[Use it like this!] Using Init-Script service on NAVER Cloud Platform with fail2ban to build a secure server access environment

NAVER Cloud
Sep 15, 2020

Hi, this is NAVER Cloud Platform.

This time, we’ll try and build a secure server access environment through fail2ban using the NAVER Cloud Platform’s Init Script.

Before we start…

What is fail2ban?

Fail2ban is an open source intrusion prevention framework that protects servers from brute-force attacks. It is written in Python and runs on POSIX systems that have an interface to a packet-control system or a locally installed firewall (iptables or TCP Wrappers). This post is based on CentOS 7 or RHEL 7.

What is Init Script on NAVER Cloud Platform?

Init Script is a feature that enables the script that a user has created to automatically run when a server is created. It can come in handy when building the initial server environment.

So, let’s imagine a situation where fail2ban is needed, and build a secure server access environment using the Server product of NAVER Cloud Platform.

Installing intrusion prevention software on a VM using fail2ban

Let’s say that, while checking a VM that has not been used for a while, you see the following report.

The message says that there have been 48,671 failed login attempts.

login as: root
root@X.X.X.X's password:
Last failed login: Wed Apr 15 11:22:34 KST 2020 from X.X.X.X on ssh:notty
There were 48671 failed login attempts since the last successful login.

Checking /var/log/secure, you see that there really have been many intrusion attempts.

# cat /var/log/secure 
.....
Apr 15 11:33:23 cat-code-analysis sshd[19627]: Failed password for root from 180.164.126.13 port 46692 ssh2
Apr 15 11:33:24 cat-code-analysis sshd[19627]: Received disconnect from 180.164.126.13 port 46692:11: Bye Bye [preauth]
Apr 15 11:33:24 cat-code-analysis sshd[19627]: Disconnected from 180.164.126.13 port 46692 [preauth]
Apr 15 11:35:21 cat-code-analysis sshd[19787]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.195.1.201 user=root
Apr 15 11:35:21 cat-code-analysis sshd[19787]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Apr 15 11:35:23 cat-code-analysis sshd[19787]: Failed password for root from 221.195.1.201 port 13505 ssh2
Apr 15 11:35:23 cat-code-analysis sshd[19787]: Received disconnect from 221.195.1.201 port 13505:11: Bye Bye [preauth]
Apr 15 11:35:23 cat-code-analysis sshd[19787]: Disconnected from 221.195.1.201 port 13505 [preauth]
Apr 15 11:35:55 cat-code-analysis sshd[19830]: Invalid user nmrsu from 170.210.83.116 port 41534
Apr 15 11:35:55 cat-code-analysis sshd[19830]: input_userauth_request: invalid user nmrsu [preauth]
Apr 15 11:35:55 cat-code-analysis sshd[19830]: pam_unix(sshd:auth): check pass; user unknown
Apr 15 11:35:55 cat-code-analysis sshd[19830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=170.210.83.116
Apr 15 11:35:58 cat-code-analysis sshd[19830]: Failed password for invalid user nmrsu from 170.210.83.116 port 41534 ssh2
Apr 15 11:35:58 cat-code-analysis sshd[19830]: Received disconnect from 170.210.83.116 port 41534:11: Bye Bye [preauth]
Apr 15 11:35:58 cat-code-analysis sshd[19830]: Disconnected from 170.210.83.116 port 41534 [preauth]
Apr 15 11:36:29 cat-code-analysis sshd[19891]: Invalid user oraprod from 83.234.18.24 port 42101
Apr 15 11:36:29 cat-code-analysis sshd[19891]: input_userauth_request: invalid user oraprod [preauth]

Today, I will introduce some tips to handle this.

1. Create a server on NAVER Cloud Platform.

2. Upon creation, fail2ban is automatically installed and the sshd jail is enabled. The server is also configured so that fail2ban is set up with systemd, not the default firewalld.

3. Since the server is configured with Init Script, fail2ban is already running at the very first login.

Using Init Script on NAVER Cloud Platform

1. Creating a script on the console

Click on Create script under Server > Init Script to use the Init Script service on NAVER Cloud Platform.

2. Enter the script name, OS type, script content, and description before creating the script.

Scripts in Python, Perl, shell, and so on can be used on Linux. The first line of the script must specify the path of the interpreter that runs it, in a form such as #!/bin/bash, #!/usr/bin/env python, or #!/bin/perl.

Use the example script below.

#!/bin/bash
# The script treats "available" in the yum output as "package not installed yet".
checkresult='*available*'

# EPEL provides the fail2ban packages on CentOS 7 / RHEL 7.
result=$(yum update-to epel-release)
if [[ "$result" == $checkresult ]]; then
    yum install epel-release -y
fi

result=$(yum update-to fail2ban)
if [[ "$result" == $checkresult ]]; then
    yum install fail2ban -y
fi

result=$(yum update-to fail2ban-systemd)
if [[ "$result" == $checkresult ]]; then
    iresult=$(yum install fail2ban-systemd -y)
    checkresult='*Complete*'
    # Configure the jail only if the installation finished.
    if [[ "$iresult" == $checkresult ]]; then
        mkdir -p /root/backup
        # Move the default firewalld jail configuration aside.
        mv /etc/fail2ban/jail.d/00-firewalld.conf /root/backup/00-firewalld.none
        touch /etc/fail2ban/jail.d/jail.conf
        # Ban for 24 hours after 3 failures within 30 minutes; enable the sshd jail.
        echo -e '[DEFAULT]\nignoreip = 127.0.0.1/8\nbantime = 86400\nfindtime = 1800\nmaxretry = 3\n\n\n[sshd]\nenabled = true\nport = ssh' >> /etc/fail2ban/jail.d/jail.conf
        systemctl enable fail2ban
        systemctl restart fail2ban
    fi
fi

3. When the script creation is completed, the following message is displayed.

4. Select “Create server”.

5. Select a server image.

6. When selecting a script, select fail2ban-init-script.

7. Set up an authentication key at the server creation step. Then, select the authentication key you have.

8. Select ACG as the default rule.

9. After the final review, proceed to create the server.

10. A pop-up message will appear while the server is being created.

11. When the VM status reads as running, you can connect to the server by setting port forwarding.

12. Click “Set port forwarding” on the relevant VM.

13. I selected the external port 2006 for the server in this case.

14. Connect to the server using an SSH client.

15. After connecting by SSH, check the server status through Fail2ban.

[root@test-create-server ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 1
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
[root@test-create-server ~]#
[root@test-create-server ~]# tail -f /var/log/fail2ban.log
2020-04-15 16:19:49,371 fail2ban.jail [2373]: INFO Jail 'sshd' uses systemd {}
2020-04-15 16:19:49,372 fail2ban.jail [2373]: INFO Initiated 'systemd' backend
2020-04-15 16:19:49,373 fail2ban.filter [2373]: INFO maxLines: 1
2020-04-15 16:19:49,399 fail2ban.filtersystemd [2373]: INFO [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2020-04-15 16:19:49,399 fail2ban.filter [2373]: INFO maxRetry: 3
2020-04-15 16:19:49,399 fail2ban.filter [2373]: INFO encoding: UTF-8
2020-04-15 16:19:49,399 fail2ban.actions [2373]: INFO banTime: 86400
2020-04-15 16:19:49,400 fail2ban.filter [2373]: INFO findtime: 1800
2020-04-15 16:19:49,402 fail2ban.jail [2373]: INFO Jail 'sshd' started
2020-04-15 16:20:44,409 fail2ban.filter [2373]: INFO [sshd] Found 58.230.80.34 - 2020-04-15 16:20:44
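
The jail written by the Init Script bans an address once it reaches maxretry = 3 failures within findtime = 1800 seconds, and keeps it banned for bantime = 86400 seconds. The following Python is an added example, not part of the original post or of fail2ban's own code: it replays constructed /var/log/secure-style lines through that rule. The regular expression is a simplification assumed for this example, and the names simulate_bans and SAMPLE_LOG are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the jail.conf written by the Init Script on this page.
MAXRETRY, FINDTIME, BANTIME = 3, 1800, 86400

# Simplified pattern (assumption); fail2ban's own sshd filter matches more messages.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample lines using documentation-range addresses.
SAMPLE_LOG = """\
Apr 15 11:00:01 host sshd[101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Apr 15 11:00:03 host sshd[101]: Received disconnect from 192.0.2.10 port 40001:11: Bye Bye [preauth]
Apr 15 11:05:00 host sshd[102]: Failed password for invalid user nmrsu from 192.0.2.10 port 40002 ssh2
Apr 15 11:10:00 host sshd[103]: Failed password for root from 198.51.100.7 port 50001 ssh2
Apr 15 11:20:00 host sshd[104]: Failed password for root from 192.0.2.10 port 40003 ssh2
Apr 15 11:21:00 host sshd[105]: Failed password for root from 192.0.2.10 port 40004 ssh2
Apr 15 11:45:00 host sshd[106]: Failed password for root from 198.51.100.7 port 50002 ssh2
Apr 15 12:20:00 host sshd[107]: Failed password for root from 198.51.100.7 port 50003 ssh2
""".splitlines()

def simulate_bans(lines, year=2020):
    """Return {ip: (ban_start, ban_end)} for addresses reaching MAXRETRY failures within FINDTIME."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in bans and ts < bans[ip][1]:
            continue  # still banned: the firewall rule would have dropped this attempt
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()  # forget failures older than findtime
        if len(window) >= MAXRETRY:
            bans[ip] = (ts, ts + timedelta(seconds=BANTIME))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, (start, end) in simulate_bans(SAMPLE_LOG).items():
        print(f"{ip} banned from {start} until {end}")
```

In the sample, 192.0.2.10 is banned on its third failure inside 30 minutes, while 198.51.100.7 also fails three times but more than findtime apart and is never banned.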

In today’s post, we’ve tried installing fail2ban on a server, using Init Script among NAVER Cloud Platform’s Server products.

By installing fail2ban, you can set up a secure server environment to defend your server from brute-force attacks.

Configuring a server is more convenient if you use Init Script, as the preset fail2ban will automatically run when you create a server.

You can run your infrastructure more effectively if you utilize the Server products of NAVER Cloud Platform, linking them with useful open source software.

That’s all for today. We shall introduce more useful skills next time as well!

Thank you.
