Dans cette article nous allons mettre en place une solution bas\u00e9e sur iptables-persistent et fail2ban afin de s\u00e9curiser notre serveur.<\/p>\n
A la fin de l’article :<\/p>\n
<\/p>\n
Nous avons besoin :<\/p>\n
Plan d’adressage :<\/p>\n
<\/p>\n
[pastacode lang=\u00a0\u00bbbash\u00a0\u00bb manual=\u00a0\u00bb%23%20Vider%20les%20tables%20actuelles%0Aiptables%20-t%20filter%20-F%0A%0A%23%20Vider%20les%20r%C3%B4les%20personnelles%0Aiptables%20-t%20filter%20-X%0A%0A%23%20Interdire%20toute%20connexion%20entrante%20et%20sortante%0Aiptables%20-t%20filter%20-P%20INPUT%20DROP%0Aiptables%20-t%20filter%20-P%20FORWARD%20DROP%0Aiptables%20-t%20filter%20-P%20OUTPUT%20DROP%0A%0A%23%20—%0A%0A%23%20Ne%20pas%20casser%20les%20connexions%20etablies%0Aiptables%20-A%20INPUT%20-m%20state%20–state%20RELATED%2CESTABLISHED%20-j%20ACCEPT%0Aiptables%20-A%20OUTPUT%20-m%20state%20–state%20RELATED%2CESTABLISHED%20-j%20ACCEPT%0A%0A%23%20Autoriser%20loopback%0Aiptables%20-t%20filter%20-A%20INPUT%20-i%20lo%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20OUTPUT%20-o%20lo%20-j%20ACCEPT%0A%0A%23%20ICMP%20(Ping)%0Aiptables%20-t%20filter%20-A%20INPUT%20-p%20icmp%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20OUTPUT%20-p%20icmp%20-j%20ACCEPT%0A%0A%23%20—%0A%0A%23%20Autoriser%20les%20connexion%20ssh%0Aiptables%20-t%20filter%20-A%20INPUT%20-p%20tcp%20–dport%2022%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20OUTPUT%20-p%20tcp%20–dport%2022%20-j%20ACCEPT%0A%0A%23%20DNS%20In%2FOut%0Aiptables%20-t%20filter%20-A%20OUTPUT%20-p%20tcp%20–dport%2053%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20OUTPUT%20-p%20udp%20–dport%2053%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20INPUT%20-p%20tcp%20–dport%2053%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20INPUT%20-p%20udp%20–dport%2053%20-j%20ACCEPT%0A%0A%23%20NTP%20Out%0Aiptables%20-t%20filter%20-A%20OUTPUT%20-p%20udp%20–dport%20123%20-j%20ACCEPT%0A%0A%23%20Autoriser%20les%20connexions%20HTTP%20%2B%20HTTPS%20%0Aiptables%20-t%20filter%20-A%20OUTPUT%20-p%20tcp%20–dport%2080%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20OUTPUT%20-p%20tcp%20–dport%20443%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20INPUT%20-p%20tcp%20–dport%2080%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20INPUT%20-p%20tcp%20–dport%20443%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20INPUT%20-p%20tcp%20–dport%208443%20-j%20ACCEPT%0A%0A%23%20Autoriser%20les%20connexions%20%C3%A0%20l’interface%20Proxmox%0Aiptables%20-t%20filter%20-A%20INPUT%20-p%20tcp%20–dport%208006%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20OUTPUT%20-p%20tcp%20–dport%208006%20-j%20ACCEPT%0A%0A%23%20Autoriser%20les%20connexions%20FTP%0Aiptables%20-t%20filter%20-A%20OUTPUT%20-p%20tcp%20–dport%2020%3A21%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20INPUT%20-p%20tcp%20–dport%2020%3A21%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