How can I skillfully configure two security tools to prevent brute-force attacks?

How can I skillfully configure two security tools to prevent brute-force attacks?
Introduction to brute force attacks

We all know this buzzword: "Prevention is better than treatment ." If you are a Linux system administrator, you may know how a "brute-force attack application" can cause problems on your local or remote server. Imagine: If your server is attacked by unknown attackers, the data on the server will fall into the bad guys. This will definitely cause you and your company to be in a big trouble that you have never imagined before. Brute force attacks are repeated attempts by applications to crack your encrypted data. Encrypted data may be any password or key. Simply put, a brute-force attack application will try all possible combinations of passwords or keys until the correct password or key is found. This takes a while, depending on the complexity of the password. If it takes too long to find the password, it can be said that your password is safe and strong.

Some clever tools can be used to prevent or prevent brute-force attacks. Today, we will discuss the following tools.

1. SSHGuard ;2. Fail2Ban.

Note: Do not install both tools on the same system. You may not be able to get the correct results.

First, let's take a look at SSHGuard and how to install and configure it to prevent brute force attacks.

1. SSHGuard

SSHGuard (http://www.sshguard.net) is a fast and lightweight monitoring tool written in C language. It can use Log Activity to monitor servers and protect servers from brute force attacks. If someone tries to access your server through SSH and fails to access your server multiple times (maybe four times), SSHGuard will put the IP address of the other server in iptables, block access by him/her within a period of time. It will be automatically unlocked after a period of time. It can protect almost all services, such as sendmail, exim, dovecot, vsftpd, proftpd, and many services without protecting SSH.

Install SSHGuard

On Ubuntu/Debian, SSHGuard is in the default software library.

Therefore, we can use the following command to easily install it:

sudo apt-get install sshguard

On CentOS/RHEL 6. x:

First download and add the FlexBox software library, as shown below.

wget http://sourceforge.net/projects/flexbox/files/flexbox-release-1-1.noarch.rpm

Use the following command to update the software library list:

yum repolist

Finally, run the following command to install sshguard:

yum install sshguard

For other releases, download their respective binaries from the official website (http://www.sshguard.net/download/) and install them on your own.

Or you can download it from here (http://pkgs.org/download/sshguard.

Configure SSHGuard with Iptables/Netfilter

SSHGuard does not have a configuration file. All you need to do is create a new chain for SSHGuard in iptables to insert access blocking rules.

To support IPv4, run the following command with the root permission:

iptables -N sshguard

To support IPv6:

ip6tables -N sshguard

Update the INPUT chain to transfer traffic to sshguard. Specify the -- dport option and use sshguard to protect all ports of the service. If you want to prevent attackers from transmitting any traffic to the host, delete this option completely.

Block all traffic from attackers

To support IPv4:

iptables -A INPUT -j sshguard

To support IPv6:

iptables -A INPUT -j sshguard

Blocks specific services from attackers, such as SSH, FTP, POP, or IMAP.

To support IPv4:

iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard

To support IPv6:

ip6tables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143-j sshguard

Finally, save the iptables rule.

service iptables save

Verify that the upper-level user in the chain does not have the default allow (default allowed) rule for transferring all ssh traffic. Verify that you do not have any default deny (default deny) rules that block all ssh traffic in the firewall. In either case, assume that you already have the skills to adjust the firewall settings.

The following is a reasonable sample rule set:

iptables -N sshguard

Blocking sshguard indicates that it is a bad traffic for any traffic:

iptables -A INPUT -j sshguard

Enable ssh, dns, http, and https:

iptables -A INPUT -p tcp --dport 22 -j ACCEPTiptables -A INPUT -p udp --dport 53 -j ACCEPTiptables -A INPUT -p tcp --dport 80 -j ACCEPTiptables -A INPUT -p tcp --dport 443 -j ACCEPT

All services other than blocking:

iptables -P INPUT DROP

Configure SSHGuard without Iptables/Netfilter

If you do not need iptables, you can run the following command to create and save the iptables configuration. In addition to enabling sshguard to run properly, this configuration will never do anything:

iptables -Fiptables -Xiptables -P INPUT ACCEPTiptables -P FORWARD ACCEPTiptables -P OUTPUT ACCEPTiptables -N sshguardiptables -A INPUT -j sshguard

Finally, save the iptables configuration:

service iptables save

That's it. Now you have installed and configured SSHGuard to protect your ssh, ftp, and other services from Brute Force attackers.
 

2. Fail2Ban Fail2ban ( http://www.fail2ban.org/wiki/index.php/Main_Page Is an open-source Intrusion Prevention System that can be used to prevent brute-force attacks and other suspicious malicious attacks. It can scan log files (such as/var/log/apache/error_log) and prohibit IP addresses that indicate suspicious signs (such as too many wrong passwords and looking for security vulnerabilities. In general, Fail2Ban is used to update firewall rules to prevent IP addresses from accessing within a specified period of time, but other random operations can be configured (such as sending an email or popping up a CD-ROM tray ). Fail2Ban is preconfigured with filters by default and can be used for many services (such as Apache, curier, and SSH ). Install Fail2Ban and log on as the root user. Run the following command to install Fail2Ban: on Ubuntu/Debian: apt-get install fail2ban on CentOS/RHEL: add the EPEL software library first. Yum install epel-releaseyum repolist and then run the following command to install fail2ban: yum install fail2ban to enable and start the fail2ban service. Service fail2ban startchkconfig fail2ban on or systemctl enable fail2bansystemctl start fail2ban. Backup Fail2Ban main configuration file: All configuration files are located in the/etc/fail2ban directory. The main configuration file is/etc/fail2ban/jail. conf. It is a good idea to back up the master configuration file to avoid merging during the upgrade. Create/etc/fail2ban/jail. the local copy of the conf file is as follows: cp/etc/fail2ban/jail. conf/etc/fail2ban/jail. local configuration Fail2Ban use any editing tool to open/etc/fasil2ban/jail. local file: vi/etc/fail2ban/jail. locate the part named [Default. This section contains a set of basic rules that Fail2Ban will follow. Set the value according to your needs. The following are my settings: [DEFAULT] # "ignoreip" may be an IP address, a CIDR mask, or a DNS host.

