uniq -c | sort -rn
2974 PROTO=TCP
213 PROTO=UDP
36 PROTO=ICMP

Number of Unique SRC IP Addresses

# awk '{for (i=1;i<=NF;i++) if ($i ~ /SRC=/) print $i}' iptables-cphulk.log | sort -n | uniq | wc -l
1432 IP Addresses

Number of Entries with a DPT (Total minus ICMP)

# awk '{for (i=1;i<=NF;i++) if ($i ~ /DPT=/) print $i}' iptables-cphulk.log | wc -l
3187 DPT Connections

Number of Unique DPT Hit

# awk '{for (i=1;i<=NF;i++) if ($i ~ /DPT=/) print $i}' iptables-cphulk.log | sort -n | uniq | wc -l
943 Unique DPT

Number of Connections per DPT, List Top 15

# awk '{for (i=1;i<=NF;i++) if ($i ~ /DPT=/) print $i}' iptables-cphulk.log | sort -n | uniq -c | sort -rn | head -n 15
415 DPT=445
270 DPT=23
257 DPT=22
233 DPT=80
97 DPT=5060
72 DPT=1433
59 DPT=8545
53 DPT=8000
50 DPT=81
49 DPT=8080
46 DPT=443
41 DPT=3389
34 DPT=25
33 DPT=3306
27 DPT=2323