Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#2 closed task (fixed)

Set up firewall and fail2ban to stop brute force ssh attacks

Reported by: chris
Owned by: chris
Priority: major
Milestone: Install and configure crin1
Component: crin1
Version:
Keywords:
Cc: jenny, gillian
Estimated Number of Hours: 0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.4

Description

The servers need only listen for HTTP, HTTPS and SSH traffic, and brute-force attacks on SSH accounts should be blocked using https://packages.debian.org/jessie/fail2ban

Change History (4)

comment:1 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.25
  • Total Hours set to 0.25

Install:

aptitude install iptables-persistent fail2ban

Create /etc/fail2ban/jail.local containing:

# See http://www.pontikis.net/blog/fail2ban-install-config-debian-wheezy

[DEFAULT]
ignoreip  = 127.0.0.1 93.95.228.179
bantime   = 86400
#destemail = chris@webarchitects.co.uk  
banaction = iptables-multiport
#action    = %(action_mwl)s

# JAILS
[ssh]
enabled   = true
maxretry  = 3

Restart:

service fail2ban restart

Edit /etc/iptables/rules.v4 which originally contained:

# Generated by iptables-save v1.4.21 on Tue Apr 28 13:27:23 2015
*filter
:INPUT ACCEPT [2:104]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:336]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Tue Apr 28 13:27:23 2015

To the config from existing servers:

# Generated by iptables-save v1.4.21 on Tue Apr 28 13:27:23 2015
*filter
:INPUT ACCEPT [2:104]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:336]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections 
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# mysql allow 93.95.228.180 
#-A INPUT -p tcp -d 93.95.228.180 --dport 3306 -j ACCEPT
-A INPUT -p tcp -s 93.95.228.180 --dport 3306 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j DROP

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
# Completed on Tue Apr 28 13:27:23 2015

Reload and check:

iptables-restore < /etc/iptables/rules.v4
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     tcp  --  crin2.crin.org       anywhere             tcp dpt:mysql
DROP       tcp  --  anywhere             anywhere             tcp dpt:mysql
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Disable IPv6 as we are not setting it up right now, add the following to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

The above now needs doing for crin2.
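What the [ssh] jail in the jail.local above actually does with maxretry = 3, ignoreip and banaction = iptables-multiport, replayed in POSIX sh/awk over a few constructed auth.log lines. This is an added example, not part of the ticket or of fail2ban: it counts only "Failed password" entries, does not model fail2ban's findtime window, and the log lines (sources 198.51.100.7 and 203.0.113.9, plus the ignoreip host 93.95.228.179) are made up. fail2ban's real filter is /etc/fail2ban/filter.d/sshd.conf and matches more message forms.

```shell
#!/bin/sh
# Added example, not from the ticket: replay what the [ssh] jail does
# (maxretry = 3, ignoreip, banaction = iptables-multiport) over a few
# constructed auth.log lines, without fail2ban installed.

# Constructed sample log. 93.95.228.179 is the ignoreip host from jail.local.
SAMPLE_AUTH_LOG='Apr 28 13:30:01 crin1 sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Apr 28 13:30:03 crin1 sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Apr 28 13:30:05 crin1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Apr 28 13:30:09 crin1 sshd[2205]: Failed password for chris from 93.95.228.179 port 51002 ssh2
Apr 28 13:30:11 crin1 sshd[2205]: Failed password for chris from 93.95.228.179 port 51002 ssh2
Apr 28 13:30:12 crin1 sshd[2205]: Failed password for chris from 93.95.228.179 port 51002 ssh2
Apr 28 13:30:15 crin1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.9 port 33011 ssh2
Apr 28 13:30:20 crin1 sshd[2209]: Accepted publickey for chris from 93.95.228.179 port 51010 ssh2'

# offenders LOG MAXRETRY [IGNOREIP...]: print "IP count" for every source
# with at least MAXRETRY failures that is not in the ignore list (sorted).
offenders() {
    log="$1"; maxretry="$2"; shift 2
    printf '%s\n' "$log" |
    awk -v maxretry="$maxretry" -v ignore="$*" '
        BEGIN { n = split(ignore, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (!(ip in skip)) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= maxretry) print ip, fails[ip] }
    ' | sort
}

# ban_commands: read "IP count" lines on stdin and print, for each, the rule
# that the iptables-multiport action's actionban inserts into the jail chain.
ban_commands() {
    while read -r ip count; do
        echo "iptables -I fail2ban-ssh 1 -s $ip -j REJECT --reject-with icmp-port-unreachable"
    done
}
```

With the ignore list from jail.local, `offenders "$SAMPLE_AUTH_LOG" 3 127.0.0.1 93.95.228.179` reports only 198.51.100.7: the office address reaches maxretry but is skipped, and 203.0.113.9 has a single failure. On a real host, check the shipped filter against the live log with `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`, and see current bans with `fail2ban-client status ssh` or `iptables -L fail2ban-ssh -n`.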

comment:2 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.05
  • Total Hours changed from 0.25 to 0.3

aptitude install iptables-persistent fail2ban
vi /etc/fail2ban/jail.local 
service fail2ban restart
vi /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4
vi /etc/sysctl.conf

The following was added to rules.v4:

# https://wiki.debian.org/iptables

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections 
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

Check the rules:

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

That should do for now for this issue.

Last edited 3 years ago by chris

comment:3 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.1
  • Resolution set to fixed
  • Status changed from new to closed
  • Total Hours changed from 0.3 to 0.4

Just tested the ssh servers and I had to uncomment this for crin1:

-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

Think this ticket can now be closed as resolved.
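The lockout in this comment (the SSH ACCEPT left commented out in rules.v4 from comment 1 while the final `-A INPUT -j REJECT` was live) is easy to catch before loading the file. The following POSIX sh lint is an added example, not part of the ticket or of iptables-persistent: `lint_rules` checks a rules.v4 for an active SSH ACCEPT placed after the fail2ban-ssh hook and before the catch-all REJECT, plus the loopback rule and the fail2ban chain, and `write_sample` produces a constructed copy of the crin1 ruleset with the SSH line either active or commented out. It assumes sshd listens on tcp/22 unless another port is given.

```shell
#!/bin/sh
# Added example, not from the ticket: lint an iptables-persistent rules.v4
# before loading it, to catch the mistake fixed in comment 3 (SSH ACCEPT
# commented out while "-A INPUT -j REJECT" was live, so applying the file
# over ssh locks you out). Assumes sshd on tcp/22 unless $2 says otherwise.

# lint_rules FILE [SSHPORT]: print one line per problem, return 1 if any.
lint_rules() {
    file="$1"
    port="${2:-22}"
    rc=0

    # iptables-restore rejects a file without a table header and COMMIT
    grep -q '^\*filter' "$file" || { echo "missing *filter header"; rc=1; }
    grep -q '^COMMIT'   "$file" || { echo "missing COMMIT"; rc=1; }

    # local services talking over 127.0.0.1 break without the loopback rule
    grep -q '^-A INPUT -i lo -j ACCEPT' "$file" || { echo "loopback not accepted"; rc=1; }

    # fail2ban's chain must exist and be hooked into INPUT, or bans are no-ops
    grep -q '^:fail2ban-ssh ' "$file" || { echo "fail2ban-ssh chain not declared"; rc=1; }

    hook_ln=$(grep -n '^-A INPUT .*-j fail2ban-ssh' "$file" | head -n 1 | cut -d: -f1)
    reject_ln=$(grep -n '^-A INPUT -j REJECT' "$file" | head -n 1 | cut -d: -f1)
    # only an uncommented line counts: "#-A INPUT ..." does not match ^-A
    ssh_ln=$(grep -n "^-A INPUT .*--dport $port -j ACCEPT" "$file" | head -n 1 | cut -d: -f1)

    [ -n "$hook_ln" ]   || { echo "fail2ban-ssh not hooked into INPUT"; rc=1; }
    [ -n "$reject_ln" ] || { echo "no default-deny '-A INPUT -j REJECT'"; rc=1; }

    if [ -z "$ssh_ln" ]; then
        echo "no active ACCEPT for tcp/$port: loading this over ssh will lock you out"; rc=1
    else
        if [ -n "$reject_ln" ] && [ "$ssh_ln" -gt "$reject_ln" ]; then
            echo "ACCEPT for tcp/$port sits after the catch-all REJECT and never matches"; rc=1
        fi
        if [ -n "$hook_ln" ] && [ "$ssh_ln" -lt "$hook_ln" ]; then
            echo "ACCEPT for tcp/$port sits before the fail2ban-ssh hook, so bans are bypassed"; rc=1
        fi
    fi
    return "$rc"
}

# write_sample FILE yes|no: a constructed rules.v4 in the shape used on crin1,
# with the SSH ACCEPT active (yes) or commented out (no) as in comment 3.
write_sample() {
    if [ "$2" = yes ]; then
        ssh_line='-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT'
    else
        ssh_line='#-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT'
    fi
    cat >"$1" <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
$ssh_line
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}
```

On a real host run `lint_rules /etc/iptables/rules.v4` and then `iptables-restore --test < /etc/iptables/rules.v4` for a syntax check before loading; `iptables-apply -t 60 /etc/iptables/rules.v4` (shipped in Debian's iptables package) loads the file and rolls it back automatically unless you confirm within the timeout, which is the safe way to apply a ruleset over the very SSH session it could cut off. Note also that `iptables-restore` replaces the whole filter table, so the fail2ban-ssh chain comes back with only its RETURN rule and any bans fail2ban had inserted are gone until it bans them again.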

comment:4 Changed 3 years ago by chris

  • Cc jenny gillian added; jonas removed

CCs changed.
