You just provisioned a fresh Linux server.
-
You just provisioned a fresh Linux server. Within minutes, the SSH brute-force bots will arrive.
There are too many ways to build a firewall in Linux. I wrote a practical guide to the four major tools: iptables, nftables, firewalld, and ufw, including their mental models and deployable configs.
Also includes a deep dive into the "Docker Trap" (why Docker silently bypasses your default-deny rules) and how to fix it.
(And yes, I still spend the intro and conclusion reminding everyone that FreeBSD's PF is the undisputed king of packet filtering. Let's argue in the replies.)
Read it here: https://blog.hofstede.it/linux-firewalls-how-to-actually-secure-a-cloud-server-iptables-nftables-firewalld-ufw/
#Linux #Sysadmin #DevOps #Security #Netfilter #Docker #Networking
-
You just provisioned a fresh Linux server. Within minutes, the SSH brute-force bots will arrive.
There are too many ways to build a firewall in Linux. I wrote a practical guide to the four major tools: iptables, nftables, firewalld, and ufw, including their mental models and deployable configs.
Also includes a deep dive into the "Docker Trap" (why Docker silently bypasses your default-deny rules) and how to fix it.
(And yes, I still spend the intro and conclusion reminding everyone that FreeBSD's PF is the undisputed king of packet filtering. Let's argue in the replies.)
Read it here: https://blog.hofstede.it/linux-firewalls-how-to-actually-secure-a-cloud-server-iptables-nftables-firewalld-ufw/
#Linux #Sysadmin #DevOps #Security #Netfilter #Docker #Networking
You might be interested in crowdsec. Joining that your server becomes a honeypot for this kinda bruteforce attack. If they fail a few times their IP gets submitted by your server and banned on all of them. Gets you an automatic banlist before they even reach your server. -
You might be interested in crowdsec. Joining that your server becomes a honeypot for this kinda bruteforce attack. If they fail a few times their IP gets submitted by your server and banned on all of them. Gets you an automatic banlist before they even reach your server.
@npub1600yr4qg5vcfp7svf6ysj0008tn7aphnu0gjs6lw5hjn74n0laasjx889v I know them. Had that on my servers in the past. Nowadays, I have a static IP and restrict SSH to my servers only to my personal IP addresses.
-
R relay@relay.mycrowd.ca shared this topic
-
You just provisioned a fresh Linux server. Within minutes, the SSH brute-force bots will arrive.
There are too many ways to build a firewall in Linux. I wrote a practical guide to the four major tools: iptables, nftables, firewalld, and ufw, including their mental models and deployable configs.
Also includes a deep dive into the "Docker Trap" (why Docker silently bypasses your default-deny rules) and how to fix it.
(And yes, I still spend the intro and conclusion reminding everyone that FreeBSD's PF is the undisputed king of packet filtering. Let's argue in the replies.)
Read it here: https://blog.hofstede.it/linux-firewalls-how-to-actually-secure-a-cloud-server-iptables-nftables-firewalld-ufw/
#Linux #Sysadmin #DevOps #Security #Netfilter #Docker #Networking
@Larvitz
Please bear in mind that nft is a userland interface to the nftables kernelland interface to netfilter. You can configure netfilter via nftables with iptables.Thanks for sharing 🫰
-
@npub1600yr4qg5vcfp7svf6ysj0008tn7aphnu0gjs6lw5hjn74n0laasjx889v I know them. Had that on my servers in the past. Nowadays, I have a static IP and restrict SSH to my servers only to my personal IP addresses.
I went the tried and trusted SSH key method instead. They can bruteforce me all they want and waste their compute trying. -
You just provisioned a fresh Linux server. Within minutes, the SSH brute-force bots will arrive.
There are too many ways to build a firewall in Linux. I wrote a practical guide to the four major tools: iptables, nftables, firewalld, and ufw, including their mental models and deployable configs.
Also includes a deep dive into the "Docker Trap" (why Docker silently bypasses your default-deny rules) and how to fix it.
(And yes, I still spend the intro and conclusion reminding everyone that FreeBSD's PF is the undisputed king of packet filtering. Let's argue in the replies.)
