Secure Linux Servers Using IPTables Rules and WonderShaper
Thursday, March 28th, 2013
Secure your Ubuntu Server from Flood and Other Attacks Using IPTables and WonderShaper
The following commands use IPTables to block common flooding and other malformed-packet attacks. They stop a Linux server from lagging and wasting resources on malformed packets; some of these packet types are also used in DDoS attacks, so it is best to put these filters and rules in place. Use at your own risk. A detailed explanation can be found at the link in the comment below.
# Explanations here:
# http://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html
sudo apt-get install iptables
# Drop new TCP connections that do not begin with a SYN packet
sudo iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop IP fragments (matches second and further fragments)
sudo iptables -A INPUT -f -j DROP
# Drop "XMAS" packets (every TCP flag set)
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop "NULL" packets (no TCP flag set)
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
If you want to drop ICMP ping requests, click here.
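The four rules above, wrapped as an added example (not code from the original post) in a small POSIX sh script that appends each rule only when `iptables -C` reports it missing, so running it again after a reboot or a second session does not leave duplicate copies of every rule in the INPUT chain. The `IPTABLES` variable and the function names are my own and can be pointed at a stub for a dry run.

```sh
#!/bin/sh
# Added example: idempotent application of the post's anti-flood rules.
set -f   # no globbing while rule strings are word-split below

# Command used for both checking (-C) and appending (-A) rules.
# Override with a stub (IPTABLES=my_stub) to dry-run without root.
: "${IPTABLES:=iptables}"

# One rule per line; each is the match part that follows "-A INPUT".
# "-m state" is the legacy module the post uses; on current kernels
# "-m conntrack --ctstate NEW" is the equivalent.
ANTI_FLOOD_RULES='-p tcp ! --syn -m state --state NEW -j DROP
-f -j DROP
-p tcp --tcp-flags ALL ALL -j DROP
-p tcp --tcp-flags ALL NONE -j DROP'

# ensure_rule CHAIN RULE-WORDS...
# Appends the rule only if "iptables -C" says it is absent.
# Exit status 0 = rule added now, 1 = rule was already present.
ensure_rule() {
  chain=$1
  shift
  if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
    return 1
  fi
  "$IPTABLES" -A "$chain" "$@"
}

# apply_anti_flood
# Makes sure every rule in ANTI_FLOOD_RULES is present exactly once in
# INPUT and prints how many rules were newly added (0 on a repeat run).
apply_anti_flood() {
  added=0
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    set -- $rule                  # split the rule string into words
    if ensure_rule INPUT "$@"; then
      added=$((added + 1))
    fi
  done <<EOF
$ANTI_FLOOD_RULES
EOF
  echo "$added"
}

# Run as root:  sudo sh anti_flood.sh apply
case "${1:-}" in
  apply) apply_anti_flood ;;
esac
```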
Limiting Download and Upload Speeds / Traffic Globally in Ubuntu
Limiting download and upload speeds globally does not make a server any more secure than before. However, it can alleviate network lag, which, in my opinion, preserves availability and therefore improves security. In Ubuntu, it's easy to limit the maximum download and upload speed that can be used on an interface. It wasn't always this easy, but thanks to a tool called wondershaper, you don't have to worry about any of the complexities. To install, run the following command:
sudo apt-get install wondershaper
Now we need to tell wondershaper to start limiting the maximum download and upload rate on our particular interface. To see a list of interfaces, type the following command:
ifconfig
To determine what your maximum download and upload speeds should be, use SpeedTest to run a couple of bandwidth tests on your connection. With your results, convert the speeds from Mbps to kilobits per second; a bandwidth calculator / converter will help you out. Then subtract 20-30% from each value to leave some headroom below your measured maximum, so that bandwidth is still available to other computers / nodes on the network.
Once you have your speeds, start wondershaper (modifying the example below to fit your needs):
# wondershaper [interface] [max_download_speed_kilobits] [max_upload_speed_kilobits]
sudo wondershaper eth0 8192 2764
Make a backup of the /etc/network/interfaces file:
sudo cp /etc/network/interfaces /etc/network/interfaces.bakup
sudo nano /etc/network/interfaces
To run wondershaper at boot or startup, edit the /etc/network/interfaces file and add the following (modify to fit your needs if necessary):
auto lo
iface lo inet loopback
up /sbin/wondershaper eth0 8192 2764
down /sbin/wondershaper clear eth0
Make sure you change the maximum download and upload speeds in both of the examples. The settings will now apply whenever the computer boots into Linux.
Exclude LAN from Speed Limits
By default WonderShaper does not differentiate between LAN traffic and external traffic. To stop WonderShaper from limiting download and upload speeds on the LAN, install this updated WonderShaper script:
cd ~/Downloads
wget -O wondershaper_exclude_lan.tar.gz www.dinofly.com/files/wondershaper_exclude_lan.tar.gz
tar xzvf wondershaper_exclude_lan.tar.gz
sudo cp -f wondershaper /sbin/wondershaper
sudo chmod +x /sbin/wondershaper
sudo nano /sbin/wondershaper
Find:
#Local Network
LAN_SUBNET=192.168.0.0
Change it to the network address of your LAN. For example, if your LAN gateway is 192.168.1.X, change it to:
#Local Network
LAN_SUBNET=192.168.1.0
Another example: if your LAN gateway is 192.168.43.X, change it to:
#Local Network
LAN_SUBNET=192.168.43.0
Save the file and reboot.
Your local area network (LAN) traffic is no longer rate limited, but external traffic still is! Enjoy lag-free connections from both the outside and the inside while running any type of web server.