[HowTo] Increase your IPv4 security with Fail2Ban and Tinyhoneypot
The ingredients

fail2ban can dynamically manage your firewall rules to lock out the bad guys.
tinyhoneypot listens on a TCP/IP port and logs the details of whoever connects to it.
The xinetd service starts tinyhoneypot and manages its listening ports.

Install the ingredients (just copy and paste the command shown after the prompt):
```
root@server:~# apt-get install tinyhoneypot fail2ban xinetd
```
Settings

To make SSH listen on a different port, rewrite the Port line of your sshd configuration file with the alternative port:
```
root@server:~# sed -i.orig 's/Port 22/Port 2201/m' /etc/ssh/sshd_config
```
Your original /etc/ssh/sshd_config is saved as /etc/ssh/sshd_config.orig. After you restart the SSH service it listens on port 2201 (no longer on 22):
```
root@server:~# service ssh restart
root@server:~# netstat -lptn | grep ssh
tcp        0      0 0.0.0.0:2201            0.0.0.0:*               LISTEN      4313/sshd
tcp6       0      0 :::2201                 :::*                    LISTEN      4313/sshd
```

So far so good.
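The one-line sed above only matches an active "Port 22" line; many stock sshd_config files ship with it commented out ("#Port 22"), in which case that sed changes nothing and sshd keeps listening on 22. The following helpers are an added example and not part of the original post: the function names are my own, and the demo runs on a constructed config so it never touches /etc/ssh. They handle both cases and let you verify the configured port before restarting sshd.

```shell
#!/bin/sh
# Added example, not part of the original post. Handles both an active
# "Port 22" line and a commented-out "#Port 22" line, and verifies the result
# before sshd is restarted. Function names are my own.

# set_sshd_port CONFIG PORT
# Keeps a copy of CONFIG as CONFIG.orig, comments out every active Port line
# and puts a single "Port PORT" at the top of the file (before any Match
# block, where Port is not allowed).
set_sshd_port() {
    cfg="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "set_sshd_port: invalid port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "set_sshd_port: port out of range: $port" >&2; return 1
    fi
    cp "$cfg" "$cfg.orig" || return 1
    {
        printf 'Port %s\n' "$port"
        # Comment out every active Port line so only ours remains in effect.
        sed -E 's/^([[:space:]]*Port[[:space:]]+[0-9]+.*)$/#\1/' "$cfg.orig"
    } > "$cfg"
}

# effective_sshd_ports CONFIG
# Prints the ports sshd would listen on: every active Port line (sshd accepts
# several of them), or 22 when none is present, which is sshd's built-in default.
effective_sshd_ports() {
    ports=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | awk '{printf "%s ", $2}')
    ports=${ports% }
    echo "${ports:-22}"
}

# Demo on a constructed sample config so the script runs without touching /etc/ssh.
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/sshd_config"
printf '# constructed sample sshd_config\n#Port 22\nAddressFamily any\n' > "$demo_cfg"
echo "before: $(effective_sshd_ports "$demo_cfg")"   # 22 (the Port line is only a comment)
set_sshd_port "$demo_cfg" 2201
echo "after:  $(effective_sshd_ports "$demo_cfg")"   # 2201
rm -rf "$demo_dir"
```

On a real host, run `set_sshd_port /etc/ssh/sshd_config 2201`, check `effective_sshd_ports /etc/ssh/sshd_config` prints only 2201, and keep your current session open until `netstat -lptn | grep ssh` confirms the new port after the restart.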
Configure xinetd to start tinyhoneypot listening on TCP port 22:
```
root@server:~# cp -v /usr/share/doc/tinyhoneypot/examples/xinetd.d/thp-pasv /etc/xinetd.d/
```
Edit your /etc/xinetd.d/thp-pasv so that it looks like this:

```
root@server:~# cat /etc/xinetd.d/thp-pasv
# default: on
# description: thp-pasv runs thpot with the "nullresp" argument: it accepts
# the connection, sends nothing back and logs the peer's details.
service thp-pasv
{
    type        = UNLISTED
    socket_type = stream
    protocol    = tcp
    port        = 22
    wait        = no
    user        = thpot
    server      = /usr/sbin/thpot
    server_args = nullresp
    nice        = 10
    disable     = no
    instances   = 1
    per_source  = 1
}
```
(Re)start xinetd with the new settings and make sure it listens on port 22:

```
root@server:~# service xinetd restart
root@server:~# netstat -lptn | grep xinetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4567/xinetd
```
Make sure it is working

Open an SSH connection from another machine:
```
attacker@hackerpc:~$ ssh 192.168.88.212
```

Nothing should happen; after a while, interrupt it with [Ctrl + C].
Then check the log entries on your test machine:
```
root@server:~# cat /var/log/thpot/captures
Feb 29 13:02:10 SID=56D4334221165.nullresp PID=4837 SRC=192.168.88.242 SPT=47187 ET=00:00:11 BYTES=39
```

If everything went well, there is an entry in your capture log with the connecting machine's address in the SRC= field.
Let's tune Fail2Ban to cooperate with tinyhoneypot

Never edit your jail.conf! Make a copy of it as jail.local and make changes ONLY in the .local file:

```
root@server:~# cd /etc/fail2ban/
root@server:/etc/fail2ban# cp -v jail.conf jail.local
```
Find the [ssh] section in your jail.local and set its port to match the "Port 2201" line of /etc/ssh/sshd_config:
```
[ssh]
enabled  = true
port     = 2201
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
```
Make a new entry in the JAIL section of jail.local. It makes Fail2Ban read the log file of tinyhoneypot and take the IPv4 address to deny from it. I recommend placing it after the [ssh] section, at about row 137:
```
[thp-ssh]
enabled   = true
port      = all
filter    = thpot
logpath   = /var/log/thpot/captures
banaction = iptables-allports
maxretry  = 1
findtime  = 1800
bantime   = 99999
```
Fail2ban needs a filter to know what to deny. The <HOST> macro stands for the IPv4 address to ban. Create a filter for it:

```
root@server:~# cat /etc/fail2ban/filter.d/thpot.local
[Definition]
failregex = SRC=<HOST>
ignoreregex =
```

That's it!
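Before enabling the jail it is worth seeing which sources the filter would actually hand to fail2ban. The script below is an added example, not part of the original post: it emulates what the failregex "SRC=<HOST>" extracts from the capture log and tallies hits per source against maxretry. Only dotted-quad IPv4 sources are counted, matching the post's IPv4 scope (fail2ban's <HOST> also matches IPv6 addresses and hostnames). The function name and the sample log lines are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: emulate the thpot filter's
# "SRC=<HOST>" failregex over the capture log and count hits per source.
# Function name and sample lines are constructed for this demo.

# thpot_sources MAXRETRY  (capture log on stdin)
# Prints "hits address" for every source whose hit count reaches MAXRETRY,
# sorted by address.
thpot_sources() {
    maxretry="${1:-1}"
    # Keep only well-formed dotted-quad SRC= values, then tally per address.
    grep -oE 'SRC=([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | cut -d= -f2 \
        | awk -v max="$maxretry" '
            { hits[$1]++ }
            END { for (ip in hits) if (hits[ip] >= max) print hits[ip], ip }' \
        | sort -k2,2
}

# Constructed sample of /var/log/thpot/captures: the first line is the entry
# shown in the post, the next two are made-up repeat visits from a second
# source, and the last is a damaged line with no SRC= field that must be ignored.
THPOT_SAMPLE='Feb 29 13:02:10 SID=56D4334221165.nullresp PID=4837 SRC=192.168.88.242 SPT=47187 ET=00:00:11 BYTES=39
Feb 29 13:05:42 SID=56D43400A1B2C.nullresp PID=4901 SRC=203.0.113.7 SPT=51022 ET=00:00:03 BYTES=0
Feb 29 13:06:01 SID=56D4340C7D9E1.nullresp PID=4910 SRC=203.0.113.7 SPT=51030 ET=00:00:02 BYTES=0
Feb 29 13:07:15 SID=56D43421A0F44.nullresp PID=4922 truncated entry without a source field'

echo "would be banned with maxretry = 1:"
printf '%s\n' "$THPOT_SAMPLE" | thpot_sources 1
echo "would be banned with maxretry = 2:"
printf '%s\n' "$THPOT_SAMPLE" | thpot_sources 2
```

On the real host, `thpot_sources 1 < /var/log/thpot/captures` shows every source the jail above would ban. The authoritative check is fail2ban's own tool, which applies the filter exactly as the daemon does: `fail2ban-regex /var/log/thpot/captures /etc/fail2ban/filter.d/thpot.local`.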
Just a short test: restart fail2ban so it picks up the new jail.

```
root@server:~# service fail2ban restart
```
You should see something similar at the end of /var/log/fail2ban.log:

```
2018-02-29 13:54:06,915 fail2ban.jail   [6102]: INFO Creating new jail 'thp-ssh'
2018-02-29 13:54:06,915 fail2ban.jail   [6102]: INFO Jail 'thp-ssh' uses pyinotify
2018-02-29 13:54:06,920 fail2ban.jail   [6102]: INFO Initiated 'pyinotify' backend
2018-02-29 13:54:06,922 fail2ban.filter [6102]: INFO Added logfile = /var/log/thpot/captures
2018-02-29 13:54:06,923 fail2ban.filter [6102]: INFO Set maxRetry = 1
2018-02-29 13:54:06,925 fail2ban.filter [6102]: INFO Set findtime = 1800
2018-02-29 13:54:06,926 fail2ban.actions[6102]: INFO Set banTime = 99999
2018-02-29 13:54:06,934 fail2ban.jail   [6102]: INFO Jail 'ssh' started
2018-02-29 13:54:06,940 fail2ban.jail   [6102]: INFO Jail 'thp-ssh' started
```
Your custom values from jail.local show up in that log; fine-tune them if needed:

```
findtime = 1800
bantime  = 99999
```
Have a look at your current iptables rules:

```
root@server:~# iptables-save
# Generated by iptables-save v1.4.21 on Mon Feb 29 14:05:17 2018
*filter
:INPUT ACCEPT [2:64]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-thp-ssh - [0:0]
-A INPUT -p tcp -j fail2ban-thp-ssh
-A INPUT -p tcp -m multiport --dports 2201 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
-A fail2ban-thp-ssh -j RETURN
COMMIT
# Completed on Mon Feb 29 14:05:17 2018
```
Let's check the deny rule from another machine:

```
attacker@hackerpc:~# ssh 192.168.88.212
^C
attacker@hackerpc:~# ssh 192.168.88.212
ssh: connect to host 192.168.88.212 port 22: Connection refused
```

The first connection does nothing; the attacker will probably interrupt it after a while. The second connection is refused.
Your iptables rules should look like this by now:

```
root@server:~# iptables-save
# Generated by iptables-save v1.4.21 on Mon Feb 29 14:10:53 2018
*filter
:INPUT ACCEPT [4:542]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:88]
:fail2ban-ssh - [0:0]
:fail2ban-thp-ssh - [0:0]
-A INPUT -p tcp -j fail2ban-thp-ssh
-A INPUT -p tcp -m multiport --dports 2201 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
-A fail2ban-thp-ssh -s 192.168.88.242/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-thp-ssh -j RETURN
COMMIT
# Completed on Mon Feb 29 14:10:53 2018
```

The result: the attacker's PC is REJECTED on every port.
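With port = all, banaction = iptables-allports and maxretry = 1, a single stray connection to port 22 (your own included) blocks that source on every port, 2201 among them, for the whole bantime. The helpers below are an added example, not part of the original post: the function names are my own, and the sample rules are constructed from the iptables-save output shown above with a second banned source added. They read iptables-save output and list exactly which sources a fail2ban chain is rejecting, so a lock-out can be spotted and reversed.

```shell
#!/bin/sh
# Added example, not part of the original post: report which sources a
# fail2ban chain is rejecting, from iptables-save output. Function names are
# my own; the sample rules are constructed from the post's output.

# banned_sources CHAIN  (iptables-save output on stdin)
# Prints the source of every REJECT or DROP rule in CHAIN, one per line.
banned_sources() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            src = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (src != "" && (target == "REJECT" || target == "DROP")) print src
        }'
}

# is_banned CHAIN ADDRESS  (iptables-save output on stdin)
# Succeeds when ADDRESS (with or without a /32 suffix) is rejected by CHAIN.
is_banned() {
    banned_sources "$1" | grep -qxF -e "$2" -e "$2/32"
}

# Constructed iptables-save output, modelled on the post, with a second
# banned source (203.0.113.7) added for the demo.
IPTABLES_SAMPLE='*filter
:INPUT ACCEPT [4:542]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:88]
:fail2ban-ssh - [0:0]
:fail2ban-thp-ssh - [0:0]
-A INPUT -p tcp -j fail2ban-thp-ssh
-A INPUT -p tcp -m multiport --dports 2201 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
-A fail2ban-thp-ssh -s 192.168.88.242/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-thp-ssh -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-thp-ssh -j RETURN
COMMIT'

echo "sources rejected by fail2ban-thp-ssh:"
printf '%s\n' "$IPTABLES_SAMPLE" | banned_sources fail2ban-thp-ssh
if printf '%s\n' "$IPTABLES_SAMPLE" | is_banned fail2ban-thp-ssh 192.168.88.242; then
    echo "192.168.88.242 is currently banned"
fi
```

On the live server, `iptables-save | banned_sources fail2ban-thp-ssh` gives the same list that `fail2ban-client status thp-ssh` reports as its banned IP list. A source banned by mistake is released with `fail2ban-client set thp-ssh unbanip 192.168.88.242`, and to keep your own administration hosts from ever being banned, set `ignoreip = 127.0.0.1/8 <your-admin-network>` (placeholder for your own address range) in the [DEFAULT] section of jail.local.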