Saturday, June 25, 2016

Network Attacks. UFW is Working, but More is Needed.

More attacks on the server. Of course. UFW (Uncomplicated Firewall) is running, which is a must.

Unfortunately, the logs are still full of assholes trying to break in. Shit like this:

Jun 25 20:16:17 vbox sshd[38237]: Invalid user guest from 91.214.130.248
Jun 25 20:16:17 vbox sshd[38237]: input_userauth_request: invalid user guest [preauth]
Jun 25 20:16:17 vbox sshd[38237]: Received disconnect from 91.214.130.248: 11: Bye Bye [preauth]
Jun 25 20:16:18 vbox sshd[38239]: reverse mapping checking getaddrinfo for host-91.214.130.248.ardinvest.net [91.214.130.248] failed - POSSIBLE BREAK-IN ATTEMPT!


and...

Jun 25 21:57:32 vbox sshd[38342]: Received disconnect from 95.39.39.5: 11: disconnected by user [preauth]
Jun 25 22:02:43 vbox sshd[38345]: Received disconnect from 116.31.116.7: 11:  [preauth]
Jun 25 22:09:01 vbox CRON[38349]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 25 22:09:01 vbox CRON[38349]: pam_unix(cron:session): session closed for user root
Jun 25 22:09:51 vbox sshd[38371]: reverse mapping checking getaddrinfo for static.customer-201-116-53-85.uninet-ide.com.mx [201.116.53.85] failed - POSSIBLE BREAK-IN ATTEMPT!


There is more of course. Time to use another tool to make things a bit easier.

After some research, it appears that fail2ban comes highly recommended.


My amazing web writing skill enables me to simply regurgitate words from the fail2ban website:


"Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Fail2Ban is able to reduce the rate of incorrect authentication attempts; however, it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services."

Setting it up is easy enough. Plenty of tutorials for numerous Linux/OSS distributions out there. If you need a link, just ask. I will try and find a decent one for you.
I have set findtime to 480 seconds, maxretry to 3, and offenders are blocked for 6000 seconds (100 minutes).

So if I understand it correctly, if some prick tries 3 times within 480 seconds, he/she gets banned for 100 minutes.
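To make that understanding concrete, here is an added example (my own code, not from this post and not fail2ban's code) that replays sshd log lines through the same findtime / maxretry / bantime logic fail2ban applies: failures per source address are counted in a sliding window of findtime seconds, the address is banned for bantime seconds once maxretry failures land inside that window, and a new ban needs maxretry fresh failures after the old one expires. The log lines are constructed for the example (documentation-range addresses, not the ones in the post), the year is assumed to be 2016 because syslog timestamps carry none, and only sshd's "Invalid user ... from ..." line is matched, a simplification of fail2ban's real sshd filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the post: fail2ban's findtime / maxretry / bantime jail settings.
FINDTIME = 480    # seconds: window in which failures are counted
MAXRETRY = 3      # failures within that window that trigger a ban
BANTIME = 6000    # seconds the address stays banned (100 minutes)

# Constructed sample lines in sshd's syslog format, modeled on the ones quoted above.
# Addresses are from the 192.0.2.0/24 documentation range, not real hosts.
SAMPLE_LOG = """\
Jun 25 20:16:17 vbox sshd[38237]: Invalid user guest from 192.0.2.10
Jun 25 20:16:19 vbox sshd[38239]: Invalid user admin from 192.0.2.10
Jun 25 20:16:21 vbox sshd[38241]: Invalid user oracle from 192.0.2.10
Jun 25 20:16:25 vbox sshd[38243]: Invalid user test from 192.0.2.10
Jun 25 20:30:00 vbox sshd[38300]: Invalid user guest from 192.0.2.20
Jun 25 20:30:01 vbox CRON[38301]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 25 20:40:00 vbox sshd[38310]: Invalid user guest from 192.0.2.20
Jun 25 20:50:00 vbox sshd[38320]: Invalid user guest from 192.0.2.20
Jun 25 22:00:00 vbox sshd[38400]: Invalid user guest from 192.0.2.10
"""

# Only the "Invalid user <name> from <ip>" line is matched here; fail2ban's real sshd
# filter covers several more failure patterns (failed passwords, bad keys, ...).
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
TS_FMT = "%b %d %H:%M:%S"


def parse_ts(text, year=2016):
    """Syslog timestamps carry no year; assume the post's year so dates compare correctly."""
    return datetime.strptime(text, TS_FMT).replace(year=year)


def scan(log_text, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Replay the log and return bans as (ip, ban_start, ban_end) string tuples."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned_until = {}             # ip -> datetime when the current ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue                          # cron noise, disconnects, etc.
        ts, ip = parse_ts(m.group("ts")), m.group("ip")
        if ip in banned_until and ts < banned_until[ip]:
            continue                          # already banned; nothing more to do
        window = recent[ip]
        window.append(ts)
        # Slide the window: forget failures older than findtime seconds
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            expires = ts + timedelta(seconds=bantime)
            banned_until[ip] = expires
            bans.append((ip, ts.strftime(TS_FMT), expires.strftime(TS_FMT)))
            window.clear()                    # a new ban needs maxretry fresh failures
    return bans


if __name__ == "__main__":
    for ip, start, end in scan(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```

Run as-is, it bans 192.0.2.10 at 20:16:21 (third failure inside 480 seconds) until 21:56:21, and leaves 192.0.2.20 alone because its three failures are 600 seconds apart, so no 480-second window ever holds three of them; widen findtime to 1200 and the second address gets banned too. In a real jail the same three numbers go into the `[sshd]` section of `/etc/fail2ban/jail.local` as `findtime`, `maxretry` and `bantime`, and the ban action is a firewall rule rather than a list entry.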

Let's see how that works after a couple days.
