ufw, firehol or iptables

Message

Naib · Post by **Naib** » Mon May 04, 2015 2:46 pm

For quite some time I relied on tcpwrapper to "protect" my box against attack - it sits behind a router that exposes http and sshd.

sshd dropped support for tcpd and thus the prospect of a firewall rose again.
So what to use

ufw? firewall for dummies? nothing wrong with that as it is simple and (sort of) just works
firehol? scripting language on top of iptables that attempts to unobtrusify iptables - I use to use this
iptables?

I sort of have an iptables setup that interacts with fail2ban (I have tested it) but the issue is well... not fully sure about what it does

thoughtform · Post by **thoughtform** » Tue May 05, 2015 10:31 pm

I personally love iptables + fail2ban.
I'm no iptables expert but I've found it helpful to verify your fail2ban setup is working by issuing this command as root:

iptables -L -v -n

If you see some IP addresses banned under a chain named f2b-* or fail2ban-*, then you're somewhat protected.

szatox · Post by **szatox** » Wed May 06, 2015 8:06 pm

I've been simply using block-all-except-what-I-explicitly-want-to-receive iptables set + public key login to ssh. I suppose disabling password login (and direct root login) provides sufficient protection againt dictionary and bf attacks even with extremaly week passwords

Blocking rogue traffic completly can of course reduce bandwidth usage slightly, but roughly 1-2 dozens of thousents of attempts every day wasn't even a noticable traffic.
Not like I was against f2b. I just didn't find it necessary for me. Your millage might vary.

Obvious downside is you need to carry your key with you, but do you ever use someone's else device to connect?
Also if you trust those devices with your password, why not to trust it with your key?

Post by **NeddySeagoon** » Wed May 06, 2015 8:30 pm

Naib,

shorewall is a good iptables rule generator but it may be overkill for what you want.