Mitsu
-
Posts
7 -
Joined
-
Last visited
Content Type
Profiles
Forums
Downloads
Jobs Available
Server Database
Third-Party Services
Top Guides
Store
Crowdfunding
Posts posted by Mitsu
-
-
443 too for https requests
-
You should consider to get back DNS block
Your server use DNS request to get reverse of users, or to link some services
please find below some explanation with the modified code :
(comments betwen /* and */ , remove them before use)
/* script start */ #!/bin/sh /* we create a shortcut to call iptables */ IPT=/sbin/iptables /* we flush actual rules for incoming data, outgoing data, and data we are forwarding */ $IPT -F INPUT $IPT -F OUTPUT $IPT -F FORWARD /* first of all, we can consider server is safe, and so we just allow loopback not to be blocked or filtered */ $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT /* set default policy to drop datas */ $IPT -P INPUT DROP $IPT -P OUTPUT DROP $IPT -P FORWARD DROP echo "1" > /proc/sys/net/ipv4/ip_forward /* we don't want to be banned as we are running script, so we keep our actual IP, and allow incoming traffic on server from us, and outgoing traffic from server to us */ IPCLIENT=`echo $SSH_CLIENT | sed 's/\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/'` $IPT -A INPUT -s ${IPCLIENT} -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -d ${IPCLIENT} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT /* Syn flood is a sort of dos attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive */ /* here we accept SYN requests, but set a limit for that */ # we add some SYN flood protection $IPT -A INPUT -p tcp --syn -m limit --limit 5/s -j ACCEPT $IPT -A INPUT -p udp -m limit --limit 10/s -j ACCEPT $IPT -A INPUT -p tcp --syn -j DROP $IPT -A INPUT -p udp -j DROP /* same here but for ping of death, and so icmp requests (be carefull that setting a strict limite can slow down traffic like TeamSpeak */ # we add some ping flood protection $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/s -j ACCEPT $IPT -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 4/s -j ACCEPT $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP $IPT -A INPUT -p icmp --icmp-type echo-reply -j DROP /* here we accept incoming ssh traffic on server, and request from server */ # Allow incoming TCP port 22 (ssh) traffic $IPT -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT /* we accept here DNS request from and to your server. This is needed since server need to resolve ip-address if option is active. Eventualy, you could only accept DNS traffic from and to your DNS server (see your network configuration, or your provider to get ip address */ # DNS (client) $IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT $IPT -A INPUT -p tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT $IPT -A INPUT -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT /* we accept web traffic to server as we want to access phpmyadmin */ # Web server (http, https) $IPT -A INPUT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT $IPT -A INPUT -p tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT /* i recommand to keep this block as you need this to upgrade your applications (yum update / upgrade like aptitude use http ) */ # Web Client $IPT -A INPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT /* we can remove FTP section as you don't have FTP server /* /* auth section goes with FTP as it is used to authenticate client computer on server. here we can remove this */ /* we just allow your "ragnarok's traffic" */ # Allow Ragnarok Online for PRT in 5121 6121 6900 do $IPT -A INPUT -p tcp --dport $PRT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp --sport $PRT -m state --state RELATED,ESTABLISHED -j ACCEPT done /* we allow remote access on our SQL server. Local access is already accept since it's going directly from system to system, bypassing network */ # Allow MySQL $IPT -A INPUT -p tcp --dport 3306 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp --dport 3306 -m state --state RELATED,ESTABLISHED -j ACCEPT -
-1- create a vhost instead of standard pma symlink
-2- set strong passwords
-3- use allow,deny rules in vhost to only accept connections from maint'staff computers
-
#!/bin/bash EADIR="YOU_ATHENA_FOLDER_GOES_HERE" cd ${EADIR} for a in $(find ./ -type d -print) do cd ${a} for b in $(ls | grep .gz) do gunzip -d ${b} done cd ${EADIR} done exit 0(.gz is for gunzip
) -
Just think of why you need fail2ban, what for ?
