Layer 3 Security and Linux

Your web server has been defaced for the third time in two months and your customers are starting to wonder. Some may even start to fear their personal information is at risk. With recent security breaches at big corporations like Michaels, Neiman Marcus, and Target, you would be hard pressed to come up with a reason why they shouldn't be. These days, the Internet can be a caustic place, and computer security (especially of the web variety) is becoming much more important to everyone, from the lowly startup to the great big software corporations.

The fact is that the majority of visitors to a website may not be actual people at all but automated bots searching pages for weaknesses (think computer programs that scan the web). That paints a very scary picture of an Internet where malicious users can accomplish things automatically and in heavy volume.

However, knowing this also helps one prepare, which in this case means fighting fire with a firewall. Many users have the iptables service running on their Linux boxes right now but have little to no idea how to configure it. It works as a firewall, with rules set in place to allow network traffic in or out. Manually configuring iptables can be a bear, especially when you are talking about possibly hundreds of unique IPs hitting a server in an hour. It would be impossible for a person to be as dynamic as the Internet when it comes to malicious traffic.

In order to counter the ever-increasing stream of garbage from the Internet, one could enlist the help of dynamic services like fail2ban to add an extra bit of security to the system. Fail2ban is a service that runs while your system is live and scans logs for deviations from a baseline that you configure. It's safe to say that a malicious user trying to break a system via the login screen of your web page will not be successful on the first go. With fail2ban, the malicious user might get 3 tries before fail2ban sees the login failures in the log file and bans the host by adding its IP to a jail. Once in the jail, the host won't even be able to request the page it is trying to break, effectively stopping the automated attack. The rules for what and when to ban are entirely up to the administrator, and they work in tandem with many "native" Linux services. New filters can be added using regexes that look for specific strings or methods of attack. Basically, if a person is consistent with their maintenance, they will be able to mitigate most bot-based attacks, at least of the web variety. The best part is that since fail2ban is just a daemon, you can run it on both virtualized and stand-alone servers without any issue.
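To make the "3 tries, then ban" logic above concrete, here is an added example (not code from the original post or from the fail2ban project) that mimics how a fail2ban filter and jail work: a failregex with fail2ban's `<HOST>` placeholder is run over a constructed web-login log, failures per address are counted inside a findtime window, and any host reaching maxretry gets the iptables rule a ban action would insert. The log format, the `login failed ... from <HOST>` message, and the plain DROP-into-INPUT rule are assumptions for illustration; real fail2ban actions use their own chain.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the original post): one "<date> <time> <message>" per line.
SAMPLE_LOG = """\
2024-03-01 10:00:01 login failed for user admin from 203.0.113.7
2024-03-01 10:00:05 login failed for user root from 203.0.113.7
2024-03-01 10:00:09 login failed for user test from 203.0.113.7
2024-03-01 10:00:10 login ok for user alice from 198.51.100.4
2024-03-01 10:00:12 login failed for user bob from 198.51.100.4
2024-03-01 10:30:00 login failed for user bob from 198.51.100.4
2024-03-01 10:31:00 login failed for user bob from 198.51.100.4
"""

# fail2ban-style failregex: the <HOST> token marks the address to ban (assumed message format).
FAILREGEX = r"login failed for user \S+ from <HOST>$"
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(failregex):
    """Expand <HOST> into a capturing group and capture the leading timestamp."""
    return re.compile(r"^(?P<ts>\S+ \S+) " + failregex.replace("<HOST>", HOST_PATTERN))

def find_bans(log_text, failregex=FAILREGEX, maxretry=3, findtime=600):
    """Return hosts with at least `maxretry` matching failures inside any `findtime` seconds."""
    pattern = compile_failregex(failregex)
    window_len = timedelta(seconds=findtime)
    recent = {}        # host -> timestamps of failures still inside the window
    banned = set()
    for line in log_text.splitlines():
        m = pattern.match(line)
        if not m:
            continue   # successful logins and unrelated noise never count
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        host = m.group("host")
        window = [t for t in recent.get(host, []) if ts - t <= window_len]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

def ban_command(host, chain="INPUT"):
    """Simplified ban action: the iptables rule that drops all traffic from `host`."""
    return ["iptables", "-I", chain, "-s", host, "-j", "DROP"]

if __name__ == "__main__":
    for host in sorted(find_bans(SAMPLE_LOG)):
        print(" ".join(ban_command(host)))
```

With the default 10-minute window only 203.0.113.7 is banned; 198.51.100.4 spreads its three failures over 31 minutes and is only caught if findtime is widened, which is the trade-off an administrator tunes when writing the jail.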

Since fail2ban sits on the server and watches the logs, it doesn't care what type of virtualization a VPS might be using. However, you do have to keep semi-decent logging for it to watch, which shouldn't be an issue if you are running default installs. In short, fail2ban and other types of dynamic log monitoring services are great for watching real-time data and protecting against malicious users out on the net. That being said, there is no replacement for a strong authentication policy, including frequent password changes. In our next article, your premier Colorado data center will address the truth about passwords and what makes them strong or weak, as well as the importance of a firm password policy.