attack | My notepad

Scratch pad with conf files to configure Fail2ban on Debian 9

This setup will configure Fail2ban to monitor SSH and keep track of the bad guys. Every time an IP gets banned, it will be stored in /etc/fail2ban/ip.blacklist .
This files gets processed every time Fail2ban restarts.
A cron will sanitise the file daily.

HOW TO

1) Create a custom action file: /etc/fail2ban/action.d/iptables-allports-CUSTOM.conf

# Fail2Ban configuration file

[INCLUDES]

before = iptables-common.confhttps://docs.google.com/document/d/1DjP5z7tvkaMWJMZXVAnMOCgfynfQNHvRkqJyxQdEB84/edit?usp=sharing


[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -j f2b-<name>
              # Persistent banning of IPs
              cat /etc/fail2ban/ip.blacklist | grep -v ^\s*#|awk '{print $1}' | while read IP; do <iptables> -I f2b-<name> 1 -s $IP -j DROP; done

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            # Persistent banning of IPs
            echo '<ip>' >> /etc/fail2ban/ip.blacklist

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]

# Fail2Ban configuration file

[INCLUDES]

before = iptables-common.confhttps://docs.google.com/document/d/1DjP5z7tvkaMWJMZXVAnMOCgfynfQNHvRkqJyxQdEB84/edit?usp=sharing

[Definition]

# Option: actionstart

# Notes.: command executed once at the start of Fail2Ban.

# Values: CMD

actionstart = <iptables> -N f2b-<name>

# Persistent banning of IPs

cat /etc/fail2ban/ip.blacklist | grep -v ^\s*#|awk '{print $1}' | while read IP; do <iptables> -I f2b-<name> 1 -s $IP -j DROP; done

# Option: actionstop

# Notes.: command executed once at the end of Fail2Ban

# Values: CMD

actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>

# Option: actioncheck

# Notes.: command executed once before each actionban command

# Values: CMD

actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option: actionban

# Notes.: command executed when banning an IP. Take care that the

# command is executed with Fail2Ban user rights.

# Tags: See jail.conf(5) man page

# Values: CMD

actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

# Persistent banning of IPs

echo '<ip>' >> /etc/fail2ban/ip.blacklist

# Option: actionunban

# Notes.: command executed when unbanning an IP. Take care that the

# command is executed with Fail2Ban user rights.

# Tags: See jail.conf(5) man page

# Values: CMD

actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]

2) Create /etc/fail2ban/jail.local

# Fail2Ban custom configuration file.


[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.1.0/24 192.168.2.0/24

# Ban forever => -1
#bantime=-1

# Ban 3 days => 259200
bantime = 259200 

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 30

banaction = iptables-allports-CUSTOM

[sshd]
enabled = true
filter = sshd
logfile = /var/log/auth.log
maxretry = 3

# Fail2Ban custom configuration file.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host

ignoreip = 127.0.0.1 192.168.1.0/24 192.168.2.0/24

# Ban forever => -1

#bantime=-1

# Ban 3 days => 259200

bantime = 259200

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.

findtime = 30

banaction = iptables-allports-CUSTOM

[sshd]

enabled = true

filter = sshd

logfile = /var/log/auth.log

maxretry = 3

3) Remove the default debian jail configuration (is integrated in the above custom jail.local file):

rm -f /etc/fail2ban/jail.d/defaults-debian.conf

1	rm -f /etc/fail2ban/jail.d/defaults-debian.conf

4) Set this cron:

# Daily rotate of ip.blacklist
0 20 * * * tail -100 /etc/fail2ban/ip.blacklist | sort | uniq > /tmp/ip.blacklist ; cat /tmp/ip.blacklist > /etc/fail2ban/ip.blacklist ; rm -f /tmp/ip.blacklist > /dev/null 2>&1

1 2	# Daily rotate of ip.blacklist 0 20 * * * tail -100 /etc/fail2ban/ip.blacklist \| sort \| uniq > /tmp/ip.blacklist ; cat /tmp/ip.blacklist > /etc/fail2ban/ip.blacklist ; rm -f /tmp/ip.blacklist > /dev/null 2>&1

5) Run the cron manually once, just to be sure all works AND to have an empty file

6) Restart Fail2ban … and good luck 😉

General notes about Fail2ban

### Fail2Ban ###

Best practise:
- do NOT edit /etc/fail2ban/jail.conf BUT create a new /etc/fail2ban/jail.local file

=============================================================
# Test fail2ban regex:
example: fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
example2: fail2ban-regex --print-all-matched/var/log/secure /etc/fail2ban/filter.d/sshd.conf

=============================================================
# Remove email notifications:

comment out 'sendmail-whois' from action in [ssh-iptables]
FYI, comment with # at the BEGINNING of the line like this or it won't work!!!

