Example iptables configuration for Web Servers

Setting up a host-based firewall to protect your server from the nasties of the internet is a very simple step, and one that can easily backfire when you lock yourself out of SSH.

Below is a very simple script that sets up basic firewall restrictions for a web server such as Apache or Nginx. It does the following:

  • Allows all traffic from the server to its own loopback interface, which lots of system and application functions depend on
  • Allows ports 80 and 443 inbound from any source, for your HTTP and HTTPS sites
  • Allows all outbound connections from the server and the reply traffic for those connections, which is needed to reach package repositories and APIs, send email and so on
  • Allows inbound SSH from the internet, but drops any source that attempts to connect more than 4 times in a minute, which blunts (although does not stop) SSH brute forcing
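The four rules above as an iptables-restore rule set, written here as an added example rather than the post's own script (which sits behind the link below). It assumes iptables with the conntrack and recent match modules; SSH_PORT and ROLLBACK_SECS are this example's own knobs, and the syntax check and the timed rollback job are additions on top of the bullets, there to cover the lock-yourself-out failure mode.

```shell
#!/bin/sh
# Added example, not the original post's script: generate (and optionally
# apply) an iptables rule set for a web server that matches the four bullets.
# Assumes iptables-restore plus the conntrack and recent match modules.
# SSH_PORT and ROLLBACK_SECS are knobs invented for this example.

SSH_PORT="${SSH_PORT:-22}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

gen_rules() {
  # Prints the rule set in iptables-restore format. Default policy is DROP
  # inbound, ACCEPT outbound; nothing is forwarded.
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Loopback: local services talk to each other over lo
-A INPUT -i lo -j ACCEPT
# 3. Replies to connections this server opened (OUTPUT policy is ACCEPT)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 2. HTTP and HTTPS from anywhere
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# 4. SSH: record each new connection per source IP, then drop the 5th (and
#    later) attempt seen within 60 seconds, i.e. more than 4 per minute.
#    --update also refreshes the timestamp, so a source that keeps hammering
#    stays blocked until it goes quiet for a minute.
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

input_rule_count() {
  # Number of INPUT rules in the generated set (7 for the set above).
  gen_rules | grep -c '^-A INPUT'
}

apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
  # Parse-only pass first: catches typos before anything is loaded.
  gen_rules | iptables-restore --test || return 1
  # Lock-out safety net: a background job opens the firewall back up after
  # ROLLBACK_SECS unless you kill it once a *new* SSH session has worked.
  ( sleep "$ROLLBACK_SECS" && iptables -P INPUT ACCEPT && iptables -F ) &
  echo "rollback job PID $! fires in ${ROLLBACK_SECS}s; kill it after testing SSH" >&2
  gen_rules | iptables-restore
}

case "${1:-}" in
  --apply) apply_rules ;;
  *)       gen_rules ;;   # default: print the rule set for review
esac
```

Run it with no arguments to review the rules, then `--apply` as root from an existing SSH session and open a second session before killing the rollback job. Two caveats: this is IPv4 only, so an ip6tables set is needed if the host has a public IPv6 address, and the rate limit is per source IP, so it slows a single brute-forcer but does nothing against a distributed one; it also counts your own reconnects, so raise the hitcount if you open many sessions in quick succession. Once happy, persist the rules with your distribution's mechanism (iptables-persistent on Debian-based systems, for example), otherwise they vanish at reboot.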

Continue reading “Example iptables configuration for Web Servers”

SSL Certificate discovery script

Heartbleed (CVE-2014-0160): if you were running a vulnerable OpenSSL build, you need to replace, and more importantly re-key, every certificate whose private key may have been exposed. Remember that although only OpenSSL itself was vulnerable, a private key leaked from one vulnerable host is compromised everywhere that certificate is installed, so every platform that shares the certificate needs the replacement, not just the devices that ran the now-patched OpenSSL.

Identifying all of your vulnerable devices is a task in itself; finding every place a certificate is installed, so that the re-issue and re-installation can begin, can be an impressive feat of its own.

Scripting a discovery scan

The bash script below scans a list of IP addresses or DNS names and reports the Common Name of the certificate each one presents.
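A discovery scan of that shape as an added example, not the post's own script (which sits behind the link below). It assumes the openssl and timeout command-line tools, a target file with one host or host:port per line (port 443 if omitted), and goes a little beyond the description: it also prints the certificate's notBefore date, which is what tells you whether a certificate was issued before or after you patched, and it speaks STARTTLS on the common mail ports so certificates on SMTP, IMAP and POP3 services show up too.

```shell
#!/bin/sh
# Added example, not the post's own script: scan a list of hosts and report
# the Common Name and notBefore date of the certificate each one presents.
# Assumes the openssl and timeout CLIs. TIMEOUT_SECS is this example's knob.
# IPv6 literals (which contain colons) are not handled by the host:port split.

TIMEOUT_SECS="${TIMEOUT_SECS:-5}"

extract_cn() {
  # Reads an "openssl x509 -noout -subject" line on stdin and prints the CN.
  # Handles both the old "/C=GB/CN=host" and the new "C = GB, CN = host" layouts.
  sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

extract_not_before() {
  # Reads "openssl x509 -noout -startdate" output and prints the date part.
  sed -n 's/^notBefore=//p'
}

fetch_cert() {
  # $1 = host, $2 = port. Prints the PEM leaf certificate, or nothing on failure.
  starttls=""
  case "$2" in
    25|587) starttls="-starttls smtp" ;;
    143)    starttls="-starttls imap" ;;
    110)    starttls="-starttls pop3" ;;
  esac
  # -servername sends SNI so name-based virtual hosts return the right cert;
  # the empty stdin makes s_client exit as soon as the handshake is done.
  printf '' | timeout "$TIMEOUT_SECS" openssl s_client -connect "$1:$2" \
      -servername "$1" $starttls 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

scan_host() {
  # $1 = host or host:port. Prints "host:port<TAB>CN<TAB>notBefore".
  host="${1%%:*}"
  port="${1#*:}"
  [ "$port" = "$1" ] && port=443
  pem=$(fetch_cert "$host" "$port")
  if [ -z "$pem" ]; then
    printf '%s:%s\tNO-CERT\t-\n' "$host" "$port"
    return 0
  fi
  cn=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | extract_cn)
  nb=$(printf '%s\n' "$pem" | openssl x509 -noout -startdate | extract_not_before)
  printf '%s:%s\t%s\t%s\n' "$host" "$port" "${cn:-?}" "${nb:-?}"
}

scan_list() {
  # Reads targets from file $1, skipping blank lines and # comments.
  while IFS= read -r target || [ -n "$target" ]; do
    case "$target" in ''|'#'*) continue ;; esac
    scan_host "$target"
  done < "$1"
}

if [ $# -gt 0 ]; then
  scan_list "$1"
else
  echo "usage: $0 hostlist.txt   (one host or host:port per line)" >&2
fi
```

Feed it a hosts file and sort the output by the last column: anything with a notBefore earlier than your patch date is still on the old key. The scan only sees certificates presented by a listening TLS service, so certificates used for client authentication, internal signing or on hosts behind a load balancer that terminates TLS will not appear and still have to be tracked down by hand. Name-based virtual hosts need one line per name, since the certificate returned depends on the SNI value sent.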

Continue reading “SSL Certificate discovery script”