Red Green Repeat Adventures of a Spec Driven Junkie

How to Secure Your Server (part 2)

Following on from my previous article on how to protect your servers, where I reviewed how to improve the security of SSH using SSH keys, two-factor authentication, and login notifications, this article covers protecting servers at the IP level, regardless of the port used.

I will walk through two concepts, white-listing and blacklisting IP addresses, and one tool, fail2ban: why they are useful for protecting servers and how you can use them.

You will learn key concepts for protecting servers at the IP level, keeping attackers away from servers before they ever reach a port.

This article will take you about four minutes to read.

Image: Trefoil-shaped covered box with decoration of chrysanthemums.

Introduction

In my previous article, I talked about how to secure your server using SSH keys, two-factor authentication, and login notifications. These work with the login system to improve security, like making the door of your house harder to open.

This time, I will go over tools to block attackers from reaching your server, at the network level using:

  • white-listing
  • blacklisting
  • fail2ban

It’s like making the door of your house harder to access or even unreachable.

White-listing

This is a technique to only allow clients whose IP address is on a list to access the server. If a client from an IP address that is not on the list tries to reach your server, it is rejected outright.

Think of this as giving anyone you want access to your house a key, or letting them know where the spare key location is.

You can configure white-lists at the server level, using iptables, or, depending on your hosting provider, at the network level.

White-listing is good because known IP addresses always have access to your server. You need to know up front which IP addresses you want to grant access to, such as your home IP address.

If for some reason your home IP address changes, you may lose access to your server because your new IP address is not on the white-list, so make sure you have a second way in (such as your hosting provider's console) before you enable one.

Linux

To use white-listing on Linux, use iptables. Here's an article that shows, step by step, how to configure it.
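As an added example (not code from the article or the guide it links to), here is an iptables white-list for SSH with the one safeguard the lock-out warning above calls for: the script refuses to apply the rules if the address you are currently connected from is not on the list. The addresses in WHITELIST are constructed from the RFC 5737 documentation ranges and stand in for your own; the function names (whitelist_rules, in_cidr, covered) are this example's own. By default the rules are only printed; run it with APPLY=1 as root to apply them.

```shell
#!/bin/sh
# Added example: white-list SSH (tcp/22) by source address with iptables.
# Addresses below are constructed (RFC 5737 ranges); replace WHITELIST with your own.
# Safe by default: the rules are only printed. Run with APPLY=1 as root to apply them.

WHITELIST="203.0.113.5 198.51.100.0/24"   # assumption: home IP and an office range
PORT=22

# whitelist_rules PORT SRC... -> one iptables command per line restricting PORT to SRC...
# Assumes the INPUT chain has no earlier rule that already accepts that port.
whitelist_rules() {
  port=$1; shift
  # keep existing connections alive, including the SSH session running this script
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  for src in "$@"; do
    echo "iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
  done
  # any other source is rejected outright
  echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 if IP lies inside CIDR (a bare address means /32)
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# covered IP SRC... -> exit 0 if IP is inside at least one listed source.
# Lock-out guard: never apply rules that would cut off the session applying them.
covered() {
  me=$1; shift
  for src in "$@"; do
    in_cidr "$me" "$src" && return 0
  done
  return 1
}

if [ "${APPLY:-0}" = 1 ]; then
  # sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port"
  me=${SSH_CONNECTION%% *}
  if [ -n "$me" ] && ! covered "$me" $WHITELIST; then
    echo "refusing to apply: this session's client $me is not on the white-list" >&2
    exit 1
  fi
  whitelist_rules "$PORT" $WHITELIST | sh -e
else
  whitelist_rules "$PORT" $WHITELIST
fi
```

The ESTABLISHED,RELATED rule goes first so that the session you are typing in survives even if you get the list wrong; the guard catches the other common mistake, adding your office range but connecting from home. Rules added with iptables are not persistent across a reboot, which is a feature while you are testing: if you do lock yourself out, a reboot from the provider's console clears them.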

AWS

On AWS, a new EC2 instance gets a security group, which is a white-list at the network level. If you take the launch wizard's "My IP" option for the SSH rule, the only IP address that can access your EC2 instance is the one your computer is using to browse the AWS console, and you will need to update that rule when your address changes.

Blacklisting

The converse of a white-list is a blacklist: the server refuses access from any IP address on the blacklist.

It’s like getting a restraining order on people you don’t want to come near your house.

As with a restraining order, if you know who you want to keep out, that is, the IP addresses you want to ban, this is an effective technique to prevent attacks on your system.

If you have a targeted way to build a filter for all the IP addresses or ranges you want to ban (say, by country), this works.

In reality, you have to figure out a way to generate the IP addresses or ranges to ban. I have found there are numerous attackers from around the world, even against a simple server.

To blacklist an IP address on Linux, use iptables, just as for a white-list entry.

Fail2Ban

Where blacklists fall short is that there are too many IP addresses to know or list. fail2ban takes a different approach:

When an IP address makes a specific number of failed attempts against a service, as recorded in that service's log, update the blacklist to block that IP address for a while.

It’s like letting your door be accessible by anyone and disabling the doorbell after they ring it ten times.

Fail2ban is a utility on Linux systems that I think of as a dynamic blacklist: it generates the blacklist entries based on what is currently happening.

This allows a server to be openly accessible to the world while blacklist entries are created for the IP addresses of clients that abuse it. There is no need to configure a blacklist in advance.

The only downside is that configuring fail2ban can be tricky. Because fail2ban works directly with iptables, an erroneous configuration in fail2ban may lock you out of your own system.

I have an article on configuring fail2ban with its defaults to blacklist every offending IP address. I also explain how to configure fail2ban to white-list IP addresses.
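Here is fail2ban's approach written out by hand, as an added example that is neither fail2ban's own code nor the article's. It also answers the earlier question of how to generate a blacklist from the attackers you actually see: count failed sshd logins per source address in a log excerpt, ban every source that reached maxretry, skip the addresses on the ignore list (the white-list inside fail2ban that keeps you from banning yourself), and print the jail.local section that asks fail2ban to do the same for real. The log excerpt is constructed in the usual syslog format with RFC 5737 addresses; MAXRETRY is lowered to 3 so the sample stays short; the function names are this example's own.

```shell
#!/bin/sh
# Added example: what fail2ban does, written out by hand (not fail2ban's code).
# Counts failed sshd logins per source, emits a ban rule for sources at or over
# MAXRETRY, skips IGNOREIP, and prints the equivalent fail2ban jail.local.

MAXRETRY=3            # fail2ban's default is 5; lowered so the sample below stays short
BANTIME=3600          # seconds a banned source stays blocked
IGNOREIP="127.0.0.1 203.0.113.5"   # assumption: loopback plus your own address

# Constructed /var/log/auth.log excerpt (RFC 5737 addresses): 192.0.2.10 is an
# attacker, 198.51.100.7 mistypes once and then logs in with a key, 203.0.113.5
# is your own address, fat-fingering a password three times.
SAMPLE_LOG='Jun  1 10:00:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 51000 ssh2
Jun  1 10:00:03 host sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 51001 ssh2
Jun  1 10:00:05 host sshd[1003]: Failed password for root from 192.0.2.10 port 51002 ssh2
Jun  1 10:00:07 host sshd[1004]: Failed password for invalid user test from 192.0.2.10 port 51003 ssh2
Jun  1 10:00:20 host sshd[1005]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jun  1 10:00:25 host sshd[1006]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Jun  1 10:00:30 host sshd[1007]: Failed password for bob from 203.0.113.5 port 30000 ssh2
Jun  1 10:00:33 host sshd[1008]: Failed password for bob from 203.0.113.5 port 30001 ssh2
Jun  1 10:00:36 host sshd[1009]: Failed password for bob from 203.0.113.5 port 30002 ssh2'

# failures_by_ip LOGTEXT -> lines of "count ip" for every source with failed passwords.
# Counts the whole excerpt; real fail2ban only counts failures within findtime.
failures_by_ip() {
  printf '%s\n' "$1" |
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c | awk '{print $1, $2}'
}

# is_ignored IP -> exit 0 if IP is on IGNOREIP (exact match; fail2ban also accepts CIDR ranges)
is_ignored() {
  for ign in $IGNOREIP; do
    [ "$1" = "$ign" ] && return 0
  done
  return 1
}

# ban_rules LOGTEXT -> one iptables DROP per source at or over MAXRETRY, minus IGNOREIP.
# fail2ban itself puts bans in its own chain (f2b-sshd) and removes them after BANTIME.
ban_rules() {
  failures_by_ip "$1" | while read -r n ip; do
    [ "$n" -ge "$MAXRETRY" ] || continue
    is_ignored "$ip" && continue
    echo "iptables -I INPUT -s $ip -j DROP"
  done
}

# jail_local -> the /etc/fail2ban/jail.local [sshd] section matching the settings above
jail_local() {
  cat <<EOF
[sshd]
enabled  = true
maxretry = $MAXRETRY
findtime = 600
bantime  = $BANTIME
ignoreip = $IGNOREIP
EOF
}

echo "# bans this excerpt would produce:"
ban_rules "$SAMPLE_LOG"
echo "# equivalent jail.local:"
jail_local
```

Run as is, it bans only 192.0.2.10: the one failure from 198.51.100.7 is under the threshold, and 203.0.113.5 is over it but ignored. That last case is the point of ignoreip: put your own address there before enabling the jail, and a mistyped password is no longer how you lock yourself out.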

Conclusion

Protecting your server using IP addresses is an effective method as it prevents attackers from even reaching your server.

  • white-listing is effective when you know and want specific IP addresses to access the server
  • blacklisting is effective when you know specific addresses of attackers
  • fail2ban can dynamically create blacklist entries of those that are attacking your server

Having a server on the Internet is scary; taking precautions to prevent unauthorized access will give you peace of mind.

Just like keeping people away from your house to prevent unauthorized entry.