Infrastructure-level security that should be done.

Maciej
3 min readJun 21, 2020


Some modern web frameworks have good built-in security, so even without much security knowledge you get a baseline for free. Django, for example, prevents SQL injection as long as you go through its ORM, and its CSRF protection is easy to turn on. But however many measures you take at the application level, they are all for nothing if the server itself is not secured. Even a service run as a personal side project can be taken offline by an attack, or have its hosting account cancelled by the provider because of the traffic it attracts.

Implement a firewall for your service

Port scans, brute-force attempts and simple (D)DoS traffic can be blocked or rate-limited with the Linux packet filter, iptables. A host firewall cannot absorb a large volumetric DDoS that saturates the uplink (that needs filtering upstream), but it does stop the everyday abuse that gets small servers flagged or taken down.

This post covers the actual installation and configuration. The environment I used is Ubuntu, but other Linux distributions work with the same rules; only the way iptables is started and persisted differs per distribution, so check that for yours. It assumes a little familiarity with iptables, but there is plenty of documentation on iptables itself.

Installing iptables

Most Linux distributions ship iptables by default. If it is missing, install it together with iptables-persistent, which reloads the saved rules at boot:

sudo apt install iptables iptables-persistent

You can list the current rules with the following command. On a fresh install there are no rules and every chain has the default ACCEPT policy.

sudo iptables -L

Next, create the rules file by dumping the current (empty) ruleset into it. The redirection has to run as root as well, because /etc/iptables is only writable by root, so wrap the whole command in a root shell:

sudo sh -c '/sbin/iptables-save > /etc/iptables/rules.v4'

Now add rules to /etc/iptables/rules.v4. Everything below goes inside the *filter section, between the *filter line and COMMIT; the -A lines go below the :OUTPUT ACCEPT line. Order matters: iptables evaluates the rules of a chain from top to bottom and the first terminal match (ACCEPT, DROP or REJECT) decides the packet's fate, so keep the order used here.

Change the chain policies

The first three lines are the chain policies, which are all ACCEPT after installation. Set INPUT and FORWARD to DROP so that anything not explicitly allowed is silently discarded, and leave OUTPUT as ACCEPT:

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

Allow local loopback

Allow all traffic on the loopback interface, and reject packets that claim a loopback destination (anything in 127.0.0.0/8, i.e. 127.0.0.1 through 127.255.255.255) but arrive on a real interface, since those can only be spoofed:

-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

Allow established and related connections

Accept packets that belong to a connection already tracked as established, or related to one (ICMP errors, FTP data connections). Without this rule the replies to the server's own outbound connections would be dropped by the INPUT policy:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Drop NULL packets

A TCP packet with no flags set at all never occurs in legitimate traffic; it is the signature of a NULL scan (nmap -sN), so drop it:

-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Drop new TCP connections that do not start with SYN

A legitimate TCP connection always opens with a SYN packet. A packet in state NEW that is not a SYN is either a malformed or spoofed segment or part of an ACK/FIN scan, so drop it. Note that this rule does not limit the rate of SYNs, so on its own it is not a defence against a SYN flood (a type of DoS); for that, enable SYN cookies (net.ipv4.tcp_syncookies = 1) in addition to the per-source limits further down.

-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Drop Christmas-tree packets (stealth scans)

A packet with every TCP flag set is another scanner signature (nmap -sX). Stealth scans such as NULL, FIN and XMAS never complete the three-way handshake, so the scanned service sees no connection and nothing reaches its application logs. The packets do still pass through netfilter, which is where they can be dropped:

-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Rate-limit SSH connections

Move SSH from port 22 to another port (40230 is used below) to cut down on automated noise, and use key-based authentication: generate a key pair and disable password login in sshd_config.

The rule below accepts at most one new SSH connection per minute from any single source. The hashlimit match keeps a bucket per source IP (--hashlimit-mode srcip) with a burst of 1 that refills at 1/m, and forgets a source 120000 ms (two minutes) after its last packet (--hashlimit-htable-expire). Because the limit is tracked per client, a host hammering the port only gets itself blocked; other clients are still let through. Connections over the limit do not match this rule and fall through to the final REJECT at the end of the file. Be aware that a burst of 1 also means you yourself cannot retry within a minute of a failed attempt; a slightly larger burst is more forgiving.

-A INPUT -p tcp --syn --dport 40230 -m state --state NEW -m hashlimit --hashlimit-name t_sshd --hashlimit 1/m --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT

ICMP countermeasures

Ping uses ICMP echo-request. Rather than blocking ping entirely, rate-limit it per source with the same hashlimit match: each source gets a burst of 10 echo requests, after which only one per minute is answered until its entry expires.

-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name t_icmp --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT

DDoS countermeasures

Specify the ports your application listens on. Several ports can be given in one rule with the multiport match (--dports). The limit below allows each source IP a burst of 500 new connections and then 60 per minute, and remembers a source for six minutes (360000 ms):

-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m hashlimit --hashlimit-name web_limit --hashlimit 60/m --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-htable-expire 360000 -j ACCEPT

Reject everything else

Finally, the catch-all. With the INPUT policy already set to DROP it is not strictly required, but REJECT with icmp-host-prohibited explicitly tells the client that the connection was refused instead of letting it time out. It must be the last rule in the chain: iptables stops at the first terminal match, so any ACCEPT rule placed after it would never be reached.

-A INPUT -j REJECT --reject-with icmp-host-prohibited
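To see exactly what the hashlimit rules for SSH, ping and the web ports do to a client, here is a small simulation of the per-source token bucket that hashlimit maintains. It is an added illustration written for this post, not code from the original article or from iptables itself. It models the documented behaviour (the bucket starts full at --hashlimit-burst, refills at the --hashlimit rate, and a source's entry is forgotten --hashlimit-htable-expire milliseconds after its last packet) and ignores the kernel's integer credit scaling. The source addresses and timings are constructed test data.

```python
from dataclasses import dataclass, field

# Simplified model of iptables' xt_hashlimit match in --hashlimit-mode srcip.
# Added example for this post, not the kernel implementation: it keeps one
# token bucket per source IP, refills it at the configured rate and drops the
# entry after --hashlimit-htable-expire of inactivity (a fresh entry starts
# with a full bucket again).


def parse_rate(rate: str) -> float:
    """'1/m' -> 1/60 packets per second, '60/m' -> 1.0, '5/s' -> 5.0.

    Like iptables, any unambiguous prefix of second/minute/hour/day is accepted.
    """
    count, _, period = rate.partition("/")
    period = (period or "second").lower()
    for name, seconds in (("second", 1), ("minute", 60), ("hour", 3600), ("day", 86400)):
        if name.startswith(period):
            return int(count) / seconds
    raise ValueError(f"unknown rate period in {rate!r}")


@dataclass
class HashLimit:
    rate_per_sec: float
    burst: int
    expire_sec: float
    table: dict = field(default_factory=dict)  # srcip -> [credit, last_seen]

    @classmethod
    def from_rule(cls, rate: str, burst: int, htable_expire_ms: int) -> "HashLimit":
        """Build the model from the values as they appear in the -A line."""
        return cls(parse_rate(rate), burst, htable_expire_ms / 1000.0)

    def matches(self, srcip: str, now: float) -> bool:
        """True if the hashlimit match succeeds, i.e. the rule's -j ACCEPT fires."""
        entry = self.table.get(srcip)
        if entry is None or now - entry[1] > self.expire_sec:
            # Unknown or garbage-collected source: new entry with a full bucket.
            entry = [float(self.burst), now]
            self.table[srcip] = entry
        credit, last_seen = entry
        credit = min(float(self.burst), credit + (now - last_seen) * self.rate_per_sec)
        entry[1] = now
        if credit >= 1.0:
            entry[0] = credit - 1.0
            return True
        entry[0] = credit
        return False


def simulate(limit: HashLimit, packets) -> list:
    """packets: iterable of (time_in_seconds, srcip).

    Returns the verdict for each packet, assuming the rule is followed by the
    final '-A INPUT -j REJECT' so a non-matching packet is rejected.
    """
    return ["ACCEPT" if limit.matches(src, t) else "REJECT" for t, src in packets]


if __name__ == "__main__":
    icmp = HashLimit.from_rule("1/m", 10, 120000)      # the echo-request rule above
    pings = [(t, "198.51.100.7") for t in range(15)]  # constructed: one ping per second
    print("icmp", simulate(icmp, pings))
    ssh = HashLimit.from_rule("1/m", 1, 120000)        # the SSH rule above
    print("ssh ", simulate(ssh, [(0, "198.51.100.7"), (5, "198.51.100.7"), (61, "198.51.100.7")]))
```

Run as is, the echo-request limit answers the first ten pings from 198.51.100.7 and rejects the next five, still answers a different client because each source has its own bucket, and answers the first host again once its entry has expired; the SSH rule with a burst of 1 shows why a second attempt five seconds later is refused while one a minute later gets through.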

Save and confirm settings

Apply the file with iptables-apply. It loads the rules and then asks you to confirm within a short timeout; if you cannot answer, for example because the new rules have just locked you out of SSH, it rolls back to the previous ruleset:

sudo /usr/sbin/iptables-apply /etc/iptables/rules.v4

Confirm that the rules are in place (add -n -v to skip reverse DNS lookups and to see per-rule packet counters):

sudo iptables -L

Because iptables-persistent reads /etc/iptables/rules.v4 at boot, the rules also survive a reboot. They cover IPv4 only: if the server has a public IPv6 address, write the equivalent rules into /etc/iptables/rules.v6, otherwise IPv6 traffic stays completely unfiltered.

Try pinging the filtered server from another host.
The first ten echo requests (the burst) are answered; after that only one per minute gets through and the rest come back as "Destination Host Prohibited", until the source has been quiet for two minutes and its hashlimit entry expires.
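Since the order of the -A lines decides what actually gets through, it is worth checking the assembled file before running iptables-apply. The following linter is an added example written for this post, not part of the original article or of the iptables tooling. It parses the iptables-save format, checks the policies and the two rules everything else depends on, and reports any rule that sits below an unconditional ACCEPT/DROP/REJECT and is therefore unreachable. GOOD_RULES is the ruleset from this post in the intended order; BAD_RULES is a constructed copy with the final REJECT pasted in above the SSH rule, which is exactly the mistake the linter exists to catch.

```python
import re
from dataclasses import dataclass

# Added example (not from the page): linter for a hand-written
# /etc/iptables/rules.v4 in iptables-save format.

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}
_RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*?)\s*-j\s+(\S+)(?:\s.*)?$")


@dataclass
class Rule:
    chain: str
    matches: str   # everything between the chain name and -j ("" for a catch-all)
    target: str
    text: str


def parse_filter_table(dump: str):
    """Return ({chain: policy}, [Rule, ...]) for the *filter table of a dump."""
    policies, rules, table = {}, [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter":
            m = _RULE_RE.match(line)
            if m is None:
                raise ValueError(f"cannot parse rule: {line}")
            rules.append(Rule(m.group(1), m.group(2).strip(), m.group(3), line))
    return policies, rules


def lint(dump: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    policies, rules = parse_filter_table(dump)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'missing')}, expected DROP")
    inputs = [r for r in rules if r.chain == "INPUT"]
    if not any(r.target == "ACCEPT" and r.matches == "-i lo" for r in inputs):
        findings.append("INPUT has no '-i lo -j ACCEPT'; local services using 127.0.0.1 will break")
    if not any(r.target == "ACCEPT" and "ESTABLISHED" in r.matches for r in inputs):
        findings.append("INPUT has no ESTABLISHED,RELATED ACCEPT; replies to outbound traffic will be dropped")
    # Rule order matters: nothing after an unconditional terminal rule is ever evaluated.
    for chain in dict.fromkeys(r.chain for r in rules):
        chain_rules = [r for r in rules if r.chain == chain]
        for i, r in enumerate(chain_rules):
            if r.target in TERMINAL_TARGETS and not r.matches:
                for shadowed in chain_rules[i + 1:]:
                    findings.append(f"unreachable: '{shadowed.text}' comes after catch-all '{r.text}'")
                break
    return findings


# Constructed sample: the rules from this post, in the order a correct rules.v4 needs.
GOOD_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --syn --dport 40230 -m state --state NEW -m hashlimit --hashlimit-name t_sshd --hashlimit 1/m --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name t_icmp --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m hashlimit --hashlimit-name web_limit --hashlimit 60/m --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-htable-expire 360000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample: the same file with the final REJECT pasted in before the SSH rule.
BAD_RULES = GOOD_RULES.replace(
    "-A INPUT -p tcp --syn --dport 40230",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n-A INPUT -p tcp --syn --dport 40230",
    1,
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:               # python3 lint_rules.py /etc/iptables/rules.v4
        print(lint(open(sys.argv[1]).read()) or "OK")
    else:
        for name, dump in (("good", GOOD_RULES), ("bad", BAD_RULES)):
            print(name, lint(dump) or "OK")
```

Pointing it at the real file (python3 lint_rules.py /etc/iptables/rules.v4) prints OK for the intended layout, while the misordered copy reports the SSH, ping and web rules as unreachable, which is the symptom you would otherwise only discover by being locked out.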

As a side note, the personal service I run is protected with iptables rules along these lines.

Written by Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.
