fail2ban

There were too many attacks against sshd (thousands on a single day), so I decided to install fail2ban. Installation is a simple apt-get install fail2ban. Next, copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local: fail2ban reads jail.local on top of jail.conf, and package upgrades overwrite jail.conf but leave jail.local alone, so local settings belong there. A possible configuration could be:

[INCLUDES]
before = paths-debian.conf

[DEFAULT]
# add more networks to ignoreip if needed (space separated)
ignoreip = 127.0.0.1/8
bantime  = 86400
findtime = 3600
maxretry = 3
backend = auto
usedns = warn
logencoding = auto
enabled = false

[sshd]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
backend = %(sshd_backend)s

This configuration bans an attacking IP address once it has produced 3 failed login attempts (maxretry = 3) within an hour (findtime = 3600). The ban lasts 24 hours (bantime = 86400). Note that the option is spelled enabled, not enable; a misspelled key is silently ignored and the jail never starts. Check what the jail is doing with fail2ban-client status sshd, and test the filter against the real log with fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf. On systems without rsyslog there is no /var/log/auth.log at all and the jail has to read the journal (backend = systemd); on newer Debian releases paths-debian.conf sets sshd_backend accordingly, which is why the jail uses %(sshd_backend)s rather than a fixed value.
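As an added illustration (not part of the original post and not fail2ban's own code), the script below replays the counting rule behind maxretry, findtime and bantime over a few constructed auth.log lines. The two failregex stand-ins are simplified versions of what fail2ban's sshd filter matches, the log lines and addresses are made up, and the year used for the timestamps is an assumption because syslog lines carry none.

```python
"""Replay the sshd jail's counting rule (maxretry within findtime) over constructed log lines."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-ins for fail2ban's sshd failregex; the real filter matches many more variants.
FAILURE_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"),
    re.compile(r"Invalid user \S+ from (?P<host>\S+)"),
]
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")

# Constructed sample of /var/log/auth.log (documentation addresses, not real traffic).
LOG = """\
Mar 10 09:00:00 web sshd[1900]: Invalid user admin from 198.51.100.7 port 40001
Mar 10 10:00:01 web sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 10:00:05 web sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 10:00:09 web sshd[2105]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar 10 10:00:12 web sshd[2107]: Failed password for root from 203.0.113.5 port 51260 ssh2
Mar 10 10:05:00 web sshd[2110]: Failed password for alice from 127.0.0.1 port 33001 ssh2
Mar 10 10:05:01 web sshd[2111]: Failed password for alice from 127.0.0.1 port 33002 ssh2
Mar 10 10:05:02 web sshd[2112]: Failed password for alice from 127.0.0.1 port 33003 ssh2
Mar 10 10:06:00 web sshd[2120]: Accepted publickey for bob from 198.51.100.20 port 50000 ssh2
Mar 10 10:30:00 web sshd[2200]: Invalid user admin from 198.51.100.7 port 40002
Mar 10 12:00:00 web sshd[2300]: Invalid user admin from 198.51.100.7 port 40003
"""


def parse_line(line, year=2024):
    """Return (seconds, host) for a failed-login line, None for anything else.
    Syslog lines carry no year, so one is assumed; only time differences matter here."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    seconds = (stamp - datetime(year, 1, 1)).total_seconds()
    for pattern in FAILURE_PATTERNS:
        hit = pattern.search(line)
        if hit:
            return seconds, hit.group("host")
    return None


def simulate(lines, findtime=3600, maxretry=3, bantime=86400, ignoreip=("127.0.0.1/8",)):
    """Return {host: (ban_start, ban_end)}: a host is banned when maxretry failures
    fall inside a findtime-long window, and its failures stop counting while banned."""
    ignored = [ipaddress.ip_network(net, strict=False) for net in ignoreip]
    failures = defaultdict(deque)
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        seconds, host = parsed
        if any(ipaddress.ip_address(host) in net for net in ignored):
            continue
        if host in bans and seconds < bans[host][1]:
            continue
        window = failures[host]
        window.append(seconds)
        while seconds - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[host] = (seconds, seconds + bantime)
            window.clear()
    return bans


if __name__ == "__main__":
    for host, (start, end) in simulate(LOG.splitlines()).items():
        print(f"{host}: banned for {int(end - start)} s")
```

With the jail's values only 203.0.113.5 is banned: its three failures arrive within seconds. 198.51.100.7 also fails three times, but 90 minutes apart, so the hour-long window never holds more than one failure; raising findtime to four hours bans it as well, which is the trade-off the setting controls. The localhost failures are skipped because of ignoreip.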


Creating a firewall (iptables)

Make sure that iptables is installed (otherwise apt-get install iptables; on Debian 10 and later the iptables commands are the nftables-backed iptables-nft variants, which read the same rule syntax). A very basic rule set that allows HTTP, HTTPS, and SSH (on the default port 22):

*filter

# Define default policies
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Allows HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT

# DNS and NTP replies need no rules of their own: the ESTABLISHED,RELATED rule
# above already matches answers to queries this host sent. Do NOT accept packets
# merely because their source port is 53 or 123 (-p udp --sport 53 -j ACCEPT):
# the client chooses its source port, so such a rule opens every local port.

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

COMMIT

Save the rule set above as /etc/iptables.test.rules and install it the way wiki.debian.org describes. Do this from the console or with a second SSH session open: if the new rules block port 22, you are locked out the moment iptables-restore returns.

iptables-restore < /etc/iptables.test.rules
iptables -L -n -v # Are these my rules?
iptables-save > /etc/iptables.up.rules

Activating the rules at boot time requires a file /etc/network/if-pre-up.d/iptables (as a shell script it needs execute permission: chmod +x). This hook only runs for interfaces brought up by ifupdown; on a host managed by systemd-networkd or NetworkManager install iptables-persistent instead, which loads /etc/iptables/rules.v4 and /etc/iptables/rules.v6 at boot (netfilter-persistent save writes them).

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

Nowadays the same is needed for IPv6, with a few changes: ICMPv6 carries neighbour discovery, router advertisements and path MTU discovery, so blocking it breaks connectivity rather than just ping.

*filter

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT

# Type 0 routing headers are deprecated (RFC 5095) and current kernels do not
# process them, so these rules only matter on very old systems
# -A INPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
# -A FORWARD -m rt --rt-type 0 --rt-segsleft 0 -j DROP
# -A OUTPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ICMPv6 is not optional: neighbour discovery, router advertisements and
# path MTU discovery all depend on it
-A INPUT -p ipv6-icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

# DHCPv6 client replies arrive on the link-local address
-A INPUT -m conntrack --ctstate NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT

# SSH; add --dport 80 and 443 rules here if the web server should be reachable over IPv6
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT

# With these commented out the INPUT policy (DROP) applies; uncomment them
# to answer with an ICMPv6 error instead of silently dropping
# -A INPUT -j REJECT --reject-with icmp6-port-unreachable
# -A FORWARD -j REJECT --reject-with icmp6-port-unreachable

COMMIT

Enabling these rules works the same way as with IPv4, except that ip6tables, ip6tables-restore and ip6tables-save are used, with a separate rule file (for example /etc/ip6tables.up.rules) and a second restore line for it in the boot script.
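The following check is an added example, not the post's or the Debian wiki's code: a small linter for iptables-save style files that flags the pitfalls relevant to both rule sets above. It reports an INPUT or FORWARD chain without a DROP policy, a missing ESTABLISHED,RELATED or loopback accept, ACCEPT rules keyed only on a source port (which any client can spoof), and, for IPv6, a missing ICMPv6 accept. The two embedded rule sets are constructed for the demonstration; the first deliberately contains the source-port pattern.

```python
"""Lint iptables-save / ip6tables-save style rule files for the pitfalls discussed above."""
import shlex


def parse_rules(text):
    """Return (policies, rules). policies maps chain -> policy; each rule is a dict with
    the chain, an option->value map and the set of options that were preceded by '!'."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "*", ":", "COMMIT")):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "-P" and len(tokens) >= 3:
            policies[tokens[1]] = tokens[2]
            continue
        if tokens[0] != "-A" or len(tokens) < 2:
            continue
        rule = {"chain": tokens[1], "opts": {}, "negated": set()}
        i, negate = 2, False
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":
                negate, i = True, i + 1
                continue
            if not tok.startswith("-"):       # stray value with nothing to attach it to
                i += 1
                continue
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            rule["opts"][tok] = tokens[i + 1] if has_value else True
            if negate:
                rule["negated"].add(tok)
            negate, i = False, i + (2 if has_value else 1)
        rules.append(rule)
    return policies, rules


def _state(rule):
    return rule["opts"].get("--ctstate") or rule["opts"].get("--state") or ""


def lint(text, ipv6=False):
    """Return a list of findings (an empty list means the rule set passes these checks)."""
    policies, rules = parse_rules(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'unset')}, expected DROP")
    inbound = [r for r in rules if r["chain"] == "INPUT"]
    accepts = [r for r in inbound if r["opts"].get("-j") == "ACCEPT"]
    if not any("ESTABLISHED" in _state(r) for r in accepts):
        findings.append("no ESTABLISHED,RELATED accept in INPUT: replies to this host's own traffic are dropped")
    if not any(r["opts"].get("-i") == "lo" and "-i" not in r["negated"] for r in accepts):
        findings.append("loopback traffic is not accepted in INPUT")
    for r in accepts:
        o = r["opts"]
        # A bare source-port match is spoofable: the remote client chooses its source port.
        if "--sport" in o and "--dport" not in o and not _state(r) and o.get("-i") != "lo":
            findings.append(f"spoofable accept: -p {o.get('-p')} --sport {o['--sport']} reaches every local port; "
                            "rely on ESTABLISHED,RELATED for replies instead")
    if ipv6 and not any(r["opts"].get("-p") in ("ipv6-icmp", "icmpv6") for r in accepts):
        findings.append("ICMPv6 is not accepted: neighbour discovery and path MTU discovery will break")
    return findings


# Constructed rule sets: WEAK_V4 deliberately contains the source-port pattern, V6 is clean.
WEAK_V4 = """\
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
"""
V6 = """\
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, text, v6 in (("ipv4", WEAK_V4, False), ("ipv6", V6, True)):
        print(name, lint(text, ipv6=v6) or ["ok"])
```

Run it against a saved file with lint(open("/etc/iptables.up.rules").read()) or lint(open("/etc/ip6tables.up.rules").read(), ipv6=True). The parser understands the iptables-save syntax only as far as these checks need; it deliberately keeps the first rule in each chain order-agnostic, so a LOG or REJECT rule placed before an ACCEPT is not detected.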