Lots of systems on the internet are being hacked through the use of easily guessable passwords or default credentials. In many cases the source IP address has itself been hacked the same way: attackers pivot through compromised systems.
Fail2ban is an application that monitors your log files and, based on predefined thresholds, blocks the source either permanently or temporarily. The installation of fail2ban on Linux is pretty straightforward and in most cases the default configuration will be sufficient.
For the installation on Ubuntu you only have to follow these steps:
sudo apt-get install fail2ban
To automatically start the fail2ban service on Ubuntu:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
By default fail2ban uses /etc/fail2ban/jail.conf for its configuration, and that file will be overwritten when there is an update. With the /etc/fail2ban/jail.local configuration file you can specify your own configuration, which will not be changed after a package update. To change your configuration, use vi to create a new jail.local file:
sudo vi /etc/fail2ban/jail.local
Below you see an example configuration file for jail.local. Make sure you only enable the jails for the services you actually run, so don’t mix, for example, the two mail server services ‘Postfix’ and ‘Exim’ in the same config.
You also have to set ignoreip = 126.96.36.199 to your testing/last-resort IP address, so that you can still get in if you lock yourself out.
[DEFAULT]
# Ban for X amount of time
# 3600 = 1 hour
# 604800 = 1 week
bantime = 604800
findtime = 3600
sender = email@example.com
destemail = firstname.lastname@example.org
action = %(action_mwl)s
banaction = iptables-multiport
maxretry = 3
ignoreip = 188.8.131.52

[sshd]
enabled = true
port = 22

[exim]
enabled = true
filter = exim
logpath = /var/log/exim/mainlog

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
failregex = \[<HOST>]: 535 Incorrect authentication data
logpath = /var/log/maillog

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/maillog

[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/maillog
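The three settings that decide whether a host gets banned are maxretry, findtime and ignoreip: a host is banned once it produces maxretry matching failures inside a window of findtime seconds, unless it is listed in ignoreip. The script below is an added example, not part of the original post or of fail2ban itself. It replays a constructed set of sshd log lines (epoch seconds are used in place of syslog timestamps to keep the arithmetic portable) through that same counting rule, so you can see what the [sshd] jail above would do to each source address and why widely spaced failures never reach the threshold.

```shell
#!/bin/sh
# Added example: simulate fail2ban's maxretry/findtime/ignoreip decision on
# constructed log lines. This is not fail2ban's code; it only mirrors the rule.

# Constructed sample in the style of /var/log/auth.log, sorted by time.
# Field 1 is an epoch timestamp standing in for the syslog date. Not real traffic.
SAMPLE_LOG='1700000000 sshd[1]: Failed password for root from 203.0.113.10 port 5000 ssh2
1700000010 sshd[1]: Failed password for root from 203.0.113.10 port 5001 ssh2
1700000020 sshd[1]: Failed password for admin from 203.0.113.10 port 5002 ssh2
1700000030 sshd[1]: Failed password for root from 198.51.100.7 port 6000 ssh2
1700000040 sshd[1]: Accepted publickey for ops from 192.0.2.5 port 7000 ssh2
1700000050 sshd[1]: Failed password for root from 192.0.2.5 port 7001 ssh2
1700000051 sshd[1]: Failed password for root from 192.0.2.5 port 7002 ssh2
1700000052 sshd[1]: Failed password for root from 192.0.2.5 port 7003 ssh2
1700004000 sshd[1]: Failed password for root from 198.51.100.7 port 6001 ssh2
1700008000 sshd[1]: Failed password for root from 198.51.100.7 port 6002 ssh2'

# banned_hosts MAXRETRY FINDTIME IGNOREIP
# Prints, one per line and in the order they would be banned, every host that
# reached MAXRETRY failures within a FINDTIME-second window, skipping IGNOREIP.
banned_hosts() {
    maxretry=$1; findtime=$2; ignoreip=$3
    printf '%s\n' "$SAMPLE_LOG" | awk -v maxretry="$maxretry" -v findtime="$findtime" -v ignoreip="$ignoreip" '
        # Only lines that would match the sshd failregex count; "Accepted" lines do not.
        /Failed password for .* from / {
            ts = $1
            for (i = 1; i <= NF; i++) if ($i == "from") host = $(i + 1)
            if (host == ignoreip) next        # whitelisted address is never banned
            if (host in banned) next          # already banned, further lines are irrelevant
            n[host]++
            t[host, n[host]] = ts
            # Count this host'"'"'s failures inside the window ending at ts.
            cnt = 0
            for (j = n[host]; j >= 1; j--) if (ts - t[host, j] <= findtime) cnt++
            if (cnt >= maxretry) { banned[host] = 1; print host }
        }'
}

# Stand-alone run with the values from the jail.local above (maxretry 3,
# findtime 3600) and a placeholder ignoreip.
banned_hosts 3 3600 "192.0.2.5"
```

With the example values, 203.0.113.10 is banned on its third failure, 192.0.2.5 would be banned too but is spared by ignoreip, and 198.51.100.7 is never banned because its three failures are spread over more than findtime seconds; raising findtime far enough (or lowering maxretry) catches it as well.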
With the following command you start the fail2ban service:
service fail2ban start
In case you need more insight into the banned IPs per service, or you need to unban a certain IP address, you can use the fail2ban interactive command prompt:
fail2ban-client -i status sshd
You will get the following output:
Status for the jail: ssh
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 6
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list: 184.108.40.206
and with the command below you can unban an IP address:
set sshd unbanip 220.127.116.11