Tag Archive for Intrusion Prevention System

Safeguard Against Random Password Hacks

[Image: Partial map of the Internet based on the Janua... (via Wikipedia)]

Here is a great tool I ran across to protect your server from random password attacks, which I have been receiving recently from China.

Fail2ban scans log files and bans IP addresses that make repeated, unsuccessful attempts to access the server. It does this by updating the iptables rules to reject those IP addresses for a period of time that you define. It can also be configured to notify you when these events occur.

It's no high-end Intrusion Prevention System, but it does the job.

Fail2ban comes preconfigured to detect and block attacks on ports 22 (SSH), 25 (SMTP) and 80 (HTTP). Instructions for installing it on CentOS are detailed below, as well as for adding functionality for ProFTPD.

I love package management as opposed to compiling because it's clean and easy to maintain, so we will need to subscribe to repositories to install Fail2ban.

* Update the system

yum update

* Install DAG's GPG key

rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt

* Download the package (on a 64-bit system fetch the x86_64 build instead of i386)

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

* Verify the package you have downloaded before installing it; the output should report gpg OK

rpm -K rpmforge-release-0.3.6-1.el5.rf.*.rpm

Security warning: The rpmforge-release package imports GPG keys into your RPM database. As long as you have verified the package and trust Dag then it should be safe. Note that the key itself was fetched over plain HTTP, so the signature check only proves the package came from the holder of that key; compare the key's fingerprint against a copy obtained another way if you want more than that.

* Install the package

rpm -ivh rpmforge-release-0.3.6-1.el5.rf.*.rpm

This will add a yum repository config file and import the appropriate GPG keys. At this point, you can set the priority of the RPMForge repository, and also of the CentOS repositories if you have not done so yet.

* Test with this command:

yum check-update

* Update the system

yum update

* Install Fail2ban

yum install fail2ban

* Configure Fail2ban by editing and adding to /etc/fail2ban.conf (the single configuration file of the fail2ban 0.6 series, which the sections below assume; if your package installed /etc/fail2ban/jail.conf instead, you have the 0.8 series and its configuration layout differs)

# number of failures before an address is banned (the default is 5)
maxfailures = 3

# addresses and networks that are never banned: localhost, the server itself and your own network
ignoreip = 127.0.0.1 <the_server_IP> <network_you_want_excluded/24>

* Enable E-Mail Notification

[MAIL]
# Option:  enabled
# Notes.:  enable mail notification when banning an IP address.
# Values:  [true | false]  Default:  false
#
enabled = true

to = <your_email_address>

* Add ProFTPD functionality (the continuation lines of the multi-line fwstart and fwend values must be indented, or the config parser will not read them as part of the value; ProFTPD on CentOS logs authentication failures through syslog to /var/log/secure, which is why logfile points there)

[proftpd]
enabled = true
logfile = /var/log/secure
fwstart = iptables -N fail2ban-proftpd
          iptables -I INPUT -p tcp --dport ftp -j fail2ban-proftpd
          iptables -A fail2ban-proftpd -j RETURN
fwend = iptables -D INPUT -p tcp --dport ftp -j fail2ban-proftpd
        iptables -F fail2ban-proftpd
        iptables -X fail2ban-proftpd
fwcheck = iptables -L INPUT | grep -q fail2ban-proftpd
fwban = iptables -I fail2ban-proftpd 1 -s <ip> -j DROP
fwunban = iptables -D fail2ban-proftpd -s <ip> -j DROP
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = Maximum login attempts|no such user found|Failed password

* Set it to startup automatically with the system

chkconfig --levels 235 fail2ban on

* Start Fail2ban and walk away

/etc/init.d/fail2ban start
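To make clear what the settings above actually do before you walk away, here is an added example in Python (Fail2ban's own language); it is not code from the original post or from the Fail2ban project. It replays constructed /var/log/secure lines through the configuration: failregex decides whether a line is a failure, timeregex and timepattern pull out the timestamp, the first IPv4 address in the line is taken as the attacker (the way the 0.6 series did it), anything matching ignoreip is skipped, failures are counted per address inside a findtime window (assumed at Fail2ban's default of 600 seconds, since the page does not set it), and the fwban template is expanded for any address that reaches maxfailures. The sample log lines, the server and network addresses in ignoreip, and the year 2009 used to complete the year-less syslog timestamps are all assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime

# Settings taken from the /etc/fail2ban.conf sections above. findtime is
# assumed at Fail2ban's default (600 s). The %% in the config file is escaping
# for its parser; the Python strptime pattern uses single % signs.
CONFIG = {
    "maxfailures": 3,
    "findtime": 600,
    "ignoreip": "127.0.0.1 192.0.2.10 10.0.0.0/24",  # assumed server/admin net
    "timeregex": r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}",
    "timepattern": "%b %d %H:%M:%S",
    "failregex": r"Maximum login attempts|no such user found|Failed password",
    "fwban": "iptables -I fail2ban-proftpd 1 -s <ip> -j DROP",
}

IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")  # how 0.6 located the address
LOG_YEAR = 2009  # syslog timestamps carry no year; assumed for the samples

# Constructed /var/log/secure excerpt (not real traffic): three ProFTPD
# failures plus one non-matching line from 203.0.113.7, one sshd failure from
# 198.51.100.23, and one failure from the ignored admin network.
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 proftpd[4021]: web1 (203.0.113.7[203.0.113.7]) - USER bob: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21
Mar  3 10:15:04 web1 proftpd[4022]: web1 (203.0.113.7[203.0.113.7]) - USER root (Login failed): Incorrect password
Mar  3 10:15:09 web1 proftpd[4023]: web1 (203.0.113.7[203.0.113.7]) - USER admin: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21
Mar  3 10:15:12 web1 proftpd[4024]: web1 (203.0.113.7[203.0.113.7]) - Maximum login attempts (3) exceeded
Mar  3 10:16:40 web1 sshd[4101]: Failed password for invalid user test from 198.51.100.23 port 50122 ssh2
Mar  3 10:17:02 web1 proftpd[4130]: web1 (10.0.0.5[10.0.0.5]) - USER alice: no such user found from 10.0.0.5 [10.0.0.5] to 192.0.2.10:21
"""

# Constructed excerpt where three failures are 12 minutes apart, i.e. never
# three inside one 600 s findtime window, so no ban should result.
SLOW_LOG = """\
Mar  3 10:00:00 web1 proftpd[5001]: web1 (198.51.100.9[198.51.100.9]) - USER eve: no such user found from 198.51.100.9 [198.51.100.9] to 192.0.2.10:21
Mar  3 10:12:00 web1 proftpd[5002]: web1 (198.51.100.9[198.51.100.9]) - USER eve: no such user found from 198.51.100.9 [198.51.100.9] to 192.0.2.10:21
Mar  3 10:24:00 web1 proftpd[5003]: web1 (198.51.100.9[198.51.100.9]) - USER eve: no such user found from 198.51.100.9 [198.51.100.9] to 192.0.2.10:21
"""


def parse_ignoreip(value):
    """Turn the space-separated ignoreip list into networks (a bare address is a /32)."""
    return [ipaddress.ip_network(item, strict=False) for item in value.split()]


def is_ignored(ip, networks):
    """True if the address falls inside any ignoreip entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_line(line, cfg):
    """Return (unix_time, ip) when the line is a failure, otherwise None."""
    if not re.search(cfg["failregex"], line):
        return None
    m_time = re.search(cfg["timeregex"], line)
    m_ip = IP_RE.search(line)
    if not m_time or not m_ip:
        return None
    when = datetime.strptime(m_time.group(0), cfg["timepattern"]).replace(year=LOG_YEAR)
    return when.timestamp(), m_ip.group(0)


def scan(log_text, cfg):
    """Replay a log; return ({ip: failures still inside the window}, [banned ips]).

    The window is measured from each address's newest failure so the replay is
    deterministic; the real daemon measures it from the current time.
    """
    ignored = parse_ignoreip(cfg["ignoreip"])
    failures = {}
    banned = []
    for line in log_text.splitlines():
        hit = parse_line(line, cfg)
        if hit is None:
            continue
        when, ip = hit
        if is_ignored(ip, ignored) or ip in banned:
            continue
        recent = [t for t in failures.get(ip, []) if when - t <= cfg["findtime"]]
        recent.append(when)
        failures[ip] = recent
        if len(recent) >= cfg["maxfailures"]:
            banned.append(ip)
    return {ip: len(ts) for ip, ts in failures.items()}, banned


def ban_command(ip, cfg):
    """Expand the fwban template by substituting the <ip> placeholder."""
    return cfg["fwban"].replace("<ip>", ip)


if __name__ == "__main__":
    counts, banned = scan(SAMPLE_LOG, CONFIG)
    print("failures per address:", counts)
    for ip in banned:
        print("would run:", ban_command(ip, CONFIG))
```

Run it as a script to see which addresses in the sample cross maxfailures and the exact iptables command the fwban line would produce for each; the SLOW_LOG sample shows that the same number of failures spread wider than findtime never triggers a ban, which is why maxfailures and findtime have to be tuned together.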
