loosebit Posted April 18, 2013 Share Posted April 18, 2013 Keep Hackers Out Of Your Servers Most web admins all ask the same question. How do I stop these hackers and spambots from trying to break into my server? Your website is safe from hackers. Of course if we only didn’t have to use SSH this wouldn’t be a problem for most of us. Sometimes we spend far to much time securing our web application then we do our own servers. Stick to the basics. In our 100% uptime world turning off remote admin access is just not possible for most organizations, they need remote access 24/7 so wherever you might be, you can still fix problems. Not every admin is going to have a dedicated Cisco ASA Intrusion Detection System at their disposal so we need to be realistic when we are mitigating security. FAIL2BAN Fail2Ban is a wonderful tool every web admin should familiarize themselves with. It’s a very simple daemon that runs in the background scouring all through your logs.. It looks at: apache vsftp lighthttpd sshd postfix If you are reading this and using one of these services go ahead and take a peek at your logs. You are probably going to see a lot of failed login attempts from ip addresses and usernames you don’t recognize. Before I go on there is one thing I need to mention. Never Allow Root Remote Logon for SSHD As a secondary mitigation always change the port your sshd service is running on.vi /etc/ssh/sshd_confPermitRootLogin noPort 1337Now we need to install fail2ban. For Redhat based:rpm -ivh wget http://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpmfail2ban is not in the standard repo for redhat boxes so we need to add EPEL repos into yum.yum install fail2banNow let’s make a new config filecp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localNow let’s look at our config. It might be wise to add known ip addresses so they will not accidentally get banned.vi /etc/fail2ban/jail.local[DEFAULT]# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1 # "bantime" is the number of seconds that a host is banned. bantime = 3600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 3 Once you have added one of your own trusted ip addresses into the config let’s go over what will happen next. Essentially fail2ban crawls through all of your access logs you tell it to inside the config. If it recognizes an ip addresses trying to connect and getting a failed login, it will add them to a blacklist and apply the ban to iptables. You can preset criteria inside the config but it does a pretty good job out of the box on stopping spammers. You can also how long you want that ip address to be banned. Instead of editing your .htaccess files on your servers with fail2ban you are only blocking malicous ip addresses, not bots trying to crawl your webpage. In that case you want bots to crawl your webpage so they know what’s on it. Keep those shells locked down! Quote Link to comment Share on other sites More sharing options...
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.