Fun with Firewalls

Firewalls are not fun.  I've got to open with that statement as I've been doing a lot of work with firewalls in the past couple of weeks.  It's not been the most enjoyable of experiences, but I can see why it is needed.

I've been working with some during my day job in order to tighten security around our servers, basic stuff really, as there's some important data on there.  But my most recent experience was this week, when I got an e-mail from my hosting company to inform me that my server had been blacklisted for sending spam.

This intrigued me, as I've never set up a mail server on it, let alone users able to connect and send mail; but blacklisted I was.  I had 48 hours to figure out what had happened and then put measures in place to stop it.  My first thought was that someone had accessed the server via FTP, but then I saw that it was disabled (I make a point of only enabling FTP when I am uploading something), and I knew it wasn't SSH access, as that doesn't allow access via username and password.  It's locked down to log in using a private key, and not even I know the passphrase for the key (my password manager does).

Into the logs we go!

There were some rather large mail logs, so I took a look at them and saw that there were hundreds of connection requests trying to use the server as a relay.  Excellent, not something I had factored in when I got the server.  My first thought was to ask the hosting company for a firewall to configure, but then I remembered that the hosts provide servers and basic services to keep costs down.  If you want a firewall, you've got to do it yourself.  Brilliant!
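An added example (not from the original post) of the check described above: a small script that tallies relay rejections and connections per client IP over a handful of constructed log lines. The Postfix-style smtpd format is an assumption, since the post does not name its mail server.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd format (assumed; the post does not
# name its MTA). "Relay access denied" is Postfix's 554 rejection of a client
# that tried to send mail through this server to an outside domain.
SAMPLE_LOG = """\
Nov 12 03:14:22 web1 postfix/smtpd[2184]: connect from unknown[198.51.100.7]
Nov 12 03:14:22 web1 postfix/smtpd[2184]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <bob@example.net>: Relay access denied; from=<a@example.org> to=<bob@example.net> proto=ESMTP helo=<x>
Nov 12 03:14:23 web1 postfix/smtpd[2184]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <carol@example.net>: Relay access denied; from=<a@example.org> to=<carol@example.net> proto=ESMTP helo=<x>
Nov 12 03:14:25 web1 postfix/smtpd[2190]: connect from mail.example.com[203.0.113.9]
Nov 12 03:14:25 web1 postfix/smtpd[2190]: 7A1B2C3D4E: client=mail.example.com[203.0.113.9]
Nov 12 03:14:30 web1 postfix/smtpd[2190]: disconnect from mail.example.com[203.0.113.9]
Nov 12 03:15:01 web1 postfix/smtpd[2184]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <dave@example.net>: Relay access denied; from=<a@example.org> to=<dave@example.net> proto=ESMTP helo=<x>
Nov 12 03:16:40 web1 postfix/smtpd[2201]: connect from unknown[192.0.2.44]
Nov 12 03:16:40 web1 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 554 5.7.1 <eve@example.net>: Relay access denied; from=<b@example.org> to=<eve@example.net> proto=ESMTP helo=<y>
"""

# Client IP sits in brackets after the (possibly unresolved) hostname.
RELAY_DENIED_RE = re.compile(r"RCPT from \S+?\[([^\]]+)\]: 554 .*Relay access denied")
# ": connect from" does not match "disconnect from" lines.
CONNECT_RE = re.compile(r": connect from \S+?\[([^\]]+)\]")


def count_matches(log_text, pattern):
    """Count how many lines match `pattern`, keyed by the captured client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def relay_attempts(log_text):
    """Relay rejections per client IP."""
    return count_matches(log_text, RELAY_DENIED_RE)


def suspicious_relayers(log_text, threshold=3):
    """Clients with at least `threshold` relay rejections, most active first."""
    return [(ip, n) for ip, n in relay_attempts(log_text).most_common() if n >= threshold]


if __name__ == "__main__":
    print("connections:", dict(count_matches(SAMPLE_LOG, CONNECT_RE)))
    print("relay attempts:", dict(relay_attempts(SAMPLE_LOG)))
    print("suspicious:", suspicious_relayers(SAMPLE_LOG))
```

On a real box, pipe the contents of the mail log in place of `SAMPLE_LOG`; the per-IP counts are what tell you whether the traffic is a handful of misconfigured senders or a sustained relay probe worth blocking at the firewall.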

After a short time googling, I found there was a simple firewall for Ubuntu (because Debian wasn't an option when I got the server), which meant I wouldn't have to use iptables.  That's the one for me!  A few settings later, access was allowed for HTTP and SSH.  Ports 25 and 23 (SMTP and telnet) were closed off and everything was tighter than before.  A quick removal of the logs and a bit of checking for a couple of days and voila!  No more spam from my server (for now).

I'm certain there's more I can do to lock it down, but it's a start.  Always factor in the firewall when setting up a new server.  If it's not connected to one, connect one or install one!