Prakash Sawarkar: Kernel 3.8 Released, how to Compile in Redhat, CentOS and Fedora.

Wednesday, 20 July 2011

Secure your RHEL/CentOS Server: Protect Against DoS and Brute-force Attacks (Intrusion Prevention)

Protect against DoS and brute-force attacks.

Brute-force and denial-of-service attacks are both automated, so they can also be detected and blocked automatically with tools built for the purpose. Bear in mind that anything running on the host itself only helps against attacks the host can still see and process; a volumetric flood that saturates the uplink has to be dealt with upstream.

Fail2ban is a free, open source intrusion prevention framework written in Python. It watches log files such as /var/log/pwdfail, /var/log/auth.log and /var/log/secure and, after too many failed password attempts from one address, bans that IP by adding an iptables rule that rejects it for a configurable amount of time. It is designed to ban clients that repeatedly fail to log in, so its main purpose is to stop attackers brute-forcing your passwords.

Before installing and configuring Fail2Ban, note that most attackers try to gain root access via SSH. So pay close attention to the SSH daemon itself: disable root logins (PermitRootLogin no in /etc/ssh/sshd_config), authenticate with SSH key pairs instead of passwords, and so on.

Step 1 - Installing Fail2Ban in RHEL, CentOS and Fedora.
Fail2Ban is not in the stock RHEL/CentOS repositories, so you first need to add and enable a third-party repository such as EPEL or RPMForge (Fedora ships it in its standard repositories). Once the repository is added, install it with the following YUM command.

# rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarc...
# rpm --import https://fedoraproject.org/static/0608B895.txt
# yum install fail2ban
Step 2 - Configuring the DEFAULT section of Fail2Ban.

The master Fail2Ban configuration file is /etc/fail2ban/jail.conf; open it with vi, or any editor you are comfortable with, to see the defaults. Put the settings you want to change in /etc/fail2ban/jail.local, which Fail2ban reads after jail.conf and which takes precedence over it, so that a package update does not overwrite your changes.
Then edit the configuration as you wish:

# vi /etc/fail2ban/jail.conf

You will now see the [DEFAULT] section, which holds the global settings every jail inherits (ignoreip, bantime, findtime, maxretry). If you want to add an extra layer of protection to your server, adjust these and the per-jail sections to suit your needs. For example, ignoreip is documented in the file as follows:

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.

Put your own management addresses here, so that a mistyped password from your workstation does not lock you out of the server.

Step 3 -Restarting Fail2Ban Service

Once you have changed the Fail2Ban configuration, restart the service so it re-reads the files (service fail2ban restart if it is already running). Also enable it for all multi-user runlevels, not just 2 and 3, so it still starts when the box boots into runlevel 5.

# chkconfig fail2ban on
# service fail2ban start
  Starting fail2ban:                                         [  OK  ]

Step 4 - DDoS Deflate

DDoS Deflate is a shell script that counts the current connections from each remote address (via netstat) and blocks, with iptables or APF, any address that holds more than a configured number of them. That helps against connection floods from a handful of sources; it does nothing against a volumetric attack that fills your uplink. Change to the directory where you want to download the script, and read install.sh before running it, since it runs as root and installs files under /usr/local/ddos:

# wget http://www.inetbase.com/scripts/ddos/install.sh

# chmod 0700 install.sh
# ./install.sh

The configuration file is created at /usr/local/ddos/ddos.conf; have a look inside, it is well commented. A cron job is also installed under /etc/cron.d and runs the DoS check regularly:

#  ls -l /etc/cron.d

-rw-r--r--. 1 root root 113 Jul 19  2011 0hourly
-rw-r--r--. 1 root root  74 Apr  1 12:37 ddos.cron
-rw-r--r--. 1 root root 108 Dec  6 21:41 raid-check

# /usr/local/ddos/ddos.sh --help
DDoS-Deflate version 0.6

Usage: ddos.sh [OPTIONS] [N]
N : number of tcp/udp connections (default 150)
OPTIONS:
-h | --help: Show this help screen
-c | --cron: Create cron job to run this script regularly (default 1 mins)
-k | --kill: Block the offending ip making more than N connections
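What the cron job does every minute, as an added example written for this page (it is not the DDoS Deflate script itself): the functions below count connections per remote address from a constructed netstat -ntu sample, print the addresses that exceed the limit N, and emit the iptables/ip6tables DROP rules for review rather than applying them. Unlike a plain `cut -d: -f1` on the foreign-address column, this strips only the trailing port, so IPv6 peers are counted instead of being collapsed to their first hextet. The sample addresses and the optional whitelist argument are assumptions.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40002       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40003       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40004       TIME_WAIT
tcp        0      0 192.0.2.10:22           198.51.100.4:55000      ESTABLISHED
udp        0      0 192.0.2.10:123          198.51.100.4:123        ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:5000      ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:5001      ESTABLISHED'

# conns_per_ip: count connections per remote address.  Skips the two header
# lines and strips only the trailing ":port", so IPv6 peers are counted
# correctly (a plain `cut -d: -f1` would collapse every IPv6 address to its
# first hextet).  Output: "<count> <address>", busiest first.
conns_per_ip() {
    awk '$1 ~ /^(tcp|udp)6?$/ { peer = $5; sub(/:[0-9]+$/, "", peer); n[peer]++ }
         END { for (p in n) print n[p], p }' | sort -rn
}

# over_limit N [WHITELIST...]: print addresses with more than N connections
# that are not whitelisted, i.e. the set ddos.sh would hand to the firewall.
over_limit() {
    limit=$1; shift
    conns_per_ip | awk -v limit="$limit" -v white="$*" '
        BEGIN { m = split(white, w, " "); for (i = 1; i <= m; i++) ok[w[i]] = 1 }
        $1 + 0 > limit + 0 && !($2 in ok) { print $2 }'
}

# drop_rules N [WHITELIST...]: emit (do not execute) the firewall commands for
# the offenders, so the result can be reviewed before anything is blocked.
drop_rules() {
    over_limit "$@" | while read -r ip; do
        case $ip in
            *:*) echo "ip6tables -I INPUT -s $ip -j DROP" ;;
            *)   echo "iptables -I INPUT -s $ip -j DROP" ;;
        esac
    done
}

# Demo with a deliberately low limit of 3 so the sample trips it.
printf '%s\n' "$SAMPLE_NETSTAT" | drop_rules 3
```

Against a live system you would feed it real data, e.g. `netstat -ntu | over_limit 150`, and only pipe the output of drop_rules into `sh` once you have checked that no legitimate client (a NAT gateway, a monitoring box) is on the list.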

Watch Failed SSH login attempts

To see the failed SSH login attempts recorded so far, run the following; it aggregates the 'Failed password' lines by source address, busiest first. (Counting whole lines with uniq -c would aggregate nothing, since every line carries its own timestamp and PID.)

# grep 'Failed password' /var/log/secure | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
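The decision Fail2ban makes from these log lines, as an added example for the ignoreip and maxretry settings of Step 2 and for the check above (illustration code written for this page, not part of Fail2ban): it counts 'Failed password' lines per source address over a constructed sample of /var/log/secure, then reports the addresses that have reached maxretry and are not covered by an ignoreip entry, given either as a plain address or as a CIDR mask. The sample lines and the 192.168.1.0/24 management network are made up; findtime is not modelled, so this is the count-based half of the jail only.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines (not a real capture).
SAMPLE_SECURE='Jul 19 10:01:02 web1 sshd[4101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jul 19 10:01:05 web1 sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Jul 19 10:01:09 web1 sshd[4107]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jul 19 10:02:11 web1 sshd[4120]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Jul 19 10:03:30 web1 sshd[4131]: Failed password for deploy from 198.51.100.20 port 40030 ssh2
Jul 19 10:05:44 web1 sshd[4150]: Failed password for root from 192.168.1.50 port 52000 ssh2
Jul 19 10:05:46 web1 sshd[4151]: Failed password for root from 192.168.1.50 port 52001 ssh2
Jul 19 10:05:48 web1 sshd[4152]: Failed password for root from 192.168.1.50 port 52002 ssh2
Jul 19 10:05:50 web1 sshd[4153]: Failed password for root from 192.168.1.50 port 52003 ssh2'

# failed_by_ip: count "Failed password" lines from sshd per source address,
# the aggregation Fail2ban performs before applying maxretry.
# Output: "<count> <ip>", busiest first.
failed_by_ip() {
    awk '/sshd\[[0-9]*\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# ban_candidates MAXRETRY [IGNOREIP...]: print addresses whose failure count
# has reached MAXRETRY and that do not fall inside any ignoreip entry (plain
# IPv4 address or CIDR).  CIDR matching uses integer division instead of bit
# operations so it works in plain POSIX awk.
ban_candidates() {
    maxretry=$1; shift
    failed_by_ip | awk -v maxretry="$maxretry" -v ignore="$*" '
        function ip2int(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        function in_net(ip, net,  p, bits, scale) {
            p = index(net, "/")
            bits = p ? substr(net, p + 1) + 0 : 32
            if (p) net = substr(net, 1, p - 1)
            scale = 2 ^ (32 - bits)           # size of the network in addresses
            return int(ip2int(ip) / scale) == int(ip2int(net) / scale)
        }
        BEGIN { m = split(ignore, list, " ") }
        $1 + 0 >= maxretry + 0 {
            skip = 0
            for (i = 1; i <= m; i++) if (list[i] != "" && in_net($2, list[i])) skip = 1
            if (!skip) print $2
        }'
}

# Demo: maxretry = 3 with loopback and the (assumed) management LAN ignored,
# the way ignoreip would be set in jail.local.
printf '%s\n' "$SAMPLE_SECURE" | ban_candidates 3 127.0.0.1/8 192.168.1.0/24
```

In the sample, 192.168.1.50 has four failures but is inside the ignored 192.168.1.0/24, 198.51.100.20 has one failure and stays below maxretry, and only 203.0.113.7 is reported. Running the same pipeline on the real file (`ban_candidates 3 < /var/log/secure`) is a quick way to sanity-check what a jail with those settings would have banned.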