Fail2ban with iptables, and Letting MySQL Remote Logins Through

Server environment

$ cat /etc/issue
Ubuntu 14.04.5 LTS

$ fail2ban-server -V
Fail2Ban v0.8.11

Recently I noticed a large number of SSH brute-force attempts in auth.log.

$ sudo grep ssh2 /var/log/auth.log

...
Jan 1 01:20:49 app sshd[22438]: Failed password for root from 59.55.140.173 port 16421 ssh2
Jan 1 01:27:22 app sshd[22440]: Failed password for invalid user snort from 91.121.112.123 port 33773 ssh2
Jan 1 01:58:52 app sshd[22459]: Failed password for invalid user admin from 196.219.96.116 port 53758 ssh2
Jan 1 01:59:01 app sshd[22461]: Failed password for invalid user admin from 14.170.244.58 port 42785 ssh2
Jan 1 02:05:25 app sshd[22466]: Failed password for invalid user vmail from 5.135.161.94 port 60876 ssh2
Jan 1 02:08:04 app sshd[22468]: Failed password for invalid user test9 from 5.135.161.94 port 55094 ssh2
Jan 1 02:10:52 app sshd[22483]: Failed password for invalid user oracle from 5.135.161.94 port 49413 ssh2

So I decided to use fail2ban together with iptables to block those source addresses.

Check The Iptables

$ sudo iptables -nvL

Chain INPUT (policy ACCEPT 1850K packets, 353M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1786K packets, 571M bytes)
pkts bytes target prot opt in out source destination

All three chains are empty with an ACCEPT policy, so every listening port is reachable from anywhere; the ruleset below turns INPUT into default deny.

Add Iptables Rules

$ sudo vim /etc/iptables.my.rules
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allows Mysql connections
-A INPUT -p tcp --dport 3306 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
# note that blocking other types of icmp packets is considered a bad idea by some
# remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
# https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

The MySQL line for port 3306 shows the pattern for any other service: add one ACCEPT line per port. Note that, as written, it accepts connections to 3306 from any address; if only specific hosts need remote MySQL access, add `-s <network>` to that line instead of opening it to the Internet. Fail2ban, as configured below, only watches sshd and only bans on port 22, so MySQL logins are not rate-limited by it.
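Restricting the MySQL rule to known source networks, as an added example that is not part of the original post: the script renders an iptables-restore file with the same shape as /etc/iptables.my.rules above, but every port-3306 (and optionally port-22) ACCEPT carries a `-s` network, validated with Python's ipaddress module before anything is written. The allow-list networks 203.0.113.0/24 and 198.51.100.0/24 are assumed placeholders (RFC 5737 documentation ranges); `render_rules` and `exposes_port_to_world` are this example's own function names.

```python
"""Render an iptables-restore ruleset that only admits MySQL (and optionally SSH)
from allow-listed source networks. Added example, not code from the original post.
The allow-list networks used in __main__ are assumed values (RFC 5737 ranges)."""
import ipaddress


def _networks(cidrs):
    """Validate each CIDR with the ipaddress module; strict=True rejects host bits
    set inside the mask (e.g. 203.0.113.5/24) so a typo cannot widen the rule."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]  # ValueError on junk


def render_rules(mysql_sources, ssh_sources=None):
    """Return the text of an iptables-restore file in the same shape as the post's
    /etc/iptables.my.rules, but with 3306 (and 22, if ssh_sources is given)
    limited to explicit -s networks instead of 0.0.0.0/0."""
    mysql_nets = _networks(mysql_sources)
    ssh_nets = _networks(ssh_sources) if ssh_sources else None
    lines = [
        "*filter",
        ":INPUT ACCEPT [0:0]",
        ":FORWARD ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A OUTPUT -j ACCEPT",
        "-A INPUT -p tcp --dport 80 -j ACCEPT",
        "-A INPUT -p tcp --dport 443 -j ACCEPT",
    ]
    # SSH: either from anywhere (as in the post) or only from the admin networks.
    if ssh_nets is None:
        lines.append("-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT")
    else:
        for n in ssh_nets:
            lines.append(f"-A INPUT -p tcp -s {n} -m state --state NEW --dport 22 -j ACCEPT")
    # MySQL: never from 0.0.0.0/0; one rule per allowed network.
    for n in mysql_nets:
        lines.append(f"-A INPUT -p tcp -s {n} --dport 3306 -j ACCEPT")
    lines += [
        "-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT",
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7',
        "-A INPUT -j REJECT",
        "-A FORWARD -j REJECT",
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"


def exposes_port_to_world(rules_text, port):
    """Pre-load check: True if any ACCEPT for `port` has no -s source restriction."""
    for line in rules_text.splitlines():
        if f"--dport {port} " in line and "-j ACCEPT" in line and " -s " not in line:
            return True
    return False


if __name__ == "__main__":
    # Assumed allow-lists: an app-server subnet for MySQL, an admin VPN range for SSH.
    text = render_rules(["203.0.113.0/24"], ssh_sources=["198.51.100.0/24"])
    print(text)
    print("3306 open to the world:", exposes_port_to_world(text, 3306))
```

Run it, review the output, then load it with `sudo iptables-restore < file` as in the next step. `exposes_port_to_world` flags any ACCEPT line for a port that has no `-s` restriction, which is exactly the state of the 3306 line in the original file.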

Enable These Rules

$ sudo iptables-restore < /etc/iptables.my.rules

iptables-restore replaces the whole filter table, so running it again later, after fail2ban is up, discards the fail2ban-SSH chain and its bans; restart fail2ban after any manual reload.

Save These Rules

$ sudo iptables-save > /etc/iptables.up.rules

Do this before starting fail2ban, so the saved file does not contain the fail2ban-SSH chain and its temporary bans.

Auto Start After Boot

$ sudo vim /etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

Add file execution permission

$ sudo chmod +x /etc/network/if-pre-up.d/iptables

Install Fail2ban

$ sudo apt-get update
$ sudo apt-get install -y fail2ban

Copy A Jail Config file

$ cd /etc/fail2ban
$ sudo cp jail.conf jail.local

Change These Settings in jail.local

[DEFAULT]

### Count failures within a 600-second window
findtime = 600

### Ban after 2 failed logins. Note: the [ssh] section of jail.conf sets its
### own maxretry = 6, and a per-jail value overrides [DEFAULT]; put
### maxretry = 2 under [ssh] in jail.local too if 2 is what you want.
maxretry = 2

### Ban duration is in seconds. 36000000 is about 416 days, not 1 day;
### one day would be 86400.
bantime = 36000000

backend = polling
...
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
#action = %(action_)s

### This overrides the action for every jail and bans only port 22 (port=ssh);
### any other jail you enable later would need its own action line.
action = iptables[name=SSH, port=ssh, protocol=tcp]
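How findtime and maxretry interact, as an added example that is not fail2ban's own code: a sliding-window replay over constructed auth.log lines (RFC 5737 addresses; the year 2018 is assumed because syslog timestamps carry none). Running the same lines with maxretry = 2 and maxretry = 6 shows why the effective jail value matters: the fail2ban.log later in this post reports `Set maxRetry = 6`, because the `[ssh]` section of jail.conf carries its own `maxretry = 6` that overrides the `[DEFAULT]` value set here. The function names `parse_failures` and `decide_bans` belong to this example.

```python
"""Sliding-window ban decision in the style of fail2ban's findtime/maxretry.
Added example, not fail2ban's own code. SAMPLE_LOG is constructed (RFC 5737
addresses); the year is assumed because syslog lines carry none."""
import re
from collections import defaultdict
from datetime import datetime

# Same shape as the sshd lines in auth.log shown in the post.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample: one fast attacker, one slow attacker, one successful login.
SAMPLE_LOG = """\
Jan  1 01:20:49 app sshd[22438]: Failed password for root from 203.0.113.10 port 16421 ssh2
Jan  1 01:21:10 app sshd[22440]: Failed password for invalid user admin from 203.0.113.10 port 33773 ssh2
Jan  1 01:30:00 app sshd[22459]: Failed password for invalid user oracle from 198.51.100.7 port 53758 ssh2
Jan  1 01:50:00 app sshd[22461]: Failed password for invalid user oracle from 198.51.100.7 port 42785 ssh2
Jan  1 02:00:00 app sshd[22466]: Accepted publickey for deploy from 192.0.2.44 port 60876 ssh2
"""


def parse_failures(log_text, year=2018):
    """Return [(timestamp, ip)] for each 'Failed password' line; other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        out.append((ts, m.group("ip")))
    return out


def decide_bans(failures, findtime=600, maxretry=2):
    """Replay failures in time order; ban an IP the moment it has `maxretry`
    failures inside the trailing `findtime` seconds. Returns {ip: ban_time}."""
    window = defaultdict(list)
    banned = {}
    for ts, ip in sorted(failures):
        if ip in banned:
            continue  # already in the chain; later packets are rejected, not counted
        hits = [t for t in window[ip] if (ts - t).total_seconds() <= findtime]
        hits.append(ts)
        window[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for maxretry in (2, 6):
        bans = decide_bans(failures, findtime=600, maxretry=maxretry)
        print(f"maxretry={maxretry}: banned {sorted(bans) or 'nobody'}")
```

With maxretry = 2 the fast attacker is banned on its second failure; the slow attacker, whose two failures are 20 minutes apart, never has two inside one 600-second window and is missed unless findtime is raised. With the jail's effective maxretry = 6, neither sample host is banned at all.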

Start Fail2ban

$ sudo service fail2ban restart

Check the Log Output

$ sudo tail -f /var/log/fail2ban.log

2018-01-01 04:44:39,853 fail2ban.jail : INFO Creating new jail 'ssh'
2018-01-01 04:44:39,853 fail2ban.jail : INFO Jail 'ssh' uses poller
2018-01-01 04:44:39,868 fail2ban.jail : INFO Initiated 'polling' backend
2018-01-01 04:44:39,869 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2018-01-01 04:44:39,870 fail2ban.filter : INFO Set maxRetry = 6
2018-01-01 04:44:39,871 fail2ban.filter : INFO Set findtime = 600
2018-01-01 04:44:39,871 fail2ban.actions: INFO Set banTime = 36000000
2018-01-01 04:44:39,919 fail2ban.jail : INFO Jail 'ssh' started
2018-01-01 04:45:10,981 fail2ban.actions: WARNING [ssh] Ban 118.212.143.43
2018-01-01 04:52:52,562 fail2ban.actions: WARNING [ssh] Ban 220.191.194.22

Note `Set maxRetry = 6`: the jail took `maxretry = 6` from the `[ssh]` section of jail.conf, not the `2` set under `[DEFAULT]`, because a per-jail setting overrides the default. To really ban after 2 attempts, set `maxretry = 2` inside `[ssh]` in jail.local and restart. `Jail 'ssh' uses poller` confirms `backend = polling` took effect.

Check Result In iptables

$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8468 549K fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- !lo * 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
31873 13M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 140 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
498 33053 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
13 764 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
29 1740 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
1 84 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
376 114K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
1813 442K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
31767 20M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
pkts bytes target prot opt in out source destination
10 988 REJECT all -- * * 220.191.194.22 0.0.0.0/0 reject-with icmp-port-unreachable
369 22140 REJECT all -- * * 118.212.143.43 0.0.0.0/0 reject-with icmp-port-unreachable
8089 525K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

The `Chain fail2ban-SSH (1 references)` section shows fail2ban is working: it inserted its chain at the top of INPUT, so it is evaluated before the port-22 ACCEPT, and it has rejected two attacking IPs. Only traffic to port 22 is sent through that chain, matching `port=ssh` in the action; the MySQL port 3306 is not covered by it.
