Monday, September 19, 2016

fail2ban: Protecting Servers

Recommending security measures is generally seen as the job of the Application and Network Security teams. With the introduction of DevOps and the culture change that comes with it, everyone can contribute to it.

I usually recommend that teams embed these security tools into their development practices to ensure better end results, because, used properly, tools like these help maintain code quality and keep infrastructure protected.

Few Open Source tools:
YASCA: http://www.scovetta.com/yasca.html
PMD: https://pmd.github.io/
SNORT: https://www.snort.org/
Fail2Ban: http://www.fail2ban.org/wiki/index.php/Main_Page

Let me explain with an example:
As infrastructure expands, we need tools that keep an eye on malicious attempts and take appropriate action against them.
I use Fail2ban for this; it is one of the best Open Source tools available for the purpose.
How does it work? Fail2ban monitors log files for defined patterns and takes action when the number of matches from one source exceeds a threshold.
Example pattern: <HOST> - - .*/create-account.html .*
Threshold definition:
  • Take action if it finds 20 connections within 20 seconds from one IP.
  • Block that IP for 1800 seconds. This can be set to any other number, or to a permanent ban.
Actions: once an IP or user is caught in malicious activity, actions such as blocking the IP via iptables, denying the host via the hosts.deny file, or sending an email notification can be triggered.
Conclusion
Reach out to people who know about security tools and can help you set them up, then leave the rest to the tools to do their duty. A small effort from every team member will help make the internet a more secure place.

Important links:
Fail2ban Installation instructions: http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
More Security Tools: https://www.owasp.org/index.php/Tools

Sample Configurations:
jail.conf (put site-specific overrides like this in jail.local so a package upgrade does not overwrite them):
[apache-custom-rule]
enabled  = true
action   = iptables-multiport[name=qa, port="http,https"]
filter   = apache-custom-rule
logpath  = /var/log/apache/access.log
maxretry = 20
findtime = 20
bantime  = 1800
action.d/iptables-multiport.conf (note that this actionban does not drop the offender's traffic; it DNATs their port 80/443 connections to another host of your choosing; copying the stock file under a new name is safer than editing it in place):
[Definition]
actionban = iptables -t nat -A PREROUTING -p tcp -s <ip> --dport 80 -j DNAT --to <Your Private IP>:80
            iptables -t nat -A PREROUTING -p tcp -s <ip> --dport 443 -j DNAT --to <Your Private IP>:443
actionunban = iptables -t nat -D PREROUTING -p tcp -s <ip> --dport 80 -j DNAT --to <Your Private IP>:80
              iptables -t nat -D PREROUTING -p tcp -s <ip> --dport 443 -j DNAT --to <Your Private IP>:443
filter.d/apache-custom-rule.conf (the filter name in the jail refers to this file; fail2ban expands the <HOST> tag into the capture group it bans on):
[Definition]
failregex = <HOST> - - .*/accounts/u .*
            <HOST> - - .* 403 .*
ignoreregex =
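To make the "20 matches within 20 seconds, ban for 1800 seconds" logic and the failregex handling concrete, here is an added Python model of what the jail above does. It is my own example code, not fail2ban's implementation: the <HOST> expansion, the timestamp parsing and the re.search matching are simplified assumptions, and the Apache access-log lines it processes are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# fail2ban expands the <HOST> tag of a failregex into a named capture group.
# This is a simplified stand-in for that expansion (assumption: the real one
# is stricter about which characters a host may contain).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
# Apache common/combined log timestamp, e.g. [19/Sep/2016:10:00:00 +0000]
LOG_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a compiled Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def line_time(line):
    """Epoch seconds of the line's timestamp, or None if it has none."""
    m = LOG_TS.search(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()


class Jail:
    """Sliding-window counter modelled on maxretry / findtime / bantime."""

    def __init__(self, failregexes, maxretry=20, findtime=20, bantime=1800):
        self.patterns = [compile_failregex(f) for f in failregexes]
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # host -> timestamps of recent matches
        self.banned = {}                    # host -> time the ban expires
        self.events = []                    # ("ban"|"unban", host, time), in order

    def feed(self, line):
        ts = line_time(line)
        if ts is None:
            return
        # Lift bans whose bantime has elapsed (actionunban would run here).
        for host, until in list(self.banned.items()):
            if ts >= until:
                del self.banned[host]
                self.events.append(("unban", host, ts))
        for pattern in self.patterns:
            m = pattern.search(line)
            if m:
                self._failure(m.group("host"), ts)
                break

    def _failure(self, host, ts):
        if host in self.banned:
            return                          # already blocked, nothing to count
        window = self.failures[host]
        window.append(ts)
        # Keep only the matches inside the last findtime seconds.
        while ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[host] = ts + self.bantime   # actionban would run here
            self.events.append(("ban", host, ts))
            window.clear()


# --- constructed sample traffic (not captured from any real server) ---------
BASE = datetime(2016, 9, 19, 10, 0, 0, tzinfo=timezone.utc)


def access_line(host, offset, path, status=200):
    ts = (BASE + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{host} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'


def sample_log():
    entries = []
    # 25 hits on the signup page, one per second: crosses 20-in-20s at the 20th.
    entries += [(i, access_line("203.0.113.7", i, "/create-account.html")) for i in range(25)]
    # 20 hits spaced 30 s apart: never 20 inside one 20 s window, so no ban.
    entries += [(30 * i, access_line("198.51.100.2", 30 * i, "/create-account.html")) for i in range(20)]
    # A single 403 from a third host, matched by the second failregex only.
    entries.append((5, access_line("192.0.2.9", 5, "/admin", 403)))
    # Unrelated traffic well after bantime, so the unban becomes observable.
    entries.append((1900, access_line("198.51.100.2", 1900, "/index.html")))
    return [line for _, line in sorted(entries, key=lambda e: e[0])]


def run_jail(lines):
    jail = Jail([r"<HOST> - - .*/create-account.html .*", r"<HOST> - - .* 403 .*"])
    for line in lines:
        jail.feed(line)
    return jail.events


if __name__ == "__main__":
    for kind, host, ts in run_jail(sample_log()):
        print(f"{kind:5} {host:15} at +{int(ts - BASE.timestamp())}s")
```

Running it shows a ban on 203.0.113.7 at +19s (the 20th hit inside the window) and the unban at +1900s, while the slower host and the single 403 never reach the threshold. Before enabling a jail on a real server, run fail2ban's own fail2ban-regex against the access log with the filter file to see exactly which lines it would count; a loose pattern such as `<HOST> - - .* 403 .*` also matches a 403-byte response in the combined log format, so anchoring it on the status field is safer.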