Shifting the SSH listening port to non-22 and enabling fail2ban filters are solid steps toward hardening your server environment. Let’s take it a step further and leverage the power of the iptables firewall.
The following is a basic configuration for web, email, and SSH traffic.
Allow already established connections on all available interfaces, in this case eth0 and eth1:
Allow TCP connection attempts for SSH, replace
Allow HTTP and HTTPS:
Allow SMTP and IMAP, ports 25 and 993 respectively:
Change the default policy for the INPUT chain to DROP, i.e. drop every incoming connection except traffic matched by the rules above. Only implement this once you have confirmed you can maintain access to the server over SSH:
Save your new ruleset, for Debian:
Your configuration should look something like this:
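As an added example (not code from the original post), the script below generates the ruleset described above in the format that `iptables-restore` reads, and refuses to load it unless it contains an ACCEPT rule for the SSH port, which is the "confirm you keep SSH access" check before the INPUT policy goes to DROP. The SSH port 2222, the interfaces eth0/eth1, the loopback rule and the save path /etc/iptables.rules are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example: build, check and apply the basic web/mail/SSH ruleset.
# Assumptions (placeholders): SSH on 2222, interfaces eth0 and eth1.

# build_rules SSH_PORT IFACE...  -> prints a ruleset for iptables-restore
build_rules() {
    ssh_port="$1"; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # default policy: drop unmatched input
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'   # loopback (added, not in the post)
    for ifc in "$@"; do                        # established connections per interface
        printf '%s\n' "-A INPUT -i $ifc -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT"
    for port in 80 443 25 993; do              # HTTP, HTTPS, SMTP, IMAPS
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# check_ssh_allowed SSH_PORT RULESET -> 0 only if new SSH connections on
# SSH_PORT are accepted; run before switching the INPUT policy to DROP.
check_ssh_allowed() {
    printf '%s\n' "$2" | grep -qF -- "--dport $1 -m state --state NEW -j ACCEPT"
}

# apply_rules SSH_PORT IFACE... -> saves the ruleset and loads it (needs root)
apply_rules() {
    rules=$(build_rules "$@")
    if ! check_ssh_allowed "$1" "$rules"; then
        echo "refusing to apply: no ACCEPT rule for SSH port $1" >&2
        return 1
    fi
    printf '%s\n' "$rules" > /etc/iptables.rules   # save path is an assumption
    iptables-restore < /etc/iptables.rules
}

if [ "${1:-}" = "print" ]; then   # ./rules.sh print -> show the generated ruleset
    build_rules 2222 eth0 eth1
fi
```

Review the printed ruleset on the console before calling apply_rules from a session you can afford to lose; the lo rule keeps local services such as a mail transport agent talking to itself after the policy flips to DROP.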
Edit: Feb 3, 2014
I’ve posted part two of this ever-evolving series of security-related posts: whitelisting ICMP traffic.