Then edit your fail2ban config file to fit it to your server and your needs
fail2ban purpose is generally to limit bruteforce attacks on ssh
if some of your users are still being banned by f2b, then search for why they want to initiate a ssh connection
-
i know this topic is old... but if it can helps...
first of all you must understand how "transactions" works
client create a new connection --> request on server --> server looks for an answer --> server request on client to answer through current connection
Then, you must identify client and server for each job
For example : FTP
YOU want to connect to FTP to upload some files on your server
So you do the client job
plus, i don't think it's a good thing to let you server respond on every request
if we take a look at your script onizame, here is some corrections we can do (red for add/modification - blue for del) :
#!/bin/sh
IPT=/sbin/iptables
$IPT -F INPUT
$IPT -f OUTPUT
$IPT -F FORWARD
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
echo "1" > /proc/sys/net/ipv4/ip_forward
IPCLIENT=`echo $SSH_CLIENT | sed 's/\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/'`
/sbin/iptables -A INPUT -s ${IPCLIENT} -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -d ${IPCLIENT} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# we add some SYN flood protection
$IPT -A INPUT -p tcp --syn -m limit --limit 5/s -j ACCEPT
$IPT -A INPUT -p udp -m limit --limit 10/s -j ACCEPT
$IPT -A INPUT -p tcp --syn -j DROP
$IPT -A INPUT -p udp -j DROP
# we add some ping flood protection
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/s -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 4/s -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -p icmp --icmp-type echo-reply -j DROP
# -- /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# -- /sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow incoming TCP port 22 (ssh) traffic
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
# -- /sbin/iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# DNS (client)
$IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Web server (http & https)
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Web client (for example : for apt-get on debian / *buntu)
$IPT -A INPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# FTP server (ftp et ftp-data)
$IPT -A INPUT -p tcp --dport 20 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
# FTP client (example : apt-get)
$IPT -A INPUT -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 20 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --sport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#FTP passive ports
$IPT -A INPUT -p tcp --dport 1024:65535 --sport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 1024:65535 --sport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
#auth
$IPT -A INPUT -p tcp --dport 113 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT
# -- /sbin/iptables -A INPUT -p udp --dport 6900 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p udp --dport 5121 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p udp --dport 6121 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p tcp --dport 6900 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p tcp --dport 5121 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p tcp --dport 6121 -m state --state NEW -j ACCEPT
# Allow Ragnarok Online
for PRT in 5121 6121 6900
do
$IPT -A INPUT -p tcp --dport $PRT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport $PRT -m state --state RELATED,ESTABLISHED -j ACCEPT
done
# Allow MySQL
# -- /sbin/iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p udp --dport 3306 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# -- /sbin/iptables -A INPUT -p udp --dport 21 -m state --state NEW -j ACCEPT
#
# Mysql on port 21 oO ??? ...and MySQL open ??
# We don't want outside connection to our MySQL server.
# Ragnarok server use localhost/127.0.0.1 like hosted websites
# Lan to Lan connection aren't filtered. Only Wan <--> Lan
# Have these rules take effect when iptables is started
# -- /sbin/iptables-save
#
# no needs
# just save this in a file like rc.firewall
# then chmod +x rc.firewall
# edit /etc/rc.local and call for this file just before "exit 0"
#
# rc.local :
#
# ...
# /you/folder/where/you/save/the/file/rc.firewall
# exit 0
#
# it will launch you script at server start
# to launch manually, juste execute the file
# #~ /folder/rc.firewall
FTP, Web, and your Ragnarok should works then
enjoy
[ask] Autobackup MySQL Question
in Linux Support
Posted
This should work
#!/bin/bash dbhost='localhost' dbuser='ragnarok' dbpass='ragnarok' dbname='ragnarok' savepath=$(dirname $0) # OR something like '/root/backup' duration=3 # value in days date=$(date +%Y-%m-%d_%H%M) date_old=$(date +%Y-%m-%d_%H%M --date="${duration} days ago") month=$(date +%Y-%m) month_old=$(date +%Y-%m --date="${duration} days ago" ) filename=${savepath}"/"${month}"/"${dbname}"_"${date}".sql" filename_old=${savepath}"/"${month_old}"/"${dbname}"_"${date_old}".sql" if [[ ! -d "$savepath/$month" ]]; then mkdir -p "$savepath/$month" chmod 700 "$savepath/$month" fi mysqldump --opt --host=$dbhost --user=$dbuser --password=$dbpass $dbname > $filename chmod 400 $filename # removing files older than [duration] days based on filename if [[ -f "${filename_old}" ]]; then rm -f "${filename_old}" fi # clean empty folders if [ ! "$(ls -A ${savepath}{month_old})" ]; then rm -rf "${savepath}{month_old}" fi exit 0