The System Security for green hand on Linux OS
2017/02/12, Hsinchu, DigitalOcean Hsinchu
Presenter: Monisan
Monisan
◎ National Chiao Tung University, Taiwan
○ Wireless Internet Laboratory
○ Department of Computer Science
○ Information Technology Service Center
◎ Network & System Engineer
◎ Familiar with python, mysql, git, linux
◎ You can find me at: https://www.worldplay.com.tw, Twitter & GitHub (@sufuf3)
How to Protect the host
What is a brute-force attack?
◎ A brute-force attack uses a large volume of requests/responses to break into a system.
◎ The attacker tries many candidates in order to guess the correct response to a challenge or request.
How to Protect
Outline
◎ Introduction
◎ Install
◎ Configure
◎ Individual Jail Settings
◎ Testing the Banning Policies
◎ How to Unblock IP
Introduction
◎ Scans log files and bans IPs that show malicious signs: too many password failures, probing for exploits, etc.
◎ Generally Fail2Ban is used to update firewall rules to reject the IP addresses for a specified amount of time.
◎ Able to reduce the rate of incorrect authentication attempts.
Install (1)
◎ Ubuntu:
○ apt-get install fail2ban
◎ CentOS:
○ yum install fail2ban
Install (2)
$ sudo service fail2ban status
 * Status of authentication failure monitor
 * fail2ban is running
$ sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh
Configure (1)
◎ the configuration files directory
○ /etc/fail2ban
$ ls -al
total 56
drwxr-xr-x  6 root root  4096 Feb 11 18:15 .
drwxr-xr-x 99 root root  4096 Feb  7 08:35 ..
drwxr-xr-x  2 root root  4096 Feb  7 08:35 action.d
-rw-r--r--  1 root root  1525 Nov 13  2013 fail2ban.conf
drwxr-xr-x  2 root root  4096 Nov 18  2013 fail2ban.d
drwxr-xr-x  2 root root  4096 Feb 11 18:08 filter.d
-rw-r--r--  1 root root 11937 Feb 10 20:32 jail.conf
drwxr-xr-x  2 root root  4096 Nov 18  2013 jail.d
Configure (2) - fail2ban.conf
◎ fail2ban.conf
Configure (3) - jail.conf (1)
◎ Because this file may be overwritten by package upgrades, we copy it so that we can make our changes safely.
(Diagram: jail.conf holds the default options; copy it to jail.local and put only the options you wish to override there.)
Configure (4) - jail.conf (2)
◎ jail.conf
○ Type the following:
awk '{ printf "# "; print; }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local
Configure (5) - jail.conf (3)
● sudo vim /etc/fail2ban/jail.conf
● [DEFAULT]
○ ignoreip
■ add additional addresses that fail2ban ignores, separated by a space.
○ bantime
■ sets the length of time (in seconds) that a client is banned after it has failed to authenticate correctly.
Configure (6) - jail.conf (4)
● sudo vim /etc/fail2ban/jail.conf
● [DEFAULT]
○ findtime - the window (in seconds) within which a client's failed attempts are counted.
○ maxretry - how many times a client may fail within findtime before it is banned.
Configure (7) - jail.conf (5)
● sudo vim /etc/fail2ban/jail.conf
● [DEFAULT]
● if you want to receive the alerts by email:
○ destemail - the email of the recipient who should receive ban messages.
○ sendername - the value of the "From" field in the email
○ mta - mail service
○ action - there are three choices:
■ action_ - ban only
■ action_mw - ban & send an e-mail with whois report
■ action_mwl - ban & send an e-mail with whois report and relevant log lines
Individual Jail Settings (1)
◎ to enable a jail:
○ uncomment the header of its section
○ change its enabled line to "true"
Individual Jail Settings (2)
◎ you can see what kind of filters are available by looking in the directory:
○ /etc/fail2ban/filter.d
$ ls /etc/fail2ban/filter.d/
Remember
if you modify any configuration, you need to restart the fail2ban service.
$ sudo service fail2ban restart
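The following is an added example, not code from the slides or from the Fail2Ban project: a simplified Python re-implementation of the jail logic that the settings above control (ignoreip, findtime, maxretry, bantime), replayed over constructed sshd log lines so that the interaction of the three limits can be observed. Fail2Ban's configuration files are INI files, so Python's configparser reads the constructed jail.local below; the settings are placed in jail.local (the override file the slides create) rather than edited in jail.conf, and the [ssh] section shows the "enabled = true" step from Individual Jail Settings. The failure regex, the host name srv, the IP addresses and the log lines are all constructed for this example and are not Fail2Ban's own filter definitions.

```python
"""Simplified jail logic for the settings shown in the slides.
Added example, not Fail2Ban's own code: the jail.local text, the host name
'srv', the IP addresses and the auth.log lines are constructed."""
import configparser
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.local: only the options we wish to override.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 192.0.2.10
bantime  = 600
findtime = 600
maxretry = 3
destemail = admin@example.invalid
sendername = Fail2Ban
mta = sendmail

[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
"""

# Constructed sshd lines in syslog format. 192.0.2.10 is in ignoreip;
# 198.51.100.7 never reaches maxretry inside one findtime window.
SAMPLE_AUTH_LOG = """\
Feb 11 18:05:01 srv sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Feb 11 18:05:02 srv sshd[1002]: Failed password for root from 192.0.2.10 port 40002 ssh2
Feb 11 18:05:03 srv sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Feb 11 18:05:04 srv sshd[1004]: Failed password for root from 192.0.2.10 port 40004 ssh2
Feb 11 18:05:05 srv sshd[1005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Feb 11 18:05:06 srv sshd[1006]: Accepted publickey for deploy from 198.51.100.7 port 40006 ssh2
Feb 11 18:05:07 srv sshd[1007]: Failed password for root from 192.0.2.10 port 40007 ssh2
Feb 11 18:06:00 srv sshd[1008]: Failed password for root from 198.51.100.7 port 40008 ssh2
Feb 11 18:20:00 srv sshd[1009]: Failed password for root from 198.51.100.7 port 40009 ssh2
Feb 11 18:21:00 srv sshd[1010]: Failed password for root from 198.51.100.7 port 40010 ssh2
""".splitlines()

# This example's own pattern for sshd password failures (not Fail2Ban's sshd filter).
SSHD_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)


def load_jail(text, jail):
    """Return the jail's effective settings; its section falls back to [DEFAULT]."""
    cp = configparser.ConfigParser(interpolation=None)  # real jail.conf uses %(name)s references
    cp.read_string(text)
    sec = cp[jail]
    return {
        "enabled": sec.getboolean("enabled"),
        "bantime": sec.getint("bantime"),
        "findtime": sec.getint("findtime"),
        "maxretry": sec.getint("maxretry"),
        "ignoreip": [ipaddress.ip_network(n, strict=False) for n in sec["ignoreip"].split()],
    }


def parse_ts(raw, year):
    """syslog timestamps carry no year; the caller supplies it (2017 here)."""
    return datetime.strptime(f"{year} {raw}", "%Y %b %d %H:%M:%S")


def is_ignored(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def scan(lines, cfg, year=2017):
    """Replay log lines in order. Returns (ban events, {ip: ban expiry})."""
    window = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    banned = {}                   # ip -> datetime at which the ban lapses
    events = []
    findtime = timedelta(seconds=cfg["findtime"])
    bantime = timedelta(seconds=cfg["bantime"])
    for line in lines:
        m = SSHD_FAIL_RE.match(line)
        if not m:
            continue                                  # only matching failures count
        ip, ts = m["host"], parse_ts(m["ts"], year)
        if is_ignored(ip, cfg["ignoreip"]):
            continue                                  # ignoreip is never banned
        if ip in banned and ts < banned[ip]:
            continue                                  # still banned; firewall would drop it
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:             # slide the findtime window
            q.popleft()
        if len(q) >= cfg["maxretry"]:
            banned[ip] = ts + bantime
            events.append((ts, ip))
            q.clear()
    return events, banned


def is_banned(banned, ip, at):
    return ip in banned and at < banned[ip]


if __name__ == "__main__":
    cfg = load_jail(JAIL_LOCAL, "ssh")
    events, banned = scan(SAMPLE_AUTH_LOG, cfg)
    for ts, ip in events:
        print(f"{ts} [ssh] Ban {ip} until {banned[ip]}")
```

With maxretry = 3 and findtime = 600 only 203.0.113.5 is banned (three failures in four seconds); 192.0.2.10 fails three times but is in ignoreip, and 198.51.100.7 fails three times in total yet never three times inside one 600-second window. The ban lapses exactly bantime seconds after it was issued.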
Testing the Banning Policies
◎ SSH
◎ mysqld-auth
SSH (1)
(image-only slide: Server and Attacker panels)
SSH (2)
Attacker:
$ ssh username@server_IP
The authenticity of host 'server_IP (server_IP)' can't be established.
ECDSA key fingerprint is SHA256:DpIDl7AZU........yUMzXq+0lvPGHo2GA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server_IP' (ECDSA) to the list of known hosts.
username@server_IP's password:
Permission denied, please try again.
username@server_IP's password:
Permission denied, please try again.
username@server_IP's password:
Permission denied (publickey,password).
$ ssh username@server_IP
username@server_IP's password:
Permission denied, please try again.
username@server_IP's password:
SSH (3)
Server:
$ sudo tail -f /var/log/fail2ban.log
2017-02-10 20:03:11,437 fail2ban.server : INFO Exiting Fail2ban
2017-02-10 20:03:12,166 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2017-02-10 20:03:12,167 fail2ban.jail   : INFO Creating new jail 'ssh'
2017-02-10 20:03:12,203 fail2ban.jail   : INFO Jail 'ssh' uses pyinotify
2017-02-10 20:03:12,239 fail2ban.jail   : INFO Initiated 'pyinotify' backend
2017-02-10 20:03:12,241 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2017-02-10 20:03:12,243 fail2ban.filter : INFO Set maxRetry = 6
2017-02-10 20:03:12,245 fail2ban.filter : INFO Set findtime = 600
2017-02-10 20:03:12,246 fail2ban.actions: INFO Set banTime = 600
2017-02-10 20:03:12,319 fail2ban.jail   : INFO Jail 'ssh' started
2017-02-10 20:06:28,496 fail2ban.actions: WARNING [ssh] Ban attacker_IP
SSH (4)
Server:
$ sudo fail2ban-client status ssh
Status for the jail: ssh
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 1
|  `- Total failed:     16
`- action
   |- Currently banned: 2
   |  `- IP list:       14.189.180.193 attacker_IP
   `- Total banned:     2
SSH (5)
(image-only slide: Server and Attacker panels)
mysqld-auth (1)
(image-only slide: Server and Attacker panels)
mysqld-auth (2)
Attacker:
$ mysql -u root -h server_IP -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)
$ mysql -u root -h server_IP -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)
$ mysql -u root -h server_IP -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)
...
$ mysql -u root -h server_IP -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)
$ mysql -u root -h server_IP -p
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on 'server_IP' (111)
mysqld-auth (3)
Server:
$ sudo tail -f /var/log/fail2ban.log
2017-02-11 18:07:17,257 fail2ban.actions: WARNING [mysqld-auth] Ban attacker_IP
$ sudo tail -f /var/log/mysql/error.log
170211 18:07:14 [Warning] Access denied for user 'root'@'attacker_IP' (using password: YES)
...
170211 18:07:16 [Warning] Access denied for user 'root'@'attacker_IP' (using password: YES)
mysqld-auth (4)
Server:
$ sudo fail2ban-client status mysqld-auth
Status for the jail: mysqld-auth
|- filter
|  |- File list:        /var/log/mysql/error.log
|  |- Currently failed: 0
|  `- Total failed:     43
`- action
   |- Currently banned: 1
   |  `- IP list:       attacker_IP
   `- Total banned:     2
mysqld-auth (5)
(image-only slide: Server and Attacker panels)
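As an added example (not from the slides or from Fail2Ban): a small Python reader for the "Ban"/"Unban" lines that fail2ban.log produces in the format shown in the SSH and mysqld-auth tests above. It reports, per jail, which addresses are currently banned and how many bans the jail has issued, and flags addresses banned more than once, which are the candidates for a longer bantime. The log lines, jail names and IP addresses below are constructed in the page's log format; the regex is this example's own, not Fail2Ban's.

```python
"""Reader for fail2ban.log ban/unban lines. Added example, not Fail2Ban code;
the log lines below are constructed in the format the slides show."""
import re
from collections import Counter, defaultdict

SAMPLE_FAIL2BAN_LOG = """\
2017-02-10 20:03:12,319 fail2ban.jail   : INFO Jail 'ssh' started
2017-02-10 20:06:28,496 fail2ban.actions: WARNING [ssh] Ban 198.51.100.23
2017-02-10 20:16:28,701 fail2ban.actions: WARNING [ssh] Unban 198.51.100.23
2017-02-11 18:07:17,257 fail2ban.actions: WARNING [mysqld-auth] Ban 203.0.113.5
2017-02-11 18:09:40,003 fail2ban.actions: WARNING [ssh] Ban 198.51.100.23
2017-02-11 18:12:00,000 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
""".splitlines()

# Matches only the action lines; INFO lines from other components are skipped.
ACTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} fail2ban\.actions\s*: "
    r"WARNING \[(?P<jail>[^\]]+)\] (?P<verb>Ban|Unban) (?P<ip>\S+)$"
)


def summarize(lines):
    """Return ({jail: {"currently_banned": set, "total_bans": int}}, Counter of bans per IP)."""
    jails = defaultdict(lambda: {"currently_banned": set(), "total_bans": 0})
    bans_per_ip = Counter()
    for line in lines:
        m = ACTION_RE.match(line)
        if not m:
            continue
        jail = jails[m["jail"]]
        if m["verb"] == "Ban":
            jail["currently_banned"].add(m["ip"])
            jail["total_bans"] += 1
            bans_per_ip[m["ip"]] += 1
        else:                                   # Unban: the ban lapsed or was lifted by hand
            jail["currently_banned"].discard(m["ip"])
    return dict(jails), bans_per_ip


def repeat_offenders(bans_per_ip, threshold=2):
    """Addresses banned at least `threshold` times across all jails."""
    return sorted(ip for ip, n in bans_per_ip.items() if n >= threshold)


if __name__ == "__main__":
    jails, bans_per_ip = summarize(SAMPLE_FAIL2BAN_LOG)
    for name, info in sorted(jails.items()):
        print(f"[{name}] total bans: {info['total_bans']}, "
              f"currently banned: {sorted(info['currently_banned'])}")
    print("repeat offenders:", repeat_offenders(bans_per_ip))
```

Run it against the real file with `summarize(open("/var/log/fail2ban.log"))` to get the same "Currently banned" view that `fail2ban-client status <jail>` prints, plus the cross-jail repeat count that the status output does not show.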
How to Unblock IP
$ sudo fail2ban-client set ssh unbanip attacker_IP
Thank You
Q & A
References (1)
◎ Fail2ban
○ http://www.fail2ban.org/wiki/index.php/Main_Page
◎ How To Protect SSH with Fail2Ban on Ubuntu 14.04
○ https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04
References (2)
◎ [Share] Installing fail2ban on Ubuntu (《分享》Ubuntu安裝fail2ban)
○ http://www.shunze.info/forum/thread.php?threadid=1889&boardid=3&sid=e1e02be23bf8adf2ba4bf92be652791b
◎ Notes on installing fail2ban on CentOS (CentOS安裝fail2ban記事)
○ http://blog.pulipuli.info/2011/07/centosfail2ban.html