
Re: Fail2Ban Question: Can I do this without restarting the service?



On 8/17/2018 6:50 PM, cyaiplexys wrote:
On 08/17/2018 10:55 AM, Dave Sherohman wrote:
On Thu, Aug 16, 2018 at 02:07:02PM -0400, cyaiplexys wrote:
See, that all is way over my head. I don't understand this stuff as I'm
pretty much a total beginner in this.

OK, fair enough.  Let's see what help I can offer.

Greatly appreciated. :)

Does Debian and Debian based systems have the firewall installed and
running by default?

No.  For general-purpose firewalling, I would suggest installing ufw
(`sudo apt-get install ufw`), as it's much simpler to manage than using
iptables (the underlying firewall control scheme used by both ufw and
fail2ban to communicate with the kernel) directly.

After installing ufw, the following commands should get you started (all
of them need to be run with sudo or from a root shell):

If I'm following you so far, ufw is a firewall like iptables? Or a replacement for iptables?


No -- ufw is a "front end" to iptables.
Ufw is easy to configure and will translate to a format understood by iptables.

In other words, "iptables" is the firewall and UFW, Shorewall ... allow you to control that wall between you and the internet.

Also, a server without firewall capability should never be facing the internet.

ufw allow to any port 22 from [your IP address] proto tcp
(If you're using ssh to connect to the server, you *must* do this one
before enabling the firewall, or else you'll lock yourself out.

I *never ever* use port 22 for ssh. I pick some random port that I know isn't going to be used for anything else on the server and set ssh to use that port instead. How do I set ufw to use the ssh port of my choosing?


In the following line, change 22 to the port of your liking.

ufw allow to any port 22 from [your IP address] proto tcp

Also, port numbers are codified.
I would suggest you stick with that codification.

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

 > If you need to connect with ssh from multiple addresses, you can
 > either run it multiple times with different addresses, or specify a
 > network in CIDR notation.)

That's not going to be possible to determine. I and the other admin (who also doesn't know about this stuff) both connect remotely via ssh and we both have dynamic IPs that are set (and changed) periodically (and at times we have no idea) by our ISP. Neither of us can afford a static IP to our homes.

ufw enable
(Starts the firewall.)

ufw logging off
(...because it will otherwise flood your logs with reports of pretty
much every packet received on the network interface.)

ufw allow 80,443/tcp
(Opens port 80 (http) and 443 (https) for connections from anywhere on
the internet.)
 > Repeat the last one with the appropriate port numbers for any other
 > service that you want to make publicly available.

Can I do this too?

ufw deny 22/tcp # Deny connection to port 22 (ssh default port)
ufw allow [new-ssh-port]/tcp # Allow connection to new chosen ssh port


In general, any ports that are not opened are closed!

Note that I don't know ufw or iptables per se.

--
John Doe
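As an added example, not part of the thread: a POSIX shell script that reads the ssh port from sshd_config text, validates it, and prints the ufw commands from the thread in an order that allows the new ssh port before `ufw enable` (so you are not locked out), then denies the default port 22 and opens 80/443. The function names and the sample sshd_config are constructed; the script only prints the commands, it does not run ufw, and the source-address restriction is optional because the admins in the thread have dynamic IPs.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the ufw command sequence for a
# non-default ssh port in a safe order: allow ssh first, enable the firewall,
# then deny port 22 and open the web ports. It prints the commands instead of
# running them; review the output, then run it as root with ufw installed.

# Read the "Port" directive from sshd_config text on stdin (22 if absent).
sshd_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }'
}

# Accept only an integer TCP port in 1..65535.
valid_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ufw commands for ssh on port $1. Optional $2 is a source address
# or CIDR; leave it out when, as in the thread, the admins have dynamic IPs.
ufw_plan() {
    port=$1
    src=${2:-}
    valid_port "$port" || { echo "invalid ssh port: $port" >&2; return 1; }
    echo "ufw default deny incoming"          # anything not opened is closed
    if [ -n "$src" ]; then
        echo "ufw allow to any port $port from $src proto tcp"
    else
        echo "ufw allow $port/tcp"
    fi
    echo "ufw enable"                          # ssh rule exists, so no lock-out
    echo "ufw logging off"
    if [ "$port" -ne 22 ]; then
        echo "ufw deny 22/tcp"                 # close the default ssh port
    fi
    echo "ufw allow 80,443/tcp"
}

# Constructed sshd_config sample standing in for /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG='# constructed sample
Port 2222
PermitRootLogin no'

ufw_plan "$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_port)"
```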
