Security

some tools for security

fail2ban

ban hosts that cause multiple authentication errors via iptables

apt-get install fail2ban

jails are defined in /etc/fail2ban/jail.local - setup all options there

to receive mail, you need to set default action to

action = %(action_mwl)s

check, if it works

iptables -n -L 

Test, if it really works and actually blocks offending IPs!!

If your INPUT chain allows everything, you need to change to FORWARD chain!

Try manually, if INPUT or FORWARD drops the IP:

iptables -I INPUT -j DROP -s EV.IL.IP
iptables -I FORWARD -j DROP -s EV.IL.IP

The working chain must be setup in jail.conf or jail.local AND in /etc/fail2ban/action.d/iptables-multiport.conf

# FORWARD required, because INPUT accepts all
chain = FORWARD

Unban:

Use these commands to remove an IP from the blackhole - example for blocked courier mailserver logins:

fail2ban-client get courierlogin actionunban xx.xx.xx.xx
fail2ban-client get courierauth actionunban xx.xx.xx.xx
/etc/init.d/fail2ban restart

debug

if the service doesn't start

for some useful error messages:

fail2ban-client -x start

too much cpu / ram usage maybe a problem with /etc/localtime

trace which files are opened / closed all the time by one of the server threads:

strace -f -p <various pids of fail2ban processes

try to delete the database in /var/lib/fail2ban

log analysis

some bash lines to extract IPs from logfiles

get banned messages from one jail:

grep contactforms fail2ban.log.1 | grep Ban > blocked-ips-complete

grep contactforms fail2ban.log | grep Ban >> blocked-ips-complete

count:

cat blocked-ips-complete | wc -l

get unique IPs sorted by date:

cat blocked-ips-complete | awk  '{print $1 , $2 , $7}' | sort -u -k3,4 | sort -k1,1  > blocked-ips-by-date

get only IPs and sort by IP:

cat blocked-ips-by-date | awk  '{print $3}' | sort -u


apparmor

WIP

install:

apt-get install apparmor apparmor-profiles apparmor-utils

add boot parameter:

perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
update-grub
reboot

check:

aa-status

activate app profiles..

 
Back to top
communitycloud/services/security.txt · Last modified: 2017/06/14 11:50 by tkilla