212.4. Security tasks
Weight: 3
Description: Candidates should be able to receive security alerts from various sources, install, configure and run intrusion detection systems and apply security patches and bugfixes.
Key Knowledge Areas:
    Tools and utilities to scan and test ports on a server
    Locations and organizations that report security alerts, such as Bugtraq, CERT or other sources
    Tools and utilities to implement an intrusion detection system (IDS)
    Awareness of OpenVAS and Snort
Terms and Utilities:
    telnet
    nmap
    fail2ban
    nc
    iptables
Linux security could be the subject of a full course on its own, and many of its topics are covered in depth by the LPIC-3 303 exam. Here we discuss only what the LPIC-2 objective above requires.

What can we do for system security?

Updates:
Keep the system(s) updated. Daily updates are recommended; in a busy production environment they may have to be scheduled, but they must not be forgotten, and for critical remote-access systems (SSH gateways, VPN endpoints, anything reachable from the Internet) applying security patches at least weekly is a must. Subscribing to third-party sources that publish security advisories (see below) is just as important, because it tells us which updates are urgent.

Monitoring:
Periodic manual audits give valuable information about a system, but they cannot be relied on alone. Automated monitoring of key systems is a must.

Security tools:
Some security tools ship with the distribution, some are free software and others are commercial. The ones covered here are:
    nmap
    nc
    telnet
    iptables
    fail2ban
    snort
    OpenVAS
Let's start with updates and where to get information about the latest security vulnerabilities and issues. Organizations and sites worth knowing:
    Computer Emergency Response Team (specifically the CERT Coordination Center, CERT/CC, located at Carnegie Mellon University's Software Engineering Institute)
    Publishes vulnerability notes and analysis, including a comprehensive list of known vulnerabilities and attack vectors.
    Often works with government organizations and private institutions on computer security policy issues.
    United States Computer Emergency Readiness Team (US-CERT, today part of CISA)
    Coordinates the US government's response to computer security incidents and publishes alerts and advisories.
    Works with the CERT/CC on computer security policy issues.

BugTraq (mailing list hosted at http://www.securityfocus.com)

    A subscription-based e-mail list.
    Created and funded by SecurityFocus (later owned by Symantec).
    A moderated and very detailed list for the discussion and announcement of new security vulnerabilities.
    Provides details on vulnerabilities as they are discovered and reported, including what is affected (versions, products, devices and operating systems), what the vulnerability is and any known attack vectors.
    Note for practice: BugTraq has been dormant since early 2021, so for day-to-day work also subscribe to your distribution's security announcement list (debian-security-announce, ubuntu-security-announce, etc.) and the oss-security list, and watch the CVE/NVD feeds. The exam still expects you to know the names above.
We already covered nmap and nc in previous courses, so here we only review them briefly with a few related examples.

nc

netcat (nc for short) is a small, powerful utility that can be used for just about anything involving TCP, UDP or UNIX-domain sockets on Linux.
We have used it to open TCP connections, listen on arbitrary TCP and UDP ports, send packets, and scan ports, which is what we review here.
With netcat we can check whether a single port, several ports or a range of ports is open on a system (Ubuntu 16.04 here):
root@server1:~# nc -zv localhost 21-29
Connection to localhost 21 port [tcp/ftp] succeeded!
nc: connect to localhost port 22 (tcp) failed: Connection refused
nc: connect to localhost port 23 (tcp) failed: Connection refused
nc: connect to localhost port 24 (tcp) failed: Connection refused
nc: connect to localhost port 25 (tcp) failed: Connection refused
nc: connect to localhost port 26 (tcp) failed: Connection refused
nc: connect to localhost port 27 (tcp) failed: Connection refused
nc: connect to localhost port 28 (tcp) failed: Connection refused
nc: connect to localhost port 29 (tcp) failed: Connection refused
-z tells nc to scan for listening daemons only, without sending any data to them; -v enables verbose output. Read the results carefully: "Connection refused" means the host answered with a TCP RST, i.e. the port is closed but the host is reachable, whereas a probe that hangs until the timeout (set one with -w <seconds>) is being dropped by a firewall, i.e. the port is filtered. netcat can scan over both IPv4 (-4) and IPv6 (-6). Note that -z is supported by the OpenBSD netcat that Ubuntu installs by default (netcat-openbsd) but not by every netcat variant (nmap's ncat, for example, lacks it).

nmap

We have discussed nmap before, but as a review: nmap is an open source network exploration and security auditing tool that every Linux system or network administrator should know. It discovers live hosts, finds open ports and the services behind them, and can fingerprint operating systems and detect packet filters on remote hosts.
root@server1:~# nmap -v -r 192.168.10.128,138

Starting Nmap 7.01 ( https://nmap.org ) at 2018-07-31 03:02 PDT
Initiating ARP Ping Scan at 03:02
Scanning 192.168.10.138 [1 port]
Completed ARP Ping Scan at 03:02, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:02
Completed Parallel DNS resolution of 1 host. at 03:02, 0.14s elapsed
Initiating SYN Stealth Scan at 03:02
Scanning example.com (192.168.10.128) [1000 ports]
Discovered open port 21/tcp on 192.168.10.128
Completed SYN Stealth Scan at 03:02, 1.60s elapsed (1000 total ports)
Nmap scan report for example.com (192.168.10.128)
Host is up (0.0000080s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
21/tcp open  ftp

Initiating SYN Stealth Scan at 03:02
Scanning 192.168.10.138 [1000 ports]
Discovered open port 22/tcp on 192.168.10.138
Discovered open port 80/tcp on 192.168.10.138
Completed SYN Stealth Scan at 03:02, 14.28s elapsed (1000 total ports)
Nmap scan report for 192.168.10.138
Host is up (-0.0062s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:7A:7F:7B (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 2 IP addresses (2 hosts up) scanned in 16.29 seconds
           Raw packets sent: 4041 (177.772KB) | Rcvd: 2147 (90.800KB)
-v increases the verbosity of nmap's own progress output (the "Initiating ... / Completed ..." lines); it does not gather more information about the target. -r scans the ports consecutively instead of in random order. 192.168.10.128,138 is nmap's octet-range shorthand for the two addresses 192.168.10.128 and 192.168.10.138. Two other things are worth noticing in this output. First, nmap ran as root, so it used a SYN ("stealth") scan and an ARP ping for host discovery on the local LAN; as an unprivileged user it falls back to a full TCP connect scan. Second, the two hosts differ in what the unlisted ports are: "closed" on 192.168.10.128 means the host answered every probe with RST, while "filtered" on 192.168.10.138 means the probes went unanswered, so a firewall is dropping them, which is also why that scan took 14 seconds instead of 1.6.

telnet

Telnet is both a user command and an underlying TCP/IP protocol for accessing remote computers. Through Telnet an administrator or another user can log in to a remote machine interactively. HTTP and FTP let us request specific files from a remote computer but do not log us on as a user of that computer; with Telnet we log on as a regular user with whatever privileges have been granted to us on that system.
Telnet is one of the earliest remote login protocols on the Internet. It dates back to the early ARPANET in 1969 and was for a long time the default way to access remote networked computers. It is a client-server protocol that gives the user a terminal session on the remote host from the telnet client application. Because the protocol provides no built-in security measures, it suffers from serious security issues that limit its usefulness in environments where the network cannot be fully trusted. The use of Telnet over the public Internet should be avoided because of the risk of eavesdropping.
The most common use of the telnet command today is testing: connect to a TCP port to see whether the service answers and what banner it presents, as with this FTP server:
[root@host ~]# telnet 192.168.10.128 21
Trying 192.168.10.128...
Connected to 192.168.10.128.
Escape character is '^]'.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 04:38. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
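The nc, nmap and telnet runs above all boil down to the same two operations: attempt a TCP handshake and classify the outcome, then read whatever the service says first. The following is an added example (not code from the original page) that does both with only the Python standard library, against a listener it starts itself, so it can be run offline. The listener, the port numbers and the 220 banner are constructed for the demonstration; the three states it reports are the ones nmap uses.

```python
"""Added example (not from the original page): a TCP connect scan with a
banner grab, using only the Python standard library, doing what the
`nc -zv localhost 21-29`, `nmap` and `telnet 192.168.10.128 21` runs above
did. It reports the same three states nmap uses:
  open     - the TCP handshake completes
  closed   - the host answers with RST (nc's "Connection refused")
  filtered - no answer before the timeout (a firewall dropping the probe,
             as for the "998 filtered ports" host in the nmap output)
The listener, its port and its 220 banner are constructed for the demo.
"""
import errno
import socket
import threading


def probe(host, port, timeout=1.0):
    """Return (state, banner) for one TCP port; banner is '' unless open."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:                      # probe silently dropped
        s.close()
        return "filtered", ""
    except OSError as e:
        s.close()
        if e.errno in (errno.ECONNREFUSED, errno.ECONNRESET):
            return "closed", ""                 # RST: host up, nothing listening
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered", ""               # ICMP unreachable from a router
        raise
    try:
        # FTP, SMTP and SSH talk first; read what telnet would have shown us
        banner = s.recv(256).decode("ascii", "replace").strip()
    except (socket.timeout, OSError):
        banner = ""                             # open, but the server waits for us
    s.close()
    return "open", banner


def scan(host, ports, timeout=1.0):
    """Probe ports in the given order (like nmap -r); return {port: (state, banner)}."""
    return {p: probe(host, p, timeout) for p in ports}


class FakeFtp(threading.Thread):
    """Constructed listener that greets like the Pure-FTPd server in the telnet example."""
    BANNER = b"220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\r\n"

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))        # port 0: the kernel picks a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                     # listening socket closed: stop
                return
            conn.sendall(self.BANNER)
            conn.close()


def demo():
    """Scan one open port (the fake FTP) and one closed port on localhost."""
    svc = FakeFtp()
    svc.start()
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))                  # grab a free port number ...
    closed_port = tmp.getsockname()[1]
    tmp.close()                                 # ... and release it, so it is closed
    results = scan("127.0.0.1", [svc.port, closed_port])
    svc.sock.close()
    return svc.port, closed_port, results


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port, (state, banner) in sorted(results.items()):
        print(f"{port}/tcp\t{state}\t{banner}")
```

Against a remote host the "filtered" branch is the one to watch: a scan that reports everything as filtered usually means a firewall in front of the target, not an idle host, and lowering the timeout to speed things up converts slow-but-open ports into false "filtered" results.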

Telnet security problems

The Telnet session between client and server is not encrypted. Anyone with access to the TCP/IP packet flow between the communicating hosts can reconstruct the data that flows between the endpoints and read it, including the usernames and passwords used to log in to the remote machine. This attack requires very little expertise and can be performed with network debugging tools that are readily available (tcpdump or Wireshark on any host on the path will do).
Packet sniffing attacks like this were the underlying reason for developing SSH, and they were already the most common security problem on the Internet in the mid-1990s.

Replace insecure Telnet with Secure Shell (SSH)

SSH (Secure Shell) provides a secure alternative to Telnet. SSH protects user identities, passwords and data from network snooping, and allows secure logins and file transfers.
SSH has practically replaced Telnet; the older protocol is used these days only in rare cases to reach decades-old legacy equipment that does not support more modern protocols (and in organizations that simply do not care about security). If such equipment cannot be replaced, keep its Telnet port reachable only from an isolated management network.
For Unix and Linux operating systems the OpenSSH implementation comes with the operating system and can replace Telnet directly (see the previous course).

fail2ban

Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on our server. When an attempted compromise is detected, according to the configured parameters, Fail2ban adds a rule to iptables that blocks the attacker's IP address, either for a set amount of time or permanently. Fail2ban can also alert us by e-mail that an attack is occurring.
Fail2ban is primarily focused on SSH attacks, although it can be configured for any service that writes log files and can be subject to password guessing. Let's install it (Ubuntu):
root@server1:~# apt search fail2ban
Sorting... Done
Full Text Search... Done
fail2ban/xenial,xenial 0.9.3-1 all
  ban hosts that cause multiple authentication errors

roundcube-plugins-extra/xenial,xenial 1.1.3-20151025 all
  skinnable AJAX based webmail solution - extra plugins

root@server1:~# apt install fail2ban

root@server1:/etc/fail2ban# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset:
   Active: active (running) since Sat 2018-08-04 21:00:57 PDT; 5h 1min ago
     Docs: man:fail2ban(1)
 Main PID: 11717 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─11717 /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ba

Aug 04 21:00:56 server1 systemd[1]: Starting Fail2Ban Service...
Aug 04 21:00:57 server1 fail2ban-client[11714]: 2018-08-04 21:00:57,001 fail2ban
Aug 04 21:00:57 server1 fail2ban-client[11714]: 2018-08-04 21:00:57,002 fail2ban
Aug 04 21:00:57 server1 systemd[1]: Started Fail2Ban Service.

fail2ban configuration files

The fail2ban service keeps its configuration files in the /etc/fail2ban directory.
root@server1:~# cd /etc/fail2ban/
root@server1:/etc/fail2ban# ls -l
total 48
drwxr-xr-x 2 root root  4096 Aug  4 21:00 action.d
-rw-r--r-- 1 root root  2328 Jul 31  2015 fail2ban.conf
drwxr-xr-x 2 root root  4096 Aug  2  2015 fail2ban.d
drwxr-xr-x 3 root root  4096 Aug  4 21:00 filter.d
-rw-r--r-- 1 root root 18562 Jul 31  2015 jail.conf
drwxr-xr-x 2 root root  4096 Aug  4 21:00 jail.d
-rw-r--r-- 1 root root  1939 Jul 31  2015 paths-common.conf
-rw-r--r-- 1 root root   642 Jul 31  2015 paths-debian.conf
Fail2ban reads the .conf configuration files first, then the corresponding .local files, whose settings override them. Because of this, all changes to the configuration are made in .local files and the .conf files are left untouched, so that a package upgrade can replace the .conf files without losing our customizations.

Configure fail2ban.local

fail2ban.conf contains the configuration of the daemon itself: log level, log target, socket and PID files and the ban database. The defaults give a reasonable working setup. Any changes should go into a separate file, fail2ban.local, which overrides fail2ban.conf. Copying the whole file, as below, is the common approach; a fail2ban.local containing only the keys you actually change is cleaner, because a full copy pins every default even when a later package version changes it.
root@server1:/etc/fail2ban# cp fail2ban.conf fail2ban.local
root@server1:/etc/fail2ban# cat fail2ban.conf
# Fail2Ban main configuration file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in fail2ban.local file, e.g.:
#
# [Definition]
# loglevel = DEBUG
#

[Definition]

# Option: loglevel
# Notes.: Set the log level output.
# CRITICAL
# ERROR
# WARNING
# NOTICE
# INFO
# DEBUG
# Values: [ LEVEL ] Default: ERROR
#
loglevel = INFO

# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# If you change logtarget from the default value and you are
# using logrotate -- also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | FILE ] Default: STDERR
#
logtarget = /var/log/fail2ban.log

# Option: syslogsocket
# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
# auto uses platform.system() to determine predefined paths
# Values: [ auto | FILE ] Default: auto
syslogsocket = auto

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
# fail2ban server.
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid

# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
# A value of ":memory:" means database is only stored in memory
# and data is lost when fail2ban is stopped.
# A value of "None" disables the database.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
dbfile = /var/lib/fail2ban/fail2ban.sqlite3

# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 86400

Configuring jail.local Settings

On Debian and Ubuntu the sshd jail is enabled out of the box (the package installs a jail.d/defaults-debian.conf containing "[sshd] enabled = true"), whereas on CentOS no jail is enabled until you do it yourself. All other jails (HTTP, FTP, mail and so on) are disabled by default everywhere. To change this we create a jail.local for editing:
root@server1:/etc/fail2ban# cp jail.conf jail.local
jail.conf is a big configuration file, so we only look at the general settings and the SSH-related jails:
root@server1:/etc/fail2ban# cat jail.conf

#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 3600
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information



# Comments: use '#' for comment lines and ';' (following a space) for inline comments


[INCLUDES]

#before = paths-distro.conf
before = paths-debian.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
#
# Note: if systemd backend is choses as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn

# "logencoding" specifies the encoding of the log files handled by the jail
# This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
#
# auto: will use the system locale setting
logencoding = auto

# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false


# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = %(__name__)s


#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

# Sender email address used solely for some actions


# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action. Create a file jail.d/blocklist_de.local containing
# [Init]
# blocklist_de_apikey = {api key from registration]
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]

# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s


#
# JAILS
#

#
# SSH servers
#

[sshd]

port = ssh
logpath = %(sshd_log)s


[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port = ssh
logpath = %(sshd_log)s


[dropbear]

port = ssh
logpath = %(dropbear_log)s


[selinux-ssh]

port = ssh
logpath = %(auditd_log)s
maxretry = 5
Ban time and retry amount:
    ignoreip: IP addresses, CIDR ranges or DNS hosts that must never be banned, separated by spaces. The default of 127.0.0.1/8 keeps fail2ban from banning localhost; add your own management networks here, because a few mistyped passwords from your own workstation would otherwise lock you out.
    bantime: The length of time in seconds for which an IP is banned. A negative value makes the ban permanent. The default of 600 bans an IP for 10 minutes.
    findtime: The window, in seconds, within which failures are counted. If fail2ban is set to ban after five failed login attempts, those five attempts must occur within the findtime window, 600 seconds (10 minutes) by default. Failures older than findtime are forgotten.
    maxretry: How many failures from a single IP within findtime trigger a ban. The default in the jail.conf shown above is 5.
E-mail alerts:
    destemail: The address that should receive the notification e-mails.
    sendername: The name the e-mail appears to come from.
    sender: The e-mail address from which Fail2ban sends.

Service-specific jail configurations

    enabled: Whether the jail is turned on.
    port: The port(s) Fail2ban should block for this service. For the standard port the service name from /etc/services can be used; for a non-standard port give the number. For example, if we move SSH to port 3456 we replace ssh with 3456; otherwise the ban rule is written for port 22 and the attacker keeps getting through on 3456.
    filter: The name of the file in /etc/fail2ban/filter.d that contains the failregex used to parse the log file. The .conf suffix is not included.
    logpath: The location of the service's log file(s).
    maxretry: Overrides the global maxretry for this service; findtime and bantime can be overridden per jail the same way.
    action: Can be added if the default action is not suitable for the jail. The available actions are in the action.d directory.

Failregexes

Although Fail2ban ships with a number of filters, you may want to customize them or write your own. Fail2ban uses regular expressions (regex) to parse log files, looking for attempted break-ins and password failures. The patterns are Python regexes with a few fail2ban extensions, most importantly the <HOST> tag, which fail2ban expands to a pattern matching an IPv4/IPv6 address or hostname and whose match is the address that gets banned. A filter can be tested against a real log file before it is enabled with fail2ban-regex, e.g. fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf, which reports how many lines matched and which did not.
root@server1:/etc/fail2ban# ls
action.d       fail2ban.d      filter.d   jail.d      paths-common.conf
fail2ban.conf  fail2ban.local  jail.conf  jail.local  paths-debian.conf
root@server1:/etc/fail2ban# cd filter.d/
root@server1:/etc/fail2ban/filter.d# ls
3proxy.conf                exim.conf             postfix-sasl.conf
apache-auth.conf           exim-spam.conf        proftpd.conf
apache-badbots.conf        freeswitch.conf       pure-ftpd.conf
apache-botsearch.conf      froxlor-auth.conf     qmail.conf
apache-common.conf         groupoffice.conf      recidive.conf
apache-fakegooglebot.conf  gssftpd.conf          roundcube-auth.conf
apache-modsecurity.conf    guacamole.conf        selinux-common.conf
apache-nohome.conf         horde.conf            selinux-ssh.conf
apache-noscript.conf       ignorecommands        sendmail-auth.conf
apache-overflows.conf      kerio.conf            sendmail-reject.conf
apache-pass.conf           lighttpd-auth.conf    sieve.conf
apache-shellshock.conf     monit.conf            sogo-auth.conf
assp.conf                  mysqld-auth.conf      solid-pop3d.conf
asterisk.conf              nagios.conf           squid.conf
botsearch-common.conf      named-refused.conf    squirrelmail.conf
common.conf                nginx-botsearch.conf  sshd.conf
counter-strike.conf        nginx-http-auth.conf  sshd-ddos.conf
courier-auth.conf          nsd.conf              stunnel.conf
courier-smtp.conf          openwebmail.conf      suhosin.conf
cyrus-imap.conf            oracleims.conf        tine20.conf
directadmin.conf           pam-generic.conf      uwimap-auth.conf
dovecot.conf               perdition.conf        vsftpd.conf
dropbear.conf              php-url-fopen.conf    webmin-auth.conf
drupal-auth.conf           portsentry.conf       wuftpd.conf
ejabberd-auth.conf         postfix.conf          xinetd-fail.conf
exim-common.conf           postfix-rbl.conf
As you can see, sshd.conf and sshd-ddos.conf are the filters for the SSH service. Let's check it in action: we ssh from Ubuntu server2 to Ubuntu server1 (192.168.10.129) and enter several bad passwords. The transcript below is partial and the login name in the password prompts was not preserved:
user@192.168.10.129's password:
Permission denied, please try again.
user@192.168.10.129's password:
Permission denied, please try again.
user@192.168.10.129's password:
Permission denied (publickey,password).
user@192.168.10.129's password:
Permission denied, please try again.
user@192.168.10.129's password:
Permission denied, please try again.
user@192.168.10.129's password:
Permission denied (publickey,password).
user@192.168.10.129's password:
Permission denied, please try again.
user@192.168.10.129's password:


asdasd

asd
asd

asdasd^C
ssh: connect to host 192.168.10.129 port 22: Connection refused
The last password prompt never answered (the junk that follows is what was typed into the hung session before ^C), and the next connection attempt was refused outright. Let's see what fail2ban has done. It created an iptables chain f2b-sshd, hooked it into INPUT for tcp port 22 (that is the iptables-multiport banaction at work) and inserted a REJECT rule for 192.168.10.137; because the rule rejects with icmp-port-unreachable rather than silently dropping, the client saw "Connection refused" instead of a timeout. fail2ban-client status sshd and fail2ban.log confirm the ban: five "Found" lines within findtime, then the "Ban" notice, exactly as maxretry = 5 prescribes, and one more "Found" for a failure that arrived after the ban (hence "Total failed: 6"):
root@server1:/etc/fail2ban/filter.d# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A FORWARD -i ens38 -j ACCEPT
-A f2b-sshd -s 192.168.10.137/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN

root@server1:/etc/fail2ban/filter.d# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     6
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.10.137

root@server1:/etc/fail2ban/filter.d# cat /var/log/fail2ban.log
2018-08-05 23:11:34,928 fail2ban.filter  [16742]: INFO    [sshd] Found 192.168.10.137
2018-08-05 23:11:37,420 fail2ban.filter  [16742]: INFO    [sshd] Found 192.168.10.137
2018-08-05 23:11:49,375 fail2ban.filter  [16742]: INFO    [sshd] Found 192.168.10.137
2018-08-05 23:11:51,260 fail2ban.filter  [16742]: INFO    [sshd] Found 192.168.10.137
2018-08-05 23:12:02,017 fail2ban.filter  [16742]: INFO    [sshd] Found 192.168.10.137
2018-08-05 23:12:02,292 fail2ban.actions [16742]: NOTICE  [sshd] Ban 192.168.10.137
2018-08-05 23:12:03,686 fail2ban.filter  [16742]: INFO    [sshd] Found 192.168.10.137

Firewall vs IDS vs IPS

What is the difference?
Firewall: A device or application that inspects packet headers and enforces policy based on protocol type, source address, destination address, source port and/or destination port (iptables is the classic Linux example). Packets that do not match the policy are dropped or rejected; the payload is never examined.
Intrusion Detection System (IDS): A device or application that inspects whole packets, header and payload, looking for known attack signatures or anomalous behaviour. When something is detected, a log message or alert is generated describing the event; the traffic itself is not touched.
Intrusion Prevention System (IPS): The same inspection as an IDS, but placed inline so that a packet matching a signature is dropped (and usually logged) rather than merely reported.
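The three definitions above are easiest to tell apart when the same packets are run through all three. The following is an added example (not from the page and not Snort code) that does exactly that: a header-only firewall policy, an IDS that also matches a payload signature but only logs, and an IPS that turns the same match into a drop. The rule uses a small subset of Snort's rule syntax (action, protocol, source, destination, and msg/content/sid options) with a deliberately simplified parser; the packets, addresses and the rule itself are constructed.

```python
"""Added example (not from the page and not Snort code): the three behaviours
defined above applied to the same constructed packets. The firewall sees
headers only; the IDS also reads the payload but only logs; the IPS makes the
same match but drops. The rule uses a small subset of Snort's rule syntax
(action proto src sport -> dst dport (msg; content; sid;)) with a deliberately
simplified parser; the packets, addresses and rule are constructed."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""


# Header-only policy, as iptables would express it: (proto, dst net, dport, verdict)
FIREWALL_POLICY = [("tcp", "0.0.0.0/0", 22, "ACCEPT"), ("tcp", "0.0.0.0/0", 80, "ACCEPT")]
FIREWALL_DEFAULT = "DROP"


def firewall(pkt):
    """First matching header rule wins; the payload is never looked at."""
    for proto, net, dport, verdict in FIREWALL_POLICY:
        if (pkt.proto, pkt.dport) == (proto, dport) and \
                ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(net):
            return verdict
    return FIREWALL_DEFAULT


RULE_RE = re.compile(r"^(?P<action>alert|drop)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*"
                     r"\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


@dataclass
class Rule:
    action: str
    proto: str
    dport: str
    msg: str
    content: bytes
    sid: str


def parse_rule(text):
    """Parse 'alert tcp any any -> any 80 (msg:"..."; content:"..."; sid:N;)'."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    opts = dict(re.findall(r'(\w+):"?([^;"]*)"?;', m["opts"]))
    return Rule(m["action"], m["proto"], m["dport"], opts["msg"],
                opts["content"].encode(), opts["sid"])


def rule_matches(rule, pkt):
    """Header fields first, then the payload byte pattern (Snort 'content')."""
    if rule.proto != pkt.proto:
        return False
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    return rule.content in pkt.payload


def ids(rules, pkt):
    """IDS: list of alerts; the packet is never touched."""
    return [f"[{r.sid}] {r.msg}" for r in rules if rule_matches(r, pkt)]


def ips(rules, pkt):
    """IPS: same inspection, but a hit becomes a DROP verdict (still logged)."""
    hits = ids(rules, pkt)
    return ("DROP" if hits else "ACCEPT"), hits


RULES = [parse_rule('alert tcp any any -> any 80 '
                    '(msg:"Path traversal to /etc/passwd"; content:"/etc/passwd"; sid:1000001;)')]

PACKETS = {  # constructed: a normal web request, a traversal attempt, a telnet login
    "benign_http": Packet("tcp", "192.168.10.137", "192.168.10.138", 51000, 80,
                          b"GET /index.html HTTP/1.1\r\n"),
    "traversal": Packet("tcp", "192.168.10.137", "192.168.10.138", 51001, 80,
                        b"GET /../../etc/passwd HTTP/1.1\r\n"),
    "telnet": Packet("tcp", "192.168.10.137", "192.168.10.138", 51002, 23, b"root\r\n"),
}


def evaluate(pkts=PACKETS, rules=RULES):
    """Run every packet through all three and return the verdicts side by side."""
    return {name: {"firewall": firewall(p), "ids": ids(rules, p), "ips": ips(rules, p)[0]}
            for name, p in pkts.items()}


if __name__ == "__main__":
    for name, v in evaluate().items():
        print(f"{name:12s} firewall={v['firewall']:6s} ips={v['ips']:6s} ids={v['ids']}")
```

The traversal request is the interesting row: its headers are a perfectly ordinary HTTP connection, so the firewall accepts it, while the IDS raises the alert and the IPS drops it. The telnet row shows the opposite gap: no signature matches, so the IPS would let it through, and only the firewall policy stops it. That is why the three are layered rather than chosen between.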
Now let's look at two other security tools, OpenVAS and Snort:

OpenVAS (Open Vulnerability Assessment System) is a suite of tools that scans hosts for known vulnerabilities and reports and alerts on what it finds. The good news is that all OpenVAS components are free software, most of them licensed under the GNU General Public License (GPL).
    Uses a regularly updated feed of vulnerability tests (NVTs) covering remote services and applications.
    Identifies and reports security holes that are known or discovered in our environment.
    Tests configuration settings for security issues and highlights the changes to make.
    Commercial support and an enterprise edition are available from Greenbone, the company that maintains it.

Snort is a free, open source network intrusion detection system (IDS) created by Martin Roesch in 1998. It was later developed by Sourcefire, which Cisco acquired in 2013. The Snort engine itself remains free software (GPL) and a community rule set is free as well; the up-to-date "subscriber" rule set from Cisco Talos is a paid subscription, while registered users receive the same rules free of charge after a delay.
    Snort can help determine when someone or something is probing our system for vulnerabilities or attacking it with known vectors.
    Network traffic is analysed in real time ("sniffing") to determine if and when attacks are occurring.
    Snort can be run in three main modes:
    sniffer
    packet logger
    network intrusion detection
    In sniffer mode the program reads network packets and displays them on the console. In packet logger mode it logs packets to disk. In intrusion detection mode it monitors network traffic and analyses it against a rule set defined by the user, then performs the configured action for each match (alert or log, or drop when run inline as an IPS).
A good free, open source alternative to Snort is Suricata, which understands a largely compatible rule format.