Day 9 - Ports, open and closed

INTRO

Your server is now providing two services - sshd for remote login, and apache2 for web access. These services are by default provided on specific well-known TCP/IP “ports” - 22 and 80.

As a sysadmin you need to understand what ports you have open on your servers, because each open port is also a potential focus of attacks. You need to be able to put in place monitoring and controls on them as appropriate.

INSTRUCTIONS

First we'll look at a couple of ways of determining what ports are open on your server:

  • netstat - this is a standard utility
  • nmap - this "port scanner" won't normally be installed by default

There are a wide range of options that can be used with netstat, but first try: netstat -lnp

The output lines show which ports are open on which interfaces:

$ sudo netstat -lnp     
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      11539/systemd-resol 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      929/sshd            
tcp6       0      0 :::80                   :::*                    LISTEN      1000/apache2        
tcp6       0      0 :::22                   :::*                    LISTEN      929/sshd            
udp        0      0 127.0.0.53:53           0.0.0.0:*                           11539/systemd-resol 
udp        0      0 172.31.9.201:68         0.0.0.0:*                           11524/systemd-netwo 
raw6       0      0 :::58                   :::*                    7           11524/systemd-netwo

The lines above show ports 80 and 22 open "to the world", and because we’ve used the "-p" switch, we can see which process and program is servicing each port.

Now install nmap with apt-get. This works rather differently, actively probing 1,000 or more ports to check whether they're open. It's most famously used to scan remote machines - please don't - but it's also very handy to check your own configuration, by scanning your server:

$ nmap localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2013-03-17 02:18 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00042s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Port 22 is providing the ssh service, which is how you're connected, so that will be open. If you have Apache running then port 80/http will also be open. Every open port is an increase in the "attack surface", so it's Best Practice to shut down services that you don't need.

Host firewall

The Linux kernel has built-in firewall functionality called "netfilter". We configure and query this via various utilities, the most low-level of which are the iptables command, and the newer nftables. These are powerful, but also complex - so we'll use a more friendly alternative - ufw - the "uncomplicated firewall".

First let's list what rules are in place by typing sudo iptables -L

You will see something like this:

Chain INPUT (policy ACCEPT)
target 	prot opt source           	destination

Chain FORWARD (policy ACCEPT)
target 	prot opt source           	destination

Chain OUTPUT (policy ACCEPT)
target 	prot opt source           	destination

So, essentially no firewalling - any traffic is accepted to anywhere.

Using ufw is very simple. First we need to install it with:

sudo apt-get install ufw

Then, to allow SSH, but disallow HTTP we would type:

sudo ufw allow ssh
sudo ufw deny http

(BEWARE - do not “deny” ssh, or you’ll lose all contact with your server!)

and then enable this with:

sudo ufw enable

Typing iptables -L now will list the detailed rules generated by this - one of these should now be:

“DROP       tcp  --  anywhere             anywhere             tcp dpt:http” 

The effect of this is that although your server is still running Apache, it's no longer accessible from the "outside". Test for yourself! You will probably want to reverse this with:

sudo ufw allow http
sudo ufw enable
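As an added example (not part of the original Day 9 text), here is a POSIX shell script that ties together the two checks this session walks through: which TCP ports netstat shows listening on all interfaces, and what the ufw-generated iptables rules do with each of them. Both inputs are constructed samples modelled on the output shown above; on a live host you would feed it `sudo netstat -lnp` and `sudo iptables -L -n` instead.

```shell
#!/bin/sh
# Added example: cross-check listening ports against the firewall's verdict.
# Both inputs are constructed samples modelled on the Day 9 output; on a live
# host replace them with `sudo netstat -lnp` and `sudo iptables -L -n`.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      11539/systemd-resol
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      929/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1000/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      929/sshd
udp        0      0 127.0.0.53:53           0.0.0.0:*                           11539/systemd-resol'

# Constructed excerpt of the ufw user chain after "ufw allow ssh" and "ufw deny http"
# (-n shows port numbers instead of the service names seen with plain -L).
IPTABLES_SAMPLE='Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# Read netstat -lnp output on stdin; print "port program" for every TCP listener
# bound to all interfaces (0.0.0.0 or ::), i.e. the ports open "to the world".
# Loopback-only listeners such as systemd-resolved on 127.0.0.53:53 are skipped.
exposed_tcp_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)                   # text after the last colon
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::") print port, $7
    }' | sort -u
}

# Read iptables -L -n output on stdin; print the target (ACCEPT/DROP/REJECT) of the
# first rule matching TCP destination port $1, or "none" if no rule names it.
# First match wins, which is how netfilter walks a chain.
firewall_verdict() {
    awk -v p="$1" '
        $2 == "tcp" && $NF == ("dpt:" p) { print $1; found = 1; exit }
        END { if (!found) print "none" }'
}

# One line per exposed port, with what the firewall will do to inbound connections.
report() {
    printf '%s\n' "$NETSTAT_SAMPLE" | exposed_tcp_ports | while read -r port prog; do
        verdict=$(printf '%s\n' "$IPTABLES_SAMPLE" | firewall_verdict "$port")
        printf 'port %s (%s): firewall=%s\n' "$port" "$prog" "$verdict"
    done
}

report
```

A port that shows up as exposed with a verdict of "none" is one that neither ufw rule mentions, so the chain's default policy decides what happens to it.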

In practice, ensuring that you're not running unnecessary services is often enough protection, and a host-based firewall is unnecessary, but this very much depends on the type of server you are configuring. Regardless, hopefully this session has given you some insight into the concepts.

BTW: For this test/learning server you should allow access again now, because those access.log files will give you a real feel for what it's like to run a server in a hostile world.

Using non-standard ports

Occasionally it may be reasonable to re-configure a service so that it’s provided on a non-standard port. (This is particularly common advice for ssh). This will reduce the attacking traffic that you see, which may be useful, but would be scoffed at by experts as “security by obscurity” - equivalent to moving the keyhole on your front door to an unusual place rather than improving the lock itself.

POSTING YOUR PROGRESS

  • As always, feel free to post your progress, or questions, to the forum.

RESOURCES

EXTENSION

Even after denying access, it might be useful to know who's been trying to gain entry. Check out these discussions of logging and more complex setups: