Dedicated server – fail2ban and rkhunter

By | September 22, 2011

“Ban Automatic with fail2ban

Most of the time, when someone trying to hack your server, hacker use brute force method. That is to say they test all possible passwords, starting with the most likely (as dictionary words) to the more unlikely (sequences of random characters). With the computing power of today’s computers, it works not too bad if your password is simple. Fortunately we can easily counter it by installing a system that automatically ban people who try to connect on many occasions without success.

“Simple configuration of fail2ban

To begin, you must install fail2ban with the command line apt-get install fail2ban. Then it is recommended that the configuration file intact and make a copy for editing, then cp / etc/fail2ban/jail.conf / etc/fail2ban/jail.conf.local and then vi etc/fail2ban/jail . conf.local.

To activate a filter, you must enclose the field enabled to true and possibly change the maxretry (number of attempts before the ban), the bantime (time ban) and the port (especially for ssh).

I recommend you to activate the following filters: [ssh] [ssh-back], [Apache] [apache-multiport] [apache-noscript] [apache-overflows], [proftpd] [postfix] [couriersmtp] and [courierauth]. These filters are enabled by default, you have nothing else to do by changing the enabled = false to true.

“Add  custom filters

The default filters are fine, but here are some custom filters that you can find on the internet. You do not have to activate them is the bonus.

The filter “apache-404” can ban users who make too many errors 404. Usually it is those who are looking for administration pages to hard by changing the url. However, be careful! If there is a missing element on your site, such as an image, it will generate a 404 and it may ban your visitors.

The filter “apache-admin” can protect your administration area if you have one. In my case but I’d rather not give it to you anyway.

And the last, “apache-w00tw00t” can ban a scanner fault “w00tw00t” frequently used, we find traces in the logs.

To be added to the file / etc/fail2ban/jail.conf.local:

[apache-404]
enabled = true
port = http
filter = apache-404
logpath = /var/log/apache*/error*.log
maxretry = 10

[apache-admin]
enabled = true
port = http
filter = apache-admin
logpath = /var/log/apache*/error*.log
maxretry = 6

[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables[name=Apache-w00tw00t,port=80,protocol=tcp]
logpath = /var/log/apache2/access*.log
maxretry = 1

Now you must create three files, which are filters based on regular expression (Regex) in / etc/fail2ban/filter.d  /:

(Apparently in the article, I forgot the “. Conf” at the end of files, so think of it)
apache-404.conf

# Fail2Ban configuration file
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named “host”. The tag “” can
# be used for standard IP/hostname matching.
# Values: TEXT
# [client x.x.x.x] File does not exist: /home/www/admin/admin,
failregex = [[]client []] File does not exist: .*
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

apache-admin.conf

# Fail2Ban configuration file
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named “host”. The tag “” can
# be used for standard IP/hostname matching.
# Values: TEXT
# [client x.x.x.x] File does not exist: /home/www/admin/admin,
failregex = [[]client []] File does not exist: .*admin|PMA|mysql
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
apache-w00tw00t.conf

# Fail2Ban configuration file

# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named “host”. The tag “” can
# be used for standard IP/hostname matching.
# Values: TEXT
# [client x.x.x.x] File does not exist: /home/www/admin/admin,
failregex = [[]client []] File does not exist: .*admin|PMA|mysql
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
[email protected]:/etc/fail2ban/filter.d# cat apache-w00tw00t.conf

failregex = ^ -.*”GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*”.*

ignoreregex =

Then  you can do with a restart of  fail2ban / etc/init.d/fail2ban restart and you’re done.

“Backdoor Detector

The latest software is to install a detector Backdoor. To install, do an apt-get install rkhunter and check its configuration file / etc / default / rkhunter report_email that is on root and cron_daily_run to yes.

You will receive emails in case if sensitive files are modified. Be careful because it can generate false positives.
Receive an email when an ssh

This time it’s more a trick than software. To receive an email when someone connects to an account of a user system, you can change the file ~ user / .bashrc and add the following line: echo ‘Root Shell Access `who` `date` | mail-s `hostname` Root Shell [email protected]

At each connection, this code will be executed and you will be notified. Rather handy if you’re paranoid and want to easily detect intrusions.

In conclusion, with these few basic principles you should have a secure dedicated server. Remember that no server is infallible and always keep a system up to date to limit the risks.

Leave a Reply

Your email address will not be published. Required fields are marked *