From a2e07c92b3702fb4c03ffe855a69297baa7bf048 Mon Sep 17 00:00:00 2001
From: TrudeEH
Date: Wed, 19 Feb 2025 09:54:59 +0000
Subject: [PATCH] N: Firewall
---
 content/.obsidian/app.json | 7 ++-
 content/.obsidian/workspace.json | 28 +++++-----
 content/notes/drafts/linux/index.md | 8 +++
 content/notes/ready/firewall.md | 87 +++++++++++++++++++++++++++++
 4 files changed, 116 insertions(+), 14 deletions(-)
 create mode 100644 content/notes/ready/firewall.md
diff --git a/content/.obsidian/app.json b/content/.obsidian/app.json
index 637902a..43e6a1b 100644
--- a/content/.obsidian/app.json
+++ b/content/.obsidian/app.json
@@ -1,5 +1,10 @@
 {
 "promptDelete": false,
 "tabSize": 2,
- "alwaysUpdateLinks": true
+ "alwaysUpdateLinks": true,
+ "spellcheckDictionary": [
+ "bruteforce"
+ ],
+ "spellcheck": false,
+ "vimMode": false
 }
\ No newline at end of file
diff --git a/content/.obsidian/workspace.json b/content/.obsidian/workspace.json
index 643a019..23a2c77 100644
--- a/content/.obsidian/workspace.json
+++ b/content/.obsidian/workspace.json
@@ -13,12 +13,12 @@
 "state": {
 "type": "markdown",
 "state": {
- "file": "TODO.md",
+ "file": "notes/ready/firewall.md",
 "mode": "source",
 "source": false
 },
 "icon": "lucide-file",
- "title": "TODO"
+ "title": "firewall"
 }
 }
 ]
@@ -78,7 +78,7 @@
 }
 ],
 "direction": "horizontal",
- "width": 300
+ "width": 200
 },
 "right": {
 "id": "f049c1d8215eafd9",
@@ -94,6 +94,7 @@
 "state": {
 "type": "backlink",
 "state": {
+ "file": "notes/ready/firewall.md",
 "collapseAll": false,
 "extraContext": false,
 "sortOrder": "alphabetical",
@@ -103,7 +104,7 @@
 "unlinkedCollapsed": true
 },
 "icon": "links-coming-in",
- "title": "Backlinks"
+ "title": "Backlinks for firewall"
 }
 },
 {
@@ -140,20 +141,21 @@
 "state": {
 "type": "outline",
 "state": {
+ "file": "notes/ready/firewall.md",
 "followCursor": false,
 "showSearch": false,
 "searchQuery": ""
 },
 "icon": "lucide-list",
- "title": "Outline"
+ "title": "Outline of firewall"
 }
 }
- ]
+ ],
+ "currentTab": 3
 }
 ],
 "direction": "horizontal",
- "width": 300,
- "collapsed": true
+ "width": 200
 },
 "left-ribbon": {
 "hiddenItems": {
@@ -167,8 +169,11 @@
 "table-editor-obsidian:Advanced Tables Toolbar": false
 }
 },
- "active": "ab03f7100c1ce0fb",
+ "active": "b73f137a8a755c19",
 "lastOpenFiles": [
+ "notes/drafts/linux/index.md",
+ "notes/ready/firewall.md",
+ "TODO.md",
 "_Templates/note.md",
 "drafts/nvim.md",
 "drafts/rust.md",
@@ -191,9 +196,6 @@
 "ready/diodes.md",
 "ready/encryption.md",
 "ready/flask.md",
- "ready/gdb.md",
- "ready/git.md",
- "ready/html.md",
- "ready/http.md"
+ "ready/gdb.md"
 ]
 }
\ No newline at end of file
diff --git a/content/notes/drafts/linux/index.md b/content/notes/drafts/linux/index.md
index f0452a3..019650d 100644
--- a/content/notes/drafts/linux/index.md
+++ b/content/notes/drafts/linux/index.md
@@ -9,6 +9,14 @@ title: Linux
 ---
 #todo
+## Automatic Updates
+
+### Debian
+
+```sh
+dpkg-reconfigure --priority=low unattended-upgrades
+```
+
 ## Troubleshooting
 - Read error logs from the last session
diff --git a/content/notes/ready/firewall.md b/content/notes/ready/firewall.md
new file mode 100644
index 0000000..51846f0
--- /dev/null
+++ b/content/notes/ready/firewall.md
@@ -0,0 +1,87 @@
+---
+title: Firewall [UFW]
+description:
+draft: false
+tags:
+ - linux
+ - tools
+ - security
+author: TrudeEH
+showToc: true
+---
+A firewall monitors and controls all incoming and outgoing network traffic, and can be implemented in the hardware or software level.
+
+## See All Open Ports
+
+All ports opened by a program, including those blocked by a firewall.
+
+```sh
+sudo ss -tupln
+```
+
+## Software Firewall (UFW)
+
+```sh
+# Enable the SSH port if it is being used
+sudo ufw limit 22/tcp # `limit` is used to prevent bruteforce
+
+# Set default connection settings
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+
+# Open ports for the services running
+sudo ufw allow 80/tcp # Web server 1
+sudo ufw allow 443/tcp # Web server 2
+
+# Check if UFW is running and is configurations
+sudo ufw status numbered
+
+# Delete an entry
+sudo ufw delete 2 # Number given by `status numbered`
+
+# Enable UFW
+sudo ufw enable
+```
+
+### Block Pings
+
+Blocking pings prevents hackers from quickly discovering the server. It is still possible to scan all ports on the server and eventually find any open one, but it adds another layer of security.
+
+```sh
+echo "-A ufw-before-input -p icmp --icmp-type echo-request -j DROP" >> /etc/ufw/before.rules
+```
+
+After running the command above, a reboot is required to apply the setting.
+
+## Fail2Ban
+
+Fail2Ban is a software solution to prevent bruteforce attacks. If an IP is detected to attempt login too many times or performs other unwanted actions, it is temporarily blocked.
+
+
+`/etc/fail2ban/jail.local`
+
+```toml
+[DEFAULT]
+ignoreip = 127.0.0.1/8 ::1
+bantime = 3600
+findtime = 600
+maxretry = 5
+
+[sshd]
+enabled = true
+
+[wordpress]
+enabled = true
+filter = wordpress
+logpath = /var/log/auth.log
+maxretry = 3
+port = http,https
+bantime = 300
+```
+
+After adding your services and tweaking the configuration file, start fail2ban with:
+
+```sh
+sudo systemctl enable fail2ban
+sudo systemctl start fail2ban
+```
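Review bot: The `echo "-A ufw-before-input ..." >> /etc/ufw/before.rules` line under Block Pings does not work as written: the `>>` redirection runs in the unprivileged shell (the line has no `sudo`, and `sudo echo` would not help), and even when run as root it appends the rule after the filter table's `COMMIT` line, where ufw's rule loading is likely to fail rather than apply it. The usual fix is to edit the existing `-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT` line in before.rules, change `ACCEPT` to `DROP`, and apply it with `sudo ufw reload` instead of the reboot the following paragraph calls for. In the UFW block, the comment `# Check if UFW is running and is configurations` reads better as `# Check whether UFW is running and show its configuration`. Under Fail2Ban, `filter = wordpress` relies on a `filter.d/wordpress.conf` that the stock fail2ban package does not appear to ship (it comes with a WordPress-side plugin), so the jail will fail to start unless that filter is installed; a sentence saying where the filter comes from would save readers a confusing error.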