Securing LAMP

Simple script to build a base firewall and Secure LAMP Servers

This script is for securing LAMP servers. It also provides ssh access to specific IP/CIDR addresses and allows only access for ftp, http and https protocols. It also gets set to run at startup. The ipset data is run from a Python application that monitors log and login activity on assorted webservers. To install this setup from the command line on your Linux Server (must be done with root level account):

~]# wget http://dailyblacklist.com/scripts/secure_lamp.sh
~]# chmod +x secure_lamp.sh   # Makes file executable
~]# ./secure_lamp.sh

IPTables

IPTables is the first focus for demonstrating how to identify and eliminate IP blocks to protect a server, protocol or ports. Although there is much ado about firewalld my preference is IPTables for this reason:
I can add, remove or modify the firewall without ever having to restart nftables or iptables. This is the primary reason. From my perspective the general reason for the firewalld firewall is that it is easier for someone less knowledgeable about networking, TCP/IP and protocols perform basic firewall functions. But that is just my perspective after having learned Firewalld, IPTables and Windows Firewall with Advanced Security IPTables is my preferred tool for firewall security. Rocky Linux is my preferred Enterprise Server operating system and became so shortly after IBM purchased CentOS. Debian flavored operating systems were always the Desktop version of Linux and referred to as “The Hackers version of Linux” by my late mentor. Indeed it has taken off through Ubuntu which is based (or was) based out of the UK and to me truly does still live up to the title “Hackers version of Linux” as that is what Kali is built on if anyone has ever heard of that. It is a pretty slick tool though and I run it on occasion as a VPS on my local network with VirtualBox.

Installing IPTables

IPTables is going to be depricated in future versions of Rocky Linux 9.x according to the documentation at Rockylinux.org. However IMHO iptables is still supirior to firewalld in just the simple fact that you can update the firewall dynamically without restarting the firewall. In order to install IPTables:
1. ~]# dnf install iptables-services iptables-utils
2. ~]# systemctl disable firewalld
3. ~]# systemctl enable –now iptables

Append Rule

Appending a rule will add the rule to the end of the chain where as Inserting a rule places the rule at the top of the chain.
Appending a simple rule:
~]# iptables -A INPUT 8.8.8.8 -p tcp -j ACCEPT # Allows all traffic from 8.8.8.8 that is TCP protocol
~]# iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT # Allows established connections
~]# iptables -A INPUT -p udp -m udp –dport 53 -j ACCEPT # Allows DNS traffic

Adding an ipset to a rule:
First you need to create the ipset. Here is an example to create an ipset for spoofed IP addresses:
~]# ipset -N spoof-ips hash:net -exist # Sets up ipset with name spoof-ips to use network addresses
~]# ipset -F spoof-ips # flushes spoof-ips data making set empty
~]# ipset -A spoof-ips 192.168.0.0/16 # Appends IP CIDR spoof range
~]# ipset -A spoof-ips 10.0.0.0/8 # Spoof range
~]# ipset -A spoof-ips 172.16.0.0/12 # Spoof range

Now add the IPSet block to your iptables chain with:
~]# iptables -A INPUT -m set –match-set spoof-ips src -j DROP

Inserting Rule

Inserting a rule places the rule at the top of the chain instead of appending it to the bottom and is done like so (this whitelists MXToolbox diagnostic IP Addresses):

iptables -I INPUT -p tcp -s 64.20.227.128/28 -j ACCEPT
iptables -I INPUT -p tcp -s 208.123.79.32/27 -j ACCEPT
iptables -I INPUT-p tcp -s 54.164.124.219 -j ACCEPT
iptables -I INPUT -p tcp -s 54.88.4.135 -j ACCEPT
iptables -I INPUT -p tcp -s 54.84.234.24 -j ACCEPT

Delete Rule

To drop a rule in IPTables do the following:
1. Find the full rule you want to drop with:
]# iptables -S | grep Durango # For example this returns:
-A INPUT -m set –match-set US-CO.Durango src -j DROP
2. Prefix the next line with iptables -D then complete the rule you got from step 1 as follows:
]# iptables -D INPUT -m set –match-set US-CO.Durango src -j DROP

IPSet Delete IP

]# ipset del set-name 127.0.0.1 # Deletes 127.0.0.1 from ipset

IPSet Add IP

Adding an ipset to a rule:
First you need to create the ipset. Here is an example to create an ipset for spoofed IP addresses:
~]# ipset -N spoof-ips hash:net -exist # Sets up ipset with name spoof-ips to use network addresses
~]# ipset -F spoof-ips # flushes spoof-ips data making set empty
~]# ipset -A spoof-ips 192.168.0.0/16 # Appends IP CIDR spoof range
~]# ipset -A spoof-ips 10.0.0.0/8 # Spoof range
~]# ipset -A spoof-ips 172.16.0.0/12 # Spoof range

Now add the IPSet block to your iptables chain with:
~]# iptables -A INPUT -m set –match-set spoof-ips src -j DROP

Firewall Builds

Firewall and Blacklist Builds for Rocky/RedHat Linux

These builds have been tested only on Rocky Linux 9.x using VirtualBox locally and Windows Hyper-V remotely. Some of these scripts have also been tested on CentOS 7.9. Also, these scripts are dependent on IPTables as the wrapper for nftables and IPSet.

Country Blacklist – Blacklist selected or all countries currently only available for Rocky/RedHat Linux
Email Blacklist – Spammers and Login fishing.
WordPress – Login failures and form spammers
Base LAMP Firewall – Script to build a base firewall and start at boot. This script is also useful for setting up IPTables.