adventures into the land of the command line

fail2ban

i was looking for some extra ssh security to provide some brute force protection or deterrence. if you have a look at /var/log/secure and you see stuff like this

Mar 27 10:21:52 cent1gbfra04 sshd[9511]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.3.202.113  user=root
Mar 27 10:21:54 cent1gbfra04 sshd[9511]: Failed password for root from 183.3.202.113 port 22009 ssh2
Mar 27 10:21:56 cent1gbfra04 sshd[9511]: Failed password for root from 183.3.202.113 port 22009 ssh2
Mar 27 10:21:58 cent1gbfra04 sshd[9512]: Disconnecting: Too many authentication failures for root
Mar 27 10:21:58 cent1gbfra04 sshd[9511]: Failed password for root from 183.3.202.113 port 22009 ssh2
Mar 27 10:21:58 cent1gbfra04 sshd[9511]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.3.202.113  user=root
Mar 27 10:22:09 cent1gbfra04 sshd[9514]: Received disconnect from 183.3.202.113: 11:
Mar 27 10:22:12 cent1gbfra04 sshd[9515]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.3.202.113  user=root
Mar 27 10:22:13 cent1gbfra04 sshd[9515]: Failed password for root from 183.3.202.113 port 62324 ssh2
Mar 27 10:22:16 cent1gbfra04 sshd[9515]: Failed password for root from 183.3.202.113 port 62324 ssh2
Mar 27 10:22:18 cent1gbfra04 sshd[9516]: Disconnecting: Too many authentication failures for root
Mar 27 10:22:18 cent1gbfra04 sshd[9515]: Failed password for root from 183.3.202.113 port 62324 ssh2
Mar 27 10:22:18 cent1gbfra04 sshd[9515]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.3.202.113  user=root
Mar 27 10:22:34 cent1gbfra04 sshd[9668]: Invalid user oracle from 121.156.116.213
Mar 27 10:22:34 cent1gbfra04 sshd[9669]: input_userauth_request: invalid user oracle
Mar 27 10:22:34 cent1gbfra04 sshd[9668]: pam_unix(sshd:auth): check pass; user unknown
Mar 27 10:22:34 cent1gbfra04 sshd[9668]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.156.116.213
Mar 27 10:22:34 cent1gbfra04 sshd[9668]: pam_succeed_if(sshd:auth): error retrieving information about user oracle
Mar 27 10:22:36 cent1gbfra04 sshd[9668]: Failed password for invalid user oracle from 121.156.116.213 port 42223 ssh2
Mar 27 10:22:37 cent1gbfra04 sshd[9669]: Received disconnect from 121.156.116.213: 11: Bye Bye

probably means you’re getting brute forced :/ we can use fail2ban to automatically block ip addresses that break some rules we set

because fail2ban is not available from the default CentOS repositories, we should start by installing the EPEL repository package:

$ rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

then install fail2ban

$ yum install fail2ban

make a local copy of the config file and edit your copy

$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ vim /etc/fail2ban/jail.local

you can specify ips to ignore (ignoreip), the window of time in which failed attempts are counted (findtime), the max number of failed attempts within that window before banning (maxretry) and the length of time to ban for (bantime)

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 1800

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
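to see how those three settings interact before restarting the daemon, here is an added example (not from the original post and not fail2ban’s own code): a small awk re-implementation of the ignoreip / findtime / maxretry rules, run over a few constructed /var/log/secure lines. it only recognises sshd "Failed password" lines and a single ignoreip network, whereas fail2ban’s real sshd filter matches many more patterns; the sample log lines, hostname and addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original post or from fail2ban itself: replays
# the jail rules (ignoreip, findtime, maxretry) over constructed log lines so
# you can see which hosts the sshd jail would ban under a given setting.

# Constructed sample lines in the same shape as the /var/log/secure excerpt.
# 203.0.113.10: three failures in four seconds.
# 198.51.100.7: one stray failure, then three spaced a minute apart.
# 10.0.0.5:     three quick failures from the local network.
SAMPLE_LOG='Mar 27 10:21:54 host1 sshd[9511]: Failed password for root from 203.0.113.10 port 22009 ssh2
Mar 27 10:21:56 host1 sshd[9511]: Failed password for root from 203.0.113.10 port 22009 ssh2
Mar 27 10:21:58 host1 sshd[9511]: Failed password for root from 203.0.113.10 port 22009 ssh2
Mar 27 10:22:36 host1 sshd[9668]: Failed password for invalid user oracle from 198.51.100.7 port 42223 ssh2
Mar 27 10:30:00 host1 sshd[9700]: Failed password for root from 10.0.0.5 port 50000 ssh2
Mar 27 10:30:01 host1 sshd[9700]: Failed password for root from 10.0.0.5 port 50000 ssh2
Mar 27 10:30:02 host1 sshd[9700]: Failed password for root from 10.0.0.5 port 50000 ssh2
Mar 27 11:10:00 host1 sshd[9800]: Failed password for root from 198.51.100.7 port 42300 ssh2
Mar 27 11:11:00 host1 sshd[9801]: Failed password for root from 198.51.100.7 port 42301 ssh2
Mar 27 11:12:00 host1 sshd[9802]: Failed password for root from 198.51.100.7 port 42302 ssh2'

# hosts_to_ban MAXRETRY FINDTIME IGNOREIP   (log on stdin)
# Prints, on one line in the order they would be banned, every source IP that
# reaches MAXRETRY failures inside a FINDTIME-second window and is not inside
# the IGNOREIP network (written as a.b.c.d/prefix).
hosts_to_ban() {
    awk -v maxretry="$1" -v findtime="$2" -v ignore="$3" '
    # dotted quad -> integer, so CIDR matching is plain arithmetic (portable awk, no and())
    function ip2int(ip,   o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # syslog "Mar 27 10:21:52" -> seconds; months are taken as 31 days, which is
    # exact for differences inside one month (findtime windows are far shorter)
    function ts(mn, d, hms,   t) { split(hms, t, ":"); return ((mon[mn]*31 + d)*24 + t[1])*3600 + t[2]*60 + t[3] }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        split(ignore, net, "/")
        shift = 32 - (net[2] == "" ? 32 : net[2] + 0)   # host bits to discard
        ignprefix = int(ip2int(net[1]) / 2^shift)
    }
    /sshd\[[0-9]+\]: Failed password for / {
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || (ip in banned)) next
        if (int(ip2int(ip) / 2^shift) == ignprefix) next     # covered by ignoreip
        now = ts($1, $2, $3)
        fails[ip, ++n[ip]] = now
        # count the failures of this host inside the last findtime seconds
        hits = 0
        for (i = 1; i <= n[ip]; i++) if (fails[ip, i] >= now - findtime) hits++
        if (hits >= maxretry) { banned[ip] = 1; out = out (out == "" ? "" : " ") ip }
    }
    END { print out }'
}

# Run the sample log through the rules with the given settings.
sample_bans() {
    printf '%s\n' "$SAMPLE_LOG" | hosts_to_ban "$@"
}

sample_bans 3 1800 10.0.0.0/8    # 203.0.113.10 198.51.100.7
sample_bans 3 60   10.0.0.0/8    # 203.0.113.10 (the spaced-out attempts never share a window)
sample_bans 3 1800 127.0.0.1/8   # 203.0.113.10 10.0.0.5 198.51.100.7
```

the third run is the one to look at before you copy the config: with ignoreip left at 127.0.0.1/8, the three quick failures from 10.0.0.5 get that address banned just like the others, so put the network you administer from into ignoreip, or a fat-fingered password will lock you out for bantime seconds.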

there are a bunch of other jail sections for different services. let’s add a jail for ssh that bans via iptables.

#
# JAILS
#

#
# SSH servers
#

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure
maxretry = 3

this will add iptables rules to block any ip that breaks our rules

start or restart fail2ban

$ /etc/init.d/fail2ban restart

you can see the rules that fail2ban puts into effect within iptables

$ iptables -L

Chain f2b-SSH (1 references)
target     prot opt source               destination         
REJECT     all  --  59.45.79.109         anywhere            reject-with icmp-port-unreachable
REJECT     all  --  58.218.211.11        anywhere            reject-with icmp-port-unreachable
REJECT     all  --  183.3.202.113        anywhere            reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere  

you may also like to add some memory optimisation to stop fail2ban using 150MB or more. i’ve seen some posts where people report ~1.6GB of memory utilisation.

you can reduce this by adding this in (it caps the stack size given to each thread fail2ban starts, which is where that memory goes)

ulimit -s 256

but where?

on centos, in here:

$ vim /etc/init.d/fail2ban

.
.
start() {
    echo -n $"Starting fail2ban: "
    ulimit -s 256
    ${FAIL2BAN} -x start > /dev/null
    RETVAL=$?
    if [ $RETVAL = 0 ]; then
        touch ${lockfile}
        echo_success
    else
        echo_failure
    fi
    echo
    return $RETVAL
}
.
.

or on a debian distro, at the bottom of this file:

$ vim /etc/default/fail2ban

.
.
.
ulimit -s 256
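to confirm the limit actually reaches the daemon after the restart, here is an added check (not from the original post): it reads the stack limit the kernel applies from /proc/<pid>/limits, so it is linux only. the pid file path in the last comment is an assumption; check the pidfile setting in /etc/fail2ban/fail2ban.conf or use pidof fail2ban-server instead.

```shell
# Added example, not from the original post: verify that "ulimit -s 256"
# is in effect for a process by reading /proc/<pid>/limits (Linux only).

# Soft stack limit, in bytes, of the process with the given pid
# ("self" gives the limit of the reader itself).
stack_limit_bytes() {
    awk '/^Max stack size/ { print $4 }' "/proc/$1/limits"
}

# Limit (in bytes) that a child process sees after "ulimit -s KB" is applied
# in a subshell, which is exactly what the edited init script does before it
# starts fail2ban-server. ulimit -s takes kilobytes, /proc reports bytes.
stack_limit_after_ulimit() {
    ( ulimit -s "$1" && stack_limit_bytes self )
}

stack_limit_after_ulimit 256     # 262144

# On the real box, once fail2ban has been restarted (pid file path assumed):
#   stack_limit_bytes "$(cat /var/run/fail2ban/fail2ban.pid)"
```

if the real daemon still reports 8388608 (the usual 8MB default), the ulimit line ended up after the start command or in a file the init script does not source.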