A promise is a promise, so here I am to show you a fairly basic installation of OSSEC and Fail2ban. With these two programs I intend to harden an Apache server and SSH a bit.
OSSEC is a free, open source host-based intrusion detection system (IDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows. It has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed. It was written by Daniel B Cid and made public in 2004.
In summary: OSSEC is an intrusion detector that watches the integrity of our server through its logs and raises alerts, so it sends a signal every time a system file is modified, and so on.
Fail2ban is an application written in Python for preventing intrusions into a system. It works by penalising (blocking the connections of) sources that attempt brute-force access. It is distributed under the GNU license and typically works on any POSIX system that has a packet-filtering system or firewall it can talk to.
In short, Fail2ban "bans" or blocks connections that try, and fail, a certain number of times to log in to a service on our server.
We go to the official OSSEC page and download the Linux version.
Then we download the web UI (WUI), which is the graphical interface.
Now we are going to install everything.
# tar -xvf ossec-hids-2.7.tar.gz
# aptitude install build-essential
Now we install
# cd ossec-hids-2.7 && sudo ./install
Next, you will get a series of questions. Read very well and follow all the steps.
When compilation finishes, we check that it starts.
# /var/ossec/bin/ossec-control start
If everything went well, you will get something like.
If you get an error message like "OSSEC analysisd: Testing rules failed. Configuration error. Exiting.", we run the following to fix it.
# ln -s /var/ossec/bin/ossec-logtest /var/ossec/ossec-logtest
The graphical interface of OSSEC is served over the web. If you don't have Apache installed, we install it, along with PHP support.
# apt-get install apache2 apache2-doc apache2-utils
# apt-get install libapache2-mod-php5 php5 php-pear php5-xcache
# apt-get install php5-suhosin
# tar -xvf ossec-wui-0.3.tar.gz
Now as ROOT we move the folder.
# mv ossec-wui-0.3 /var/www/ossec
Now we install.
# cd /var/www/ossec/ && ./setup.sh
It will ask us for a username and a password (the user does not have to exist on your PC; it is only for logging in to the web interface). Now we are going to do the following.
We edit the file /etc/group
and where does it say
We leave it like this:
Now we do the following (inside the folder /var/www/ossec):
# chmod 770 tmp/
# chgrp www-data tmp/
# /etc/init.d/apache2 restart
Now we open our OSSEC: in the browser we go to "localhost/ossec".
Now we can see what happens on our server through logs.
WE INSTALL FAIL2BAN
Fail2ban is in repositories. Therefore it is easy to install.
# apt-get install fail2ban
We open /etc/fail2ban/jail.conf, press CTRL-W (search in nano) and type ssh.
Something like this will appear:
This enables Fail2ban for SSH. (If you have changed the SSH port, replace it.) In the same way we can enable it for FTP, Apache and a multitude of services. Now we are going to make it send us an email when it sees that someone is trying to get in. In /etc/fail2ban/jail.conf we add:
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=firstname.lastname@example.org, sender=fail2ban@mail.com]
logpath  = /var/log/sshd.log
maxretry = 5
Now we restart the service.
# service fail2ban restart
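What the `sshd` filter and `maxretry = 5` above actually do is worth seeing in code. The following is an added example, my own simplified re-implementation of the jail logic and not Fail2ban's own code: it matches "Failed password" lines from sshd, counts failures per source address inside a sliding `findtime` window (Fail2ban's default is 10 minutes) and reports the addresses that reached `maxretry`. The log lines are constructed for the demo, the regex is a simplified version of the real sshd filter, and syslog timestamps carry no year, so one is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified version of the sshd "Failed password" pattern (constructed here).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample of /var/log/auth.log-style lines (addresses are RFC 5737 test ranges).
SAMPLE_LOG = """\
Jun 12 12:00:01 server sshd[2210]: Failed password for root from 203.0.113.7 port 51111 ssh2
Jun 12 12:00:03 server sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Jun 12 12:00:05 server sshd[2212]: Failed password for root from 203.0.113.7 port 51113 ssh2
Jun 12 12:00:07 server sshd[2213]: Failed password for root from 203.0.113.7 port 51114 ssh2
Jun 12 12:00:09 server sshd[2214]: Failed password for root from 203.0.113.7 port 51115 ssh2
Jun 12 12:00:30 server sshd[2215]: Accepted password for alice from 192.0.2.10 port 40000 ssh2
Jun 12 12:00:00 server sshd[2216]: Failed password for alice from 198.51.100.5 port 42000 ssh2
Jun 12 12:03:00 server sshd[2217]: Failed password for alice from 198.51.100.5 port 42001 ssh2
Jun 12 12:06:00 server sshd[2218]: Failed password for alice from 198.51.100.5 port 42002 ssh2
Jun 12 12:09:00 server sshd[2219]: Failed password for alice from 198.51.100.5 port 42003 ssh2
Jun 12 12:12:00 server sshd[2220]: Failed password for alice from 198.51.100.5 port 42004 ssh2
"""


def parse_ts(ts, year=2013):
    """Syslog timestamps have no year; assume one (an assumption of this demo)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(lines, maxretry=5, findtime_seconds=600):
    """Return {host: time_of_ban} for hosts with >= maxretry failures inside findtime.

    Mirrors the jail semantics: only failures within `findtime` of the newest
    one count, so slow attempts spread over a longer period do not add up.
    """
    findtime = timedelta(seconds=findtime_seconds)
    failures = defaultdict(list)
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        host = m.group("host")
        if host in bans:
            continue  # already banned; iptables would be dropping it now
        t = parse_ts(m.group("ts"))
        failures[host].append(t)
        failures[host] = [x for x in failures[host] if t - x <= findtime]
        if len(failures[host]) >= maxretry:
            bans[host] = t
    return bans


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

With the defaults, 203.0.113.7 is banned on its fifth failure at 12:00:09, while 198.51.100.5 is not: its five failures span twelve minutes, so only four of them ever sit inside the ten-minute window. Raising `findtime` to fifteen minutes would catch that slower pattern too, which is the trade-off you tune in jail.conf.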
As we can see in the two log excerpts above, it shows me that someone has in fact tried to log in through sshd with failed passwords.
It tells me the source IP and blocks it. 🙂