Read it here: https://blog.hofstede.it/linux-firewalls-how-to-actually-secure-a-cloud-server-iptables-nftables-firewalld-ufw/
#Linux #Sysadmin #DevOps #Security #Netfilter #Docker #Networking
@Larvitz FOSS FTW!
-
You just provisioned a fresh Linux server. Within minutes, the SSH brute-force bots will arrive.
There are too many ways to build a firewall in Linux. I wrote a practical guide to the four major tools: iptables, nftables, firewalld, and ufw, including their mental models and deployable configs.
Also includes a deep dive into the "Docker Trap" (why Docker silently bypasses your default-deny rules) and how to fix it.
(And yes, I still spend the intro and conclusion reminding everyone that FreeBSD's PF is the undisputed king of packet filtering. Let's argue in the replies.)
Read it here: https://blog.hofstede.it/linux-firewalls-how-to-actually-secure-a-cloud-server-iptables-nftables-firewalld-ufw/
#Linux #Sysadmin #DevOps #Security #Netfilter #Docker #Networking
@Larvitz One of the "hidden" problems I run into on cloud servers is half open SYN attacks on port 80. Disparate providers and regions, no connections between servers I'm running.
For whatever reasons, it appears the Brazilian telco systems are... compromised? (not sure) - I'm up to 33 .br subnets (/19 to /22 size) having been dropped for targeting all my random servers with port 80 SYN floods. The process is currently manual - when on a server, look at `ss -tn` then cull subnets out of whois.
-
You just provisioned a fresh Linux server. Within minutes, the SSH brute-force bots will arrive.
There are too many ways to build a firewall in Linux. I wrote a practical guide to the four major tools: iptables, nftables, firewalld, and ufw, including their mental models and deployable configs.
Also includes a deep dive into the "Docker Trap" (why Docker silently bypasses your default-deny rules) and how to fix it.
(And yes, I still spend the intro and conclusion reminding everyone that FreeBSD's PF is the undisputed king of packet filtering. Let's argue in the replies.)
Read it here: https://blog.hofstede.it/linux-firewalls-how-to-actually-secure-a-cloud-server-iptables-nftables-firewalld-ufw/
#Linux #Sysadmin #DevOps #Security #Netfilter #Docker #Networking
@Larvitz I went a different direction. I have #OpenVPN on my servers and only allow SSH from OpenVPN connected hosts. I originally started with #WireGuard, but too many public Wifi block WireGuard.
-
You just provisioned a fresh Linux server. Within minutes, the SSH brute-force bots will arrive.
There are too many ways to build a firewall in Linux. I wrote a practical guide to the four major tools: iptables, nftables, firewalld, and ufw, including their mental models and deployable configs.
Also includes a deep dive into the "Docker Trap" (why Docker silently bypasses your default-deny rules) and how to fix it.
(And yes, I still spend the intro and conclusion reminding everyone that FreeBSD's PF is the undisputed king of packet filtering. Let's argue in the replies.)
Read it here: https://blog.hofstede.it/linux-firewalls-how-to-actually-secure-a-cloud-server-iptables-nftables-firewalld-ufw/
#Linux #Sysadmin #DevOps #Security #Netfilter #Docker #Networking
@Larvitz My favourite solution is port knocking. It's the best log cleaning money can buy. Anything that shows up in your logs is of interest.
-
You just provisioned a fresh Linux server. Within minutes, the SSH brute-force bots will arrive.
There are too many ways to build a firewall in Linux. I wrote a practical guide to the four major tools: iptables, nftables, firewalld, and ufw, including their mental models and deployable configs.
Also includes a deep dive into the "Docker Trap" (why Docker silently bypasses your default-deny rules) and how to fix it.
(And yes, I still spend the intro and conclusion reminding everyone that FreeBSD's PF is the undisputed king of packet filtering. Let's argue in the replies.)
Read it here: https://blog.hofstede.it/linux-firewalls-how-to-actually-secure-a-cloud-server-iptables-nftables-firewalld-ufw/
#Linux #Sysadmin #DevOps #Security #Netfilter #Docker #Networking
@Larvitz Could mention bpfilter: https://github.com/facebook/bpfilter
-
@nathanael wdym?
