Msg#: 4417193 posted 5:03 pm on Feb 25, 2012 (gmt 0)
Sorry for the delay, I hope that I'm not too late :)
Shorewall is a front end for the standard Linux iptables firewall. You can find the configuration files in the /etc/shorewall directory. The file /etc/shorewall/rules would be the best place to add your exception rules to allow webmin and pop3 traffic.
Msg#: 4417193 posted 5:47 pm on Feb 25, 2012 (gmt 0)
Thanks for the reply. For the time being I've turned Shorewall off. I still don't know how to set up the rules to allow email traffic and webmin access, and turning it on/off was too much of a hassle. (I know where the rules are ... just not what to put there.)
And I still don't know what got this started. After we installed the new box, things were OK for several months, and then in early February, all of a sudden after a regular apt-get dist-upgrade, Shorewall raised its head.
I know our provider had installed Fail2ban. I don't know what the difference is between that and Shorewall, and as soon as I can, I'll be looking at that as well.
Msg#: 4417193 posted 6:16 pm on Feb 25, 2012 (gmt 0)
Shorewall works mainly on the packet level. It inspects source and destination IPs, ports and a few other things on the packet level to decide what to do with it.
Fail2ban, on the other hand, works on a much higher level. It inspects log files and looks for suspicious patterns. It then creates (temporary) firewall rules to ban specific IPs which behave in a non-standard way.
As an example, fail2ban is capable of checking the log files for IPs which access your server over an SSH connection and enter an invalid password a number of times. It then blocks that specific IP. Shorewall can also block access to SSH ports, but it is not capable of making those decisions based on what happens in the application layer, like failed passwords.
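The mechanism this reply describes, counting failed SSH logins per source IP in the log and turning the result into a temporary packet-level block, as an added Python illustration. It is not fail2ban's own code (which is a good deal more general); the sshd log lines are constructed, the `maxretry`/`findtime`/`bantime` names mirror fail2ban's jail settings of the same name, and the iptables command the helper produces is only the shape of rule such a tool hands to netfilter, not a real fail2ban action file.

```python
"""Toy fail2ban-style log monitor (added example, not fail2ban's code):
count sshd "Failed password" lines per IP inside a time window and
decide on temporary bans, the way the reply above describes."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Traditional syslog line from sshd; the year is not part of the timestamp.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one brute-forcer, one legitimate key login, and one
# slow source whose failures are too far apart to trip the default window.
SAMPLE_LOG = """\
Feb 25 17:00:01 mail sshd[2001]: Failed password for root from 198.51.100.7 port 40122 ssh2
Feb 25 17:00:03 mail sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Feb 25 17:00:04 mail sshd[2003]: Accepted publickey for deploy from 203.0.113.10 port 51000 ssh2
Feb 25 17:00:05 mail sshd[2004]: Failed password for root from 198.51.100.7 port 40141 ssh2
Feb 25 17:00:09 mail sshd[2005]: Failed password for root from 198.51.100.7 port 40150 ssh2
Feb 25 17:30:00 mail sshd[2101]: Failed password for root from 192.0.2.44 port 33000 ssh2
Feb 25 17:45:00 mail sshd[2102]: Failed password for root from 192.0.2.44 port 33001 ssh2
Feb 25 18:00:00 mail sshd[2103]: Failed password for root from 192.0.2.44 port 33002 ssh2
"""


def parse_ts(ts: str, year: int = 2012) -> datetime:
    """syslog omits the year, so assume a fixed one for the sample."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class LogBanner:
    """Sliding-window failure counter with expiring bans.

    maxretry: failures allowed before a ban; findtime: window in seconds the
    failures must fall into; bantime: seconds a ban stays in place.
    """

    def __init__(self, maxretry: int = 3, findtime: int = 600, bantime: int = 3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                       # ip -> time the ban expires

    def expire(self, now: datetime) -> None:
        """Lift bans whose bantime has elapsed (the 'temporary' part)."""
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]

    def observe(self, line: str):
        """Feed one log line; return ('ban', ip, expiry) when it triggers a ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None  # successful logins and unrelated lines are ignored
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        self.expire(now)
        if ip in self.bans:
            return None  # already blocked at the packet level
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= self.maxretry:
            expiry = now + self.bantime
            self.bans[ip] = expiry
            window.clear()
            return ("ban", ip, expiry)
        return None


def run_monitor(log_text: str, **kw):
    """Run every line through a LogBanner and return the ban events in order."""
    banner = LogBanner(**kw)
    return [ev for ev in (banner.observe(l) for l in log_text.splitlines()) if ev]


def ban_command(ip: str) -> str:
    """The kind of netfilter rule a log-level tool pushes for a banned IP."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for _, ip, expiry in run_monitor(SAMPLE_LOG):
        print(f"{expiry:%H:%M:%S} ban until  {ban_command(ip)}")
```

With the defaults (three failures within ten minutes), only 198.51.100.7 is banned; 192.0.2.44 spreads its attempts fifteen minutes apart and never has three inside the window, which is exactly the kind of slow pattern an operator tunes `findtime` for. The packet filter alone, as the reply says, cannot make this decision because it never sees the "Failed password" text.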
Msg#: 4417193 posted 4:07 am on Feb 26, 2012 (gmt 0)
There is no better. Shorewall uses the netfilter system which is part of the Linux kernel. This makes it very efficient at handling large amounts of packets without much CPU overhead. This is the type of protection you want against DDoS attacks, blocking access to your SSH and POP3 ports with the exception of a few trusted IP addresses, etc.
Fail2ban checks log files and does high-level checks and is, as far as I know, written in Python. It therefore causes a moderate CPU and disk overhead, and you don't want to use it to defend against massive attacks on your server. But it is capable of detecting suspicious behavior on ports which you cannot simply block on the IP level, like multiple failed password attempts on global FTP accounts, scans for phpMyAdmin installations on your Apache server, etc.
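Putting the first reply's pointer to /etc/shorewall/rules together with the "trusted IPs only" idea from the last post, this is what such exception rules look like. It is an added example, not a file from the thread or from the Shorewall project; it assumes the `net` and `$FW` zone names from Shorewall's standard one-interface sample, and 203.0.113.0/24 is a constructed placeholder for the admin network.

```text
# /etc/shorewall/rules  (added example; zones "net" and "$FW" assumed from the
# one-interface sample, 203.0.113.0/24 is a placeholder admin network)
#ACTION   SOURCE               DEST    PROTO   DEST PORT(S)
# POP3 has to be reachable by every mail client: 110 plain, 995 POP3 over TLS
ACCEPT    net                  $FW     tcp     110,995
# Webmin only from the trusted admin network, never from the whole "net" zone
ACCEPT    net:203.0.113.0/24   $FW     tcp     10000
# Same restriction for SSH; anything not matched here falls through to the
# net -> $FW policy in /etc/shorewall/policy (DROP in the sample configuration)
ACCEPT    net:203.0.113.0/24   $FW     tcp     22
```

Shorewall also ships macros for common services, so `POP3(ACCEPT) net $FW` and `SSH(ACCEPT) net:203.0.113.0/24 $FW` express the same thing without remembering port numbers. Run `shorewall check` before `shorewall restart`: it parses the configuration and reports errors without touching the live ruleset, which avoids the switch-it-off-and-on cycle described earlier in the thread.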