Daily we hear some news related to cybercrime just, like, some malicious users or bots has successfully defaced some publicly accessible website or some services. As we always try to explain through our articles, how such types of activities are possible when system is weak configured or misconfigured. Therefore, it is important to build some security measures such as IDS/IPS within firewall to defend your server and clients while configuring it.
In this article we will show, how you can protect your network from brute force attack and running services on a network?
And the Answer is: By Implementing IPS in your network.
Table of Content What is an IPS? Introduction to fail2ban Lab Set-up Requirement Brute Force Attack in Absence of IPS Intrusion Prevention Lab Set-Up Configure Fail2Ban Protect SSH Against Brute Force Attack Testing Fail2ban How to unban IP in fail2ban for SSH Protect FTP against Brute Force Attack Testing Fail2ban for VSFTP Unban IP for VSFTPD What is an IPS?Intrusion Prevention System is short term as IPS, it a network security measures to examine the incoming traffic to perform intrusion detection and then block the detected incidents. For example, an IPS can drop malicious packets, ban the traffic coming from an offending IP address.
Introduction to fail2banFail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs ― too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time.
In this article, I will discuss how to prevent your running services against brute force attack using fail2ban.
Source : https://www.fail2ban.org/wiki/index.php/Main_Page
Lab Set-up Requirement
Victim’s Machine: Ubuntu 14.04 (192.168.0.105)
Pentester’s Machine: Kali linux (192.168.0.105)
Brute Force Attack in Absence of IPSNow let’s try to launcha brute force attackwhen on port 22 which is open inthe target’s networkto make unauthorized login. With the help hydra we will try to guess SSH login credential.
hydra -L user.txt -P pass.txt 192.168.0.105 ssh
As you can observe inthe above imagethat it has successfully foundaarti:123 for ssh login.Similarly, let’stry to launcha brute force attackwhen on port 21 which is open inthe target’s networkto make unauthorized login. With the help hydra we will try to guess FTP login credential.
hydra -L user.txt -P pass.txt 192.168.0.105 ftp
And from the given below image you can observe, how badly these services are configured. Even the network administrator has not followed the password complexity rules asa result, itis so easy to launcha brute forceagainst such type of network.
Intrusion Prevention Lab Set-UpTherefore, I decided to set-up Intrusion Prevention system in this network which will monitor the incoming packet’s and detects the malicious activities and block that traffic coming from wicked IP. It is very easy to install fail2ban as Ubuntu already has a package for fail2ban in apt-repositories.
First ofall, letme show you, the Iptables rulelist, whichis empty as shown in the below image and then executethe installation command. Once itgetscompleted, thencopy the configuration of jail.conf file inside jail.local file.
sudo Iptables -S sudo apt-get install fail2banNOTE:While configuring fail2ban in your local machine, you must have root access or can use non-root user with sudo rights.
Configure Fail2Ban
The service fail2ban has its default configuration files “jail.local” in the /etc/fail2ban directory, therefore, you should not edit this file, but you can override this into jail.local file with the help of below command and then open that file for configuring it as per your requirement.
Above you have seen that we had successfully launched brute force attack on SSH and FTP, therefore I will configure fail2ban to stop brute force attack in the network.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local sudo gedit /etc/fail2ban/jail.localOnce the filegetsopened you need tofocusfew things such as “ignoreip,bantam,maxretry” and then modify their value as per your requirement. Set the IPs you want fail2ban to ignore asignoreip, setthe ban time(in second) for a particular time period and maximum number for the user attempts.
ignoreip = 192.168.0.105 127.0.0.1 bantime = 600 maxretry = 3
Protect SSH Against Brute Force Attack Ultimately, we come towards that portion of the configuration file which deals with specific services. These are identified by the section headers, such as [ssh]. To enable each of these sections uncomment header [ssh] and modify the enabled value into “true” as shown in the below image and then save the jail.local file and restart the fail2ban service: [ssh] enable = true service fail2ban restart
Testing Fail2ban for SSH
Fail2ban offers a command “fail2ban-client” that can be used to execute Fail2ban from the command line, to check that the Fail2Ban is running and the SSH jail is enabled you can follow the below syntax confirm its status.
Syntax: fail2ban-client COMMAND
sudo fail2ban-client status sudo fail2ban-client status sshAs you can observe, currently filter list and action list is set as 0 or all I can say, it is empty. These values will get change if someone tries to cross the limit of maxretry.
As said above fail2ban will update iptables rules to reject the IP addresses for a specified amount of time and from the given below image you can observe, last 3 policies is automatically created by fail2ban.
Now let’s test host machine against brute force attack for ssh login once again:
hydra -L user.txt -P pass.txt 192.168.0.105 ssh
And as you can obverse, this time we got “ Connection refused ” error while brute forcing attack on port 22.
Hmm!! Not bad, let’s also check the status for ssh jail status after this attack.
sudo fail2ban-client status sshNow you can observe that in the given below image, it has shown 1 ban IP: 192.168.0.104 and anybody can explore log file too for more details.
tail /var/log/auth.log
How to unban IP in fail2ban for SSH If you wish to unban the IP then again, you can go with fail2bai