Araneo: DevOps & Automation

Securing CentOS 6.6 with fail2ban and Shorewall

5/5/2015

SSH servers are naturally exposed to the script kiddies on the Internet, unless you only allow connections over VPN tunnels. You shouldn't configure SSH to accept password authentication at all; allow only public-key authentication. That's a different blog post though.

Even with public-key authentication only, as long as you expose the SSH server to the Internet your secure log will fill up with brute-force attempts, to the degree that it can be almost impossible to identify real threats. To work around this you can use fail2ban, a Python-based program that parses your log files and dynamically alters your firewall rules, so that brute-force attackers are temporarily blacklisted.

If you, like me, are using the Shorewall firewall instead of iptables and such, on top of CentOS 6.5 or 6.6, you may have run into some problems with fail2ban, but there is an easy way around it.

As long as you have the EPEL repository installed, you can install fail2ban using yum:
# yum install fail2ban

CentOS 6.5/6.6 Modifications

The configuration files for fail2ban are found in /etc/fail2ban:
# cd /etc/fail2ban

Start by making a copy of "jail.conf" (as it may be overwritten by application updates) and name the copy "jail.local". The local file takes precedence over the conf file: it is read after jail.conf, so every setting in it overrides the same setting there.
# cp jail.conf jail.local

In jail.local, add this section above [ssh-iptables] (which stays disabled):

[ssh-shorewall]
enabled  = true
filter   = sshd_centos66
action   = shorewall
logpath  = /var/log/secure
maxretry = 3

This tells fail2ban:
  • enabled = true - this jail should be active
  • filter = sshd_centos66 - use this filter file (filter.d/sshd_centos66.conf) when parsing the log
  • action = shorewall - use this action (action.d/shorewall.conf) when the filter finds matches
  • logpath = /var/log/secure - parse this log file; it contains the failed SSH logins
  • maxretry = 3 - override the default of 5 attempts before a host is blocked

Next, we must create our modified filter. Go to the filter configuration folder:
# cd /etc/fail2ban/filter.d

Copy the existing sshd.conf to our modified sshd_centos66.conf, so the original stays untouched and we have a clean copy to fall back on:
# cp sshd.conf sshd_centos66.conf

Edit sshd_centos66.conf and add this to failregex, as a new line at the end of the list (continuation lines in failregex must be indented, like the existing ones):
^.*authentication failure;.*rhost=<HOST>

This matches the pam_unix "authentication failure" rows in /var/log/secure and picks out the attacker's host/IP from the rhost= field. Two things are worth checking before you rely on it. First, run fail2ban-regex against /var/log/secure and the new filter file and look at the hit count: a single password attempt normally writes both this pam_unix line and a "Failed password for ... from ..." line, and since the stock sshd patterns are still in the file, one attempt may count twice towards maxretry. Second, the pam_unix line only appears for password (or keyboard-interactive) attempts; if you have disabled password authentication as recommended above, sshd rejects the attempt before PAM is consulted, and failed key attempts show up as "Connection closed by ..." rows instead, which this pattern does not match. Time to restart fail2ban to make the changes take effect.
# service fail2ban restart

Sit back and wait, keeping an eye on the log file /var/log/fail2ban.log; sooner or later rows like these start to appear:
2015-05-05 19:53:25,806 fail2ban.actions: WARNING [ssh-shorewall] Ban 59.120.155.175
2015-05-05 19:53:25,885 fail2ban.actions: WARNING [ssh-shorewall] Ban 59.45.79.116
2015-05-05 19:55:12,190 fail2ban.actions: WARNING [ssh-shorewall] Ban 221.229.166.29
2015-05-05 20:03:25,911 fail2ban.actions: WARNING [ssh-shorewall] Unban 60.8.151.51

Tips and Tricks

You can change the defaults in jail.local if you want different blocking behaviour:
  • maxretry = 3
  • findtime = 600
  • bantime = 600
With the jail above this means that 3 failed attempts within 600 seconds (findtime) get you blacklisted for 600 seconds (bantime); findtime and bantime are the stock defaults, maxretry was lowered from 5. You can tweak these values after studying the attack patterns. SSH attacks usually arrive in the dozens per minute, so findtime can be much shorter. Whatever you pick, put your own management addresses in ignoreip in the [DEFAULT] section, so that a typo in your own password can't lock you out.
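To make the jail's behaviour concrete, here is an added Python example (written for this post, not part of the original and not fail2ban's own code) that models what the [ssh-shorewall] jail does: it expands <HOST> the way fail2ban does, applies the failregex from sshd_centos66.conf to a constructed /var/log/secure excerpt, counts hits per host inside findtime, and reports which hosts would be handed to the shorewall action and when. The log lines, hostname web01, PIDs and RFC 5737 test addresses are all made up; the year is assumed to be 2015 because syslog timestamps carry none; and FAILREGEX_SSHD_ONLY is my own tighter variant, not something the post suggests.

```python
# Added example: a small model of the [ssh-shorewall] jail's detection
# logic. Not fail2ban's code; sample log lines are constructed.
import re
from collections import defaultdict
from datetime import datetime

# fail2ban's own expansion of the <HOST> placeholder (IPv4 or hostname).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The line added to sshd_centos66.conf in the post, verbatim.
FAILREGEX = r"^.*authentication failure;.*rhost=<HOST>"

# Tighter variant (my suggestion, not from the post): only count failures
# logged by sshd's PAM stack, not by other PAM services sharing the file.
FAILREGEX_SSHD_ONLY = (r"^.*sshd\[\d+\]: pam_unix\(sshd:auth\): "
                       r"authentication failure;.*rhost=<HOST>")

# Classic syslog prefix: "May  5 19:52:01 web01 <message>"
SYSLOG_LINE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")

# Constructed excerpt. Line 2 is sshd's second message for the same
# attempt; line 6 is a local sudo failure with an empty rhost (never
# matches); lines 7-9 come from a PAM-using ftp daemon and are only
# caught by the broad pattern; 203.0.113.9 never gets 3 hits in 600 s.
SAMPLE_SECURE = """\
May  5 19:52:01 web01 sshd[2231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=root
May  5 19:52:04 web01 sshd[2231]: Failed password for root from 198.51.100.23 port 51522 ssh2
May  5 19:52:09 web01 sshd[2235]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=root
May  5 19:52:15 web01 sshd[2239]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=root
May  5 19:53:00 web01 sshd[2244]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=admin
May  5 19:53:30 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=johan uid=500 euid=0 tty=/dev/pts/0 ruser=johan rhost=  user=johan
May  5 19:54:10 web01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftpuser rhost=192.0.2.77
May  5 19:54:12 web01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftpuser rhost=192.0.2.77
May  5 19:54:14 web01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftpuser rhost=192.0.2.77
May  5 20:30:00 web01 sshd[2301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=admin
May  5 20:30:05 web01 sshd[2302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=admin
""".splitlines()


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def parse_line(line, year=2015):
    """Split a syslog line into (timestamp, message). Syslog carries no
    year, so one is assumed (fail2ban has to guess one too)."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    stamp = "%d %s %s %s" % (year, m["mon"], m["day"], m["time"])
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["msg"]


def find_bans(lines, failregex=FAILREGEX, maxretry=3, findtime=600, year=2015):
    """Replay the lines in order; return [(host, ban_time)] in ban order.
    A host is banned on the match that gives it maxretry matches inside
    the trailing findtime window. Lines from an already banned host are
    skipped; bantime/unban is not modelled."""
    rx = compile_failregex(failregex)
    recent = defaultdict(list)   # host -> match timestamps still in window
    bans, banned = [], set()
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, msg = parsed
        m = rx.search(msg)
        if m is None or m["host"] in banned:
            continue
        host = m["host"]
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
            bans.append((host, ts.isoformat(sep=" ")))
    return bans


def shorewall_commands(bans):
    """What the stock action.d/shorewall.conf runs per ban
    (actionban = shorewall drop <ip>; unban is shorewall allow <ip>)."""
    return ["shorewall drop %s" % host for host, _ in bans]
```

Run find_bans(SAMPLE_SECURE) and you get 198.51.100.23 banned at 19:52:15 and 192.0.2.77 at 19:54:14, while 203.0.113.9 escapes because its three hits are 37 minutes apart; pass findtime=3600 and it is banned too, which is the knob the previous paragraph is about. With FAILREGEX_SSHD_ONLY the ftp failures are no longer counted by the SSH jail, which is the price and the benefit of a pattern that does not start with "^.*".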

To check which IP-addresses that are currently blacklisted, use:
# shorewall show dynamic
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       60.8.151.51          0.0.0.0/0
    0     0 DROP       all  --  *      *       59.120.155.175       0.0.0.0/0
    0     0 DROP       all  --  *      *       59.45.79.116         0.0.0.0/0

Fail2ban can also be used to detect abusive behaviour against web servers; then you just parse the Apache log instead. There is an example in jail.conf that you can start from, and suitable filter patterns in the filter.d directory.

Happy blocking!

4 Quick Linux Command Line Tips

4/23/2015

Today's small blog post covers four handy tips that make your life on a Linux/bash terminal easier and faster!

Search your BASH History on-the-fly

One of the most time-saving features of bash is the "search bash history" shortcut Ctrl-r. Find a terminal and see what happens when you press it. The prompt will say "(reverse-i-search)". Type in the beginning of a command you have used recently that had some hard-to-remember extra parameters. This can be an scp command with that awkward flag for pointing out which key file to use for the connection, or just the path to a script deep in the file system which you edited the other day but can't remember where it's located.

Press Ctrl-r and type the first one or two letters of the command you are looking for, and it will find the last command executed by your user that matches. Type more letters to narrow the search further, or press Ctrl-r again to find the next older match.

If you are not already familiar with this, you will ask yourself very soon, how you managed to live without it!

Find and Kill a Background Job the Fast Way

You probably know how to put a process in the background by adding "&" after a command. Use the command "jobs" to list the processes you have put in the background; each one has its own unique job number. This number can be used to kill the process with "kill %<id>". See image below.
[Image: Find and kill background jobs.]

Show Last Exit Status

Scripts and programs in the Unix-styled world have a tendency not to send unnecessary (or even necessary) information back to the command line. However, the exit code of a program can tell you a lot about why it did not do what you expected. It is also very useful in scripts and automation to be able to branch on specific exit codes.

To check the exit code of the last executed program, use "echo $?". Example:

$ ./my_script.sh --option=invalidValue
$ echo $?
4

It's customary in the Unix world that 0 means "program executed successfully" and everything else means that the program failed in some way. Note that $? is replaced by the status of every command you run, including the echo itself, so in a script save it to a variable immediately after the command you care about.

Go to Last Directory

You know what it's like. You're deep in the file system, in some obscure configuration directory of an application, and just have to go to your home directory to check a config file. Then you need to find your way back, but was it /opt/app/version/config or /var/app/version/config, or...?

Just use the command "cd -" to go to the directory you were in last!

$ cd -
/var/www/demoapp/html/api

Virtual LAMP - Step 2: Install Linux CentOS

4/21/2015

This is the second part in an article covering Virtual LAMP Installation and Configuration.
"Linux CentOS" may seem like a bit of a redundant headline, but I wanted to stress the L in LAMP. 

Installing Linux is simple these days, you get instructions from a graphical installer with all the information and helpers that you may need. It's not like installing some odd Slackware 3.2 with a buggy 2.0 kernel (which happens to be the first Linux I at least tried to install). So let's start!

Step 1: Insert the CentOS Image

To get started, you need to "Insert the CD/DVD" into the virtual server. In this case the CD/DVD is an image file, which you downloaded earlier (see Step 1). 

Open up VirtualBox, right-click on your instance and select Settings (or click that nice-looking Settings icon).
[Image: Configure the Virtual Server]
Select the Storage option in the left menu, then click the Empty label in the "Controller: IDE" section, click the CD icon to the right, and finally click "Choose a virtual CD/DVD disk file...". Find your way to the downloaded CentOS 6.6 image file and select it.
[Image: Select the image file to use for installation]

Step 2: Boot the Image

Time to start the installation! Right-click the instance and select Start, or use the icon next to Settings.

Important! When you click inside the screen of a VirtualBox instance, your mouse pointer is captured by that environment. If the guest does not support mouse operation, you will have no mouse at all. To leave the VirtualBox capture and get the mouse pointer back, press the right Ctrl key (VirtualBox calls it the Host key)!

After you press Start, a new window appears and a boot loader shows some options. Click on the new window and use the up/down arrows to select an option. Also practise "releasing" the virtual instance with the right Ctrl key.

The default option is "Install or upgrade an existing system", which you should select, so press Enter. Next, odd-looking text flickers by for a few seconds, and you are met by a prompt asking whether to test the install media. Select Skip, unless you have reason to believe that your downloaded ISO file is broken. A better check is to verify the ISO's checksum against the one published on the CentOS mirror before you even boot it; that catches both a corrupted download and a tampered one.

From here on, you will have a nice graphical interface!

Step 3: Localization

You should now have a screen welcoming you to CentOS 6, and a Next button in the bottom-right corner. Click it! Continue to choose the installation language and your keyboard layout.

Step 4: Storage Settings

You will be asked whether you want Basic or Specialized Storage Devices. For a development setup you don't need to think about optimal I/O performance, so I suggest that you choose Basic Storage Devices. After clicking Next you get a warning that data could be lost, but since it's a virtualized server with a fresh disk image this is not an issue, so click "Yes, discard any data".
[Image: Virtualized file-disks, no "real" data can be lost]

Step 5: Host Name

The next screen asks for the server host name. To keep things simple, you can choose something similar to the name you gave the VirtualBox instance in Step 1. However, in Operations there are two major schools when it comes to server host names:
  • FQDN: The host name should be formed as a domain path, e.g. frontend-001.eu-1.prod.araneo.local
  • All-in-the-hostname: Everything goes into a stacked host name, e.g. ara-prodeu01fe001
This installation is for a development or test server, so it doesn't really matter, unless you have a specific policy in your company, then ask your Operations team!

Step 6: Time Zone

In the next step you will be shown a world map with incredibly hard-to-click dots. Try to find the city closest to you (which is in the same time zone!) and click Next.

Please note: We will configure the server to use UTC at a later stage.

Step 7: root password

This is the master password, the key that unlocks all the doors, and so on. But don't stress about finding the strongest password you can imagine, as this server probably won't accept SSH connections from the Internet.

However, if you know that the server will have a public IP address and for some reason needs to accept SSH connections over the public Internet, and you for some insane reason need to accept external root logins, then you should select a crazy-strong password here (and know that the sane fix is PermitRootLogin no in sshd_config plus key-only logins for a normal user). Then use the time until your first DDoS/brute-force attack to figure out a better IT strategy.

Step 8: Storage Settings, again

At this point you get the rather scary question of what to do with any existing data, and how to structure the space. But as this is a virtualized server using a file disk image, there is no data to lose, so just go for the most aggressive alternative, "Use All Space"! After pressing Next you get another confirmation request, but remember that you're not making changes to your host system, just to those hard drive files created earlier, so click "Write changes to disk".

Step 9: Installation

Now the installation has started. Sit back and relax, or go get some more coffee. In this step you don't have to do anything. After about four or five sips of coffee the installation will be done, and you will be prompted to Reboot.

This takes you to the next chapter of the article: Step 3: Configure the Server.

Virtual LAMP - Step 1: Install a Virtual Server

4/21/2015

This is the first part in an article covering Virtual LAMP Installation and Configuration.

There is a reason why the L in LAMP is the first letter, and not only because it makes the acronym more readable: before you can do anything else, you need a Linux installation. You might install it on bare metal, but in this case we're going for a virtual server using Oracle VM VirtualBox. It's virtualization software suitable for test and development environments on your local PC, not for production systems, where you might use VMware or KVM instead (backed by a proper storage solution).

Secondly, you need to select which Linux distribution to use, and that's a heated debate I'm not even going to get into. This guide will show you how to install CentOS 6.6, since that's what I use in my projects and work with professionally. You want Debian or a stage 1 installation of Gentoo? Go nuts!

Step 1: Get the Virtualization Software
Visit the Oracle VM VirtualBox homepage and download a suitable version for you. When installing the software, make sure that you don't deselect any options on the "Custom setup" page. During the installation you may be prompted about installing new USB device software, which I recommend you accept, as it's quite useful later on. The same goes when you're prompted to install a network device, service and adapter, as it's good to have network access when creating web applications!

It's good to know that this guide is built on version 4.3.26 on Windows 7. If you are on another version or operating system, I hope that you find the instructions somewhat familiar, at least.

Step 2: Get a CentOS Image
Visit the CentOS download page and look for 6.6, or go directly to the 64-bit x86 download page. At the time of writing it's the latest version of release 6, but if you read this later on you might find it under "Archived Versions". Find a mirror in a country or location close to you and follow the link.

We're installing a server with specific features, so we don't need the full-feature installation. Instead we're going for the minimal installation, so the file you are looking for is named "CentOS-6.6-x86_64-minimal.iso". It's roughly 380 MB. Download it and remember where you put it.

Step 3: Create a Virtual Machine
So now that we have installed the virtualization software and have the Linux image, let's create a virtual machine! Start VirtualBox and familiarize yourself with the interface.

The first thing to do is to click the "New" icon. This spawns a window asking for the name of your new virtual server. This name will not be used by the actual virtual server; it's just an identifier within VirtualBox. It's not uncommon in the Linux world to name your servers after a specific theme, maybe characters in a movie or Greek mythology, but anything will do. Select "Linux" as Type and "Red Hat (64 bit)" as Version (given that you are using the 64-bit version of CentOS from Step 2). Click Next.

[Image: Greek mythology server name is a 90's classic]
Step 4: Configure Memory
On the next page you will be given an option of how much RAM (memory) to allocate for the server. The amount is decided by how much your computer has, and what operations you are going to perform and how many servers you plan to run in parallel. For a LAMP-stack, try to keep it above 512 MB; 1-2 GB is usually sufficient to develop and test Web Service applications. The memory is of course only consumed when you have the server running.
[Image: 1 GB of memory can host our applications]
Step 5: Configure Hard Drive
After clicking Next, you will be given an option on how to setup the Hard Drive.
The default value of 8 GB is usually sufficient, but if you know that your application will consume more, increase it as you please. I will assume that you don't have an old virtual server that you want to re-use, and that your applications actually require a hard drive, so select the option "Create a virtual hard drive now" and click Next once again.

A new window appears, asking which file type to use. Unless you have specific performance or data-interchange requirements, select the default value "VDI (VirtualBox Disk Image)". The I/O performance of this storage is probably not what you should choose for your production system, but it's good enough for a development environment! Click Next again.

The next selection is a fixed versus dynamically sized hard drive. If you can spare the 8 GB (or whatever size you chose in the previous step), go for Fixed size, as it's somewhat faster. If you're low on disk or plan to have many virtual instances on your computer, go for Dynamically allocated. Click Next.

The last hard drive option is confirming the size of the virtual hard drive and the location to store it. Do not store it on a network drive! This is an incredibly bad idea, unless you have a very nice SAS/SSD Fibre Channel or iSCSI setup available. Store it on the fastest hard drive you've got; go for SSD if you have it! Give the hard drive a name and click Next; the virtual hard drive will now be created, which can take a minute or so.
[Image: Fixed size is preferred if you have the space]

Now the Virtual Server has been created!

Continue reading in Part 2, where we will install CentOS 6.6.

List files of a Certain Size

4/21/2015

Just a short tech-tip today. I needed to list all the files with the size 64 bytes in a directory. This is because the size of a specific GPG-encrypted text string always ended up this size.

$ find . -size 64c -ls
  3018    4 -r--r-----   1 johan    johan         64 Apr 21  2015 20150421-data.gpg

The "c" suffix matters: it makes find compare the exact size in bytes. Without a suffix, "-size 64" means 64 blocks of 512 bytes (rounded up), so it would list files between 32257 and 32768 bytes instead.

Very handy, and a new feature of find, for me.


    Author

    Hi, I'm Johan, I've been working as a consultant and entrepreneur in the IT-sector since 1999.

    I blog about ideas, tricks and tech tips from my daily work life as solution architect.


(cc) Araneo 1999-2016
