3/3: Hardening the Remote Container.
Or: Running Firewall and Intrusion Prevention Servers.
Firewalls and intrusion prevention tools are how I defend my systems from attacks. The tools below, and others like CrowdSec, are foundational to protecting my systems from the barrage of targeted, brute-force and DDoS aggression. Be clear about what each layer can do, though: a host firewall controls which ports and sources can reach the container, and a log-driven banning tool such as Fail2Ban blunts brute-force attempts; neither can absorb a volumetric DDoS, which has to be stopped before it reaches the homelab's uplink.
NOTE: It is best practice to also use other layers of protection, such as a CDN/reverse proxy like Cloudflare in front of anything exposed to the internet.
Prerequisites.
A Linux-based distro (I use Ubuntu), and
An LXD installation, if required.
Enabling, and Setting Up, UFW.
Yes, the Uncomplicated FireWall (UFW) was already installed on the homelab system. This time, I am installing the "hardening" tools inside this container, so the container gets its own firewall and its own Fail2Ban, independent of the host's.
- From the homelab terminal (CTRL+ALT+T) connected to the container, I check the UFW status:
sudo ufw status
- I enable the UFW:
sudo ufw enable
- I add a UFW rule that allows traffic from my workstation (with no port given, the rule allows every port from that address):
sudo ufw allow from 192.168.?.?
NOTE: I run ip a in the workstation's terminal to find its IP address, and I replace the placeholder above with the actual address of the workstation, e.g. 192.168.188.41.
- I check the status of the UFW and list the rules by number:
sudo ufw status numbered
NOTE 1: Once enabled, UFW's default policy denies all incoming traffic, SSH and HTTP included, and allows all outgoing traffic. If your session into the container runs over SSH rather than through the host, add the allow rule for your workstation before enabling UFW, or the enable step will cut the session off.
NOTE 2: I will update the UFW rules as I deploy other services to the container.
- I delete a UFW rule by number if needed:
sudo ufw delete 1
- I disable UFW if needed:
sudo ufw disable
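The UFW steps above, put together as an added example that is not from the post: a small POSIX shell script that validates the workstation address, prints the rule set it would apply, and applies it with the allow rule placed before the enable step so that an SSH session into the container survives. The workstation address 192.168.188.41, the decision to open only 22/tcp from it (the post's rule allows every port from the workstation) and the script name ufw_plan.sh are assumptions of mine.

```sh
#!/bin/sh
# Added example (not from the post): plan the container's UFW rule set and
# apply it in an order that cannot lock the operator out. Assumptions that
# are mine, not the post's: the workstation is 192.168.188.41 (the post's
# example address) and only SSH, 22/tcp, needs to reach the container from it.
set -eu

# validate_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
# Everything handed to ufw below passes through here first.
validate_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ -n "$_octet" ] || return 1
        [ "$_octet" -le 255 ] || return 1
    done
}

# ufw_plan WORKSTATION_IP: print the ufw commands, one per line. Allow rules
# come BEFORE enable on purpose: with the default deny-incoming policy,
# enabling first would drop an SSH session into the container.
ufw_plan() {
    validate_ipv4 "$1" || { echo "ufw_plan: not an IPv4 address: $1" >&2; return 1; }
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $1 to any port 22 proto tcp comment 'SSH from workstation'
ufw --force enable
ufw status numbered
EOF
}

# ufw_apply WORKSTATION_IP: run the plan as root. eval is safe here because
# the only variable text in the plan is an address validate_ipv4 accepted.
ufw_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "ufw_apply: run with sudo" >&2; return 1; }
    _plan=$(ufw_plan "$1") || return 1
    printf '%s\n' "$_plan" | while IFS= read -r _cmd; do
        echo "+ $_cmd" >&2
        eval "$_cmd"
    done
}

# Stand-alone use (the script name is my choice):
#   sh ufw_plan.sh plan 192.168.188.41        # only print the commands
#   sudo sh ufw_plan.sh apply 192.168.188.41  # run them
case ${1:-} in
    plan)  ufw_plan "${2:-192.168.188.41}" ;;
    apply) ufw_apply "${2:?usage: $0 apply WORKSTATION_IP}" ;;
esac
```

Running it with plan only prints the commands, which is a convenient way to review the rule set before anything changes; apply needs sudo. The --force on ufw enable skips the interactive confirmation, which is what a script wants and also the reason the allow rule has to come first.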
Now that UFW is set up, let's install another tool for hardening a system: Fail2Ban.
Attribution:
digitalocean.com
Installing, and Setting Up, Fail2Ban.
Fail2Ban watches log files for repeated authentication failures and bans the offending source address with a firewall rule for a set time. That makes it effective against dictionary and brute-force attacks on SSH and similar services; it gives only partial relief against DoS traffic and very little against a distributed attack, because each source is banned only after its own failures add up.
- From the homelab terminal (CTRL+ALT+T) connected to the container, I install Fail2Ban:
sudo apt install fail2ban -y
- I copy the jail.conf file as jail.local (the comments at the top of jail.conf ask for customisations in jail.local rather than in jail.conf itself; a jail.local holding only the overridden settings also works and keeps the packaged defaults visible when they change):
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- I open the jail.local file in Nano:
sudo nano /etc/fail2ban/jail.local
- I change a few (SSH-centric) settings in the jail.local file, then I save those changes and exit the Nano editor:
[DEFAULT]
⋮
# bantime: how long a source stays banned. maxretry: failures inside the
# findtime window (packaged default 10m) that trigger a ban. 1d and 3 are
# the values chosen here; the packaged defaults are 10m and 5.
bantime = 1d
maxretry = 3
⋮
[sshd]
# The sshd jail reads the SSH log (/var/log/auth.log on a container running
# rsyslog). "ssh" already resolves to 22 via /etc/services, so listing both
# is harmless but redundant.
enabled = true
port = ssh,22
- I restart Fail2Ban:
sudo systemctl restart fail2ban
- I check the status of Fail2Ban:
sudo systemctl status fail2ban
- I enable Fail2Ban to autostart on boot:
sudo systemctl enable fail2ban
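To see what bantime, findtime and maxretry actually do before trusting them on the container, here is an added example, not from the post or the Fail2Ban project: a shell script with an awk replay of the [sshd] jail's ban decision over constructed auth.log lines. The log lines, their addresses and timestamps, and the script name ban_replay.sh are my assumptions; the script mirrors only the "Failed password" match of the real sshd filter and the sliding findtime window.

```sh
#!/bin/sh
# Added example (not from the post or the Fail2Ban project): replay the ban
# decision of the [sshd] jail over constructed auth.log lines, so the effect
# of maxretry and findtime can be seen before touching a live container.
# Assumptions that are mine: the log lines below, the addresses in them and
# the Ubuntu-style ISO-8601 timestamps. Fail2Ban's real matching lives in
# /etc/fail2ban/filter.d/sshd.conf; this only mirrors the "Failed password"
# case and the sliding findtime window.
set -eu

# Constructed sample. 203.0.113.7 fails three times in 65 s; 198.51.100.9
# fails three times but 13 min apart; the workstation logs in with a key.
SAMPLE_AUTH_LOG='2024-03-01T22:13:20.000000+00:00 lxdbox sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-01T22:13:50.000000+00:00 lxdbox sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-01T22:14:25.000000+00:00 lxdbox sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T22:15:00.000000+00:00 lxdbox sshd[1205]: Failed password for root from 198.51.100.9 port 40000 ssh2
2024-03-01T22:16:10.000000+00:00 lxdbox sshd[1209]: Accepted publickey for ubuntu from 192.168.188.41 port 55000 ssh2
2024-03-01T22:28:00.000000+00:00 lxdbox sshd[1215]: Failed password for root from 198.51.100.9 port 40001 ssh2
2024-03-01T22:41:00.000000+00:00 lxdbox sshd[1222]: Failed password for root from 198.51.100.9 port 40002 ssh2
2024-03-01T22:41:30.000000+00:00 lxdbox sshd[1230]: Failed password for root from 203.0.113.7 port 51030 ssh2'

# ban_decision MAXRETRY FINDTIME_SECONDS: read auth.log lines on stdin and
# print each address at the moment its failures inside the window reach
# MAXRETRY, once (a banned address is not re-evaluated, as with a long bantime).
ban_decision() {
    awk -v maxretry="$1" -v findtime="$2" '
    # Days since 1970-01-01 for a civil date (Hinnant algorithm). awk has no
    # portable mktime(), so the timestamp is turned into seconds by hand.
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    # Seconds since the epoch from "YYYY-MM-DDTHH:MM:SS..." (zone offset
    # ignored: every line comes from the same host and zone).
    function epoch(ts,    days) {
        days = days_from_civil(substr(ts, 1, 4) + 0, substr(ts, 6, 2) + 0, substr(ts, 9, 2) + 0)
        return days * 86400 + substr(ts, 12, 2) * 3600 + substr(ts, 15, 2) * 60 + substr(ts, 18, 2)
    }
    # Only failed-password lines count; the source address follows "from".
    /sshd\[[0-9]+\]: Failed password for/ {
        now = epoch($1)
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "" || (ip in banned)) next
        # Drop failures older than findtime, then add this one.
        n = split(hist[ip], seen, " ")
        kept = ""
        count = 0
        for (k = 1; k <= n; k++)
            if (seen[k] + 0 >= now - findtime) { kept = kept " " seen[k]; count++ }
        kept = kept " " now
        count++
        if (count >= maxretry) {
            banned[ip] = now
            print ip
            delete hist[ip]
        } else {
            hist[ip] = kept
        }
    }'
}

# Stand-alone: replay the sample with maxretry 3 and the packaged default
# findtime (10m). With two arguments it reads a real log on stdin, e.g.
#   sudo sh ban_replay.sh 3 600 < /var/log/auth.log   (script name is mine)
if [ $# -eq 2 ]; then
    ban_decision "$1" "$2"
else
    printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_decision 3 600
fi
```

With maxretry 3 and the packaged findtime of 10 minutes, only 203.0.113.7 gets banned: 198.51.100.9 also fails three times, but 13 minutes apart, so its failures never add up inside one window. Run the replay with 3 1800 and both are banned. On the live container the equivalent checks are sudo fail2ban-client status sshd, which lists the currently banned addresses, and sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf, which reports how many log lines the real filter matches. Two settings worth adding to jail.local once this is understood: ignoreip in [DEFAULT] with the workstation's address, so mistyping your own password can never lock you out, and backend = systemd in the [sshd] jail if the container has no /var/log/auth.log because it logs only to journald.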
Now that I have hardened the container, it is time to return to the original post.
And remember: Be safe, be kind, be awesome.