https://trac.crin.org/trac/ticket/2 <p> The servers need only listen for HTTP, HTTPS and SSH traffic and brute force attacks on ssh accounts should be blocked using <a class="ext-link" href="https://packages.debian.org/jessie/fail2ban"><span class="icon">​</span>https://packages.debian.org/jessie/fail2ban</a> </p> en-us https://trac.crin.org/trac/chrome/site/logo.gif https://trac.crin.org/trac/ticket/2 Trac 1.0.2 chris Tue, 28 Apr 2015 13:41:10 GMT https://trac.crin.org/trac/ticket/2#comment:1 https://trac.crin.org/trac/ticket/2#comment:1 <ul> <li><strong>hours</strong> changed from <em>0</em> to <em>0.25</em> </li> <li><strong>totalhours</strong> set to <em>0.25</em> </li> </ul> <p> Install: </p> <pre class="wiki">aptitude install iptables-persistent fail2ban </pre><p> Create <tt>/etc/fail2ban/jail.local</tt> containing: </p> <pre class="wiki"># See http://www.pontikis.net/blog/fail2ban-install-config-debian-wheezy [DEFAULT] ignoreip = 127.0.0.1 93.95.228.179 bantime = 86400 #destemail = chris@webarchitects.co.uk banaction = iptables-multiport #action = %(action_mwl)s # JAILS [ssh] enabled = true maxretry = 3 </pre><p> Restart: </p> <pre class="wiki">service fail2ban restart </pre><p> Edit <tt>/etc/iptables/rules.v4</tt> which originally contained: </p> <pre class="wiki"># Generated by iptables-save v1.4.21 on Tue Apr 28 13:27:23 2015 *filter :INPUT ACCEPT [2:104] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [2:336] :fail2ban-ssh - [0:0] -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh -A fail2ban-ssh -j RETURN COMMIT # Completed on Tue Apr 28 13:27:23 2015 </pre><p> To config from existing servers: </p> <pre class="wiki"># Generated by iptables-save v1.4.21 on Tue Apr 28 13:27:23 2015 *filter :INPUT ACCEPT [2:104] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [2:336] :fail2ban-ssh - [0:0] -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh -A fail2ban-ssh -j RETURN # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT # Accepts all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allows all outbound traffic # You could modify this to only allow certain traffic -A OUTPUT -j ACCEPT # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT # Allows SSH connections # THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE #-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT # Allow ping -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # mysql allow 93.95.228.180 #-A INPUT -p tcp -d 93.95.228.180 --dport 3306 -j ACCEPT -A INPUT -p tcp -s 93.95.228.180 --dport 3306 -j ACCEPT -A INPUT -p tcp --dport 3306 -j DROP # log iptables denied calls (access via 'dmesg' command) -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy: -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT # Completed on Tue Apr 28 13:27:23 2015 </pre><p> Reload and check: </p> <pre class="wiki">iptables-restore &lt; /etc/iptables/rules.v4 iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh ACCEPT all -- anywhere anywhere REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT tcp -- crin2.crin.org anywhere tcp dpt:mysql DROP tcp -- anywhere anywhere tcp dpt:mysql LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: " REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere Chain fail2ban-ssh (1 references) target prot opt source destination RETURN all -- anywhere anywhere </pre><p> Disable IPv6 as we are not setting it up right now, add the following to <tt>/etc/sysctl.conf</tt>: </p> <pre class="wiki">net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 </pre><p> The above now needs doing for crin2. </p> Ticket chris Tue, 28 Apr 2015 13:48:53 GMT https://trac.crin.org/trac/ticket/2#comment:2 https://trac.crin.org/trac/ticket/2#comment:2 <ul> <li><strong>hours</strong> changed from <em>0</em> to <em>0.05</em> </li> <li><strong>totalhours</strong> changed from <em>0.25</em> to <em>0.3</em> </li> </ul> <pre class="wiki">aptitude install iptables-persistent fail2ban vi /etc/fail2ban/jail.local service fail2ban restart vi /etc/iptables/rules.v4 iptables-restore &lt; /etc/iptables/rules.v4 vi /etc/sysctl.conf </pre><p> The following was added to <tt>rules.v4</tt>: </p> <pre class="wiki"># https://wiki.debian.org/iptables # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT # Accepts all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allows all outbound traffic # You could modify this to only allow certain traffic -A OUTPUT -j ACCEPT # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT # Allows SSH connections # THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT # Allow ping -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # log iptables denied calls (access via 'dmesg' command) -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy: -A INPUT -j REJECT -A FORWARD -j REJECT </pre><p> Check the rules: </p> <pre class="wiki">iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh ACCEPT all -- anywhere anywhere REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT icmp -- anywhere anywhere icmp echo-request LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: " REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere Chain fail2ban-ssh (1 references) target prot opt source destination RETURN all -- anywhere anywhere </pre><p> That should do for now for this issue. </p> Ticket chris Tue, 28 Apr 2015 13:58:50 GMT https://trac.crin.org/trac/ticket/2#comment:3 https://trac.crin.org/trac/ticket/2#comment:3 <ul> <li><strong>hours</strong> changed from <em>0</em> to <em>0.1</em> </li> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> <li><strong>totalhours</strong> changed from <em>0.3</em> to <em>0.4</em> </li> </ul> <p> Just tested the ssh servers and I had to uncomment this for crin1: </p> <pre class="wiki">-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT </pre><p> Think this ticket can now be closed as resolved. </p> Ticket chris Thu, 18 Jun 2015 11:57:05 GMT https://trac.crin.org/trac/ticket/2#comment:4 https://trac.crin.org/trac/ticket/2#comment:4 <ul> <li><strong>cc</strong> <em>jenny</em> <em>gillian</em> added; <em>jonas</em> removed </li> </ul> <p> CCs changed. </p> Ticket