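# Basic Firewall Rules
# The INPUT chain is evaluated top to bottom and the first match wins, so any
# gated rule (rate limit, port knocking) must come before an unconditional
# ACCEPT for the same port, and the DROP policy set at the end catches the rest.
# Allow loopback first: with a DROP policy, local services talking to 127.0.0.1 break without it
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections (this also keeps the current admin session alive when the policy flips to DROP)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow HTTP/HTTPS, with new port-80 connections rate limited.
# "-m limit" is one aggregate bucket for the whole rule, not a per-source limit;
# new connections above 25/minute (burst 100) fall through to the explicit DROP,
# which is what makes the limit effective (an ACCEPT alone limits nothing).
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j DROP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Port knocking: 1234 -> 2345 -> 3456, each within 10 s of the previous knock,
# then SSH is accepted for 30 s from that source. Each stage promotes the source
# to the next recent(8) list (SSH0 -> SSH1 -> SSH2); a knock out of order simply
# never reaches SSH2. Stage rules end in DROP so the knock ports are not answered.
iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 30 --name SSH2 -j ACCEPT
iptables -A INPUT -p tcp --dport 3456 -m recent --rcheck --seconds 10 --name SSH1 -m recent --set --name SSH2 -j DROP
iptables -A INPUT -p tcp --dport 2345 -m recent --rcheck --seconds 10 --name SSH0 -m recent --set --name SSH1 -j DROP
iptables -A INPUT -p tcp --dport 1234 -m recent --set --name SSH0 -j DROP
# An unconditional SSH ACCEPT placed anywhere in this chain makes the knocking
# sequence dead code; it is left disabled here. Enable it instead of the four
# rules above if knocking is not wanted, and keep console or out-of-band access
# available while testing either variant.
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Default deny, set last so the accept rules are already in place
iptables -P INPUT DROP
iptables -P FORWARD DROP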
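# snort.conf (Snort 2.x syntax: var/include; Snort 3 uses a Lua configuration instead)
# Network variables
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
# RULE_PATH is referenced by the includes below but is not defined in this
# excerpt; it must be set before the include lines or the file fails to load:
# var RULE_PATH <rules-dir>
# Rule sets
include $RULE_PATH/local.rules
include $RULE_PATH/emerging-threats.rules
# Custom rule example
# A Snort rule must sit on one line or be continued with a trailing backslash;
# the form below uses continuation so each option stays on its own line.
# Scope note: flow:established means this counts completed TCP connections to
# port 22 per source, not failed logins, so a burst of legitimate sessions from
# one host also fires it; tune count/seconds against real traffic.
# The "threshold" rule option is deprecated in Snort 2.x in favor of
# detection_filter (in the rule) or event_filter (in the config); it still parses here.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( \
    msg:"SSH Brute Force Attempt"; \
    flow:to_server,established; \
    threshold:type threshold, track by_src, count 5, seconds 60; \
    classtype:attempted-admin; \
    sid:1000001; rev:1; \
)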
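# suricata.yaml
# YAML is indentation-sensitive: address-groups must be nested under vars and
# each group under address-groups, otherwise the file fails to load.
vars:
  address-groups:
    # Only two of the RFC 1918 ranges are listed; if 172.16.0.0/12 is in use
    # internally, hosts there are treated as EXTERNAL_NET by every rule below.
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
    # Everything not in HOME_NET; direction-keyed rules depend on HOME_NET being complete
    EXTERNAL_NET: "!$HOME_NET"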
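# HTTP exploits detection
# Like Snort, Suricata needs a rule on one line or continued with a trailing
# backslash; the multi-line form below uses continuation.
# http.uri is the normalized URI buffer (path normalization and, depending on
# the libhtp settings in use, percent-decoding may already have been applied),
# so a literal "%27" only matches if decoding did not turn it into "'" --
# TODO confirm against the libhtp configuration, or match http.uri.raw for the
# encoded form and http.uri for the decoded one.
# A single apostrophe anywhere in a URI is a low-fidelity indicator by itself;
# treat this as a tuning starting point, not a production signature.
alert http $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"SQL Injection Attempt"; \
    flow:established,to_server; \
    http.uri; content:"%27"; \
    classtype:web-application-attack; \
    sid:1000002; rev:1; \
)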
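# Server Configuration (OpenVPN 2.5+ directive names; notes mark the 2.4 equivalents)
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
# DNS pushed to clients. 8.8.8.8 is a public resolver, so client name lookups
# leave the tunnel's trust boundary; point this at an internal resolver when one exists.
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
# Data channel: AEAD ciphers negotiated with the client. AES-256-CBC is kept
# only as the fallback for peers that cannot negotiate, so existing clients
# still connect. (On a 2.4 server the directive is ncp-ciphers, with
# "cipher AES-256-CBC" kept for the non-negotiating case.)
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC
# HMAC digest for the control channel and for any non-AEAD data cipher
auth SHA256
# Refuse TLS versions below 1.2 on the control channel
tls-version-min 1.2
# Consider "tls-crypt <path-to-static-key>" (key generated with --genkey) to
# authenticate and encrypt control-channel packets before the TLS handshake.
# Compressing traffic before encryption leaks plaintext length (compression-oracle
# class of attacks), so compression is left off. Clients that still carry a
# compress directive must drop it too, otherwise the data-channel framing mismatches.
# compress lz4-v2
# Drop root privileges once the tunnel is up. The group name is distribution-
# specific: nogroup on Debian-derived systems, nobody on RHEL-derived ones.
user nobody
group nogroup
persist-key
persist-tun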
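# ipsec.conf (strongSwan syntax)
# Parameters inside a conn section must be indented; unindented lines are read
# as new sections and the connection never loads.
conn site-to-site
        # Pre-shared key from ipsec.secrets. Certificate authentication
        # (authby=pubkey) is the stronger choice for site-to-site once a PKI exists.
        authby=secret
        # IKEv2 only; the default "ike" also accepts IKEv1 when responding
        keyexchange=ikev2
        left=%defaultroute
        leftid=@site1
        leftsubnet=192.168.1.0/24
        right=203.0.113.2
        rightid=@site2
        rightsubnet=192.168.2.0/24
        # Trailing "!" makes the proposal strict: no negotiation down to weaker algorithms
        ike=aes256-sha2_256-modp2048!
        # DH group added to the ESP proposal so CHILD_SA rekeys use PFS; without
        # it, every ESP key is derivable from the IKE_SA key material alone.
        esp=aes256-sha2_256-modp2048!
        keyingtries=%forever
        ikelifetime=1h
        lifetime=8h
        # Dead peer detection: re-initiate when the peer stops answering,
        # rather than leaving a silently dead tunnel in place
        dpdaction=restart
        dpddelay=30s
        type=tunnel
        auto=start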
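! Cisco Switch Configuration (IOS comments start with "!"; "#" lines are rejected by the CLI)
conf t
vlan 10
 name SERVERS
vlan 20
 name USERS
vlan 30
 name GUESTS
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Static access port: turn off DTP so an attached host cannot negotiate a trunk
 switchport nonegotiate
 ! Host-facing port: skip STP listening/learning, and err-disable on any received BPDU
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 ! shutdown is already the default violation mode; stated explicitly so the intent survives later edits
 switchport port-security violation shutdown
! Extended ACL
! Only guest -> SERVERS is denied; guest -> USERS (VLAN 20) is still allowed by the
! final permit. Add a matching deny for the VLAN 20 subnet if that is not intended
! (the VLAN 20 subnet is not shown in this excerpt). "log" on the deny gives the
! collector a record of blocked guest traffic.
ip access-list extended RESTRICT_GUEST
 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 permit ip any any
interface Vlan30
 ! "in" on the guest SVI filters packets arriving from guest hosts, i.e. traffic leaving the guest VLAN
 ip access-group RESTRICT_GUEST in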
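# Logstash Pipeline
input {
  beats {
    port => 5044
    # Plaintext by default: shipped logs are unauthenticated and readable in
    # transit until ssl => true and certificates are configured here and on the shipper.
  }
}
filter {
  # [type] must be set by the shipper; newer Beats releases do not send a
  # top-level "type" field by default, so this branch may never match --
  # verify against the shipper configuration (a custom field or tags may be needed).
  if [type] == "firewall" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{IP:src_ip} %{WORD:action} %{IP:dst_ip}" }
    }
    # Promote the event's own syslog timestamp to @timestamp. Without this,
    # @timestamp is the ingest time, which skews every time-window query or
    # alert built on this index (delayed shipping looks like a burst).
    date {
      match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch {
    # Plain http to the local node; a remote cluster needs https and credentials
    hosts => ["localhost:9200"]
    index => "security-logs-%{+YYYY.MM.dd}"
  }
}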
# Elasticsearch Watcher (note: the search below has no time range, so hits.total counts every matching document in security-logs-* rather than the last interval; a range filter on @timestamp covering the 5m schedule makes the threshold apply per run)
{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"indices": ["security-logs-*"],
"body": {
"query": {
"bool": {
"must": [
{ "match": { "action": "blocked" } }
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 100
}
}
},
"actions": {
"email_admin": {
"email": {
"to": "admin@example.com",
"subject": "High number of blocked connections"
}
}
}
}