Read Time:11 Minute, 59 Second
Disable ping
$ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Install iptables and iptables-persistent
$ sudo apt-get install iptables iptables-persistent $ sudo service iptables-persistent start
Create shell script
$ nano reset_iptables.sh
#!/usr/bin/env bash iptables -F iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP iptables -A INPUT -f -j DROP iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP # # PACKETS chain # iptables -N PACKET iptables -A PACKET -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT iptables -A PACKET -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT #limit ping to 1 per second #iptables -A INPUT -p icmp -j DROP #iptables -A PACKET -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT # # STATE_TRACK chain (connection tracking) # iptables -N STATE_TRACK iptables -A STATE_TRACK -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A STATE_TRACK -m state --state INVALID -j DROP # # PORTSCAN chain (drop common attacks) # iptables -N PORTSCAN iptables -A PORTSCAN -p tcp --tcp-flags ACK,FIN FIN -j DROP iptables -A PORTSCAN -p tcp --tcp-flags ACK,PSH PSH -j DROP iptables -A PORTSCAN -p tcp --tcp-flags ACK,URG URG -j DROP iptables -A PORTSCAN -p tcp --tcp-flags FIN,RST FIN,RST -j DROP iptables -A PORTSCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP iptables -A PORTSCAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A PORTSCAN -p tcp --tcp-flags ALL ALL -j DROP iptables -A PORTSCAN -p tcp --tcp-flags ALL NONE -j DROP iptables -A PORTSCAN -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP iptables -A PORTSCAN -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP iptables -A PORTSCAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP # Disable ping response iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT iptables -A INPUT -p icmp -j DROP #allow all outgoing access iptables -A OUTPUT -o eth0 -j ACCEPT iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ sudo chmod a+x reset_iptables.sh $ sudo ./reset_iptables.sh
Install PSAD (Port Scan Attack Detection)
References:
- http://cipherdyne.org/psad/download/
- https://www.digitalocean.com/community/tutorials/how-to-use-psad-to-detect-network-intrusion-attempts-on-an-ubuntu-vps
$ wget http://cipherdyne.org/psad/download/psad-2.4.3.tar.gz $ tar xvfz psad-2.4.3.tar.gz $ cd psad-2.4.3 $ sudo ./install.pl
Set configurations
$ sudo nano /etc/psad/psad.conf
EMAIL_ADDRESSES psad@loopback; # Don't want to receive any email HOSTNAME raspberrypi; # Set to hostname HOME_NET 192.168.1.0/24; # Set to internal IP HTTP_PORTS 8080; # Set custom HTTP port SHELLCODE_PORTS !8080; # Set custom HTTP port ENABLE_AUTO_IDS Y; # Set to automatically configure iptables AUTO_IDS_DANGER_LEVEL 1; # Set to 1 for strict AUTO_BLOCK_TIMEOUT 999999999; # Make permanent ENABLE_AUTO_IDS_EMAILS N; IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1; #IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1; #IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
Set IP address that to be ignored
$ nano /etc/psad/auto_dl
192.168.1.0/24 0; #ignore interal ip 221.229.1.0/24 5; # permanent ban
$ sudo psad --sig-update $ sudo service psad restart $ sudo service psad status
Install Fail2ban
References:
- http://www.fail2ban.org/wiki/index.php/Main_Page
- https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-7
$ sudo apt-get install fail2ban postfix
Set configurations
$ sudo nano /etc/fail2ban/jail.conf
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision$
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.0/24 192.168.1.0/24
bantime = -1
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = fail2ban@loopback
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 3
#
# HTTP servers
#
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 3
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
[invalidmethod]
enabled = true
port = http,https
filter = invalidmethod
logpath = /var/log/apache*/*access.log
findtime = 10800
maxretry = 3
#
# FTP servers
#
[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 3
#
# Mail servers
#
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
Update iptables-multiport.conf to set persistent.bans
$ sudo nano /etc/fail2ban/action.d/iptables-multiport.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# $Revision$
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}' \
| while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
sed -i /<ip>/d /etc/fail2ban/persistent.bans
[Init]
# Defaut name of the chain
#
name = default
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
Add extra filter to prevent unauthorised access to http
$ sudo nano /etc/fail2ban/filter.d/invalidmethod.conf
# Fail2Ban configuration file # # # $Revision: 1 $ # [Definition] # Option: failregex Notes.: Regexp to catch invalid method # abovementioned bots. Values: TEXT # failregex = ^<HOST> .*\"(GET|HEAD|PUT|POST) [^\"]+\" 401.* # Option: ignoreregex Notes.: regex to ignore. If this regex # matches, the line is ignored. Values: TEXT # ignoreregex = ^<HOST> .*\"(GET|POST) [^\"]+\" 200.*
$ sudo nano /etc/fail2ban/jail.conf
[invalidmethod] enabled = true port = http,https filter = invalidmethod logpath = /var/log/apache*/*access.log findtime = 10800 maxretry = 3
$ sudo /etc/init.d/fail2ban restart
Check jail is configured correctly
$ sudo fail2ban-client status
Status |- Number of jail: 9 `- Jail list: invalidmethod, apache-noscript, postfix, ssh-ddos, apache-multiport, vsftpd, ssh, apache-overflows, apache
Install OSSEC (Open Source HIDS SECurity)
References
- https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04
- http://ossec.github.io/downloads.html
$ sudo apt-get install build-essential inotify-tools $ wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz $ tar -zxf ossec-hids-2.8.3.tar.gz $ cd ossec-hids-2.8.3 $ sudo ./install.sh
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:
OSSEC HIDS v2.8 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Linux kuruji 3.13.0-36-generic
- User: root
- Host: kuruji
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local, hybrid or help)? local
- Local installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]:
- What's your e-mail address? sammy@example.com
- We found your SMTP server as: mail.example.com.
- Do you want to use it? (y/n) [y]:
--- Using SMTP server: mail.example.com.
3.2- Do you want to run the integrity check daemon? (y/n) [y]:
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific command based on the events received.
Do you want to enable active response? (y/n) [y]:
Active response enabled.
Do you want to enable the firewall-drop response? (y/n) [y]:
- firewall-drop enabled (local) for levels >= 6
- Default white list for the active response:
- 8.8.8.8
- 8.8.4.4
- Do you want to add more IPs to the white list? (y/n)? [n]:
3.6- Setting the configuration to analyze the following logs:
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/dpkg.log
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
--- Press ENTER to finish (maybe more information below). ---
$ sudo /var/ossec/bin/ossec-control start $ cd /var/www $ git clone https://github.com/ossec/ossec-wui.git ossec $ cd ossec $ ./setup.sh
Open http://{http_host}/ossec