Sekiur My Thoughts

VoIP, Mobility, Security, Open Source, Science, Politics, and Technology.

Archive for February 5th, 2009

Safeguard Against Random Password Hacks



Here is a great tool I ran across to protect your server from the random password attacks I have been receiving recently from China.

Fail2ban scans log files and bans IP addresses that make repeated unsuccessful attempts to access the server, updating the iptables rules to reject those addresses for a period of time that you define. It can also be configured to notify you once these events occur.

It's no high-end Intrusion Prevention System, but it does the job.

Fail2ban comes preconfigured to detect and block attacks on ports 22 (SSH), 25 (SMTP) and 80 (HTTP). Instructions for installing it on CentOS are detailed below, along with adding support for ProFTPD.

I love package management as opposed to compiling because it's clean and easy to maintain, so we will need to subscribe to repositories to install Fail2ban.

* Update the system

yum update

* Install DAG’s GPG key

rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt

* Verify the package you have downloaded

rpm -K rpmforge-release-0.3.6-1.el5.rf.*.rpm

Security warning: The rpmforge-release package imports GPG keys into your RPM database. As long as you have verified the package and trust Dag, it should be safe.

* Download and Install the package

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -ivh rpmforge-release-0.3.6-1.el5.rf.*.rpm

This will add a yum repository config file and import the appropriate GPG keys. At this point, you can set the priority of the RPMForge repository, and also of the CentOS repositories if you have not done so yet.

* Test with this command:

yum check-update

* Update the system

yum update

* Install Fail2ban

yum install fail2ban

* Configure Fail2ban by editing and adding to /etc/fail2ban.conf

maxfailures = 3 (the default is 5)

ignoreip = 127.0.0.1 <the_server_IP> <network_you_want_excluded/24>

* Enable E-Mail Notification

[MAIL]
# Option:  enabled
# Notes.:  enable mail notification when banning an IP address.
# Values:  [true | false]  Default:  false
#
enabled = true

to = <your_email_address>

* Add ProFTPD functionality

[proftpd]
enabled = true
logfile = /var/log/secure
fwstart = iptables -N fail2ban-proftpd
          iptables -I INPUT -p tcp --dport ftp -j fail2ban-proftpd
          iptables -A fail2ban-proftpd -j RETURN
fwend = iptables -D INPUT -p tcp --dport ftp -j fail2ban-proftpd
        iptables -F fail2ban-proftpd
        iptables -X fail2ban-proftpd
fwcheck = iptables -L INPUT | grep -q fail2ban-proftpd
fwban = iptables -I fail2ban-proftpd 1 -s <ip> -j DROP
fwunban = iptables -D fail2ban-proftpd -s <ip> -j DROP
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = Maximum login attempts|no such user found|Failed password

* Set it to startup automatically with the system

chkconfig --levels 235 fail2ban on

* Start Fail2ban and walk away

/etc/init.d/fail2ban start
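To make clear what the configuration above actually does once the service is running, here is an added example (my own illustration, not Fail2ban's code) that replays the same detection logic in Python over a handful of constructed /var/log/secure lines: it matches the post's failregex alternation and timeregex/timepattern, counts failures per source IP inside a sliding window, skips addresses covered by ignoreip, and renders the fwban template for each address that would be banned. The 600-second window (Fail2ban's findtime), the 10.0.0.0/24 excluded network, and the log lines themselves are assumptions; nothing is executed against iptables.

```python
"""Fail2ban-style log scan in miniature (added illustration, not Fail2ban's own code)."""
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Settings taken from the post's fail2ban.conf fragments.
MAXFAILURES = 3
FINDTIME = 600                               # seconds; assumed window, like Fail2ban's findtime
IGNOREIP = ["127.0.0.1", "10.0.0.0/24"]      # 10.0.0.0/24 stands in for <network_you_want_excluded/24>
TIMEREGEX = re.compile(r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
TIMEPATTERN = "%b %d %H:%M:%S"               # the post's %%b %%d ... with the ini escaping removed
FAILREGEX = re.compile(r"Maximum login attempts|no such user found|Failed password")
HOSTREGEX = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")   # first IPv4 address on the line is the offender
FWBAN = "iptables -I fail2ban-proftpd 1 -s <ip> -j DROP"

# Constructed sample log modelled on /var/log/secure; not real traffic.
SAMPLE_LOG = """\
Feb  5 14:01:10 host sshd[2101]: Failed password for root from 203.0.113.7 port 4022 ssh2
Feb  5 14:01:12 host sshd[2102]: Failed password for root from 203.0.113.7 port 4023 ssh2
Feb  5 14:01:15 host sshd[2103]: Accepted publickey for jose from 192.0.2.9 port 5000 ssh2
Feb  5 14:01:20 host proftpd[2200]: 192.0.2.9 - no such user found
Feb  5 14:01:40 host sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 4024 ssh2
Feb  5 14:02:00 host proftpd[2201]: 10.0.0.5 - Maximum login attempts (3) exceeded
Feb  5 14:02:01 host proftpd[2202]: 10.0.0.5 - Maximum login attempts (3) exceeded
Feb  5 14:02:02 host proftpd[2203]: 10.0.0.5 - Maximum login attempts (3) exceeded
Feb  5 14:05:00 host sshd[2105]: Failed password for root from 198.51.100.4 port 6000 ssh2
Feb  5 14:10:00 host sshd[2106]: Failed password for root from 198.51.100.4 port 6001 ssh2
Feb  5 14:30:00 host sshd[2107]: Failed password for root from 198.51.100.4 port 6002 ssh2
Feb  5 14:31:00 host sshd[2108]: Failed password for root from 203.0.113.7 port 4025 ssh2
"""


def parse_line(line):
    """Return (timestamp, ip) for a failed-login line, or None if it is not one."""
    if not FAILREGEX.search(line):
        return None
    stamp = TIMEREGEX.search(line)
    host = HOSTREGEX.search(line)
    if not stamp or not host:
        return None
    # Syslog lines carry no year; strptime fills in 1900, which is fine for differences.
    return datetime.strptime(stamp.group(0), TIMEPATTERN), host.group(0)


def is_ignored(ip):
    """True when ip falls inside any ignoreip entry (single hosts are /32 networks)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)


def scan(log_text, maxfailures=MAXFAILURES, findtime=FINDTIME):
    """Replay the log and return, in order, the IPs that reach maxfailures within findtime."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, ip = parsed
        if is_ignored(ip) or ip in banned:
            continue
        recent = window[ip]
        recent.append(when)
        # Drop failures that fell out of the window before counting.
        while recent and (when - recent[0]).total_seconds() > findtime:
            recent.popleft()
        if len(recent) >= maxfailures:
            banned.append(ip)
    return banned


def ban_command(ip):
    """Fill the fwban template the way Fail2ban substitutes <ip>."""
    return FWBAN.replace("<ip>", ip)


if __name__ == "__main__":
    for offender in scan(SAMPLE_LOG):
        print(ban_command(offender))
```

Running it bans only 203.0.113.7: 192.0.2.9 has a single failure, 10.0.0.5 is covered by ignoreip, and 198.51.100.4 never accumulates three failures inside one 600-second window. Widening findtime to an hour would catch 198.51.100.4 as well, which is the trade-off maxfailures and the window make between catching slow guessing and banning a user who simply mistypes a password.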


Written by Jose Vicente Ortega

February 5th, 2009 at 3:08 pm

Finding a Needle in a Haystack


I am going to go out on a limb and assert that over 80% of IT shops do not take security seriously and even those who do are not proactive about it.

Whenever an anomaly hits the network, system admins and network engineers hit the logs in an attempt to figure out what is going on.

Ideally you will have a centralized server running "syslog", gathering logs from every device on the network that can emit them.

Unfortunately, unless you're "Neo" from the movie "Matrix", it will be almost impossible to make sense of, interpret, or pick up patterns from the vast amount of data in these logs.

This is where a good log analyzer comes in. There are well-known log analyzers out there for web traffic, including AWStats, Analog, WebLogExpert, Webalizer and WebTrends, but something more comprehensive is needed when it comes to security.

Unmatched as a security log analysis tool, "Splunk" gathers data from traps, alerts, syslog and SNMP as well as imported logs, and lets you graph and search it via a simple web interface. In addition to helping find threats and dangerous trends, it can generate nice reports of your findings.

On the commercial front Sawmill looks like a good product, but I will need to demo and review it.


Written by Jose Vicente Ortega

February 5th, 2009 at 12:21 pm