Fail2ban the system security for green hand on linux os

The System Security for green hand on Linux OS

2017/02/12, Hsinchu, DigitalOcean HsinchuPresenter: Monisan

Monisan

2

◎ National Chiao Tung University, Taiwan○ Wireless Internet Laboratory○ Department of Computer Science○ Information Technology Service Center

Network & System Engineer

◎ Familiar with python, mysql, git, linux

◎ You can find me at:https://www.worldplay.com.twTwitter & GitHub (@sufuf3)

https://www.worldplay.com.tw

https://www.worldplay.com.tw

3

How to Protecte host

4

How to Protecte host

5

What is the brute-force attack?

◎ A brute force attack uses a large volume of requests/responses to break into a system.

◎ The attacker try many method to guess the response to a challenge or a request.

6

How to Protect

7

Outline

◎ Introduction◎ Install◎ Configure◎ Individual Jail Settings◎ Testing the Banning Policies ◎ How to Unblock IP

8

Outline


9

Introduction

◎ Scans log files and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.

◎ Generally Fail2Ban is used to update firewall rules to reject the IP addresses for a specified amount of time.

◎ Able to reduce the rate of incorrect authentications attempts.

10

Outline


11

Install (1)

◎ Ubuntu: ○ apt-get install fail2ban

◎ CentOS: ○ yum install fail2ban

12

Install (2)

13

$ sudo service fail2ban status * Status of authentication failure monitor * fail2ban is running$ sudo fail2ban-client statusStatus|- Number of jail: 1`- Jail list: ssh

Outline


14

Configure (1)

◎ the configuration files directory○ /etc/fail2ban

15

$ ls -altotal 56drwxr-xr-x 6 root root 4096 Feb 11 18:15 .drwxr-xr-x 99 root root 4096 Feb 7 08:35 ..drwxr-xr-x 2 root root 4096 Feb 7 08:35 action.d-rw-r--r-- 1 root root 1525 Nov 13 2013 fail2ban.confdrwxr-xr-x 2 root root 4096 Nov 18 2013 fail2ban.ddrwxr-xr-x 2 root root 4096 Feb 11 18:08 filter.d-rw-r--r-- 1 root root 11937 Feb 10 20:32 jail.confdrwxr-xr-x 2 root root 4096 Nov 18 2013 jail.d

Configure (2) - fail2ban.conf

◎ fail2ban.conf

16

Configure (3) - jail.conf (1)

◎ Cause the file would modified by package upgrades, we need copy it so that we can make our changes safely.

17

jail.conf jail.localdefault options

wish to override

Copy


◎ jail.conf○ Typing the following:

18

awk '{ printf "# "; print; }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local


● sudo vim /etc/fail2ban/jail.conf● [DEFAULT]

○ ignoreip ■ add additional addresses that fail2ban ignores, separated by

a space.○ bantime

■ sets length of time that a client will be banned when they have failed to authenticate correctly. (second)

19


● sudo vim /etc/fail2ban/jail.conf● the client can tries how many times in findtime.● [DEFAULT]

○ findtime - how long that a client has to authenticate within a window. (second)

○ maxretry - the client can tries how many times

20

Configure (7) - jail.conf (5)● sudo vim /etc/fail2ban/jail.conf● [DEFAULT]● if you want to receive the alerts by email.

○ destemail - the email of recipient who should receive ban messages.

○ sendername - the value of the "From" field in the email○ mta - mail service○ action - there are three choice:

21

action_ ban

action_mw ban & send an e-mail with whois report

action_mwl ban & send an e-mail with whois report and relevant log lines

Outline


22

Individual Jail Settings (1)

◎ if you want to enable

○ uncommenting the header of the section

○ changing the enabled line to be "true"

23

Individual Jail Settings (2)◎ you can see what kind of filters are available by

looking the directory:○ /etc/fail2ban/filter.d

24

$ ls /etc/fail2ban/filter.d/

Remember

if you modify any configoration, you need to restart the fail2ban service.

