3/3: Hardening the Remote Container.

Or: Running Firewall and Intrusion Prevention Servers.

Firewalls and intrusion prevention servers are used to defend my systems from attacks. The following tools, and others like CrowdSec, are foundational to protecting my systems from the barrage of targeted, brute-force, and DDoS aggression.

NOTE: It is best practice to also use other layers of protection like Cloudflare.

Prerequisites.

Enabling, and Setting Up, UFW.

Yes, the Uncomplicated FireWall was installed on the homelab system. This time, I am installing the "hardening" tools within this container.

  • From the homelab terminal (CTRL + ALT + T) connected to the container, I check the UFW status:
sudo ufw status
  • I enable the UFW:
sudo ufw enable
  • I install a UFW rule:
sudo ufw allow from 192.168.?.?

NOTE: I use ip a in my workstation terminal to find my IP address. I replace the IP address above with the actual address for the workstation, e.g. 192.168.188.41.

  • I check the status of the UFW and list the rules by number:
sudo ufw status numbered

NOTE 1: UFW will, by default, block all incoming traffic, including SSH and HTTP.

NOTE 2: I will update the UFW rules as I deploy other services to the container.

  • I delete a UFW rule by number if needed:
sudo ufw delete 1
  • I disable UFW if needed:
sudo ufw disable

Now that the UFW is set up, let's install another tool for hardening a system: Fail2Ban.

Attribution:
digitalocean.com

Installing, and Setting Up, Fail2Ban.

Fail2Ban protects Linux systems against many security threats, such as dictionary, DoS, DDoS, and brute-force attacks.

  • From the homelab terminal (CTRL + ALT + T) connected to the container, I install Fail2Ban:
sudo apt install fail2ban -y
  • I copy the jail.conf file as jail.local:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • I open the jail.local file in Nano:
sudo nano /etc/fail2ban/jail.local
  • I change a few (SSH-centric) settings in the jail.local file, then I save those changes, and exit the Nano editor:
[DEFAULT]
⋮
bantime = 1d
maxretry = 3
⋮
[sshd]
enabled = true
port = ssh,22
  • I restart Fail2Ban:
sudo systemctl restart fail2ban
  • I check the status of Fail2Ban:
sudo systemctl status fail2ban
  • I enable Fail2Ban to autostart on boot:
sudo systemctl enable fail2ban
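
Because jail.local starts as a full copy of jail.conf, it is easy to edit a commented-out line or the wrong section. The following added example (not part of the original post) reads one jail file section by section and checks the three settings changed above. The function names jail_get, audit_jail and make_sample are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: print the value FILE assigns to KEY inside [SECTION].
# Only FILE is read; Fail2Ban itself also merges jail.conf and jail.d/*.
jail_get() {  # usage: jail_get FILE SECTION KEY
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                    # commented-out settings do not count
        /^[ \t]*\[.*\][ \t]*$/ {                  # section header such as [sshd]
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            next
        }
        sec == want {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                 # a later assignment overrides an earlier one
        }
        END { if (val != "") print val }
    ' "$1"
}

# Check the three settings changed in the steps above; one line per mismatch.
audit_jail() {  # usage: audit_jail FILE ; returns 0 only when all three match
    rc=0
    [ "$(jail_get "$1" DEFAULT bantime)" = "1d" ] || { echo "[DEFAULT] bantime is not 1d"; rc=1; }
    [ "$(jail_get "$1" DEFAULT maxretry)" = "3" ] || { echo "[DEFAULT] maxretry is not 3"; rc=1; }
    [ "$(jail_get "$1" sshd enabled)" = "true" ] || { echo "[sshd] is not enabled"; rc=1; }
    return "$rc"
}

# Constructed sample resembling an edited jail.local (not taken from a real system).
make_sample() {
    cat <<'EOF'
[DEFAULT]
# bantime = 10m
bantime = 1d
maxretry = 3
[sshd]
#enabled = false
enabled = true
port = ssh,22
[apache-auth]
maxretry = 5
EOF
}
# With a path argument, audit that file (for example /etc/fail2ban/jail.local).
[ "$#" -eq 0 ] || audit_jail "$1"
```

After the restart, sudo fail2ban-client status sshd confirms that the running service has actually loaded the sshd jail.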

Now that I have hardened the container, it is time to return to the original post.

And remember: Be safe, be kind, be awesome.