Prevent repeated login attempts with Fail2Ban
Fail2Ban is a security tool to prevent dictionary attacks. It works by monitoring important services (like SSH) and blocking IP addresses which appear to be malicious (i.e. they are failing too many login attempts because they are guessing passwords).
Install Fail2Ban:
sudo aptitude install fail2ban
Configure Fail2Ban:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local sudo nano /etc/fail2ban/jail.local
Set “enabled” to “true” in the [ssh-ddos] section. Also, set “port” to “44444” in the [ssh] and [ssh-ddos] sections. (Change the port number to match whatever you used as your SSH port).
Save the file and restart Fail2Ban to put the new rules into effect:
sudo service fail2ban restart
Add a firewall
We’ll add an iptables firewall to the server that blocks all incoming and outgoing connections except for ones that we manually approve. This way, only the services we choose can communicate with the internet.
The firewall has no rules yet. Check it out:
sudo iptables -L
Setup firewall rules in a new file:
sudo nano /etc/iptables.firewall.rules
The following firewall rules will allow HTTP (80), HTTPS (443), SSH (44444), ping, and some other ports for testing. All other ports will be blocked.
Paste the following into /etc/iptables.firewall.rules:
*filter # Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT # Accept all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow all outbound traffic - you can modify this to only allow certain traffic -A OUTPUT -j ACCEPT # Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL). -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT # Allow ports for testing -A INPUT -p tcp --dport 8080:8090 -j ACCEPT # Allow ports for MOSH (mobile shell) -A INPUT -p udp --dport 60000:61000 -j ACCEPT # Allow SSH connections # The -dport number should be the same port number you set in sshd_config -A INPUT -p tcp -m state --state NEW --dport 44444 -j ACCEPT # Allow ping -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # Log iptables denied calls -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT
Activate the firewall rules now:
sudo iptables-restore < /etc/iptables.firewall.rules
Verify that the rules were installed correctly:
sudo iptables -L
Activate the firewall rules on startup:
sudo nano /etc/network/if-pre-up.d/firewall
Paste this into the /etc/network/if-pre-up.d/firewall file:
#!/bin/sh /sbin/iptables-restore < /etc/iptables.firewall.rules
Set the script permissions:
sudo chmod +x /etc/network/if-pre-up.d/firewall
Get an email anytime a user uses sudo
I like to get an email anytime someone uses sudo. This way, I have a “paper trail” of sorts, in case anything bad happens to my server. I use a Gmail filter to file these away and only look at them occasionally.
Create a new file for the sudo settings:
sudo nano /etc/sudoers.d/my_sudoers
Add this to the file:
Defaults mail_always Defaults mailto="[email protected]"
Set permissions on the file:
sudo chmod 0440 /etc/sudoers.d/my_sudoers
This is isn’t mentioned anywhere on the web, as far as I know, but in order for the “mail on sudo use” feature to work, you need to install an MTA server. sendmail is a good choice:
sudo aptitude install sendmail
Now, you should get an email anytime someone uses sudo!