I like security. The more control I have over a network or system the better I feel. So when I had to push out a couple of secure FTP sites for clients, I had to make sure that they couldn’t be broken into.
First I started with Ubuntu 10.04.3LTS LAMP installation. The rest you can see below:
Update Linux
apt-get update
apt-get upgrade
apt-get install build-essential
apt-get dist-upgrade
reboot
Remove anything unneeded
apt-get autoremove
I installed SSH access to one external-facing system, on a completely separate network, but have edited the allowed hosts to be only my personal public IP. But it’s still a good idea to stop people from trying and filling up the logs. I also installed VSFTP on two external-facing systems – it is these systems that I worry most about.
Install fail2ban
apt-get install fail2ban
Edit the configuration
nano /etc/fail2ban/jail.local
Now I put the following in there:
[DEFAULT]
# “ignoreip” can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.0.99
bantime = 60
maxretry = 3
backend = polling
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 5
Restart the Fail2ban service
/etc/init.d/fail2ban restart
I checked to see if SSH would be “banned” by trying to connect from another system several times to the fail2ban system (see actions in BOLD):
tail -f /var/log/fail2ban.log
2011-08-24 07:40:29,300 fail2ban.jail : INFO Jail ‘ssh’ uses poller
2011-08-24 07:40:29,330 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-08-24 07:40:29,332 fail2ban.filter : INFO Set maxRetry = 5
2011-08-24 07:40:29,336 fail2ban.filter : INFO Set findtime = 600
2011-08-24 07:40:29,337 fail2ban.actions: INFO Set banTime = 60
2011-08-24 07:40:29,481 fail2ban.jail : INFO Jail ‘ssh’ started
2011-08-24 07:40:39,561 fail2ban.actions: WARNING [ssh] Ban 192.168.0.253
2011-08-24 07:41:39,816 fail2ban.actions: WARNING [ssh] Unban 192.168.0.253
You can verify that the ban is active by listing out your iptables
iptables -L
Next I’ll verify that it works on vsftp.
Edit the fail2ban local jail
nano /etc/fail2ban/jail.local
Change the enabled to enabled = true
Restart the fail2ban service
/etc/init.d/fail2ban restart
Then I ran the regex checker
fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf
Which gave me 0 results.
Edit the failregex configuration
nano /etc/fail2ban/filter.d/vsftpd.conf
I changed from FAIL LOGIN to CONNECT
Save and quit, then restart fail2ban
2011-08-24 08:17:19,564 fail2ban.actions: WARNING [vsftpd] Ban 192.168.0.115
2011-08-24 08:18:19,660 fail2ban.actions: WARNING [vsftpd] Unban 192.168.0.115
***EDIT***
I had a few bots that were trying to get access to directories that didn’t exist.
In my /etc/fail2ban/jail.local
[owncloud]
enabled = true
port = http,https
filter = apache-owncloud
logpath = /var/log/apache2/error.log
maxretry = 3
bantime = 240
In my /etc/fail2ban/filter.d/apache-owncloud.conf
[Definition]
failregex = \[client\] (File does not exist|script not found or unable to stat): [^ ]*/([^ ]*\.asp|[^ ]*\.dll|[^ ]*\.exe|admin|Admin|Ads|ads|apps|archive|awstats|b0ard|bin|blog|board|cgi|clan|cms|community|cube|database|datenbank$ ignoreregex =
Unblock an existing entry
We all know that you can use iptables -L to find the entry and then -D to delete it. Fail2ban doesn’t really like that.
fail2ban-client set JAIL unbanip MYIP
If you forgot your jail name (haha) you can list them all out:
fail2ban-client status