3/3: Hardening the Remote Container.
Or: Running Firewall and Intrusion Prevention Servers.

Thank you for reading this post.
My name is Brian and I'm a developer from New Zealand. I've been interested in computers since the early 1990s. My first language was QBASIC. (Things have changed since the days of MS-DOS.)
I am the managing director of a one-man startup called Digital Core (NZ) Limited. I have accepted the "12 Startups in 12 Months" challenge so that DigitalCore will have income-generating products by April 2024.
This blog will follow the "12 Startups" project during its design, development, and deployment, cover the Agile principles and the DevOps philosophy that is used by the "12 Startups" project, and delve into the world of AI, machine learning, deep learning, prompt engineering, and large language models.
I hope you enjoyed this post and, if you did, I encourage you to explore some others I've written. And remember: The best technologies bring people together.
Firewalls and intrusion prevention servers are used to defend my systems from attacks. The following tools, and others like CrowdSec, are foundational to protecting my systems from the barrage of targeted, brute-force, and DDoS aggression.
NOTE: It is best practice to also use other layers of protection like Cloudflare.
Prerequisites.
A Linux-based distro (I use Ubuntu), and
An LXD installation, if required.
Enabling, and Setting Up, UFW.

Yes, the Uncomplicated FireWall was installed on the homelab system. This time, I am installing the "hardening" tools within this container.
- From the homelab terminal (CTRL+ALT+T) connected to the container, I check the UFW status:
sudo ufw status
- I enable the UFW:
sudo ufw enable
- I install a UFW rule:
sudo ufw allow from 192.168.?.?
NOTE: I use ip a in my workstation terminal to find my IP address. I replace the IP address above with the actual address for the workstation, e.g. 192.168.188.41.
- I check the status of the UFW and list the rules by number:
sudo ufw status numbered
NOTE 1: UFW will, by default, block all incoming traffic, including SSH and HTTP.
NOTE 2: I will update the UFW rules as I deploy other services to the container.
- I delete a UFW rule by number if needed:
sudo ufw delete 1
- I disable UFW if needed:
sudo ufw disable
Now that the UFW is set up, let's install another tool for hardening a system: Fail2Ban.
Attribution:
digitalocean.com
Installing, and Setting Up, Fail2Ban.

Fail2Ban protects Linux systems against many security threats, such as dictionary, DoS, DDoS, and brute-force attacks.
- From the homelab terminal (CTRL+ALT+T) connected to the container, I install Fail2Ban:
sudo apt install fail2ban -y
- I copy the jail.conf file as jail.local:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- I open the jail.local file in Nano:
sudo nano /etc/fail2ban/jail.local
- I change a few (SSH-centric) settings in the jail.local file, then I save those changes, and exit the Nano editor:
[DEFAULT]
⋮
bantime = 1d
maxretry = 3
⋮
[sshd]
enabled = true
port = ssh,22
- I restart Fail2Ban:
sudo systemctl restart fail2ban
- I check the status of Fail2Ban:
sudo systemctl status fail2ban
- I enable Fail2Ban to autostart on boot:
sudo systemctl enable fail2ban
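Because jail.local is a full copy of jail.conf, it is easy to edit a commented-out line or the wrong section, so a check of what the sshd jail actually resolves to is worth running after the edit. The script below is an added example, not part of the original post or of Fail2Ban itself; the function names jail_setting and check_sshd_jail are hypothetical, the sample file is constructed, and it assumes a single INI file with no jail.d overrides.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Reads ONE INI file; it does
# not merge /etc/fail2ban/jail.d/*.conf or expand %(...)s interpolation.

# jail_setting FILE JAIL KEY -> prints the value the jail would use:
# the jail's own setting if present, otherwise the [DEFAULT] one.
jail_setting() {
    awk -v jail="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                     # comment line
        /^[ \t]*\[/ {                              # section header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (sec == "DEFAULT") def = v          # inherited value
            else if (sec == jail) { own = v; has_own = 1 }
        }
        END { if (has_own) print own; else if (def != "") print def }
    ' "$1"
}

# check_sshd_jail FILE -> exit status 0 only if the [sshd] jail resolves to
# the values chosen in this post; prints one line per mismatch.
check_sshd_jail() {
    local file=$1 rc=0 key want got
    while read -r key want; do
        got=$(jail_setting "$file" sshd "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want '$want', got '${got:-<unset>}'"
            rc=1
        fi
    done <<'EOF'
enabled true
bantime 1d
maxretry 3
EOF
    return "$rc"
}

# Constructed sample mirroring the jail.local excerpt above.
sample=$(mktemp)
printf '%s\n' '[DEFAULT]' '# bantime = 10m' 'bantime = 1d' 'maxretry = 3' \
    '[sshd]' 'enabled = true' 'port = ssh,22' > "$sample"
check_sshd_jail "$sample" && echo "sshd jail matches the post's settings"
```

On the container, the same check runs against the real file with check_sshd_jail /etc/fail2ban/jail.local.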
Now that I have hardened the container, it is time to return to the original post.
And remember: Be safe, be kind, be awesome.






