Just few hours after making my Raspberry Pi visible to the world, i.e. creating web server, I've noticed that my device is being attacked from the outside world. Running
cat /var/log/auth.log | grep Failed
command, revealed numerous attempts to get into my server using random logins, such as: oracle, demo, test, sysadmin, apache, guest, and, of course, root, just to mention a few. This made me think a little about security of my service. Although the attempts were just fail attempts to guess the user and password, I've decided to be safe than sorry and take some precautions.
IPTABLES + SSHBLACK
Raspbian, being a Debian based system, has a pre-installed firewall - iptables. When you install Debian, iptables is there, but it allows all traffic by default. There is a lot of information on iptables on the internet, but much of it is fairly complex. Fortunately, there are For Dummies kind of HowTos written by Linux users. One of them, provided by Ubuntu Documentation, helped me understand the basics of the firewall.
Second thing I did, was to install sshblack, a real-time script for secure shell (ssh). The script monitors log files for suspicious activity and adds attackers to a blacklist, created with iptables. Sshblack is pretty easy to configure. You can determine what kind of addresses should be blacklisted, for what period of time, after how many attempts of failed logins, etc.
While in pure iptables you put the IP of an attacker manually:
iptables -I INPUT -s 192.168.1.1 -j DROP
sshblack creates a rule:
iptables -I INPUT -s ipaddress -j DROP
that predetermined with sshblack variables "tells" iptables to block certain IPs.
Unfortunately, every reboot of the system would wipe out iptables data. To save the configuration, you can use iptables-save and iptables-restore. To make things easier and not running the commands any time I restart the Raspberry, I've added them to boot/shutdown scripts. This is how I did it.
First of all, I've saved my firewall rules to a file
sudo sh -c "iptables-save > /etc/iptables.rules"
Than, I've created two script files for loading and saving iptables rules.
The loading script
prettyprint#!/bin/shiptables-restore and saving script
#!/bin/shiptables-save -c > /etc/iptables.rulesif [ -f /etc/iptables.downrules ]; then iptables-restore
I gave both scripts executive permissions:
sudo chmod +x /etc/network/if-post-down.d/iptablessave sudo chmod +x /etc/network/if-pre-up.d/iptablesload
Next thing, was adding the sshblack script to load with system start. For this, I used init script provided by Vadim Reznik, putting it into my
/etc/init.d directory. Reboot to see if everything is all right and done!
This simple treatment lets me sleep better and makes me feel my server is more secure.