Securing your Cloud Server with Fail2ban

Captions
If you are the administrator of a Linux server, whether it be a virtual server or a physical server, security is extremely important, and there's not any one thing that you can do to make your server bulletproof. To be honest, there's no such thing as a bulletproof, unhackable server, but everything you do adds another layer of protection. In a previous video I showed you guys how to better secure your OpenSSH server, because let's face it, that's a very common way for Linux administrators like us to remotely maintain and manage our environments. In this video I want to show you guys how to add another layer of security to your server that I think is going to further complement that. So if you haven't already checked out my video on OpenSSH and how to better secure it, I'll put a card right about here that will give you a link to watch that video. This video doesn't require that you've already watched that one, but again, every additional layer of security that you add to your server is going to help, and this time we are going to check out Fail2ban, which is going to add additional protection for your Linux server.

So here on my laptop I am logged in to my Linode console, because I created a cloud server specifically for this video. You don't have to be using Linode, though, because nothing I'm going to show you in this video is specific to that platform, but they are an awesome provider of cloud services and a valued sponsor if you are looking for a solution for cloud hosting. Whether you are maintaining a cloud server or a virtual machine, what I'm going to show you in this video will apply. To get started I am going to need to SSH into this server. I have the IP address for it right here, so I'm going to copy that to my clipboard and we're going to SSH into that server so that we can get started. So here I have a terminal ready to go, so I'm just going to SSH into that server. I'm going to use root for my username; that's very common when you have a cloud server, that they use the root user account. Your configuration may vary: if you have installed your server from scratch, then you probably have your own username. Then I'll simply paste in the IP address, which you see right here, and we should be good to go. I'll confirm that, type in my password, and there we go, I am now connected to the server that I'm going to be using as an example in this video.

So on this instance I am running Ubuntu 18.04. You don't have to be running Ubuntu Server or any particular distribution; the only thing that might change is maybe the default config file, but you know, you're still installing and configuring the same thing regardless. If you are running some flavor of Ubuntu or Debian, then everything I show you in this video will probably match, but if you are using a different distribution, just go ahead and adjust the commands accordingly.

Now before we get started I'm just going to make sure real quick that we have all the latest security patches. This is something that I do mention in virtually every video that has to do with security, because the concept of updating packages isn't lengthy enough to account for its own video, but it is a very important thing that we definitely want to make sure that we do when we are maintaining a Linux server. We always want to be up-to-date. So first of all I'm just going to run apt update, and if you are running as a normal user you're just gonna put sudo in front of that, but since I'm running as root I don't need to do that. So basically any time you see me run a command, just go ahead and put sudo in front of it if you're running as a normal user. Okay, it actually tells me 127 packages can be updated, so I'm glad I checked this. To actually install the updates I'm just going to run apt dist-upgrade, just like that. Again, use sudo if you need to; that's the last time I'll mention it. Then I'll press Enter and it's going to, like I mentioned, upgrade 127 packages, which will require five newly installed packages. I'll press Enter to accept the default, the capital Y for yes, and I'll let this install.

If we see a message like this, we can simply say yes if we don't mind restarting services. If you are running a production server and restarting services would be bad, you know, your users would be disconnected, then go ahead and say no, but I'm gonna go ahead and say yes. Okay, so all of the updates were successfully installed. This part is optional: we could do some cleanup now. On a production server you might want to reboot the server and kind of just see how things go before you do this, but since this is a brand-new server I'm just gonna go ahead and do the cleanup now. So I'm just gonna run apt autoremove, and it's gonna go ahead and clean up old kernels. Again, if this is a production server you might want to test out the new kernel first, but I don't care, this is a brand new instance, I'm just gonna go ahead and do the cleanup now, and we're good to go.

So at this point I'm going to reboot the server. Now, it's not always necessary to reboot a Linux server; to be honest it's just the easiest thing to do at this point. If you're running security updates on a production server you definitely want to make sure you restart the services that have been updated, but for the sake of simplicity I'm just going to reboot the entire server so that we are on the latest kernel and the latest software stack. So I will be right back when that's done. All right, so I think enough time has passed. I'm just going to press the up arrow and attempt to reconnect to the server. All right, put in the password, and now I am reconnected to our Linux server.

So with that out of the way, it's time to actually get started on the main topic of this video: let's get Fail2ban installed. This part is easy, we just simply do apt install fail2ban, just like that, and then it's going to need some additional libraries and prerequisite packages to be installed. That's fine, I'll press Enter, and there we go, that was fairly quick; I didn't even have to edit that part of the video. Now if you're not using Debian or Ubuntu, then you might need to use something other than apt install, perhaps dnf install in the case of Fedora, or pacman -S if you're running Arch Linux, but regardless, we just want to get that package installed and then we'll move on to the next step.

Next we're going to want to see whether or not Fail2ban is running. This may vary, whether or not it starts automatically, so what we're going to do is systemctl status fail2ban and press Enter. Now I didn't use sudo because I'm running as root; if you're running as a normal user you may or may not see all of the information here, but in my case we can see that it is active and running.

We'll get back to the video in just a moment, but I wanted to take a minute to mention my sponsor and cloud infrastructure provider, Linode. Linode provides virtual servers that make it easy and affordable to host your own app, site or project in the cloud. Whether you're a Linux power user or just a beginner, you can use Linode. You can start from scratch and fully customize your server for any application, or use Linode's one-click apps to deploy game servers, WordPress sites, personal VPNs and much more. You can even upload and run your own image. Linode comes with amazing 100% human 24/7 support by phone or support ticket, along with hundreds of docs and guides to help you get started. Sign up to get twenty dollars free on your new Linode account with the code learnlinux19 or by signing up with the link in the description. I really appreciate Linode's sponsorship of my channel; they're awesome, definitely check them out. Now let's get back to the video.

But what exactly is Fail2ban doing for us? Well, there's a very specific command we can run that's going to give us that information. So what I'm going to do is run fail2ban-client and then status, and you will need to have root privileges to do this, and it tells us that there is one jail in use, and the jail that is currently in use is sshd. But what exactly does that mean? So you might be wondering, you know, what is Fail2ban doing for us, what is the purpose of Fail2ban in general? Probably something I should have gone over at the beginning of the video, but basically what it's going to do is it's going to monitor for login attempts, and when a certain threshold of failed logins is reached, it's going to ban that particular person by just putting in a firewall rule to block their IP. We can configure how many login attempts are allowed before it blocks somebody, and we can also configure how long someone is blocked for. Let's face it, you know, some of our users, they're going to type in the wrong password, and I'm talking about users that legitimately should be using the server, so you might decide you don't want to basically have them blocked forever. But putting a time limit on it would probably help stop somebody trying to brute-force the server: if they're locked out for 30 minutes to an hour every fourth password attempt, it's a lot harder to brute-force a server in that way, but it still allows the timeout to expire so that a user can try again after you have reset their password. Now of course, in everything that I just said I'm referring to SSH, because as you saw, the jail that is active is SSH. So by default Fail2ban is actually monitoring SSH for us; we didn't tell it to do that, it's automatically doing that, so it's already helping us secure SSH. But we do need to look at the configuration file to basically tweak this. Another thing to know is that Fail2ban is able to watch other types of things for login attempts, for example Apache web logins, so SSH isn't the only thing that we can put it in front of; it's just the default, at least in terms of Ubuntu. Now again, we see that it is monitoring SSH for us, and this may vary from one distribution to another. Again, I haven't changed anything; this is Ubuntu 18.04.

So how do we configure it? What we're gonna do is change directory into /etc/fail2ban, that directory right there, and let's see what's inside. We have a number of files here, but there's one in particular that's important to us, and it's this one right here, which is the configuration file that Fail2ban reads when it starts. Now what's kind of confusing is that this is not the preferred file; there's actually another file name that it looks for that is not present here, called jail.local. So I'm gonna want to explain this so I don't have you waste your time configuring the wrong file. If you did make your changes in the jail.conf file, that one, it would work; I mean, all your configuration changes, assuming you had no syntax errors, would actually work just fine, you would get the desired result. But what would happen potentially is, if you run your security updates and Fail2ban is updated, that jail.conf file could be overwritten and you might lose your changes, which is the reason why we don't want to use that one. But what we can do is copy that existing file to a new name, jail.local. If that file is present, Fail2ban will prefer that file, and it will not overwrite that file in case of an update. So that is the desired way to go; we definitely want to do it that way. So we want a custom file rather than use the default, and to get that started it's pretty simple: we're just gonna copy jail.conf to jail.local and I'll press Enter, and now we can see that we have the jail.local file, which is simply just a copy of the original. Again, this file will not be overwritten when we do updates, but this file right here might be overwritten if we update the package. It's just a safe rule of thumb to put our changes in this file.

But let's go ahead and take a look at this. I use vim; you can use whatever text editor you would like. I'm going to bring that up in a text editor, and we can see that it actually is a very large file. If I turn on line numbers, for example, just :set number, and then I just do a capital G, it takes me to the end of the file. We see that there are 889 lines of text here, obviously a bunch of blank lines, but it's quite a big file. But I'll press g twice to jump back to the top, and don't let that scare you, because you don't have to memorize everything here. There's just a ton of examples that it gives you, but you're not going to use most of this file; the majority of the file is just used as an example that you can use to build your configurations on.

Okay, so I'm going to scroll down here, and here we see line number 54, I'll just move that up a little bit: ignoreip. So it's probably self-explanatory, but what this allows us to do is add an IP address here that will never be blocked, regardless of how many invalid attempts to log in happen to come from that IP. We first have to uncomment that, then we can move to the end of this line. Since I'm using vim I'm just gonna go to append mode by pressing A, and then I can type an IP address right here that will never be blocked. So what you can do on your end is go to something like whatismyipaddress.com if you don't already know what your public IP is, and then you can get that number. Now once you have that, you can go ahead and add that right here. So I'm not going to know what IP address you should put here, obviously, because each of you is going to have your own public IP, but when you go to a site like whatismyipaddress.com or equivalent, you'll just go ahead and put in whatever that number is right here. So basically, as an example, I'm just putting in a completely random IP address; I just made it up off the top of my head. I know that's not a publicly routable IP; you get the idea, there are four octets, whatever your IP address is, you'll put here. You'll make sure that there is a space between the last item and the IP address that you are entering here, and of course you could enter more than one if you'd like. Now in my case I'm going to undo this change, only because this is a completely bogus IP and for the purposes of this tutorial this really doesn't apply to me. So since this is vim I can hit Escape and press u a couple of times to revert back to the way it was.

But there are more changes that we will need to make. bantime is an important setting to configure as well. In this case it's defaulting to ten minutes, despite the fact that it says right here that it's referring to the number of seconds; if you don't put the m there, that would just be for ten seconds, that would be fairly useless. But we can see here that if a host gets banned, they will be banned for about ten minutes. You can customize this for whatever you would like, and then you could just set it to 60 minutes, 15 minutes, you know, you could put hours in there, whatever you would like to do. Down here is maxretry, which is another setting that I recommend you consider changing. It's defaulting to five on this installation of Fail2ban, which means that if somebody goes beyond this, the host will be banned. I can't tell you what to put here, because it kind of depends on your situation. If you are an administrator and you have a lot of clumsy users and you set this to five, you're going to be getting a lot of calls from people that are just simply mistyping their password, but you know, you can increase this to 10 or to seven; you could be even more strict and lower it down to three. As an administrator, that's basically up to you, how strict you want to be here, but I just want you to know that this option exists and you can configure this accordingly.

Now all of that is well and good, but the benefit of Fail2ban is of course banning things, and by default we are banning SSH, which is great, because that's a very common means by which people will try to get into your server. Now another section that I want to show you, and perhaps the most important section of this file, is the jails section. So basically you're going to page down and look for that part of the file; in my case it starts around line 230 in my example here, again that could vary. But this is the jails section, which basically, as you can see, goes on for quite a while. We have all these different configurations. Well, basically every time you see something in brackets like you do right here, that's basically the name of a jail, or an application that Fail2ban is able to monitor by default that has default configuration, and there's quite a few, because again this file goes on for quite a while. So the very first thing that we have, we'll go ahead and center this a bit, is sshd. So again, when you see the brackets, that's the beginning of a new section, and basically everything underneath that stanza right here is going to be configuration for that particular object; in this case, sshd is enabled. Now I can minimize this text file by doing Ctrl-Z, which will take me back to the local shell here. If I do fail2ban-client status, we can see that the SSH jail is currently enabled. Now at least in the case of Debian and Ubuntu this is kind of an exception: we didn't actually enable this, you don't even see an option that says enabled here at all, but by default, at least in this particular distribution, that is enabled, which is why you see it even though it doesn't reference that in the file. Now essentially how you enable something is you add the line enabled = true, save the file, and then what you're going to do is restart Fail2ban, and then we'll check the client status and then you'll see whatever it is you've enabled on this list. Now SSH was already there, so we didn't actually have to do that. Now in other distributions I've seen this be the case where this line is there and maybe it's commented out, or it'll say enabled = false, and you'll just have to change it, but in the case of Ubuntu you'll have a blank line. It doesn't even have to be on the blank line, you can basically add it wherever, and you can simply enable that.

Now another option here that's of special importance is port. Right now it's set to ssh; the default port for SSH is 22, so by having the word ssh here we are basically referring to the SSH port of 22. If we have changed that port, we will need to make sure we reference that change here, otherwise Fail2ban will not be helping us out. In my securing OpenSSH video that I did previously, I showed you guys how to change the port for the SSH server. If you have done that, you'll want to make that change right here, so I can go ahead and back this out right here and I can just go ahead and type the port, whatever I happen to have SSH set to. I did not change the SSH port, I'm just giving you an example; I'm going to go ahead and change it back. But basically what you would do is write the change and then restart the file. If you're curious what I'm talking about, if you go into /etc/ssh and you open up the sshd_config file, near the top right here you have Port 22. It's commented out, so that means it's a default, so if you were to uncomment this and change the port number to something else and then restart the SSH server, then SSH will be listening for connections on a different port. I'm not going to do that, though; I'm going to go ahead and just leave it as the default. In fact, I'm just going to undo everything altogether and get out of this file anyway. Just wanted to make sure you were aware of that: if your service is running on a different port, you do need to change that in the file.

But what I'm going to do is show you guys how to change other things. Now you might be tempted to go ahead and enable everything, because I mean, look at this, there's a bunch of things here that you can enable, and you might be thinking, you know, I want all the protections that this service offers me, I want to turn on everything by enabling everything. Don't do that, because you could actually create a situation where Fail2ban isn't working at all. Now sometimes it handles this gracefully and sometimes not. So for example, I'm going to enable this one, just as a completely random example, so I'm going to do enabled = true for this, save the file, and let's just restart Fail2ban and see what happens, and we'll do a status on it, and it failed. Why did it fail? Well, if you remember, I enabled apache-botsearch right here by adding the enabled line, but the problem is Apache is simply not installed on the server. So if you do enable something for a service that you don't even have installed in the first place, Fail2ban could fail to start up, and that's bad, because it's not protecting you at all. So you definitely don't want to enable everything. So I'm gonna go ahead and remove this line right here and I'll save it; let's restart this service one more time and check the status, and we're back up and running, now it's active and running. So that's why I wanted to bring to your attention that you should not enable everything just because you can.

I'm going to scroll up a bit here and I'm going to explain to you the basic workflow of Fail2ban, how you would actually use this in practice. As I mentioned, it protects SSH by default; that's great, but if you have other things on your server that you want to protect, you're gonna want to try to see if Fail2ban can offer you an additional layer of protection for that service. Now as I mentioned, I was not able to enable the Apache jail, the other one I tried to enable, because Apache is not installed. Let's go ahead and install it. So I'm gonna do apt install apache2, which is probably gonna be httpd if you're running a Fedora-based or CentOS or something Red Hat-like. Install this package, and now we have Apache installed. So I'll do systemctl status apache2 and we can see that it is running, and perhaps even more interesting, I have a web browser down here in a different workspace. I'm just going to paste the IP address in here, and we can see that Apache is installed and successfully hosting a site on this particular cloud server. Back here on my shell I can bring back my text editor, and let's go ahead and enable this. Even though I'm not actually accepting authentication via Apache, it's only listening on the port designated for a web server anyway, so I'm just gonna go ahead and enable this. So basically the workflow is: you have something running on your server, whatever that happens to be, whether it be nginx, Apache or something else; you're going to add this enabled line to it, then you'll save the file and restart Fail2ban, and then after you do that you're going to check the status of it, make sure that it's running, and then you'll do fail2ban-client status to see if the newly enabled jail is on the list. That's how you know that Fail2ban is actually watching that service. And then what you're going to do is do this one by one. So here we have apache-badbots; I'll go ahead and enable that as well, save the file, and I'm just going to go through the same exact exercise all over again. It's still running, that's great, and now the newly added jail is there. So basically you just repeat for however many things in this file actually pertain to things running on your server, to go ahead and help protect those items. Clear the screen.

Now for the next thing I want to show you, I'm going to have to lower my font size down a bit. I try to keep it up for those of my viewers that are vision impaired, for example, but I do need to lower the font size for this in particular. Let's take a look at a very special log file. I'm just going to use cat; you do need to be root or have sudo in order to be able to look at this file. We can see that there are, you know, there's quite a few things in here; I mean, obviously I was testing and playing around with this before I recorded the video. But if I scroll up a bit I'm hoping we will see some kind of line where somebody was banned, like somebody's trying to log into my server, they weren't able to, and so far we don't have anybody here trying to break in. But basically I wanted to show you guys what log file you can look into to find some information about what is going on with Fail2ban. Now other log files that you might want to take a look at from time to time: the system log, we can see some items here where basically Fail2ban logs some of its information there as well, and then we also have the authorization log, which is already on your server and might be /var/log/secure for other distributions, but basically in my case /var/log/auth.log, which will also have some useful information that you might want to check out if you're in a situation where you want to know if something got banned or if somebody is getting blocked out.

Now one easier way of getting some information is you can actually perform a status lookup on individual jails. Now again, we've been running this, which basically tells us that there are three jails enabled and then it lists them down here, but what you can also do is type the name of one of the jails, and it's going to actually give you a list of banned IPs, which you can't see right here; thankfully no one has tried to hack into the server yet, but considering this is a test server, I kind of wish somebody was. But right now we have nobody banned following this right here. So what do you do in a situation where you want to unban an IP address? Maybe your user entered their password incorrectly too many times, an honest mistake, you want to basically unban them. How would you do that? Well, the first thing you would do, again, is execute this command right here; we've already done that. Whatever the jail name is, if it's not SSH, they're locked out of something else, you would put that jail name there. You would confirm that their IP address is on this list, just to make sure that Fail2ban actually is the culprit in why they can't reach the server, and if their IP address is listed here, we can use the same fail2ban-client to unban their IP as well. So to do that we'll do fail2ban-client set, then the name of the jail we are trying to configure, so in this case let's just assume it's sshd, then we're going to use the argument unbanip, because we do want to unban an IP, and then we type the IP address right here. I just made up a completely random number just to give you an idea. Now I press Enter and it's telling me that IP is not banned, but if that was an actual IP that was banned by Fail2ban, we would be able to unban them with this command.

And just to show you guys, I'm going to try to simulate this problem right now. So I'm going to open a new tab and I'm going to SSH into my cloud server here, and let's have a little fun. It's asking me for the password; I'm just gonna put something incorrect into this. Again, just putting in gibberish for the password, random characters again, and permission denied. And just to be safe I'm going to just keep trying. Okay, permission denied. I think I have tried enough times now. I am still connected here; thankfully I did not add my IP to the actual whitelist. But what I want to do now is see how this affected Fail2ban, so I'll do fail2ban-client status sshd: currently failed 1, total failed 4. Now, I'm not banned quite yet, so maybe I should just go ahead and try this a few more times and just go crazy; let's see what it's going to take here. Now at this point I can't even type anything. I am locked out of the server; even though I had an established connection here, that connection got dropped, because it basically added a firewall rule to lock me out, because I kept trying to get into the server and I wasn't able to do that. So when this happens I need a back door into the server. Now if you did add your IP address as a whitelist you would not get locked out, but I omitted that on purpose. So let's go ahead and try to get into the server another way. Now here on my Linode account I can just click Launch Console right here, which is going to bring up a console window, and what this is going to do is allow me to log in to the server. I apologize for the small text here; basically I'm just logging in as root again, and now I am logged in. So what I can do now is just double check: fail2ban-client status sshd, Enter, and it does say that I am banned, and it gives me the banned IP right here. So what I'm going to do is restore my access. So what I'm going to do is run fail2ban-client set sshd unbanip and then that IP address, press Enter, and it just repeated the IP address that I typed in, which I'm going to take to mean it's a confirmation. Let's see, and look at this, I'm basically already connected. I didn't wait long enough for my SSH connection to basically time out and drop; as soon as I unbanned the IP address it basically allowed me right back in, it just allowed me to resume this session that I already had open.

Now for the more technical people watching this, if you're curious where the firewall rules are, I mentioned firewall a few times here, have a look. So if I was to do iptables -L, again as root or with sudo, now I'm not going to see it now because I unbanned my IP, but you should actually see your banned IPs in here. But we see that we have a chain right here for fail2ban, and that's for sshd, and you can see that Fail2ban is basically modifying the firewall. That's how it actually changes and enforces its rules, by configuring the Linux iptables firewall whenever there's an event that requires it to do so. But basically that's all there is to it when it comes to the basics, so that's basically it.

Now Fail2ban can get more advanced than this when you start to get into regular expressions and creating your own jails; that's where it gets more complex. Now most of the time, when you want to protect something on your server, it's going to be like a web server, SSH, something typical like that. Fail2ban is going to have a jail already in the sample config file that you can use to go ahead and enable that, but if you do run into a situation where you have a service that you want to enable a jail for and there isn't one, you can Google around and see if someone has already written a jail, or you might have to write it yourself. That's beyond the scope of this video, because for the vast majority of you guys the default jail.conf file that you later renamed to jail.local, that sample file, will have everything that you need inside it, and you just enable the jails that pertain to your server and what its use case is for.

So hopefully that was helpful for you guys. Let me know what you think in the comments below. Again, Fail2ban is not a one-stop shop; it's just one more layer of security that you can add to your cloud server, your virtual server, or whatever kind of Linux server that you happen to have, that'll make it that much harder for someone on the outside to break in. But again, at the end of the day, the more layers of security you have on your machine, the more secure it actually is, and you should never rely on just one thing. Fail2ban just gives you one more layer. So thanks again for watching guys and I will see you in the next video. Thanks for checking out my video, I really appreciate it. If you found it useful, click that like button, and if you haven't already done so, make sure you subscribe so you'll see the latest content as soon as it becomes available. If you want to help me out there are links down below for my Patreon page as well as links for purchasing my Linux ebooks, and also my affiliate store, which has a listing of Linux-compatible hardware that I've actually tested personally. Thanks again for watching and I'll see you in the next video.
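The log file, the unban check and the "update port if you moved SSH" caveat described above, as an added example that is not part of the video or of Fail2ban itself: a Python script that replays Ban/Unban events from fail2ban.log-style lines to list which IPs are still banned per jail, counts the failed attempts that preceded each ban (to compare with maxretry), only produces the fail2ban-client unbanip command when the address really is banned, and checks that the sshd jail's port covers what sshd_config actually listens on. All inputs are constructed samples embedded in the script (IPs from the RFC 5737 documentation ranges); the log-line layout assumed is Fail2ban's default log format.

```python
"""Defender-side helpers for the Fail2ban workflow shown in the video: replay
Ban/Unban events from fail2ban.log and check that the sshd jail's port matches
what sshd listens on. All inputs are constructed samples; nothing runs live."""
import re
from collections import defaultdict
from configparser import ConfigParser

# Constructed lines in the layout of /var/log/fail2ban.log; the IPs come from
# the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2019-11-22 10:15:30,101 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5 - 2019-11-22 10:15:29
2019-11-22 10:15:41,207 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5 - 2019-11-22 10:15:40
2019-11-22 10:15:52,318 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5 - 2019-11-22 10:15:51
2019-11-22 10:16:03,422 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5 - 2019-11-22 10:16:02
2019-11-22 10:16:14,530 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5 - 2019-11-22 10:16:13
2019-11-22 10:16:14,612 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2019-11-22 10:20:02,004 fail2ban.actions        [1234]: NOTICE  [apache-botsearch] Ban 198.51.100.77
2019-11-22 10:26:14,700 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
2019-11-22 10:31:55,111 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+\S+\s*\[\d+\]:\s+\w+\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<action>Found|Ban|Unban)\s+(?P<ip>\S+)"
)

def parse_events(text):
    """Yield (timestamp, jail, action, ip); other lines (daemon start, reload, ...) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("jail"), m.group("action"), m.group("ip")

def currently_banned(text):
    """Replay Ban/Unban in order; mirrors the banned list `fail2ban-client status <jail>` shows."""
    banned = defaultdict(set)
    for _, jail, action, ip in parse_events(text):
        if action == "Ban":
            banned[jail].add(ip)
        elif action == "Unban":
            banned[jail].discard(ip)
    return {jail: ips for jail, ips in banned.items() if ips}

def failures_before_ban(text):
    """Number of 'Found' (failed attempt) lines per (jail, ip) before each Ban;
    compare with the maxretry value you configured in jail.local."""
    found, result = defaultdict(int), {}
    for _, jail, action, ip in parse_events(text):
        if action == "Found":
            found[(jail, ip)] += 1
        elif action == "Ban":
            result[(jail, ip)] = found.pop((jail, ip), 0)
    return result

def unban_command(text, jail, ip):
    """The fail2ban-client invocation that lifts the ban, or None when the IP is
    not banned in that jail (so Fail2ban is not why the user is locked out)."""
    if ip in currently_banned(text).get(jail, set()):
        return ["fail2ban-client", "set", jail, "unbanip", ip]
    return None

# Constructed excerpts of jail.local and sshd_config for the port check.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 203.0.113.50
bantime  = 10m
maxretry = 5

[sshd]
enabled = true
port    = ssh
"""
SAMPLE_SSHD_CONFIG = """\
#Port 22
#AddressFamily any
Port 2222
"""

def sshd_listen_ports(sshd_config):
    """Ports from uncommented 'Port' directives; none means the default, 22."""
    ports = {int(m.group(1)) for m in re.finditer(r"(?m)^\s*Port\s+(\d+)", sshd_config)}
    return ports or {22}

def jail_ports(jail_local, jail="sshd"):
    """Ports the jail bans on; service names such as 'ssh' are mapped to numbers."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(jail_local)
    names = {"ssh": 22, "http": 80, "https": 443}
    return {int(names.get(p.strip(), p.strip())) for p in cp.get(jail, "port").split(",")}

def jail_covers_sshd(jail_local, sshd_config):
    """False when sshd listens on a port the jail does not ban on: the mismatch
    that leaves Fail2ban not helping after the SSH port was changed."""
    return sshd_listen_ports(sshd_config) <= jail_ports(jail_local)

if __name__ == "__main__":
    print(currently_banned(SAMPLE_LOG), failures_before_ban(SAMPLE_LOG))
    print(unban_command(SAMPLE_LOG, "sshd", "192.0.2.9"))
    print("sshd jail covers sshd port:", jail_covers_sshd(SAMPLE_JAIL_LOCAL, SAMPLE_SSHD_CONFIG))
```

Point the functions at the real /var/log/fail2ban.log, /etc/fail2ban/jail.local and /etc/ssh/sshd_config contents to run the same checks on a server.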
Info
Channel: LearnLinuxTV
Views: 7,811
Keywords: LearnLinux, Linux, Tutorial, Review, Howto, Guide, Distribution, Distro, LearnLinux.tv, Learn Linux, operating system, os, open-source, open source, gnu/linux, linux server, digital ocean, ubuntu server, linux web server, server build, linux server setup, how to, linux commands, linux tutorial, fail2ban ssh, fail2ban setup, fail2ban ubuntu 18.04, fail2ban tutorial, fail2ban apache, linux tutorial for beginners, linode, ubuntu, cloud, vps, secure, security, hardening, droplet, vm
Id: WMYVqUGMAHM
Length: 40min 52sec (2452 seconds)
Published: Fri Nov 22 2019