SSH Brute Force Protection With Fail2Ban

Video Statistics and Information

Reddit Comments

Fail2ban is easy to set up with alerts as well, so you can take other actions when someone hits the threshold on attempts.

👍︎︎ 12 👤︎︎ u/palpablefuckery 📅︎︎ Nov 21 2019 🗫︎ replies

So, in the interest of starting a discussion: how do you all feel about this vs using ConfigServer? And if it's a WHM server you would have access to both ConfigServer and cPHulk. I think these provide all the blocking options of fail2ban (with which I lack detailed familiarity). LFD in ConfigServer also provides the ability to subscribe to some very good block lists as well.

Thoughts?

👍︎︎ 5 👤︎︎ u/CaptainSur 📅︎︎ Nov 21 2019 🗫︎ replies

Nice work

👍︎︎ 3 👤︎︎ u/shaperaty 📅︎︎ Nov 21 2019 🗫︎ replies

Great job 👍

👍︎︎ 2 👤︎︎ u/Kamfart 📅︎︎ Nov 21 2019 🗫︎ replies

BTW, you can also build neat SSH wordlists by saving the user:password pairs to a file and dropping the connection; a simple SSH server like this can be written in Python.

👍︎︎ 1 👤︎︎ u/wereii 📅︎︎ Nov 22 2019 🗫︎ replies
Captions
This series is sponsored by Linode. Linode provides virtual servers that make it easy and affordable to host your own app, site or project in the cloud. Whether you're a Linux power user or just a beginner, you can use Linode: start from scratch and fully customize your server for any application, or use Linode one-click apps to deploy game servers, WordPress websites, personal VPNs and much more. You can even upload and run your own image. You can get twenty dollars free on a new account with the code or the link in the description, linode.com/hackersploit.

Hey guys, in this video we're going to be taking a look at SSH brute force protection with fail2ban. Before we get started with setting it up, let's get a bit of an understanding of what this tool is and how we can use it for SSH brute force protection. So what is fail2ban? Fail2ban is an intrusion prevention framework written in Python that protects Linux systems and servers from brute force attacks. These are not limited to SSH, but the scope of this video is going to be SSH as the primary service being protected. Fail2ban allows you to monitor the strength and the frequency of attacks, and from that you can create various jails and customize the strength of the defense you want, based on the attacks you're getting. Fail2ban can also be set up to block IP addresses automatically based on specific parameters, which I'll explain as we move along. The great thing about fail2ban is that it automates the process of protecting your server, or your SSH service, from brute force attacks.

Now that we have an understanding of what fail2ban is and how we can use it to protect our servers from brute force attacks on SSH, let's take a look at the infrastructure we'll be using in this video. For the purpose of this video I've set up a quick server on Linode; I'll just copy the IP address. It's a simple Ubuntu server, and I'll demonstrate how powerful fail2ban actually is. I'll open up a terminal and log in to this server. I haven't set up any other user accounts, so we'll be logging in as the root user; I enter the password and that logs us in immediately. The first thing I want to do is update the package lists, because we need to install fail2ban. We don't need sudo here since we're already the root user, so we just run apt-get update. Fail2ban is completely free to use and you can install it through most of the popular package managers; in our case we'll use apt: apt-get install fail2ban. That prompts us to download about 18.7 megabytes, which shouldn't take too much time. You can see a symlink is created, which is important for the fail2ban service.

One of the first things we need to do is ensure that fail2ban runs on system startup, so that if you reboot your server, fail2ban starts during the boot. To do this we use systemd: systemctl enable fail2ban.service (the service is called fail2ban.service). As you can see it says it's synchronizing the state of the fail2ban service with the SysV service script, so this works regardless of whether we used systemd or SysV init.

Now we can start taking a look at the configuration files, which are found in the /etc/fail2ban directory: ls /etc/fail2ban. The most important ones you want to be familiar with are jail.conf and fail2ban.conf. We won't be looking at fail2ban.conf in this video; we're looking at the jail configuration. A fairly common term you'll hear when talking about fail2ban is jails. So what is a jail in fail2ban? A jail is essentially a configuration that contains the filters and arguments that protect your system or a particular service. By default all the jails for particular services are in the jail.conf file. Let me move into the directory so it's easier to work there, and view the entire file: less jail.conf. First of all, it tells you that this is not the appropriate way of creating or modifying the preset jails: in most cases you should not modify this file but provide customizations in a jail.local file, or create separate .conf files under the jail.d directory. We won't be doing the latter, because jail.local is pretty much the best way of going about it. What you can do is copy this file, with the copy called jail.local; within it are the various jails that protect the various services.

The first one you can see is sshd, the OpenSSH server service, and it's enabled, so a jail has already been configured for it, but you can see there aren't any protection options set here. For example, the default bantime for all jails on all services, regardless of whether it's SSH or FTP, has been set to one hour. We can customize this for particular services, which is what we want to do. You could copy this same configuration file with the .local extension and that would set up protection for all of those services; in our case, however, I want to create a new jail.local file, and the only service we're going to configure is the OpenSSH server, the sshd service. So we open the file with vim: vim jail.local. As you saw in jail.conf, we work with the services we want to protect by specifying their name, and the OpenSSH server is defined by the SSH daemon, so we start the section with [sshd]. After this we provide the options. The first important one is enabled, which controls whether the jail is enabled or disabled; the value is either true or false, which is self-explanatory: true means the jail, and therefore these particular configurations, will be active. For now let's keep it at false, because I want to show you a test brute force attack on the server before and after.

Now let me talk about the various options that exist here. We need to specify the port, the filter and the log file that we'll be using. That sounds like a mouthful, but it's really simple to understand. The first thing is the port, which is the SSH port: port = ssh. After this we specify the filter, which is very important. Let me open a new tab and authenticate to the server one more time, because I want to show you the log file we're talking about: the auth.log file, which stores all the authentication attempts made to the server, whether they were successful or failed. You can find it in the log directory: I first looked under /etc, which was my mistake, as it lives under /var, so we cat /var/log/auth.log. This gives you a log of all the authentication attempts. When I talk about a filter, the filter is where you tell fail2ban which log entries to look for; in our case we're looking for the sshd entries. For example, the first sshd log entry shows the SSH server listening on port 22, and then if we look at some authentication attempts you can see one that says "Accepted password" for the root user from a particular IP address, made through ssh2 rather than a tty session, so it also tells you whether the authentication was done locally or remotely. That's the filter we're looking for, so we only want to filter for sshd logs: filter = sshd. We then specify the location of the log file: logpath = /var/log/auth.log.

Now we can talk about the security options, which are very simple. The first, and the most important, is maxretry: the number of attempts allowed before an IP address is banned. We set maxretry = 3, so if you enter an incorrect password three times, you're banned. Then we have bantime, which is again self-explanatory: the number of seconds an IP address is banned for. Typically you can set it to an hour, which is 3600 seconds, or you can specify a day, which is a very good option that many system administrators use. We can just calculate it: 60 times 60 gives us 3600, multiplied by 24 hours is 86400. So bantime = 86400 blocks any IP address that makes more than three incorrect authentications for an entire day. You could also set it to 3600 or even 60 seconds, whatever you feel is appropriate for your server based on the attacks you've been getting, which I'll show you how to monitor. You can also whitelist IP addresses with ignoreip, followed by any IP addresses you may want to ignore; if you're a system administrator it may be wise to enter your own IP address here. There's also findtime, the window of time between failed login attempts, but we can leave that out because we don't really need it. These options are pretty good, so we save the file, with the jail still disabled.

The reason I kept it disabled is that I want to show you what a typical failed authentication looks like. I'll exit and SSH into the server, entering incorrect passwords. Typically the maximum number of times you're allowed to authenticate incorrectly in one connection is three, which is the default, but I'll explain something interesting here. Before I do this, because it's going to block my IP address and I'm connecting to the server remotely, let me open up Parrot OS. Rather than proxychains, I'll use anonsurf, because I don't want to expose my real IP address; this will come into play when I show you the IP addresses that were blocked. I'll wait for anonsurf to start before we authenticate to the server. Remember, the jail is currently disabled and SSH protection with fail2ban is not active. Now that we're anonymized, we run ssh root@ followed by the server IP, accept the fingerprint, and enter an incorrect password: permission denied. Another incorrect attempt, and one more, and there we are: you get three attempts by default, after which you're told permission denied and disconnected. Let's try it again: we're exceeding the number of attempts, but since we haven't enabled the fail2ban jail we can still keep authenticating incorrectly; after every three unsuccessful attempts it simply closes the connection.

Let's close this and restart the service. After writing any changes to your jail configuration file, you need to restart the fail2ban service: systemctl restart fail2ban.service. Now that we've confirmed we currently have no brute force protection, we modify jail.local and set enabled = true to activate the protection, write the changes and exit, and restart the fail2ban service again. Let me check the status: systemctl status fail2ban.service shows it's active and running. This is very important, because if you're having any issues with your syntax or with the filters you've set up for your jail in the jail configuration file, this is where you can check for errors, and you also have the log here, which shows stopped, started, and ready again.

Now we can test it one more time. I'll use the same IP address: ssh root@ the server IP, and we're told the connection was closed by the remote host. So let's try from a different IP. Let me check the status of the tor service: we currently have tor running, but we still need to stop anonsurf, so we run anonsurf stop and wait for it. I think we can just use proxychains now, which would be better than anonsurf; I should have done that before, but I wanted to explain a point. Anonymous mode has been stopped, so we start tor and use proxychains: proxychains ssh root@ the server IP. It asks for the password, and I enter an incorrect password, and another incorrect password. Remember we set maxretry to 3 in the jail configuration, so after the first three attempts it blocks the address, and obviously we're getting no response. We can also try brute forcing with hydra, which is another option: hydra with the login root and a password list from /usr/share/wordlists. Let's see which ones we have: there aren't any SSH-specific ones, so we'll use one of the Metasploit wordlists, the common roots list; the bottom line is I just want to show you what this looks like. We specify the ssh service and the IP address, close any other sessions I had, enable verbose output and hit enter. It tells us it could not connect to this IP: connection refused. After the third failed attempt we get no response, which proves that it's working.

However, I'll show you how you can check this properly. We terminate hydra, go back onto our server, and view the failed authentication attempts and the blocked IPs with the fail2ban client. fail2ban-client status gives you the number of jails you have, and as you can see we have only one jail, sshd. We then check the status of the sshd jail, the OpenSSH server jail: fail2ban-client status sshd. The status for the jail is as follows: under the filter, currently failed is zero and the total number of failed authentication attempts is six, and the file list is the auth log it's reading. Under actions it has banned three IP addresses, so the total banned is three, and the banned IP list shows the addresses I think we used with anonsurf and with tor, plus my own IP address, which it blocked, I think, because I disabled anonsurf and Parrot was then using my real IP.

Now let's go back into Parrot. Hydra had a few issues, so let's test one more time by running anonsurf again and then running hydra, so that we have a new IP to work with, because fail2ban-client showed that it did work. I also hadn't run hydra through proxychains directly, so let's do that now: we're on the anonsurf tunnel, so we run proxychains with hydra under sudo and I enter my password. It tests whether password authentication is supported, and it's working; immediately we get a few connection errors, so it tries connecting again, and then we get authentication errors from the server, so that's working fine. Let's take a look at fail2ban-client one more time: I'll clear the screen and check the number of failed authentication attempts again. The total failed authentication attempts has now moved up to 38, and the banned IP addresses are as follows: the various ones we got with anonsurf and, to a certain extent, proxychains. That's pretty much how to view all the failed authentication attempts and the blocked IPs, which you can then use to build a geographical model of where most of the attacks are coming from, even though they may be coming from a botnet.

If you want to disable a particular jail, modify the local configuration file: vim jail.local, and for the sshd jail set enabled = false; that disables the protection. Write the changes and exit, and restart the service: systemctl restart fail2ban.service (let me just reduce the font size here). Now let's see if we can log in. I'll exit and connect through my local IP, without proxychains: ssh root@ the server IP, and you can see it now works perfectly fine. If I enter some more incorrect passwords, we're now at least able to get authentication attempts through. That's pretty much all I wanted to show you guys: how to use fail2ban to protect your server from SSH brute force attacks. Let me know if you have any questions or suggestions, and I'll see you in the next video.
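The whole procedure from the video, written out as one script: an added example that is not the video's own commands or the fail2ban project's code. It assumes the Debian/Ubuntu layout (/etc/fail2ban, /var/log/auth.log) and the stock sshd filter that ships with fail2ban; the ignoreip address, the findtime value and the sample auth.log lines are constructed for illustration, and the apply_and_check function is the set of server-side commands, not something the script runs on its own. The two awk functions approximate what the sshd filter and maxretry do, so you can see which addresses the jail would ban without installing anything.

```shell
#!/bin/sh
# Added example (not from the video or the fail2ban project): set up the sshd jail with
# the values used in the video and check, offline, which log lines it would count.
# Assumptions: Debian/Ubuntu layout (/etc/fail2ban, /var/log/auth.log) and the stock
# "sshd" filter that ships with fail2ban. The ignoreip address is a documentation-range
# placeholder; replace it with the administrator's real address.

# Write jail.local into the directory given as $1 (default /etc/fail2ban). Only the
# [sshd] section is defined; every other jail keeps the defaults from jail.conf.
write_sshd_jail() {
    dir="${1:-/etc/fail2ban}"
    cat > "$dir/jail.local" <<'EOF'
[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
findtime = 600
bantime  = 86400
ignoreip = 127.0.0.1/8 203.0.113.10
EOF
}

# Commands to run on the server itself after writing the file (not executed here):
# enable at boot, restart to load the new jail, confirm it is active, then inspect
# the jail. The last command prints the "Currently failed", "Total failed" and
# "Banned IP list" fields that the video reads off.
apply_and_check() {
    systemctl enable fail2ban.service
    systemctl restart fail2ban.service
    systemctl status fail2ban.service --no-pager
    fail2ban-client status sshd
}

# Offline approximation of what the sshd filter matches: for every "Failed password"
# line logged by sshd on stdin, print the source address (the word after "from").
failed_attempt_ips() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
    }'
}

# Addresses whose failure count reaches maxretry ($1, default 3), one per line,
# sorted. Unlike the real jail this ignores findtime and ignoreip, so it is an
# upper bound on what fail2ban would ban for the same log.
ips_at_or_over_maxretry() {
    limit="${1:-3}"
    failed_attempt_ips | sort | uniq -c | awk -v limit="$limit" '$1 >= limit { print $2 }' | sort
}

# Constructed sample of /var/log/auth.log (not captured from the video's server);
# the addresses are from documentation ranges.
SAMPLE_AUTH_LOG='Nov 21 10:00:01 srv sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Nov 21 10:00:03 srv sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Nov 21 10:00:05 srv sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Nov 21 10:00:09 srv sshd[1207]: Failed password for invalid user admin from 192.0.2.44 port 40010 ssh2
Nov 21 10:00:20 srv sshd[1210]: Accepted password for root from 203.0.113.10 port 50000 ssh2
Nov 21 10:00:31 srv sshd[1212]: Failed password for root from 192.0.2.44 port 40011 ssh2'

# Stand-alone run ("sh script.sh demo"): show which sample addresses reach maxretry.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_AUTH_LOG" | ips_at_or_over_maxretry 3
fi
```

On the sample log only 198.51.100.7 reaches three failures; 192.0.2.44 has two and the successful login from the ignoreip address is never counted. The real jail additionally requires the three failures to fall within findtime, which is why setting it explicitly (here 600 seconds) matters: a slow, spread-out guesser never trips maxretry otherwise. Two practitioner caveats on the video's workflow: fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf tests the filter against your actual log before you enable the jail, and a locked-out administrator is released with fail2ban-client set sshd unbanip followed by the address, rather than by disabling the whole jail as the video does at the end.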
Info
Channel: HackerSploit
Views: 24,454
Keywords: hackersploit, hacker exploit, kali linux, hacking, fail2ban, fail2ban ssh, brute force ssh with hydra, brute force ssh private key passphrase john, brute force ssh nmap, metasploit brute force ssh, hydra ssh brute force kali, ssh brute force hydra, linux, kali linux tutorial for beginners, linux tutorial
Id: Z0cDqF6HAxs
Length: 24min 22sec (1462 seconds)
Published: Wed Nov 20 2019