to create a first container and do some
[[basic operations in OpenVZ environment]]. Read the [[download:doc/OpenVZ-Users-Guide.pdf]], browse this wiki.
== SECURE IT ! ==

Now comes a small piece of advice from someone who got his Debian 4.0 container hacked by some script kiddies with an ssh brute-force method within a day after deployment. I naively believed that iptables was active on boot of the container, as I had used webmin inside the VE to activate iptables on boot. That is not so! Although webmin shows that iptables (Linux Firewall) is active on boot, it is not. You need to make a startup script for iptables as described further down.

Now see what rules are already configured. Issue this command inside your container:

<pre>
iptables -L
</pre>

The output will be similar to this:

<pre>
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
</pre>

This allows anyone access to anything from anywhere.

=== New iptables rules ===

Let's tighten that up a bit by creating a test iptables file:

<pre>
nano /etc/iptables.test.rules
</pre>

In this file enter some basic rules:

<pre>
*filter

# Allows all loopback (lo0) traffic and drops all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections for script kiddies
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
</pre>

That may look complicated, but look at one section at a time. You will see that it simply shuts all ports except the ones we have allowed, which in this case are ports 80 and 443 (the standard web browser ports) and the SSH port defined earlier.

Activate these new rules:

<pre>
iptables-restore < /etc/iptables.test.rules
</pre>

And see the difference:

<pre>
iptables -L
</pre>

Now the output tells us that only the ports defined above are open. All the others are closed.

Once you are happy with the rules, save them to the master iptables file:

<pre>
iptables-save > /etc/iptables.up.rules
</pre>

To make sure the iptables rules are started on a reboot we'll create a new file:

<pre>
nano /etc/network/if-pre-up.d/iptables
</pre>

Add these lines to it:

<pre>
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
</pre>

The file needs to be executable, so change the permissions:

<pre>
chmod +x /etc/network/if-pre-up.d/iptables
</pre>
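As an added example (not part of the original wiki page), here is a small Python script that parses a ruleset file in the iptables-restore format used above and reports which INPUT ports are accepted from any source, which are restricted with -s, and whether the chain ends in a default deny. The embedded ruleset and the 192.0.2.10 address are constructed for the demonstration.

```python
"""Audit an iptables-restore ruleset for chain INPUT: world-open ports, source-restricted ports, default deny."""
import shlex

# Constructed sample in the page's format; not a live ruleset.
SAMPLE_RULES = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
-A INPUT -s 192.0.2.10 -p tcp --dport 30001 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
"""

def parse_rule(line):
    """Map each option of one '-A CHAIN ...' line to its value ('!-i' records '! -i lo')."""
    toks, opts, i = shlex.split(line), {}, 0
    while i < len(toks):
        key = toks[i]
        if key == "!":                      # negated option, e.g. '! -i lo'
            opts["!" + toks[i + 1]] = toks[i + 2]
            i += 3
        elif i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[key] = toks[i + 1]         # option with a value
            i += 2
        else:
            opts[key] = True                # bare flag
            i += 1
    return opts

def audit(text):
    """Return (world_open, restricted, default_deny) for the INPUT chain."""
    world, restricted, policy_deny, last = [], [], False, None
    for line in text.splitlines():
        if line.startswith(":INPUT "):      # policy line as written by iptables-save
            policy_deny = line.split()[1] == "DROP"
        if not line.startswith("-A INPUT "):
            continue
        last = parse_rule(line)
        if last.get("-j") == "ACCEPT" and "--dport" in last:
            entry = (last.get("-p", "all"), last["--dport"])
            (restricted if "-s" in last else world).append(entry)
    # Default deny holds if the chain policy is DROP or the final rule rejects unconditionally.
    final_deny = bool(last) and last.get("-j") in ("REJECT", "DROP") and set(last) <= {"-A", "-j"}
    return world, restricted, policy_deny or final_deny
```

Run it against /etc/iptables.up.rules before rebooting to confirm that the only world-open entries are the ones you intended.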
[[Category: HOWTO]]
[[Category: Debian]]
[[Category: Installation]]