25

$ sudo service fail2ban restart

Outline


26

Testing the Banning Policies

◎ SSH◎ mysqld-auth

27

SSH (1)

28

Server Attacker

SSH (2)

29

Server Attacker

$ ssh username@server_IPThe authenticity of host 'server_IP (server_IP)' can't be established.ECDSA key fingerprint is SHA256:DpIDl7AZU........yUMzXq+0lvPGHo2GA.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added 'server_IP' (ECDSA) to the list of known hosts.username@server_IP's password: Permission denied, please try again.username@server_IP's password: Permission denied, please try again.username@server_IP's password: Permission denied (publickey,password).$ ssh username@server_IPusername@server_IP's password: Permission denied, please try again.username@server_IP's password:

SSH (3)

30

Server Attacker

$ sudo tail -f /var/log/fail2ban.log 2017-02-10 20:03:11,437 fail2ban.server : INFO Exiting Fail2ban2017-02-10 20:03:12,166 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.112017-02-10 20:03:12,167 fail2ban.jail : INFO Creating new jail 'ssh'2017-02-10 20:03:12,203 fail2ban.jail : INFO Jail 'ssh' uses pyinotify2017-02-10 20:03:12,239 fail2ban.jail : INFO Initiated 'pyinotify' backend2017-02-10 20:03:12,241 fail2ban.filter : INFO Added logfile = /var/log/auth.log2017-02-10 20:03:12,243 fail2ban.filter : INFO Set maxRetry = 62017-02-10 20:03:12,245 fail2ban.filter : INFO Set findtime = 6002017-02-10 20:03:12,246 fail2ban.actions: INFO Set banTime = 6002017-02-10 20:03:12,319 fail2ban.jail : INFO Jail 'ssh' started2017-02-10 20:06:28,496 fail2ban.actions: WARNING [ssh] Ban attacker_IP

SSH (4)

31

ServerAttacker

$ sudo fail2ban-client status sshStatus for the jail: ssh|- filter| |- File list: /var/log/auth.log | |- Currently failed: 1| `- Total failed: 16`- action |- Currently banned: 2 | `- IP list: 14.189.180.193 attacker_IP `- Total banned: 2

SSH (5)

32

Server Attacker

mysqld-auth (1)

33

Server Attacker

mysqld-auth (2)

34

Server Attacker

$ mysql -u root -h server_IP -pEnter password: ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)$ mysql -u root -h server_IP -pEnter password: ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)$ mysql -u root -h server_IP -pEnter password: ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)...$ mysql -u root -h server_IP -pEnter password: ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)$ mysql -u root -h server_IP -pEnter password: ERROR 2003 (HY000): Can't connect to MySQL server on 'server_IP' (111)

mysqld-auth (3)

35

Server Attacker

$ sudo tail -f /var/log/fail2ban.log 2017-02-11 18:07:17,257 fail2ban.actions: WARNING [mysqld-auth] Ban attacker_IP

$ sudo tail -f /var/log/mysql/error.log170211 18:07:14 [Warning] Access denied for user 'root'@'attacker_IP' (using password: YES)...170211 18:07:16 [Warning] Access denied for user 'root'@'attacker_IP' (using password: YES)

mysqld-auth (4)

36

ServerAttacker

$ sudo fail2ban-client status mysqld-authStatus for the jail: mysqld-auth|- filter| |- File list: /var/log/mysql/error.log | |- Currently failed: 0| `- Total failed: 43`- action |- Currently banned: 1 | `- IP list: attacker_IP `- Total banned: 2

mysqld-auth (5)

37

Server Attacker

Outline


38

How to Unblock IP

39

$ sudo fail2ban-client set ssh unbanip attacker_IP

Thank YouQ & A

40

References (1)

◎ Fail2ban○ http://www.fail2ban.org/wiki/index.php/Main_Page

◎ How To Protect SSH with Fail2Ban on Ubuntu 14.04○ https://www.digitalocean.com/community/tutorials/how-

to-protect-ssh-with-fail2ban-on-ubuntu-14-04

41

http://www.fail2ban.org/wiki/index.php/Main_Page

http://www.fail2ban.org/wiki/index.php/Main_Page

https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04



References (2)

◎ 《分享》Ubuntu安裝fail2ban○ http://www.shunze.info/forum/thread.php?threadid=188

9&boardid=3&sid=e1e02be23bf8adf2ba4bf92be652791b

◎ CentOS安裝fail2ban記事○ http://blog.pulipuli.info/2011/07/centosfail2ban.html

42

http://www.shunze.info/forum/thread.php?threadid=1889&boardid=3&sid=e1e02be23bf8adf2ba4bf92be652791b




http://blog.pulipuli.info/2011/07/centosfail2ban.html

