
Pre (or post) load iptables rules with CSF/LFD

The world has some really nice people in it. That being said, the world has some really bad people in it. Those bad people want to get into your server and use it for their own purposes. Your job as a Linux administrator (one of your many jobs!) is to make that as hard as possible. I'd say make it impossible for them to crack, but there's no such thing. If they're determined enough and have enough resources (and probably someone on the 'inside'), they'll likely get in.

One of the tools I use often is ConfigServer Firewall (CSF). It is a firewall script that turns a single configuration file into a full set of iptables rules, which lets you lock down a server pretty well. It ships with LFD (Login Failure Daemon), which watches the logs for repeated authentication failures and blocks the offending IP addresses.

You can configure it from the command line by editing /etc/csf/csf.conf directly, or through its user interface (UI). It also ties into popular control panels such as cPanel.

One of the great features of this software is that you can supply your own iptables rules and have them run every time CSF builds its rule set, either before or after CSF adds its own rules.

From the README:
17. External Pre- and Post- Scripts
###################################

External commands (e.g. iptables rules not covered by csf) can be run before
and/or after csf sets up the iptables chains and rules.

1. To run external commands before csf configures iptables create the file:

/etc/csf/csfpre.sh

Set that file as executable and add an appropriate shebang interpreter line and
then whatever external commands you wish to execute.

For example:

#!/bin/sh
/some/path/to/binary -a -b -c etc

Then chmod +x /etc/csf/csfpre.sh

2. To run external commands after csf configures iptables create the file:

/etc/csf/csfpost.sh

Set that file as executable and add an appropriate shebang interpreter line and
then whatever external commands you wish to execute.
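Here is a worked /etc/csf/csfpost.sh to go with the README steps above. It is an added example, not code shipped with CSF; the chain name CSF_EXTRA and the particular rules (dropping packets conntrack cannot classify and TCP flag combinations that only show up in port scans) are illustrative choices. Setting IPT=echo prints the iptables commands instead of running them, which is how the rules can be reviewed before installing the hook.

```sh
#!/bin/sh
# Added example of an /etc/csf/csfpost.sh hook. Not part of CSF; the chain
# name CSF_EXTRA and the rule set below are illustrative choices.
#
# Install: copy to /etc/csf/csfpost.sh, chmod +x /etc/csf/csfpost.sh, then
# run `csf -r` and inspect with `iptables -L INPUT -n --line-numbers`.

IPT="${IPT:-/sbin/iptables}"   # set IPT=echo for a dry run
CHAIN="${CHAIN:-CSF_EXTRA}"    # hypothetical user chain holding our rules

# Create the chain if it does not exist, then flush it so that running the
# hook again (csf -r) never duplicates rules.
ensure_chain() {
    "$IPT" -N "$CHAIN" 2>/dev/null || true
    "$IPT" -F "$CHAIN"
}

# Rules not expressed through csf.conf: drop packets conntrack cannot
# classify and TCP flag combinations that only appear in scans.
add_extra_rules() {
    "$IPT" -A "$CHAIN" -m conntrack --ctstate INVALID -j DROP
    "$IPT" -A "$CHAIN" -p tcp --tcp-flags ALL NONE -j DROP          # NULL scan
    "$IPT" -A "$CHAIN" -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP   # XMAS scan
    "$IPT" -A "$CHAIN" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP   # SYN+FIN
    "$IPT" -A "$CHAIN" -m comment --comment "csfpost.sh end" -j RETURN
}

# Jump into the chain from the top of INPUT so these drops are evaluated
# before csf's own rules. Delete any existing jump first (idempotent).
hook_chain() {
    "$IPT" -D INPUT -j "$CHAIN" 2>/dev/null || true
    "$IPT" -I INPUT 1 -j "$CHAIN"
}

# Dry-run helper: how many rules add_extra_rules would append.
extra_rule_count() {
    (IPT=echo; add_extra_rules) | wc -l | tr -d ' '
}

main() {
    ensure_chain
    add_extra_rules
    hook_chain
}

# Only touch the firewall when csf invokes this file under its hook name.
# Sourcing it, or running it under any other name, just defines the
# functions so the rules can be dry-run with IPT=echo.
case "${0##*/}" in
    csfpre.sh|csfpost.sh) main ;;
esac
```

Two things to check after `csf -r`: that the jump to the custom chain sits where you expect in INPUT (csf rebuilds the chain on every restart, so where your rule ends up depends on whether it was appended or inserted, and `iptables -L INPUT -n --line-numbers` will tell you), and that the hook did not duplicate rules on the second restart. Putting the jump at position 1 means these rules fire ahead of anything in csf.allow, which is what you want for malformed packets but not for rules that should defer to your allow list; for those, use -A instead of -I 1.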


This was a feature that I was wondering about for a while but didn't know it actually existed until recently!

If you're not using CSF/LFD, go check it out at ConfigServer.com