This post describes how the server can be secured using fail2ban and shorewall. It mostly builds on the procedure that I described in an earlier post, with a few additional warnings.
fail2ban is a tool that protects against brute-force and DDoS attacks. The principle is that it blocks IPs that repeatedly fail to authenticate to a variety of services. Here, we explain how to configure it to block failed ssh login attempts. The tutorial will be updated later with other services.
fail2ban is installed with:
    sudo apt install fail2ban
and its status can be checked with
    sudo systemctl status fail2ban
which, at that stage, should return
    Active: active (running) since Thu 2020-07-30 18:24:24 CEST; 1min 11s ago
The main configuration file is /etc/fail2ban/jail.conf, which can be kept as is and amended by creating /etc/fail2ban/jail.local for custom configurations. More precisely, I created a first file containing
    [DEFAULT]
    loglevel = INFO
    logtarget = /var/log/fail2ban.log
and /etc/fail2ban/jail.local with
    [DEFAULT]
    # localhost plus your own address, which must never be banned
    ignoreip = 127.0.0.1 XX.XXX.XXX.XX
    # -1 means a permanent ban
    bantime = -1
    findtime = 3600
    maxretry = 3
    # address that receives the ban notifications
    destemail = email@example.com
    # ban, mail the whois of the IP and the matching log lines
    action = %(action_mwl)s
    backend = systemd
which configures fail2ban to ban forever any IP that has at least 3 failed connection attempts (on the sshd service) in the last 3600 seconds. Emails are sent to my address with detailed information, including a whois lookup, on each banned IP.
Other specific jails can be configured using custom files in /etc/fail2ban/jail.d/. In my case, I created /etc/fail2ban/jail.d/myfile.conf with
    [sshd]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 4
which additionally bans any IP failing to connect 4 times, as set by maxretry in that file.
The configuration is finally validated with
    systemctl restart fail2ban
Note that other useful commands are:
    fail2ban-client set JAIL banip IP
to ban a given IP address,
    fail2ban-client set JAIL unbanip IP
to unban a given IP address, and
    fail2ban-client set JAIL addignoreip IP
to add an IP to the whitelist.
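As an added example (not code from the original post), the following shell function emulates the counting rule the sshd jail applies: it scans auth.log-style lines for sshd "Failed password" events, counts them per source IP, and reports the addresses that reach maxretry failures inside any findtime-second window, skipping those listed in ignoreip. The log excerpt, hostname and addresses in SAMPLE_LOG are constructed, and would_ban and its arguments are this example's own names. It lets you check what the values in jail.local and jail.d will do to a given log before relying on fail2ban to apply them.

```shell
#!/bin/bash
# Added example: emulate fail2ban's per-IP counting of sshd failures
# (maxretry events within findtime seconds) over constructed log lines.
# Assumes the traditional syslog timestamp layout of /var/log/auth.log
# and that all sample lines fall on the same day.

# Constructed auth.log excerpt (hostname, PIDs and addresses are made up).
SAMPLE_LOG='Jul 30 18:20:01 srv sshd[1001]: Failed password for root from 203.0.113.5 port 50000 ssh2
Jul 30 18:20:07 srv sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
Jul 30 18:20:15 srv sshd[1003]: Failed password for root from 203.0.113.5 port 50002 ssh2
Jul 30 18:25:00 srv sshd[1004]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jul 30 18:26:00 srv sshd[1005]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
Jul 30 20:00:00 srv sshd[1006]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jul 30 20:01:00 srv sshd[1007]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jul 30 18:30:00 srv sshd[1008]: Failed password for root from 127.0.0.1 port 30000 ssh2
Jul 30 18:30:01 srv sshd[1009]: Failed password for root from 127.0.0.1 port 30001 ssh2
Jul 30 18:30:02 srv sshd[1010]: Failed password for root from 127.0.0.1 port 30002 ssh2'

# would_ban LOG MAXRETRY FINDTIME [IGNOREIP ...]
# Prints, one per line, each IP that accumulates MAXRETRY "Failed password"
# events inside a FINDTIME-second window; addresses in IGNOREIP are skipped.
would_ban() {
    local log=$1 maxretry=$2 findtime=$3
    shift 3
    local ignore="$*"
    printf '%s\n' "$log" | awk -v maxretry="$maxretry" -v findtime="$findtime" -v ignore="$ignore" '
    BEGIN { n = split(ignore, ig, " "); for (i = 1; i <= n; i++) skip[ig[i]] = 1 }
    / sshd\[[0-9]+\]: Failed password for / {
        # Source address follows "from "; time of day (field 3) becomes seconds.
        match($0, / from [0-9.]+ /); ip = substr($0, RSTART + 6, RLENGTH - 7)
        if (ip in skip) next
        split($3, t, ":"); ts = t[1] * 3600 + t[2] * 60 + t[3]
        cnt[ip]++; when[ip, cnt[ip]] = ts
        # Sliding window: the current failure and the (maxretry-1) before it
        # must all lie within findtime seconds.
        if (cnt[ip] >= maxretry && ts - when[ip, cnt[ip] - maxretry + 1] <= findtime && !(ip in banned)) {
            banned[ip] = 1
            print ip
        }
    }'
}

# With the jail.local values above: 203.0.113.5 fails three times in 14 seconds
# and is reported; 198.51.100.7 also fails three times, but spread over more
# than an hour, so it is not; 127.0.0.1 is in ignoreip.
would_ban "$SAMPLE_LOG" 3 3600 127.0.0.1 XX.XXX.XXX.XX
```

Two things worth keeping in mind when comparing this with the real configuration: a value set in the [sshd] section of a jail.d file takes precedence over the same key in [DEFAULT], so with the two files above the effective maxretry for the sshd jail is 4 and the first sample address, with only three failures, would not yet be banned; and with backend = systemd, fail2ban reads the journal rather than the logpath named in the jail, so the auth.log layout is used here only for illustration.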
shorewall is a tool to easily manage iptables and restrict the connections allowed on the server. It is installed with:
    sudo apt install shorewall
and a first basic configuration (for a single server) can be obtained with
    sudo cp /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall/.
Starting from that, the default policy is described in /etc/shorewall/policy, where a standard configuration can be:
    #SOURCE DEST POLICY LOGLEVEL
    $FW     net  ACCEPT
    $FW     all  ACCEPT
    net     $FW  DROP    info
    net     all  DROP    info
    # The FOLLOWING POLICY MUST BE LAST
    all     all  REJECT  info
which allows all connections from the firewall to the net and to all other interfaces, drops all connections from the net, and rejects all other connections.
Exceptions to these rules are described in /etc/shorewall/rules, which should typically contain at least
    PING(ACCEPT) net $FW
    SSH(ACCEPT)  net $FW
if you want to allow ping and ssh connections to your server.
Be careful that the file /etc/shorewall/interfaces contains the appropriate configuration
    net NET_IF dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=YYY
in which YYY is replaced by the name of your network interface as given by ifconfig. Forgetting this setting led me to test the RESCUE mode of Kimsufi after starting shorewall...
Finally, shorewall is enabled by editing the file /etc/default/shorewall, in which the line starting with startup has to be modified to be:
    startup=1
or (I don't know which one of the two was successful) by running
    sudo systemctl enable shorewall
In addition, the corresponding value in /etc/shorewall/shorewall.conf has to be set to
    Yes
and shorewall is started with
    sudo systemctl start shorewall
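The lock-out described above (a wrong physical= interface, or an rules file without an SSH accept, followed by starting the firewall over ssh) is cheap to catch before running the last command. The following pre-flight check is an added example, not code from the original post or from the shorewall project: it verifies that the interface named in /etc/shorewall/interfaces exists on the host and that /etc/shorewall/rules still accepts SSH from the net zone. File contents and the interface list are passed as arguments so that it can be exercised on constructed input; the function name preflight, the variables below and the interface name "eno1" are this example's own assumptions.

```shell
#!/bin/bash
# Added example: pre-flight check before "systemctl start shorewall".
# It refuses to give the go-ahead if the net interface named in the
# interfaces file does not exist on the host, or if no SSH(ACCEPT) rule
# from net to $FW is present in the rules file.

# preflight INTERFACES_CONTENT RULES_CONTENT "iface1 iface2 ..."
# Returns 0 when it is safe to start, 1 when the net interface is unknown to
# the host, 2 when no SSH(ACCEPT) rule from net to $FW is present.
preflight() {
    local interfaces=$1 rules=$2 host_ifaces=$3
    local phys found=0
    # Real interface name: the physical=... option of the "net" line, or,
    # when that option is absent, the INTERFACE column itself.
    phys=$(printf '%s\n' "$interfaces" |
        awk '$1 == "net" && match($0, /physical=[^, ]+/) { print substr($0, RSTART + 9, RLENGTH - 9); exit }')
    [ -n "$phys" ] || phys=$(printf '%s\n' "$interfaces" | awk '$1 == "net" { print $2; exit }')
    case " $host_ifaces " in
        *" $phys "*) found=1 ;;
    esac
    if [ -z "$phys" ] || [ "$found" -eq 0 ]; then
        echo "interfaces: '$phys' is not an interface of this host (have: $host_ifaces)" >&2
        return 1
    fi
    # An active (not commented-out) SSH accept rule from net to the firewall.
    if ! printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*SSH\(ACCEPT\)[[:space:]]+net[[:space:]]+\$FW'; then
        echo "rules: no 'SSH(ACCEPT) net \$FW' line; starting shorewall would cut off ssh" >&2
        return 2
    fi
    return 0
}

# Constructed inputs mirroring the files shown in the post ("eno1" is a
# hypothetical interface name; "YYY" is the placeholder left unreplaced).
GOOD_INTERFACES='#ZONE INTERFACE OPTIONS
net NET_IF dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=eno1'
BAD_INTERFACES='#ZONE INTERFACE OPTIONS
net NET_IF dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=YYY'
RULES_WITH_SSH='PING(ACCEPT) net $FW
SSH(ACCEPT) net $FW'
RULES_NO_SSH='PING(ACCEPT) net $FW'
HOST_IFACES='lo eno1'

# On the real host, run before starting the firewall (interface names are
# read from /sys/class/net, which lists every interface the kernel knows):
#   preflight "$(cat /etc/shorewall/interfaces)" "$(cat /etc/shorewall/rules)" \
#             "$(ls /sys/class/net)" && sudo systemctl start shorewall
preflight "$GOOD_INTERFACES" "$RULES_WITH_SSH" "$HOST_IFACES" && echo "safe to start"
```

The check is deliberately conservative: it only recognises an SSH(ACCEPT) line with net as source and $FW as destination, so a rule written differently (for instance with a port-based ACCEPT) will make it report a problem and prompt you to look at the file yourself.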