Author: Yun Muqing

Source: Hang Seng LIGHT Cloud Community

1. Background

Hosts exposed to the public network are attacked all the time, and SSH brute-force cracking is the most frequent attack. Countless machines search the public network for prey day and night and then try weak passwords against whatever they find.

If your public-facing machine happens to have a weak password, it is likely that within a few hours of installing the system someone will get in and do something with it.

Of course, if we set a strong password (more than 8 characters, mixing upper- and lower-case letters and digits), it will not be cracked. For the sake of efficiency a single attacker will only try you three or four thousand times, but there are many attackers, so on average you will be hit about 8,000 times a day.

How do you check whether you have been attacked? Look at the SSH logs.

    cat /var/log/secure | grep 'Failed password' | wc -l

This directly shows how many times you have been attacked. Because older logs are rotated automatically, this is only the count for the last few days.

    find /var/log -name 'secure*' | xargs ls -l

This lists all the SSH log files and their details.

    cat /var/log/secure | grep 'Failed password' | tail -10

This shows the 10 most recent attack records.

Some defenses:

  • Set a very strong password. If you do not care about other people hammering on the host but find the log file too large to read comfortably, you can turn that logging off or lower its level.
  • Changing the SSH port number has no effect; the attacker will scan for the port anyway.
  • Disallow remote login for the root user. If you still want to log in as a super administrator, add a user with the same permissions as root, but do not rename the root user itself, or system software will break.
  • Write a script that checks whether the number of login failures in /var/log/secure exceeds a certain threshold and, if so, adds the offending IP to /etc/hosts.deny. The check has to run often enough; otherwise the script will not react in time to a brute-force burst.
  • Writing such scripts is tedious, so use a tool written by someone else. Fail2ban is recommended here; besides SSH it can also protect web services from directory brute-forcing. The project is hosted on GitHub.

2. Principles and installation of fail2ban

Fail2ban is written in Python. Its principle is simple: it scans logs for harmful behaviour and then configures firewall rules to ban the dangerous IP addresses.

The official manual states that fail2ban scans the logs at an interval of 1 s.

For example, CentOS 7 has Python 2.7 installed by default, so no manual installation is required. Its default firewall is firewalld, so the package to install is fail2ban-firewalld. If your firewall is iptables, install fail2ban instead.

    yum -y install fail2ban-firewalld

3. Configuration

Using the default configuration is simple: copy jail.conf to jail.local, then enable the sshd jail.

    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    vi /etc/fail2ban/jail.local
    # find the [sshd] section and add the line below to it
    [sshd]
    enabled = true

That is enough to get started. If you want to change the configuration, here are some reference points.

The configuration file has nearly a thousand lines, but most of them are comments; only a few lines matter for SSH:

    [DEFAULT]
    #ignoreself = true
    #ignoreip = 127.0.0.1/8 ::1
    ignorecommand =

    # "bantime" is the number of seconds that a host is banned.
    bantime  = 10m

    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime  = 10m

    # "maxretry" is the number of failures before a host get banned.
    maxretry = 5

    # "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
    maxmatches = %(maxretry)s

    # the [sshd] section is around line 280
    [sshd]
    port    = ssh
    logpath = %(sshd_log)s
    backend = %(sshd_backend)s

The important parameters in [DEFAULT] mean the following: the last findtime (here in minutes) of the log file is scanned, and if maxretry login-failure records from one IP are found in that window, that IP is blocked for bantime (here in minutes). The time unit can be s, m, or h.

ignoreip is a whitelist. The port can be changed in the [sshd] section.
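As an added illustration (not the article's code) of both the self-written check suggested in the defenses list and of how findtime, maxretry and ignoreip interact in [DEFAULT]: a sliding-window count over constructed /var/log/secure lines. The host name, the IPs and the assumed year are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/secure (syslog format); not taken from a real host.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 50001 ssh2
Mar  3 10:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
Mar  3 10:00:05 host sshd[1003]: Failed password for root from 203.0.113.7 port 50003 ssh2
Mar  3 10:00:08 host sshd[1004]: Failed password for root from 203.0.113.7 port 50004 ssh2
Mar  3 10:00:10 host sshd[1005]: Failed password for root from 203.0.113.7 port 50005 ssh2
Mar  3 10:00:12 host sshd[1006]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  3 10:25:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar  3 10:25:01 host sshd[1008]: Failed password for root from 198.51.100.9 port 40003 ssh2
Mar  3 10:25:02 host sshd[1009]: Failed password for root from 198.51.100.9 port 40004 ssh2
Mar  3 10:25:03 host sshd[1010]: Failed password for root from 198.51.100.9 port 40005 ssh2
Mar  3 10:25:04 host sshd[1011]: Accepted password for deploy from 127.0.0.1 port 40006 ssh2
"""

# Same pattern the article greps for, plus capture of the timestamp and source IP.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port"
)

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year, so one is assumed here (example assumption)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(log_text, findtime=600, maxretry=5, ignoreip=("127.0.0.1",)):
    """Return {ip: time_of_ban} for IPs with >= maxretry failures within any findtime-second window."""
    recent = defaultdict(deque)   # per-IP timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m["ip"] in ignoreip or m["ip"] in banned:
            continue
        ip, t = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:   # slide the window forward
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = t
    return banned

def hosts_deny_lines(banned):
    # TCP-wrappers lines the script in the text would append to /etc/hosts.deny
    return [f"sshd: {ip}" for ip in sorted(banned)]
```

With the defaults, 203.0.113.7 is banned at its fifth failure, while 198.51.100.9 is not, because its first failure fell out of the 10-minute window before the next four arrived.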

4. Startup and status view

Start, stop, restart, check status, and enable at boot:

    systemctl {start|stop|restart|status|enable} fail2ban.service

View service details:

    # Check which services fail2ban is guarding
    fail2ban-client status
    # Check the sshd blacklist
    fail2ban-client status sshd

Test whether the rule has taken effect:

If the password is wrong, "Permission denied" is displayed; if the IP address has been banned, "Connection refused" is displayed. A wrong SSH password lets you enter it two more times in the same session; during one of these sessions the ban will kick in, at which point press Ctrl+C.