Fail2ban intro

Samina (Shan Jung Fu)

April 18, 2018
Transcript

  1. System Security for Beginners on Linux OS
     2017/02/12, Hsinchu, DigitalOcean Hsinchu
     Presenter: Samina
  2. ◎ National Chiao Tung University, Taiwan
       ◦ Wireless Internet Laboratory
       ◦ Department of Computer Science
       ◦ Information Technology Service Center, Network & System Engineer
     ◎ Familiar with Python, MySQL, Git, Linux
     ◎ You can find me at: https://www.worldplay.com.tw
       Twitter & GitHub: @sufuf3
       Monisan
  4. What is a brute-force attack?
     ◎ A brute-force attack uses a large volume of requests/responses to break into a system.
     ◎ The attacker tries many methods to guess the response to a challenge or a request.
  5. Outline
     ◎ Introduction
     ◎ Install
     ◎ Configure
     ◎ Individual Jail Settings
     ◎ Testing the Banning Policies
     ◎ How to Unblock IP
  7. Introduction
     ◎ Scans log files and bans IPs that show malicious signs -- too many password failures, searching for exploits, etc.
     ◎ Generally Fail2Ban is used to update firewall rules to reject those IP addresses for a specified amount of time.
     ◎ Able to reduce the rate of incorrect authentication attempts.
  9. Install (2)
     $ sudo service fail2ban status
      * Status of authentication failure monitor
      * fail2ban is running
     $ sudo fail2ban-client status
     Status
     |- Number of jail:      1
     `- Jail list:           ssh
  11. Configure (1)
     ◎ The configuration files directory
       ◦ /etc/fail2ban
     $ ls -al
     total 56
     drwxr-xr-x  6 root root  4096 Feb 11 18:15 .
     drwxr-xr-x 99 root root  4096 Feb  7 08:35 ..
     drwxr-xr-x  2 root root  4096 Feb  7 08:35 action.d
     -rw-r--r--  1 root root  1525 Nov 13  2013 fail2ban.conf
     drwxr-xr-x  2 root root  4096 Nov 18  2013 fail2ban.d
     drwxr-xr-x  2 root root  4096 Feb 11 18:08 filter.d
     -rw-r--r--  1 root root 11937 Feb 10 20:32 jail.conf
     drwxr-xr-x  2 root root  4096 Nov 18  2013 jail.d
  12. Configure (3) - jail.conf (1)
     ◎ Because jail.conf may be modified by package upgrades, copy it to jail.local so that our changes can be made safely.
     [diagram: jail.conf (default options) --Copy--> jail.local (the options you wish to override)]
  13. Configure (4) - jail.conf (2)
     ◎ jail.conf
       ◦ Type the following:
         awk '{ printf "# "; print; }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local
       ◦ Every line is written out commented, so jail.local starts as a reference copy and only the lines you uncomment and edit override jail.conf.
  14. Configure (5) - jail.conf (3)
     • sudo vim /etc/fail2ban/jail.conf
     • [DEFAULT]
       ◦ ignoreip
         ▪ add additional addresses that fail2ban ignores, separated by a space.
       ◦ bantime
         ▪ sets the length of time (in seconds) that a client will be banned after failing to authenticate correctly.
  15. Configure (6) - jail.conf (4)
     • sudo vim /etc/fail2ban/jail.conf
     • [DEFAULT]
       ◦ findtime - the window of time (in seconds) within which a client's failed attempts are counted.
       ◦ maxretry - how many times a client may fail within findtime before it is banned.
  16. Configure (7) - jail.conf (5)
     • sudo vim /etc/fail2ban/jail.conf
     • [DEFAULT]
     • If you want to receive the alerts by email:
       ◦ destemail - the email address of the recipient who should receive ban messages.
       ◦ sendername - the value of the "From" field in the email.
       ◦ mta - the mail service.
       ◦ action - there are three choices:
         action_    ban
         action_mw  ban & send an e-mail with a whois report
         action_mwl ban & send an e-mail with a whois report and relevant log lines
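The [DEFAULT] options above (ignoreip, findtime, maxretry, bantime) are easiest to understand on concrete input. The following Python script is an added example, not code from the deck or from Fail2ban itself: it reads a jail.local-style fragment (constructed inline, with [ssh] overriding only maxretry) using configparser, then replays constructed auth.log lines through a simplified sliding-window counter that approximates Fail2ban's counting. The addresses are RFC 5737 documentation addresses, the year 2017 is assumed because syslog timestamps carry none, and the regex is a cut-down version of the "Failed password" pattern in filter.d/sshd.conf.

```python
"""Replay of Fail2ban's ignoreip / findtime / maxretry / bantime semantics.

Added example: not code from the deck or from Fail2ban. The sliding-window
counter below is a simplification of how Fail2ban counts failures.
"""
import configparser
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.local fragment. [ssh] overrides only maxretry; the rest
# is inherited from [DEFAULT], which is how configparser's DEFAULT section works.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 192.0.2.10
bantime  = 600
findtime = 600
maxretry = 6

[ssh]
enabled  = true
maxretry = 3
"""

# Constructed auth.log lines (RFC 5737 documentation addresses, not real hosts).
AUTH_LOG = """\
Feb 10 20:05:01 server sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Feb 10 20:05:04 server sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Feb 10 20:05:09 server sshd[2002]: Failed password for root from 192.0.2.10 port 40002 ssh2
Feb 10 20:05:10 server sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Feb 10 20:05:12 server sshd[2003]: Accepted password for alice from 203.0.113.5 port 40003 ssh2
Feb 10 20:30:00 server sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Feb 10 20:41:00 server sshd[2005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Feb 10 20:52:00 server sshd[2006]: Failed password for root from 203.0.113.5 port 40006 ssh2
"""

# Simplified version of the "Failed password" pattern in filter.d/sshd.conf.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2017  # assumption: syslog timestamps carry no year


def load_jail(config_text, jail):
    """Return the effective options for one jail, DEFAULT values included."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    sec = cp[jail]
    return {
        "ignoreip": [ipaddress.ip_network(n, strict=False)
                     for n in sec["ignoreip"].split()],
        "bantime": timedelta(seconds=int(sec["bantime"])),
        "findtime": timedelta(seconds=int(sec["findtime"])),
        "maxretry": int(sec["maxretry"]),
    }


def parse_ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def is_ignored(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def replay(log_text, jail):
    """Return ([(ip, ban_time)], {ip: ban_expiry}) for the given jail options."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    banned_until = {}             # ip -> when the firewall rule would be removed
    bans = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                      # not a failure the filter matches
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if is_ignored(ip, jail["ignoreip"]):
            continue                      # ignoreip: never counted, never banned
        if ip in banned_until and ts < banned_until[ip]:
            continue                      # still banned: the firewall drops it anyway
        window = recent[ip]
        window.append(ts)
        while window and window[0] < ts - jail["findtime"]:
            window.popleft()              # forget failures older than findtime
        if len(window) >= jail["maxretry"]:
            banned_until[ip] = ts + jail["bantime"]
            bans.append((ip, ts))
            window.clear()
    return bans, banned_until


def is_banned(banned_until, ip, at):
    return ip in banned_until and at < banned_until[ip]


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL, "ssh")
    bans, expiry = replay(AUTH_LOG, jail)
    for ip, ts in bans:
        print(f"[ssh] Ban {ip} at {ts} until {expiry[ip]}")
```

Running it bans 198.51.100.7 at the third failure inside 600 seconds and leaves 192.0.2.10 (listed in ignoreip) untouched; 203.0.113.5 fails three times too, but eleven minutes apart, so no findtime window ever holds maxretry failures. That last case is the caveat to remember when tuning findtime: a slow, patient guesser stays below the threshold, so the log still needs to be watched.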
  18. Individual Jail Settings (1)
     ◎ If you want to enable a jail:
       ◦ uncomment the header of its section
       ◦ change the enabled line to "true"
  19. Individual Jail Settings (2)
     ◎ You can see what kinds of filters are available by looking in the directory:
       ◦ /etc/fail2ban/filter.d
     $ ls /etc/fail2ban/filter.d/
  20. Remember: if you modify any configuration, you need to restart the fail2ban service.
     $ sudo service fail2ban restart
  22. SSH (2)
     Attacker:
     $ ssh username@server_IP
     The authenticity of host 'server_IP (server_IP)' can't be established.
     ECDSA key fingerprint is SHA256:DpIDl7AZU........yUMzXq+0lvPGHo2GA.
     Are you sure you want to continue connecting (yes/no)? yes
     Warning: Permanently added 'server_IP' (ECDSA) to the list of known hosts.
     username@server_IP's password:
     Permission denied, please try again.
     username@server_IP's password:
     Permission denied, please try again.
     username@server_IP's password:
     Permission denied (publickey,password).
     $ ssh username@server_IP
     username@server_IP's password:
     Permission denied, please try again.
     username@server_IP's password:
  23. SSH (3)
     Server:
     $ sudo tail -f /var/log/fail2ban.log
     2017-02-10 20:03:11,437 fail2ban.server : INFO    Exiting Fail2ban
     2017-02-10 20:03:12,166 fail2ban.server : INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
     2017-02-10 20:03:12,167 fail2ban.jail   : INFO    Creating new jail 'ssh'
     2017-02-10 20:03:12,203 fail2ban.jail   : INFO    Jail 'ssh' uses pyinotify
     2017-02-10 20:03:12,239 fail2ban.jail   : INFO    Initiated 'pyinotify' backend
     2017-02-10 20:03:12,241 fail2ban.filter : INFO    Added logfile = /var/log/auth.log
     2017-02-10 20:03:12,243 fail2ban.filter : INFO    Set maxRetry = 6
     2017-02-10 20:03:12,245 fail2ban.filter : INFO    Set findtime = 600
     2017-02-10 20:03:12,246 fail2ban.actions: INFO    Set banTime = 600
     2017-02-10 20:03:12,319 fail2ban.jail   : INFO    Jail 'ssh' started
     2017-02-10 20:06:28,496 fail2ban.actions: WARNING [ssh] Ban attacker_IP
  24. SSH (4)
     Server:
     $ sudo fail2ban-client status ssh
     Status for the jail: ssh
     |- filter
     |  |- File list:        /var/log/auth.log
     |  |- Currently failed: 1
     |  `- Total failed:     16
     `- action
        |- Currently banned: 2
        |  `- IP list:       14.189.180.193 attacker_IP
        `- Total banned:     2
  25. mysqld-auth (2)
     Attacker:
     $ mysql -u root -h server_IP -p
     Enter password:
     ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)
     $ mysql -u root -h server_IP -p
     Enter password:
     ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)
     $ mysql -u root -h server_IP -p
     Enter password:
     ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)
     ...
     $ mysql -u root -h server_IP -p
     Enter password:
     ERROR 1045 (28000): Access denied for user 'root'@'attacker_IP' (using password: NO)
     $ mysql -u root -h server_IP -p
     Enter password:
     ERROR 2003 (HY000): Can't connect to MySQL server on 'server_IP' (111)
  26. mysqld-auth (3)
     Server:
     $ sudo tail -f /var/log/fail2ban.log
     2017-02-11 18:07:17,257 fail2ban.actions: WARNING [mysqld-auth] Ban attacker_IP
     $ sudo tail -f /var/log/mysql/error.log
     170211 18:07:14 [Warning] Access denied for user 'root'@'attacker_IP' (using password: YES)
     ...
     170211 18:07:16 [Warning] Access denied for user 'root'@'attacker_IP' (using password: YES)
  27. mysqld-auth (4)
     Server:
     $ sudo fail2ban-client status mysqld-auth
     Status for the jail: mysqld-auth
     |- filter
     |  |- File list:        /var/log/mysql/error.log
     |  |- Currently failed: 0
     |  `- Total failed:     43
     `- action
        |- Currently banned: 1
        |  `- IP list:       attacker_IP
        `- Total banned:     2
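Both tests above (the ssh jail on slide 23 and the mysqld-auth jail on slide 26) are verified by reading /var/log/fail2ban.log by hand. The following Python script is an added example, not code from the deck or from Fail2ban, that turns those Ban/Unban lines into the summary a defender wants after a test: bans per jail, which IPs are currently banned, how long each completed ban lasted, and which IPs come back across jails. The sample log is constructed in the Fail2ban 0.8.x format shown on the slides, with RFC 5737 documentation addresses in place of the deck's attacker_IP.

```python
"""Summarise Ban/Unban events from fail2ban.log.

Added example, not code from the deck or from Fail2ban. Sample lines are
constructed in the 0.8.x log format shown on the slides.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed fail2ban.log excerpt: two jails, one IP banned three times.
FAIL2BAN_LOG = """\
2017-02-10 20:03:12,319 fail2ban.jail   : INFO    Jail 'ssh' started
2017-02-10 20:06:28,496 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2017-02-10 20:09:40,002 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
2017-02-10 20:16:28,611 fail2ban.actions: WARNING [ssh] Unban 198.51.100.7
2017-02-11 18:07:17,257 fail2ban.actions: WARNING [mysqld-auth] Ban 198.51.100.7
2017-02-11 18:17:17,300 fail2ban.actions: WARNING [mysqld-auth] Unban 198.51.100.7
2017-02-11 18:20:00,000 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
"""

# Matches only the fail2ban.actions lines that record a Ban or Unban.
ACTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s*: "
    r"\w+ +\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$"
)


def parse_actions(log_text):
    """Yield (timestamp, jail, action, ip) for every Ban/Unban line."""
    for line in log_text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["jail"], m["action"], m["ip"])


def summarise(log_text):
    """Return per-jail ban counts, currently banned IPs, ban durations and repeat offenders."""
    ban_count = defaultdict(int)   # jail -> number of Ban lines
    active = defaultdict(set)      # jail -> IPs banned and not yet unbanned
    per_ip = defaultdict(int)      # ip -> bans across all jails
    durations = []                 # (jail, ip, seconds) for each completed ban
    started = {}                   # (jail, ip) -> timestamp of the open ban
    for ts, jail, action, ip in parse_actions(log_text):
        if action == "Ban":
            ban_count[jail] += 1
            per_ip[ip] += 1
            active[jail].add(ip)
            started[(jail, ip)] = ts
        else:
            active[jail].discard(ip)
            if (jail, ip) in started:
                begun = started.pop((jail, ip))
                durations.append((jail, ip, int((ts - begun).total_seconds())))
    return {
        "bans": dict(ban_count),
        "active": {jail: sorted(ips) for jail, ips in active.items()},
        "durations": durations,
        "repeat_offenders": sorted(ip for ip, n in per_ip.items() if n > 1),
    }


if __name__ == "__main__":
    summary = summarise(FAIL2BAN_LOG)
    for jail, count in summary["bans"].items():
        print(f"{jail}: {count} bans, currently banned: {summary['active'][jail]}")
    for jail, ip, seconds in summary["durations"]:
        print(f"{jail}: {ip} was banned for {seconds}s")
    print("repeat offenders:", summary["repeat_offenders"])
```

The completed-ban durations are the quickest way to confirm that bantime in jail.local is really in effect (both come out at 600 seconds here, matching the "Set banTime = 600" line on slide 23), and the repeat-offender list is the signal that a ban of ten minutes is only slowing an address down rather than keeping it out.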
  29. References (1)
     ◎ Fail2ban
       ◦ http://www.fail2ban.org/wiki/index.php/Main_Page
     ◎ How To Protect SSH with Fail2Ban on Ubuntu 14.04
       ◦ https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04