20INPUT%20-m%20state%20–state%20ESTABLISHED%2CRELATED%20-j%20ACCEPT%0A%0A%23%20Autoriser%20les%20connexions%20au%20serveur%20Mail%20SMTP%3A25%0Aiptables%20-t%20filter%20-A%20INPUT%20-p%20tcp%20–dport%2025%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20OUTPUT%20-p%20tcp%20–dport%2025%20-j%20ACCEPT%0A%0A%23%20Autoriser%20les%20connexions%20au%20serveur%20Mail%20POP3%3A110%0Aiptables%20-t%20filter%20-A%20INPUT%20-p%20tcp%20–dport%20110%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20OUTPUT%20-p%20tcp%20–dport%20110%20-j%20ACCEPT%0A%0A%23%20Autoriser%20les%20connexions%20au%20serveur%20Mail%20IMAP%3A143%0Aiptables%20-t%20filter%20-A%20INPUT%20-p%20tcp%20–dport%20143%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20OUTPUT%20-p%20tcp%20–dport%20143%20-j%20ACCEPT%0A%0A%23%20Autoriser%20les%20connexions%20au%20serveur%20Mail%20POP3S%3A995%0Aiptables%20-t%20filter%20-A%20INPUT%20-p%20tcp%20–dport%20995%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20OUTPUT%20-p%20tcp%20–dport%20995%20-j%20ACCEPT%0A%0A%23%20Protection%20contre%20les%20flood%0Aiptables%20-A%20FORWARD%20-p%20tcp%20–syn%20-m%20limit%20–limit%201%2Fsecond%20-j%20ACCEPT\u00a0\u00bb message=\u00a0\u00bb\u00a0\u00bb highlight=\u00a0\u00bb\u00a0\u00bb provider=\u00a0\u00bbmanual\u00a0\u00bb\/]<\/p>\n
<\/p>\n
[pastacode lang=\u00a0\u00bbbash\u00a0\u00bb manual=\u00a0\u00bbapt-get%20install%20iptables-persistent\u00a0\u00bb message=\u00a0\u00bb\u00a0\u00bb highlight=\u00a0\u00bb\u00a0\u00bb provider=\u00a0\u00bbmanual\u00a0\u00bb\/]<\/p>\n
A l’installation on vous demande d’activer ou pas IP V6.<\/p>\n
ATTENTION : Depuis debian 8, les services sont g\u00e9r\u00e9s via systemctl et le nom du service change \u00e9galement.<\/p>\n
[pastacode lang=\u00a0\u00bbbash\u00a0\u00bb manual=\u00a0\u00bbservice%20netfilter-persistent%20start%0A\u00a0\u00bb message=\u00a0\u00bb\u00a0\u00bb highlight=\u00a0\u00bb\u00a0\u00bb provider=\u00a0\u00bbmanual\u00a0\u00bb\/]<\/p>\n
[pastacode lang=\u00a0\u00bbbash\u00a0\u00bb manual=\u00a0\u00bbiptables-save%20%3E%20%2Fetc%2Fiptables%2Frules.v4%0Aservice%20netfilter-persistent%20restart%0A\u00a0\u00bb message=\u00a0\u00bb\u00a0\u00bb highlight=\u00a0\u00bb\u00a0\u00bb provider=\u00a0\u00bbmanual\u00a0\u00bb\/]<\/p>\n
<\/p>\n
Afin de permettre aux VM de pouvoir communiquer avec le grand internet tout puissant :), Une interface virtuelle \u00ab\u00a0bridg\u00e9e\u00a0\u00bb sur l’interface principale est cr\u00e9\u00e9e, comme le montre la capture ci-dessous :<\/p>\n
