fail2ban on Raspberry Pi?


Post by Levy » 11 Oct 2023 14:06

Hello.
I have a Raspberry Pi 4 that I use as a home server.
It runs various services: Node-Red, icecast2, liquidsoap, ssh, ftp, dlna, samba, an apache2 server and all sorts of harmless gadgets.

For a while now I've noticed that PuTTY doesn't seem to connect as fast as usual, it seems to lag. And that's where the search began.
To my surprise, I noticed in the logs attempts to connect to the server over ssh with the root user and a wrong password. If I remember correctly I don't even have a root user created. :haha: :haha:
The surprise was even bigger when I noticed that not just one IP was trying this, but several. Very many. :haha:

At first I said to myself, what could they steal from this server? The music I listen to once every few days from the liquidsoap folders? So I didn't get too worried, but after watching what was happening for a few days, I decided I had to do something, because what shows up in the logs is already too much.

So I installed fail2ban:

Code:

sudo apt update
sudo apt upgrade
sudo apt install fail2ban


From the /etc/fail2ban folder I copied the file jail.conf to /etc/fail2ban/jail.local

Code:

cd /etc/fail2ban
sudo cp jail.conf jail.local


after which I edited it a bit,

Code:

sudo nano /etc/fail2ban/jail.local


and now it looks like this:

Code:

[sshd]
enabled = true
filter = sshd
port = 22
logpath = /var/log/auth.log
banaction = iptables-multiport
bantime = 86400
# maxretry = 1 bans on the very first failed password, so ignoreip must cover every trusted source
maxretry = 1
# maxconn is not a fail2ban jail option and has no effect
#maxconn = 3
#logpath = %(sshd_log)s
backend = %(sshd_backend)s
# ignoreip takes addresses, CIDR ranges or hostnames, not shell-style wildcards
ignoreip = 127.0.0.1/8 192.168.0.0/24

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/access.log
maxretry = 300
findtime = 60
bantime = 86400

# identical to [http-get-dos] (same filter, ports and log), so it only bans the
# same hosts a second time; one of the two jails is enough
[https-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/access.log
maxretry = 300
findtime = 60
bantime = 86400


[apache]
enabled = true
port = http,https
filter = apache-auth
# the stock apache-auth filter matches authentication failures in the error log, not the access log
logpath = /var/log/apache2/error.log
maxretry = 6
findtime = 3600
bantime = 86400
ignoreip = 127.0.0.1/8 192.168.0.0/24

# the filter shipped with fail2ban is called apache-overflows; with this spelling
# there is no filter.d/apache-owerflow.conf, so this jail does not load (it is
# missing from the fail2ban-client status output further down)
[apache-owerflow]
enabled = true
port = http,https
filter = apache-owerflow
logpath = /var/log/apache2/error.log
maxretry = 3
findtime = 3600
bantime = 86400

[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/error.log
maxretry = 3
findtime = 3600
bantime = 86400

[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/error.log
maxretry = 2
findtime = 3600
bantime = 86400

I don't know if these are the best settings; if you have anything to add, please do,

after which I enabled the fail2ban service:

Code:

sudo systemctl enable fail2ban


Start fail2ban

Code:

sudo systemctl start fail2ban


after which we check whether it is working:

Code:

sudo systemctl status fail2ban


on my machine this command prints the following in the console:

Code:

root@raspberrypi:/etc/fail2ban# sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor pr>
     Active: active (running) since Wed 2023-10-11 14:16:18 EEST; 26min ago
       Docs: man:fail2ban(1)
    Process: 167455 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, st>
   Main PID: 167456 (fail2ban-server)
      Tasks: 15 (limit: 8754)
        CPU: 6.530s
     CGroup: /system.slice/fail2ban.service
             └─167456 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Oct 11 14:16:18 raspberrypi systemd[1]: Starting Fail2Ban Service...
Oct 11 14:16:18 raspberrypi systemd[1]: Started Fail2Ban Service.
Oct 11 14:16:18 raspberrypi fail2ban-server[167456]: 2023-10-11 14:16:18,771 >
Oct 11 14:16:18 raspberrypi fail2ban-server[167456]: 2023-10-11 14:16:18,771 >
Oct 11 14:16:18 raspberrypi fail2ban-server[167456]: 2023-10-11 14:16:18,771 >
Oct 11 14:16:19 raspberrypi fail2ban-server[167456]: Server ready


And we can also check the fail2ban status

Code:

sudo fail2ban-client status


On my machine, after this command, it shows:

Code:

root@raspberrypi:/etc/fail2ban# sudo fail2ban-client status
Status
|- Number of jail:      6
`- Jail list:   apache, apache-badbots, apache-noscript, http-get-dos, https-get-dos, sshd
root@raspberrypi:/etc/fail2ban#


We can see that we have 6 kinds of filters configured; for now I'm interested in the ssh one, so we run

Code:

sudo fail2ban-client status sshd


And here we have quite a big surprise:

Code:

root@raspberrypi:/etc/fail2ban# sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 73
   |- Total banned:     73
   `- Banned IP list:   (list of 73 addresses omitted)


Honestly, I can't understand what these people want, continuously trying to crack the root password over ssh.
Come to think of it, I noticed the strange activity on the little server entirely by accident.
The apache2 server has nothing but a clock on its main page:

And I have something else, two thermometers I still want to work on, but I haven't had time in the last two weeks.

At first I thought it was something personal, but there's no reason it would be.
I think everything is being scanned in every possible direction. Who knows what activity is going on in the background that we have no idea about.

What I forgot to include in this write-up: configuring the filters. Normally you should have ready-made filters in the /etc/fail2ban/filter.d folder, but for http-get-dos, for example, I didn't have one, so I created the file /etc/fail2ban/filter.d/http-get-dos.conf, which looks like this:

Code:

[Definition]
# <HOST> is fail2ban's placeholder for the client address; this matches any
# GET/POST that received a status of 400-409 (40\d does not cover 410-499)
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*" 40\d .*$
ignoreregex =


Of course, do the same for https, and for all the services for which you don't have these filters.
I think it would be good for those with more experience (I'm a beginner amateur! :haha:), who I believe can help us in this direction, to share their opinions.
Server hardening hasn't really been discussed on this forum.

Have a nice day, everyone! :hat:

Post by Levy » 12 Oct 2023 17:28

After a whole day of fail2ban lying in wait to ban IPs that try to crack the root password, the fail2ban statistics look like this:

Code:

root@raspberrypi:~# sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     695
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 364
   |- Total banned:     471
   `- Banned IP list:   (list of 364 addresses omitted)
root@raspberrypi:~#



I can't understand what the hell is going on on the network.

The attempts looked roughly like this in the logs:

Code:

raspberrypi sshd[17175]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.222.11.100  user=root
raspberrypi sshd[17175]: Failed password for root from 124.222.11.100 port 47346 ssh2
raspberrypi sshd[17170]: Connection closed by 81.71.118.210 port 39588 [preauth]
raspberrypi sshd[17175]: Received disconnect from 124.222.11.100 port 47346:11: Bye Bye [preauth]
raspberrypi sshd[17175]: Disconnected from authenticating user root 124.222.11.100 port 47346 [preauth]
raspberrypi sshd[17181]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=187.107.127.37  user=root
raspberrypi sshd[17181]: Failed password for root from 187.107.127.37 port 38580 ssh2
raspberrypi sshd[17181]: Received disconnect from 187.107.127.37 port 38580:11: Bye Bye [preauth]
raspberrypi sshd[17181]: Disconnected from authenticating user root 187.107.127.37 port 38580 [preauth]
raspberrypi sshd[17195]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2.40.191.117  user=root
raspberrypi sshd[17195]: Failed password for root from 2.40.191.117 port 54228 ssh2
raspberrypi sshd[17195]: Received disconnect from 2.40.191.117 port 54228:11: Bye Bye [preauth]
raspberrypi sshd[17195]: Disconnected from authenticating user root 2.40.191.117 port 54228 [preauth]
raspberrypi sshd[17245]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=83.144.237.18  user=root
raspberrypi sshd[17245]: Failed password for root from 83.144.237.18 port 34302 ssh2
raspberrypi sshd[17245]: Received disconnect from 83.144.237.18 port 34302:11: Bye Bye [preauth]
raspberrypi sshd[17245]: Disconnected from authenticating user root 83.144.237.18 port 34302 [preauth]
raspberrypi sshd[17378]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.71.118.210  user=root
raspberrypi sshd[17378]: Failed password for root from 81.71.118.210 port 48824 ssh2
raspberrypi sshd[17378]: Received disconnect from 81.71.118.210 port 48824:11: Bye Bye [preauth]
raspberrypi sshd[17378]: Disconnected from authenticating user root 81.71.118.210 port 48824 [preauth]
raspberrypi sshd[17406]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2.40.191.117  user=root
raspberrypi sshd[17410]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=187.107.127.37  user=root
raspberrypi sshd[17406]: Failed password for root from 2.40.191.117 port 46594 ssh2
raspberrypi sshd[17406]: Received disconnect from 2.40.191.117 port 46594:11: Bye Bye [preauth]
raspberrypi sshd[17406]: Disconnected from authenticating user root 2.40.191.117 port 46594 [preauth]
raspberrypi sshd[17410]: Failed password for root from 187.107.127.37 port 38938 ssh2
raspberrypi sshd[17410]: Received disconnect from 187.107.127.37 port 38938:11: Bye Bye [preauth]
raspberrypi sshd[17410]: Disconnected from authenticating user root 187.107.127.37 port 38938 [preauth]
raspberrypi sshd[17430]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=83.144.237.18  user=root
raspberrypi sshd[17430]: Failed password for root from 83.144.237.18 port 34142 ssh2
raspberrypi sshd[17430]: Received disconnect from 83.144.237.18 port 34142:11: Bye Bye [preauth]
raspberrypi sshd[17430]: Disconnected from authenticating user root 83.144.237.18 port 34142 [preauth]
raspberrypi sshd[17481]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.221  user=root
raspberrypi sshd[17481]: Failed password for root from 180.101.88.221 port 58748 ssh2
raspberrypi sshd[17481]: Failed password for root from 180.101.88.221 port 58748 ssh2
raspberrypi sshd[17481]: Received disconnect from 180.101.88.221 port 58748:11:  [preauth]
raspberrypi sshd[17481]: Disconnected from authenticating user root 180.101.88.221 port 58748 [preauth]
raspberrypi sshd[17481]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.221  user=root


For now it's quiet. Very rarely a new one still shows up, just to pad the fail2ban statistics.

If a server that has nothing important on it, not even personal files, because it was very recently reinstalled on a different storage medium (an SSD bigger than the previous one), gets attempts like these, I can't even imagine what it's like for servers that are actually valuable.
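As an added example (not code from the thread or from fail2ban itself), here is a small Python replay of what a jail does with the http-get-dos filter from the first post and with the sshd failures quoted above: each log line is matched against a failregex with <HOST> substituted, and a host is banned once maxretry matches fall inside findtime. The IPv4-only <HOST> pattern, the sshd failregex, the sample Apache lines and the timestamps are constructed assumptions for this example.

```python
import re
from collections import defaultdict, deque

# fail2ban expands <HOST> into an IPv4/IPv6/hostname pattern; this IPv4-only stand-in is an assumption of this example
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex exactly as in the post's /etc/fail2ban/filter.d/http-get-dos.conf
HTTP_GET_DOS = r'^<HOST> -.*"(GET|POST).*HTTP.*" 40\d .*$'
# minimal sshd failregex for the auth.log lines quoted above (constructed here;
# fail2ban's stock sshd filter covers many more message forms)
SSHD_FAILED = r'^.*sshd\[\d+\]: Failed password for .* from <HOST> port \d+ ssh2$'

def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST))

def simulate_jail(lines, failregex, maxretry, findtime):
    """Replay (timestamp_seconds, text) log lines (time-ordered per host) through
    a jail's ban logic: a host is banned once maxretry matches fall inside a
    findtime window. Returns the set of banned hosts (bantime expiry not modelled)."""
    rx = compile_failregex(failregex)
    recent = defaultdict(deque)  # host -> timestamps of matches inside findtime
    banned = set()
    for ts, text in lines:
        m = rx.match(text)
        if not m:
            continue             # not a failure as far as this filter is concerned
        window = recent[m.group("host")]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()     # forget matches older than findtime
        if len(window) >= maxretry:
            banned.add(m.group("host"))
    return banned

# Constructed sample: two auth.log lines quoted in the thread plus a non-failure
# line, with made-up timestamps (the quoted lines carry none).
SSHD_SAMPLE = [
    (0, "raspberrypi sshd[17175]: Failed password for root from 124.222.11.100 port 47346 ssh2"),
    (1, "raspberrypi sshd[17170]: Connection closed by 81.71.118.210 port 39588 [preauth]"),
    (5, "raspberrypi sshd[17181]: Failed password for root from 187.107.127.37 port 38580 ssh2"),
]

def access_line(host, status):
    """Constructed Apache combined-format line (documentation IP ranges)."""
    return f'{host} - - [12/Oct/2023:10:00:00 +0300] "GET /index.html HTTP/1.1" {status} 209 "-" "curl/8.0"'
# 300 client errors from one host in 30 s, 299 from a second, 300 successes from a third
APACHE_SAMPLE = ([(i * 0.1, access_line("198.51.100.7", 404)) for i in range(300)]
                 + [(i * 0.1, access_line("198.51.100.8", 404)) for i in range(299)]
                 + [(i * 0.1, access_line("203.0.113.9", 200)) for i in range(300)])

def demo():
    """Post's settings: sshd maxretry=1 (findtime at its 600 s default); http-get-dos 300 in 60 s."""
    return {"sshd": simulate_jail(SSHD_SAMPLE, SSHD_FAILED, maxretry=1, findtime=600),
            "http-get-dos": simulate_jail(APACHE_SAMPLE, HTTP_GET_DOS, maxretry=300, findtime=60)}
```

With maxretry = 1 every single failed password is a ban, which is why the ignoreip list has to cover every address you yourself might mistype a password from.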