Saturday, March 2, 2013

Fail2ban

Ok, maybe it's paranoia because of what I see at my job, or maybe it's all the attempted logins I have seen in my authentication log, but it's time to secure my system, at least a little bit.  Primarily I'm concerned with what I see in /var/log/auth.log: many repeated (failed) attempts to log in to my ssh daemon from IP addresses not related to me.  Probably some script kiddies or something, but the last thing I want is to leave myself open to brute force attacks or denial-of-service.

After some research I settled on a package called fail2ban. Basically, it monitors various system logs, and after a number of failed accesses from a certain user/IP/whatever it bans the IP address associated with that access by adding a rule to iptables.  Similar to denyhosts, fail2ban works with many different services in addition to ssh, which is perfect for when I get my web authentication and LDAP server up and running.   There are pretty good guides already out there, but this is specific to Ubuntu 12.04 and my server.

To install
sudo apt-get install fail2ban
Whew, with that out of the way you can modify the config file.
sudo vi /etc/fail2ban/jail.conf
Pretty straightforward, there are a couple of particulars to Ubuntu, and to myself.  First off, I think the 10 minute ban-time is a little short, so I bumped it to 60 minutes.
bantime  = 3600
Apparently Debian has some issues with python-gamin (not sure if this is still true with 12.04, but what the hell), so set the following:
backend = polling
Restart fail2ban
sudo service fail2ban restart
And that's it!  By default, ssh is enabled, and checks /var/log/auth.log.  However, I did notice an issue while testing.  rsyslog is the service responsible for authentication logging.  Upon quickly repeated attempts to access the service, it may print only one message for multiple logins and then just say something like "Previous message repeated 3 times".  As such, fail2ban under-counts the number of accesses.  To fix this, you need to change rsyslog.conf.
sudo vi /etc/rsyslog.conf
change the RepeatedMsgReduction directive to
$RepeatedMsgReduction off
And restart the logger
sudo service rsyslog restart
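To see why the collapsed "repeated" lines matter, here is a small added example (not part of the original post or of fail2ban) that counts failed sshd logins per source IP over a constructed auth.log sample, once ignoring the repeat line and once crediting the collapsed copies; the maxretry value of 3 is an assumed stand-in for the jail.conf setting.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log as rsyslog writes it with
# RepeatedMsgReduction on: three more identical failures from
# 192.168.100.100 were collapsed into a single "repeated" line.
SAMPLE_AUTH_LOG = """\
Mar  2 10:15:01 myserver sshd[1234]: Failed password for invalid user admin from 192.168.100.100 port 51234 ssh2
Mar  2 10:15:04 myserver last message repeated 3 times
Mar  2 10:15:10 myserver sshd[1240]: Failed password for root from 10.0.0.5 port 51250 ssh2
Mar  2 10:15:20 myserver sshd[1250]: Accepted publickey for bob from 10.0.0.7 port 51300 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})"
)
REPEAT_RE = re.compile(r"message repeated (\d+) times")


def count_failures(log_text, expand_repeats):
    """Count failed sshd logins per source IP.

    expand_repeats=False behaves like a matcher that only sees the one
    printed failure line; expand_repeats=True also credits the N collapsed
    copies to the IP of the failure line that precedes the repeat notice.
    """
    counts = Counter()
    last_ip = None
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            last_ip = m.group(1)
            counts[last_ip] += 1
            continue
        m = REPEAT_RE.search(line)
        if m and last_ip is not None:
            if expand_repeats:
                counts[last_ip] += int(m.group(1))
        else:
            last_ip = None  # any other line breaks the repeat chain
    return dict(counts)


def ips_to_ban(counts, maxretry):
    """IPs whose failure count reached maxretry (assumed jail.conf value)."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for expand in (False, True):
        counts = count_failures(SAMPLE_AUTH_LOG, expand_repeats=expand)
        print("expand_repeats=%s -> %s, ban %s" % (expand, counts, ips_to_ban(counts, 3)))
```

With the repeat line ignored, the attacker stays at one counted failure and is never banned; with the collapsed copies counted, the same log reaches the threshold.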
To check the banning, try (and fail) to log in from another system more than 3 times.  Then do
sudo iptables -L 
You should see a rule for fail2ban-ssh in the INPUT chain.
Chain INPUT (policy ACCEPT)
target        prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
And a fail2ban-ssh chain with 1 reference.
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  192.168.100.100      anywhere
RETURN     all  --  anywhere             anywhere
