I like security. The more control I have over a network or system the better I feel. So when I had to push out a couple of secure FTP sites for clients, I had to make sure that they couldn’t be broken into.<\/p>\n
First I started with Ubuntu 10.04.3LTS LAMP installation. The rest you can see below:<\/p>\n
Update Linux<\/p>\n
apt-get update<\/code>
\napt-get upgrade<\/code>
\napt-get install build-essential<\/code>
\napt-get dist-upgrade<\/code>
\nreboot<\/code><\/p><\/blockquote>\nRemove anything unneeded<\/p>\n
apt-get autoremove<\/code><\/p><\/blockquote>\nI installed SSH access to one external-facing system, on a completely separate network, but have edited the allowed hosts to be only my personal public IP. But it’s still a good idea to stop people from trying and filling up the logs. I also installed VSFTP on two external-facing systems – it is these systems that I worry most about.<\/p>\n
Install fail2ban<\/p>\n
apt-get install fail2ban<\/code><\/p><\/blockquote>\nEdit the configuration<\/p>\n
nano \/etc\/fail2ban\/jail.local<\/code><\/p><\/blockquote>\nNow I put the following in there:<\/p>\n
[DEFAULT]
\n# “ignoreip” can be an IP address, a CIDR mask or a DNS host
\nignoreip = 127.0.0.1 192.168.0.99
\nbantime = 60
\nmaxretry = 3
\nbackend = polling
\n# Destination email address used solely for the interpolations in
\n# jail.{conf,local} configuration files.
\ndestemail = root@localhost
\n# Default action to take: ban only
\naction = iptables[name=%(__name__)s, port=%(port)s]
\n[ssh]
\nenabled = true
\nport = ssh
\nfilter = sshd
\nlogpath = \/var\/log\/auth.log
\nmaxretry = 5
\n[vsftpd]
\nenabled = false
\nport = ftp,ftp-data,ftps,ftps-data
\nfilter = vsftpd
\nlogpath = \/var\/log\/vsftpd.log
\nmaxretry = 5<\/p><\/blockquote>\nRestart the Fail2ban service<\/p>\n
\/etc\/init.d\/fail2ban restart<\/code><\/p><\/blockquote>\nI checked to see if SSH would be “banned” by trying to connect from another system several times to the fail2ban system (see actions in BOLD):
\ntail -f \/var\/log\/fail2ban.log<\/code><\/p>\n2011-08-24 07:40:29,300 fail2ban.jail : INFO Jail ‘ssh’ uses poller
\n2011-08-24 07:40:29,330 fail2ban.filter : INFO Added logfile = \/var\/log\/auth.log
\n2011-08-24 07:40:29,332 fail2ban.filter : INFO Set maxRetry = 5
\n2011-08-24 07:40:29,336 fail2ban.filter : INFO Set findtime = 600
\n2011-08-24 07:40:29,337 fail2ban.actions: INFO Set banTime = 60
\n2011-08-24 07:40:29,481 fail2ban.jail : INFO Jail ‘ssh’ started
\n2011-08-24 07:40:39,561 fail2ban.actions: WARNING [ssh] Ban 192.168.0.253<\/strong>
\n2011-08-24 07:41:39,816 fail2ban.actions: WARNING [ssh] Unban 192.168.0.253<\/strong>\n<\/p><\/blockquote>\nYou can verify that the ban is active by listing out your iptables
\niptables -L<\/code><\/p>\nNext I’ll verify that it works on vsftp.
\nEdit the fail2ban local jail
\nnano \/etc\/fail2ban\/jail.local<\/code>
\nChange the enabled to enabled = true
\nRestart the fail2ban service
\n\/etc\/init.d\/fail2ban restart<\/code><\/p>\nThen I ran the regex checker
\nfail2ban-regex \/var\/log\/vsftpd.log \/etc\/fail2ban\/filter.d\/vsftpd.conf
\nWhich gave me 0 results.<\/p>\nEdit the failregex configuration
\nnano \/etc\/fail2ban\/filter.d\/vsftpd.conf<\/code>
\nI changed from FAIL LOGIN to CONNECT
\nSave and quit, then restart fail2ban<\/p>\n2011-08-24 08:17:19,564 fail2ban.actions: WARNING [vsftpd] Ban 192.168.0.115
\n2011-08-24 08:18:19,660 fail2ban.actions: WARNING [vsftpd] Unban 192.168.0.115<\/p><\/blockquote>\n***EDIT***
\nI had a few bots that were trying to get access to directories that didn’t exist.<\/p>\nIn my \/etc\/fail2ban\/jail.local<\/p>\n
\n[owncloud]
\nenabled = true
\nport = http,https
\nfilter = apache-owncloud
\nlogpath = \/var\/log\/apache2\/error.log
\nmaxretry = 3
\nbantime = 240\n<\/p><\/blockquote>\nIn my \/etc\/fail2ban\/filter.d\/apache-owncloud.conf<\/p>\n
\n[Definition]
\nfailregex = \\[client\\] (File does not exist|script not found or unable to stat): [^ ]*\/([^ ]*\\.asp|[^ ]*\\.dll|[^ ]*\\.exe|admin|Admin|Ads|ads|apps|archive|awstats|b0ard|bin|blog|board|cgi|clan|cms|community|cube|database|datenbank$<\/p>\n ignoreregex =\n<\/p><\/blockquote>\n
Unblock an existing entry<\/strong>
\nWe all know that you can use iptables -L to find the entry and then -D to delete it. Fail2ban doesn’t really like that.<\/p>\n
fail2ban-client set JAIL unbanip MYIP<\/code>
\nIf you forgot your jail name (haha) you can list them all out:
\nfail2ban-client status<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"I like security. The more control I have over a network or system the better I feel. So when I had to push out a couple of secure FTP sites for clients, I had to make sure that they couldn’t be broken into. First I started with Ubuntu 10.04.3LTS LAMP installation. The rest you can … Continue reading Fail2ban Ubuntu SSH VSFTP<\/span>