FireHOL – Linux firewalling and traffic shaping for humans

firehol.org

123 points by trizic 7 years ago · 23 comments

Bucephalus355 7 years ago

We have a couple of servers we can’t move to the cloud for a variety of reasons. In addition, they are running some super legacy applications.

Because of this, we’ve really had to focus on OS level security to protect the application (OS is surprisingly Ubuntu 16).

Good Linux Security Software:

- ModSecurity V3...tough to figure out but so worth it. An incredible L7 Firewall. Immediately provides benefits

- UFW...utterly saves you from IPTABLES. Also has some neat brute force protection (ufw limit ssh).

- ModEvasive...Apache Module which is great for preventing automated vuln scanners like Burp Suite

- ClamAV...antivirus, who knows how effective but is popular

- RKHunter...rootkit hunter, hard to tune but can be worth it

Biggest benefit we got though was from setting all HTTPS Headers on the web server (there are 7 of them now I think you can set). The latest headers like “Feature-Policy” which can disable JavaScript’s access to webcam, microphone, and more have been very useful.

  • Karunamon 7 years ago

    I find that UFW is more of a pain than its worth when it comes to simple rules everybody needs like "block everything, allow this handful of ports", mostly because the syntax is too english-like and so it's easier to get confused how you're supposed to write the rule.

    It also spews a bunch of chains all over iptables, making it harder to understand when you actually need to use it directly for something more advanced like mangling.

    • chmln 7 years ago

      Yeah, the documentation isn't great. However,

      > block everything, allow this handful of ports

      This is trivial.

        ufw default deny incoming
        ufw allow 22
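      The same "block everything, allow this handful of ports" policy expressed in FireHOL's own configuration language, added here as an illustration rather than taken from the thread or from the FireHOL project; it assumes a single Internet-facing interface named eth0 and that the host only serves SSH, HTTP and HTTPS.

```firehol
# /etc/firehol/firehol.conf (assumed path; interface name eth0 is assumed)
version 6

interface eth0 internet
    # Drop fragments, invalid packets, SYN floods and similar noise
    # before any service rule is evaluated.
    protection strong

    # Services this host offers to the world. Anything not listed
    # falls through to the policy at the end of the block.
    server ssh accept
    server http accept
    server https accept

    # Connections initiated by this host (updates, DNS, etc.) are allowed.
    client all accept

    # Everything else arriving on eth0 is silently dropped.
    policy drop
```

      Loading it with `firehol try` applies the rules and reverts them automatically unless you confirm within the timeout, which protects a remote SSH session from a typo in the allow list.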
  • h1d 7 years ago

    I wonder though, is a rootkit even detectable? Perhaps most are.

  • ratiolat 7 years ago

    Which headers are you talking about?

unethical_ban 7 years ago

I'm mobile, but has this been updated? I used this in college back in 08 and it was much better than iptables but I don't know if it's kept up with the times.

64738 7 years ago

Nice to see it posted here, I've been a happy user of FireHOL for a decade, if not more. For a while I was worried it was going to be abandoned, I'm really glad it wasn't.

I'm not a network guy but I was tasked with setting up some servers at a co-lo, including a box to act as the router. FireHOL was a godsend for helping me to set up the rules.

I haven't tried FireQOS yet, but I really want to play with it.

iammeow 7 years ago

I've used their iplists in pfblocker-ng for 3 years. It's incredibly useful, like "let's block all traffic from tor exit nodes that appeared online in the last 30 days".

qwerty456127 7 years ago

Cool! Add application-level rules (like LittleSnitch) and I'm buying (literally, I don't mind paying for such a feature).

bepvte 7 years ago

I've used FireQOS and it was a lovely tool; I highly recommend it.

joelthelion 7 years ago

Firehole? Weird name...

orastor 7 years ago

Read this as a firewall for humans. Am disappointed