www.centos.org Forum Index > CentOS 5 - Security Support > fail2ban Centos 5 sshd Rules Thread - Advice/Experience welcome

 

#1 ikonia (Newbie; Joined: 2009/4/6; Posts: 2)
fail2ban Centos 5 sshd Rules Thread - Advice/Experience welcome
Guys,

I've configured Dag's fail2ban package on my centos 5.3 servers.

The default configuration out of the box catches some errors, however some it doesn't catch, which are fixable, but I'm sure there are even more that I'm not aware of or have not thought about.

The purpose of this post is to concentrate on sshd rules

The out of the box regex rules from /etc/fail2ban/filter.d/sshd.conf look like this
failregex = (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
            ROOT LOGIN REFUSED.* FROM <HOST>\s*$
            [iI](?:llegal|nvalid) user .* from <HOST>\s*$
            Invalid user .* from <HOST>\s*$
            User .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
            authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$


running

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf


I get the following results

Failregex
|- Regular expressions:
|  [1] (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
|  [2] Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
|  [3] ROOT LOGIN REFUSED.* FROM <HOST>\s*$
|  [4] [iI](?:llegal|nvalid) user .* from <HOST>\s*$
|  [5] Invalid user .* from <HOST>\s*$
|  [6] User .+ from <HOST> not allowed because not listed in AllowUsers\s*$
|  [7] User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
|  [8] Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$
|  [9] authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|
`- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 0 match(es)
   [4] 4545 match(es)
   [5] 4545 match(es)
   [6] 0 match(es)
   [7] 0 match(es)
   [8] 0 match(es)
   [9] 0 match(es)


which is great; as you can see, rules 4/5 catch the user brute force you can see in the log

Mar  8 14:07:02 bender sshd[21575]: Invalid user oracle1 from 205.237.202.133
Mar  8 14:07:03 bender sshd[21576]: input_userauth_request: invalid user oracle1
Mar  8 14:07:03 bender sshd[21576]: Received disconnect from 205.237.202.133: 11: Bye Bye
Mar  8 14:07:03 bender sshd[21577]: Invalid user grace from 205.237.202.133
Mar  8 14:07:03 bender sshd[21578]: Invalid user grace from 205.237.202.133


However it doesn't find
Mar 10 07:43:59 bender sshd[14659]: reverse mapping checking getaddrinfo for 221-135-54-97.sify.net failed - POSSIBLE BREAK-IN ATTEMPT!


which is because the regex pattern doesn't pick up ATTEMPT!, it picks up ATTEMPT.

Adjusting the rule
Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$


to

Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$


should resolve this

which we can see by re-running the fail2ban-regex test

Results
=======

Failregex
|- Regular expressions:
|  [1] (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
|  [2] Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
|  [3] ROOT LOGIN REFUSED.* FROM <HOST>\s*$
|  [4] [iI](?:llegal|nvalid) user .* from <HOST>\s*$
|  [5] Invalid user .* from <HOST>\s*$
|  [6] User .+ from <HOST> not allowed because not listed in AllowUsers\s*$
|  [7] User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
|  [8] Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$
|  [9] authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|
`- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 0 match(es)
   [4] 4545 match(es)
   [5] 4545 match(es)
   [6] 0 match(es)
   [7] 0 match(es)
   [8] 1 match(es)
   [9] 0 match(es)


does catch it.


The questions are

1.) are there any more rules that should be added from experience
2.) is there a better way to design these rules.
Posted on: 2009/4/6 14:17
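To make the `ATTEMPT` vs `ATTEMPT!` point checkable offline, here is a small Python harness (added here, not from the thread and not fail2ban's own engine) that expands `<HOST>` the way fail2ban 0.8 does (assumption: the expansion is quoted from memory of the 0.8 source) and runs three of the failregex patterns over the two log lines quoted above plus one constructed line in the `Address X maps to Y ... POSSIBLE BREAK-IN ATTEMPT!` form OpenSSH also logs. It uses a plain `re.search` instead of fail2ban's date stripping, and it shows that the quoted `reverse mapping checking getaddrinfo ... failed` line carries neither the `Address` prefix nor an IP, so a `<HOST>`-based rule has nothing to ban on it.

```python
import re

# Rules copied from the thread's sshd.conf; the BREAK-IN rule appears in both
# the shipped form and the poster's "!" form so the difference is visible.
RULES = {
    "invalid_user": r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    "break_in_no_bang": r"Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$",
    "break_in_bang": r"Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$",
}

# Assumption: this is the group fail2ban 0.8 substitutes for the <HOST> tag
# (optional IPv4-mapped prefix, then an IP or hostname).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def compile_rule(failregex):
    """Expand <HOST> and compile, as fail2ban-regex does before testing."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_line(line, rules=RULES):
    """Return {rule_name: host} for every rule that fires on one log line.

    Simplified harness: real fail2ban strips the timestamp with its date
    detector first; a bare re.search is enough to show which pattern fires
    and what it would hand to the ban action.
    """
    hits = {}
    for name, failregex in rules.items():
        m = compile_rule(failregex).search(line)
        if m:
            hits[name] = m.group("host")
    return hits


# First two lines are quoted from the thread; the third is constructed in the
# OpenSSH forward/reverse DNS mismatch form (198.51.100.7 is documentation space).
SAMPLE_LOG = [
    "Mar  8 14:07:02 bender sshd[21575]: Invalid user oracle1 from 205.237.202.133",
    "Mar 10 07:43:59 bender sshd[14659]: reverse mapping checking getaddrinfo for "
    "221-135-54-97.sify.net failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Mar 10 07:44:01 bender sshd[14660]: Address 198.51.100.7 maps to example.invalid, "
    "but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
]


def summarize(lines=SAMPLE_LOG):
    """(message text, hits) per line; empty hits means fail2ban would ignore it."""
    return [(line.split("]: ", 1)[1], match_line(line)) for line in lines]


if __name__ == "__main__":
    for msg, hits in summarize():
        print(f"{hits or 'no rule fires':<45} <- {msg[:60]}")
```

Without the `!`, `\s*$` has to anchor right after `ATTEMPT`, so the `!`-terminated line never matches; with it the constructed `Address ...` line matches and yields `198.51.100.7` as the host to ban.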
#2 adamos (Jr Board Member; Joined: 2008/6/4; From: nj; Posts: 47)
Re: fail2ban Centos 5 sshd Rules Thread - Advice/Experience welcome
Why don't you configure your iptables for ssh access? Also, add entries in /etc/hosts.deny and hosts.allow for an additional layer of access prevention.

SSH should be accessible from IPs that you trust only.

If you want an automated firewall for intrusion detection, try fwsnort from cipherdyne.

My .02

-Adam
Posted on: 2009/4/6 17:21
#3 pjwelsh (Professional Board Member; Joined: 2007/1/7; From: Central IL USA; Posts: 2195)
Re: fail2ban Centos 5 sshd Rules Thread - Advice/Experience welcome
fail2ban can issue iptables rule changes. That's part of the beauty of fail2ban. It's also VERY lightweight. Just like fwsnort it can do MORE than just ssh.
Posted on: 2009/4/6 17:56
#4 ikonia (Newbie; Joined: 2009/4/6; Posts: 2)
Re: fail2ban Centos 5 sshd Rules Thread - Advice/Experience welcome
Just to be clear - I'm not asking for alternative options, or how to secure an ssh box - I'm looking to document a very solid set of fail2ban rules on a centos box, as there is very little on the web and the default rule set shipped with Dag's package misses some key attacks.
Posted on: 2009/4/7 7:43
"Linux" is a registered trademark of Linus Torvalds. | All other trademarks are property of their respective owners. | All other content is Copyright @ 2004-2009 by the CentOS Project or "each individual contributor (forums, comments, etc.) unless otherwise assigned".| Theme based on a theme by 7dana.com