Slide 1

System Security for Green Hands on Linux OS
2017/02/12, Hsinchu, DigitalOcean Hsinchu
Presenter: Samina

Slide 2

◎ National Chiao Tung University, Taiwan
  ○ Wireless Internet Laboratory, Department of Computer Science
  ○ Information Technology Service Center, Network & System Engineer
◎ Familiar with Python, MySQL, Git, Linux
◎ You can find me at: https://www.worldplay.com.tw
  Twitter & GitHub: @sufuf3
  Monisan

Slide 3


Slide 4

How to Protect a Host

Slide 5

How to Protect a Host

Slide 6

What is a brute-force attack?
◎ A brute-force attack uses a large volume of requests/responses to break into a system.
◎ The attacker tries many candidate answers to guess the response to a challenge or a request.

Slide 7

How to Protect

Slide 8

Outline
◎ Introduction
◎ Install
◎ Configure
◎ Individual Jail Settings
◎ Testing the Banning Policies
◎ How to Unblock IP

Slide 9

Outline ◎ Introduction ◎ Install ◎ Configure ◎ Individual Jail Settings ◎ Testing the Banning Policies ◎ How to Unblock IP

Slide 10

Introduction
◎ Fail2Ban scans log files and bans IPs that show malicious signs: too many password failures, probing for exploits, etc.
◎ Generally Fail2Ban is used to update firewall rules to reject those IP addresses for a specified amount of time.
◎ This reduces the rate of incorrect authentication attempts.

Slide 11

Outline ◎ Introduction ◎ Install ◎ Configure ◎ Individual Jail Settings ◎ Testing the Banning Policies ◎ How to Unblock IP

Slide 12

Install (1)
◎ Ubuntu:
  ○ apt-get install fail2ban
◎ CentOS:
  ○ yum install fail2ban

Slide 13

Install (2)

  $ sudo service fail2ban status
   * Status of authentication failure monitor
   * fail2ban is running
  $ sudo fail2ban-client status
  Status
  |- Number of jail:      1
  `- Jail list:           ssh

Slide 14

Outline ◎ Introduction ◎ Install ◎ Configure ◎ Individual Jail Settings ◎ Testing the Banning Policies ◎ How to Unblock IP

Slide 15

Configure (1)
◎ The configuration files directory:
  ○ /etc/fail2ban

  $ ls -al
  total 56
  drwxr-xr-x  6 root root  4096 Feb 11 18:15 .
  drwxr-xr-x 99 root root  4096 Feb  7 08:35 ..
  drwxr-xr-x  2 root root  4096 Feb  7 08:35 action.d
  -rw-r--r--  1 root root  1525 Nov 13  2013 fail2ban.conf
  drwxr-xr-x  2 root root  4096 Nov 18  2013 fail2ban.d
  drwxr-xr-x  2 root root  4096 Feb 11 18:08 filter.d
  -rw-r--r--  1 root root 11937 Feb 10 20:32 jail.conf
  drwxr-xr-x  2 root root  4096 Nov 18  2013 jail.d

Slide 16

Configure (2) - fail2ban.conf
◎ fail2ban.conf

Slide 17

Configure (3) - jail.conf (1)
◎ Because jail.conf can be overwritten by package upgrades, we copy it to jail.local and make our changes there, so they survive safely.

  jail.conf (default options)  --copy-->  jail.local (the options you wish to override)

Slide 18

Configure (4) - jail.conf (2)
◎ jail.conf
  ○ Type the following (it writes a copy of jail.conf to jail.local with every line commented out, so the defaults stay visible and only the lines you uncomment take effect):

  awk '{ printf "# "; print; }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local

Slide 19

Configure (5) - jail.conf (3)
● sudo vim /etc/fail2ban/jail.conf
● [DEFAULT]
  ○ ignoreip
    ■ additional addresses that fail2ban ignores, separated by a space.
  ○ bantime
    ■ the length of time (in seconds) that a client is banned after it has failed to authenticate correctly.

Slide 20

Configure (6) - jail.conf (4)
● sudo vim /etc/fail2ban/jail.conf
● [DEFAULT]
  ○ findtime - the window (in seconds) within which a client's failed attempts are counted.
  ○ maxretry - how many times a client may fail within findtime before it is banned.

Slide 21

Configure (7) - jail.conf (5)
● sudo vim /etc/fail2ban/jail.conf
● [DEFAULT]
● If you want to receive the alerts by email:
  ○ destemail - the email address of the recipient who should receive ban messages.
  ○ sendername - the value of the "From" field in the email.
  ○ mta - the mail service used to send it.
  ○ action - there are three choices:
    ■ action_    - ban only
    ■ action_mw  - ban & send an e-mail with a whois report
    ■ action_mwl - ban & send an e-mail with a whois report and the relevant log lines
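To make the four [DEFAULT] knobs above concrete, here is an added example (not fail2ban's own code) that applies the same sliding-window rule fail2ban uses: failures from one address are counted only inside findtime, the address is banned once maxretry is reached, the ban is lifted after bantime, and addresses inside ignoreip are never counted. The auth.log lines and the addresses in them are constructed for the demonstration; the year is assumed, because syslog timestamps carry none.

```python
"""Sliding-window ban logic in the style of fail2ban: ignoreip, findtime,
maxretry and bantime applied to sshd failures in an auth.log.
Added example; this is not fail2ban's own code."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd "Failed password" lines; the source address is what gets banned.
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")
# syslog-style timestamp at the start of each auth.log line (no year).
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed auth.log excerpt (addresses are documentation ranges, not real hosts).
AUTH_LOG = """\
Feb 10 20:05:01 server sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb 10 20:05:03 server sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Feb 10 20:05:05 server sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Feb 10 20:05:20 server sshd[1210]: Failed password for root from 10.0.0.5 port 40000 ssh2
Feb 10 20:05:21 server sshd[1210]: Failed password for root from 10.0.0.5 port 40002 ssh2
Feb 10 20:05:22 server sshd[1210]: Failed password for root from 10.0.0.5 port 40004 ssh2
Feb 10 20:05:30 server sshd[1215]: Failed password for alice from 198.51.100.9 port 33000 ssh2
Feb 10 20:05:40 server sshd[1216]: Accepted password for alice from 198.51.100.9 port 33002 ssh2
Feb 10 20:20:00 server sshd[1230]: Failed password for alice from 198.51.100.9 port 33010 ssh2
Feb 10 20:20:01 server sshd[1230]: Failed password for alice from 198.51.100.9 port 33012 ssh2
"""


class Jail:
    """One jail: counts failures per host inside findtime, bans at maxretry."""

    def __init__(self, name, maxretry=3, findtime=600, bantime=600, ignoreip=(), year=2017):
        self.name = name
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.year = year                      # assumed: auth.log lines carry no year
        self.failures = defaultdict(deque)    # host -> timestamps of recent failures
        self.banned = {}                      # host -> time the ban expires
        self.events = []                      # "<time> [<jail>] Ban|Unban <host>"

    def _ignored(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignore)

    def _expire_bans(self, now):
        # Lift bans whose bantime has elapsed, oldest first.
        for host, until in sorted(self.banned.items(), key=lambda kv: kv[1]):
            if until <= now:
                del self.banned[host]
                self.events.append(f"{now} [{self.name}] Unban {host}")

    def process_line(self, line):
        m = TS_RE.match(line)
        if not m:
            return
        now = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        self._expire_bans(now)
        f = FAIL_RE.search(line)
        if not f:
            return
        host = f["host"]
        if self._ignored(host) or host in self.banned:
            return
        window = self.failures[host]
        window.append(now)
        # Drop failures older than findtime: only a burst inside the window counts.
        while (now - window[0]).total_seconds() > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[host] = now + timedelta(seconds=self.bantime)
            window.clear()
            self.events.append(f"{now} [{self.name}] Ban {host}")


def run_jail(log_text, **settings):
    """Feed every line through one 'ssh' jail; return (events, hosts still banned)."""
    jail = Jail("ssh", **settings)
    for line in log_text.splitlines():
        jail.process_line(line)
    return jail.events, sorted(jail.banned)


if __name__ == "__main__":
    events, still_banned = run_jail(AUTH_LOG, ignoreip=("127.0.0.0/8", "10.0.0.0/24"))
    print("\n".join(events))
    print("still banned:", still_banned)
```

With the defaults (maxretry 3, findtime 600, bantime 600) 203.0.113.7 is banned on its third failure and unbanned ten minutes later, the 10.0.0.0/24 host is skipped because of ignoreip, and 198.51.100.9 is never banned because its first failure has fallen out of the window by the time the next two arrive; raising findtime to 1000 catches that slower pattern, which is the trade-off the two settings express.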

Slide 22

Outline ◎ Introduction ◎ Install ◎ Configure ◎ Individual Jail Settings ◎ Testing the Banning Policies ◎ How to Unblock IP

Slide 23

Individual Jail Settings (1)
◎ To enable a jail:
  ○ uncomment the header of its section
  ○ change its enabled line to "true"

Slide 24

Individual Jail Settings (2)
◎ You can see what kinds of filters are available by looking in the directory:
  ○ /etc/fail2ban/filter.d

  $ ls /etc/fail2ban/filter.d/
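The two slides above describe how a jail becomes active: jail.local is read after jail.conf, so an "enabled = true" (or any other key) in jail.local replaces the packaged value, and each jail's filter name must correspond to a file in filter.d. The following added example (Python's configparser over constructed jail.conf, jail.local and filter.d files written to a temporary directory; it is not fail2ban's own configuration reader) shows the resulting effective settings per enabled jail and flags a jail whose filter file is missing.

```python
"""How fail2ban layers jail.local over jail.conf and which jails end up
enabled. Added example using Python's configparser on constructed files in a
temp directory; it is not fail2ban's own configuration reader."""
import configparser
import os
import tempfile

# Constructed stand-in for the packaged /etc/fail2ban/jail.conf.
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 3

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[mysqld-auth]
enabled  = false
port     = 3306
filter   = mysqld-auth
logpath  = /var/log/mysql/error.log

[nginx-http-auth]
enabled  = false
port     = http,https
filter   = nginx-http-auth
logpath  = /var/log/nginx/error.log
"""

# Constructed jail.local: only the lines we want to override.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 192.0.2.10
bantime  = 3600

[mysqld-auth]
enabled = true

[nginx-http-auth]
enabled = true
"""


def write_fixture():
    """Lay out jail.conf, jail.local and a filter.d holding only two filters."""
    root = tempfile.mkdtemp(prefix="fail2ban-demo-")
    os.mkdir(os.path.join(root, "filter.d"))
    for name, text in (("jail.conf", JAIL_CONF), ("jail.local", JAIL_LOCAL)):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    for filt in ("sshd", "mysqld-auth"):           # deliberately no nginx-http-auth.conf
        open(os.path.join(root, "filter.d", filt + ".conf"), "w").close()
    return root


def load_jails(conf_dir):
    """Return the effective settings of every enabled jail.

    Files are read in order, so a key in jail.local replaces the same key from
    jail.conf; [DEFAULT] values apply to any jail that does not set its own.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read([os.path.join(conf_dir, "jail.conf"), os.path.join(conf_dir, "jail.local")])
    jails = {}
    for section in cp.sections():
        if not cp.getboolean(section, "enabled", fallback=False):
            continue
        filt = cp.get(section, "filter", fallback=section)
        jails[section] = {
            "filter": filt,
            "logpath": cp.get(section, "logpath"),
            "bantime": cp.getint(section, "bantime"),
            "findtime": cp.getint(section, "findtime"),
            "maxretry": cp.getint(section, "maxretry"),
            "ignoreip": cp.get(section, "ignoreip").split(),
            # fail2ban will not start a jail whose filter file does not exist.
            "filter_ok": os.path.isfile(os.path.join(conf_dir, "filter.d", filt + ".conf")),
        }
    return jails


if __name__ == "__main__":
    for name, cfg in load_jails(write_fixture()).items():
        print(name, cfg)
```

Note that ssh keeps its own maxretry of 6 while mysqld-auth inherits 3 from [DEFAULT], and both pick up the bantime and ignoreip overrides from jail.local; nginx-http-auth is enabled in jail.local but has no filter file, which is exactly the kind of mistake that only shows up when the service is restarted.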

Slide 25

Remember: if you modify any configuration, you need to restart the fail2ban service.

  $ sudo service fail2ban restart

Slide 26

Outline ◎ Introduction ◎ Install ◎ Configure ◎ Individual Jail Settings ◎ Testing the Banning Policies ◎ How to Unblock IP

Slide 27

Testing the Banning Policies
◎ SSH
◎ mysqld-auth

Slide 28

SSH (1)
(diagram with two columns: Server | Attacker)

Slide 29

SSH (2)
Attacker side:

  $ ssh username@server_IP
  The authenticity of host 'server_IP (server_IP)' can't be established.
  ECDSA key fingerprint is SHA256:DpIDl7AZU........yUMzXq+0lvPGHo2GA.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added 'server_IP' (ECDSA) to the list of known hosts.
  username@server_IP's password:
  Permission denied, please try again.
  username@server_IP's password:
  Permission denied, please try again.
  username@server_IP's password:
  Permission denied (publickey,password).
  $ ssh username@server_IP
  username@server_IP's password:
  Permission denied, please try again.
  username@server_IP's password:

Slide 30

SSH (3)
Server side:

  $ sudo tail -f /var/log/fail2ban.log
  2017-02-10 20:03:11,437 fail2ban.server : INFO    Exiting Fail2ban
  2017-02-10 20:03:12,166 fail2ban.server : INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
  2017-02-10 20:03:12,167 fail2ban.jail   : INFO    Creating new jail 'ssh'
  2017-02-10 20:03:12,203 fail2ban.jail   : INFO    Jail 'ssh' uses pyinotify
  2017-02-10 20:03:12,239 fail2ban.jail   : INFO    Initiated 'pyinotify' backend
  2017-02-10 20:03:12,241 fail2ban.filter : INFO    Added logfile = /var/log/auth.log
  2017-02-10 20:03:12,243 fail2ban.filter : INFO    Set maxRetry = 6
  2017-02-10 20:03:12,245 fail2ban.filter : INFO    Set findtime = 600
  2017-02-10 20:03:12,246 fail2ban.actions: INFO    Set banTime = 600
  2017-02-10 20:03:12,319 fail2ban.jail   : INFO    Jail 'ssh' started
  2017-02-10 20:06:28,496 fail2ban.actions: WARNING [ssh] Ban attacker_IP

Slide 31

SSH (4)
Server side:

  $ sudo fail2ban-client status ssh
  Status for the jail: ssh
  |- filter
  |  |- File list:        /var/log/auth.log
  |  |- Currently failed: 1
  |  `- Total failed:     16
  `- action
     |- Currently banned: 2
     |  `- IP list:       14.189.180.193 attacker_IP
     `- Total banned:     2

Slide 32

SSH (5)
(diagram with two columns: Server | Attacker)

Slide 33

mysqld-auth (1)
(diagram with two columns: Server | Attacker)

Slide 34

mysqld-auth (2)
Attacker side:

  $ mysql -u root -h server_IP -p
  Enter password:
  ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)
  $ mysql -u root -h server_IP -p
  Enter password:
  ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)
  $ mysql -u root -h server_IP -p
  Enter password:
  ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)
  ...
  $ mysql -u root -h server_IP -p
  Enter password:
  ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)
  $ mysql -u root -h server_IP -p
  Enter password:
  ERROR 2003 (HY000): Can't connect to MySQL server on 'server_IP' (111)

Slide 35

mysqld-auth (3)
Server side:

  $ sudo tail -f /var/log/fail2ban.log
  2017-02-11 18:07:17,257 fail2ban.actions: WARNING [mysqld-auth] Ban attacker_IP

  $ sudo tail -f /var/log/mysql/error.log
  170211 18:07:14 [Warning] Access denied for user 'root'@'attacker_IP' (using password: YES)
  ...
  170211 18:07:16 [Warning] Access denied for user 'root'@'attacker_IP' (using password: YES)
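The ban on this slide happens because the mysqld-auth filter's failregex matches the "Access denied" lines in error.log and extracts the client address. fail2ban filters write that address as a <HOST> placeholder, which is expanded into a named regex group before matching, and the fail2ban-regex tool reports which log lines match. The added example below reproduces that check on constructed error.log lines; the failregex and the HOST pattern are simplified stand-ins written for this page, not copied from fail2ban's shipped mysqld-auth filter. One line is in the newer MySQL 5.7 log format, which this regex does not cover, to show why a filter should be tested against the server's own log before the jail is trusted.

```python
"""Testing a filter.d-style failregex against MySQL error.log lines, the way
fail2ban-regex does. Added example; the failregex and log lines below are
constructed for illustration, not copied from fail2ban's mysqld-auth filter."""
import re
from collections import Counter

# fail2ban substitutes <HOST> in a failregex with a named group that matches
# an IPv4 address, an IPv6 address or a DNS name; simplified stand-in here.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]{3,}|[\w.-]+)"

# Constructed failregex for the pre-5.7 MySQL error.log format shown on the slide.
FAILREGEX = (r"^\d{6} +\d{1,2}:\d{2}:\d{2} \[Warning\] Access denied for user "
             r"'[^']+'@'<HOST>' \(using password: (?:YES|NO)\)\s*$")

# Constructed error.log excerpt: three failures from one host, one from another,
# a startup message, and a MySQL 5.7-style line whose format the regex does not cover.
ERROR_LOG = """\
170211 18:07:14 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
170211 18:07:15 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
170211 18:07:16 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
170211 18:07:30 [Warning] Access denied for user 'app'@'198.51.100.9' (using password: NO)
170211 18:08:00 [Note] /usr/sbin/mysqld: ready for connections.
2017-02-11T18:09:00.123456Z 12 [Note] Access denied for user 'root'@'192.0.2.44' (using password: YES)
"""


def compile_failregex(template):
    """Expand the <HOST> placeholder and compile, as fail2ban does for each filter."""
    return re.compile(template.replace("<HOST>", HOST_RE))


def check_failregex(template, log_text):
    """Report matched/missed lines and failure counts per host (like fail2ban-regex)."""
    rx = compile_failregex(template)
    per_host = Counter()
    missed = []
    for line in log_text.splitlines():
        m = rx.match(line)
        if m:
            per_host[m["host"]] += 1
        else:
            missed.append(line)
    return {"matched": sum(per_host.values()), "hosts": dict(per_host), "missed": missed}


def would_ban(report, maxretry):
    """Hosts whose failure count in this excerpt already reaches the jail's maxretry."""
    return sorted(h for h, n in report["hosts"].items() if n >= maxretry)


if __name__ == "__main__":
    report = check_failregex(FAILREGEX, ERROR_LOG)
    print("matched:", report["matched"], "per host:", report["hosts"])
    print("would ban at maxretry=3:", would_ban(report, 3))
    print("missed lines:")
    for line in report["missed"]:
        print("  ", line)
```

The report shows four matches, three of them from 203.0.113.7 (enough for a jail with maxretry = 3), and two missed lines: the harmless startup message and the 5.7-format "Access denied" line. A missed failure line is a silent gap in coverage, so after changing a filter, rerun this kind of check (or fail2ban-regex) against a recent copy of the real log.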

Slide 36

mysqld-auth (4)
Server side:

  $ sudo fail2ban-client status mysqld-auth
  Status for the jail: mysqld-auth
  |- filter
  |  |- File list:        /var/log/mysql/error.log
  |  |- Currently failed: 0
  |  `- Total failed:     43
  `- action
     |- Currently banned: 1
     |  `- IP list:       attacker_IP
     `- Total banned:     2

Slide 37

mysqld-auth (5)
(diagram with two columns: Server | Attacker)

Slide 38

Outline ◎ Introduction ◎ Install ◎ Configure ◎ Individual Jail Settings ◎ Testing the Banning Policies ◎ How to Unblock IP

Slide 39

How to Unblock IP

  $ sudo fail2ban-client set ssh unbanip attacker_IP

Slide 40

Thank You
Q & A

Slide 41

References (1)
◎ Fail2ban
  ○ http://www.fail2ban.org/wiki/index.php/Main_Page
◎ How To Protect SSH with Fail2Ban on Ubuntu 14.04
  ○ https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04

Slide 42

References (2)
◎ [Share] Installing fail2ban on Ubuntu (《分享》Ubuntu安裝fail2ban)
  ○ http://www.shunze.info/forum/thread.php?threadid=1889&boardid=3&sid=e1e02be23bf8adf2ba4bf92be652791b
◎ Notes on installing fail2ban on CentOS (CentOS安裝fail2ban記事)
  ○ http://blog.pulipuli.info/2011/07/centosfail2ban.html