[pastacode lang=\u00a0\u00bbbash\u00a0\u00bb manual=\u00a0\u00bbvmbr0%20%20%20%20%20Link%20encap%3AEthernet%20%20HWaddr%2014%3A18%3A77%3A5f%3A0c%3Ad2%0A%20%20%20%20%20%20%20%20%20%20inet%20addr%3AWWW.XXX.YYY.ZZZ%20%20Bcast%3AWWW.XXX.YYY.255%20%20Mask%3A255.255.255.0%0A%20%20%20%20%20%20%20%20%20%20inet6%20addr%3A%20%0A%20Scope%3ALink%0A%20%20%20%20%20%20%20%20%20%20UP%20BROADCAST%20RUNNING%20MULTICAST%20%20MTU%3A1500%20%20Metric%3A1%0A%20%20%20%20%20%20%20%20%20%20RX%20packets%3A17080091%20errors%3A0%20dropped%3A4173%20overruns%3A0%20frame%3A0%0A%20%20%20%20%20%20%20%20%20%20TX%20packets%3A3969016%20errors%3A0%20dropped%3A0%20overruns%3A0%20carrier%3A0%0A%20%20%20%20%20%20%20%20%20%20collisions%3A0%20txqueuelen%3A1000%0A%20%20%20%20%20%20%20%20%20%20RX%20bytes%3A3780244041%20(3.5%20GiB)%20%20TX%20bytes%3A3224313133%20(3.0%20GiB)%0A\u00a0\u00bb message=\u00a0\u00bb\u00a0\u00bb highlight=\u00a0\u00bb\u00a0\u00bb provider=\u00a0\u00bbmanual\u00a0\u00bb\/]<\/p>\n
Comme indiqu\u00e9 en pr\u00e9ambule de cet article nous souhaitons avoir un sous r\u00e9seau pour nos VM. Pour ce faire nous allons cr\u00e9er une deuxieme interface virtuelle.<\/p>\n
Nous allons donc ajouter dans le fichier\u00a0\/etc\/network\/interfaces<\/strong> l’interface vmbr1 qui permettra aux VM de communiquer avec notre serveur proxmox via le sous r\u00e9seau.<\/p>\n [pastacode lang=\u00a0\u00bbbash\u00a0\u00bb manual=\u00a0\u00bbauto%20vmbr1%0Aiface%20vmbr1%20inet%20static%0A%20%20%20%20%20%20%20%20address%20%20192.168.122.1%0A%20%20%20%20%20%20%20%20netmask%20%20255.255.255.0%0A%20%20%20%20%20%20%20%20bridge_ports%20none%0A%20%20%20%20%20%20%20%20bridge_stp%20off%0A%20%20%20%20%20%20%20%20bridge_fd%200%0A\u00a0\u00bb message=\u00a0\u00bb\u00a0\u00bb highlight=\u00a0\u00bb\u00a0\u00bb provider=\u00a0\u00bbmanual\u00a0\u00bb\/]<\/p>\n Une fois le fichier \u00e0 jour il faut d\u00e9marrer notre interface nouvellement cr\u00e9er. Notre r\u00e9seau local aura donc une plage de 192.168.122.0\/32.<\/p>\n [pastacode lang=\u00a0\u00bbbash\u00a0\u00bb manual=\u00a0\u00bbifup%20vmbr1%0A%0AWaiting%20for%20vmbr1%20to%20get%20ready%20(MAXWAIT%20is%202%20seconds).%0A\u00a0\u00bb message=\u00a0\u00bb\u00a0\u00bb highlight=\u00a0\u00bb\u00a0\u00bb provider=\u00a0\u00bbmanual\u00a0\u00bb\/]<\/p>\n Comme nous avons autoris\u00e9 ICMP dans iptables, nous pouvons donc faire un ping sur notre nouvelle interface pour en v\u00e9rifier son bon fonctionnement<\/p>\n [pastacode lang=\u00a0\u00bbbash\u00a0\u00bb manual=\u00a0\u00bbping%20192.168.122.1%0APING%20192.168.122.1%20(192.168.122.1)%2056(84)%20bytes%20of%20data.%0A64%20bytes%20from%20192.168.122.1%3A%20icmp_seq%3D1%20ttl%3D64%20time%3D0.031%20ms%0A64%20bytes%20from%20192.168.122.1%3A%20icmp_seq%3D2%20ttl%3D64%20time%3D0.039%20ms%0A64%20bytes%20from%20192.168.122.1%3A%20icmp_seq%3D3%20ttl%3D64%20time%3D0.045%20ms%0A%5EC%0A—%20192.168.122.1%20ping%20statistics%20—%0A3%20packets%20transmitted%2C%203%20received%2C%200%25%20packet%20loss%2C%20time%201998ms%0Artt%20min%2Favg%2Fmax%2Fmdev%20%3D%200.031%2F0.038%2F0.045%2F0.007%20ms%0A\u00a0\u00bb message=\u00a0\u00bb\u00a0\u00bb highlight=\u00a0\u00bb\u00a0\u00bb provider=\u00a0\u00bbmanual\u00a0\u00bb\/]<\/p>\n Comme expliqu\u00e9 plus haut :<\/p>\n il faut donc autoriser notre plage d’ip locale \u00e0 acc\u00e9der \u00e0 internet.