Install Fail2Ban using UFW and Custom ssh port Ubuntu

Problem

Noticed automated ssh brute-force login attempts in the auth log file on a server:

Jun 22 12:49:55 Whiscardz sshd[29114]: Received disconnect from 18.2.17.3 port 47636:11: Normal Shutdown, Thank you for playing [preauth]

Solution

Fail2ban attempts to alleviate these issues by providing an automated way of not only identifying possible break-in attempts, but acting upon them quickly and easily in a user-definable manner.

Fail2ban scans log files and detects patterns which correspond to possible break-in attempts and then performs actions such as adding a new rule in a firewall chain and sending an e-mail notification to the system administrator.

Installation and Configuration

  • Install fail2ban:
imela@whiscardz:~$ sudo apt update
imela@whiscardz:~$ sudo apt install fail2ban
  • Enable the ufw firewall that ships with most Ubuntu releases. This is what fail2ban will use to block the IPs it flags:
imela@whiscardz:~$ sudo ufw default deny incoming
imela@whiscardz:~$ sudo ufw default allow outgoing
imela@whiscardz:~$ sudo ufw allow ssh
imela@whiscardz:~$ sudo ufw allow 3322
imela@whiscardz:~$ sudo ufw enable
Firewall is active and enabled on system startup
imela@whiscardz:~$ sudo ufw status verbose
Status: active
  • If you use ssh on a custom port, create a ufw app profile for it:
imela@whiscardz:~$ sudo vim /etc/ufw/applications.d/openssh-server

[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp

[OpenSSH-3322]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=3322/tcp

imela@whiscardz:~$ sudo ufw app list
[sudo] password for imela:
Available applications:
  OpenSSH
  OpenSSH-3322
  • Customize the sshd jail. Jail definitions belong in /etc/fail2ban/jail.local (or a file under /etc/fail2ban/jail.d/); fail2ban.local only holds daemon settings such as log level and socket path, so a [sshd] section placed there is ignored:
imela@whiscardz:~$ sudo vim /etc/fail2ban/jail.local

[sshd]
port = 3322
action = ufw[application="OpenSSH-3322", blocktype=reject]
logpath = %(sshd_log)s
backend = %(sshd_backend)s
  • Note that the “action” line passes the “application” parameter, which must match the name of the app profile created earlier. Reload fail2ban so that it picks up the new jail configuration:
sudo fail2ban-client reload
  • Now you can test the jail: try logging in to the box with invalid credentials a couple of times, then check the jail status:
imela@whiscardz:~$ sudo fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     10
    |  `- File list:        /var/log/auth.log
    `- Actions
       |- Currently banned: 1
       |- Total banned:     2
       `- Banned IP list:   14.24.xxx.yyy
  • Check whether the ufw rule has been added:
imela@whiscardz:~$ sudo ufw status
    To                         Action      From
    --                         ------      ----
    3222/tcp (OpenSSH-3222)    REJECT IN   14.24.xxx.yyy
    3222                       ALLOW IN    Anywhere
    8443                       ALLOW IN    Anywhere
    3222 (v6)                  ALLOW IN    Anywhere (v6)
    8443 (v6)                  ALLOW IN    Anywhere (v6)
  • The setup results in fail2ban inserting a ufw rule that rejects the banned address on every port listed in that particular app profile.
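As an added example (not part of the original post), this POSIX sh script generates the ufw app profile and the [sshd] jail stanza for a chosen port and then checks that the port agrees in the three places it appears, which is the kind of slip (3222 versus 3322) that leaves a ban rule pointing at the wrong port. It writes to a temporary directory rather than /etc, and the "enabled = true" line is an addition of mine, not from the post.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: generate the ufw app profile
# and the [sshd] jail stanza for a custom sshd port, then check that the
# port agrees in the three places it appears (profile ports=, jail port=,
# action application=), so the rule ufw inserts covers the port sshd uses.
# Output goes to a temp dir, not /etc; copy the files into place by hand.
PORT="${1:-3322}"
WORK="$(mktemp -d)"

# Emit a ufw application profile in /etc/ufw/applications.d format.
gen_ufw_profile() {   # $1 = port
    printf '[OpenSSH-%s]\ntitle=Secure shell server, an rshd replacement\n' "$1"
    printf 'description=OpenSSH is a free implementation of the Secure Shell protocol.\n'
    printf 'ports=%s/tcp\n' "$1"
}

# Emit the jail stanza for /etc/fail2ban/jail.local. "enabled = true" is
# added here; Ubuntu's jail.d/defaults-debian.conf already enables sshd.
gen_sshd_jail() {     # $1 = port
    printf '[sshd]\nenabled = true\nport = %s\n' "$1"
    printf 'action = ufw[application="OpenSSH-%s", blocktype=reject]\n' "$1"
    printf 'logpath = %%(sshd_log)s\nbackend = %%(sshd_backend)s\n'
}

# Return 0 only if profile file $1 and jail file $2 agree on the port; the
# three values are printed so a slip such as 3222 vs 3322 is visible.
check_port_consistency() {
    prof_port=$(sed -n 's#^ports=\([0-9]*\)/tcp$#\1#p' "$1")
    jail_port=$(sed -n 's#^port = \([0-9]*\)$#\1#p' "$2")
    app_port=$(sed -n 's#^action = ufw\[application="OpenSSH-\([0-9]*\)".*#\1#p' "$2")
    echo "profile=$prof_port jail=$jail_port action=$app_port"
    [ -n "$prof_port" ] && [ "$prof_port" = "$jail_port" ] && [ "$prof_port" = "$app_port" ]
}

gen_ufw_profile "$PORT" > "$WORK/openssh-server"
gen_sshd_jail "$PORT" > "$WORK/jail.local"
check_port_consistency "$WORK/openssh-server" "$WORK/jail.local"
```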


WARN: Duplicate profile ‘Apache’, using last found (ufw)

Problem

When I run any ufw command on the terminal, I get the following error:

imela@whiscardz:~$ sudo ufw status verbose
WARN: Duplicate profile 'Apache', using last found
WARN: Duplicate profile 'Apache Secure', using last found
WARN: Duplicate profile 'Apache Full', using last found
Status: inactive

Solution

Check the following location; there are two Apache profile files with identical content, so every profile is defined twice:

root@whiscardz:~/ufw/2020-07-17# less /etc/ufw/applications.d/apache2.2-common 
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp
root@whiscardz:~/ufw/2020-07-17# less /etc/ufw/applications.d/apache2-utils.ufw.profile 
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp

Move one of the files out of /etc/ufw/applications.d (here into the current working directory) and re-run the ufw command; the warnings are gone:

root@whiscardz:~/ufw/2020-07-17# mv /etc/ufw/applications.d/apache2.2-common .
root@whiscardz:~/ufw/2020-07-17# ufw status verbose
Status: inactive


Firewalld – RHEL 7 & CentOS 7

There are a couple of excellent articles on FirewallD and I’ll attribute them as follows. Remember to check out the comments sections where available since there are some insightful contributions:

Resources

How To Set Up a Firewall Using FirewallD on CentOS 7

A few ways to configure Linux firewalld

RHEL7: How to get started with Firewalld.

What Is FirewallD and How It Works (firewall-cmd)

Firewalld configuration and usage

centos 7 – open firewall port

How to open a port in the firewall on CentOS or RHEL

Snippets

Below are some of the neat things I gleaned from the above resources:

Firewalld is the default firewall on a CentOS minimal install and it is managed with the firewall-cmd administrative tool.

The Firewalld daemon encapsulates groups of rules into what are termed zones. These rules dictate what traffic should be allowed depending on the level of “trust” in the network your computer is connected to.

Zones are activated by adding network interfaces to them. The default zone after a CentOS minimal install is the public zone. Here you’ll find a nice description of the different zones. Remember to check which zones are active and then add rules (e.g. enabling ports) to those, instead of blindly opening ports in all the zones.

To allow traffic between network interfaces, remember to enable IP forwarding.

Interfaces will always revert to the default zone if they do not have an alternative zone defined within their configuration. On CentOS, these configurations are defined within the /etc/sysconfig/network-scripts directory with files of the format ifcfg-interface. To define a zone for the interface, open up the file associated with the interface you’d like to modify.

In case you’d rather switch back to iptables, follow the instructions here.

NOTE: Firewalld relies on NetworkManager. This means that if you plan to stop NetworkManager for any reason (for example when building a KVM host), you will have to stop Firewalld and use Iptables instead!

Masquerading: If your firewall is your network gateway and you don’t want everybody to know your internal addresses, you can set up two zones, one called internal, the other external, and configure masquerading on the external zone. This way, all outgoing packets will carry your firewall’s IP address as their source address.

Services: There are a few basic building blocks in the zones; services are the most important. Firewalld uses its own set of services that are configured using XML files in the directories /usr/lib/firewalld/services (for the system default services) and /etc/firewalld/services (for services that you, the administrator, create). If the same service is found in both locations, the definition in /etc/firewalld/services takes precedence.

The firewall-cmd command is one of many methods to configure firewalld. Alternatively, you can edit the zone configuration file directly. This doesn’t give you any feedback on wrong syntax, but it’s a clean and straightforward configuration file that is easy to modify and distribute across multiple servers.
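As an added example (not from the cited articles), this POSIX sh script writes a firewalld service definition in the XML form firewalld reads and demonstrates the /etc-over-/usr/lib precedence described above by resolving a service name that exists in both directories. It works on a constructed tree under a temporary directory, so the directory layout, the override of the stock ssh service to port 3322, and the https service are all assumptions for the demonstration.

```shell
#!/usr/bin/env sh
# Added example, not from the cited articles: write a firewalld service
# definition in the XML form firewalld uses, and resolve which copy wins
# when the same service name exists in both the system directory and the
# administrator's directory. A constructed tree under a temp dir stands in
# for /usr/lib/firewalld and /etc/firewalld; nothing touches the real ones.
ROOT="$(mktemp -d)"
mkdir -p "$ROOT/usr/lib/firewalld/services" "$ROOT/etc/firewalld/services"

# Emit a service definition: <service> with <short>, <description> and one
# <port protocol=".." port=".."/> element per opened port.
gen_service_xml() {   # $1 = service name, $2 = port, $3 = protocol
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$1" "$1 on $2/$3"
    printf '  <port protocol="%s" port="%s"/>\n</service>\n' "$3" "$2"
}

# Print the path firewalld would load for service $2 under root prefix $1:
# /etc/firewalld/services is consulted before /usr/lib/firewalld/services.
resolve_service() {
    for dir in "$1/etc/firewalld/services" "$1/usr/lib/firewalld/services"; do
        if [ -f "$dir/$2.xml" ]; then echo "$dir/$2.xml"; return 0; fi
    done
    echo "no definition found for service '$2'" >&2
    return 1
}

# Print the tcp port opened by a service definition file ($1).
service_tcp_port() {
    sed -n 's/.*<port protocol="tcp" port="\([0-9]*\)".*/\1/p' "$1"
}

# Constructed scenario: stock ssh on 22 in the system dir, an administrator's
# override of ssh on 3322 in /etc, and https present only in the system dir.
gen_service_xml ssh 22 tcp    > "$ROOT/usr/lib/firewalld/services/ssh.xml"
gen_service_xml ssh 3322 tcp  > "$ROOT/etc/firewalld/services/ssh.xml"
gen_service_xml https 443 tcp > "$ROOT/usr/lib/firewalld/services/https.xml"

service_tcp_port "$(resolve_service "$ROOT" ssh)"     # prints 3322: /etc wins
service_tcp_port "$(resolve_service "$ROOT" https)"   # prints 443: /usr/lib
```

On a real host the override file would be placed in /etc/firewalld/services and loaded with firewall-cmd --reload.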