Fail2ban

From CVL Wiki

Revision as of 18:13, 4 December 2014


Fail2ban

We use the package fail2ban on all of our Linux machines to help prevent SSH password brute-forcing. It watches the authentication log and blocks an IP address after a certain number (usually 10) of failed login attempts by inserting a DROP rule into iptables.

If your address has been accidentally blocked on a server and you can still log in and control that server (usually from a different computer), you can remove your banned IP address from iptables.

To unban an IP address manually, it is necessary to know the chain name and the rule number. The following command can be used to acquire this information:

Code:

iptables -L -n --line-numbers

The relevant bits are at the end of the output. Here is an example chain with its rules (this listing was captured without -n, which is why one source shows as a reverse-DNS name and the destinations read "anywhere"; with -n you get bare addresses and 0.0.0.0/0 instead):

Code:

Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination
1    DROP       all  --  204.110.13.107       anywhere
2    DROP       all  --  1.234.20.21          anywhere
3    DROP       all  --  gw-tair-rp.rel.com.ua  anywhere
4    RETURN     all  --  anywhere             anywhere

In this example, three (3) IP addresses have been banned via the SSH jail (the DROP rules). The final RETURN rule hands any traffic that matched none of them back to the chain that called fail2ban-ssh, so it must be left in place.

To unban an IP address, you would run the following command:

Code:

iptables -D [chain-name] [line-number]

To unban the IP address 1.234.20.21 from the example above, the command would be:

Code:

iptables -D fail2ban-ssh 2

Rule numbers shift up by one after each deletion, so re-run the listing before removing another rule. Deleting the rule by hand also bypasses fail2ban's own bookkeeping; where the fail2ban-client utility is available, fail2ban-client set ssh unbanip 1.234.20.21 (ssh being the jail behind the fail2ban-ssh chain) removes the ban through fail2ban itself.

Reference: http://www.howtoforge.com/forums/showthread.php?t=51366&page=2
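As an added example (not from the CVL wiki), the shell function below does the lookup described above mechanically: it reads the output of iptables -L -n --line-numbers, finds the DROP rules for one address inside fail2ban's chains, and prints the matching iptables -D commands. The sample listing, including the second chain fail2ban-ssh-ddos and the addresses in it, is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the CVL wiki. Turns the listing produced by
# `iptables -L -n --line-numbers` into the exact `iptables -D CHAIN NUM`
# command(s) that remove one IP's DROP rules from fail2ban's chains.
# The listing is read from stdin, so it can be checked on a saved copy:
#   iptables -L -n --line-numbers | unban_cmds 1.234.20.21

# Constructed sample listing (-n output, so no reverse-DNS names and
# 0.0.0.0/0 instead of "anywhere"). The same IP is banned by two jails.
SAMPLE='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination
1    DROP       all  --  204.110.13.107       0.0.0.0/0
2    DROP       all  --  1.234.20.21          0.0.0.0/0
3    DROP       all  --  77.88.99.100         0.0.0.0/0
4    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh-ddos (1 references)
num  target     prot opt source               destination
1    DROP       all  --  1.234.20.21          0.0.0.0/0
2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
'

# unban_cmds IP: print one "iptables -D CHAIN NUM" per DROP rule whose
# source is IP, looking only inside fail2ban-* chains. Within a chain the
# highest rule number is printed first: every -D renumbers the rules
# below it, so deleting top-down would remove the wrong rule when an IP
# is listed more than once in the same chain.
unban_cmds() {
    awk -v ip="$1" '
        /^Chain fail2ban-/ { chain = $2; next }   # entering a jail chain
        /^Chain /          { chain = "";  next }   # any other chain: skip it
        chain != "" && $2 == "DROP" && $5 == ip {
            print "iptables -D " chain " " $1
        }
    ' | sort -k3,3 -k4,4nr
}

# Stand-alone run: show the commands for the wiki's example address.
printf '%s' "$SAMPLE" | unban_cmds 1.234.20.21
```

Review the printed commands before running them; the script deliberately prints rather than executes so nothing is removed from a live firewall by accident.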


Installing Fail2ban

OS X

This is an advanced setup, and requires using the terminal to install and modify files.

Install IceFloor

IceFloor is an open-source graphical front-end for pf, the default built-in firewall for OS X.

  1. Download and install IceFloor: http://www.hanynet.com/icefloor/
  2. Open IceFloor and enter your login password
  3. Read the Welcome Wizard and skip installing the IceFloor Menulet
  4. Open the Options tab
  5. Check the Enable Emerging Threats... line and Enable <sshguard>... line
  6. Open the Help tab and click on Configuration Wizard
  7. Enter your login password and click Continue
  8. On the "Allow Inbound Connections" page, select the following and click Next
    • Remote login (SSH)
    • iChat, Message and iPhoto
    • ICMP protocol
    • If you use iTunes, you should also enable iTunes sharing and Airplay
  9. On the "Allow outbound connections" page, leave the default Allow all outbound connection and click Next
    • If you are sure of what you are doing, you can limit outbound connections...doing this has the most chance of breaking something
  10. Check Enable Emerging Threats protection and click Save configuration
  11. Enter your login password
  12. Click the Start PF button and agree to the warning
  13. Enter your login password again...
  14. Choose yes to start PF rules at startup


Install MacPorts

Add the line below to the failregex entries in /opt/local/etc/fail2ban/filters.d/ssh.conf, so that the "unknown user for illegal user" messages OS X's sshd logs through PAM are counted as failed logins:

^%(__prefix_line)s(?:error: PAM: )?unknown user for illegal user .* from <HOST>( via \S+)?\s*$