As a serious security researcher, I'm looking for an answer to securing an Ubuntu installation against unwanted intrusion. This should include how I can:
- Log and alert remote connection attempts,
- Log and alert when a file changes, as well as restore those files on request,
- Whether it is necessary to harden the TCP/IP stack of the machine.
My end use-case scenario is going to be in VirtualBox for ease of restoration, so it would be great to know what I need to do to get the image started.
Would the following iptables definitions serve the same purpose as fail2ban?
$ iptables -N IN_SSH                                                        # user chain for new SSH connections
$ iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH  # send only NEW SSH connections to it
$ iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP    # 3+ in 10 s: drop
$ iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP  # 4+ in 30 min: drop
$ iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT                 # record the address, then accept (target names are upper-case)
P.S.: Would someone give the code to properly box off scripting?
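To see what the rule set above actually enforces, here is an added Python model of the IN_SSH chain (illustration code, not from the question or from any project). It assumes the xt_recent semantics as documented in iptables-extensions: `--set` appends a timestamp for the source address (the kernel keeps at most `ip_pkt_list_tot` stamps per address, default 20), and `--rcheck --seconds S --hitcount N` matches when the address already has at least N stamps newer than S seconds; `--rttl` only adds a TTL comparison and is ignored here. Because a DROPped packet never reaches the `--set` rule, a rejected attempt does not extend the address's record. The model also makes the difference from fail2ban visible: these rules count new TCP connections per source, whatever happens afterwards, whereas fail2ban bans on failed logins read from the auth log. The timeline below is constructed, not captured traffic.

```python
"""Model of the iptables IN_SSH chain built on the 'recent' match (added illustration)."""
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20  # kernel default for xt_recent: stamps kept per address


class RecentList:
    """One xt_recent list; the rules in the question name theirs 'sshbf'."""

    def __init__(self, max_stamps=IP_PKT_LIST_TOT):
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, ip, now):
        # --set: record this packet's arrival time for the source address
        self.stamps[ip].append(now)

    def rcheck(self, ip, now, hitcount, seconds):
        # --rcheck --seconds --hitcount: true when at least `hitcount`
        # recorded stamps for this address fall within the last `seconds`
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= seconds)
        return hits >= hitcount


def in_ssh(recent, ip, now):
    """Walk the IN_SSH chain for one NEW SSH connection and return the verdict."""
    if recent.rcheck(ip, now, hitcount=3, seconds=10):
        return "DROP"        # rule 1: three or more connections in the last 10 s
    if recent.rcheck(ip, now, hitcount=4, seconds=1800):
        return "DROP"        # rule 2: four or more connections in the last 30 min
    recent.set(ip, now)      # rule 3: remember this connection, then accept it
    return "ACCEPT"


def simulate(attempts):
    """attempts: iterable of (timestamp_seconds, source_ip) in arrival order.

    Returns a list of (timestamp, ip, verdict) with one shared 'sshbf' list,
    so the per-address history carries over exactly as the kernel's would.
    """
    recent = RecentList()
    return [(t, ip, in_ssh(recent, ip, t)) for t, ip in attempts]


if __name__ == "__main__":
    # Constructed timeline (hypothetical addresses from the documentation ranges):
    # one source hammers the port, a second source connects once in between.
    timeline = [
        (0, "192.0.2.10"), (1, "192.0.2.10"), (2, "192.0.2.10"), (3, "192.0.2.10"),
        (3, "198.51.100.7"),
        (20, "192.0.2.10"), (25, "192.0.2.10"), (1900, "192.0.2.10"),
    ]
    for t, ip, verdict in simulate(timeline):
        print(f"t={t:5d}s  {ip:<14} -> {verdict}")
```

Reading the output: the fourth connection inside 10 s is dropped, the fifth one at t=20 s is accepted again (only three stamps exist, because the drop recorded nothing), the sixth is dropped by the 30-minute rule, and after 1800 s have elapsed the address is clean again. Nothing here inspects whether any login succeeded, which is exactly the gap fail2ban fills.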