SSH servers are naturally exposed to the script-kiddies on the Internet, unless you only allow connections over VPN tunnels. You shouldn't configure SSH to allow password-based authentication; allow only certificate-based authentication. That's a different blog post though.
Even with certificate-based authentication only, as long as you expose the SSH server to the Internet, your secure log will fill up with brute-force attempts, to the degree that it can be almost impossible to identify real threats. To work around this, you can use fail2ban, a Python-based program that parses your log files and dynamically alters your firewall rules so that brute-force attackers are temporarily blacklisted.
If you, like me, are using the Shorewall firewall instead of plain iptables and such, on CentOS 6.5 or 6.6, you may have run into some problems with fail2ban, but there is an easy way around it.
As long as you have the EPEL repository installed, you can install fail2ban using yum:
# yum install fail2ban
CentOS 6.5/6.6 Modifications
The configuration files for fail2ban are found in /etc/fail2ban:
# cd /etc/fail2ban
Start by making a copy of "jail.conf" (as it may be overwritten by application updates), and name the copy "jail.local". The local file takes precedence over the conf file; that is, all settings added in jail.local are applied last and override those in jail.conf.
# cp jail.conf jail.local
In jail.local, add this section above the [ssh-iptables] section in the file:
[ssh-shorewall]
enabled = true
filter = sshd_centos66
action = shorewall
logpath = /var/log/secure
maxretry = 3
It tells the application to:
- enabled = true - This jail should be enabled
- filter = sshd_centos66 - Use this filter file when parsing the log file
- action = shorewall - Use this action when the filter finds matches
- logpath = /var/log/secure - Parse this log file; it contains all the failed SSH logins
- maxretry = 3 - Override the default of 5 attempts before getting blocked
Next, we must create our modified filter. Go to the filter configuration folder:
# cd /etc/fail2ban/filter.d
Copy the existing sshd.conf to a new sshd_centos66.conf, so the original stays untouched as a clean backup:
# cp sshd.conf sshd_centos66.conf
Edit sshd_centos66.conf and add this pattern as a new line at the end of failregex:
^.*authentication failure;.*rhost=<HOST>
This matches the corresponding lines in /var/log/secure and captures the host/IP of the attacker. Restart fail2ban to apply the changes:
# service fail2ban restart
Sit back and wait, and keep an eye on the log file /var/log/fail2ban.log. Sooner or later you'll see rows like these start to appear:
2015-05-05 19:53:25,806 fail2ban.actions: WARNING [ssh-shorewall] Ban 59.120.155.175
2015-05-05 19:53:25,885 fail2ban.actions: WARNING [ssh-shorewall] Ban 59.45.79.116
2015-05-05 19:55:12,190 fail2ban.actions: WARNING [ssh-shorewall] Ban 221.229.166.29
2015-05-05 20:03:25,911 fail2ban.actions: WARNING [ssh-shorewall] Unban 60.8.151.51
Tips and Tricks
You can change these defaults in jail.local if you want to alter the blocking behavior:
- maxretry = 3
- findtime = 600
- bantime = 600
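As an added example (not code from this post or from fail2ban itself), the following Python script models what the jail configured above does: it applies the failregex line from sshd_centos66.conf to constructed /var/log/secure lines, then applies the maxretry, findtime and bantime settings to decide when a host would be banned and later unbanned, the way the Ban/Unban rows in fail2ban.log report it. The <HOST> expansion, the assumed year for the syslog timestamps, the sample log lines and the IP addresses are all constructed for this example; real fail2ban uses a more elaborate host pattern and its own timers rather than log timestamps.

```python
"""Toy model of the [ssh-shorewall] jail: failregex over sample /var/log/secure
lines, then maxretry/findtime/bantime bookkeeping per host."""
import re
from datetime import datetime, timedelta

# Jail settings from the post: 3 failures within findtime (600 s) -> banned for bantime (600 s).
MAXRETRY = 3
FINDTIME = 600
BANTIME = 600

# The failregex line added to sshd_centos66.conf. fail2ban expands <HOST> into its own
# host-capturing group; HOST_GROUP below is a simplified stand-in (an assumption).
FAILREGEX = r"^.*authentication failure;.*rhost=<HOST>"
HOST_GROUP = r"(?P<host>[\w\-.]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# CentOS 6 syslog timestamp at the start of each /var/log/secure line, e.g. "May  5 19:53:20".
TS_PATTERN = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
YEAR = 2015  # syslog lines carry no year; assumed here to match the post's log excerpt

# Constructed sample lines in CentOS 6 /var/log/secure format (documentation IP ranges).
SAMPLE_SECURE_LOG = [
    "May  5 19:53:10 gw sshd[4021]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10  user=root",
    "May  5 19:53:12 gw sshd[4021]: Failed password for root from 203.0.113.10 port 51122 ssh2",
    "May  5 19:53:15 gw sshd[4023]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10  user=root",
    "May  5 19:53:20 gw sshd[4025]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin",
    "May  5 19:53:25 gw sshd[4027]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10  user=root",
    "May  5 19:58:40 gw sshd[4030]: Accepted publickey for deploy from 192.0.2.5 port 40112 ssh2",
    "May  5 20:03:30 gw sshd[4031]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin",
    "May  5 20:10:00 gw sshd[4033]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin",
]


def parse_line(line):
    """Return (timestamp, host) for a line the failregex matches, else None.
    Only the PAM 'authentication failure' lines match; 'Failed password' and
    'Accepted publickey' lines are ignored by this particular pattern."""
    m = PATTERN.search(line)
    if not m:
        return None
    ts = TS_PATTERN.match(line)
    if not ts:
        return None
    when = datetime.strptime(f"{YEAR} {ts.group('ts')}", "%Y %b %d %H:%M:%S")
    return when, m.group("host")


def run_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines in order and return (time, action, host) events,
    mirroring the Ban/Unban rows fail2ban writes to fail2ban.log."""
    failures = {}  # host -> failure timestamps still inside the findtime window
    banned = {}    # host -> time the ban expires
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        now, host = parsed
        # Expire bans whose bantime has elapsed (logged as Unban).
        for h, until in list(banned.items()):
            if now >= until:
                events.append((now, "Unban", h))
                del banned[h]
        if host in banned:
            continue  # already dropped by the firewall; nothing new to count
        window = [t for t in failures.get(host, []) if now - t <= timedelta(seconds=findtime)]
        window.append(now)
        failures[host] = window
        if len(window) >= maxretry:
            banned[host] = now + timedelta(seconds=bantime)
            failures[host] = []
            events.append((now, "Ban", host))
    return events


if __name__ == "__main__":
    for when, action, host in run_jail(SAMPLE_SECURE_LOG):
        # Same shape as the fail2ban.log rows shown above.
        print(f"{when:%Y-%m-%d %H:%M:%S} fail2ban.actions: WARNING [ssh-shorewall] {action} {host}")
```

Note that 198.51.100.7 is never banned: its first failure falls outside findtime by the time the second one arrives, so the counter effectively restarts, which is exactly why a slow, patient attacker can stay under maxretry and why lowering findtime or raising bantime changes what gets caught.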
To check which IP addresses are currently blacklisted, use:
# shorewall show dynamic
 pkts bytes target  prot opt in  out  source          destination
    0     0 DROP    all  --  *   *    60.8.151.51     0.0.0.0/0
    0     0 DROP    all  --  *   *    59.120.155.175  0.0.0.0/0
    0     0 DROP    all  --  *   *    59.45.79.116    0.0.0.0/0
Fail2ban can also be used to detect abusive behavior against web servers; then you just parse the Apache log instead. There is an example in the jail file which you can start from, and also suitable filter patterns in the filter directory.
Happy blocking!