Fail2ban intro

Transcript

1. The System Security for green hand on Linux OS 2017/02/12,

   Hsinchu, DigitalOcean Hsinchu Presenter: Samina

2. ◎ National Chiao Tung University, Taiwan ◦ Wireless Internet Laboratory

   ◦ Department of Computer Science ◦ Information Technology Service Center Network & System Engineer ◎ Familiar with python, mysql, git, linux ◎ You can find me at: https://www.worldplay.com.tw Twitter & GitHub (@sufuf3) Monisan 2

3. 3

4. How to Protecte host 4

5. How to Protecte host 5

6. What is the brute-force attack? ◎ A brute force attack

   uses a large volume of requests/responses to break into a system. ◎ The attacker try many method to guess the response to a challenge or a request. 6

7. How to Protect 7

8. Outline ◎ Introduction ◎ Install ◎ Configure ◎ Individual Jail

   Settings ◎ Testing the Banning Policies ◎ How to Unblock IP 8

9. Outline ◎ Introduction ◎ Install ◎ Configure ◎ Individual Jail

   Settings ◎ Testing the Banning Policies ◎ How to Unblock IP 9

10. Introduction ◎ Scans log files and bans IPs that show

    the malicious signs -- too many password failures, seeking for exploits, etc. ◎ Generally Fail2Ban is used to update firewall rules to reject the IP addresses for a specified amount of time. ◎ Able to reduce the rate of incorrect authentications attempts. 10

11. Outline ◎ Introduction ◎ Install ◎ Configure ◎ Individual Jail

    Settings ◎ Testing the Banning Policies ◎ How to Unblock IP 11

12. Install (1) ◎ Ubuntu: ◦ apt-get install fail2ban ◎ CentOS:

    ◦ yum install fail2ban 12

13. Install (2) 13 $ sudo service fail2ban status * Status

    of authentication failure monitor * fail2ban is running $ sudo fail2ban-client status Status |- Number of jail: 1 `- Jail list: ssh

14. Outline ◎ Introduction ◎ Install ◎ Configure ◎ Individual Jail

    Settings ◎ Testing the Banning Policies ◎ How to Unblock IP 14

15. Configure (1) ◎ the configuration files directory ◦ /etc/fail2ban 15

    $ ls -al total 56 drwxr-xr-x 6 root root 4096 Feb 11 18:15 . drwxr-xr-x 99 root root 4096 Feb 7 08:35 .. drwxr-xr-x 2 root root 4096 Feb 7 08:35 action.d -rw-r--r-- 1 root root 1525 Nov 13 2013 fail2ban.conf drwxr-xr-x 2 root root 4096 Nov 18 2013 fail2ban.d drwxr-xr-x 2 root root 4096 Feb 11 18:08 filter.d -rw-r--r-- 1 root root 11937 Feb 10 20:32 jail.conf drwxr-xr-x 2 root root 4096 Nov 18 2013 jail.d

16. Configure (2) - fail2ban.conf ◎ fail2ban.conf 16

17. Configure (3) - jail.conf (1) ◎ Cause the file would

    modified by package upgrades, we need copy it so that we can make our changes safely. 17 jail.conf jail.local default options wish to override Copy

18. Configure (4) - jail.conf (2) ◎ jail.conf ◦ Typing the

    following: 18 awk '{ printf "# "; print; }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local

19. Configure (5) - jail.conf (3) • sudo vim /etc/fail2ban/jail.conf •

    [DEFAULT] ◦ ignoreip ▪ add additional addresses that fail2ban ignores, separated by a space. ◦ bantime ▪ sets length of time that a client will be banned when they have failed to authenticate correctly. (second) 19

20. Configure (6) - jail.conf (4) • sudo vim /etc/fail2ban/jail.conf •

    the client can tries how many times in findtime. • [DEFAULT] ◦ findtime - how long that a client has to authenticate within a window. (second) ◦ maxretry - the client can tries how many times 20

21. Configure (7) - jail.conf (5) • sudo vim /etc/fail2ban/jail.conf •

    [DEFAULT] • if you want to receive the alerts by email. ◦ destemail - the email of recipient who should receive ban messages. ◦ sendername - the value of the "From" field in the email ◦ mta - mail service ◦ action - there are three choice: 21 action_ ban action_mw ban & send an e-mail with whois report action_mwl ban & send an e-mail with whois report and relevant log lines

22. Outline ◎ Introduction ◎ Install ◎ Configure ◎ Individual Jail

    Settings ◎ Testing the Banning Policies ◎ How to Unblock IP 22

23. Individual Jail Settings (1) ◎ if you want to enable

    ◦ uncommenting the header of the section ◦ changing the enabled line to be "true" 23

24. Individual Jail Settings (2) ◎ you can see what kind

    of filters are available by looking the directory: ◦ /etc/fail2ban/filter.d 24 $ ls /etc/fail2ban/filter.d/

