Category Archives: Business Security

A little continuation of my fail2ban post

Recently I was able to capture some real data from my server's fail2ban logs.

This is how fail2ban logs a banned IP:

2012-10-21 12:54:16,032 fail2ban.actions: WARNING [ssh] Ban 112.4.172.217
2012-10-22 17:05:48,080 fail2ban.actions: WARNING [ssh] Ban 222.73.24.10
2012-10-22 18:36:55,892 fail2ban.actions: WARNING [ssh] Ban 202.96.199.150
2012-10-22 23:23:10,053 fail2ban.actions: WARNING [ssh] Ban 111.74.82.33
2012-10-23 05:06:53,861 fail2ban.actions: WARNING [ssh] Ban 74.206.235.92
2012-10-23 13:11:05,652 fail2ban.actions: WARNING [ssh] Ban 112.216.140.51
2012-10-24 19:31:55,504 fail2ban.actions: WARNING [ssh] Ban 60.161.124.10
2012-10-24 22:52:47,324 fail2ban.actions: WARNING [ssh] Ban 125.210.190.190
2012-10-25 04:20:06,184 fail2ban.actions: WARNING [ssh] Ban 109.163.234.238
2012-10-26 11:11:12,332 fail2ban.actions: WARNING [ssh] Ban 122.139.60.134

Very straightforward and easy to understand, which is always a good feature. Now let's look at the iptables entries:

DROP       all  --  122.139.60.134       0.0.0.0/0
DROP       all  --  109.163.234.238      0.0.0.0/0
DROP       all  --  125.210.190.190      0.0.0.0/0
DROP       all  --  60.161.124.10        0.0.0.0/0
DROP       all  --  112.216.140.51       0.0.0.0/0
DROP       all  --  74.206.235.92        0.0.0.0/0
DROP       all  --  111.74.82.33         0.0.0.0/0
DROP       all  --  202.96.199.150       0.0.0.0/0
DROP       all  --  222.73.24.10         0.0.0.0/0
DROP       all  --  112.4.172.217        0.0.0.0/0
DROP       all  --  31.3.214.241         0.0.0.0/0
DROP       all  --  193.104.68.200       0.0.0.0/0
DROP       all  --  219.146.225.147      0.0.0.0/0
DROP       all  --  64.185.226.120       0.0.0.0/0
DROP       all  --  58.221.252.194       0.0.0.0/0
DROP       all  --  212.68.50.132        0.0.0.0/0
DROP       all  --  205.251.141.29       0.0.0.0/0
DROP       all  --  121.10.140.215       0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

fail2ban, as I say in my post, is a must-have for SSH-based security.
With dynamic editing of the iptables firewall and clear logs, it really is
an admin's must-have app.

Stay secure!

Protecting your Linux SSH server with fail2ban

Protecting your public servers is crucial. We have talked before, in a previous post, about how to mitigate SSH attacks on a Cisco router; now let's talk about SSH on a server.

An SSH server is no different: you still have the same issues to fend off, from DDoS attacks to brute-force attacks, and SSH servers such as OpenSSH are vulnerable to these. Here is a good module you can install on any Linux-based server to protect against a brute-force attack on your SSH service.

There is a free, open-source product called fail2ban: www.fail2ban.org/

This free solution scans the log files of the SSH service and looks for a set of criteria, mostly some number of failed login attempts on the SSH service, and then creates a rule in the iptables firewall which will drop all future traffic from the offending IP to the SSH port. It also supports FTP applications such as Pure-FTPd in the same way.

The steps below assume you are using a Debian-based distribution of Linux; in our example we are using Ubuntu Server 12.04.

To install this application, run the following command from your terminal window:

sudo apt-get install fail2ban

Once the package is installed we can start configuring it.
Fail2ban uses a file called jail.conf to set parameters such as the maximum number of attempts
before banning the offending IP.

The jail.conf file is located in /etc/fail2ban.

Once in the proper directory we can edit the config file using a text editor; I personally like the vi editor.

So you would issue the following command:

sudo vi jail.conf

This will open the fail2ban configuration file.
In this configuration file you are going to look for a section that looks like this:

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3

The above configuration allows 3 unsuccessful attempts (the default is 6) before banning the offending IP address. You can change the log file name and path if you like. Also, by default there will be a # symbol before enabled; you will want to remove that symbol to enable this rule, or you can just copy and paste the config above.

Once you have matched the default config to the one above, save the file in the vi editor using :wq in command mode.

You have now completed the setup of fail2ban for the SSH service.

View Banned IP addresses 

In order to see which IPs have been banned, issue the following command:

sudo iptables -L -n

Look through the output for the fail2ban chain.
Banned IP addresses will show up as DROP entries like the one below:

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  10.10.10.10          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Remove banned IP addresses

In order to remove an IP address from the banned list, issue the following command:

sudo iptables -D fail2ban-ssh -s 10.10.10.10 -j DROP

This will allow the IP to reach the server again.
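As an added example (not code from the original posts), the following Python script cross-checks the two views shown on this page: the Ban/Unban lines of the fail2ban log, in the format captured in the continuation post above, against the DROP rules of the fail2ban-ssh chain as printed by `sudo iptables -L -n`. The log text and chain output are constructed samples; an IP removed by hand with `iptables -D`, as in the step above, is the case that shows up as banned in the log but absent from the chain, because fail2ban never logs an Unban for it.

```python
import re
# Constructed sample of fail2ban log lines, in the format shown in the post above.
FAIL2BAN_LOG = """\
2012-10-21 12:54:16,032 fail2ban.actions: WARNING [ssh] Ban 112.4.172.217
2012-10-22 17:05:48,080 fail2ban.actions: WARNING [ssh] Ban 222.73.24.10
2012-10-22 18:36:55,892 fail2ban.actions: WARNING [ssh] Ban 202.96.199.150
2012-10-23 05:06:53,861 fail2ban.actions: WARNING [ssh] Unban 222.73.24.10
"""
# Constructed sample of the fail2ban-ssh chain as printed by `sudo iptables -L -n`.
IPTABLES_OUTPUT = """\
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  112.4.172.217        0.0.0.0/0
DROP       all  --  10.10.10.10          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LOG_RE = re.compile(r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>%s)$" % IPV4)
DROP_RE = re.compile(r"^DROP\s+\S+\s+\S+\s+(?P<ip>%s)\s" % IPV4)

def banned_per_log(log_text, jail="ssh"):
    # Replay Ban/Unban events in order: the result is what fail2ban believes is banned.
    banned = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("jail") != jail:
            continue
        op = banned.add if m.group("action") == "Ban" else banned.discard
        op(m.group("ip"))
    return banned

def banned_per_chain(iptables_text, chain="fail2ban-ssh"):
    # Collect the source IP of every DROP rule, but only inside the requested chain.
    banned, in_chain = set(), False
    for line in iptables_text.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        m = DROP_RE.match(line) if in_chain else None
        if m:
            banned.add(m.group("ip"))
    return banned

def reconcile(log_text, iptables_text):
    # Returns (banned per log but no DROP rule, DROP rule but not banned per log).
    log_set, chain_set = banned_per_log(log_text), banned_per_chain(iptables_text)
    return sorted(log_set - chain_set), sorted(chain_set - log_set)
```

On a live server, feed `reconcile()` the contents of /var/log/fail2ban.log and the output of `sudo iptables -L -n` instead of the samples; a non-empty first list means fail2ban will later try to remove a rule that is already gone.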

This post shows how to protect against brute-force attacks on Linux-based SSH servers
using the fail2ban application. This tool is a simple and free yet powerful application that should be installed to add a layer of protection to your server's SSH service.

Till next time

Stay secure!

SSH brute-force attack on Cisco routers and ways to stop it!

Here is what an SSH brute-force attack looks like in a Cisco router log:

uthentication Failed] at 01:13:18 UTC Sun Sep 30 2012
*Sep 30 01:13:18.463: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:18 UTC Sun Sep 30 2012
*Sep 30 01:13:24.967: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:24 UTC Sun Sep 30 2012
*Sep 30 01:13:24.967: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:24 UTC Sun Sep 30 2012
*Sep 30 01:13:31.447: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:31 UTC Sun Sep 30 2012
*Sep 30 01:13:31.447: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:31 UTC Sun Sep 30 2012
*Sep 30 01:13:37.963: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:37 UTC Sun Sep 30 2012
*Sep 30 01:13:37.963: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:37 UTC Sun Sep 30 2012
*Sep 30 01:13:44.307: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:44 UTC Sun Sep 30 2012
*Sep 30 01:13:44.307: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:44 UTC Sun Sep 30 2012
*Sep 30 01:13:50.771: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:50 UTC Sun Sep 30 2012
*Sep 30 01:13:50.771: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:50 UTC Sun Sep 30 2012
*Sep 30 01:13:57.239: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:57 UTC Sun Sep 30 2012
*Sep 30 01:13:57.239: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:57 UTC Sun Sep 30 2012

The above shows a perfect example of why you should have a RADIUS server or TACACS server for authentication with an IP ban mechanism. This prevents scripts such as the one above from constantly trying to brute-force your edge router from the same IP, which would force the script to either use a different proxy or change servers. Not a total solution, but an effective layer of security. You can also use something like a VPN, so an administrator would VPN into your local network and then access your equipment locally.
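As an added example (not code from the original post), here is a small Python detector that reads Cisco %SEC_LOGIN-4-LOGIN_FAILED lines in the format shown above, counts failures per source address in a sliding time window and reports any source that crosses a threshold, the same maxretry-style idea fail2ban applies to sshd logs. The log text is a constructed sample; it includes a QUIET_MODE_ON line to show that such lines are not counted as separate failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the format of the router log above: the source from the
# post, one stray failure from another address, and one QUIET_MODE_ON line,
# which is not a separate login failure and must not be counted.
CISCO_LOG = """\
*Sep 30 01:13:24.967: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:24 UTC Sun Sep 30 2012
*Sep 30 01:13:24.967: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:24 UTC Sun Sep 30 2012
*Sep 30 01:13:31.447: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:31 UTC Sun Sep 30 2012
*Sep 30 01:13:37.963: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:37 UTC Sun Sep 30 2012
*Sep 30 01:14:02.100: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 01:14:02 UTC Sun Sep 30 2012
"""

FAILED_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]+)\] "
    r"\[Source: (?P<src>[^\]]+)\].* at (?P<time>\d\d:\d\d:\d\d) UTC \w{3} "
    r"(?P<date>\w{3} \d{1,2} \d{4})$"
)

def parse_failures(log_text):
    # Yield (timestamp, source, user) for each LOGIN_FAILED line, taking the full
    # date from the trailing "at ..." field rather than the year-less line prefix.
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            ts = datetime.strptime(m["date"] + " " + m["time"], "%b %d %Y %H:%M:%S")
            yield ts, m["src"], m["user"]

def detect_bruteforce(log_text, threshold=3, window_s=60):
    # Sliding-window count per source IP: a source is reported once it reaches
    # `threshold` failures within `window_s` seconds (compare fail2ban's maxretry/findtime).
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, user in parse_failures(log_text):
        q = recent[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {"first": q[0], "last": ts, "count": len(q), "user": user}
    return alerts
```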

Just a little tidbit of knowledge.

Till next time

Stay secure!

The misconceptions about network security for both home and business

Every day millions and millions of computers around the world are compromised and the users of these computers don't even know. From the big corporations to the home users, everyone is at risk, and the scary part about it is that most of the users of these computers don't even know!

The number one problem is EDUCATION. Some people think that just because they have an antivirus/firewall on their computer they are in some sort of untouchable zone. Wrong! Millions of different types of malware are launched onto the internet every day, and for security professionals to keep up is near impossible. Security is a balance between education and common sense. For instance, a common thing now is to get a spam message from a bank asking for information such as your account number. Now sit back and think: why would a bank ask for your account number?

Live by this rule: if a person were to call me and ask for this information, would I give it to them without challenging them? If not, then why would you just give your information to a computer without questioning it?

Be smart, stay secure!