Originally Posted by ibbo
Remember first and foremost that this is only one trench in your in-depth defense of your system. I actually think this one is a pretty good, well-built trench that is very configurable.
Deny everything by default.
Open up services for (a) anyone, (b) the local network.
The man pages are very helpful on this and give many examples of the stuff you can do, e.g. notifications.
I would also look at DenyHosts and look at getting to grips with iptables.
Defense in depth is the key; SELinux is the icing.
I like TCP Wrappers (hosts.allow / hosts.deny), but by default with most distros (Fedora included) Apache does not use TCP Wrappers.
If you wish to use TCP Wrappers with Apache you need to recompile Apache.
You can see if an application uses TCP Wrappers with "strings" (look for the libwrap entry point, hosts_access):

strings -f /usr/sbin/sshd | grep hosts_access    # prints a match for sshd

But httpd does not:

strings -f /usr/sbin/httpd | grep hosts_access   # <-- no output

So, if you are relying on TCP Wrappers, take the time to make sure your service in fact uses TCP Wrappers.
Last, many servers have ACLs (access control lists) or ACL functionality built into the config files.
Using Apache as an example: Apache is usually public, so rather than deny all and allow some (whitelist) you usually allow all and deny some (blacklist):

<Location />
    # Apache 2.2 mod_authz_host syntax (2.4 uses Require all granted / Require not ip).
    # Order allow,deny is needed so the Deny lines actually win over "Allow from all".
    <Limit GET POST PUT>
        Order allow,deny
        Allow from all
        # RFC 5737 documentation addresses stand in for the original (invalid) example addresses
        Deny from 192.0.2.24
        Deny from 198.51.100.65
    </Limit>
</Location>
Which eventually leads back to iptables, or similar applications, as you can maintain one "central" blacklist rather than service-by-service configuration (assuming you are running multiple services, of course).
iptables -A INPUT -j blacklist                                   # check a blacklist (chain created below)
iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 22 -j ACCEPT  # ssh from the LAN only
iptables -A INPUT -p tcp --dport 80 -j ACCEPT                    # http from anywhere
iptables -A INPUT -j DROP                                        # drop everything else
iptables -N blacklist                                            # create the user-defined chain
iptables -A blacklist -s 192.0.2.44/32 -j DROP                   # documentation addresses stand in for the
iptables -A blacklist -s 192.0.2.55/32 -j DROP                   # original (invalid) 111.22.333.x placeholders
Note: In practice you will need to define your blacklist chain first or you will get an error with the first command, but I hope the above layout is easier to follow.
A few "simple" iptables rules to check a blacklist, accept ssh from the LAN only, accept all traffic on port 80, and drop everything else.
While iptables is intimidating at first, taking the time to learn the rules (or use something like Shorewall) can pay off in spades (rather than learning TCP Wrappers, adding fail2ban, recompiling Apache, etc.).
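As an added example (not part of the post above, and not a tool any distro ships), here is a POSIX shell script that turns the "central blacklist" idea into an iptables-restore ruleset. It creates the blacklist chain before the INPUT rule that jumps to it, so the ordering problem the post mentions cannot occur, and it validates every blacklist entry as a dotted-quad IPv4 address with an optional /prefix, so malformed entries like the 111.22.333.444 placeholders are reported and skipped instead of aborting the whole restore. It also goes a little beyond the post's ruleset: with a default-DROP INPUT chain you additionally need to accept loopback and established/related traffic, or the server's own outbound connections (DNS, package updates) never get their replies. The blacklist file path, the sample entries and the LAN range are constructed for this example.

```shell
#!/bin/sh
# Build an iptables-restore ruleset from a blacklist file.
# Example code; the file layout (one IP or CIDR per line, '#' comments) is an assumption.

# Return 0 if $1 is a dotted-quad IPv4 address, optionally followed by /0-32.
valid_ipv4_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no '/' given: host address
    case "$prefix" in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -f                                      # no globbing while splitting
    set -- $addr
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ruleset BLACKLIST_FILE [LAN_CIDR]
# Prints an iptables-restore ruleset on stdout; skipped entries go to stderr.
gen_ruleset() {
    blacklist_file=$1
    lan=${2:-192.168.0.0/16}
    valid_ipv4_cidr "$lan" || { echo "bad LAN network: $lan" >&2; return 1; }
    echo '*filter'
    echo ':INPUT DROP [0:0]'                    # deny everything by default
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':blacklist - [0:0]'                   # chain is defined before any rule references it
    while read -r entry _comment; do
        case "$entry" in ''|\#*) continue;; esac
        if valid_ipv4_cidr "$entry"; then
            echo "-A blacklist -s $entry -j DROP"
        else
            echo "skipping invalid blacklist entry: $entry" >&2
        fi
    done < "$blacklist_file"
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -j blacklist'                # blacklist wins even over established flows
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -s $lan -p tcp --dport 22 -j ACCEPT"   # ssh from the LAN only
    echo '-A INPUT -p tcp --dport 80 -j ACCEPT'           # http from anywhere
    echo 'COMMIT'
}

# Stand-alone demo with a constructed blacklist (documentation addresses plus
# two deliberately malformed entries).
demo_file=$(mktemp)
printf '%s\n' '192.0.2.44' '111.22.333.444  # malformed, will be skipped' \
              '# a comment line' '198.51.100.0/24' '188.8.131.524' > "$demo_file"
gen_ruleset "$demo_file"
rm -f "$demo_file"
```

Review the generated ruleset, then load it atomically with `iptables-restore < ruleset` (as root); unlike a sequence of individual iptables commands, a restore either applies completely or not at all, so a typo in the blacklist file can never leave you with a half-built firewall.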