I set my box up to send an email notification for every successful SSH login in an earlier post here.
That required sendmail to be installed, which I think is too much just to send email out from the box.
I found a lighter way to do it, using the ssmtp package:
Edit or create the file:
> sudo vi /etc/ssh/sshrc
# sshd runs this as the user who just logged in; $SSH_CONNECTION holds
# "client-ip client-port server-ip server-port", so field 1 is the client
DATE=$(date "+%d.%m.%Y--%Hh%Mm")
IP=$(echo "$SSH_CONNECTION" | awk '{print $1}')
REVERSE=$(dig -x "$IP" +short)
# private temp file instead of a fixed, predictable name in /tmp that another
# local user could pre-create or symlink
MAIL=$(mktemp) || exit 0
echo "To: laurence.lau@domain.tld" > "$MAIL"
echo "From: Beaver <beaver@domain.tld>" >> "$MAIL"
echo "Subject: SSH Login Successful" >> "$MAIL"
echo "" >> "$MAIL"
echo "$DATE, user $USER just logged in from $IP ($REVERSE)" >> "$MAIL"
# send in the background so the login is not held up, then remove the file
( ssmtp laurence.lau@domain.tld < "$MAIL"; rm -f "$MAIL" ) &
Edit the file:
> sudo vi /etc/ssmtp/ssmtp.conf
mailhub=smtprelay.domain.tld:25
Thursday, May 10, 2018
Friday, December 25, 2015
Fail2ban BAN-Forever!
OK, enough is enough. As per my previous blog post about setting up fail2ban, there was this one persistent idiot who kept trying to break into my network. Because fail2ban's default setting un-bans a previously banned IP once the ban time expires, he could keep trying and trying and trying...
So, I came across this blog and set my systems up as follows:
Modify fail2ban config:
vi /etc/fail2ban/fail2ban.conf
Make sure:
loglevel = 3
logtarget = /var/log/fail2ban.log

Modify Logrotate config:
vi /etc/logrotate.d/fail2ban
Make sure:
/var/log/fail2ban.log {
    notifempty
    monthly
    rotate 13
    missingok
    postrotate
        fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
    endscript
    # If fail2ban runs as non-root it still needs to have write access
    # to logfiles.
    # create 640 fail2ban adm
    create 640 root adm
}

Add Repeat Offender rule:
vi /etc/fail2ban/jail.local
Add the following to the bottom of the file. Any IP that has been banned 10 times within a period of 365 days will be banned forever:
#
# Repeated Offender to be banned forever
# if has been banned 10 times for 1 year
#
[repeatoffender]
enabled  = true
filter   = repeatoffender
action   = repeatoffender[name=repeatoffender]
           sendmail-whois[name=Repeat-Offender, dest=me@domain.me, sender=fail2ban@domain.me]
logpath  = /var/log/fail2ban*
maxretry = 10
findtime = 31536000
bantime  = -1

Create fail2ban Filter:
vi /etc/fail2ban/filter.d/repeatoffender.conf
Add the following to the file:
# Fail2ban configuration file
# this filter monitors the fail2ban log file and permanently bans the IP
#
# only works with iptables
[Definition]
_jailname = repeatoffender
failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+<HOST>
ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+<HOST>

Create fail2ban Action:
vi /etc/fail2ban/action.d/repeatoffender.conf
Add the following to the file:
# Fail2Ban configuration file
#
[INCLUDES]
before = iptables-blocktype.conf

[Definition]
# Option:  actionstart
# Notes.:  command executed once at the start of fail2ban
# Values:  CMD
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
              # Establish chain and blocks for saved IPs
              iptables -N fail2ban-ip-blocklist
              iptables -A fail2ban-ip-blocklist -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-ip-blocklist
              cat /etc/fail2ban/ip.blocklist.<name> | grep -v ^\s*# | awk '{print $1}' | while read IP; do iptables -I fail2ban-ip-blocklist 1 -s $IP -j REJECT --reject-with icmp-port-unreachable; done

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
             # Remove chain and blocks for saved IPs to prevent duplicates on service restart
             iptables -D <chain> -p <protocol> -j fail2ban-ip-blocklist
             iptables -F fail2ban-ip-blocklist
             iptables -X fail2ban-ip-blocklist

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = VERIFY="<ip> *"
            ADD="<ip> # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): Perma-Banned"
            FILE=/etc/fail2ban/ip.blocklist.<name>
            grep -q "$VERIFY" "$FILE" || iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            grep -q "$VERIFY" "$FILE" || echo "$ADD" >> "$FILE"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban =
# Do nothing because their IP is in the blocklist file.
# To manually unban from the ip blocklist file run this command:
# Be warned that if the ip is in log rotated files it must be whitelisted
#
# sed -i '/^<ip> /d' /etc/fail2ban/ip.blocklist.repeatoffender
#

[Init]
# Default name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

That's it. To check iptables and see which IPs are blocked there, just run:
iptables -L -n
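To see how the [repeatoffender] jail actually counts bans, here is an added Python example (not from the original post and not fail2ban's own code) that applies the failregex and ignoreregex from filter.d/repeatoffender.conf to a few constructed fail2ban.log lines and then applies the jail's maxretry/findtime logic. It assumes the old "fail2ban.actions:" log line format the regex was written for and a simplified IPv4-only expansion of the <HOST> tag.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands <HOST> to a pattern for an IP address or hostname; this is a
# simplified IPv4-only stand-in for that expansion (assumption, not fail2ban's own).
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
JAILNAME = "repeatoffender"
# failregex / ignoreregex from the page's filter.d/repeatoffender.conf, tags expanded
FAILREGEX = re.compile(r"fail2ban\.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+" + HOST)
IGNOREREGEX = re.compile(r"fail2ban\.actions:\s+WARNING\s+\[" + JAILNAME + r"\]\s+Ban\s+" + HOST)
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Constructed fail2ban.log lines in the 0.8-era format the filter expects:
# ten [ssh] bans of one host over ten days, one ban of another host, and one
# line written by the repeatoffender jail itself.
SAMPLE_LOG = [
    "2015-12-%02d 10:00:00,000 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5" % d
    for d in range(1, 11)
] + [
    "2015-12-25 11:00:00,000 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7",
    "2015-12-25 11:00:01,000 fail2ban.actions: WARNING [repeatoffender] Ban 203.0.113.5",
]


def repeat_offenders(lines, maxretry=10, findtime=31536000):
    """Return the hosts the jail would ban: those with maxretry matching Ban lines
    whose first and last occurrence lie within findtime seconds (defaults are the
    jail.local values). Lines matching ignoreregex never count, so the jail's own
    bans cannot feed back into it."""
    bans = defaultdict(list)
    for line in lines:
        if IGNOREREGEX.search(line):
            continue
        match, ts = FAILREGEX.search(line), TIMESTAMP.match(line)
        if match and ts:
            bans[match.group("host")].append(
                datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"))
    offenders = []
    for host, times in bans.items():
        times.sort()
        # sliding window over maxretry consecutive bans of this host
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= timedelta(seconds=findtime):
                offenders.append(host)
                break
    return sorted(offenders)
```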
Wednesday, August 26, 2015
Google Authenticator for Ubuntu
I am running SSH on Ubuntu and publish this service on my firewall so that I can log in remotely. I use fail2ban to block IP addresses that try to brute-force their way into my SSH server, and I have also set up notifications so that I get an email whenever a login succeeds or fails.
I think I need more than that, so today I decided to add a second factor to my SSH login :)
Running Ubuntu, I just need to run:
sudo apt-get install libpam-google-authenticator
This installs the PAM module for Google Authenticator.
Then, logged in as the user I want to require the second factor for, I run:
google-authenticator
This prompts a lot of questions, which I answered accordingly.
It also gives me a QR code that I can scan into the Google Authenticator app.
Next is to edit /etc/pam.d/sshd and add the following line:
auth required pam_google_authenticator.so
Next is to edit /etc/ssh/sshd_config, and find the following line and change it:
ChallengeResponseAuthentication yes
Next is to restart the SSH service:
sudo service ssh restart
Then test it!!
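For anyone curious what the six digits the app and pam_google_authenticator agree on actually are, here is an added Python example, not from the original post and not code from the Google Authenticator project: HOTP/TOTP per RFC 4226/6238 with the app's defaults (SHA-1, 30-second step, 6 digits), plus a verify() that tolerates one step of clock skew and refuses reuse of an already-accepted step, which is the idea behind the module's skew-window and token-reuse settings. The base32 key is the RFC 4226 test key, not a real secret.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1

# RFC 4226 test key ("12345678901234567890" in base32); NOT a real secret.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 with Google Authenticator defaults: the counter is the 30-second step."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


def verify(secret_b32, code, at, last_step, window=1, step=30):
    """Validate a submitted code the way a login module would: try the current
    step and +/- window neighbours for clock skew, but never a step at or before
    last_step, so an intercepted code cannot be replayed. Returns the accepted
    step (to be persisted as the new last_step) or None."""
    current = int(at // step)
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_step:
            continue
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret_b32, candidate), code):
            return candidate
    return None


if __name__ == "__main__":
    print("code right now for the test key:", totp(TEST_SECRET_B32))
```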
Monday, August 12, 2013
Micro$oft, what the.... ???
I have been getting a lot of these on my server for the last 4 days:
The IP 157.56.162.105 has just been banned by Fail2Ban after
6 attempts against ssh.
Here are more information about 157.56.162.105:
Lines containing IP:157.56.162.105 in /var/log/auth.log
Aug 11 20:40:08 x sshd[60929]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105 user=root
Aug 11 20:40:10 x sshd[60929]: Failed password for root from 157.56.162.105 port 62640 ssh2
Aug 11 20:40:10 x sshd[60929]: Received disconnect from 157.56.162.105: 11: Bye Bye [preauth]
Aug 11 20:40:18 x sshd[60931]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105 user=root
Aug 11 20:40:20 x sshd[60931]: Failed password for root from 157.56.162.105 port 1112 ssh2
Aug 11 20:40:20 x sshd[60931]: Connection closed by 157.56.162.105 [preauth]
Aug 11 20:50:17 x sshd[60935]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105 user=root
Aug 11 20:50:18 x sshd[60935]: Failed password for root from 157.56.162.105 port 1064 ssh2
Aug 11 20:50:19 x sshd[60935]: Received disconnect from 157.56.162.105: 11: Bye Bye [preauth]
Aug 11 20:50:21 x sshd[60937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105 user=root
Aug 11 20:50:23 x sshd[60937]: Failed password for root from 157.56.162.105 port 62560 ssh2
Aug 11 20:50:23 x sshd[60937]: Received disconnect from 157.56.162.105: 11: Bye Bye [preauth]
Aug 11 20:50:29 x sshd[60939]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105 user=root
Aug 11 20:50:31 x sshd[60939]: Failed password for root from 157.56.162.105 port 1184 ssh2
Aug 11 20:50:31 x sshd[60939]: Received disconnect from 157.56.162.105: 11: Bye Bye [preauth]
Aug 11 21:00:34 x sshd[60943]: Connection closed by 157.56.162.105 [preauth]
and guess who owns the 157.56.162.105?
Thursday, July 18, 2013
Securing SSH Server with fail2ban and Email Notification
I use fail2ban to secure my SSH server, following this guide:
https://help.ubuntu.com/community/Fail2ban
This bans the offending IP address and notifies me by email of the failed attempts,
and I use the following script to notify me by email of each successful login.
Edit or create /etc/ssh/sshrc:
DATE=`date "+%d.%m.%Y--%Hh%Mm"`
IP=`echo $SSH_CONNECTION | awk '{print $1}'`
REVERSE=`dig -x $IP +short`
echo "Subject: SSH Login Successfully" > /tmp/mail.content
echo "$DATE, user $USER just logged in from $IP ($REVERSE)" >> /tmp/mail.content
sendmail -f "MyBox <fromemail@domain.tld>" -t "Lau, Laurence <me@domain.tld>" -s smtprelay.domain.tld < /tmp/mail.content &