IPTables GeoIP, Port Knocking and Port Scan Detection
Here's a quick tutorial on how to enable extra IPTables functionality such as "GeoIP", "Port Knocking" and "Port Scan Detection" with modules provided by xtables-addons
. See the full list of available modules.
Note 1: Can be used on dedicated servers or any KVM- or Xen-based VPS. Does NOT work on OpenVZ VPS due to its limitations.
Note 2: If you upgrade your server's Linux kernel later, you must first comment out the relevant IPTables rules, reboot the server, then compile and install xtables-addons
again before re-enabling those rules.
Check the project website of xtables-addons
for the latest versions. Note that if your server's Linux kernel version is older than 3.7 (including 2.6.x), use xtables-addons
version 1.47.1.
See separate instructions below for Ubuntu/Debian and CentOS/RHEL. Credit goes to this HowToForge tutorial and comments, which I used as a reference.
Pre-install steps for Ubuntu/Debian:
Update package index and install required software:
apt-get update apt-get install iptables-dev libtext-csv-xs-perl linux-headers-`uname -r` \
build-essential pkg-config automake wget xz-utils unzip zip
Note: If you use Proxmox, install the kernel headers package with:
apt-get install pve-headers-`uname -r`
Now you can go directly to the install steps.
Pre-install steps for CentOS/RHEL:
First, update your server's Linux kernel and reboot. Note for Linode users: Please enable GRUB and use a CentOS-provided kernel.
# (Recommended) Update all software including the kernel: yum update # Or, update the Linux kernel only: yum update kernel # DigitalOcean users should change kernel settings in the Control Panel, # then power off the droplet and power it on again. Please see: How to update a DigitalOcean server's kernel # For Non-DigitalOcean servers, just reboot: reboot
To avoid issues with xtables-addons
, SELinux must be disabled. Check the current status with sestatus
. It should say:
# sestatus SELinux status: disabled
Otherwise, we need to disable it before proceeding:
setenforce 0 sed -i 's|SELINUX=enforcing|SELINUX=disabled|' /etc/selinux/config
Proceed to install some required software:
yum install gcc gcc-c++ make automake \
iptables-devel wget nano unzip zip xz
Install the kernel source package that matches the running kernel:
yum install kernel-devel-`uname -r`
It is OK if you see "Package already installed". But if the above command fails with "No package available", try these additional steps.
Next, enable the EPEL repository. Required for CentOS/RHEL 6.x users.
yum install epel-release
Finally, install the package perl-Text-CSV_XS
:
yum install perl-Text-CSV_XS
Install steps for both Ubuntu/Debian and CentOS/RHEL:
Create and switch to working directory:
mkdir -p /opt/src cd /opt/src
For CentOS/RHEL 6.x and Proxmox 3, the following workaround is required:
sed -i "s|#define CONFIG_IP6_NF_IPTABLES_MODULE 1|/* #define CONFIG_IP6_NF_IPTABLES_MODULE 1 */|" /lib/modules/`uname -r`/build/include/linux/autoconf.h # After the install succeeds, you may remove the workaround with: # sed -i "s|/\* #define CONFIG_IP6_NF_IPTABLES_MODULE 1 \*/|#define CONFIG_IP6_NF_IPTABLES_MODULE 1|" /lib/modules/`uname -r`/build/include/linux/autoconf.h
Download the xtables-addons
source:
# IMPORTANT: Check your server's Linux kernel version with uname -r # Define the base URL for downloading from SourceForge base_url=http://sourceforge.net/projects/xtables-addons/files/Xtables-addons # Choose ONE from these commands based on the kernel version. # For Linux kernels < 3.7 (including 2.6.x): wget -t 3 -T 30 -qO- $base_url/xtables-addons-1.47.1.tar.xz | tar xJv # Otherwise, if kernel version >= 3.7: wget -t 3 -T 30 -qO- $base_url/xtables-addons-2.12.tar.xz | tar xJv
Compile and install xtables-addons
:
cd xtables-addons-* ./configure make && make install depmod
Fetch and build the GeoIP database:
cd geoip/ ./xt_geoip_dl ./xt_geoip_build GeoIPCountryWhois.csv mkdir -p /usr/share/xt_geoip/ cp -r {BE,LE} /usr/share/xt_geoip/
Now test the GeoIP module. If no error, then the install was successful.
iptables -I INPUT -m geoip --src-cc US iptables -D INPUT -m geoip --src-cc US
If you use the geoip
module, don't forget to update its database monthly from MaxMind. Here's an example update script and cron job.
To use port scan detection, here's an example IPTables rule:
-A INPUT -m psd --psd-weight-threshold 15 --psd-hi-ports-weight 3 -j DROP
Explanation: For incoming packets from any single host, if at least 5 ports on your server are hit within 3 seconds (default delay), then treat it as a port scan and drop further packets. The parameters are all customizable.
The following is from the manual page of xtables-addons
:
psd Attempt to detect TCP and UDP port scans. This match was derived from Solar Designer’s scanlogd. --psd-weight-threshold threshold Total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence. --psd-delay-threshold delay Delay (in hundredths of second) for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence. --psd-lo-ports-weight weight Weight of the packet with privileged (<= 1024) destination port. --psd-hi-ports-weight weight Weight of the packet with non-priviliged destination port.
Here are the default values for these parameters:
weight-threshold: 21, delay-threshold: 300 lo-ports-weight: 3, hi-ports-weight: 1
If you use this psd
module and change your SSH port to a non-standard one (e.g. generate a random port at random.org), it would be more difficult for an attacker to discover the new port by port scanning. Technically, you can pick any port between 1 and 65535. However, some people argue that choosing a port less than 1024 could potentially enhance server security.
Besides geoip
and psd
, the pknock
module is for easy port knocking, and tarpit
is for keeping TCP connections "open" to waste an attacker's resources (someone even used it to "defend against" DDoS). To view detailed usage instructions for all modules, run man xtables-addons
after install, or browse to this online manual.