#2 closed task (fixed)
Set up firewall and fail2ban to stop brute force ssh attacks
| Reported by: | chris | Owned by: | chris |
|---|---|---|---|
| Priority: | major | Milestone: | Install and configure crin1 |
| Component: | crin1 | Version: | |
| Keywords: | Cc: | jenny, gillian | |
| Estimated Number of Hours: | 0 | Add Hours to Ticket: | 0 |
| Billable?: | yes | Total Hours: | 0.4 |
Description
The servers need only listen for HTTP, HTTPS and SSH traffic and brute force attacks on ssh accounts should be blocked using https://packages.debian.org/jessie/fail2ban
Change History (4)
comment:1 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0 to 0.25
- Total Hours set to 0.25
comment:2 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0 to 0.05
- Total Hours changed from 0.25 to 0.3
aptitude install iptables-persistent fail2ban vi /etc/fail2ban/jail.local service fail2ban restart vi /etc/iptables/rules.v4 iptables-restore < /etc/iptables/rules.v4 vi /etc/sysctl.conf
The following was added to rules.v4:
# https://wiki.debian.org/iptables # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT # Accepts all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allows all outbound traffic # You could modify this to only allow certain traffic -A OUTPUT -j ACCEPT # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT # Allows SSH connections # THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT # Allow ping -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # log iptables denied calls (access via 'dmesg' command) -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy: -A INPUT -j REJECT -A FORWARD -j REJECT
Check the rules:
iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh ACCEPT all -- anywhere anywhere REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT icmp -- anywhere anywhere icmp echo-request LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: " REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere Chain fail2ban-ssh (1 references) target prot opt source destination RETURN all -- anywhere anywhere
That should do for now for this issue.
comment:3 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0 to 0.1
- Resolution set to fixed
- Status changed from new to closed
- Total Hours changed from 0.3 to 0.4
Just tested the ssh servers and I had to uncomment this for crin1:
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
Think this ticket can now be closed as resolved.
Note: See
TracTickets for help on using
tickets.
Install:
Create /etc/fail2ban/jail.local containing:
Restart:
Edit /etc/iptables/rules.v4 which originally contained:
To config from existing servers:
Reload and check:
Disable IPv6 as we are not setting it up right now, add the following to /etc/sysctl.conf:
The above now needs doing for crin2.