Using fail2ban
Fail2Ban is a very useful tool for banning IPs after a number of failed login attempts. It is fully automated and works by checking log files such as /var/log/auth.log against a set of regular expressions: when an IP matches the failure pattern more than maxretry times within findtime seconds, it is blocked (by default with an iptables rule) for bantime seconds.
In Debian you can install it as usual:
apt-get install fail2ban
But... what happened that made me need fail2ban?
On Friday I had to set up our own SSH server using a Debian virtual machine (the server runs Windows) to access a remote shell. Today I found these logs:
luis pts/6 178.124.133.40 Mon Dec 17 22:17 - 22:17 (00:00)
luis pts/6 178.124.133.40 Mon Dec 17 22:12 - 22:13 (00:00)
luis pts/6 178.124.133.40 Mon Dec 17 21:20 - 21:31 (00:11)
luis pts/6 178.124.133.40 Mon Dec 17 21:07 - 21:08 (00:01)
luis pts/6 178.124.133.40 Mon Dec 17 21:06 - 21:07 (00:01)
...
alex pts/1 85.122.42.3 Mon Dec 17 09:14 - 09:15 (00:00)
luis pts/1 188.173.243.80 Mon Dec 17 07:44 - 07:45 (00:00)
alex pts/1 195.175.254.95 Mon Dec 17 07:28 - 07:28 (00:00)
luis pts/1 188.173.243.80 Sun Dec 16 22:01 - 22:02 (00:00)
luis pts/1 188.173.243.74 Sun Dec 16 14:23 - 14:25 (00:01)
luis pts/1 77-108-1-191-sta Sun Dec 16 01:15 - 03:15 (02:00)
alex pts/1 190.144.34.118 Sat Dec 15 18:53 - 18:53 (00:00)
Well, this is VERY bad news, and of course it showed me what a noob I am as a server admin. Fortunately, neither the luis nor the alex account had enough privileges for anything. I immediately changed the passwords for those users and decided to put a limit on login attempts. So 3 failed attempts = IP ban for 10 hours. This should be enough to discourage most script kiddies out there.
Using fail2ban was quite straightforward. I installed it from the Debian official repository and slightly edited /etc/fail2ban/jail.conf.
In the [DEFAULT] section I put:
# 10 hours ban
bantime = 36000
maxretry = 3
And in the [ssh] section I commented out this line (a per-jail value overrides the [DEFAULT] one, so it has to go for the new maxretry to apply to ssh):
#maxretry = 6
Then I ran the server:
$ sudo fail2ban-client start
WARNING 'findtime' not defined in 'apache-noscript'. Using default value
WARNING 'findtime' not defined in 'pam-generic'. Using default value
WARNING 'findtime' not defined in 'vsftpd'. Using default value
WARNING 'findtime' not defined in 'xinetd-fail'. Using default value
WARNING 'findtime' not defined in 'ssh-ddos'. Using default value
WARNING 'findtime' not defined in 'apache-multiport'. Using default value
WARNING 'findtime' not defined in 'apache-overflows'. Using default value
WARNING 'findtime' not defined in 'couriersmtp'. Using default value
WARNING 'findtime' not defined in 'wuftpd'. Using default value
WARNING 'findtime' not defined in 'ssh'. Using default value
WARNING 'findtime' not defined in 'postfix'. Using default value
WARNING 'findtime' not defined in 'sasl'. Using default value
WARNING 'findtime' not defined in 'apache'. Using default value
WARNING 'findtime' not defined in 'courierauth'. Using default value
WARNING 'findtime' not defined in 'proftpd'. Using default value
WARNING 'findtime' not defined in 'named-refused-tcp'. Using default value
2012-12-18 17:56:26,862 fail2ban.server : INFO Starting Fail2ban v0.8.4-SVN
2012-12-18 17:56:26,863 fail2ban.server : INFO Starting in daemon mode
Check that it is running correctly:
$ sudo fail2ban-client ping
Server replied: pong
Then I ran some tests with failed logins (with bantime 1 minute, not 10 hours, of course...) and it effectively banned the IP after 3 failed attempts :)
$ sudo tail fail2ban.log
2012-12-18 17:15:23,344 fail2ban.jail : INFO Creating new jail 'ssh'
2012-12-18 17:15:23,344 fail2ban.jail : INFO Jail 'ssh' uses poller
2012-12-18 17:15:23,347 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2012-12-18 17:15:23,349 fail2ban.filter : INFO Set maxRetry = 3
2012-12-18 17:15:23,352 fail2ban.filter : INFO Set findtime = 600
2012-12-18 17:15:23,353 fail2ban.actions: INFO Set banTime = 60
2012-12-18 17:15:23,415 fail2ban.jail : INFO Jail 'ssh' started
2012-12-18 17:16:10,576 fail2ban.actions: WARNING [ssh] Ban 192.168.1.61
2012-12-18 17:17:10,848 fail2ban.actions: WARNING [ssh] Unban 192.168.1.61
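The whole procedure above, modelled in Python (fail2ban's own implementation language, and the language of its filter regexes) as an added example that is not fail2ban's code or this post's: a tiny jail that overlays jail.conf with jail.local the way fail2ban does, matches sshd failures in constructed auth.log lines with a simplified failregex, and bans and unbans with the settings used here (maxretry = 3, findtime = 600, and the test-run bantime = 60). The two jail.local texts, the auth.log lines, the regexes and the assumed year are all constructed for the example. It also shows the trap behind commenting out the [ssh] maxretry line: a jail.local that only sets maxretry under [DEFAULT] leaves the ssh jail at the per-section value of 6, because a key inside a section wins over [DEFAULT].

```python
"""Toy model of a fail2ban ssh jail (added example, not fail2ban's own code):
overlay jail.conf with jail.local the way fail2ban does, match sshd failures
in auth.log lines with a simplified failregex, ban after maxretry hits inside
findtime, and unban after bantime."""
import configparser
import re
from datetime import datetime, timedelta

# Constructed stand-ins for the package-shipped jail.conf and two jail.local
# variants. Real jail.conf files carry many more jails and options.
JAIL_CONF = """\
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 3

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
"""

# Overriding only [DEFAULT] does NOT change the ssh jail: a key set inside
# a section wins over the same key in [DEFAULT], so maxretry stays 6.
JAIL_LOCAL_DEFAULT_ONLY = """\
[DEFAULT]
# 10 hours ban
bantime  = 36000
maxretry = 3
"""

# The per-jail key has to be overridden in the same section.
JAIL_LOCAL_FIXED = JAIL_LOCAL_DEFAULT_ONLY + """
[ssh]
maxretry = 3
"""


def jail_settings(conf_text, local_text, jail="ssh"):
    """Read jail.conf then jail.local; later values win key by key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    cp.read_string(local_text)
    return {k: cp.getint(jail, k) for k in ("maxretry", "findtime", "bantime")}


# Simplified versions of the syslog line layout and of fail2ban's sshd
# failregex (assumptions for this example; the shipped filter.d/sshd.conf is broader).
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3})")


def run_jail(lines, maxretry, findtime, bantime, year=2012):
    """Replay auth.log lines; return [(time, 'Ban'|'Unban', ip), ...].

    Syslog timestamps carry no year, so one is assumed (fail2ban assumes the
    current year). Ban expiry is checked whenever a later line arrives; the
    real daemon checks on its own timer.
    """
    failures = {}   # ip -> timestamps of failures still inside findtime
    banned = {}     # ip -> time at which the ban expires
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        now = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for ip, until in list(banned.items()):   # expire old bans first
            if now >= until:
                events.append((until, "Unban", ip))
                del banned[ip]
        f = FAILREGEX.search(m["msg"])
        if not f or f["host"] in banned:   # not a failure, or already dropped by iptables
            continue
        ip = f["host"]
        window_start = now - timedelta(seconds=findtime)
        hits = [t for t in failures.get(ip, []) if t > window_start] + [now]
        failures[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = now + timedelta(seconds=bantime)
            failures[ip] = []
            events.append((now, "Ban", ip))
    return events


# Constructed auth.log excerpt: three failures from one host inside a minute,
# then two failures from another host more than findtime apart.
AUTH_LOG = """\
Dec 18 17:15:58 vm sshd[4242]: Failed password for invalid user admin from 192.168.1.61 port 51234 ssh2
Dec 18 17:16:03 vm sshd[4243]: Failed password for luis from 192.168.1.61 port 51235 ssh2
Dec 18 17:16:10 vm sshd[4244]: Failed password for root from 192.168.1.61 port 51236 ssh2
Dec 18 17:16:30 vm sshd[4245]: Accepted password for luis from 10.0.0.5 port 40000 ssh2
Dec 18 17:16:45 vm sshd[4246]: Failed password for luis from 10.0.0.5 port 40001 ssh2
Dec 18 18:00:00 vm sshd[4247]: Failed password for luis from 10.0.0.5 port 40002 ssh2
"""

if __name__ == "__main__":
    for local in (JAIL_LOCAL_DEFAULT_ONLY, JAIL_LOCAL_FIXED):
        s = jail_settings(JAIL_CONF, local)
        print(s)
        # bantime 60 for the test run, as in the post, instead of the configured 36000
        for when, what, ip in run_jail(AUTH_LOG.splitlines(), s["maxretry"], s["findtime"], 60):
            print(f"{when:%Y-%m-%d %H:%M:%S} fail2ban.actions: WARNING [ssh] {what} {ip}")
```

Running it prints no events for the [DEFAULT]-only override (maxretry is still 6) and, for the fixed one, the same Ban/Unban pair one minute apart that the fail2ban.log above shows. The second failure from 10.0.0.5 never triggers a ban because it falls outside the 600 s findtime window of the first. In practice, put the overrides in /etc/fail2ban/jail.local rather than in jail.conf: fail2ban reads jail.local after jail.conf precisely so that local changes survive package upgrades of jail.conf.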