Firewall & IDS/IPS

🔥 Vibe Prompt

"Set up iptables firewall rules. Configure Snort IDS for SQLi detection."

Iptables Firewall

# Start from a known state. Policies go to ACCEPT before flushing and to
# DROP only after the ACCEPT rules exist: on a remote box the other order
# cuts your own SSH session before the rule that permits it is loaded.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

# Loopback and already-established flows first; drop INVALID early
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# ICMP (path MTU discovery and basic diagnostics break without it)
iptables -A INPUT -p icmp -j ACCEPT

# SSH, rate limited: the 4th NEW connection from one source within 60 s is dropped
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# Web traffic
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

# Log what falls through, rate limited so a flood cannot fill the disk.
# LOG is non-terminating: the packet continues to the DROP policy below.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables: " --log-level 4

# Default policies, applied once the ACCEPT rules are in place
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Persist (Debian/Ubuntu: the iptables-persistent package loads this file at boot).
# ip6tables needs its own, equivalent ruleset, or IPv6 stays wide open.
iptables-save > /etc/iptables/rules.v4
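The LOG rule only pays off if someone reads what it produces. The following is an added example, not code from the original page: a Python script that parses the kernel log lines the `--log-prefix "iptables: "` rule writes (one line per dropped packet, prefix followed by space-separated KEY=VALUE fields) and flags sources that probe many distinct ports, the usual port-scan pattern. The log lines embedded in it are constructed for the example; the field names are netfilter's.

```python
"""Summarise what the iptables LOG rule dropped.

Added example (not part of the original page).  The LOG target writes one
kernel log line per dropped packet: the user-supplied prefix followed by
space-separated KEY=VALUE fields.  This script parses those lines and
flags sources that probe many distinct ports.  SAMPLE_LOG is constructed
for the example; the field names match netfilter's format.
"""
import re
from collections import defaultdict

LOG_PREFIX = "iptables: "                    # must equal --log-prefix in the rule
_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")     # bare flags (DF, SYN) have no '=' and are skipped

# Constructed sample: one scanner, one rate-limited SSH client, one UDP/ICMP
# probe and an unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Mar 10 12:00:01 web1 kernel: iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=54321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:01 web1 kernel: iptables: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=1235 DF PROTO=TCP SPT=54322 DPT=3389 SYN URGP=0
Mar 10 12:00:02 web1 kernel: iptables: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=1236 DF PROTO=TCP SPT=54323 DPT=445 SYN URGP=0
Mar 10 12:00:02 web1 kernel: iptables: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=1237 DF PROTO=TCP SPT=54324 DPT=1433 SYN URGP=0
Mar 10 12:00:03 web1 kernel: iptables: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=1238 DF PROTO=TCP SPT=54325 DPT=8080 SYN URGP=0
Mar 10 12:00:03 web1 kernel: iptables: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=1239 DF PROTO=TCP SPT=54326 DPT=5900 SYN URGP=0
Mar 10 12:00:04 web1 sshd[1412]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2
Mar 10 12:00:05 web1 kernel: iptables: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=60 ID=2001 DF PROTO=TCP SPT=50001 DPT=22 SYN URGP=0
Mar 10 12:00:06 web1 kernel: iptables: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=60 ID=2002 DF PROTO=TCP SPT=50002 DPT=22 SYN URGP=0
Mar 10 12:00:07 web1 kernel: iptables: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=70 TTL=58 ID=3001 PROTO=UDP SPT=40000 DPT=161 LEN=50
Mar 10 12:00:08 web1 kernel: iptables: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TTL=58 ID=3002 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
"""


def parse_log_line(line):
    """KEY=VALUE fields of one LOG line as a dict, or None for any other line."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = dict(_FIELD.findall(line[idx + len(LOG_PREFIX):]))
    if "SRC" not in fields or "PROTO" not in fields:
        return None                          # truncated line: skip rather than miscount
    return fields


def summarize(lines):
    """Map source IP -> (dropped packet count, sorted list of (proto, dport))."""
    ports = defaultdict(set)
    count = defaultdict(int)
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        count[f["SRC"]] += 1
        if "DPT" in f:                       # ICMP lines carry no port
            ports[f["SRC"]].add((f["PROTO"], int(f["DPT"])))
    return {src: (count[src], sorted(ports[src])) for src in count}


def flag_scanners(lines, min_ports=5):
    """Sources seen on at least min_ports distinct ports, most ports first."""
    hits = [(src, n, p) for src, (n, p) in summarize(lines).items() if len(p) >= min_ports]
    return sorted(hits, key=lambda t: (-len(t[2]), t[0]))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, (n, p) in summarize(lines).items():
        print(f"{src:16} {n:3} dropped  ports={p}")
    for src, n, p in flag_scanners(lines):
        print(f"SCANNER {src}: {len(p)} distinct ports in {n} packets")
```

On a real host feed it `journalctl -k` or /var/log/kern.log; the threshold of five distinct ports is a starting point, not a tuned value, and the ICMP and second-LEN quirks in the sample show why the parser keeps only the last value of a repeated key and tolerates missing ports.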

Snort IDS Rules

# Snort 2.9 syntax. Local rules take sid >= 1000000 and go in local.rules;
# a multi-line rule needs the trailing backslash. "flow" drops packets that
# cannot carry a request, and http_uri matches the decoded URI buffer, so
# "UNION%20SELECT" is caught as well as the plain form. The same checks for
# POST bodies need a copy of each rule with http_client_body in place of
# http_uri. None of this sees inside TLS unless the sensor gets decrypted
# traffic (for example behind a terminating proxy).

# SQLi: UNION followed by SELECT within 30 bytes
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
  msg:"SQL Injection - UNION SELECT"; \
  flow:to_server,established; \
  content:"UNION"; nocase; http_uri; \
  content:"SELECT"; nocase; distance:0; within:30; http_uri; \
  classtype:web-application-attack; \
  sid:1000001; rev:2; )

# SQLi: OR tautology such as 1 OR 1=1 or ' OR '1'='1
# (the content match is only a cheap prefilter; the pcre does the work)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
  msg:"SQL Injection - OR true"; \
  flow:to_server,established; \
  content:"OR"; nocase; http_uri; \
  pcre:"/(\d+|')\s*OR\s*[\d=']+/Ui"; \
  classtype:web-application-attack; \
  sid:1000002; rev:2; )

# XSS: opening script tag. "<script" rather than "<script>" so that
# <script src=...> is caught too; event handlers (<svg onload=...>) and
# other encodings still need further rules or a WAF.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
  msg:"XSS Attempt"; \
  flow:to_server,established; \
  content:"<script"; nocase; http_uri; \
  classtype:web-application-attack; \
  sid:1000003; rev:2; )
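Signature rules are easiest to judge by replaying them against requests. The block below is an added example, not code from the original page and not Snort code: a Python re-implementation of the three signatures' matching logic (UNION then SELECT within 30 bytes, the OR-tautology regex, and the `<script>` literal) run over constructed HTTP request lines. `normalize()` stands in for Snort's http_inspect URI decoding; `compare_or_patterns()` tries both a trailing `[\d=]+` class and one that also accepts the quote, so the gap between them is visible.

```python
"""Replay the page's three Snort signatures against sample HTTP request lines.

Added example (not part of the original page, and not Snort code): a
Python re-implementation of the rules' matching logic so hits, misses and
false negatives can be checked offline.  normalize() approximates Snort's
http_inspect URI decoding; SAMPLE_REQUESTS are constructed.
"""
import re
from urllib.parse import unquote_plus

UNION_WITHIN = 30                     # Snort's  within:30  after the "UNION" match
SCRIPT_TAG = "<script>"               # content:"<script>"; nocase;
# Trailing class [\d=]+ only accepts digits and '=' after OR ...
OR_DIGITS_ONLY = re.compile(r"(\d+|')\s*OR\s*[\d=]+", re.I)
# ... whereas [\d=']+ also matches the quoted form  ' OR '1'='1
OR_TAUTOLOGY = re.compile(r"(\d+|')\s*OR\s*[\d=']+", re.I)


def normalize(raw):
    """Approximate http_inspect normalisation: percent-decode, '+' -> space."""
    return unquote_plus(raw)


def match_union_select(buf):
    """content:"UNION"; nocase; content:"SELECT"; nocase; within:30;
    SELECT must lie entirely inside the 30 bytes after a UNION match."""
    low = buf.lower()
    start = 0
    while (i := low.find("union", start)) >= 0:
        end = i + len("union")
        if "select" in low[end:end + UNION_WITHIN]:
            return True
        start = i + 1
    return False


def evaluate(request_line):
    """msg strings of the rules that fire on one request line (quote-aware OR rule)."""
    buf = normalize(request_line)
    hits = []
    if match_union_select(buf):
        hits.append("SQL Injection - UNION")
    if OR_TAUTOLOGY.search(buf):
        hits.append("SQL Injection - OR true")
    if SCRIPT_TAG in buf.lower():
        hits.append("XSS Attempt")
    return hits


def compare_or_patterns(request_line):
    """(digits-only class fires, quote-aware class fires) for one request line."""
    buf = normalize(request_line)
    return bool(OR_DIGITS_ONLY.search(buf)), bool(OR_TAUTOLOGY.search(buf))


# Constructed request lines: each pair has a hit and an evasion/miss.
SAMPLE_REQUESTS = {
    "union_encoded": "GET /item?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1",
    "union_padded":  "GET /item?id=1%20UNION/*" + "x" * 40 + "*/SELECT%201 HTTP/1.1",
    "or_numeric":    "GET /item?id=1%20OR%201%3D1 HTTP/1.1",
    "or_quoted":     "GET /login?user=admin'%20OR%20'1'%3D'1 HTTP/1.1",
    "xss_plain":     "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "xss_src":       "GET /search?q=%3Cscript%20src%3D//x.example/a.js%3E HTTP/1.1",
}


def run_samples():
    """Rule hits per sample, so the misses can be inspected side by side."""
    return {name: evaluate(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:14} -> {hits or 'no alert'}")
    print("or_quoted digits-only vs quote-aware:", compare_or_patterns(SAMPLE_REQUESTS["or_quoted"]))
```

Three things the replay makes concrete: `within:30` is defeated by comment padding longer than the window (`union_padded`), a bare `<script>` literal misses `<script src=...>` (`xss_src`), and a trailing `[\d=]+` class never fires on the classic `' OR '1'='1` because the character after `OR` is a quote (`compare_or_patterns` on `or_quoted`). Each is an argument for more rules and for a WAF that parses the request rather than pattern-matching it.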

Fail2Ban

# /etc/fail2ban/jail.local (jail.conf is replaced on package upgrade)
# findtime is the window in which maxretry failures must occur; the
# default is 600 s. On systemd-only hosts without /var/log/auth.log,
# drop logpath and set backend = systemd instead.
[DEFAULT]
findtime = 600

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

[nginx-botsearch]
enabled = true
filter = nginx-botsearch
logpath = /var/log/nginx/access.log
maxretry = 5
bantime = 86400
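The interaction of maxretry, findtime and bantime is easier to see by replaying it. The following is an added example, not code from the original page and not Fail2Ban's own implementation: a small Python simulation of the `[sshd]` jail (three failures inside a 600 s window trigger a one-hour ban) run over constructed auth.log lines in the format the stock sshd filter matches. The year supplied to the timestamps and the 600 s findtime are assumptions.

```python
"""Replay the [sshd] jail's maxretry / findtime / bantime logic over auth.log lines.

Added example (not part of the original page, and not Fail2Ban's own
code).  SAMPLE_AUTH_LOG is constructed; the sshd message format is the
one the stock sshd filter matches.  syslog timestamps carry no year, so
one is supplied (assumption), and findtime is assumed to be the 600 s
default.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 3
FINDTIME = timedelta(seconds=600)
BANTIME = timedelta(seconds=3600)

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed: 203.0.113.9 bursts 3 failures (ban), retries while banned,
# then bursts again after the ban; 198.51.100.4 fails once every 20 min and
# never reaches maxretry inside one findtime window.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:00 web1 sshd[1400]: Failed password for root from 198.51.100.4 port 40001 ssh2
Mar 10 12:00:01 web1 sshd[1412]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar 10 12:00:05 web1 sshd[1413]: Failed password for root from 203.0.113.9 port 51235 ssh2
Mar 10 12:00:09 web1 sshd[1414]: Failed password for root from 203.0.113.9 port 51236 ssh2
Mar 10 12:05:00 web1 sshd[1500]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2
Mar 10 12:20:00 web1 sshd[1600]: Failed password for root from 198.51.100.4 port 40002 ssh2
Mar 10 12:30:00 web1 sshd[1700]: Failed password for root from 203.0.113.9 port 51240 ssh2
Mar 10 12:40:00 web1 sshd[1800]: Failed password for root from 198.51.100.4 port 40003 ssh2
Mar 10 13:10:00 web1 sshd[1900]: Failed password for root from 203.0.113.9 port 51250 ssh2
Mar 10 13:10:02 web1 sshd[1901]: Failed password for root from 203.0.113.9 port 51251 ssh2
Mar 10 13:10:04 web1 sshd[1902]: Failed password for root from 203.0.113.9 port 51252 ssh2
"""


def parse_failure(line, year=2024):
    """(timestamp, ip) for a failed-password line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay lines in order; return [(ip, ban_start)] in the order bans fire."""
    recent = defaultdict(deque)      # ip -> failure times inside the findtime window
    banned_until = {}
    bans = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        # While banned the firewall drops the connection and sshd logs
        # nothing; a stale line in that window must not restart counting.
        if ip in banned_until and ts < banned_until[ip]:
            continue
        banned_until.pop(ip, None)
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # slide the findtime window
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + bantime
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, when in simulate_jail(SAMPLE_AUTH_LOG.splitlines()):
        print(f"ban {ip} at {when:%H:%M:%S} for {BANTIME}")
```

The slow attacker (`198.51.100.4`) is the case to notice: one failure every twenty minutes never trips `maxretry = 3` inside a 600 s window, which is why a low-and-slow brute force needs a longer findtime, a recidive jail, or the iptables `recent` limit in front of it rather than Fail2Ban alone.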

Defense Layers

Internet
    ↓
Firewall (Layer 3/4: source IP, port, connection state)
    ↓
IDS/IPS (network: signatures + anomaly detection on decoded traffic)
    ↓
WAF (Layer 7: parses HTTP, blocks the SQLi/XSS the lower layers cannot see)
    ↓
Host (host firewall, Fail2Ban, HIDS file-integrity monitoring)

A cloud or CDN WAF sits in front of the perimeter firewall instead; the
order matters less than the fact that each layer sees something the
others do not. A packet filter never sees the payload, and a network
IDS sees nothing inside TLS unless traffic is terminated or decrypted
in front of it.

Best Practices

  • Defense in depth: never rely on a single layer; each one is bypassable on its own
  • Default deny all inbound, for IPv6 as well as IPv4 (ip6tables needs its own ruleset)
  • Log blocked traffic, rate-limited so a flood cannot fill the disk, and actually review it
  • Regular rule review: eliminate stale rules and the ports nobody remembers opening
  • Automate with IaC (Ansible, Terraform) and keep rules in version control, so a change is a reviewable diff rather than a hand-typed command

Key Points

  • Understand the core concepts thoroughly
  • Practice with hands-on code examples
  • Apply knowledge to real-world problems
  • Review and reinforce through exercises

Further Learning

  • Official documentation
  • Open source projects on GitHub
  • Community forums and discussions
  • Related courses and tutorials


Why learn firewalls and intrusion detection?

Firewalls and intrusion detection is one of the core chapters of the security-network course.

In the real world

Firewalls and intrusion detection are not textbook theory: they come up constantly in real software work. Whether you are freelancing, preparing for interviews, or deepening your technical skills, understanding this topic pays off directly.

What you will get from this chapter

  • 🎯 A complete body of knowledge: from core principles to implementation details, clearly organized
  • 💻 Runnable code: every snippet is complete and can be executed as-is
  • 🔍 Debugging tips: analysis of common mistakes and how to fix them
  • 🚀 Next steps: where to go deeper once you finish the chapter

Bridging to the next chapter

This chapter has built a complete foundation in firewalls and intrusion detection. The next chapter builds on it, taking you into more advanced real-world scenarios where you apply what you learned here to more complex problems.
