Araneo: DevOps & Automation

Securing CentOS 6.6 with fail2ban and Shorewall

5/5/2015

SSH servers are naturally exposed to the script kiddies on the Internet, unless you only allow connections over VPN tunnels. You shouldn't configure SSH to allow password-based authentication; only allow certificate-based authentication. That's a different blog post though.

Even with certificate-based authentication only, as long as you expose the SSH server to the Internet, your secure log will fill up with brute-force attempts, to the degree that it can be almost impossible to identify real threats. To work around this, you can use fail2ban, a Python-based program that parses your log files and dynamically alters your firewall rules, so that brute-force attackers are temporarily blacklisted.

If you, like me, are running Shorewall rather than plain iptables on top of CentOS 6.5 or 6.6, you may have run into some problems with fail2ban, but there is an easy way around them.

As long as you have the EPEL repository installed, you can install fail2ban using yum:
# yum install fail2ban

CentOS 6.5/6.6 Modifications

The configuration files for fail2ban are found in /etc/fail2ban:
# cd /etc/fail2ban

Start by making a copy of "jail.conf" (as it may be overwritten by application updates) and name the copy "jail.local". The local file takes precedence over the conf file - that is, all rules added here are applied last.
# cp jail.conf jail.local

In jail.local, add this section above the [ssh-iptables] section:

[ssh-shorewall]
enabled  = true
filter   = sshd_centos66
action   = shorewall
logpath  = /var/log/secure
maxretry = 3

It tells the application to:
  • enabled = true - This rule should be enabled
  • filter = sshd_centos66 - Use this filter file when parsing the log file
  • action = shorewall - Use this action when the filter finds matches
  • logpath = /var/log/secure - Parse this log file; it contains all the failed SSH logins
  • maxretry = 3 - Override the default of 5 attempts before getting blocked

Next, we must create our modified filter. Go to the filter configuration folder:
# cd /etc/fail2ban/filter.d

Copy the existing sshd.conf to our modified sshd_centos66.conf, so we keep a clean, untouched copy of the original:
# cp sshd.conf sshd_centos66.conf

Edit sshd_centos66.conf and add the following to failregex, as a new line at the end of that entry:
^.*authentication failure;.*rhost=<HOST>

This will match the corresponding rows in /var/log/secure and pick out the host/IP of the attacker. Restart fail2ban for the change to take effect:
# service fail2ban restart
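To see what the added failregex actually picks out of /var/log/secure, here is an added example (not code from the post or from fail2ban) that expands the <HOST> placeholder the way fail2ban does and runs the pattern over a few constructed CentOS 6 log lines. HOST_PATTERN is an assumption approximating fail2ban's own host regex, and the log lines and addresses (RFC 5737 documentation ranges) are constructed, not real data.

```python
import re

# fail2ban expands the <HOST> placeholder into its own host pattern before
# compiling a failregex. This pattern is an assumption approximating the one
# fail2ban 0.8/0.9 used; it is not taken from the post.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The line the post adds to failregex in sshd_centos66.conf.
FAILREGEX = r"^.*authentication failure;.*rhost=<HOST>"

# Constructed /var/log/secure lines in CentOS 6 syslog format (not real log data).
SAMPLE_SECURE_LINES = [
    "May  5 19:53:20 web1 sshd[4121]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.45  user=root",
    "May  5 19:53:22 web1 sshd[4121]: Failed password for root from 203.0.113.45 port 51122 ssh2",
    "May  5 19:53:24 web1 sshd[4121]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.45  user=root",
    "May  5 19:53:30 web1 sshd[4130]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7",
    "May  5 19:54:01 web1 sshd[4140]: Accepted publickey for johan from 192.0.2.10 port 50001 ssh2",
    # Edge case: PAM logged a failure but no remote host, so rhost= is empty.
    "May  5 19:54:05 web1 sshd[4150]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=guest",
]


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def extract_hosts(lines, failregex: str = FAILREGEX):
    """Return the host captured from every line the failregex matches, in log order.

    fail2ban strips the timestamp before matching; the leading .* in this
    failregex makes that irrelevant, so the full lines are used here.
    """
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def count_failures(lines, failregex: str = FAILREGEX):
    """Count matches per host: this is the number fail2ban compares against maxretry."""
    counts = {}
    for host in extract_hosts(lines, failregex):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, n in sorted(count_failures(SAMPLE_SECURE_LINES).items()):
        print(f"{host}: {n} failure(s)")
```

Two things worth noticing: the "Failed password for root" line is not matched by the added pattern (the stock sshd.conf expressions still in the file cover it, since the post only appends a line), and a PAM failure with an empty rhost= produces no host at all rather than a bogus ban target. When editing the real filter file, the new line must be indented like the existing failregex continuation lines, or fail2ban's ini parser will not treat it as part of the failregex value; fail2ban ships the fail2ban-regex tool, which can be pointed at the log file and the filter file to check that the pattern matches on the live system.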

Sit back and wait, keeping an eye on the log file /var/log/fail2ban.log; sooner or later rows like these start to appear:
2015-05-05 19:53:25,806 fail2ban.actions: WARNING [ssh-shorewall] Ban 59.120.155.175
2015-05-05 19:53:25,885 fail2ban.actions: WARNING [ssh-shorewall] Ban 59.45.79.116
2015-05-05 19:55:12,190 fail2ban.actions: WARNING [ssh-shorewall] Ban 221.229.166.29
2015-05-05 20:03:25,911 fail2ban.actions: WARNING [ssh-shorewall] Unban 60.8.151.51

Tips and Tricks

You can change the defaults in jail.local if you want to change the blocking behavior.
  • maxretry = 3
  • findtime  = 600
  • bantime  = 600
This is the default, and it means that 3 failed attempts within 600 seconds will get you blacklisted for 600 seconds. You can tweak these values after studying the attack patterns. SSH attacks usually come in dozens per minute, so the detection time (findtime) can be much lower.
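To see how maxretry, findtime and bantime interact before tuning them, here is an added example (not code from the post or from fail2ban) that replays a constructed list of filter matches through a simplified jail and emits the same Ban/Unban events that show up in /var/log/fail2ban.log. The timestamps and hosts are constructed, and the model is deliberately simpler than fail2ban's real scheduler, as noted in the code.

```python
from collections import deque

# Defaults from jail.local as described in the post.
MAXRETRY = 3
FINDTIME = 600   # seconds
BANTIME = 600    # seconds

# Constructed filter output: (seconds since start, host), in time order.
# 203.0.113.45 hammers the server; 198.51.100.7 tries once every ~12 minutes.
SAMPLE_FAILURES = [
    (0, "203.0.113.45"),
    (20, "203.0.113.45"),
    (40, "203.0.113.45"),
    (100, "198.51.100.7"),
    (800, "198.51.100.7"),
    (1500, "198.51.100.7"),
]


def simulate_jail(failures, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay filter matches through a simplified jail and return (time, action, host) events.

    Rules modelled: a host is banned when it has `maxretry` failures inside a
    sliding window of `findtime` seconds, and unbanned `bantime` seconds later.
    fail2ban's real scheduler unbans on its own polling cycle rather than at the
    exact second, and a banned host's traffic is dropped by the firewall, so
    further failures from it are skipped here.
    """
    recent = {}        # host -> deque of failure timestamps inside the window
    banned_until = {}  # host -> timestamp at which the ban expires
    events = []

    def release_expired(now):
        # Emit Unban events for bans that expired at or before `now`, oldest first.
        for host, until in sorted(banned_until.items(), key=lambda item: item[1]):
            if until <= now:
                events.append((until, "Unban", host))
                del banned_until[host]

    for ts, host in failures:
        release_expired(ts)
        if host in banned_until:
            continue
        window = recent.setdefault(host, deque())
        window.append(ts)
        # Drop failures that fell out of the findtime window.
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            events.append((ts, "Ban", host))
            banned_until[host] = ts + bantime
            window.clear()

    # Flush bans that were still active when the input ended.
    release_expired(float("inf"))
    return events


if __name__ == "__main__":
    for label, kwargs in (("defaults", {}), ("findtime=3600", {"findtime": 3600})):
        print(label)
        for ts, action, host in simulate_jail(SAMPLE_FAILURES, **kwargs):
            print(f"  t+{ts:>5}s  {action:<5} {host}")
```

With the defaults, the fast attacker is banned after its third attempt and the slow one never is, because no three of its failures fall inside one 600-second window; raising findtime to an hour catches the slow one as well. Lowering findtime, as the post suggests for fast SSH attacks, narrows the window the other way and makes it harder for a legitimate user with a few typos spread over time to trip the ban.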

To check which IP addresses are currently blacklisted, use:
# shorewall show dynamic
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       60.8.151.51          0.0.0.0/0
    0     0 DROP       all  --  *      *       59.120.155.175       0.0.0.0/0
    0     0 DROP       all  --  *      *       59.45.79.116         0.0.0.0/0

Fail2ban can also be used to detect abusive behavior against web servers; then you just parse the Apache log instead. There is an example in the jail file that you can start from, and also suitable filter patterns in the filter directory.

Happy blocking!

    Author

    Hi, I'm Johan, I've been working as a consultant and entrepreneur in the IT-sector since 1999.

    I blog about ideas, tricks and tech tips from my daily work life as solution architect.

(cc) Araneo 1999-2016
