[Linux-Biella] CentOS 7.5 ssh access hardening

Ioan Maxim (gmail) ioan.maxim78 a gmail.com
Sun 27 May 2018 21:04:55 CEST


Hello everyone.

I made some changes to fix the errors in fail2ban.log

2018-05-23 21:33:12,333 fail2ban.action    [1478]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: ''
2018-05-23 21:33:12,333 fail2ban.action    [1478]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: ''
2018-05-23 21:33:12,333 fail2ban.action    [1478]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
2018-05-23 21:33:12,333 fail2ban.CommandAction  [1478]: ERROR   Invariant check failed. Trying to restore a sane environment
2018-05-23 21:33:12,651 fail2ban.action    [1478]: ERROR   iptables -w -D f2b-sshd -s 58.218.198.168 -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2018-05-23 21:33:12,651 fail2ban.action    [1478]: ERROR   iptables -w -D f2b-sshd -s 58.218.198.168 -j REJECT --reject-with icmp-port-unreachable -- stderr: 'iptables: No chain/target/match by that name.\n'
2018-05-23 21:33:12,651 fail2ban.action    [1478]: ERROR   iptables -w -D f2b-sshd -s 58.218.198.168 -j REJECT --reject-with icmp-port-unreachable -- returned 1
2018-05-23 21:33:12,651 fail2ban.actions     [1478]: ERROR   Failed to 
execute unban jail 'sshd' action 'iptables-multiport' info '{'matches': 
'2018-05-23T20:49:30.795682vps59025 sshd[2543]: pam_unix(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=58.218.198.168 user=root2018-05-23T20:49:30.965821vps59025 
sshd[2541]: pam_unix(sshd:auth): authentication failure; logname= uid=0 
euid=0 tty=ssh ruser= rhost=58.218.198.168 
user=root2018-05-23T20:49:32.642905vps59025 sshd[2543]: Failed password 
for root from 58.218.198.168 port 54503 
ssh22018-05-23T20:49:32.813045vps59025 sshd[2541]: Failed password for 
root from 58.218.198.168 port 54491 
ssh22018-05-23T20:49:34.726678vps59025 sshd[2543]: Failed password for 
root from 58.218.198.168 port 54503 
ssh22018-05-23T20:49:35.371472vps59025 sshd[2541]: Failed password for 
root from 58.218.198.168 port 54491 
ssh22018-05-23T20:49:36.557326vps59025 sshd[2543]: Failed password for 
root from 58.218.198.168 port 54503 
ssh22018-05-23T20:49:37.199796vps59025 sshd[2541]: Failed password for 
root from 58.218.198.168 port 54491 
ssh22018-05-23T20:49:59.264486vps59025 sshd[2549]: pam_unix(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=58.218.198.168 user=root2018-05-23T20:49:59.270134vps59025 
sshd[2547]: pam_unix(sshd:auth): authentication failure; logname= uid=0 
euid=0 tty=ssh ruser= rhost=58.218.198.168 
user=root2018-05-23T20:50:01.427663vps59025 sshd[2549]: Failed password 
for root from 58.218.198.168 port 30919 
ssh22018-05-23T20:50:01.433254vps59025 sshd[2547]: Failed password for 
root from 58.218.198.168 port 30853 
ssh22018-05-23T20:50:03.840734vps59025 sshd[2547]: Failed password for 
root from 58.218.198.168 port 30853 
ssh22018-05-23T20:50:03.841797vps59025 sshd[2549]: Failed password for 
root from 58.218.198.168 port 30919 
ssh22018-05-23T20:50:06.651850vps59025 sshd[2547]: Failed password for 
root from 58.218.198.168 port 30853 
ssh22018-05-23T20:50:06.658040vps59025 sshd[2549]: Failed password for 
root from 58.218.198.168 port 30919 ssh2', 'ip': '58.218.198.168', 
'time': 1527110911.789388, 'failures': 16}': Error unbanning 58.218.198.168



The changes are in jail.local, which I reproduce below:

[DEFAULT]
bantime = 21600
findtime = 600
maxretry = 2

banaction = iptables-multiport

[sshd]
enabled = true

[Init]
lockingopt =
iptables = iptables


With these changes the errors in fail2ban.log disappear when I run the 
script provided by Daniele (thanks a lot again... it works like a 
charm).

On 23-May-18 23:59, ioan maxim wrote:
>
>
> 2018-05-23 20:54 GMT+02:00 <vallini.daniele a bilug.it>:
>
>
>     I'm passing you a small executable that gives you a basic firewall
>     service, also for port 22.
>
>     After every change you restart this executable and everything starts
>     over, revised and corrected.
>
>     After a while you can remove the old dropped IPs, because they
>     generally don't come back.
>
>     Good old Luca Savio, whom unfortunately we rarely see these days,
>     taught me this and set it up for me.
>
>
> it seems to work :)
> I put 3 IPs into the iptables rules
> iptables -I INPUT -s 58.218.198.168  -j DROP # block IP 58.218.198.168
> iptables -I INPUT -s 197.52.232.4  -j DROP # block IP 197.52.232.4
> iptables -I INPUT -s 124.127.156.238  -j DROP # block IP 124.127.156.238
>
>
> Before doing it with your script I had to struggle a bit... I had to 
> rebuild the whole VPS..
> tonight when I got home I found with lsof -i:
>
> sshd    3773   root    3u  IPv4  66980      0t0  TCP MYVPS.COM:ssh->58.218.198.168:18476 (ESTABLISHED)
> sshd    3774   sshd    3u  IPv4  66980      0t0  TCP MYVPS.COM:ssh->58.218.198.168:18476 (ESTABLISHED)
> sshd    3775   root    3u  IPv4  67002      0t0  TCP MYVPS.COM:ssh->58.218.198.168:18464 (ESTABLISHED)
> sshd    3776   sshd    3u  IPv4  67002      0t0  TCP MYVPS.COM:ssh->58.218.198.168:18464 (ESTABLISHED)
>
> He had managed to get in somehow, I don't know how.
> Now I've disabled password login; I only go in with the ssh key, and 
> not as root.
>
>
> Now the situation seems calmer...
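Added example (not code from this thread or from fail2ban itself): a Python replay of the sshd jail's sliding-window rule with the findtime/maxretry/bantime values quoted in the jail.local above, run over constructed sshd lines in the timestamp format the fail2ban dump shows (hosts in documentation address space). It shows why maxretry=2 bans on the second failure and how findtime bounds the window.

```python
"""Replay fail2ban's sshd jail rule over sample sshd log lines.

Added example; the jail values match the jail.local quoted in the
thread, the log lines are constructed and not taken from any real host.
"""
import re
from datetime import datetime, timedelta

FINDTIME = 600      # seconds, from jail.local in the post
MAXRETRY = 2
BANTIME = 21600

# Constructed sample lines (ISO timestamps as in the fail2ban 'matches' dump).
SAMPLE_LOG = """\
2018-05-23T20:49:32.642905 vps sshd[2543]: Failed password for root from 203.0.113.7 port 54503 ssh2
2018-05-23T20:49:34.726678 vps sshd[2543]: Failed password for root from 203.0.113.7 port 54503 ssh2
2018-05-23T20:49:36.557326 vps sshd[2543]: Failed password for root from 203.0.113.7 port 54503 ssh2
2018-05-23T21:10:00.000000 vps sshd[2600]: Failed password for admin from 198.51.100.9 port 40000 ssh2
2018-05-23T21:30:00.000000 vps sshd[2601]: Failed password for admin from 198.51.100.9 port 40001 ssh2
"""

FAIL_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for \S+ from (\S+) port \d+ ssh2$")


def parse(log):
    """Yield (timestamp, source host) for every 'Failed password' line."""
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)


def simulate(log, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Return {host: [ban timestamps]} using fail2ban's window semantics:
    a ban fires once at least maxretry failures fall within findtime seconds;
    failures arriving while the host is banned are ignored (iptables would
    have dropped that traffic), and the window is reset after each ban."""
    window, banned_until, bans = {}, {}, {}
    for ts, host in parse(log):
        if host in banned_until and ts < banned_until[host]:
            continue
        hits = [t for t in window.get(host, [])
                if ts - t <= timedelta(seconds=findtime)]
        hits.append(ts)
        window[host] = hits
        if len(hits) >= maxretry:
            bans.setdefault(host, []).append(ts)
            banned_until[host] = ts + timedelta(seconds=bantime)
            window[host] = []
    return bans
```

With the quoted values, 203.0.113.7 is banned on its second failure at 20:49:34 and its third attempt is ignored, while 198.51.100.9's two failures sit 1200 s apart and never meet the 600 s findtime.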



