Securing SSH port and limiting IP address connection with Firewall in Ubuntu

UFW: Securing SSH
UFW (Uncomplicated Firewall) is the default firewall front end in Ubuntu. It can be used to restrict who is allowed to reach the SSH port on an Ubuntu server.

To restrict OpenSSH to known sources, first remove the existing "allow from anywhere" SSH rule. UFW is disabled first so that removing the rule cannot cut off the SSH session you are working from; nothing is filtered while it is disabled, so re-enable it (sudo ufw enable) as soon as the restricted rules below are in place.

sudo ufw disable
sudo ufw delete allow ssh

Then add the IP addresses that are allowed to connect to the SSH port. Here 192.168.1.10 is the address allowed to reach the server; replace it with whatever address you need.

sudo ufw allow from 192.168.1.10 to any port ssh

You can add further addresses the same way. Here a second one, 172.25.100.1:

sudo ufw allow from 172.25.100.1 to any port ssh

Alternatively, specify the port number and protocol explicitly. This is required if sshd listens on a port other than 22, because "port ssh" is resolved to 22 through /etc/services:

sudo ufw allow from 192.168.1.10 to any port 22 proto tcp

To allow SSH connections from a whole subnet:

sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp

Note: Restricting SSH to known source addresses or subnets shrinks the attack surface considerably: connections from anywhere else are dropped by the firewall before they reach sshd, so Internet-wide password brute-forcing stops at the packet filter. It complements, but does not replace, key-based authentication and keeping OpenSSH patched.

Further Reading: Ubuntu Server Administrator Reference

How to quickly become a firewall expert with UFW!

Uncomplicated Firewall (UFW) is a front end that lets you quickly set up an iptables firewall on any Ubuntu server. It is installed by default, so you can secure your server in no time.

Basic UFW

Basic UFW: Check Status
You can check UFW's state with the commands below. The verbose argument prints additional information such as the default policies, the logging level and the new-profiles setting.

The numbered argument prints each rule with its number, which is what you use to delete a rule by number (explained further down).

sudo ufw status
sudo ufw status verbose
sudo ufw status numbered

Basic UFW: Enable and Disable Firewall
You can enable and disable the firewall with the enable and disable arguments.

Warning: if you are connected to the Ubuntu box over SSH, do not enable UFW until an SSH allow rule is in place. With the default deny-incoming policy, new SSH connections would be refused and you could lock yourself out (ufw itself warns that the command may disrupt existing SSH connections).

sudo ufw disable
sudo ufw enable

Basic UFW: Setting up default rule and Enabling SSH
Most people connect to their Ubuntu box over SSH, so the first step is to set the default policy and allow SSH connections before enabling the firewall.

Deny incoming connections by default:

sudo ufw default deny incoming

Allow incoming SSH connections:

sudo ufw allow ssh

Alternatively you can write:

sudo ufw allow 22/tcp

Finally, enable the firewall:

sudo ufw enable

You can check the firewall rules by running

sudo ufw status

Basic UFW: Enabling other service: HTTP, HTTPS

Opening the HTTP and HTTPS ports for a web server is as easy as running:

sudo ufw allow http
sudo ufw allow https

Basic UFW: Deleting rule
You can delete a UFW rule by repeating it with "delete" in front:

sudo ufw delete allow https

or by specifying its port and protocol

sudo ufw delete allow 443/tcp

You can also delete a rule by its number. First list the rules with their numbers:

sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)

Then delete the rules by number. To remove the HTTPS rules, rules 3 and 6 have to go, and the higher number must be deleted first: UFW renumbers the remaining rules after every deletion, so deleting 3 first would turn rule 6 into rule 5 and "ufw delete 6" would then point at nothing.

sudo ufw delete 6
sudo ufw delete 3

UFW prints a confirmation prompt before each deletion (note the order: highest number first):

/home/mypapit# ufw delete 6
Deleting:
 allow 443
Proceed with operation (y|n)? y   
Rule deleted (v6)

/home/mypapit# ufw delete 3
Deleting:
 allow 443
Proceed with operation (y|n)? y
Rule deleted
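Deleting by number gets error-prone as soon as a port has several rules (IPv4, IPv6, with and without a protocol). The script below is an added example, not part of the original post: it parses the "ufw status numbered" listing, collects every rule number for a given port and deletes them highest number first, which is exactly the ordering the transcript above relies on. The listing embedded in it is a constructed copy of the one shown above, and UFW_CMD and UFW_DEMO are this example's own knobs (UFW_CMD=echo prints what would run instead of running it).

```sh
#!/bin/sh
# Added example for this post (not the post's own commands): find every
# numbered ufw rule for a port and delete the matches highest number first,
# because ufw renumbers the rules that remain after each deletion.
# UFW_CMD=echo dry-runs; UFW_DEMO=1 reads the sample listing instead of
# the live firewall.
set -eu

UFW_CMD=${UFW_CMD:-"sudo ufw"}

# Constructed sample of "ufw status numbered" output (mirrors the post).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)'

# Read "ufw status numbered" text on stdin and print the numbers of rules
# whose To column is exactly PORT, PORT/tcp or PORT/udp (with or without
# the "(v6)" suffix), highest number first. Rules written as "allow from X"
# show "Anywhere" in the To column and are deliberately not matched.
rules_for_port() {
  local port
  port=$1
  sed -n 's/^\[ *\([0-9][0-9]*\)] *\([^ ]*\).*/\1 \2/p' \
    | awk -v p="$port" '$2 == p || $2 == (p "/tcp") || $2 == (p "/udp") { print $1 }' \
    | sort -rn
}

# Current listing: the sample in demo mode, the real firewall otherwise.
status_numbered() {
  if [ "${UFW_DEMO:-0}" = 1 ]; then
    printf '%s\n' "$SAMPLE_STATUS"
  else
    $UFW_CMD status numbered
  fi
}

# Delete every rule for PORT. --force skips the y/n prompt; descending
# order keeps the remaining rule numbers valid while we iterate.
delete_port_rules() {
  local port n
  port=$1
  for n in $(status_numbered | rules_for_port "$port"); do
    $UFW_CMD --force delete "$n"
  done
}

# Stand-alone dry run against the sample listing:
#   UFW_DEMO=1 UFW_CMD=echo ./ufw-delete-port.sh 443
if [ "${1:-}" != "" ]; then
  delete_port_rules "$1"
fi
```

Run it with the port as the only argument. It works on the To column only, so a rule such as "allow from 192.168.1.10 to any port 22" (which lists "Anywhere" under To) is left alone; that is intentional, because those are usually the rules you want to keep when cleaning up a broad "allow 22".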

Intermediate UFW

Intermediate UFW: Deny access from an IP address or IP block
You can stop a particular IP address or block/subnet from reaching your server with the commands below. One caveat: UFW evaluates rules in order and the first match wins, so a rule added with "ufw deny" is appended after your existing allow rules and will not override them. To block a host on a port you have already opened, put the deny rule first with "sudo ufw insert 1 deny from <address>".

sudo ufw deny from 172.18.44.12

Deny an entire subnet:

sudo ufw deny from 172.18.44.0/24

Deny a larger block (here a /16):

sudo ufw deny from 172.16.0.0/16

Intermediate UFW: Allow services to be reached only from certain IP addresses or subnets
In this case, only chosen IP addresses will be allowed to connect to the SSH port.

First delete the old "allow from anywhere" SSH rule. UFW is disabled beforehand so that removing the rule cannot cut off the session you are working from; remember that nothing is filtered until you run sudo ufw enable again after adding the rules below.

sudo ufw disable
sudo ufw delete allow ssh

Then add the IP address allowed to connect to the SSH port:

sudo ufw allow from 192.168.20.40 to any port ssh

Alternatively, specify the port number and protocol explicitly (required if sshd listens on a port other than 22, since "port ssh" resolves to 22 through /etc/services):

sudo ufw allow from 192.168.20.40 to any port 22 proto tcp

To allow SSH connections from a whole subnet:

sudo ufw allow from 192.168.20.0/24 to any port 22 proto tcp

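Both SSH posts above, and the default-deny setup in the basic section, describe the same procedure by hand: deny everything inbound, allow SSH only from trusted sources, and enable the firewall without losing the session you are typing in. The script below is an added example, not code from either post, that does the whole thing in one lockout-safe pass. The sample addresses are the posts' own; the function names, and the UFW_CMD and SSH_PORT knobs, are this example's (UFW_CMD=echo prints the commands instead of running them).

```sh
#!/bin/sh
# Added example, not from the posts: the "deny everything inbound, allow SSH
# only from trusted sources" policy described above, applied in an order
# that cannot lock out the session running it. Run as root or via sudo.
set -eu

UFW_CMD=${UFW_CMD:-"sudo ufw"}
SSH_PORT=${SSH_PORT:-22}

# Accept "a.b.c.d" or "a.b.c.d/n" (IPv4 only). A typo must fail here rather
# than reach ufw, where a mangled argument could become a broader rule.
# Runs in a subshell so IFS/set -f changes do not leak into the caller.
valid_ipv4_cidr() (
  ip=${1%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32          # no /n given: a single host
  case "$prefix" in ''|*[!0-9]*) exit 1 ;; esac
  [ "$prefix" -le 32 ] || exit 1
  [ "${ip%.}" = "$ip" ] || exit 1            # reject a trailing dot
  set -f                                     # no globbing while splitting
  IFS=.
  n=0
  for octet in $ip; do
    case "$octet" in ''|*[!0-9]*) exit 1 ;; esac
    [ "$octet" -le 255 ] || exit 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
)

# Print the policy, one ufw argument list per line. Every source is
# validated before anything is printed.
ssh_policy() {
  for src in "$@"; do
    valid_ipv4_cidr "$src" || { echo "invalid IPv4 address or CIDR: $src" >&2; return 1; }
  done
  echo "default deny incoming"
  echo "default allow outgoing"
  for src in "$@"; do
    echo "allow from $src to any port $SSH_PORT proto tcp"
  done
}

# Apply it. The restricted allow rules go in BEFORE the old "allow from
# anywhere" rule is deleted and before the firewall is (re)enabled, so the
# client you are typing from is permitted at every step. The current
# session would survive either way thanks to ufw's established-connection
# rules, but the next login would not.
apply_policy() {
  rules=$(ssh_policy "$@") || return 1
  printf '%s\n' "$rules" | while IFS= read -r rule; do
    $UFW_CMD $rule          # word splitting of $rule is intended
  done
  $UFW_CMD delete allow ssh || true               # both spellings the posts
  $UFW_CMD delete allow "$SSH_PORT/tcp" || true   # used; ignore "non-existent"
  $UFW_CMD --force enable                         # --force: no y/n prompt
  $UFW_CMD status numbered
}

# Usage: ./ssh-policy.sh 192.168.1.10 172.25.100.1 192.168.20.0/24
if [ $# -gt 0 ]; then
  apply_policy "$@"
fi
```

Run it with the allowed sources as arguments, and with UFW_CMD=echo first to see what it would do. It handles IPv4 only: under the default deny policy any IPv6 SSH access stays blocked unless you add IPv6 sources by hand, which is often what you want. If you cannot pin SSH to fixed sources at all, sudo ufw limit 22/tcp is the fallback against brute-forcing: the port stays open, but a source that makes six or more connection attempts within 30 seconds is denied.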

How to Hide OpenSSH Ubuntu version from Nmap and other scanners

On Ubuntu or Debian, a default OpenSSH server announces its OpenSSH version together with the distribution package revision in its protocol banner:

$ telnet 172.16.91.20 22
Trying 172.16.91.20...
Connected to 172.16.91.20.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2

You can hide the Ubuntu-2ubuntu2 part of the banner by adding "DebianBanner no" to /etc/ssh/sshd_config, either just under the "Port 22" line or at the end of the file. Two caveats: sshd uses the first value it finds for a keyword, so make sure no earlier DebianBanner line exists, and the setting must come before any Match block. The OpenSSH version itself stays visible (OpenSSH always sends its own version string), so scanners such as nmap will still identify OpenSSH 6.6.1p1, just not which Ubuntu package build it is.

#/etc/ssh/sshd_config 
# What ports, IPs and protocols we listen for

Port 22
DebianBanner no

Save the file and restart the OpenSSH server:

sudo service ssh restart

Now the response will just be:

Trying 172.16.91.20...
Connected to 172.16.91.20.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6.1p1
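Two things are worth checking after the edit: what value sshd will actually use (a "DebianBanner no" appended below an existing "DebianBanner yes", or inside a Match block, does nothing), and what a scanner sees on the wire. The script below is an added example and not part of the original post; the function names are its own, and the config fragments in the usage comment are constructed.

```sh
#!/bin/sh
# Added example for this post (not the post's own commands): report the
# DebianBanner value sshd will really use for a config file, then fetch the
# live banner the way a scanner does.
set -eu

# Effective DebianBanner value in a sshd_config file (default "yes").
# Comments are dropped, "Keyword=value" is accepted, matching is
# case-insensitive, and anything after the first Match line is ignored
# because sshd does not allow DebianBanner inside a Match block.
effective_debian_banner() {
  awk '
    { sub(/#.*/, ""); gsub(/=/, " ") }              # strip comments, = -> space
    NF == 0 { next }
    tolower($1) == "match" { in_match = 1; next }
    !in_match && tolower($1) == "debianbanner" { print tolower($2); found = 1; exit }
    END { if (!found) print "yes" }
  ' "$1"
}

# First line the server sends after connect, i.e. the identification string
# (SSH-2.0-OpenSSH_x.y ...). The sleep keeps nc's stdin open long enough
# for the banner to arrive; no client data needs to be sent.
ssh_banner() {
  host=$1
  port=${2:-22}
  sleep 2 | nc -w 3 "$host" "$port" | head -n 1
}

# Usage:
#   ./check-banner.sh /etc/ssh/sshd_config                 -> DebianBanner: no
#   ./check-banner.sh /etc/ssh/sshd_config 172.16.91.20    -> ...and the live banner
if [ $# -ge 1 ]; then
  printf 'DebianBanner: %s\n' "$(effective_debian_banner "$1")"
fi
if [ $# -ge 2 ]; then
  ssh_banner "$2" "${3:-22}"
fi
```

Before restarting, sudo sshd -t checks the file for syntax errors, and on Ubuntu's patched sshd "sudo sshd -T | grep -i debianbanner" prints the effective value straight from the daemon (on systemd releases the restart itself is sudo systemctl restart ssh). A version scan such as nmap -sV -p 22 will still report OpenSSH and its version afterwards, so treat this as removing the package-revision hint, not as hiding the service; patching is what closes the gap the scanners are looking for.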

Happy trying!


An easy way to Install OpenVPN in CentOS – snippet

Source: https://zulfah.my/files/openvpnsetup/vpn_install.txt

Found this while browsing: a no-brainer way to install and set up OpenVPN on CentOS 6. The only thing left afterwards is to open ports 1194/udp and 1337/udp on the firewall/router. A few things to be aware of before running it: it switches SELinux to permissive (echo 0 > /selinux/enforce) instead of writing a policy, build-dh generates a 1024-bit DH group (the script copies dh1024.pem), which is below today's recommendations, and every configuration file is fetched from a third-party site, so read server.conf and vars before trusting the result.

# Build tools and dependencies (CentOS 6)
yum update -y && yum -y install nano unzip wget gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel

cd /home

# EPEL 6 repository, then OpenVPN itself
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm && rpm -Uvh epel-release-6-8.noarch.rpm

yum update -y && yum -y install openvpn

# Server configuration and the Easy-RSA 2.x bundle from the source site
cd /etc/openvpn

wget https://zulfah.my/files/openvpnsetup/configuration-OpenVPN/server.conf.txt

wget https://zulfah.my/files/openvpnsetup/configuration-OpenVPN/easy-rsa-2.2.0_master.tar.gz

mv server.conf.txt server.conf

tar -zxvf easy-rsa-2.2.0_master.tar.gz

cd /etc/openvpn/easy-rsa-2.2.0_master/easy-rsa/2.0

# Replace the bundled vars and OpenSSL config with the source site's versions
rm -f vars openssl-1.0.0.cnf

wget https://zulfah.my/files/openvpnsetup/configuration-OpenVPN/easyrsa/vars

wget https://zulfah.my/files/openvpnsetup/configuration-OpenVPN/easyrsa/openssl-1.0.0.cnf

chmod 755 *

# Load the Easy-RSA variables into the current shell (running ./vars as a
# separate command would only set them in a subshell and have no effect),
# then build the CA, the server certificate and the DH group
source ./vars

./clean-all

./build-ca
# when prompted, set the Common Name to your hostname

./build-key-server server
# when prompted, set the Common Name to your hostname

./build-dh

cd /etc/openvpn/easy-rsa-2.2.0_master/easy-rsa/2.0/keys

cp dh1024.pem ca.crt server.crt server.key /etc/openvpn

# NAT the VPN subnet out through eth0 and turn on IPv4 forwarding
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

service iptables save

nano -w /etc/sysctl.conf
# set net.ipv4.ip_forward = 1

sysctl -p

# Puts SELinux into permissive mode until the next reboot (the script's
# shortcut; a proper policy for openvpn is the better fix)
echo 0 > /selinux/enforce

# PAM authentication plugin, then start OpenVPN and enable it at boot
cd /etc/openvpn

wget https://zulfah.my/files/openvpnsetup/configuration-OpenVPN/openvpn-auth-pam.zip

unzip openvpn-auth-pam.zip

service openvpn start

chkconfig openvpn on

# Test account for PAM authentication (no home directory)
useradd testuser -d /dev/null

passwd testuser


Simple SSH Tunnelling tips

SSH tunnelling is usually used to get around firewall restrictions or to carry a plaintext protocol over an encrypted hop.

For example, if you want to send email through the SMTP server "smtp.yourserver.com" on port 587, but your organization blocks outbound SMTP ports 25 and 587, SSH tunnelling lets you reach it anyway.

To do that you need an intermediate server you can SSH to. fastssh.com currently provides an SSH tunnelling service with a 7-day trial account.

Simple SSH tunnelling command, if you’re using fastssh.com service.

ssh -f fastssh.com-username@sg.fastssh.com -L 2000:smtp.yourserver.com:587 -N

In your mail client, set the SMTP server to 127.0.0.1 and the SMTP port to 2000. Connections to that port travel inside the SSH session to sg.fastssh.com, which then connects to smtp.yourserver.com on port 587, so the corporate block on 25 and 587 never sees an SMTP connection. Note that the SSH encryption ends at the tunnel provider: keep STARTTLS enabled for the SMTP session so that the provider, and anything between it and your mail server, cannot read your mail or your credentials.
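The one-liner above works, but a few ssh options make a forward far less surprising in daily use. The script below is an added example, not code from the original post: it builds the same local forward with an explicit loopback bind, fails loudly if the local port is already taken, and checks that the listener exists before you point a mail client at it. The host names, user and ports are the post's illustrative ones; the function names and option choices are this example's own.

```sh
#!/bin/sh
# Added example (not from the post): build the local port forward above
# with safer defaults than the bare "-L" one-liner, and confirm the
# listener exists before pointing a mail client at it.
set -eu

# TCP port number check (1-65535).
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command that forwards 127.0.0.1:LOCAL_PORT to
# TARGET_HOST:TARGET_PORT through JUMP (user@host).
#   -L 127.0.0.1:...        bind explicitly to loopback: other machines on
#                           your LAN cannot ride the tunnel
#   -N -f                   no remote shell; background after authenticating
#   ExitOnForwardFailure    fail instead of leaving a "connected" but
#                           useless session when the local port is taken
#   ServerAliveInterval     notice a dead tunnel instead of hanging forever
tunnel_cmd() {
  jump=$1
  local_port=$2
  target_host=$3
  target_port=$4
  valid_port "$local_port" && valid_port "$target_port" || return 1
  printf 'ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:%s:%s:%s %s\n' \
    "$local_port" "$target_host" "$target_port" "$jump"
}

# True when something is listening on a local TCP port (ss, or netstat on
# older systems). Column 4 of both tools is the local address:port.
listening() {
  if command -v ss >/dev/null 2>&1; then
    ss -ltn | awk -v p=":$1" '$4 ~ p "$" { ok = 1 } END { exit !ok }'
  else
    netstat -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p "$" { ok = 1 } END { exit !ok }'
  fi
}

# Usage: ./tunnel.sh up   (then set SMTP server 127.0.0.1, port 2000)
if [ "${1:-}" = "up" ]; then
  cmd=$(tunnel_cmd fastssh.com-username@sg.fastssh.com 2000 smtp.yourserver.com 587)
  eval "$cmd"     # every argument above is a fixed literal, so eval is safe here
  sleep 1
  if listening 2000; then
    echo "tunnel ready on 127.0.0.1:2000"
  else
    echo "tunnel did not come up" >&2
    exit 1
  fi
fi
```

Without ExitOnForwardFailure, ssh happily logs in and backgrounds itself even when port 2000 is already in use, and the mail client then talks to whatever was already there. The explicit 127.0.0.1 bind is the default in most configurations, but spelling it out guards against a GatewayPorts setting in your ssh_config turning the forward into a LAN-reachable relay.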

For port forwarding on Microsoft Windows, refer to the PuTTY guide.

IPdeny.com – Download collections of Country IP Addresses

IPdeny.com is a service which offers a free collection of Regional and Country IP address blocks list.

IP block lists like these are useful to application developers and system administrators. A developer can redirect users from certain countries to regional websites or pages, and an administrator can use the lists to restrict which countries can reach a service. Keep in mind that IP geolocation is approximate and that anyone with a VPN or proxy in another country bypasses it, so country blocking cuts down noise rather than acting as an access control.
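A country zone file holds thousands of CIDR blocks, and feeding each one to ufw or iptables as its own rule makes the INPUT chain huge and slow. The script below is an added example, not part of the original post: it turns a zone file into a single ipset and one iptables rule that matches against it. The three blocks embedded in it are constructed for the demo and belong to no real country; the set name, the file layout and the URL form in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the post: load an IPdeny country zone file into an
# ipset (one hash lookup per packet) and drop inbound traffic from it with a
# single iptables rule. Requires the ipset and iptables tools; run as root.
set -eu

# Constructed sample zone content: zone files are plain CIDRs, one per line.
# The comment and junk line are there to show they get filtered out.
SAMPLE_ZONE='1.0.1.0/24
1.0.2.0/23
# this comment and the junk line below must be ignored
not-an-address
1.0.8.0/21'

# Read a zone file on stdin, keep only well-formed IPv4 CIDRs and print an
# "ipset restore" script that rebuilds SET. The blocks are loaded into a
# temporary set that is then swapped in, so the live set is never half
# filled; -exist makes the create lines safe to repeat.
zone_to_ipset() {
  set_name=$1
  echo "create $set_name hash:net family inet -exist"
  echo "create ${set_name}_tmp hash:net family inet -exist"
  echo "flush ${set_name}_tmp"
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
    | sed "s/^/add ${set_name}_tmp /"
  echo "swap ${set_name}_tmp $set_name"
  echo "destroy ${set_name}_tmp"
}

# Load the set, then drop inbound packets whose source is in it. The
# iptables rule is inserted at the top of INPUT only if it is not there yet
# (-C checks), so re-running after a zone update just refreshes the set.
block_country() {
  cc=$1          # two-letter country code, e.g. cn
  zone_file=$2
  zone_to_ipset "country_$cc" <"$zone_file" | ipset restore
  iptables -C INPUT -m set --match-set "country_$cc" src -j DROP 2>/dev/null \
    || iptables -I INPUT -m set --match-set "country_$cc" src -j DROP
}

# Usage (assumed zone URL form: http://www.ipdeny.com/ipblocks/data/countries/<cc>.zone):
#   wget -O cn.zone http://www.ipdeny.com/ipblocks/data/countries/cn.zone
#   ./block-country.sh cn cn.zone
if [ $# -eq 2 ]; then
  block_country "$1" "$2"
fi
```

Because the rule is inserted at position 1 of INPUT it runs before the ufw-* chains, so it coexists with a UFW-managed firewall without touching UFW's own rules. ipsets do not survive a reboot on their own; how they are persisted (an ipset save file restored at boot) varies by distribution, so pair this with whatever your system uses for iptables persistence.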