Monday, 20 March 2017

Hardening SSH - Prevent Brute Force

Before following the instructions below and installing utilities, make sure root login over SSH is restricted.
You can restrict root in /etc/ssh/sshd_config by putting '#' in front of PermitRootLogin; commenting it out falls back to the sshd default of your build, so setting PermitRootLogin no explicitly is the unambiguous choice.
Also change the SSH port from 22 to another port of your choosing.

Important: Move your server to IPv6 if possible. The IPv6 address range (2^128) is far harder to scan than the IPv4 range (2^32), so an attacker has much more difficulty finding your host in the first place. This only raises the cost of discovery; it does nothing against an attacker who already knows your address, which is why the measures below are still needed.

Let's start....

We're going to install fail2ban with pf (on Linux, use iptables instead). Other methods and techniques also help prevent this attack, for example:
Use key-based authentication instead of passwords.
Restrict SSH access for other unprivileged users.
Protect SSH through your redundant firewall if you already have one.

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, and so on.
It is useful for banning bots that try to brute-force your SSH service and flood your logs (other solutions are to restrict the allowed source IPs or to change the sshd port).

Here is a quick how-to for enabling fail2ban on FreeBSD, in combination with pf (packet filter).

Update 07/05/2015 : This works on FreeBSD 9.x. I haven’t tested it against FreeBSD 10.x yet.

First, install it, using pkg, portinstall, or whatever you prefer:

# pkg install py27-fail2ban

Then go to /usr/local/etc/fail2ban and create the file jail.d/ssh-pf.local:

[ssh-pf]
enabled  = true
filter   = sshd
action   = pf
#          sendmail-whois[name=SSH, dest=root@localhost, sender=noreply@localhost]
logpath  = /var/log/auth.log
findtime = 600
maxretry = 3
bantime  = 3600

You can of course tune maxretry/bantime/findtime or enable the mail notification.
I use pf as the action ('action = pf'); you can see what this action does in action.d/pf.conf:

[Definition]
actionstart = 
actionstop = 
actioncheck = 
actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
[Init]
tablename = fail2ban

When the action is triggered, fail2ban runs pfctl -t <tablename> -T add <ip>/32 to add the offending address to the pf table 'fail2ban'. Note that actionstart is empty, so fail2ban does not create the table itself; it must already exist, which is what the persist keyword in the pf.conf rule below takes care of.
It's now OK on the fail2ban side (easy, right?).
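To see how the findtime/maxretry values in the jail interact, here is an added example (not fail2ban's own code and not from the original post) that replays a few constructed auth.log lines through a simplified stand-in for the sshd filter and reports the pfctl command the pf action would run, without executing anything. The regex, the hostname and the year used for the syslog timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Jail parameters taken from the ssh-pf.local above.
FINDTIME = 600    # seconds an earlier failure stays relevant
MAXRETRY = 3      # failures inside that window that trigger a ban
TABLENAME = "fail2ban"   # tablename from action.d/pf.conf

# Simplified stand-in for fail2ban's sshd filter (assumption: only "Failed password" lines).
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_time(stamp, year=2017):
    # syslog stamps carry no year; the year is assumed here
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_bans(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return [(ip, pfctl command)] for every IP reaching maxretry failures within findtime."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned, result = set(), []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue          # accepted logins and unrelated lines never count
        ts, ip = parse_time(m.group(1)), m.group(2)
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()       # sliding window: forget failures older than findtime
        if len(q) >= maxretry and ip not in banned:
            banned.add(ip)
            # this is what actionban in pf.conf would execute; here it is only reported
            result.append((ip, f"/sbin/pfctl -t {TABLENAME} -T add {ip}/32"))
    return result

# Constructed sample of /var/log/auth.log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
Mar 20 10:00:01 bsdhost sshd[1234]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar 20 10:00:03 bsdhost sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar 20 10:00:05 bsdhost sshd[1235]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Mar 20 10:01:00 bsdhost sshd[1240]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar 20 10:30:00 bsdhost sshd[1241]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar 20 10:40:00 bsdhost sshd[1242]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Mar 20 10:40:05 bsdhost sshd[1243]: Accepted publickey for alice from 192.0.2.5 port 30000 ssh2
""".splitlines()
```

With the page's values only 203.0.113.7 (three failures in four seconds) is banned; 198.51.100.9 spreads its three failures over 39 minutes and stays under maxretry inside any 600-second window, which is exactly the trade-off you tune with findtime.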

On the pf side, in /etc/pf.conf (blank by default; adapt it if you already have pf rules), you need to add a rule to block all IPs in the fail2ban table, for example:

ext_if="re0" # your interface ! 
table <fail2ban> persist
block quick proto tcp from <fail2ban> to $ext_if port ssh

Now we need to start pf, then fail2ban:

/etc/rc.d/pf onestart
/usr/local/etc/rc.d/fail2ban onestart

I use onestart on the assumption that this is the first start of pf and fail2ban; to start them automatically on boot you need to add pf and fail2ban to /etc/rc.conf.

Now you can look in /var/log/fail2ban.log to see the detected IPs and the bans applied.

To list the currently banned IPs:

pfctl -t fail2ban -T show

And you need to add these lines to /etc/rc.conf:

# Start PF Firewall
pf_enable="YES"

# Start Fail2Ban, to stop hackers
fail2ban_enable="YES"

Sources:
https://philpep.org/blog/fail2ban-sshd-et-pf
https://www.freebsd.org/doc/handbook/
