December 2014
Deny hacking attempts using fail2ban

As we know, iptables is the weapon of choice for most Linux admins nowadays to manage traffic and access in and out of their servers. Creating iptables chains and updating them by hand is old-fashioned and outdated now, so I use the APF firewall on most of the Linux servers that are not using the AWS cloud service.

AWS highlights

That is because Amazon provides a whitelist firewall, commonly called a “Security Group”, which is associated with each server launched. The term ‘whitelist firewall’ means it blocks all access by default, so we need to open a port explicitly to make it public. Nowadays AWS also supports managing “OUTBOUND” traffic, which is very helpful for controlling the traffic leaving your server. Suppose your system is hacked and the hacker opens a port to the public for his purposes: it won’t matter as long as you have a separate set of “OUTBOUND” rules declared in AWS. So this is a very good move by AWS.

Installing fail2ban on an Amazon EC2 server

[root@OR-Web04 ~]# yum install fail2ban
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.10-3.4.amzn1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==========================================================================
 Package        Arch         Version                Repository       Size
==========================================================================
Installing:
 fail2ban       noarch       0.8.10-3.4.amzn1       amzn-main       169 k
Transaction Summary
==========================================================================
Install  1 Package
Total size: 169 k
Installed size: 526 k
Is this ok [y/d/N]:

How do I configure fail2ban

The idea is simple. Fail2ban is a service daemon that uses iptables to block suspicious IPs for a while. The main configuration files are jail.conf and fail2ban.conf.

1. Main configuration file: /etc/fail2ban/fail2ban.conf
2. Master configuration file: /etc/fail2ban/jail.conf
3. Custom rules and filter files: /etc/fail2ban/filter.d/
4. Custom/predefined action files: /etc/fail2ban/action.d/

First you need to make fail2ban log to a file by updating the line “logtarget = /var/log/fail2ban.log” in the main configuration file. Don’t forget to create the empty log file.

[root@OR-Web01 ~]#vi /etc/fail2ban/fail2ban.conf
[root@OR-Web01 ~]#touch /var/log/fail2ban.log
[root@OR-Web01 ~]# cat  /etc/fail2ban/fail2ban.conf  | grep "logtarget"
# Option:  logtarget
#          If you change logtarget from the default value and you are
#logtarget = SYSLOG
logtarget = /var/log/fail2ban.log
[root@OR-Web01 ~]#

Most of the time you are supposed to work with the “jail.conf” file, where you drive the rules by enabling and disabling them based on your requirements.

Here is my scenario:

I want to block all invalid/failed login attempts to the area “administrator/index.php” using fail2ban features.

1. I need to create a rule and conditions that match my BAN criteria. Create a file (/etc/fail2ban/filter.d/or-adminlogin.conf) with the following lines under the “/etc/fail2ban/filter.d” folder.

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = apache-common.conf
# Fail2Ban configuration file
[Definition]
failregex = ^<HOST> .* "GET /administrator/index.php
ignoreregex =

2. Add the filter to your master configuration file and set the actions.

Edit the file “/etc/fail2ban/jail.conf” and add the following lines at the bottom of the file.

[or-adminlogin]
enabled = true
filter = or-adminlogin
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /home/domain.com/domain.com_access.log
bantime = 1200
maxretry = 3

Notes
filter : the filter name should match the filter file name (without the .conf extension).
action : this line creates a new chain “fail2ban-NoAuthFailures” in iptables and denies http and https access from the attacker’s IP.
logpath : the Apache/web server access log file to watch.
bantime : the time period, in seconds, for which the IP is blocked.
maxretry : the number of matching attempts allowed before a ban rule is created.
enabled : true activates your rule and false disables it easily.
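To see what this filter and jail will actually do before pointing them at a live log, here is an added example of my own (not part of the original post, and not fail2ban code) that replays constructed Apache access-log lines through the page’s failregex with the jail’s maxretry and bantime and the default findtime of 600 seconds shown in the log above. Because the regex matches every GET of administrator/index.php, it counts page loads rather than failed logins, so a legitimate admin who reloads the page three times inside the window is banned as well. The \S+ stand-in for <HOST> is an assumption; fail2ban substitutes its own host pattern.

```python
import re
from datetime import datetime, timedelta

# The page's failregex. fail2ban replaces <HOST> with its own host-matching
# pattern; the simple \S+ stand-in here is an assumption for this demo.
FAILREGEX = r'^<HOST> .* "GET /administrator/index.php'
FAIL_PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))

# Jail values from the page; findtime is the default reported in its log.
MAXRETRY, FINDTIME, BANTIME = 3, 600, 1200

# Apache access-log timestamp, e.g. [03/Dec/2014:03:42:04 +0000]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def parse_ts(line):
    m = TS_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S") if m else None


def bans_for(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines the way the jail would: a host is banned on its
    maxretry-th failregex hit inside a findtime window. Returns
    (host, ban_time, unban_time) tuples in ban order."""
    recent, banned, bans = {}, set(), []
    for line in lines:
        m = FAIL_PATTERN.match(line)
        ts = parse_ts(line)
        if not m or ts is None or m.group("host") in banned:
            continue
        host = m.group("host")
        # keep only earlier hits still inside the findtime window, then add this one
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            bans.append((host, ts, ts + timedelta(seconds=bantime)))
            banned.add(host)
    return bans


# Constructed sample access-log lines (not taken from the page's server).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Dec/2014:03:41:55 +0000] "GET /administrator/index.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [03/Dec/2014:03:41:58 +0000] "GET /administrator/index.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Dec/2014:03:42:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
    '10.0.0.5 - - [03/Dec/2014:03:42:04 +0000] "GET /administrator/index.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [03/Dec/2014:03:42:09 +0000] "GET /administrator/index.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [03/Dec/2014:03:42:10 +0000] "GET /administrator/index.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [03/Dec/2014:04:00:00 +0000] "GET /administrator/index.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [03/Dec/2014:04:00:05 +0000] "GET /administrator/index.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for host, t, until in bans_for(SAMPLE_LOG):
        print(f"Ban {host} at {t:%H:%M:%S}, unban at {until:%H:%M:%S}")
```

On the server itself, fail2ban-regex /home/domain.com/domain.com_access.log /etc/fail2ban/filter.d/or-adminlogin.conf runs the real filter over the real log and reports how many lines match, which is the check to run before enabling the jail.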

Now it’s your turn to restart the fail2ban service.

[root@OR-Web02 ~]# service fail2ban restart
Stopping fail2ban: [ OK ]
Starting fail2ban: [ OK ]
[root@OR-Web02 ~]#

Monitor the log file to see the activity:

[root@OR-Web02 ~]# tail -f /var/log/fail2ban.log
2014-12-03 03:41:53,448 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.10
2014-12-03 03:41:53,448 fail2ban.jail   : INFO   Creating new jail 'or-adminlogin'
2014-12-03 03:41:53,482 fail2ban.jail   : INFO   Jail 'or-adminlogin' uses pyinotify
2014-12-03 03:41:53,493 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
2014-12-03 03:41:53,494 fail2ban.filter : INFO   Added logfile = /home/domain.com/domain.com_access.log
2014-12-03 03:41:53,495 fail2ban.filter : INFO   Set maxRetry = 3
2014-12-03 03:41:53,496 fail2ban.filter : INFO   Set findtime = 600
2014-12-03 03:41:53,497 fail2ban.actions: INFO   Set banTime = 1200
2014-12-03 03:41:53,503 fail2ban.jail   : INFO   Jail 'or-adminlogin' started
2014-12-03 03:42:04,530 fail2ban.actions: WARNING [or-adminlogin] Ban 109.86.15.95


How do I test it?

List the iptables rules and find the fail2ban chain entries. It’s pretty clear how it’s working.

[root@OR-Web02 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-NoAuthFailures  tcp  --  anywhere             anywhere             multiport dports http,https
DROP       tcp  --  202.179.0.0/16       anywhere             tcp dpt:http
DROP       tcp  --  103.15.0.0/16        anywhere             tcp dpt:http
DROP       tcp  --  static.0.0.46.78.clients.your-server.de/16  anywhere             tcp dpt:http
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain fail2ban-NoAuthFailures (1 references)
target     prot opt source               destination
REJECT     all  --  95.15.86.109.triolan.net  anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
[root@OR-Web02 ~]#

If you want to mimic the condition, execute the script below from any other system; you will be blocked in the middle of its execution.

#vi /root/test_fail2ban.sh
#!/bin/bash
# Request the admin page 20 times; once the jail reaches maxretry,
# this host is banned and the remaining wget calls fail.
for i in {1..20}
do
    echo "Welcome $i times"
    cd /tmp/
    wget http://mydomain.com/administrator/index.php
done