<\/p>\n Etape 1 : on autorise les entr\u00e9es et le transfert des paquets depuis l’interface vmbr0<\/p>\n [pastacode lang=\u00a0\u00bbbash\u00a0\u00bb manual=\u00a0\u00bbiptables%20-t%20filter%20-A%20INPUT%20-i%20vmbr0%20-j%20ACCEPT%0Aiptables%20-t%20filter%20-A%20FORWARD%20-i%20vmbr0%20-j%20ACCEPT\u00a0\u00bb message=\u00a0\u00bb\u00a0\u00bb highlight=\u00a0\u00bb\u00a0\u00bb provider=\u00a0\u00bbmanual\u00a0\u00bb\/]<\/p>\n Etape 2 : on fait du masquerade sur les interfaces et la plage d’adresse locale :<\/p>\n [pastacode lang=\u00a0\u00bbbash\u00a0\u00bb manual=\u00a0\u00bbiptables%20-t%20nat%20-A%20POSTROUTING%20-o%20vmbr0%20-j%20MASQUERADE%0Aiptables%20-t%20nat%20-A%20POSTROUTING%20-o%20vmbr1%20-j%20MASQUERADE%0Aiptables%20-t%20nat%20-A%20POSTROUTING%20-s%20192.168.122.0%2F32%20-o%20vmbr0%20-j%20MASQUERADE\u00a0\u00bb message=\u00a0\u00bb\u00a0\u00bb highlight=\u00a0\u00bb\u00a0\u00bb provider=\u00a0\u00bbmanual\u00a0\u00bb\/]<\/p>\n A partir de la nous pouvons tester un update sur une de nos VM pour contr\u00f4ler que les paquets se mettent bien \u00e0 jour.<\/p>\n [pastacode lang=\u00a0\u00bbbash\u00a0\u00bb manual=\u00a0\u00bbiptables%20-t%20filter%20-A%20FORWARD%20-d%20192.168.122.100%2F32%20-p%20tcp%20-m%20tcp%20–dport%2022%20-m%20state%20–state%20NEW%20-j%20ACCEPT\u00a0\u00bb message=\u00a0\u00bb\u00a0\u00bb highlight=\u00a0\u00bb\u00a0\u00bb provider=\u00a0\u00bbmanual\u00a0\u00bb\/]<\/p>\n <\/p>\n [pastacode lang=\u00a0\u00bbbash\u00a0\u00bb manual=\u00a0\u00bbiptables%20-t%20nat%20-A%20PREROUTING%20-d%20XXX.XXX.XXX.XXX%2F32%20-p%20tcp%20-m%20tcp%20–dport%2010022%20-j%20DNAT%20–to-destination%20192.168.122.100%3A22″ message=\u00a0\u00bb\u00a0\u00bb highlight=\u00a0\u00bb\u00a0\u00bb provider=\u00a0\u00bbmanual\u00a0\u00bb\/]<\/p>\n [pastacode lang=\u00a0\u00bbbash\u00a0\u00bb manual=\u00a0\u00bbiptables-save%20%3E%20%2Fetc%2Fiptables%2Frules.v4%0Aservice%20netfilter-persistent%20restart\u00a0\u00bb message=\u00a0\u00bb\u00a0\u00bb highlight=\u00a0\u00bb\u00a0\u00bb provider=\u00a0\u00bbmanual\u00a0\u00bb\/]<\/p>\n Si vous n’avais pas configurer les 2 interfaces de votre VM vous devrais le faire manuellement<\/p>\n Les champs n\u00e9cessaires :<\/p>\n Une fois la connexion \u00e9tablie la commande ifconfig nous confirmeras que l’interface avec l’ip locale est bien active<\/p>\n [pastacode lang=\u00a0\u00bbbash\u00a0\u00bb manual=\u00a0\u00bbifconfig%20eth1%0Aeth1%20%20%20%20%20%20Link%20encap%3AEthernet%20%20HWaddr%2022%3A72%3A12%3A40%3ABE%3AE0%0A%20%20%20%20%20%20%20%20%20%20inet%20addr%3A192.168.122.100%20%20Bcast%3A192.168.122.255%20%20Mask%3A255.255.255.0%0A%20%20%20%20%20%20%20%20%20%20inet6%20addr%3A%20fe80%3A%3A2072%3A12ff%3Afe40%3Abee0%2F64%20Scope%3ALink%0A%20%20%20%20%20%20%20%20%20%20UP%20BROADCAST%20RUNNING%20MULTICAST%20%20MTU%3A1500%20%20Metric%3A1%0A%20%20%20%20%20%20%20%20%20%20RX%20packets%3A326%20errors%3A7%20dropped%3A0%20overruns%3A0%20frame%3A7%0A%20%20%20%20%20%20%20%20%20%20TX%20packets%3A320%20errors%3A0%20dropped%3A0%20overruns%3A0%20carrier%3A0%0A%20%20%20%20%20%20%20%20%20%20collisions%3A0%20txqueuelen%3A1000%0A%20%20%20%20%20%20%20%20%20%20RX%20bytes%3A36856%20(35.9%20KiB)%20%20TX%20bytes%3A37628%20(36.7%20KiB)%0A\u00a0\u00bb