I’m calling you Linux gods, to help me in this path I’m going through!
What I’m going through is trying to make my Raspberry as secure as possible in order to keep it on the net without worrying about what could happen to it.
The first thing I did was make my own user, create a strong password with Diceware and delete the default user. This was easy even for a newbie like me.
Then I installed fail2ban in order to ban permanently every IP that tries to bruteforce my micro-server. Here I’m starting to struggle because the config file is actually kinda complicated:
1) I think I managed to change the general settings using these values
banaction = iptables-allports
bantime = -1
but I’m not sure if those values are applied for every other setting available further in the config file or if I have to set those for each service I want to use;
2) I checked if the process is running on boot and it appears like it is (when I do ps -A I see a fail2ban-server process), but is it actually working?;
3) I don’t have a clue on how to set it to send me emails when an IP is banned;
4) I don’t know if it’s storing somewhere the banned IPs or if it’s starting from scratch every time it is rebooted.
I know this is already a lot but it’s not over yet. I’d like to put a firewall on too but I don’t know which one to pick or even if it’s necessary.
Everything would be configured from console (duh).
I’d greatly appreciate every bit of help I might get, thanks to everyone.
Only SSH because I'm tunneling everything through it like you taught me. The only jail I changed is the SSH one because the port was set to default (I'm not using the standard 22 port for SSH) and the number of tries before ban was not the one set in the general settings. I didn't block any port, how should I do that?
Man I should really pay you now for all the help you're giving me on this forum. Everyone should know how awesome you are!
banaction = iptables-allports
That will ban the offending IP on all ports;
For blocking the other ports, I would suggest you to use UFW as "frontend" to iptables; Try and scan your raspberry with nmap (its GUI is called zenmap) and scan all ports, that will show you which ports are open to be connected to from the outside;
As long as you have NO services (IMAP, POP3, HTTP, HTTPS, ... ) running you have no ports open (or should not have) except that one you specified for SSH.
Do you run that raspberry at your home behind a router that forwards traffic to the PI? Because then the router should only have the port open you use for SSH;
fail2ban crawls the log files generated by the services it's protecting and when it finds enough regular expressions matching a regex it takes action and creates an iptables rule for the offending IPs to DROP the packets;
The built-in firewall on Linux (Unix) systems is "iptables". To be honest, the way iptables is operated is horrible (in my opinion), thus several "firewalls" appeared which are nothing else but frontends that make use of iptables. UFW is the one I know best, and thus can recommend - it has both a command-line tool (ufw) and a GUI (gufw) that can be used to create rules.
Well run the SSH service =) for testing. As long as you do not forward any port to the raspberry from your router/modem it can not be accessed from the Internet anyway.
For securing SSH with fail2ban - the default is actually pretty good - so changing the port is sufficient enough to be safe.
If you moved from password authentication to certificates on SSH you're 99% safe =) they can probe with as many passwords as they want and will not get access granted.
I'm still not comfortable switching to key authentication but I will in the future. The password I used was made with http://world.std.com/~reinhold/diceware.html and involved me tossing my D6 a couple of times and I ended up with a long password with symbols. I should be good, right?
Well yeah - I mean nothing compares to a 4096-bit key set - but sure that sounds good.
Well, as you have local access to the PI there is nothing you could mess up and not fix with a keyboard and monitor hooked up to the PI ^^ The private/public key stuff is only used for SSH; for logging in locally and for sudo you still use the password of the user
Yeah, I guess you're right. What if I would add a rule to fail2ban? I just realized I can't tunnel Mumble through SSH and I'm going to use it. Also do you know how I can set the email notification with full details when an access is blocked?
I always feel like I can't thank you enough for all the help! Thanks a lot.
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mw)s
This action_mw gives you the most detail, including a whois. In general one copies the jail.conf to jail.local and everything one wants to override (a.k.a. change) is done in the jail.local
It will then look like this:
Hi,
The IP 81.90.36.65 has just been banned by Fail2Ban after
3 attempts against f2b-loop3.
Here are more information about 81.90.36.65:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '81.90.36.0 - 81.90.36.255'
% Abuse contact for '81.90.36.0 - 81.90.36.255' is '[email protected]'
inetnum: 81.90.36.0 - 81.90.36.255
netname: CMO-HOUSING-REUTLINGEN
descr: CMO Internet Dienstleistungen GmbH
descr: Postfach 1335
descr: D-72577 Dettingen an der Erms
descr: Germany
country: DE
admin-c: NS4596-RIPE
tech-c: MS2621-RIPE
status: ASSIGNED PA
mnt-by: CMO-MNT
created: 2002-10-01T07:58:41Z
last-modified: 2013-03-04T15:40:36Z
source: RIPE
person: Marcus Sommer
address: CMO Internet Dienstleistungen GmbH
address: Postfach 1335
address: D-72577 Dettingen/Erms
address: Germany
phone: +49 7123 72670
fax-no: +49 7123 7267150
nic-hdl: MS2621-RIPE
mnt-by: CMO-MNT
created: 2002-07-03T08:56:18Z
last-modified: 2013-03-04T15:20:29Z
source: RIPE # Filtered
person: Norman Sommer
address: CMO Internet Dienstleistungen GmbH
address: Postfach 13 35
address: D-72577 Dettingen an der Erms
address: Germany
phone: +49 7123 72670
fax-no: +49 7123 7267150
nic-hdl: NS4596-RIPE
mnt-by: CMO-MNT
created: 2013-03-04T15:24:00Z
last-modified: 2013-03-04T15:24:00Z
source: RIPE
% Information related to '81.90.32.0/20AS25058'
route: 81.90.32.0/20
descr: CMO Internet Dienstleistungen GmbH
origin: AS25058
mnt-by: CMO-MNT
mnt-routes: mnt-globalways
created: 2002-07-15T16:19:13Z
last-modified: 2014-05-27T17:00:25Z
source: RIPE
% Information related to '81.90.32.0/20AS48918'
route: 81.90.32.0/20
descr: CMO Internet Dienstleistungen GmbH via Globalways
origin: AS48918
mnt-by: mnt-globalways
created: 2014-05-27T17:01:21Z
last-modified: 2014-05-27T17:01:21Z
source: RIPE
% This query was served by the RIPE Database Query Service version 1.86 (DB-1)
Regards,
Fail2Ban
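Two questions in this thread come down to the same mechanism: whether values set in the general settings apply to every jail, and how an override like action = %(action_mw)s in jail.local resolves. The following is an added Python example (not from the thread and not fail2ban's own code) that parses a constructed jail.local with Python's configparser, which gives the same [DEFAULT] fallback and %(name)s interpolation that fail2ban's jail files rely on. The jail names, ports, findtime/maxretry numbers and mail address in it are assumed sample values.

```python
import configparser

# Constructed jail.local modelled on the thread (assumed values, not the poster's file).
# Everything under [DEFAULT] applies to every jail unless the jail's own section
# overrides it; %(name)s expands in the context of the jail being read.
JAIL_LOCAL = """\
[DEFAULT]
banaction = iptables-allports
bantime   = -1
findtime  = 600
maxretry  = 5
port      = 0:65535
destemail = root@localhost
action_   = %(banaction)s[port="%(port)s"]
action_mw = %(action_)s
            sendmail-whois[dest="%(destemail)s"]
action    = %(action_mw)s

[sshd]
enabled  = true
port     = 2222
maxretry = 3
logpath  = /var/log/auth.log

[apache-auth]
enabled = false
port    = http,https
logpath = /var/log/apache2/error.log
"""

WATCHED = ("banaction", "bantime", "findtime", "maxretry", "port", "action")


def load_jail_config(text):
    """Parse with [DEFAULT] fallback and %(name)s interpolation enabled."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(text)
    return cp


def setting_origin(text, jail, option):
    """'jail' if the jail section sets the option itself, 'DEFAULT' if inherited.

    Renaming the default section stops [DEFAULT] acting as a fallback, so
    has_option() then reports only what the jail wrote itself.
    """
    raw = configparser.ConfigParser(default_section="__none__", interpolation=None)
    raw.read_string(text)
    return "jail" if raw.has_option(jail, option) else "DEFAULT"


def effective_settings(text, jail):
    """Map option -> (value the jail really runs with, where it came from)."""
    cp = load_jail_config(text)
    return {opt: (cp.get(jail, opt), setting_origin(text, jail, opt)) for opt in WATCHED}


def is_permanent_ban(text, jail):
    """bantime = -1 means fail2ban never expires the ban on its own."""
    return load_jail_config(text).getint(jail, "bantime") < 0


def enabled_jails(text):
    """Only jails with enabled = true are actually started."""
    cp = load_jail_config(text)
    return [j for j in cp.sections() if cp.getboolean(j, "enabled", fallback=False)]


if __name__ == "__main__":
    for jail in enabled_jails(JAIL_LOCAL):
        print(f"[{jail}] permanent ban: {is_permanent_ban(JAIL_LOCAL, jail)}")
        for opt, (value, origin) in effective_settings(JAIL_LOCAL, jail).items():
            print(f"  {opt:<9} = {value!r:<60} (from {origin})")
```

Running it shows the sshd jail taking banaction, bantime and action from [DEFAULT] while its own port and maxretry win, and the expanded action string carrying the jail's port 2222 rather than the default range, which is why a per-jail port override matters for the ban rule. A disabled jail such as apache-auth is never started at all, so settings there have no effect.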
I'd recommend installing logwatch and have it send you a daily email. The default settings are pretty good and send you log entries related to security.
True, but it is still good to see other errors like when clamav or Apache breaks. Plus it gives you an overview of bans and unbans from fail2ban. The most interesting thing I saw though was all the brute force attempts from my mail server. They would essentially go through a name list and try three passwords per name at random times so that fail2ban wouldn't pick it up. I was almost tempted to turn on password logging so I could see what passwords they were trying. But I changed the fail2ban settings and it seems to have stopped, either that or the log format has changed and it's just not getting picked up anymore.
Edit: No I disabled plain text logins on the mail server and that's what stopped it. Apparently they were only trying on port 25 and not using STARTTLS.
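The post above describes attackers spacing out three guesses per name so that fail2ban would not notice, and an earlier reply explains that fail2ban counts regex matches in a log and acts once there are enough. The following is an added Python example (not from the thread and not fail2ban's code) with a simplified model of that findtime/maxretry rule, run over a constructed auth.log excerpt; it shows a ten-minute findtime missing the slow pattern while a one-day window catches it. The failregex is a cut-down version of an sshd password-failure pattern, the addresses are documentation ranges, and the year supplied for the syslog timestamps is assumed.

```python
import re
from datetime import datetime, timedelta

# Constructed auth.log excerpt (sample input, not from a real host; addresses are
# documentation ranges). 203.0.113.5 hammers the server; 198.51.100.7 spreads
# three attempts against one name across the day, the pattern the post describes.
AUTH_LOG = """\
Mar  4 10:00:01 pi sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  4 10:00:02 pi sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  4 10:00:04 pi sshd[1203]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  4 10:00:05 pi sshd[1203]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  4 10:00:06 pi sshd[1203]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  4 10:10:00 pi sshd[1300]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Mar  4 11:02:17 pi sshd[1410]: Failed password for invalid user bob from 198.51.100.7 port 33000 ssh2
Mar  4 13:47:52 pi sshd[1522]: Failed password for invalid user bob from 198.51.100.7 port 33011 ssh2
Mar  4 16:20:09 pi sshd[1690]: Failed password for invalid user bob from 198.51.100.7 port 33020 ssh2
"""

# Simplified failregex for sshd password failures (fail2ban's real sshd filter has many more).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log, year=2016):
    """Return (timestamp, ip) for every line matching the failregex.
    syslog timestamps carry no year, so one is supplied (assumed here)."""
    events = []
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


def simulate_bans(events, maxretry, findtime):
    """fail2ban's core rule: an IP is banned once it has maxretry matches
    within any findtime-second window. Returns {ip: time of ban}."""
    window = timedelta(seconds=findtime)
    recent = {}   # ip -> timestamps of matches still inside the window
    banned = {}
    for ts, ip in sorted(events):
        if ip in banned:
            continue
        hits = [t for t in recent.get(ip, []) if ts - t <= window] + [ts]
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    events = parse_failures(AUTH_LOG)
    for findtime in (600, 86400):
        banned = simulate_bans(events, maxretry=3, findtime=findtime)
        print(f"findtime={findtime:>6}s: banned {sorted(banned) or 'nobody'}")
```

The noisy host is banned on its third failure either way; the slow host only trips the rule when findtime is long enough to span its whole day of guessing, which is the trade-off behind raising findtime or lowering maxretry, and why the poster's real fix (refusing plaintext logins on the mail server) removed the problem at the source rather than at the counter.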