Simple Mitigation For VPS Against Botnets

[loosebit]

Keep Hackers Out Of Your Servers

Most web admins all ask the same question. How do I stop these hackers and spambots from trying to break into my server?

Your website is safe from hackers.

Of course if we only didn’t have to use SSH this wouldn’t be a problem for most of us. Sometimes we spend far to much time securing our web application then we do our own servers. Stick to the basics.

In our 100% uptime world turning off remote admin access is just not possible for most organizations, they need remote access 24/7 so wherever you might be, you can still fix problems.

Not every admin is going to have a dedicated Cisco ASA Intrusion Detection System at their disposal so we need to be realistic when we are mitigating security.

FAIL2BAN

Fail2Ban is a wonderful tool every web admin should familiarize themselves with. It’s a very simple daemon that runs in the background scouring all through your logs..

It looks at:

• apache
• vsftp
• lighthttpd
• sshd
• postfix

If you are reading this and using one of these services go ahead and take a peek at your logs. You are probably going to see a lot of failed login attempts from ip addresses and usernames you don’t recognize. Before I go on there is one thing I need to mention.

Never Allow Root Remote Logon for SSHD

As a secondary mitigation always change the port your sshd service is running on.

vi /etc/ssh/sshd_confPermitRootLogin noPort 1337

Now we need to install fail2ban.

For Redhat based:

rpm -ivh wget http://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm

fail2ban is not in the standard repo for redhat boxes so we need to add EPEL repos into yum.

yum install fail2ban

Now let’s make a new config file

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now let’s look at our config. It might be wise to add known ip addresses so they will not accidentally get banned.

vi /etc/fail2ban/jail.local[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not

# ban a host which matches an address in this list. Several addresses can be

# defined using space separator.

ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.

bantime = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"

# seconds.

findtime = 600

# "maxretry" is the number of failures before a host get banned.

maxretry = 3

Once you have added one of your own trusted ip addresses into the config let’s go over what will happen next.

Essentially fail2ban crawls through all of your access logs you tell it to inside the config. If it recognizes an ip addresses trying to connect and getting a failed login, it will add them to a blacklist and apply the ban to iptables. You can preset criteria inside the config but it does a pretty good job out of the box on stopping spammers. You can also how long you want that ip address to be banned.

Instead of editing your .htaccess files on your servers with fail2ban you are only blocking malicous ip addresses, not bots trying to crawl your webpage. In that case you want bots to crawl your webpage so they know what’s on it.

Keep those shells locked down!

[GuardMoony]

Realy sounds/reads like a add commercial. It should help for vps and other small single machines with no firewall in front.

You should say its mainly for red hat based OS

[loosebit]

Sorry it's not an add I didn't write fail2ban.

I would hope you would use this with a firewall in front....

You can install fail2ban on any distro of your liking but yes this was written with RHEL in mind.