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
#           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5


=============================================================
# Wordpress wp-login - block POST attacks

/etc/fail2ban/jail.local

[apache-wp-login]
enabled = true
port = http,https
filter = apache-wp-login
logpath = /var/log/httpd/blog.tian.it-access.log
maxretry = 3
bantime = 604800 ; 1 week
findtime = 120

----------------------------------------------------------------------------------------------------------------------

/etc/fail2ban/filter.d/apache-wp-login.conf
[Definition]
failregex = <HOST>.*POST.*wp-login.php HTTP/1.1
ignoreregex =

=============================================================

# Manually ban an IP:
fail2ban-client -vvv set <CHAIN> banip <IP>

# Check status of sshd chain
fail2ban-client status sshd

### Fail2Ban ###

Best practise:

- do NOT edit /etc/fail2ban/jail.conf BUT create a new /etc/fail2ban/jail.local file

=============================================================

# Test fail2ban regex:

example: fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

example2: fail2ban-regex --print-all-matched/var/log/secure /etc/fail2ban/filter.d/sshd.conf

=============================================================

# Remove email notifications:

comment out 'sendmail-whois' from action in [ssh-iptables]

FYI, comment with # at the BEGINNING of the line like this or it won't work!!!

[ssh-iptables]

enabled = true

filter = sshd

action = iptables[name=SSH, port=ssh, protocol=tcp]

# sendmail-whois[name=SSH, dest=root, [email protected], sendername="Fail2Ban"]

logpath = /var/log/secure

maxretry = 5

=============================================================

# Wordpress wp-login - block POST attacks

/etc/fail2ban/jail.local

[apache-wp-login]

enabled = true

port = http,https

filter = apache-wp-login

logpath = /var/log/httpd/blog.tian.it-access.log

maxretry = 3

bantime = 604800 ; 1 week

findtime = 120

----------------------------------------------------------------------------------------------------------------------

/etc/fail2ban/filter.d/apache-wp-login.conf

[Definition]

failregex = <HOST>.*POST.*wp-login.php HTTP/1.1

ignoreregex =

=============================================================

# Manually ban an IP:

fail2ban-client -vvv set <CHAIN> banip <IP>

# Check status of sshd chain

fail2ban-client status sshd

How to “SSH” brute force

If you want to make safer your remote server, it is good practise to use a good combination of sshd setup and fail2ban.

Firstly, you should setup your server to allow only key auth, and no passwords. This will drastically reduce the risk. This means anyway that you need to keep your ssh key safe and you won’t be able to access your server unless you have this key. Most of the time is something possible 🙂

For this reason, I’m explaining here how I configured my server.

SSHD

/etc/ssh/sshd_config

Have these settings in the config file (NOTE: the verbosity is for Fail2ban)

LogLevel VERBOSE

PasswordAuthentication no

LogLevel VERBOSE

PasswordAuthentication no

(restart sshd)

/etc/fail2ban/jail.local

[DEFAULT]
# Ban hosts for 
# one hour:
#bantime = 3600

# one day:
bantime = 86400

# A host is banned if it has generated "maxretry" during the last "findtime"
# # seconds.
findtime  = 30

# # "maxretry" is the number of failures before a host get banned.
maxretry = 5

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true
filter = sshd-aggressive
port     = ssh
logpath  = /var/log/secure
maxretry = 3
findtime = 30
bantime  = 86400

[DEFAULT]

# Ban hosts for

# one hour:

#bantime = 3600

# one day:

bantime = 86400

# A host is banned if it has generated "maxretry" during the last "findtime"

# # seconds.

findtime = 30

# # "maxretry" is the number of failures before a host get banned.

maxretry = 5

# Override /etc/fail2ban/jail.d/00-firewalld.conf:

banaction = iptables-multiport

[sshd]

enabled = true

filter = sshd-aggressive

port = ssh

logpath = /var/log/secure

maxretry = 3

findtime = 30

bantime = 86400

/etc/fail2ban/filter.d/sshd.conf

Add a custom section after the ddos one:

custom = ^%(__prefix_line_sl)sDisconnected from <HOST> port [0-9]+ \[preauth\]$

1	custom = ^%(__prefix_line_sl)sDisconnected from <HOST> port [0-9]+ \[preauth\]$

This line matches whoever tries to connect without a proper ssh key.

Add this line to include custom to the sshd-aggressive setup:

aggressive = %(normal)s
             %(ddos)s
             %(custom)s

aggressive = %(normal)s

%(ddos)s

%(custom)s

My notepad

Chris' IT notes…

Tag Archives: attack

Fail2ban Debian 9

HOW TO

Fail2ban notes

General notes about Fail2ban

How to “SSH” brute force

SSHD

/etc/ssh/sshd_config

/etc/fail2ban/jail.local

/etc/fail2ban/filter.d/sshd.conf