Protecting your public servers is crucial we have talked before on a previous post on how to mitigate Ssh attacks on a cisco router now let’s talk Ssh on a server
an ssh server is no different you still have the same issues to fend off from DDOS attacks to brute force attacks ssh servers such as openssh are vulnerable here is a good module you can install on any Linux based server to protect again a brute force attack on your ssh tunnel ,
There is a free open source product called fail2ban www.fail2ban.org/
this free solution scans logs files of the ssh service and looks for a set of criteria mostly an x amount of failed login attempts on the ssh service and then creates a rule in the iptables firewall which will drop all future traffic to the ssh port it also supports ftp applications such as pure ftp in the same way
The below steps assume you are using a debian based distribution of Linux in our example we are using Ubuntu server 12.04
To install this application run the following command from your terminal window
sudo apt-get install fail2ban
Once the package is installed we can now start configuring it
Fail2ban uses a file called jail.conf to set the parameters for things like maximum attempts
Before banning the offending IP
the location of the jail.conf file is /etc/fail2ban
Once in the proper directory we can edit the config file using a text editor i personally like the VI editor
So you would issue the following command
sudo vi jail.conf
This will open the fail 2 ban configuration file
In this configuration file you are going to look for a section that looks like this
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
the above configuration allows for 3 unsuccessful attempts (default is 6 ) before banning the offending IP address you can change the log file name and path if you like also by default there will be a # symbol before enable you will want to remove that symbol the enable this rule or you can just copy and paste the config above
Once you have matched the default config to the one above you will then save the file in the vi editor using the :wq combination in command mode within the vi editor
you have now completed the setup of fail2ban for the ssh service
View Banned IP addresses
In order to see what IP's have been banned issue the following command
sudo iptables -L -n
look through the output for the fail2ban chain
Banned IP addresses will shows up like the one below in bold
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Drop all - 10.10.10.10 0.0.0.0/0
Remove banned ip addresses
in order to remove a IP address from the banned list issues the following command
sudo iptables -D fail2ban-ssh -s 10.10.10.10 -j DROP
this will allow the IP on the server
The following post shows how to protect again bruteforce attacks on linux based ssh servers
using the fail2ban application this tool is a simple and free yet powerful application that should be installed to add a layer of protection to you servers ssh service
Till next time
Stay secure !
No comments:
Post a Comment