Score:1

fail2ban initial setup - guidance


From my basic understanding of iptables, I put together the setup below, intended to run a Tor relay. Here it is after approximately 6 hours. Please note, I do not want to discuss any Tor operations, so please do not point me to https://tor.stackexchange.com/. Thank you.

There was a large attack on port 22, which I spotted when I woke up, so I've changed it. Password authentication was already disabled, but the person/bot tried to break in anyway. I have an 8192-bit RSA public/private key, so I hope it will be enough.


# iptables -L -v --line-numbers

outputs:

Chain INPUT (policy DROP 8242 packets, 735K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       tcp  --  any    any     anywhere             anywhere             ctstate NEW tcp flags:!FIN,SYN,RST,ACK/SYN /* protection: non-syn packets */
2       10   452 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID /* protection: malformed packets */
3       20  1000 ACCEPT     all  --  lo     any     anywhere             anywhere             /* loopback: compulsory */
4        3    98 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request limit: avg 2/sec burst 5 /* ICMP: ping only */
5    16625 9388K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* traffic */
6        7   420 ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW,ESTABLISHED tcp dpt:xxyyzz /* SSH: global obfuscated */  <-- CENSORED
7      438 26080 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:9001 /* Tor: OR */
8      558 30828 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:9030 /* Tor: Dir */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 16969 packets, 6369K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

I would like to deploy fail2ban, but I have never used it, so I found several guides to set it up. I believe we should have an example on this site; I did find too many results for fail2ban alone, but nothing relevant to a fail2ban initial setup.

If this for whatever reason can't be done here, please comment and I'll delete this question later on.

System: Debian GNU/Linux 11 (bullseye) with openssh-server for ssh service.

Thank you in advance!

PS: Migrated from https://security.stackexchange.com/

Score:1

Installing f2b on deb is fairly simple. I had written about it in a post before (https://dev.slickalpha.blog/2019/11/installing-lemp-stack-on-debian-buster.html#sv-fail2ban).

First, install f2b:

apt install fail2ban -y

Copy the config to a local file:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

and make your edits in the local file:

nano /etc/fail2ban/jail.local

Update the default values (port 22 is pre-enabled on f2b):

[DEFAULT]
...
# MISCELLANEOUS OPTIONS...
bantime  = 86400
findtime  = 86400
maxretry = 2

Restart f2b:

/etc/init.d/fail2ban restart

Check the status of the sshd jail (port 22):

fail2ban-client status sshd

Apart from this, using a key with a passphrase should be enough. You can always fine-tune f2b.

Update:

Fail2ban basically checks logs for IPs using regex filters and blocks the matching IPs using iptables.

To list the enabled jails (regex filters for a service in f2b):

fail2ban-client status

To defend a custom port or service, check whether regex filters for that service are present:

ls /etc/fail2ban/filter.d

If they are present, say jail-name.conf, just enable them in the f2b local file:

nano /etc/fail2ban/jail.local

using the syntax

[jail-name]
..options..

Let's say sshd was not enabled; add enabled = true to the sshd jail:

[sshd]
enabled = true
....

To test the jails against your logs and update the regex if matches are missing:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

If jails do not exist for a service or port, check online for those filters, add them to /etc/fail2ban/filter.d and enable them in the local config file.
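An added example, not from the answer and not fail2ban's own code, on the jail.local step. fail2ban reads jail.conf and then jail.local and lets the .local keys win, so the override file only needs the keys you change rather than a full copy of jail.conf. The script models that merge with Python's configparser (the module fail2ban's own config reader extends) and shows the one setting that matters for a relocated SSH port: the shipped sshd jail says port = ssh, so unless jail.local declares the new port the ban rule fail2ban installs covers port 22 only. The trimmed JAIL_CONF text, the port 2222 and the output directory are constructed placeholders.

```python
"""Model of how fail2ban layers jail.local over jail.conf (added example,
not fail2ban's own code). JAIL_CONF, port 2222 and paths are constructed."""
import configparser
from pathlib import Path

# Constructed, trimmed stand-in for the jail.conf the package ships; the
# real file is far longer, these are just the keys the override touches.
JAIL_CONF = """\
[DEFAULT]
bantime  = 10m
findtime = 10m
maxretry = 5
banaction = iptables-multiport

[sshd]
port    = ssh
logpath = /var/log/auth.log
"""


def render_jail_local(ssh_port, bantime=86400, findtime=86400, maxretry=2):
    """Return a jail.local that carries only the overrides.

    Values mirror the answer (one-day bantime/findtime, two retries); the
    [sshd] block enables the jail and points it at the relocated SSH port."""
    return (
        "[DEFAULT]\n"
        f"bantime  = {bantime}\n"
        f"findtime = {findtime}\n"
        f"maxretry = {maxretry}\n"
        "\n"
        "[sshd]\n"
        "enabled = true\n"
        f"port    = {ssh_port}\n"
    )


def effective_jail(conf_text, local_text, jail="sshd"):
    """Read .conf then .local into one parser, as fail2ban does, and return
    the resulting jail options; [DEFAULT] keys are inherited by the jail."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    cp.read_string(local_text)  # second read: matching keys are replaced
    return dict(cp[jail])


def write_jail_local(config_dir, ssh_port, **overrides):
    """Write jail.local under config_dir (/etc/fail2ban on a real host) and
    return its path; jail.conf itself is left untouched."""
    path = Path(config_dir) / "jail.local"
    path.write_text(render_jail_local(ssh_port, **overrides))
    return path


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        local = write_jail_local(tmp, ssh_port=2222)
        merged = effective_jail(JAIL_CONF, local.read_text())
        # Without "port = 2222" the jail would still guard "ssh" (port 22).
        print(f"{local}: sshd jail guards port {merged['port']}, "
              f"maxretry={merged['maxretry']}, bantime={merged['bantime']}")
```

After placing the file as /etc/fail2ban/jail.local on the host, `fail2ban-client -d` dumps the configuration fail2ban actually loaded, which is the quickest way to confirm that the sshd jail picked up the custom port before relying on it.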

Ajay Singh: Which port are you using, and is this custom port for Tor?

Ajay Singh: I've updated the post for custom ports and services. You can also limit the ports directly using iptables (as mentioned in the linked post) and watch the logs of the services that you use and add attack requests to fail2ban.
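The comment above suggests watching the logs of the services you run. As an added example (not fail2ban's code; its regex is modelled on a few of the lines fail2ban's sshd filter matches, not copied from it), the script below does in miniature what a jail does: pull the source address out of each failed-login line, count failures per address inside a sliding findtime window, and ban an address for bantime seconds once it reaches maxretry. Instead of calling iptables it returns the commands the iptables-multiport action would issue, which also shows why fail2ban coexists with the INPUT policy DROP ruleset in the question: the per-jail chain is inserted at position 1 of INPUT, ahead of every ACCEPT rule. The log lines use documentation addresses and are constructed, as are the hostname, the year and the port 2222.

```python
"""Toy model of a fail2ban jail over sshd log lines (added example, not
fail2ban's code). The sample log, hostname, year and port are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog timestamps carry no year; the sample is pinned to one (constructed).
YEAR = 2022

# Modelled on (not copied from) three kinds of line the sshd filter matches.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed (?:password|publickey) for (?:invalid user )?\S+ from "
    r"|Connection closed by authenticating user \S+ )"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: one noisy address, one legitimate user with a stale key.
SAMPLE_LOG = """\
Mar  3 04:05:06 relay sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 04:05:09 relay sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar  3 04:05:10 relay sshd[1003]: Connection closed by authenticating user root 203.0.113.7 port 40003 [preauth]
Mar  3 04:06:00 relay sshd[1004]: Accepted publickey for tor from 198.51.100.5 port 50000 ssh2: RSA SHA256:abc
Mar  3 04:07:00 relay sshd[1005]: Failed publickey for tor from 198.51.100.5 port 50001 ssh2: RSA SHA256:def
Mar  4 05:00:00 relay sshd[1006]: Failed publickey for tor from 198.51.100.5 port 50002 ssh2: RSA SHA256:def
""".splitlines()


def parse_ts(stamp):
    """Turn a syslog 'Mon dd HH:MM:SS' stamp into a datetime (year assumed)."""
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def jail_start_commands(port, jail="sshd"):
    """Chain setup modelled on the iptables-multiport action: a per-jail
    chain hooked at the top of INPUT, so it runs before any ACCEPT rule."""
    chain = f"f2b-{jail}"
    return [
        f"iptables -N {chain}",
        f"iptables -A {chain} -j RETURN",
        f"iptables -I INPUT -p tcp -m multiport --dports {port} -j {chain}",
    ]


def scan(lines, maxretry=2, findtime=86400, bantime=86400, jail="sshd"):
    """Replay log lines through a jail with the given thresholds.

    Returns (ban_commands, banned_until): the iptables commands the jail
    would have run, and each banned address with its ban expiry."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned_until = {}             # ip -> datetime the ban lapses
    commands = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # not a failure line; the filter ignores it
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already banned: the address cannot reach sshd
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
            commands.append(
                f"iptables -I f2b-{jail} 1 -s {ip} -j REJECT "
                f"--reject-with icmp-port-unreachable"
            )
    return commands, banned_until


if __name__ == "__main__":
    for cmd in jail_start_commands(2222):
        print(cmd)
    bans, expiry = scan(SAMPLE_LOG)
    for cmd in bans:
        print(cmd)
    for ip, until in expiry.items():
        print(f"{ip} banned until {until}")
```

With the answer's values (maxretry = 2, findtime = 86400) the noisy address is banned on its second failure and its third line is never counted, while the legitimate user's two failures sit more than a day apart and never trip the jail; widen findtime to a week and that address is banned too, which is the trade-off the two numbers encode. The same window logic is what `fail2ban-regex` exercises against a real auth.log when you check a filter.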