Ignoreip = 127.0.0.1/8 192.168.1.200/24 [...] bantime = 600 [...] maxretry = 3 # "backend" specifies the backend for obtaining file modifications. Available options include "gamin", "polling", and "auto ". # Yoh: for some reason, the python-gamin delivered with Debian does not run as expected. # This problem is pending, so the current default backend is polling [...] backend = auto # used to insert data to jail. the destination email address in the {conf, local} configuration file. Destemail = root @ localhost [...] #

 

Here, • ignoreip-whitelist the IP addresses you trust to prevent Fail2Ban blocking. You can add multiple addresses separated by spaces. Here, I will add the IP address 192.168.1.200 to the White List. Therefore, this IP address is not forbidden, even if it sends a maximum of failed logon attempts. • Bantime-number of seconds if a host is found to be in violation by Fail2Ban. The default value is 600 seconds (10 minutes ). You can extend the time value if you like. • Maxretry-incorrect number of logon attempts, and the host is blocked by Fail2Ban. By default, Fail2Ban includes a set of predefined filters that support various services. Therefore, you do not need to input any manual items to the configuration file. All you need to do is change the Enabled value to true or false, and Fail2Ban will automatically monitor the corresponding service. The following is the sample output of SSH in the jail. local file:

[ssh]enabled = trueport = sshfilter = sshdlogpath = /var/log/auth.logmaxretry = 6

Let's take a look at the brief details of each item. • Enabled-this means that the ssh service protection feature is enabled. If you want to disable it, set it to false. • Port-SSH service port. • Filter-a configuration file containing rules. Fail2Ban uses these rules to locate the matching. By default, it is set to sshd, which refers to the/etc/fail2ban/filter. d/sshd. conf file. • Logpath-logs the log files of failed logon attempts. • The maxretry-Fail2Ban blocks the number of failed login attempts on the host. Once you change the configuration, restart the Fail2Ban service to save the changes. Systemctl restart fail2ban or service fail2ban restart you can use the following command to verify the rules added by Fail2Ban in iptables: iptables-L sample output:

Chain INPUT (policy ACCEPT)target prot opt source destinationf2b-sshd tcp -- anywhere anywhere multiport dports sshACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHEDACCEPT all -- anywhere anywhereINPUT_direct all -- anywhere anywhereINPUT_ZONES_SOURCE all -- anywhere anywhereINPUT_ZONES all -- anywhere anywhereACCEPT icmp -- anywhere anywhereREJECT all -- anywhere anywhere reject-with icmp-host-prohibited[...]

 

Test Fail2Ban I want to try several random failure attempts to connect to the Fail2Ban server from a local client. Then, I verified the failed logon attempt in the/var/log/fail2ban. log File: cat/var/log/fail2ban. log sample output:

15:38:15, 480 fail2ban. filter [11792]: INFO [sshd] Found 192.168.1.1002015-07-13 15:38:15, 482 fail2ban. filter [11792]: INFO [sshd] Found 192.168.1.1002015-07-13 15:38:15, 483 fail2ban. filter [11792]: INFO [sshd] Found 192.168.1.1002015-07-13 15:38:15, 485 fail2ban. filter [11792]: INFO [sshd] Found 192.168.1.1002015-07-13 15:38:15, 485 fail2ban. filter [11792]: INFO [sshd] Found 192.168.1.1002015-07-13 15:38:15, 487 fail2ban. filter [11792]: INFO [sshd] Found 192.168.1.1002015-07-13 15:38:15, 488 fail2ban. filter [11792]: INFO [sshd] Found 192.168.1.1002015-07-13 15:38:15, 490 fail2ban. filter [11792]: INFO [sshd] Found 192.168.1.1002015-07-13 15:38:15, 491 fail2ban. filter [11792]: INFO [sshd] Found 192.168.1.1002015-07-13 15:38:15, 492 fail2ban. filter [11792]: INFO [sshd] Found 192.168.1.1002015-07-13 15:38:15, 493 fail2ban. filter [11792]: INFO [sshd] Found 192.168.1.1002015-07-13 15:38:15, 495 fail2ban. filter [11792]: INFO [sshd] Found 192.168.1.1002015-07-13 15:38:15, 496 fail2ban. filter [11792]: INFO [sshd] Found 192.168.1.1002015-07-13 15:38:16, 234 fail2ban. actions [11792]: NOTICE [sshd] Ban 192.168.1.100 or iptables-L

How can I skillfully configure two security tools to prevent brute-force attacks?
As you can see from the above two output sections, my local IP address 192.168.1.100 has been disabled by Fail2Ban. Note: by default, the banned IP address will be lifted after 600 seconds. That's it. I hope these two tools will help you. Good luck!