Securing your VPS


Comments

  • edited July 2020

    , including things that you may not be aware of.

    Yeah. This trips you up as a noob.

    Take a look at the output of (as root):
    lsof -i

  • Oh guys. I always used panels with fail2ban included, but now I have no panel. I installed fail2ban and configured it, but it doesn't work properly. I mean, yeah, it works, but it stops working after I reboot my server or after the first failed login. Where did I go wrong?

  • @djn said:
    I only allow ssh from allowed ip addresses via iptables
    I have a script that reverse looks up my dynamic ip

    I love that idea

  • @Anon said:
    Oh guys. I always used panels with fail2ban included, but now I have no panel. I installed fail2ban and configured it, but it doesn't work properly. I mean, yeah, it works, but it stops working after I reboot my server or after the first failed login. Where did I go wrong?

    Found out that everything works on Ubuntu 18.04, but not on Ubuntu 20.04. Checked bug reports and found this:
    https://bugs.launchpad.net/ubuntu/+source/fail2ban/+bug/1875169
    Checked, and it turned out I already have the recommended line, so nothing to change.

    Anyone facing the issue with fail2ban on Ubuntu 20.04?

  • MaxKVM (Hosting Provider)
    edited July 2020

    @Anon said:

    @Anon said:
    Oh guys. I always used panels with fail2ban included, but now I have no panel. I installed fail2ban and configured it, but it doesn't work properly. I mean, yeah, it works, but it stops working after I reboot my server or after the first failed login. Where did I go wrong?

    Found out that everything works on Ubuntu 18.04, but not on Ubuntu 20.04. Checked bug reports and found this:
    https://bugs.launchpad.net/ubuntu/+source/fail2ban/+bug/1875169
    Checked, and it turned out I already have the recommended line, so nothing to change.

    Anyone facing the issue with fail2ban on Ubuntu 20.04?

    I think you might need to set the bantime to 3600 instead of 60 if you are looking for a 1-hour ban.

    Edit: a 60 second ban explains why it works, then doesn't, but I do not know why you are allowed to exceed your maxretry of 2 unless the banaction (iptables-multiport or ufw/auto) is disabled.

  • umi
    edited July 2020

    Even when a TCP port is not listened on, an ICMP packet is sent back to the caller saying: nobody here... Usually, I set up the firewall to allow access to the SSH port from my networks only and black-hole the unused port ranges. A bunch of scanners are set up to rescan the whole internet on a daily if not hourly basis.

  • @Anon said:
    Oh guys. I always used panels with fail2ban included, but now I have no panel. I installed fail2ban and configured it, but it doesn't work properly. I mean, yeah, it works, but it stops working after I reboot my server or after the first failed login. Where did I go wrong?

    Use fail2ban-regex to see what is being matched in the logs rather than blindly guessing.

  • @tetech said:
    Use fail2ban-regex to see what is being matched in the logs rather than blindly guessing.

    @MaxKVM said: I think you might need to set the bantime to 3600 instead of 60 if you are looking for a 1-hour ban.
    Edit: a 60 second ban explains why it works, then doesn't, but I do not know why you are allowed to exceed your maxretry of 2 unless the banaction (iptables-multiport or ufw/auto) is disabled.

    But everything works fine on Ubuntu 18.04 with the same config. 60 secs was just to test.
    Looks like you were right about the iptables-multiport thing. Tried to fix it by adding

        [DEFAULT]
        bantime = 3600
        banaction = iptables-multiport

        [sshd]
        maxretry = 5
        enabled = true

    to jail.local, but it didn't help.
    Then tried banaction = iptables-allports instead of iptables-multiport and I'm still facing the same issue...
    Any idea? I'm not good at iptables at all, only ufw.
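The fail2ban-regex advice above and the earlier bantime/maxretry discussion, as an added example that is not part of the thread and not fail2ban's own code: a Python replay of fail2ban's counting rules over a constructed auth.log excerpt, driven by a constructed jail.local. The failregex is a simplified stand-in for fail2ban's sshd rule, the log lines and addresses are constructed, and the log year is assumed to be 2020. With the thread's 60 s bantime the ban lapses before the next attempt; with 3600 s a further logged failure from the banned address is reported as a "leak", which is what a failure beyond maxretry means when the banaction never actually reached the firewall.

```python
"""Replay fail2ban's matching and counting rules over a constructed log (added example)."""
import configparser
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's sshd failregex (assumption: the real filter
# has many more patterns). The client address is captured as <ip>.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")
LOG_YEAR = 2020  # syslog lines carry no year; the constructed log is from July 2020

# Constructed jail.local mirroring the thread's first attempt (60 s ban, maxretry 2).
JAIL_LOCAL = """\
[DEFAULT]
bantime = 60
findtime = 600
maxretry = 2

[sshd]
enabled = true
"""

# Constructed auth.log excerpt; addresses come from the RFC 5737 documentation ranges.
AUTH_LOG = """\
Jul 21 08:30:00 lowend sshd[1201]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jul 21 08:30:05 lowend sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Jul 21 08:30:09 lowend sshd[1205]: Accepted publickey for deploy from 203.0.113.5 port 50000 ssh2
Jul 21 08:31:20 lowend sshd[1207]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jul 21 08:40:00 lowend sshd[1209]: Failed password for root from 192.0.2.9 port 40010 ssh2
"""


def load_jail(text, jail="sshd"):
    """Read bantime/findtime/maxretry for a jail, with [DEFAULT] fallback as fail2ban does."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp[jail]
    return {k: int(sec[k]) for k in ("bantime", "findtime", "maxretry")}


def _ts(line):
    return datetime.strptime(f"{LOG_YEAR} {TS_RE.match(line).group('ts')}", "%Y %b %d %H:%M:%S")


def match_lines(log_text):
    """What `fail2ban-regex /var/log/auth.log sshd` reports: the matched lines and their IPs."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits.append((_ts(line), m.group("ip")))
    return hits


def simulate(log_text, cfg):
    """Return (time, ip, event) tuples; event is 'ban', 'unban' or 'leak'.

    A 'leak' is a failure logged for an address that is supposed to be banned.
    With a working banaction that connection never reaches sshd, so a leak is
    the signature of a banaction that is disabled or not installed.
    """
    findtime, bantime = timedelta(seconds=cfg["findtime"]), timedelta(seconds=cfg["bantime"])
    failures, banned, events = {}, {}, []
    for t, ip in match_lines(log_text):
        for b_ip, until in list(banned.items()):   # expire bans whose bantime has elapsed
            if until <= t:
                del banned[b_ip]
                events.append((t, b_ip, "unban"))
        if ip in banned:
            events.append((t, ip, "leak"))
            continue
        recent = [x for x in failures.get(ip, []) if t - x <= findtime] + [t]
        if len(recent) >= cfg["maxretry"]:
            banned[ip] = t + bantime
            failures[ip] = []
            events.append((t, ip, "ban"))
        else:
            failures[ip] = recent
    return events


if __name__ == "__main__":
    cfg = load_jail(JAIL_LOCAL)
    print(f"matched {len(match_lines(AUTH_LOG))} of {len(AUTH_LOG.splitlines())} lines")
    for label, c in (("bantime = 60", cfg), ("bantime = 3600", {**cfg, "bantime": 3600})):
        print("--", label)
        for t, ip, ev in simulate(AUTH_LOG, c):
            print(t.time(), ip, ev)
```

The first thing to compare against the real `fail2ban-regex` output is the matched-line count: if that is zero, the filter or log path is wrong and no banaction setting will help; if lines match but failures keep arriving from a banned address, the problem is on the firewall side.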

  • From the /etc/fail2ban/action.d/iptables-common.conf file:
    # Option: lockingopt
    # Notes.: Option was introduced to iptables to prevent multiple instances from
    # running concurrently and causing irratic behavior. -w was introduced
    # in iptables 1.4.20, so might be absent on older systems
    # See https://github.com/fail2ban/fail2ban/issues/1122
    # Values: STRING
    lockingopt = -w

    I also tried this option with -w deleted, and commenting the line out as well.

  • MaxKVM (Hosting Provider)

    @Anon said:

    @tetech said:
    Use fail2ban-regex to see what is being matched in the logs rather than blindly guessing.

    @MaxKVM said: I think you might need to set the bantime to 3600 instead of 60 if you are looking for a 1-hour ban.
    Edit: a 60 second ban explains why it works, then doesn't, but I do not know why you are allowed to exceed your maxretry of 2 unless the banaction (iptables-multiport or ufw/auto) is disabled.

    But everything works fine on Ubuntu 18.04 with the same config. 60 secs was just to test.
    Looks like you were right about the iptables-multiport thing. Tried to fix it by adding

        [DEFAULT]
        bantime = 3600
        banaction = iptables-multiport

        [sshd]
        maxretry = 5
        enabled = true

    to jail.local, but it didn't help.
    Then tried banaction = iptables-allports instead of iptables-multiport and I'm still facing the same issue...
    Any idea? I'm not good at iptables at all, only ufw.

    I would try to set banaction = ufw if you are using ufw. This should be the default on Ubuntu 20.04 though. Is your ufw enabled?

  • @MaxKVM said: Is your ufw enabled?

    It wasn't installed at that time. Just a fresh VPS. I started with the fail2ban configuration and got stuck...
    Installed it now, allowed 22/tcp, enabled it, added banaction = ufw to jail.local, restarted f2b, even rebooted the VPS. Nothing interesting.

  • What type of virtualization? Show iptables-save with your IPs redacted - possible that there's an ACCEPT before the f2b chain?

  • @tetech said:
    What type of virtualization? Show iptables-save with your IPs redacted - possible that there's an ACCEPT before the f2b chain?

    KVM

    With ufw enabled

    root@lowend:~# iptables-save
    # Generated by iptables-save v1.8.4 on Tue Jul 21 08:35:10 2020
    *filter
    :INPUT DROP [1:32]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :ufw-after-forward - [0:0]
    :ufw-after-input - [0:0]
    :ufw-after-logging-forward - [0:0]
    :ufw-after-logging-input - [0:0]
    :ufw-after-logging-output - [0:0]
    :ufw-after-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-before-input - [0:0]
    :ufw-before-logging-forward - [0:0]
    :ufw-before-logging-input - [0:0]
    :ufw-before-logging-output - [0:0]
    :ufw-before-output - [0:0]
    :ufw-logging-allow - [0:0]
    :ufw-logging-deny - [0:0]
    :ufw-not-local - [0:0]
    :ufw-reject-forward - [0:0]
    :ufw-reject-input - [0:0]
    :ufw-reject-output - [0:0]
    :ufw-skip-to-policy-forward - [0:0]
    :ufw-skip-to-policy-input - [0:0]
    :ufw-skip-to-policy-output - [0:0]
    :ufw-track-forward - [0:0]
    :ufw-track-input - [0:0]
    :ufw-track-output - [0:0]
    :ufw-user-forward - [0:0]
    :ufw-user-input - [0:0]
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]
    :ufw-user-logging-forward - [0:0]
    :ufw-user-logging-input - [0:0]
    :ufw-user-logging-output - [0:0]
    :ufw-user-output - [0:0]
    -A INPUT -j ufw-before-logging-input
    -A INPUT -j ufw-before-input
    -A INPUT -j ufw-after-input
    -A INPUT -j ufw-after-logging-input
    -A INPUT -j ufw-reject-input
    -A INPUT -j ufw-track-input
    -A FORWARD -j ufw-before-logging-forward
    -A FORWARD -j ufw-before-forward
    -A FORWARD -j ufw-after-forward
    -A FORWARD -j ufw-after-logging-forward
    -A FORWARD -j ufw-reject-forward
    -A FORWARD -j ufw-track-forward
    -A OUTPUT -j ufw-before-logging-output
    -A OUTPUT -j ufw-before-output
    -A OUTPUT -j ufw-after-output
    -A OUTPUT -j ufw-after-logging-output
    -A OUTPUT -j ufw-reject-output
    -A OUTPUT -j ufw-track-output
    -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
    -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
    -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-forward -j ufw-user-forward
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A ufw-before-input -j ufw-not-local
    -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
    -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
    -A ufw-before-input -j ufw-user-input
    -A ufw-before-output -o lo -j ACCEPT
    -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -j ufw-user-output
    -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
    -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
    -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP
    -A ufw-skip-to-policy-forward -j DROP
    -A ufw-skip-to-policy-input -j DROP
    -A ufw-skip-to-policy-output -j ACCEPT
    -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-user-input -s 218.92.0.190/32 -j REJECT --reject-with icmp-port-unreachable
    -A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
    -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
    -A ufw-user-limit-accept -j ACCEPT
    COMMIT
    # Completed on Tue Jul 21 08:35:10 2020
    

    The IPs aren't mine, that's why I didn't redact them

  • MaxKVM (Hosting Provider)

    @Anon said:

    @tetech said:
    What type of virtualization? Show iptables-save with your IPs redacted - possible that there's an ACCEPT before the f2b chain?

    KVM

    With ufw enabled

    The IPs aren't mine, that's why I didn't redact them

    Is there anything new in fail2ban-regex now? It seems like you may have the NSA version of fail2ban.

  • @Anon said:

    @tetech said:
    What type of virtualization? Show iptables-save with your IPs redacted - possible that there's an ACCEPT before the f2b chain?

    KVM

    With ufw enabled

    The IPs aren't mine, that's why I didn't redact them

    f2b chains don't exist, so clearly nothing is going to be blocked.
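tetech's two checks (do f2b chains exist at all, and is an ACCEPT for the SSH port reached before any f2b jump), as an added example that is not part of the thread and not fail2ban's or ufw's code. It parses iptables-save output and walks INPUT in traversal order for a new TCP connection to port 22. The dumps are constructed: a trimmed copy of the ufw-only ruleset posted above, the post-fix ruleset with the f2b-sshd chain, and a third variant with the f2b jump appended after the ufw jumps (the case tetech hypothesises). It assumes the client is not one of the explicitly listed `-s` addresses and that every option in the dump takes exactly one argument.

```python
"""Audit iptables-save output for fail2ban's chains and their position (added example)."""
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed: trimmed to the chains that matter from the ufw-only dump above.
UFW_ONLY = """\
*filter
:INPUT DROP [1:32]
:ufw-before-logging-input - [0:0]
:ufw-before-input - [0:0]
:ufw-not-local - [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -j ufw-user-input
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -j DROP
-A ufw-user-input -s 218.92.0.190/32 -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
# Constructed from the working ruleset posted later in the thread.
F2B_ONLY = """\
*filter
:INPUT ACCEPT [6:422]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -j RETURN
COMMIT
"""
# Constructed: the f2b jump appended *after* the ufw jumps instead of inserted at the top.
F2B_AFTER_UFW = UFW_ONLY.replace(
    "COMMIT", "-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd\n-A f2b-sshd -j RETURN\nCOMMIT")


def parse_save(text):
    """Return ({chain: [rule, ...]}, {chain: policy}) for the filter table."""
    chains, policies = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            policies[name] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = {"proto": None, "dports": None, "target": None, "skip": False}
            for i in range(2, len(toks) - 1, 2):  # assumption: every option takes one argument
                opt, arg = toks[i], toks[i + 1]
                if opt == "-p": rule["proto"] = arg
                elif opt in ("--dport", "--dports"): rule["dports"] = arg
                elif opt == "-j": rule["target"] = arg
                # Matches a fresh connection from a remote host cannot satisfy:
                elif opt == "--ctstate" and "NEW" not in arg.split(","): rule["skip"] = True
                elif opt == "--dst-type" and arg != "LOCAL": rule["skip"] = True
                elif opt in ("-s", "-d", "-i", "-o", "--sport", "--icmp-type"): rule["skip"] = True
            chains.setdefault(toks[1], []).append(rule)
    return chains, policies


def _port_in(spec, port):
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def applicable(rule, port):
    """Would a new TCP connection to `port` from an unlisted remote address hit this rule?"""
    if rule["skip"] or rule["proto"] not in (None, "tcp"):
        return False
    return rule["dports"] is None or _port_in(rule["dports"], port)


def first_verdict(chains, policies, port, chain="INPUT", path=None):
    """Depth-first walk in rule order: (verdict, chain it was decided in, chains entered)."""
    path = [] if path is None else path
    path.append(chain)
    for rule in chains.get(chain, []):
        if not applicable(rule, port):
            continue
        tgt = rule["target"]
        if tgt in TERMINAL:
            return tgt, chain, path
        if tgt == "RETURN":
            break                                   # back to the calling chain
        if tgt in chains:                           # user-defined chain: descend
            verdict, where, _ = first_verdict(chains, policies, port, tgt, path)
            if verdict:
                return verdict, where, path
        # LOG and other non-terminating targets fall through to the next rule
    if chain == "INPUT":
        return policies.get("INPUT", "ACCEPT"), "INPUT policy", path
    return None, chain, path


def audit(save_text, port=22):
    chains, policies = parse_save(save_text)
    verdict, where, path = first_verdict(chains, policies, port)
    return {"f2b_chains": sorted(c for c in chains if c.startswith("f2b-")),
            "verdict": verdict, "decided_in": where,
            "f2b_consulted": any(c.startswith("f2b-") for c in path)}


if __name__ == "__main__":
    for name, dump in (("ufw only", UFW_ONLY), ("f2b only", F2B_ONLY), ("f2b after ufw", F2B_AFTER_UFW)):
        print(name, audit(dump))
```

The third case is the subtle one: the f2b-sshd chain exists, `fail2ban-client status` would even list bans, yet a fresh connection is accepted inside ufw-user-input before the INPUT rule that jumps to f2b-sshd is ever evaluated. fail2ban's iptables actions avoid this by inserting their jump at position 1 (`-I INPUT`), which is why a chain that was appended by hand, or restored in the wrong order, behaves as if fail2ban were off.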

  • Installed inetutils-syslogd and iptables-persistent, then fail2ban, and edited jail.local.

    systemctl start fail2ban
    systemctl enable fail2ban
    

    Looks like it works; it banned me 2 times, after each 3rd attempt. Restarted the VPS and again it wasn't working. Okay.

    systemctl enable fail2ban

    Rebooted and now it's working. Dunno why it's so complicated on 20.04... when on 18.04 it was sooo smooth.

    root@lowend: iptables-save
    # Generated by iptables-save v1.8.4 on Tue Jul 21 14:13:07 2020
    *filter
    :INPUT ACCEPT [6:422]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [4:324]
    :f2b-sshd - [0:0]
    -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
    -A f2b-sshd -j RETURN
    COMMIT
    # Completed on Tue Jul 21 14:13:07 2020
    

    ===================================

    root@lowend: iptables -nvL
    Chain INPUT (policy ACCEPT 69 packets, 5271 bytes)
     pkts bytes target     prot opt in     out     source               destination
       89  9740 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 53 packets, 8617 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain f2b-sshd (1 references)
     pkts bytes target     prot opt in     out     source               destination
       65  7888 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    

    ==================================

    root@lowend:~# fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     11
    |  `- File list:        /var/log/auth.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     5
       `- Banned IP list:
    

    I'm afraid that after setting up UFW it will not be working lol.
    And also dunno why I'm doing all this... I disabled root auth, added keys, disabled password auth. Maybe there's no reason to have fail2ban for SSH?
