I need a firewall. What are my options?
You should be running a firewall.
The firewalls that ship with your system usually do not have the ports DirectAdmin needs open, nor do they have the ability to automatically block attacking IPs.
Most people use option 3 (both):
1. The free plugin called CSF is a popular choice:
2. Alternatively, we provide a free iptables script for the Brute Force Monitor (BFM), including several scripts to link it with DirectAdmin (DA) so that DA can monitor and act on attacks, blocking IPs.
3. Both: If you decide to use CSF, there is a set of scripts which can be used to link the BFM to CSF, so you get the best of both. It will use the iptables configuration and all features of CSF, plus the added benefit of the BFM, which finds some extra cases that trigger the blocks through CSF.
Fast version of the above guide:
- Shorewall: Guide provided by client:
For FTP with TLS, you must explicitly tell iptables to open ports 35000-35999: the ip_conntrack_ftp helper learns the passive data port by reading the FTP control channel, which it cannot do once that channel is encrypted, so it cannot open the data port on the fly.
For CSF: http://forum.directadmin.com/showthread.php?t=50759&p=262589#post262589
For block_ip/iptables: http://forum.directadmin.com/showthread.php?t=50759&p=262346#post262346
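As an added example (not one of the DirectAdmin scripts or guides linked above), the iptables rules that the FTP-with-TLS note implies: the control port is allowed, and the passive range 35000-35999 is opened explicitly because the conntrack FTP helper cannot read the encrypted control channel. The `PASV_RANGE` and `IPT` variables and the `print`/`apply` switch are my own; the range is assumed to match the passive range configured in the FTP server.

```shell
#!/bin/sh
# Added example: iptables rules for FTP over TLS. For plain FTP the
# nf_conntrack_ftp helper watches PASV/PORT on the control channel and
# lets the data connection in as RELATED; under TLS it cannot see those
# commands, so the passive range must be opened with an explicit rule.
set -e

PASV_RANGE="35000:35999"   # assumption: same range as in the FTP server config
IPT="${IPT:-iptables}"     # assumption: iptables binary in PATH

# ftp_tls_rules prints the rules (default) so they can be reviewed, or
# applies them when called with "apply". Assumes INPUT policy is DROP.
ftp_tls_rules() {
    mode="${1:-print}"
    run() {
        if [ "$mode" = "apply" ]; then "$@"; else echo "$*"; fi
    }
    # Return traffic of existing flows (also covers helper-tracked plain FTP)
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # FTP control channel
    run "$IPT" -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    # Passive data channel: must be explicit, conntrack cannot open it for TLS
    run "$IPT" -A INPUT -p tcp --dport "$PASV_RANGE" -m conntrack --ctstate NEW -j ACCEPT
}

# count_pasv_rules returns how many generated rules open the passive range
count_pasv_rules() {
    ftp_tls_rules print | grep -c -- "--dport $PASV_RANGE"
}

ftp_tls_rules "${1:-print}"
```

Run it without arguments to see the rules; run it with `apply` as root to insert them.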