The Unwritten Words :: Linux Newbie

Raspberry Pi: fail2ban (Security – Part III)

As I have mentioned before, fail2ban is a daemon that scans the log files you point it at and bans IPs that show malicious signs: too many password failures, probing for exploits, and so on. It is a must-have tool, especially if you want to allow ssh access from outside your local network. It is an automated script that reads the log files for you and jails the intruders. It supports a lot of services (sshd, apache, qmail, proftpd, sasl, asterisk, etc.) and integrates with your iptables firewall. It can also be configured to block WordPress comment spam and other unwanted intrusions. And, yes, it works! Just look here: fail2ban log.

Installation

Fail2ban requires Python 2.4 or higher. To check that it is installed, type:

dpkg --get-selections | grep python

If you don’t know how to install Python, try THIS automated script (remember to make it executable with sudo chmod ugo+x python27_on_debian.sh).

To install fail2ban on Raspbian, type the following (to build the software from source instead, head here):

sudo apt-get install fail2ban

The daemon should start automatically; if it doesn’t, run sudo service fail2ban start.

Configuration

You can configure fail2ban to watch any service you want: ssh, ftp, a web server, anything that listens on the internet and might be attacked from outside. It is really easy to set up fail2ban jails that tell the daemon where to look for intrusions, how many of them to allow before banning the intruder, and for how long. Rather than copy-paste every single bit of the world wide web, for the default configuration of the software, head here.

Jails

The service is driven by jails, which are declared in its jail configuration files: /etc/fail2ban/jail.conf holds the defaults shipped with the package, and your own changes belong in /etc/fail2ban/jail.local so they survive upgrades. By default, they contain examples of what might be configured. Every jail can be customized by tuning the following options:

Jail Options

Name      Default             Description
filter    (none)              Name of the filter the jail uses to detect matches. Each match by the filter increments the jail's counter for that IP.
logpath   /var/log/messages   Path to the log file that is handed to the filter.
maxretry  3                   Number of matches (i.e. the value of the counter) that triggers the ban action on the IP.
findtime  600 sec             Length of the window the counter covers: an IP is banned when it produces maxretry matches within findtime seconds; matches older than that no longer count.
bantime   600 sec             Duration (in seconds) for which the IP is banned. A negative number means a "permanent" ban.
Filters

Fail2ban filters live in the /etc/fail2ban/filter.d/ directory by default. They contain the regular expressions used to detect break-in attempts, password failures, etc. For example, filter.d/sshd.conf contains these four regular expressions to match lines of the log file (the first carries the failregex key, the rest are indented continuation lines of the same option):

failregex = Authentication failure for .* from <HOST>
            Failed [-/\w]+ for .* from <HOST>
            ROOT LOGIN REFUSED .* FROM <HOST>
            [iI](?:llegal|nvalid) user .* from <HOST>

This corresponds to log lines such as:

Jul 13 00:44:53 RaspberryPi sshd[19445]: Failed password for invalid user nobody from 118.244.14.49 port 54516 ssh2

And once an IP exceeds the number of matches you’ve allowed, fail2ban bans it and records the ban in /var/log/fail2ban.log (the jail is named [ssh] in Debian's jail.conf, even though its filter file is sshd.conf):

2013-07-13 00:44:53,400 fail2ban.actions: WARNING [ssh] Ban 118.244.14.49

and unbans it after the set period of time:

2013-07-14 00:44:53,400 fail2ban.actions: WARNING [ssh] Unban 118.244.14.49

Integrating fail2ban with WordPress

You probably already have plugins installed, such as Akismet, that catch spam on your blog, but it is still a good idea to integrate fail2ban with them, especially on a Raspberry Pi whose SD card has a relatively short write lifespan. Many spammers post a huge number of comments from a single IP. Even if they have all been correctly marked as spam, the volume makes the spam queue difficult to monitor, and even if the spam never appears on your blog, it still wastes valuable resources of your server. A low-memory server needs all of them for serving legitimate users. Banning spammers at the firewall, before they ever reach your web server, is far cheaper. There is a small plugin for that purpose, spam-log, that you install into your WordPress plugins. What does it do?

Spam-log simply logs a message every time a comment is marked as spam. Each message contains the spammer's IP address and the comment ID. fail2ban then processes that log and bans the misbehaving IP.

Spam-log: Installation

1. Go into your WordPress plugin directory:

cd /path/to/your/wp-content/plugins

2. Download the plugin with wget:

wget http://static.shadypixel.com/files/spam-log-0.1.tar.gz

3. Unpack it into your WordPress plugin folder (if that fails with a permission error, prefix the command with sudo); the archive is gzip-compressed, so the flag is z, not j:

tar xvzf spam-log-0.1.tar.gz

4. Activate the plugin through the WordPress Admin menu.

5. Set the location of the spam log on Spam Log’s Options page in the WordPress Admin menu. By default it is wp-content/spam.log. The file, or the directory containing it, must be writable by the user the web server runs as; on Debian or Ubuntu systems that user is www-data, so you can do the following:

sudo touch /path/to/spam.log
sudo chown www-data:www-data /path/to/spam.log

fail2ban: Configuration

1. Create the spam-log filter file:

sudo nano /etc/fail2ban/filter.d/spam-log.conf

with the following contents:

[Definition]
failregex = ^\s*comment id=\d+ from host=<HOST> marked as spam$
ignoreregex =

2. Add the following jail to /etc/fail2ban/jail.local (findtime and bantime are in seconds; keep comments on lines of their own, because a trailing # comment on a value line is not stripped and leaves fail2ban with a value like "3600 #in seconds" that it cannot read as a number):

[spam-log]
enabled = true
port = http,https
filter = spam-log
logpath = /change/to/path/to/spam.log
maxretry = 5
# findtime and bantime are in seconds
findtime = 3600
bantime = 86400

This configuration bans an IP address for a day if it posts 5 comments within an hour that get marked as spam. You can change maxretry to suit your needs, but be cautious about lowering it, as you risk banning legitimate users (a single Akismet false positive would then be enough). Remember too that the ban is applied at the firewall for the listed ports, so a banned address loses access to the whole site, not only to the comment form; put your own addresses in ignoreip in the [DEFAULT] section of jail.local so you can never lock yourself out.
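To see the jail semantics from the options table in action, applied both to the sshd filter quoted in the Filters section and to the spam-log jail just configured, here is a small Python simulation. It is an added example, not code from the original post or from fail2ban itself: it replays constructed log messages (addresses from the RFC 5737 documentation ranges, times relative to the post's sample log line) through a toy jail that bans a host after maxretry matches inside findtime seconds and unbans it after bantime. The <HOST> stand-in pattern, the use of re.search on the message after the timestamp has been stripped, and the sample lines themselves are assumptions made for the demo.

```python
import re
from datetime import datetime, timedelta

# fail2ban substitutes <HOST> with its own IP-or-hostname pattern; this stand-in
# (an assumption, not fail2ban's pattern) captures an IPv4 or hostname-like token.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9][A-Za-z0-9.\-]*)"

# The four sshd failregex lines and the spam-log failregex quoted in the post.
SSHD_FAILREGEX = [
    r"Authentication failure for .* from <HOST>",
    r"Failed [-/\w]+ for .* from <HOST>",
    r"ROOT LOGIN REFUSED .* FROM <HOST>",
    r"[iI](?:llegal|nvalid) user .* from <HOST>",
]
SPAMLOG_FAILREGEX = [r"^\s*comment id=\d+ from host=<HOST> marked as spam$"]


class Jail:
    """Toy fail2ban jail: filter regexes, a per-host counter inside findtime, a ban
    list. As in fail2ban, the filter sees the message with the log timestamp already
    stripped; re.search is an approximation of fail2ban's own anchoring rules."""

    def __init__(self, name, failregex, maxretry=3, findtime=600, bantime=600):
        self.name = name
        self.regexes = [re.compile(r.replace("<HOST>", HOST_RE)) for r in failregex]
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.attempts = {}  # host -> match times still inside the findtime window
        self.banned = {}    # host -> time at which the ban expires
        self.log = []       # what fail2ban would write to fail2ban.log

    def tick(self, now):
        """Lift bans whose bantime has elapsed (fail2ban does this periodically)."""
        for host, until in sorted(self.banned.items(), key=lambda kv: kv[1]):
            if now >= until:
                del self.banned[host]
                self.log.append("[%s] Unban %s" % (self.name, host))

    def match(self, message):
        """Return the <HOST> captured by the first matching failregex, else None."""
        for regex in self.regexes:
            m = regex.search(message)
            if m:
                return m.group("host")
        return None

    def process(self, now, message):
        """Feed one log message; return the host it got banned, if any."""
        self.tick(now)
        host = self.match(message)
        if host is None or host in self.banned:
            return None
        window = self.attempts.setdefault(host, [])
        window.append(now)
        # Only matches inside the last findtime seconds count towards maxretry.
        window[:] = [t for t in window if now - t <= self.findtime]
        if len(window) < self.maxretry:
            return None
        self.banned[host] = now + self.bantime
        del self.attempts[host]
        self.log.append("[%s] Ban %s" % (self.name, host))
        return host


T0 = datetime(2013, 7, 13, 0, 44, 53)  # the instant of the post's sample log line

# Constructed sshd messages (seconds after T0, message minus the syslog timestamp):
# 203.0.113.5 fails three times inside a minute, 198.51.100.9 three times spread
# over more than findtime, and 192.0.2.2 logs in successfully.
SSHD_EVENTS = [
    (0, "RaspberryPi sshd[19445]: Failed password for root from 203.0.113.5 port 40001 ssh2"),
    (30, "RaspberryPi sshd[19446]: Invalid user admin from 203.0.113.5"),
    (60, "RaspberryPi sshd[19447]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2"),
    (90, "RaspberryPi sshd[19448]: Failed password for root from 203.0.113.5 port 40003 ssh2"),
    (0, "RaspberryPi sshd[19449]: Failed password for pi from 198.51.100.9 port 50001 ssh2"),
    (400, "RaspberryPi sshd[19450]: Failed password for pi from 198.51.100.9 port 50002 ssh2"),
    (1000, "RaspberryPi sshd[19451]: Failed password for pi from 198.51.100.9 port 50003 ssh2"),
    (120, "RaspberryPi sshd[19452]: Accepted publickey for pi from 192.0.2.2 port 60001 ssh2"),
]

# Constructed spam.log messages in the format the spam-log filter expects:
# five spam comments from 203.0.113.77 inside an hour, a single one from 198.51.100.3.
SPAMLOG_EVENTS = [(600 * i, "comment id=%d from host=203.0.113.77 marked as spam" % (101 + i))
                  for i in range(5)]
SPAMLOG_EVENTS.append((300, "comment id=106 from host=198.51.100.3 marked as spam"))


def run_jail(jail, events, end):
    """Replay events in time order, then sweep expired bans at T0 + end seconds."""
    for offset, message in sorted(events, key=lambda e: e[0]):
        jail.process(T0 + timedelta(seconds=offset), message)
    jail.tick(T0 + timedelta(seconds=end))
    return jail


def ssh_demo():
    # Debian names the jail [ssh] and uses filter sshd; the table's defaults apply.
    return run_jail(Jail("ssh", SSHD_FAILREGEX, 3, 600, 600), SSHD_EVENTS, end=1200)


def spamlog_demo():
    return run_jail(Jail("spam-log", SPAMLOG_FAILREGEX, 5, 3600, 86400), SPAMLOG_EVENTS, 3600)


if __name__ == "__main__":
    for jail in (ssh_demo(), spamlog_demo()):
        print("\n".join(jail.log))
        print("[%s] still banned: %s" % (jail.name, sorted(jail.banned)))
```

Running it prints the Ban/Unban lines the real daemon would write to fail2ban.log: the [ssh] jail bans 203.0.113.5 on its third failure within a minute and lifts the ban 600 seconds later, while 198.51.100.9 is never banned because its three failures do not fall inside one 600-second window; the [spam-log] jail bans 203.0.113.77 on its fifth spam comment within the hour. Before enabling a new filter on a live box, the check that matters is fail2ban-regex run against your real log file and the filter file, which reports how many lines the failregex actually matches.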

Stay tuned for more security advice, coming soon!
