1,035
edits
Linode/Setup: Difference between revisions
no edit summary
No edit summary |
No edit summary |
||
| Line 38: | Line 38: | ||
=== [[Fail2Ban]] === | === [[Fail2Ban]] === | ||
Install | ==== Install ==== | ||
<pre> | <pre> | ||
apt install fail2ban | apt install fail2ban | ||
| Line 66: | Line 67: | ||
systemctl restart fail2ban | systemctl restart fail2ban | ||
</pre> | </pre> | ||
=== IPTables === | |||
Again following [[Mastodon/Setup]] | |||
==== Install ==== | |||
<pre> | |||
apt install -y iptables-persistent | |||
</pre> | |||
==== Configuration ==== | |||
* '''IPv4:''' Edit <code>/etc/iptables/rules.v4</code> | |||
:<pre> | |||
*filter | |||
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 | |||
-A INPUT -i lo -j ACCEPT | |||
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT | |||
# Accept all established inbound connections | |||
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
# Allow all outbound traffic - you can modify this to only allow certain traffic | |||
-A OUTPUT -j ACCEPT | |||
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL). | |||
-A INPUT -p tcp --dport 80 -j ACCEPT | |||
-A INPUT -p tcp --dport 443 -j ACCEPT | |||
# Allow SSH connections | |||
# The -dport number should be the same port number you set in sshd_config | |||
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT | |||
# Allow ping | |||
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT | |||
# Allow destination unreachable messages, espacally code 4 (fragmentation required) is required or PMTUD breaks | |||
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT | |||
# Log iptables denied calls | |||
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 | |||
# Reject all other inbound - default deny unless explicitly allowed policy | |||
-A INPUT -j REJECT | |||
-A FORWARD -j REJECT | |||
COMMIT | |||
</pre> | |||
* '''IPv6:''' Edit <code>/etc/iptables/rules.v6</code> | |||
:<pre> | |||
*filter | |||
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 | |||
-A INPUT -i lo -j ACCEPT | |||
-A INPUT ! -i lo -d ::1/128 -j REJECT | |||
# Accept all established inbound connections | |||
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
# Allow all outbound traffic - you can modify this to only allow certain traffic | |||
-A OUTPUT -j ACCEPT | |||
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL). | |||
-A INPUT -p tcp --dport 80 -j ACCEPT | |||
-A INPUT -p tcp --dport 443 -j ACCEPT | |||
# Allow SSH connections | |||
# The -dport number should be the same port number you set in sshd_config | |||
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT | |||
# Allow ping | |||
-A INPUT -p icmpv6 -j ACCEPT | |||
# Log iptables denied calls | |||
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 | |||
# Reject all other inbound - default deny unless explicitly allowed policy | |||
-A INPUT -j REJECT | |||
-A FORWARD -j REJECT | |||
COMMIT | |||
</pre> | |||
Then reload the rules: | |||
<syntaxhighlight lang="bash"> | |||
iptables-restore < /etc/iptables/rules.v4 | |||
ip6tables-restore < /etc/iptables/rules.v6 | |||
</syntaxhighlight> | |||
== Setting up an SMTP server == | == Setting up an SMTP server == | ||
By default, Linode disables SMTP ports 587 etc. This requires a manual human-facing support ticket to remove. (Done by @Jonny on Nov 25 2022) | By default, Linode disables SMTP ports 587 etc. This requires a manual human-facing support ticket to remove. (Done by @Jonny on Nov 25 2022) | ||