Tuesday, August 25, 2015

Adding a security layer (APF) to your server!

Maybe you are in charge of a whole Datacenter or just only managing your home multimedia server, in both cases (and hoping you were working with linux :P) port security is recommended.

In my experience when just plug a new server (server without any configuration) into the "cloud" immediately sense many unexpected connections pointing the well-know ports like 23(telnet) or 22(ssh), so have to considering enable firewall rules with iptables.

One tool I used to use for easy management of iptables is APF (Advanced Policy Firewall) and here I am going to show you how to install in a few steps. This time I am using Ubuntu 14.04 server.

With sudo user:

root@ngnix1:/home/wmunguiam# apt-get install apf-firewall
Se instalarán los siguientes paquetes NUEVOS: 
apf-firewall iproute
¿Desea continuar? [S/n] S
Configurando iproute (1:3.12.0-2ubuntu1) ...
Configurando apf-firewall (9.7+rev1-3) ...
* apf-firewall disabled, please adjust the configuration to your needs 
* and then set RUN to 'yes' in /etc/default/apf-firewall to enable it.
Processing triggers for ureadahead (0.100.0-16) ...
Of course, as recommended, we have to adjust configuration to fit our needs. As we want to only allow HTTP and SSH we will edit:

APF is disabled and we can review status of iptables rules:

root@ngnix1:/home/wmunguiam# iptables -L
Chain INPUT (policy ACCEPT)target     prot opt source               destination
Chain FORWARD (policy ACCEPT)target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)target     prot opt source               destination

So we edit configuration file:

 vim /etc/apf-firewall/conf.apf

Changes made:

Then we edit start-production flag file:

 vim /etc/default/apf-firewall


Now we Start APF service:
apf -s 

Messages will be shown:
apf(1495): {glob} status log not found,
createdapf(1495): {glob} activating firewall
apf(1495): {glob} firewall initalized

NOTE: Maybe APF will not start because a kernel "difference", In the NEXT POST I will deal with that case.

No comments:

Post a Comment