| 1 | +# Intrusion Detection |
| 2 | + |
| 3 | +To further increase the security of the SSH login, we can use an Intrusion Detection System (IDS) which is an application that monitors a network or systems for malicious activity or policy violations. We'll use [Fail2Ban](https://github.com/fail2ban/fail2ban "Fail2Ban GitHub") which is a free and open source IDS for our relay. |
| 4 | + |
| 5 | +Fail2Ban monitors system logs for automated attacks on servers, e.g., repeated login failures. When a possible attack is identified using default parameters or parameters we set, it will block the IP address of the attacker for a set amount of time or permanently. |
| 6 | + |
| 7 | +Fail2Ban is primarily focused on SSH attacks, but it can be configured to work with any service susceptible to an automated network attack that uses log files. |
| 8 | + |
| 9 | +## Install Fail2Ban |
| 10 | + |
| 11 | +To install UFW run: |
| 12 | + |
| 13 | +```bash |
| 14 | +apt install fail2ban |
| 15 | +``` |
| 16 | + |
| 17 | +## Status |
| 18 | + |
| 19 | +To check the status of Fail2Ban run: |
| 20 | + |
| 21 | +```bash |
| 22 | +systemctl status fail2ban |
| 23 | +``` |
| 24 | + |
| 25 | +If you see output similar to: `Active: failed (Result: exit-code)` instead of `Active: active (running)`, an error occurred that we need to resolve before we can activate Fail2Ban. |
| 26 | + |
| 27 | +Take a look at the [Resolve Error(s)](/server/intrusion-detection/#resolve-errors "Resolve Error(s)") section to determine how to view the full error(s) and how to resolve common errors. |
| 28 | + |
| 29 | +## Enable |
| 30 | + |
| 31 | +Fail2Ban should already be enabled to start automatically on boot, but if it isn’t run: |
| 32 | + |
| 33 | +```bash |
| 34 | +systemctl enable fail2ban |
| 35 | +``` |
| 36 | + |
| 37 | +## Start |
| 38 | + |
| 39 | +Fail2Ban should have started after the installation, but if it didn't run: |
| 40 | + |
| 41 | +```bash |
| 42 | +systemctl start fail2ban |
| 43 | +``` |
| 44 | + |
| 45 | +## View Jails |
| 46 | + |
| 47 | +Fail2Ban jails describe how various services, e.g., SSH, HTTP, FTP, etc. are handled by specifying whether they’re enabled or disabled as well as by setting combinations of filters and actions. Fail2Ban comes with 1 jail rule for SSH by default. |
| 48 | + |
| 49 | +To view the jails run: |
| 50 | + |
| 51 | +```bash |
| 52 | +fail2ban-client status |
| 53 | +``` |
| 54 | + |
| 55 | +Output: |
| 56 | + |
| 57 | +```bash |
| 58 | +Status |
| 59 | +|- Number of jail: 1 |
| 60 | +`- Jail list: sshd |
| 61 | +``` |
| 62 | + |
| 63 | +## Default Jail Configuration |
| 64 | + |
| 65 | +The default Fail2Ban jail configuration is located in `/etc/fail2ban/jail.conf`. |
| 66 | + |
| 67 | +To view the jail configuration you can open the file: |
| 68 | + |
| 69 | +```bash |
| 70 | +nano /etc/fail2ban/jail.conf |
| 71 | +``` |
| 72 | + |
| 73 | +## Edit Jail Configuration |
| 74 | + |
| 75 | +To edit the jail configuration, create new configuration files in the `/etc/fail2ban/jail.d` directory using a `.local` file extension. |
| 76 | + |
| 77 | +### sshd |
| 78 | + |
| 79 | +Before creating a new SSH jail configuration we're going to first delete the `defaults-debian.conf` file which contains a basic sshd jail configuration: |
| 80 | +
|
| 81 | +```bash |
| 82 | +rm /etc/fail2ban/jail.d/defaults-debian.conf |
| 83 | +``` |
| 84 | +
|
| 85 | +You can now create and edit a new SSH jail configuration called `sshd.local` in the `/etc/fail2ban/jail.d` directory: |
| 86 | +
|
| 87 | +```bash |
| 88 | +nano /etc/fail2ban/jail.d/sshd.local |
| 89 | +``` |
| 90 | +
|
| 91 | +Add the following to the file: |
| 92 | +
|
| 93 | +```bash |
| 94 | +[sshd] |
| 95 | +enabled = true |
| 96 | +port = 22 |
| 97 | +findtime = 5m |
| 98 | +bantime = 2h |
| 99 | +maxentry = 3 |
| 100 | +ignoreip = 127.0.0.1/8 ::1 |
| 101 | +``` |
| 102 | +
|
| 103 | +Save and exit the file. |
| 104 | +
|
| 105 | +Here's a description of the settings: |
| 106 | + |
| 107 | +- `enabled` - Enables the sshd jail. |
| 108 | + |
| 109 | +- `port` - The port to listen for SSH connections on which by default is `22`. If you set a custom SSH port, be sure to update the value to correctly filter traffic. |
| 110 | + |
| 111 | +- `findtime` - Sets the time duration for the number of failures before a ban is enacted. The default value is `10m`. We'll set this to `5m`, i.e., 5 minutes. |
| 112 | +
|
| 113 | +- `bantime` - Sets the time duration of the ban placed on an IP address. The default value is `10m`. We'll set this to `2h`, i.e., 2 hours. |
| 114 | + |
| 115 | +- `maxretry` - Sets the number of failures before an IP address is banned. The default value is `5`. We'll set this to `3`. |
| 116 | +
|
| 117 | +- `ignoreip` - Sets IP addresses that will not get banned by whitelisting them. The value `127.0.0.1/8 ::1` corresponds to the IPv4 and IPv6 loopback address, i.e., the IP addresses the device uses to refer to itself. You can also add your public IP address(es) to avoid being locked out of the device. |
| 118 | +
|
| 119 | +If you had to resolve the missing log file for sshd jail error after installing Fail2Ban, be sure to include the `backend = systemd` setting in the file as well. |
| 120 | +
|
| 121 | +To apply the changes restart Fail2Ban: |
| 122 | +
|
| 123 | +```bash |
| 124 | +systemctl restart fail2ban |
| 125 | +``` |
| 126 | +
|
| 127 | +Verify the sshd jail configuration: |
| 128 | +
|
| 129 | +```bash |
| 130 | +fail2ban-client status sshd |
| 131 | +``` |
| 132 | +
|
| 133 | +Ouput: |
| 134 | +
|
| 135 | +```bash |
| 136 | +Status for the jail: sshd |
| 137 | +|- Filter |
| 138 | +| |- Currently failed: 0 |
| 139 | +| |- Total failed: 0 |
| 140 | +| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd |
| 141 | +`- Actions |
| 142 | + |- Currently banned: 0 |
| 143 | + |- Total banned: 0 |
| 144 | + `- Banned IP list: |
| 145 | +``` |
| 146 | +
|
| 147 | +Be sure to not lock yourself out of the relay by attempting too many incorrect login attempts within the `findtime` limit. If you do, try accessing the relay using a different IP address using the correct login credentials or wait for the `bantime` to expire. |
| 148 | +
|
| 149 | +## Resolve Error(s) |
| 150 | +
|
| 151 | +If you’re seeing `Active: failed (Result: exit-code)` when checking the status of Fail2Ban, and you’re unable to view the full error message run: |
| 152 | +
|
| 153 | +```bash |
| 154 | +systemctl status fail2ban | less |
| 155 | +``` |
| 156 | +
|
| 157 | +You can now navigate through the output of the `status` command by using the arrow keys. Press `q` to quit viewing the output. |
| 158 | +
|
| 159 | +### Missing Log File for sshd Jail |
| 160 | +
|
| 161 | +If you see the following errors, the async configuration of the server failed since no log file for the sshd jail was found: |
| 162 | +
|
| 163 | +```bash |
| 164 | +ERROR Failed during configuration: Have not found any log file for sshd jail |
| 165 | +ERROR Async configuration of server failed |
| 166 | +``` |
| 167 | +
|
| 168 | +To resolve this we’re going to change the backend value for the sshd jail in a `sshd.local` file which we're going to create in the `/etc/fail2ban/jail.d` directory. |
| 169 | + |
| 170 | +To create and open the `sshd.local` file run: |
| 171 | + |
| 172 | +```bash |
| 173 | +nano /etc/fail2ban/jail.d/sshd.local |
| 174 | +``` |
| 175 | + |
| 176 | +Add the following to the file: |
| 177 | + |
| 178 | +```bash |
| 179 | +[sshd] |
| 180 | +enabled = true |
| 181 | +backend = systemd |
| 182 | +``` |
| 183 | + |
| 184 | +Now save and exit the file. |
| 185 | + |
| 186 | +Restart Fail2Ban to apply the changes: |
| 187 | + |
| 188 | +```bash |
| 189 | +systemctl restart fail2ban |
| 190 | +``` |
| 191 | + |
| 192 | +Check the status: |
| 193 | + |
| 194 | +```bash |
| 195 | +systemctl status fail2ban |
| 196 | +``` |
| 197 | + |
| 198 | +If you see `Active: active (running)`, the error has been resolved. |
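Review bot: `maxentry = 3` in the `[sshd]` block under "Edit Jail Configuration" is a misspelling of `maxretry`; the settings list a few lines later describes the option correctly as `maxretry`, and under the misspelled key Fail2Ban will not apply the intended three-failure threshold, leaving the jail at the default of `5` that the same list mentions. Suggest changing the line to `maxretry = 3`. Two smaller points in the same hunk: the "Install Fail2Ban" section opens with "To install UFW run:" above `apt install fail2ban` and should read "To install Fail2Ban run:", and "Ouput:" before the `fail2ban-client status sshd` listing should be "Output:". Finally, the `port` bullet says it is "the port to listen for SSH connections on", but Fail2Ban does not listen on the port; it is the port the ban action's firewall rule is applied to, so wording it as the port the ban covers (which is `22` by default) would be more accurate and still explains why a custom SSH port must be reflected here.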