Sunday, March 2, 2014

Making your SSH server more secure with fail2ban

Today, when I was checking the logs on my server, I noticed that someone was trying to hack it by guessing usernames and passwords.

The command
cat /var/log/auth.log

returned something like this:
Invalid user danica from (attacker ip)
input_userauth_request: invalid user danica [preauth]
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=(attacker ip)
Failed password for invalid user danica from (attacker ip) port 20135 ssh2
Received disconnect from (attacker ip): 11: Bye Bye [preauth]
reverse mapping checking getaddrinfo for (attacker host) [(attacker ip)] failed - POSSIBLE BREAK-IN ATTEMPT!
Invalid user daniela from (attacker ip)
input_userauth_request: invalid user daniela [preauth]
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=(attacker ip)
Failed password for invalid user daniela from (attacker ip) port 12037 ssh2
Received disconnect from (attacker ip): 11: Bye Bye [preauth]
reverse mapping checking getaddrinfo for (attacker host) [(attacker ip)] failed - POSSIBLE BREAK-IN ATTEMPT!
Invalid user daniele from (attacker ip)
input_userauth_request: invalid user daniele [preauth]
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=(attacker ip)
Failed password for invalid user daniele from (attacker ip) port 28710 ssh2
Received disconnect from (attacker ip): 11: Bye Bye [preauth]
reverse mapping checking getaddrinfo for (attacker host) [(attacker ip)] failed - POSSIBLE BREAK-IN ATTEMPT!

Of course, I wanted this to stop. After a quick Google search I found two good ways of preventing this: change the SSH server port to something other than 22, or use fail2ban to ban the attacker's IP address with iptables.

I didn't want to change the SSH port, since I've configured it on multiple computers and applications, so fail2ban was my solution of choice.

I'm using Ubuntu, so fail2ban could be installed with the commands
apt-get update
apt-get install fail2ban

After the installation, running the command
fail2ban-client status
showed me that fail2ban was running with the default settings (ssh jail was active).

Typing
fail2ban-client status ssh
showed that one IP address was already blocked by the program.

The "BREAK-IN ATTEMPT!" messages stopped appearing in /var/log/auth.log, and the iptables rule list
iptables -L
showed that the attacker's IP was automatically added to the firewall table.

You can also monitor the fail2ban log at /var/log/fail2ban.log.

I didn't stop there, though. I edited the fail2ban configuration file /etc/fail2ban/jail.conf so that some of the Apache-related jails were enabled as well, and I lowered the maxretry value and increased the bantime.
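As an added example (not code from this post or from fail2ban itself), here is a small Python model of what the ssh jail does with log lines like the ones above: it parses the "Failed password" entries, counts failures per source IP inside a sliding findtime window, bans a source once it reaches maxretry, and treats the ban as lapsed after bantime. The log lines and addresses are constructed, and the year is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog layout sshd uses in /var/log/auth.log (the post's excerpt
# drops the timestamp/host prefix). 10.0.0.5 and 192.0.2.9 are placeholder addresses.
SAMPLE_AUTH_LOG = """\
Mar  2 10:15:01 box sshd[4010]: Failed password for invalid user danica from 10.0.0.5 port 20135 ssh2
Mar  2 10:15:09 box sshd[4012]: Failed password for invalid user daniela from 10.0.0.5 port 12037 ssh2
Mar  2 10:15:20 box sshd[4014]: Failed password for invalid user daniele from 10.0.0.5 port 28710 ssh2
Mar  2 10:15:31 box sshd[4016]: Failed password for root from 10.0.0.5 port 28711 ssh2
Mar  2 10:40:00 box sshd[4020]: Failed password for alice from 192.0.2.9 port 50000 ssh2
Mar  2 10:45:00 box sshd[4021]: Accepted publickey for alice from 192.0.2.9 port 50001 ssh2
"""

# Matches both failure forms in the post: "... for invalid user X from IP" and "... for X from IP".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_ts(ts, year=2014):
    """syslog timestamps carry no year, so one is supplied (assumed here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(log_text, maxretry=5, findtime=600, year=2014):
    """Return {ip: time_of_ban} for each source reaching maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other lines never count against a source
        ip, ts = m.group("ip"), parse_ts(m.group("ts"), year)
        if ip in banned:
            continue  # already banned; the firewall would be dropping this source by now
        # sliding window: keep only failures newer than findtime, then add this one
        failures[ip] = hits = [t for t in failures[ip] if ts - t <= window] + [ts]
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned

def still_banned(ban_time, now, bantime=600):
    """A ban lapses bantime seconds after it was applied (the jail's bantime setting)."""
    return now - ban_time < timedelta(seconds=bantime)

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG, maxretry=3).items():
        print(f"{when:%H:%M:%S} ban {ip}: iptables -I INPUT -s {ip} -j DROP")
```

With the sample data, the default maxretry of 5 never bans anyone, while lowering it to 3 (as the post does) bans the guessing source on its third failure; shrinking findtime to 10 seconds lets the same attempts slip through, which is why the two settings are tuned together.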

In addition, I added a line to /etc/fail2ban/action.d/iptables-multiport.conf that reports each banned IP to badips.com. This way I get nice graphs, and the IPs are added to the badips.com blocklist, which automatically blocks them from other sites as well. Here's a nice tutorial on how to do that.
