Debian Tutorials » Security

Prevent brute force attacks using fail2ban

aip — Mon, 21 Jun 2010 22:38:04 +0000

fail2ban monitors log files such as /var/log/auth.log and /var/log/apache/access.log and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. Currently, by default, fail2ban supports ssh/apache/vsftpd but configuration can be easily extended for monitoring any other ASCII file.

1. Install fail2ban

apt-get install fail2ban

2. Test by connecting via ssh and making three incorrect password attempts. By default fail2ban blocks the IP address for 10 minutes.

You can tail the fail2ban log file to monitor actions:

tail -f /var/log/fail2ban.log

Sample results

2010-06-21 22:27:58,953 fail2ban.jail : INFO Jail 'ssh' started 2010-06-21 22:29:36,430 fail2ban.actions: WARNING [ssh] Ban 192.168.1.18

3. (optional) Specify a list of IP addresses ignored by fail2ban. This can be useful to avoid getting locked out (pico /etc/fail2ban/jail.conf)

ignoreip = 127.0.0.1 192.168.1.0/24

Modify the ignoreip property and type a list of IP addresses or networks seperated by a space.

4. Restart fail2ban (only required if you modified the ignoreip property)

/etc/init.d/fail2ban restart

Installing suPHP

aip — Fri, 01 Jan 2010 22:05:02 +0000

suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.

1. Install suPHP

apt-get install libapache2-mod-suphp

2. Disable the php5 apache module

a2dismod php5

3. Restart Apache

/etc/init.d/apache2 restart

4. You can test if suPHP is working correctly by creating a php file containing the following lines:

system('id'); ?>

The script will return user/group id and name. Make sure you set the file owner to a user/group with id greater than 99.

Scan your web server for vulnerabilities with Nikto

aip — Mon, 28 Dec 2009 09:49:56 +0000

Nikto is a web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers.

1. Install Nikto

apt-get install nikto

2. Test the local web server

nikto -h localhost

Nikto also supports testing on different ports. Click here for Nikto usage information.

Disable root login to SSH

aip — Mon, 09 Nov 2009 20:44:31 +0000

Allowing root logins to your SSH damon is a big security threat. If the SSH port is open, hackers will probably at some time attempt to brute force your root password. It's a good idea to disable root logins to SSH and instead use a normal user to login and type "su -" to enter the super user shell or sudo to perform tasks that require root privileges.

1. Open the SSH daemon config file and change this line: (pico /etc/ssh/sshd_config)

PermitRootLogin no

2. Restart the SSH daemon

/etc/init.d/ssh restart

Adding a sudoer to use sudo on Debian

aip — Mon, 09 Nov 2009 20:36:59 +0000

Sudo allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.

1. Create a new user (optional)

adduser user1

2. Make sure sudo is install (installed by default on lenny)

apt-get install sudo

3. Add the new user to the sudo-ers list (visudo)

user1 ALL=(ALL) ALL

This will allow user1 to run all commands that require root privileges. You can also limit the access, Click here to view the syntax

4. Save the file by pressing Ctrl-X if you are using Nano/pico or :w if using vi

You can now login as the standard user (user1) and execute commands that require root privileges using sudo.

Loading iptables rules on startup

admin — Mon, 01 Sep 2008 21:48:31 +0000

By default iptables is setup on Debian etch but there are no rules configured. In this tutorial we'll configure some rules and load them into iptables on startup.

1. Rules file

Create a new file that will contain a shell script to insert rules into iptables (pico /etc/firewall-rules.sh) and add this content as template:

#!/bin/sh IPT="/sbin/iptables"

echo -n "Loading iptables rules..."
# Flush old rules
$IPT --flush
$IPT --delete-chain

# By default, drop everything except outgoing traffic
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Allow incoming and outgoing for loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# ICMP rules
$IPT -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block new connections without SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# HTTP
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
$IPT -A INPUT -p ip -f -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Anti-spoofing rules
$IPT -A INPUT -s 200.200.200.200 -j DROP
$IPT -A INPUT -s 192.168.0.0/24 -j DROP
$IPT -A INPUT -s 127.0.0.0/8 -j DROP

echo "rules loaded."
You can customize this file as required, check the iptables manual for parameters and options.

Change the permissions to make the file executable by root:

chown root /etc/firewall-rules.sh chmod 700 /etc/firewall-rules.sh

2. Load rules shell script on startup

Add this line above the address line for your default network interface (pico /etc/network/interfaces):

pre-up /etc/firewall-rules.sh

Now, every time you start the network interfaces including restarting the system, iptables rules are reloaded.