Implement fail2ban on Ubuntu
In a secure IT enviroment every weak spot of the system could create a door for a malicious software. Even those servers behind firewalls need to be administered and accessed. The easiest way to do so , and more secure is with SSH.
But SSH uses mechanisms that encrypt our session , but there is always an option for a hacker to perform a dictionary attack against the users that is configuring the server. One great app that is written in Python is called fail2ban and presents itself as a great way to prevent password attacks.
Fail2ban is simple enough, it uses the logs of the servers and scans trough them. After the analysis it bans certain IP addresses that are used to often and those that could be used for password attacks, repeating login attemtps.
I am using a virtualized Ubuntu 12.04 version as a test machine. First step is to install the package, and backup the default configuration file in case we make a mistake in the configuration.
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.backup
After a backup copy file is created we can now alter the jail.conf file and temper with the defaults. I am always using the nano editor, it is quick and effective.
sudo nano /etc/fail2ban/jail.local
Using the editor we can change the default IP address that should not be locked out for a certain amount of time. One can use multiple addresses with a space typed in between. Also the timeout and the login retries can be adjusted to the following needs.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
bantime = 600
maxretry = 3
I always leave the bantime to 10 minutes as default and level up the retries to 5 (sometimes I use the wrong keyboard with an input language :D ). Entering your local IP assures you that your servers that you are using for administration will not be timed out.
As the IP address is detected an action must be applied, in our case an ban action. So look at the rest of the conf file and its contents.
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
[...]
The banaction parameter is used to define actions. The iptables-multiport actions can be found in the /etc/fail2ban/action.d/iptables-multiport.conf file. The MTA is the mailing feature that will allow us to configur what email client or daemon we are using (postfix, sendmail etc.). By default fail2ban is monitoring tcp protocol, you can change it to UDP if you have services on the server that are listening on this protocol.
The SSH configuration that we are interested in is by default enabled in the conf file. We can choose to change the default port of the SSH connections , if we have changed this or to disable the SSH filtering (I do not advize this).
sudo nano /etc/fail2ban/jail.local
Using the editor we can change the default IP address that should not be locked out for a certain amount of time. One can use multiple addresses with a space typed in between. Also the timeout and the login retries can be adjusted to the following needs.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
bantime = 600
maxretry = 3
I always leave the bantime to 10 minutes as default and level up the retries to 5 (sometimes I use the wrong keyboard with an input language :D ). Entering your local IP assures you that your servers that you are using for administration will not be timed out.
As the IP address is detected an action must be applied, in our case an ban action. So look at the rest of the conf file and its contents.
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
[...]
The banaction parameter is used to define actions. The iptables-multiport actions can be found in the /etc/fail2ban/action.d/iptables-multiport.conf file. The MTA is the mailing feature that will allow us to configur what email client or daemon we are using (postfix, sendmail etc.). By default fail2ban is monitoring tcp protocol, you can change it to UDP if you have services on the server that are listening on this protocol.
The SSH configuration that we are interested in is by default enabled in the conf file. We can choose to change the default port of the SSH connections , if we have changed this or to disable the SSH filtering (I do not advize this).
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
To adopt all of the changes we should restart the FAIL2BAN service.
sudo service fail2ban restart
Those people that are familiar with the iptables can review after this, what kind of settings did the fail2ban implement to the firewall rules.
sudo iptables -L
That is all there is to it. You can test it very simple, with more than 5 unsuccesful login attempts , and than see the logs. If one had many iptable rules , than they should use the iptables-save to backup the current config before applying the settings.
Thanks.
No comments:
Post a Comment