This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision |
| server_configuration:firewall [2021/01/13 19:10] – david | server_configuration:firewall [2025/04/02 09:28] (current) – [Sample Commands] david |
|---|
| View current configuration: | View current configuration: |
| <code bash> | <code bash> |
| | ufw status |
| | </code> |
| | |
| | <code bash> |
| | sudo ufw allow OpenSSH |
| | |
| | sudo ufw allow Postfix |
| | sudo ufw allow Apache Full |
| | </code> |
| | ===== Blocking SSH Testing ===== |
| | |
| | Out of interest, I checked the ''auth.log'' and found lots of scanning/testing/brute force attempts. While ''fail2ban'' should manage some of this (and in reality, with bot networks fail2ban is a bit futile here), the only real solution is mandatory key authentication. But I had some interest blocking the IPs from connecting to ''SSH'' anyway and seeing the differences in logs. |
| | |
| | <code bash> |
| | grep 'sshd.*Received disconnect from' auth.log | cut -d ' ' -f 9 | grep -ve [a-z] | sort | uniq | while read block_ip ; do ufw insert 1 deny from ${block_ip} to any port 22 ; done |
| | grep 'sshd.*Connection closed by.*preauth' auth.log | cut -d ' ' -f 9 | grep -ve [a-z] | sort | uniq | while read block_ip ; do ufw insert 1 deny from ${block_ip} to any port 22 ; done |
| | grep 'sshd.*Connection closed by invalid user' auth.log | cut -d ' ' -f 12 | grep -ve [a-z] | sort | uniq | while read block_ip ; do ufw insert 1 deny from ${block_ip} to any port 22 ; done |
| | grep 'sshd.*Unable to negotiate with.*diffie-hellman-group1-sha1' auth.log | cut -d ' ' -f 10 | grep -ve [a-z] | sort | uniq | while read block_ip ; do ufw insert 1 deny from ${block_ip} to any port 22 ; done |
| | |
| | |
| | vi /etc/ufw/user.rules |
| ufw status | ufw status |
| </code> | </code> |