
Re: Share some iptables configuration options

Not sure if I am allowed to post here, but

I am looking for an iptables config that will try to stop brute force IMAP logins.

Is there a way I can put a time limit on the number of attempts that an IP has to log into the IMAP port and block the address if it's exceeded?

Many thanks in advance.

Comments

  • mfillpot
    mfillpot Posts: 2,177
    This is my old firewall script with the comments included; this simple one worked pretty well.

    Since then I have made a much more complicated and modular one; I will share that when it is complete.
    #!/bin/bash
    ########################################################
    # START THE FIREWALL SCRIPT                            #
    ########################################################
    
    
    # Flush the current rules
    iptables -F
    
    # Block all forwarding
    iptables -A FORWARD -s 0/0 -j DROP
    
    # Allow all input into loopback
    iptables -A INPUT -i lo -j ACCEPT
    
    # Allow 4 pings per minute to block ping DOS attacks
    iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/m -j ACCEPT
    
    # Allow all echo replies including destination unreachable and time exceeded
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    
    # Block all other icmp traffic
    iptables -A INPUT -p icmp -j DROP
    
    # Allow all response traffic
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # block all other incoming traffic
    iptables -A INPUT -j DROP
    
    # Display confirmation message
    RED=$'\e[31;01m'
    NORMAL=$'\e[0m'
    echo "${RED}Firewall Started.....${NORMAL}"
    
  • mfillpot
    mfillpot Posts: 2,177
    That is a nice addition; that can be useful to work with the invalid attempt option in sshd to prevent break-ins.
  • mfillpot
    mfillpot Posts: 2,177
    I am not fully versed in the communication methods and ports used for IMAP communication, but if you can pin down the basic packet structure of IMAP logins then you can develop an iptables rule to accomplish your task.
  • I think the best way to prevent brute force attacks on your logins on any service is not in the firewall; try using PAM modules. For SSH try pam-abl (http://tech.tolero.org/blog/en/linux/ssh-password-brute-force-protection).
  • mfillpot
    mfillpot Posts: 2,177
    The PAM option is definitely a good recommendation; in general I prefer to avoid PAM because of the frequency with which vulnerabilities are discovered.
  • roobal
    roobal Posts: 25
    I don't know whether you'd like firewall settings for servers or desktops, but I think that for desktops these simple rules are enough:
    iptables -F
    
    # Security policy
    
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    
    # Accept loopback in both directions (the OUTPUT policy below is DROP,
    # so the outgoing side of lo needs an explicit accept too)
    
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # Incoming and forward rules
    
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Outgoing rules
    
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    

    If someone wants, they can also log traffic and attack attempts :)
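    An added example, not code from any poster in this thread, that does what the original question asks and adds the logging roobal mentions. It uses the iptables "recent" module to count new TCP connections per source address to the IMAP ports and drops further connections from a source that exceeds a threshold within a time window; the ports (143 and 993), the window (60 seconds), the threshold (4 connections) and the list name "imap" are assumptions chosen here. The rules are meant to be appended to a ruleset like roobal's, where the INPUT policy is DROP (or ahead of a final "iptables -A INPUT -j DROP"), and the IPTABLES variable allows a dry run that prints the commands instead of applying them.

```shell
#!/bin/bash
# Added example (not from any poster in this thread): rate-limit new IMAP
# connections per source IP with the iptables "recent" module.
# Assumptions: IMAP on 143, IMAPS on 993, 60 second window, 4 connections,
# and an INPUT policy of DROP for everything these rules do not accept.
# Set IPTABLES=echo to print the commands instead of applying them.

IPTABLES="${IPTABLES:-iptables}"
IMAP_PORTS="${IMAP_PORTS:-143,993}"
SECONDS_WINDOW="${SECONDS_WINDOW:-60}"
HITS="${HITS:-4}"

imap_bruteforce_rules() {
    # Match only new connections to the IMAP ports; established sessions
    # are already handled by the ESTABLISHED,RELATED rule in the base ruleset
    local match="-p tcp -m multiport --dports $IMAP_PORTS -m conntrack --ctstate NEW"

    # 1. Record the source address in the "imap" list and keep walking the chain
    "$IPTABLES" -A INPUT $match -m recent --name imap --set

    # 2. If this source already made HITS new connections within SECONDS_WINDOW,
    #    log it, at most 5 lines per minute so the log itself cannot be flooded...
    "$IPTABLES" -A INPUT $match -m recent --name imap --update \
        --seconds "$SECONDS_WINDOW" --hitcount "$HITS" \
        -m limit --limit 5/min -j LOG --log-prefix "IMAP brute force: "

    # 3. ...and drop the connection. --update refreshes the timestamp, so a
    #    source that keeps hammering stays blocked until it is quiet for SECONDS_WINDOW
    "$IPTABLES" -A INPUT $match -m recent --name imap --update \
        --seconds "$SECONDS_WINDOW" --hitcount "$HITS" -j DROP

    # 4. Anything under the limit is an ordinary new IMAP connection
    "$IPTABLES" -A INPUT $match -j ACCEPT
}

# Number of rules the function emits, computed from a dry run
imap_rule_count() {
    ( IPTABLES=echo; imap_bruteforce_rules ) | wc -l | tr -d ' '
}

# Usage: sudo ./imap-limit.sh apply   installs the rules
#        ./imap-limit.sh              dry run, prints the rules
if [ "${1:-}" = "apply" ]; then
    imap_bruteforce_rules
else
    ( IPTABLES=echo; imap_bruteforce_rules )
fi
```

    Two things to keep in mind with this approach. The firewall only sees TCP connections, not whether a login succeeded or failed, so it throttles connection rate rather than failed logins; that is why the PAM suggestion earlier in the thread is the more precise tool, and the two can be combined. Also, mail clients commonly open several IMAP connections at once (one per folder being synchronised), so a threshold of 4 may block legitimate users; raise HITS or widen the window after watching the "IMAP brute force:" log lines for a while.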
  • mfillpot
    mfillpot Posts: 2,177
    Thank you for the script, roobal; your submission is simple and clean, which makes it perfect for new users.
