Fred Stluka on 26 Aug 2018 17:45:48 -0700
Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...
Steve,
> So far I have no evidence that fail2ban is banning anything. No evidence in /var/log/fail2ban.log, even when I tried to su - to root 5 times fast with a wrong password. So I'll need to do some more study.
By default, fail2ban blocks an IP after failed attempts to login remotely via ssh. It doesn't watch local su commands. If it found failed attempts what would it block? The local IP address of the server itself? See what I mean?

To test it, try to ssh to the box without an SSL keypair, and specifying a wrong password. Do that a few times and you'll be blocked. Before you do, make sure you have another IP address that you can get in from while the 1st one is blocked. Use it to unblock the 1st IP address. Here's a script to do so:
- http://bristle.com/Tips/Unix/ipunblock_fail2ban

It calls this to beep when an error happens:
- http://bristle.com/Tips/Unix/beep

Are you also using logwatch and tripwire? Logwatch sends you counts of how many failed attempts there were. Fail2ban blocks persistent hackers. Tripwire tells you if anyone actually succeeded in breaking in. The 3 together make a really nice team. See:
- http://bristle.com/Tips/Unix.htm#unix_security

Tripwire reports changes to system files, which are usually caused by you intentionally making a change, not by a hacker. So, when there's a false positive like that, you have to tell tripwire to update its DB to accept the change. Here's a script to do so:
- http://bristle.com/Tips/Unix/tripwirereview

While I'm at it, you may like this script to create and install ssh keypairs on remote servers:
- http://bristle.com/Tips/Unix/authorize_ssh_key

It uses the beep script above and also this one:
- http://bristle.com/Tips/Unix/promptloop

Enjoy!
--Fred

------------------------------------------------------------------------
Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
#DontBeATrump -- Make America Honorable Again!
------------------------------------------------------------------------

On 8/26/18 10:58 AM, Steve Litt wrote:
> On Fri, 24 Aug 2018 18:38:04 -0400 Fred Stluka <fred@bristle.com> wrote:
>> Rich,
>>> For example, block access to ssh from all of Digital Ocean's blocks. Same for AWS
>> Please don't encourage people to block all access from AWS servers. My servers and those of almost all of my clients are hosted on AWS. So is the CIA, and other major parts of the US Govt. Also, major companies like Netflix, Adobe, GE, Kelloggs, BMW, etc. If you're going to ding AWS for having some ignorant, negligent, incompetent users, you may as well ding all Windows users, and many Linux users also. What large segment of the world is trustworthy enough to allow in? That's why I prefer fail2ban. 3 strikes and you're out, but until then, you're presumed innocent.
>> --Fred
>
> You're a good salesman, Fred. I just installed fail2ban.
>
> By the way, anyone with Void Linux, you're going to have to manually create directory /var/lib/fail2ban in order for fail2ban-server to auto-create the database. Whoops!
>
> Out of an abundance of caution and because I don't know my way around fail2ban, I've set my dbpurge to 600 seconds so worst comes to worst I'm locked out for 10 minutes. It came configured as a day.
>
> So far I have no evidence that fail2ban is banning anything. No evidence in /var/log/fail2ban.log, even when I tried to su - to root 5 times fast with a wrong password. So I'll need to do some more study.
>
> Thanks for the tip!
>
> SteveT
> Steve Litt
> September 2018 featured book: Quit Joblessness: Start Your Own Business
> http://www.troubleshooters.com/startbiz
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
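The sshd-versus-su distinction Fred makes in the message above, as an added illustration that is not code from the thread or from fail2ban itself: a minimal fail2ban-style matcher in Python run over constructed auth.log lines. It reuses fail2ban's option names `maxretry` and `findtime` as function parameters, assumes the sample is from 2018 (syslog stamps carry no year), and, as a simplification of this example rather than a statement about fail2ban's own filter, only bans when the `from` field is an IP literal, which is why a hostname-only line is counted but never banned and why a local `su` failure, with no remote address at all, gives it nothing to act on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed /var/log/auth.log-style lines (sample data, not taken from the thread).
SAMPLE_LOG = """\
Aug 26 17:40:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug 26 17:40:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Aug 26 17:40:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Aug 26 17:41:10 host su: FAILED SU (to root) steve on pts/0
Aug 26 17:41:12 host su: FAILED SU (to root) steve on pts/0
Aug 26 17:41:14 host su: FAILED SU (to root) steve on pts/0
Aug 26 17:42:00 host sshd[1300]: Failed password for root from badbox.example.net port 40000 ssh2
Aug 26 17:50:00 host sshd[1400]: Failed password for root from 198.51.100.9 port 40001 ssh2
"""
# sshd failure with an IP literal in the "from" field: the only kind this matcher can ban.
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")
SSHD_ANY_HOST = re.compile(r"sshd\[\d+\]: Failed password for .* from \S+ port")
SU_FAIL = re.compile(r" su: FAILED SU ")

def parse_ts(stamp, year=2018):  # syslog stamps carry no year; 2018 is assumed for the sample
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def classify(log):
    """Count failures that carry a bannable IP, a hostname only, or no remote address at all."""
    counts = {"sshd_ip": 0, "sshd_hostname": 0, "su_local": 0}
    for line in log.splitlines():
        if SSHD_FAIL.match(line):
            counts["sshd_ip"] += 1
        elif SSHD_ANY_HOST.search(line):
            counts["sshd_hostname"] += 1
        elif SU_FAIL.search(line):
            counts["su_local"] += 1
    return counts

def bans(log, maxretry=3, findtime=600):
    """Return {ip: ban time} for IPs with >= maxretry sshd failures within findtime seconds."""
    recent, banned = defaultdict(deque), {}
    for line in log.splitlines():
        m = SSHD_FAIL.match(line)
        if not m or m.group("ip") in banned:  # su and hostname-only lines never get this far
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:  # forget attempts older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned
```

Running `classify(SAMPLE_LOG)` shows three local su failures and one hostname-only line that produce no ban, while `bans(SAMPLE_LOG)` bans only 203.0.113.7 after its third failure inside the window.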