1. Edit your APT sources list:
# nano /etc/apt/sources.list
============================================================
## Debian security updates:
deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free
## Debian.org:
deb http://ftp.debian.org/debian/ squeeze main contrib non-free
deb-src http://ftp.debian.org/debian/ squeeze main contrib non-free
============================================================
2. Now update the system:
#apt-get update
#apt-get upgrade
3. The server should keep its clock in sync with external time sources, so install NTP:
#apt-get install ntp ntpdate
4. Now install Apache2 and PHP5:
#apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-mysql php5-cli apache2-suexec libapache2-mod-suphp php-pear php5-suhosin php5-xcache
5. Enable the required Apache modules:
#a2enmod suexec rewrite ssl actions include
6. Restart Apache:
#service apache2 restart
7. Now install MySQL:
#apt-get install mysql-server mysql-client libmysqlclient15-dev
--------------------------------------------------------------------------------------------------
Optional: Install Support for Scripting:
---------------------------------------
The following commands install Apache support for server-side scripting in PHP, Ruby, Python,
and Perl. Support for these languages is optional based on your server environment.
To install Ruby support, issue the following command:
----------------------------------------------------
#apt-get install libapache2-mod-ruby
To install Perl support, issue the following command:
-----------------------------------------------------
#apt-get install libapache2-mod-perl2
To install Python support, issue the following command:
------------------------------------------------------
#apt-get install libapache2-mod-python
If you need support for MySQL in Python, you will also need to install Python MySQL support:
-------------------------------------------------------------------------------------------
#apt-get install python-mysqldb
=============================================================
Your PHP application may require additional dependencies included in Debian.
To check for available PHP dependencies run this command:
-------------------------------------------------------------
#apt-cache search php
The output of that command will show you a list of package names and descriptions.
To install them, issue the following command:
#apt-get install libapache2-mod-php5 php5 php-pear php5-xcache
To install the php5-suhosin package, which provides additional security for your PHP installation, issue the following command:
#apt-get install php5-suhosin
-------------------
TUNE UP PHP CONFIG:
-------------------
Once PHP5 is installed, you'll need to tune the configuration file located
in /etc/php5/apache2/php.ini to enable more descriptive errors, logging, and better performance.
# vim /etc/php5/apache2/php.ini
------------------------------------------------
max_execution_time = 30
memory_limit = 64M
error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
display_errors = Off
log_errors = On
error_log = /var/log/php.log
register_globals = Off
------------------------------------------------
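The settings above are only useful if they actually survive in php.ini (package upgrades can ship a fresh copy). The following is an added example, not code from the original guide: a small POSIX sh audit helper (hypothetical names php_ini_get and php_ini_audit) that reads a php.ini-style file and reports every directive from the list above that does not carry the hardened value.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not part of the original guide): reads a
# php.ini-style file and reports any of the directives tuned above that do
# not carry the hardened value.  Run it after editing php.ini and again after
# package upgrades, which may install a fresh php.ini.

# php_ini_get FILE KEY -> prints the effective value of KEY, i.e. the last
# uncommented "KEY = value" line (a later assignment overrides an earlier one
# in php.ini); prints nothing when the key is not set.
php_ini_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null |
        tail -n 1 |
        sed -e 's/^[^=]*=[[:space:]]*//' \
            -e 's/[[:space:]]*;.*$//' \
            -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/'
}

# php_ini_audit FILE -> one line per finding on stdout; exit status 0 when
# every checked directive matches the hardened value, 1 otherwise.
php_ini_audit() {
    file=$1
    rc=0
    # directive:expected pairs; values are compared case-insensitively and the
    # On/1/Yes and Off/0/No spellings PHP accepts are folded together.
    for pair in display_errors:off log_errors:on register_globals:off; do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(php_ini_get "$file" "$key" | tr 'A-Z' 'a-z')
        case "$got" in
            on|1|yes|true)  got=on ;;
            off|0|no|false) got=off ;;
            '')             got=unset ;;
        esac
        if [ "$got" != "$want" ]; then
            echo "$key: is '$got', expected '$want'"
            rc=1
        fi
    done
    # Without error_log, logged errors go to the web server's error log
    # instead of the dedicated file the guide sets up.
    if [ -z "$(php_ini_get "$file" error_log)" ]; then
        echo "error_log: not set, expected a writable log file path"
        rc=1
    fi
    return $rc
}

# Usage: php_ini_audit /etc/php5/apache2/php.ini
```

The exit status makes the helper usable from a cron job or a configuration-management post-hook: a non-zero status means the hardened values have drifted.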
=======================
Multi-Processing Module:
=======================
This multi-processing module can handle a large number of requests quickly by using multiple threads per worker process.
Install the mpm-itk module:
--------------------------
#apt-get install apache2-mpm-itk
Open the /etc/apache2/sites-available/example.net file for editing:
------------------------------------------------------------------
nano /etc/apache2/sites-available/example.net
Add the following lines to the file's <VirtualHost> block:
File excerpt:/etc/apache2/sites-available/example.net
======================================
<IfModule mpm_itk_module>
AssignUserId webeditor webgroup
</IfModule>
======================================
In this example I want this vhost to run as the user webeditor and group webgroup.
If the user and group do not exist yet, create them first (-s /bin/false gives the account no login shell):
# groupadd webgroup
# useradd -s /bin/false -d /home/webeditor -m -g webgroup webeditor
=======================================================
=======================================================
Note:
-----
If you would like to enable Perl support, add the following lines to the VirtualHost entry,
right above the closing </VirtualHost> tag:
File excerpt:/etc/apache2/sites-available/example.net
--------------------------
Options ExecCGI
AddHandler cgi-script .pl
--------------------------
=======================================================
=======================================================
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Configure Apache for Name-Based Virtual Hosting
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1. First we disable the default Apache virtual host:
# a2dissite default
2. Each virtual host needs its own configuration file in the /etc/apache2/sites-available/ directory.
Now we create one for example.net:
# vim /etc/apache2/sites-available/example.net
-------------------------------------------------------------
<VirtualHost *:80>
ServerAdmin webmaster@example.net
ServerName example.net
ServerAlias www.example.net
DocumentRoot /srv/www/example.net/public_html/
ErrorLog /srv/www/example.net/logs/error.log
CustomLog /srv/www/example.net/logs/access.log combined
</VirtualHost>
-------------------------------------------------------------
3. To host a second domain (example.org here), create a second file the same way:
# vim /etc/apache2/sites-available/example.org
-------------------------------------------------------------
<VirtualHost *:80>
ServerAdmin admin@example.org
ServerName example.org
ServerAlias www.example.org
DocumentRoot /srv/www/example.org/public_html/
ErrorLog /srv/www/example.org/logs/error.log
CustomLog /srv/www/example.org/logs/access.log combined
</VirtualHost>
--------------------------------------------------------------
4. Create the directories that hold the website files and the logs for example.net and example.org.
For example.net:
---------------
mkdir -p /srv/www/example.net/public_html
mkdir /srv/www/example.net/logs
For example.org:
---------------
mkdir -p /srv/www/example.org/public_html
mkdir /srv/www/example.org/logs
5. Finally, enable the added sites with the following commands:
# a2ensite example.net
# a2ensite example.org
6. Restart Apache for the changes to take effect:
# /etc/init.d/apache2 restart
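Steps 2 to 5 above, plus the mpm-itk AssignUserId block from the previous section, are the same few operations for every domain, so they are worth scripting. The following is an added example, not code from the original post: a POSIX sh helper with the hypothetical name mk_vhost that validates the domain name, creates the public_html and logs directories, writes a sites-available file in the same shape as the example.net block above, and optionally pins the vhost to a dedicated user and group. The WWW_ROOT and SITES_DIR environment overrides are my assumptions; their defaults match the guide's paths.

```shell
#!/bin/sh
# Added provisioning helper (hypothetical, not part of the original post).
#
# mk_vhost DOMAIN ADMIN_EMAIL [RUN_AS_USER RUN_AS_GROUP]
#   Creates <WWW_ROOT>/<DOMAIN>/{public_html,logs}, writes
#   <SITES_DIR>/<DOMAIN> and prints that path.  With a user and group the
#   vhost gets an mpm-itk AssignUserId block and, when run as root and the
#   account exists, ownership of its web root.
# Environment overrides (assumed names; defaults follow the guide):
#   WWW_ROOT   base directory for sites         (default /srv/www)
#   SITES_DIR  Apache sites-available directory (default /etc/apache2/sites-available)
mk_vhost() {
    domain=$1
    admin=$2
    run_user=${3:-}
    run_group=${4:-}
    www_root=${WWW_ROOT:-/srv/www}
    sites_dir=${SITES_DIR:-/etc/apache2/sites-available}

    # Accept only a plain hostname: no empty string, no characters outside
    # [A-Za-z0-9.-], no leading dot or dash, no "..".  This keeps a bad
    # argument from writing outside SITES_DIR or smuggling directives in.
    case "$domain" in
        ''|*[!A-Za-z0-9.-]*|.*|-*|*..*)
            echo "mk_vhost: refusing domain '$domain'" >&2
            return 2 ;;
    esac

    site_root=$www_root/$domain
    conf=$sites_dir/$domain
    mkdir -p "$site_root/public_html" "$site_root/logs" "$sites_dir"

    {
        printf '<VirtualHost *:80>\n'
        printf '    ServerAdmin %s\n' "$admin"
        printf '    ServerName %s\n' "$domain"
        printf '    ServerAlias www.%s\n' "$domain"
        printf '    DocumentRoot %s/public_html/\n' "$site_root"
        printf '    ErrorLog %s/logs/error.log\n' "$site_root"
        printf '    CustomLog %s/logs/access.log combined\n' "$site_root"
        if [ -n "$run_user" ]; then
            printf '    <IfModule mpm_itk_module>\n'
            printf '        AssignUserId %s %s\n' "$run_user" "$run_group"
            printf '    </IfModule>\n'
        fi
        printf '</VirtualHost>\n'
    } > "$conf"

    # Hand the web root to the per-site user so that user can manage its own
    # files; only attempted as root and only when the account already exists
    # (create it with groupadd/useradd as shown above).
    if [ -n "$run_user" ] && [ "$(id -u)" -eq 0 ] && id "$run_user" >/dev/null 2>&1; then
        chown -R "$run_user:$run_group" "$site_root" ||
            echo "mk_vhost: chown of $site_root failed" >&2
    fi
    echo "$conf"
}

# Usage, after creating the webeditor account:
#   mk_vhost example.net webmaster@example.net webeditor webgroup \
#       && a2ensite example.net && /etc/init.d/apache2 restart
```

Printing the config path lets the caller chain a2ensite and the restart behind the helper; the domain check is the part worth keeping even if the rest is adapted, since a vhost file name is also a path under /etc/apache2.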
/////////////////////////////////////////////////////////////////////////////
Special Commands:
----------------
1. If you want to enable a particular site:
# a2ensite example.com
2. If you want to disable a particular site:
# a2dissite example.com
3. If you want to enable a module:
# a2enmod rewrite
4. To disable a module that is currently enabled:
# a2dismod rewrite
/////////////////////////////////////////////////////////////////////////////
=====================================
SSL Support in Debian SQUEEZE (https)
=====================================
1. Install openssl
# apt-get install openssl ssl-cert (it will say already installed, as we did this above)
2. Generate a certificate (key and self-signed certificate go into the same file)
# openssl req -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem
[You are about to be asked to enter information that will be incorporated
into your certificate request.]
3. Set appropriate permissions (the file contains the private key)
# chmod 600 /etc/apache2/apache.pem
4. Enable SSL support
# a2enmod ssl (it will say already enabled, as we did this above)
5. Configure the SSL certificate for the virtual hosts in Apache2:
# vim /etc/apache2/sites-available/default
------------------------------------------------------------------------------
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
################## ALL THE VIRTUAL HOSTS ###############
NameVirtualHost 172.16.0.250:80
NameVirtualHost 172.16.0.250:443
<VirtualHost 172.16.0.250:80>
ServerName mithu.com
ServerAlias www.mithu.com
DocumentRoot /var/www
CustomLog /var/www/logs/mithu.log combined
ErrorLog /var/www/logs/mithu.log
</VirtualHost>
<VirtualHost 172.16.0.250:443>
ServerName mithu.com
ServerAlias www.mithu.com
DocumentRoot /var/www
CustomLog /var/www/logs/mithu.log combined
ErrorLog /var/www/logs/mithu.log
SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem
</VirtualHost>
<VirtualHost 172.16.0.250:80>
ServerName mehedi.com
ServerAlias www.mehedi.com
DocumentRoot /var/www/mehedi
CustomLog /var/www/logs/mehedi.log combined
ErrorLog /var/www/logs/mehedi.log
</VirtualHost>
<VirtualHost 172.16.0.250:443>
ServerName mehedi.com
ServerAlias www.mehedi.com
DocumentRoot /var/www/mehedi
CustomLog /var/www/logs/mehedi.log combined
ErrorLog /var/www/logs/mehedi.log
SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem
</VirtualHost>
==============================================================
6. Now restart our Apache web server using the following command:
# /etc/init.d/apache2 restart
//////////////////////////////////////////////////////////////////////////////
Special Note:
----------------
If we don't follow the above steps as described, phpmyadmin will not work
properly. (At least in my case I completely failed to load the default phpmyadmin page.)
//////////////////////////////////////////////////////////////////////////////
######################################################################
@@@@@@@ FULL IPTABLES SCRIPT FOR SERVER @@@@@@
######################################################################
#!/bin/sh
modprobe ip_conntrack
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe iptable_nat
# Flush and delete every chain before installing the new policy
# (a table must be flushed before -X can delete its user-defined chains).
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Default to dropping everything; each service below opens only what it needs.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Enable SSH. A source opening a second new SSH connection within 60 seconds is logged and dropped.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j LOG --log-level info --log-prefix "Anti SSH-Bruteforce: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ping (rate-limited on the way in)
iptables -A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s --limit-burst 5 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s --limit-burst 5 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
# Limit new TCP connections per source (SYN flood mitigation): more than 20 in 60 seconds are dropped.
# The --set rule only records the source; it must not ACCEPT, or every TCP port
# would be open regardless of the per-service rules below.
#iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A INPUT -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
iptables -A INPUT -p tcp -m state --state NEW -m recent --set
# Drop new connections that do not start with a SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop fragmented packets
iptables -A INPUT -f -j DROP
# Drop malformed XMAS packets (all flags set)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop NULL packets (no flags set)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Allow DNS (inbound throttled per source IP)
iptables -A INPUT -p tcp -i eth0 -m hashlimit \
--hashlimit-mode srcip --hashlimit-upto 100/m --hashlimit-burst 100 \
--hashlimit-name DNSTHROTTLE --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -m hashlimit \
--hashlimit-mode srcip --hashlimit-upto 100/m --hashlimit-burst 100 \
--hashlimit-name DNSTHROTTLE --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -m hashlimit \
--hashlimit-mode srcip --hashlimit-upto 100/m --hashlimit-burst 100 \
--hashlimit-name DNSTHROTTLE --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -m hashlimit \
--hashlimit-mode srcip --hashlimit-upto 100/m --hashlimit-burst 100 \
--hashlimit-name DNSTHROTTLE --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --sport 53 -j ACCEPT
# Allow HTTP & HTTPS with rate limiting (-I puts these at the top of INPUT)
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sport 80,443 -j ACCEPT
# Allow FTP with rate limiting
iptables -I INPUT -p tcp --dport 20 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 20 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
iptables -I INPUT -p tcp --dport 21 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
iptables -A INPUT -p tcp -i eth0 -m multiport --dports 20,21 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 -m multiport --sport 20,21 -j ACCEPT
# Allow dynamic ports (needed for apt-get update/upgrade and other downloads).
# Commented out by default: while active, every high port on the server is
# reachable from outside. Uncomment the following lines only while needed.
#iptables -A INPUT -p tcp -i eth0 --dport 1024:65535 -j ACCEPT
#iptables -A OUTPUT -p tcp -o eth0 --sport 1024:65535 -j ACCEPT
#iptables -A INPUT -p udp -i eth0 --dport 1024:65535 -j ACCEPT
#iptables -A OUTPUT -p udp -o eth0 --sport 1024:65535 -j ACCEPT
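The HTTP, HTTPS, FTP and SYN-limit rules in the script above all use `-m recent` without `--name`, so they share the module's DEFAULT list: a source's new connections to port 80 are counted against the four-per-minute threshold on port 443, and vice versa. The following is an added example, not part of the original script: a POSIX sh helper (hypothetical name rate_limited_service) that emits the same set/log/drop/accept pattern the SSH block uses, but with one named list per port, so each service is throttled on its own counter. The IPT variable (an assumption) lets the rules be printed instead of loaded, which is how the block is reviewed before it touches a live firewall; eth0 is the interface name used throughout the page.

```shell
#!/bin/sh
# Added helper (hypothetical, not part of the original script): per-service
# "recent" rate limiting on a dedicated list, mirroring the SSH rules above.
#
# IPT defaults to iptables; set IPT to a function or command that only prints
# its arguments to review the generated rules without loading them.
IPT=${IPT:-iptables}

# rate_limited_service PORT HITCOUNT SECONDS [IFACE]
#   A source that opens HITCOUNT or more new connections to PORT within
#   SECONDS is logged and then dropped; below that the connection is accepted
#   and replies from PORT are allowed out.  Each port gets its own list
#   (SVC<port>) so counts never bleed between services.
rate_limited_service() {
    port=$1 hits=$2 secs=$3 iface=${4:-eth0}
    for n in "$port" "$hits" "$secs"; do
        case "$n" in
            ''|*[!0-9]*) echo "rate_limited_service: '$n' is not a number" >&2; return 2 ;;
        esac
    done
    list="SVC$port"
    # 1. record the source for this port only (no target: rule just records)
    $IPT -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW \
        -m recent --set --name "$list"
    # 2. log, then 3. drop, once the per-source hit count is reached
    $IPT -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW \
        -m recent --update --seconds "$secs" --hitcount "$hits" --rttl --name "$list" \
        -j LOG --log-level info --log-prefix "Rate-limit port $port: "
    $IPT -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW \
        -m recent --update --seconds "$secs" --hitcount "$hits" --rttl --name "$list" -j DROP
    # 4. everything else for this port is accepted; 5. replies may leave
    $IPT -A INPUT -i "$iface" -p tcp --dport "$port" -j ACCEPT
    $IPT -A OUTPUT -o "$iface" -p tcp --sport "$port" -j ACCEPT
}

# Run as "sh thisfile.sh apply" (after the DROP policies and loopback rules
# of the main script) to load the page's thresholds on separate lists.
if [ "${1:-}" = apply ]; then
    rate_limited_service 22 2 60
    rate_limited_service 80 10 60
    rate_limited_service 443 4 60
    rate_limited_service 21 3 60
fi
```

Reviewing the output with a printing IPT before loading is the cheap check that the thresholds and list names are what you expect; the log prefix also makes the throttled port visible in the kernel log, which the original shared-list rules do not provide.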
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////