Protect public Linux servers with fail2ban

Do you have public facing Linux servers?

Of course you do. Who doesn’t!?!? Or why would you be here if you wouldn’t?

I’m not a big fan of security through obscurity, so I need, or we all need, a way to protect our known public ports.

I know, iptables or any of it’s derivatives are always there, but, what about that one port that must stay opened and accessible? After all, if you didn’t need a public facing service, you wouldn’t need to to make it public, would you?

fail2ban to the rescue

fail2ban is a very useful utility that creates rules on your firewall to block failed authentication attempts. It can be used with any service that generates log files. As an example I will use SSH.

How To

Installation

Installation of fail2ban is as easy as it gets. Just make sure you have your repositories up to date and to a yum install fail2ban or apt-get install fail2ban.

Configuration

First step to configure fail2ban is to copy it’s config file to a .local file.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

fail2ban configuration should be done only on the new .local file

In the jail.local file, let’s search for the area [ssh] or [ssh-iptables] depending if you use a Debian base or red hat base distro.

Make sure that it is enabled and the log file is pointing to the right location.

We can also set the ban duration and the number of tries before banning. I like to ban for 1 hour (value in seconds) and after 5 retries.

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
banaction = iptables-allports ; ban retrys on any port
bantime = 3600 ; ip address is banned for 10 minutes
maxretry = 5 ; allow the ip address retry a max of 10 times

After the configuration done, let’s start the service and see it in action.

Seeing it all come together

If you have anyone testing your defences you should see fail2ban in action very fast. Just to a word count of the number of lines in auth.log with failed attempts like so:
less /var/log/auth.log | grep ‘sshd.*Failed’ | wc -l
The follow up with a listing of your iptables rules with iptables -L.

Wrap up

Very useful tool this fail2ban. There are many more configuration possible, for other services, for e-mail notifications, for different actions, etc.

This is just a very basic starting point.
Now go explore and stay safe.

Active Directory accounts – Security Auditing (The very basics – part 1)

Dear reader,

 

How many times have you been confronted with bad passwords, and accounts set to never expire?

How many times you were asked to audit and Active Directory of a client ora new organization you just joined?

How about users that “forgot” they changed their own password?

 

Well fear no more, this post is for you!

Open your PowerShell and let’s get started.

 

Scenario 1 – “I can’t login! My password isn’t working!”

 

For this scenario be prepared to quick draw your PowerShell Fu and type the following command:

Get-ADUser -identity username -properties PasswordLastSet, PasswordExpired

 

This will quickly tell you if the password is expired or if it was recently changed and forgotten!

 

Scenario 2 – (Angry Boss/Security guy) Why is this user account password not expiring? How many of these exist?

 

This is usually B A D!

But worry not. hopefully you are proactively workign on this (if your not, get on it) and you have at hand the latest list, obtained with:

Get-ADUser -Filter * -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires | Sort-Object Name | Select-Object Name, PasswordLastSet, PasswordExpired, PasswordNeverExpires | Export-Csv -Path <LocalPath><filename>.csv

 

And you are done. With this list, you can identify all users with passwords not expiring and with the added bonus of understanding if the current passwords are expired or not.

(Pro Tip: Why the PasswordExpired and PasswordLastSet? Well, as soon as you start updating the PasswordNeverExpires to False, users will start being asked to change their passwords, and that can cause a lot of havoc. Those two fields will help with the correction plan for all those accounts.)

 

And there you have it. You can start owning your Active Directory.