The most vulnerable part of a server, from a hacker's point of view, is its services.
Each service runs as a process, and each service either listens on a port or doesn't.
Common services that need ports are FTP, DNS, Samba, Apache, mail, SSH and so on.
Every open port is an exposure: if the service behind it is not up to date, there's no guarantee it won't be exploited at some point.
The solution is to block the ports you don't use and shut down the services that are not in use.
So let's say I've blocked all the ports I don't use on my server, but some ports I MUST keep open so I can get into the server for maintenance: 21 (FTP) and 22 (SSH). I don't want to leave them open all the time so that some so-called "hackers" can brute-force my server.
My first solution is to open them to only one specific static IP: only that IP can access my server and everything else is dropped!
Something like:
My PC -------------> Proxy IP --------------> My server, which is a "one way ticket".
I would recommend keeping only the HTTP port (80) open if you are running a web service. Other ports you may want to keep open are Domain (53) and Mail (25); close them if you're using free DNS.
So the plan is: block all the ports I don't use, keep port 80 open to the world, and open port 22 to only one IP and deny the rest.
My favorite firewall is ufw; it simplifies the iptables rules.
I don't think I need to walk you through installing ufw if you're interested enough in this post to protect your server, but if you do have trouble installing ufw, just give me a shout here.
To close a port, eg port 110:
root@linux:~# ufw deny 110
To allow port 22 from only one IP, eg 192.168.0.4:
root@linux:~# ufw allow from 192.168.0.4 to any port 22
To allow port 80 to the world:
root@linux:~# ufw allow 80
You may specify multiple ports (comma separated list); ufw requires the protocol when you list several ports:
root@linux:~# ufw allow 80,443/tcp
I've denied everything except port 80 (to the world) and port 22 (to IP 192.168.0.4 only).
Now look at the rules:
root@linux:~# ufw status
Status: active
To      Action   From
--      ------   ----
3306    DENY     Anywhere
25      DENY     Anywhere
110     DENY     Anywhere
143     DENY     Anywhere
443     DENY     Anywhere
993     DENY     Anywhere
995     DENY     Anywhere
20      DENY     Anywhere
53      DENY     Anywhere
80      ALLOW    Anywhere
21      ALLOW    192.168.0.4
22      ALLOW    192.168.0.4
21      DENY     Anywhere
22      DENY     Anywhere
or run
root@linux:~# iptables -L
to see the actual details.
The most important thing here is to ALLOW the IP 192.168.0.4 BEFORE you deny the rest. Rules are matched in order, so if you put the deny first the firewall hits the deny rule and "denies" you before it ever reaches the "allow".
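A quick way to catch that ordering mistake, added here as an example and not part of the original post: the script below parses a pasted ufw status listing (constructed from the one shown above, plus a deliberately wrong one) and flags any port whose host-specific ALLOW sits below a DENY Anywhere and therefore never matches.

```sh
#!/bin/sh
# Added example: check a "ufw status" listing for the ordering mistake the post
# warns about. For every port that has both an ALLOW from a single host and a
# DENY from Anywhere, the ALLOW line must come first, because ufw (like the
# iptables chain it generates) stops at the first matching rule.
# Constructed input: the IPv4 part of the status listing from the post.
SAMPLE_STATUS='Status: active
To Action From
-- ------ ----
3306 DENY Anywhere
80 ALLOW Anywhere
21 ALLOW 192.168.0.4
22 ALLOW 192.168.0.4
21 DENY Anywhere
22 DENY Anywhere'

# Constructed wrong listing: DENY Anywhere on 22 comes before the ALLOW.
BAD_STATUS='Status: active
To Action From
-- ------ ----
22 DENY Anywhere
22 ALLOW 192.168.0.4'

# check_order LISTING -> prints "ok", or "shadowed <port>" for each port whose
# host-specific ALLOW is placed after a DENY Anywhere (and is therefore dead).
# Only lines whose second column is ALLOW/DENY are inspected, so headers and
# the differently laid-out "(v6)" lines of a real listing are skipped.
check_order() {
  printf '%s\n' "$1" | awk '
    ($2 == "ALLOW" || $2 == "DENY") {
      port = $1; action = $2; from = $3
      if (action == "DENY" && from == "Anywhere") denied[port] = NR
      if (action == "ALLOW" && from != "Anywhere" && (port in denied) && denied[port] < NR) {
        print "shadowed " port; bad = 1
      }
    }
    END { if (!bad) print "ok" }'
}

check_order "$SAMPLE_STATUS"   # ok
check_order "$BAD_STATUS"      # shadowed 22
```

Feed it the output of `ufw status` from your own server to confirm nothing is shadowed before you log out.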
OK, the first solution is done. The question is: what if your second server, 192.168.0.4, is in a remote location and is down, or you are somewhere else? You want to get into the server, but the only way in is shut, you have no access to 192.168.0.4, and only port 80 is open, so there's no chance to get in.
Well, let's get into the server through port 80.

Think about what a cron job could do. I thought: what if I can get cron to open and shut the port for me when I want?
To do this via port 80 I need Apache and PHP enabled.
To get cron to run
sh /path/to/file/has/commad.sh
I open the cron table by typing in the CLI:
root@linux:~# crontab -e
Remember you must be root for this cron job, since opening ports is something a normal user has no privileges to do.
To get cron to run it every 5 minutes:
*/5 * * * * sh /path/to/file/has/commad.sh
Change it if you want it to run every minute.
If you want to keep a log of it:
*/5 * * * * sh /path/to/file/has/commad.sh >> /var/log/opensesami.log 2>&1
If you don't want a log, just point it at the "black hole", /dev/null:
*/5 * * * * sh /path/to/file/has/commad.sh >> /dev/null 2>&1
Exit and save the crontab.
Now all I need is to write to the /path/to/file/has/commad.sh file to tell ufw which port I want open.
To do this I have to change its permissions so the web server can read and write it:
root@linux:~# chmod 777 /path/to/file/has/commad.sh
OK, now create a PHP file on my website, which is hosted on this same server, to write to that file. Now things are getting clearer for you.
I call it secrete.php.
File: secrete.php
<?php
// Path of the script that the root cron job executes every few minutes.
$fn = "/path/to/file/has/commad.sh";
// "start=1" in the query string means the form has just been submitted.
$start = isset($_GET["start"]) ? $_GET["start"] : 0;
// Current contents of the script, escaped so they can be shown in the textarea.
$content1 = file_exists($fn) ? htmlspecialchars(implode("", file($fn))) : "";
if ($start == 1) {
    // Overwrite the script with whatever was typed into the form.
    $content = isset($_POST['content']) ? stripslashes($_POST['content']) : "";
    $fp = fopen($fn, "w") or die("Error opening file in write mode!");
    fputs($fp, $content);
    fclose($fp) or die("Error closing file!");
    // Back to the form, which now shows the new contents.
    header("Location: secrete.php");
    exit;
} else {
    echo "
<form action='./secrete.php?start=1' method='post'>
<textarea rows='5' cols='40' name='content'>$content1</textarea><br>
<input type='submit' value='Add'>
</form>
";
}
?>
OK, place this file somewhere safe on your website so you can reach it from your web browser, eg: secrete/secrete.php. I would recommend protecting the directory with a password (.htaccess), because anyone who can submit this form gets their text executed by root.
Now all you have to do is go to your website and type in the command for cron to execute. Example, I want to open port 22:
/usr/sbin/ufw allow 22
To deny it again:
/usr/sbin/ufw deny 22
OK, that's it. Just sit there for 1 minute, wait for the port to open, and get in.
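The command file above is world-writable and executed by root, so whatever lands in it (through the form, or from any local account on the box) runs as root. The script below is an added example, not from the original post: a replacement for commad.sh that reads a one-line request such as "allow 22" from a plain data file (REQUEST_FILE and the path under /var/lib are assumed placeholders), accepts only allow/deny plus a numeric port, and calls ufw itself, so the PHP page only ever needs to write that one request line instead of shell code.

```sh
#!/bin/sh
# Added example (not from the post): a validating version of the cron-run
# script. The web form writes a one-line request ("allow 22" / "deny 22") to a
# plain data file; this script, run by root from cron, acts only on requests
# that match a strict pattern. Anything else is logged and ignored.
# Assumed placeholder paths; override them via the environment if needed.
REQUEST_FILE="${REQUEST_FILE:-/var/lib/opensesami/request}"
UFW="${UFW:-/usr/sbin/ufw}"

# validate_request LINE -> prints "ACTION PORT" if LINE is exactly
# "allow <port>" or "deny <port>" with 1 <= port <= 65535; returns 1 otherwise.
validate_request() {
  line=$(printf '%s' "$1" | tr -d '\r')
  case "$line" in
    allow\ [0-9]*|deny\ [0-9]*) ;;
    *) return 1 ;;
  esac
  action=${line%% *}
  port=${line#* }
  # Reject anything after the port: "allow 22; reboot", "allow 22 23", etc.
  case "$port" in
    *[!0-9]*) return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  printf '%s %s\n' "$action" "$port"
}

# apply_request: read one request, validate it, run ufw, and clear the file so
# the same request is not re-applied on every cron run.
apply_request() {
  [ -s "$REQUEST_FILE" ] || return 0
  req=$(head -n 1 "$REQUEST_FILE")
  : > "$REQUEST_FILE"
  if parsed=$(validate_request "$req"); then
    set -- $parsed
    "$UFW" "$1" "$2"
  else
    logger -t opensesami "rejected request: $req"
    return 1
  fi
}
```

With this in place the request file can be owned by the web server user with mode 600, and commad.sh itself stays owned by root and not writable by anyone else.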
You might be wondering: if both of these solutions fail, you have NO WAY to get in.
Then the THIRD solution is to just let the server do the job itself, opening and closing ports as you wish!
How?
Well, if you've gone this far, I'm sure you can think of the THIRD solution. If not, give me a shout and I'll write the THIRD solution up here.
I'm not trying to hide it; it's just that I don't have much time. I'll continue when I do.

Or, if you think your THIRD solution is even better, share it here so that people can experiment.
Thanks for your time.