message=\u00a0\u00bb\u00a0\u00bb highlight=\u00a0\u00bb\u00a0\u00bb provider=\u00a0\u00bbmanual\u00a0\u00bb\/]<\/p>\n Nous venons de configurer les acc\u00e8s \u00e0 notre serveur et \u00e0 ses VM.<\/p>\n Nous pouvons aller plus loin en se prot\u00e9geant des attaques du grand internet grace \u00e0\u00a0fail2ban<\/a><\/p>\n Pr\u00e9ambule But de cet article Dans cette article nous allons mettre en place une solution bas\u00e9e sur iptables-persistent et fail2ban afin de s\u00e9curiser notre serveur. A la fin de l’article : Notre serveur h\u00f4te : Bloquera les diff\u00e9rentes attaques du grand internet. Il faut le reconna\u00eetre qu’elles viennent souvent de Chine, de Russie ou d’Inde. … Continuer la lecture de « S\u00e9curiser son serveur d\u00e9di\u00e9 proxmox avec iptables »<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-280","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/communaute-omr.fr\/index.php?rest_route=\/wp\/v2\/posts\/280","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/communaute-omr.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/communaute-omr.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/communaute-omr.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/communaute-omr.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=280"}],"version-history":[{"count":18,"href":"https:\/\/communaute-omr.fr\/index.php?rest_route=\/wp\/v2\/posts\/280\/revisions"}],"predecessor-version":[{"id":314,"href":"https:\/\/communaute-omr.fr\/index.php?rest_route=\/wp\/v2\/posts\/280\/revisions\/314"}],"wp:attachment":[{"href":"https:\/\/communaute-omr.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/communaute-omr.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/communaute-omr.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Autoriser nos VM \u00e0 se connecter \u00e0 internet<\/h2>\n
\n
Permettre les connexions ssh sur les VM depuis internet<\/h1>\n
Les r\u00e8gles \u00e0 mettre en place<\/h2>\n
\n
\n
Mise en place des r\u00e8gles<\/h2>\n
Etape 1 : Autoriser la redirection sur le port ssh de la VM.<\/h4>\n
Etape 2 : on redirige le port ssh et l’ip public vers le port ssh et l’ip locale de la VM<\/h4>\n
Etape 4 : On sauve les r\u00e8gles dans iptables-persistent<\/h4>\n
Etape 5 : On configure les interfaces r\u00e9seau de la VM<\/h4>\n
\n
Etape 6 : On configure putty pour se connecter au serveur<\/h4>\n
\n
Pour aller plus loin<\/h1>\n
<\/h1>\n","protected":false},"excerpt":{"rendered":"