25. Remember if you modify any configoration, you need to restart

    the fail2ban service. 25 $ sudo service fail2ban restart

26. Outline ◎ Introduction ◎ Install ◎ Configure ◎ Individual Jail

    Settings ◎ Testing the Banning Policies ◎ How to Unblock IP 26

27. Testing the Banning Policies ◎ SSH ◎ mysqld-auth 27

28. SSH (1) 28 Server Attacker

29. SSH (2) 29 Server Attacker $ ssh username@server_IP The authenticity

    of host 'server_IP (server_IP)' can't be established. ECDSA key fingerprint is SHA256:DpIDl7AZU........yUMzXq+0lvPGHo2GA. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'server_IP' (ECDSA) to the list of known hosts. username@server_IP's password: Permission denied, please try again. username@server_IP's password: Permission denied, please try again. username@server_IP's password: Permission denied (publickey,password). $ ssh username@server_IP username@server_IP's password: Permission denied, please try again. username@server_IP's password:

30. SSH (3) 30 Server Attacker $ sudo tail -f /var/log/fail2ban.log

    2017-02-10 20:03:11,437 fail2ban.server : INFO Exiting Fail2ban 2017-02-10 20:03:12,166 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11 2017-02-10 20:03:12,167 fail2ban.jail : INFO Creating new jail 'ssh' 2017-02-10 20:03:12,203 fail2ban.jail : INFO Jail 'ssh' uses pyinotify 2017-02-10 20:03:12,239 fail2ban.jail : INFO Initiated 'pyinotify' backend 2017-02-10 20:03:12,241 fail2ban.filter : INFO Added logfile = /var/log/auth.log 2017-02-10 20:03:12,243 fail2ban.filter : INFO Set maxRetry = 6 2017-02-10 20:03:12,245 fail2ban.filter : INFO Set findtime = 600 2017-02-10 20:03:12,246 fail2ban.actions: INFO Set banTime = 600 2017-02-10 20:03:12,319 fail2ban.jail : INFO Jail 'ssh' started 2017-02-10 20:06:28,496 fail2ban.actions: WARNING [ssh] Ban attacker_IP

31. SSH (4) 31 Server Attacker $ sudo fail2ban-client status ssh

    Status for the jail: ssh |- filter | |- File list: /var/log/auth.log | |- Currently failed: 1 | `- Total failed: 16 `- action |- Currently banned: 2 | `- IP list: 14.189.180.193 attacker_IP `- Total banned: 2

32. SSH (5) 32 Server Attacker

33. mysqld-auth (1) 33 Server Attacker

34. mysqld-auth (2) 34 Server Attacker $ mysql -u root -h

    server_IP -p Enter password: ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO) $ mysql -u root -h server_IP -p Enter password: ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO) $ mysql -u root -h server_IP -p Enter password: ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO) ... $ mysql -u root -h server_IP -p Enter password: ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO) $ mysql -u root -h server_IP -p Enter password: ERROR 2003 (HY000): Can't connect to MySQL server on 'server_IP' (111)

35. mysqld-auth (3) 35 Server Attacker $ sudo tail -f /var/log/fail2ban.log

    2017-02-11 18:07:17,257 fail2ban.actions: WARNING [mysqld-auth] Ban attacker_IP $ sudo tail -f /var/log/mysql/error.log 170211 18:07:14 [Warning] Access denied for user 'root'@'attacker_IP' (using password: YES) ... 170211 18:07:16 [Warning] Access denied for user 'root'@'attacker_IP' (using password: YES)

36. mysqld-auth (4) 36 Server Attacker $ sudo fail2ban-client status mysqld-auth

    Status for the jail: mysqld-auth |- filter | |- File list: /var/log/mysql/error.log | |- Currently failed: 0 | `- Total failed: 43 `- action |- Currently banned: 1 | `- IP list: attacker_IP `- Total banned: 2

37. mysqld-auth (5) 37 Server Attacker

38. Outline ◎ Introduction ◎ Install ◎ Configure ◎ Individual Jail

    Settings ◎ Testing the Banning Policies ◎ How to Unblock IP 38

39. How to Unblock IP 39 $ sudo fail2ban-client set ssh

    unbanip attacker_IP

40. Thank You Q & A 40

41. References (1) ◎ Fail2ban ◦ http://www.fail2ban.org/wiki/index.php/Main_Page ◎ How To Protect

    SSH with Fail2Ban on Ubuntu 14.04 ◦ https://www.digitalocean.com/community/tutorials/how- to-protect-ssh-with-fail2ban-on-ubuntu-14-04 41

42. References (2) ◎ 《分享》Ubuntu安裝fail2ban ◦ http://www.shunze.info/forum/thread.php?threadid=188 9&boardid=3&sid=e1e02be23bf8adf2ba4bf92be652791 b ◎ CentOS安裝fail2ban記事

    ◦ http://blog.pulipuli.info/2011/07/centosfail2ban.html 42