Thursday, January 14, 2016

[Quick Tips = Fail2Ban]: Fail2Ban Howto: Block IP Address Using Fail2ban and IPTables


Fail2ban scans log files for various services (SSH, FTP, SMTP, Apache, etc.) and bans the IP addresses that produce too many password failures. It also updates the firewall rules to reject those IP addresses.
Fail2ban is an intrusion prevention framework written in the Python programming language.
The main purpose of Fail2ban is to prevent brute-force login attacks.
Also, refer to our earlier article on Tripwire (Linux host based intrusion detection system).

Install Fail2ban

To install fail2ban from source, download it from sourceforge.
Use apt-get to install Fail2ban on a Debian-based system as shown below.
# apt-get install fail2ban
You can also install Fail2ban manually by downloading the fail2ban deb package.
# dpkg -i fail2ban_0.8.1-1_all.deb

How to configure fail2ban

All Fail2ban configuration files are located under the /etc/fail2ban directory.

/etc/fail2ban/fail2ban.conf

Main purpose of this file is to configure fail2ban log related directives.
  • loglevel: Set the log level output.
  • logtarget: Specify the log file path.
Actions taken by the Fail2ban are logged in the /var/log/fail2ban.log file. You can change the verbosity in the conf file to one of: 1 – ERROR, 2 – WARN, 3 – INFO or 4 – DEBUG.

/etc/fail2ban/jail.conf

jail.conf file contains the declaration of the service configurations. This configuration file is broken up into different contexts. The DEFAULT settings apply to all sections.
The following DEFAULT section of jail.conf says that after five failed access attempts from a single IP address within 600 seconds or 10 minutes (findtime), that address will be automatically blocked for 600 seconds (bantime).
[DEFAULT]
ignoreip = 127.0.0.1
maxretry = 5
findtime = 600
bantime = 600
  • ignoreip: A space-separated list of IP addresses that will never be blocked by fail2ban.
  • maxretry: Maximum number of failed login attempts before a host is blocked by fail2ban.
  • findtime: Time window in seconds within which the maxretry failures must occur (600 seconds = 10 minutes).
  • bantime: Time in seconds that a host stays blocked once it has been caught by fail2ban (600 seconds = 10 minutes).

Service Configurations

By default, some services are inserted as templates. Following is an example of the ssh services section.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath  = /var/log/auth.log
action = iptables
  • enabled: Enable fail2ban checking for the ssh service.
  • port: Service port (as named in the /etc/services file).
  • filter: Name of the filter used by the service to detect matches. This name corresponds to a file name in /etc/fail2ban/filter.d/ without the .conf extension. For example, 'filter = sshd' refers to /etc/fail2ban/filter.d/sshd.conf.
  • logpath: The log file that fail2ban checks for failed login attempts.
  • action: Tells fail2ban which action to take once a filter matches. This name corresponds to a file name in /etc/fail2ban/action.d/ without the .conf extension. For example, 'action = iptables' refers to /etc/fail2ban/action.d/iptables.conf.
Fail2ban will monitor the /var/log/auth.log file for failed access attempts, and if it finds repeated failed ssh login attempts from the same IP address or host, fail2ban stops further login attempts from that IP address/host by blocking it with fail2ban iptables firewall rule.

Fail2ban Filters

The directory /etc/fail2ban/filter.d contains regular expressions that are used to detect break-in attempts, password failures, etc., for various services.
For example:
  • sshd.conf – Fail2ban ssh related filters
  • apache-auth.conf – Fail2ban apache service filters
We can also add our own regular expression to find unwanted action.
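To make the [DEFAULT] jail settings above and the filter convention concrete, here is an added Python example; it is not part of the original article and not Fail2ban's own code. It replays constructed /var/log/auth.log lines through a simplified sshd failregex (written with the `<HOST>` placeholder that filter.d files use) and applies maxretry, findtime, bantime and ignoreip exactly as configured in the article. The regex, host names, PIDs and IP addresses are all constructed for the example.

```python
import re
from datetime import datetime

# Jail settings copied from the [DEFAULT] section shown in the article.
MAXRETRY = 5
FINDTIME = 600   # seconds
BANTIME = 600    # seconds
IGNOREIP = {"127.0.0.1"}

# Filter files write the line pattern with a <HOST> placeholder and Fail2ban
# substitutes its own host-matching regex. This pattern is a simplified
# "Failed password" rule assumed for the example, not a copy of filter.d/sshd.conf.
FAILREGEX = r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+"

# Constructed sample log: one fast burst from 203.0.113.5 (should be banned),
# failures from 127.0.0.1 (covered by ignoreip), and failures from 198.51.100.9
# spread more than findtime apart (never 5 inside one window).
SAMPLE_LOG = """\
Jan 14 10:00:01 dev-db sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jan 14 10:00:05 dev-db sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Jan 14 10:00:09 dev-db sshd[2103]: Accepted publickey for ramesh from 192.168.1.20 port 51000 ssh2
Jan 14 10:00:12 dev-db sshd[2104]: Failed password for root from 203.0.113.5 port 40141 ssh2
Jan 14 10:00:20 dev-db sshd[2105]: Failed password for root from 203.0.113.5 port 40150 ssh2
Jan 14 10:00:31 dev-db sshd[2106]: Failed password for root from 203.0.113.5 port 40162 ssh2
Jan 14 10:01:00 dev-db sshd[2107]: Failed password for root from 127.0.0.1 port 40170 ssh2
Jan 14 10:01:02 dev-db sshd[2108]: Failed password for root from 127.0.0.1 port 40171 ssh2
Jan 14 10:01:04 dev-db sshd[2109]: Failed password for root from 127.0.0.1 port 40172 ssh2
Jan 14 10:01:06 dev-db sshd[2110]: Failed password for root from 127.0.0.1 port 40173 ssh2
Jan 14 10:01:08 dev-db sshd[2111]: Failed password for root from 127.0.0.1 port 40174 ssh2
Jan 14 10:10:00 dev-db sshd[2120]: Failed password for root from 198.51.100.9 port 41000 ssh2
Jan 14 10:15:30 dev-db sshd[2121]: Failed password for root from 198.51.100.9 port 41001 ssh2
Jan 14 10:21:00 dev-db sshd[2122]: Failed password for root from 198.51.100.9 port 41002 ssh2
Jan 14 10:26:30 dev-db sshd[2123]: Failed password for root from 198.51.100.9 port 41003 ssh2
Jan 14 10:32:00 dev-db sshd[2124]: Failed password for root from 198.51.100.9 port 41004 ssh2
"""


def compile_failregex(pattern):
    """Expand <HOST> into a named group for dotted IPv4 addresses (IPv6 left out here)."""
    host_re = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    return re.compile(pattern.replace("<HOST>", host_re))


def parse_time(line, year=2016):
    """syslog timestamps carry no year; the article dates from January 2016."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def scan(log_text, pattern=FAILREGEX, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Return {host: time_of_ban} for every host the jail would ban."""
    rx = compile_failregex(pattern)
    recent = {}   # host -> failure times still inside the findtime window
    bans = {}
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue                      # line does not match the filter
        host = m.group("host")
        if host in ignoreip:
            continue                      # whitelisted, never counted
        t = parse_time(line)
        window = [x for x in recent.get(host, []) if (t - x).total_seconds() <= findtime]
        window.append(t)
        recent[host] = window
        if len(window) >= maxretry and host not in bans:
            bans[host] = t                # maxretry failures inside findtime: ban
    return bans


def is_banned(bans, host, at, bantime=BANTIME):
    """True while the ban is in force; the action unbans after bantime seconds."""
    start = bans.get(host)
    return start is not None and (at - start).total_seconds() < bantime


if __name__ == "__main__":
    for host, when in scan(SAMPLE_LOG).items():
        print(f"ban {host} at {when} (expires {when.timestamp() + BANTIME:.0f})")
```

When writing a real filter, test it against a real log before enabling the jail with the bundled `fail2ban-regex` tool, for example `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`, which reports how many lines each failregex matched.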

Fail2ban Actions

The directory /etc/fail2ban/action.d contains different scripts defining actions which will execute once a filter matches. Only one filter is allowed per service, but it is possible to specify several actions, on separate lines.
For example:
  • iptables.conf – block and unblock an IP address
  • mail.conf – send mail to the configured user

Start/Stop Fail2ban Service

After making configuration changes stop and start the Fail2ban daemon as shown below.
# /etc/init.d/fail2ban stop

# /etc/init.d/fail2ban start

[Quick Tips = Netstat]: 10 Netstat Command Examples

The netstat command displays various network-related information such as network connections, routing tables, interface statistics, masquerade connections and multicast memberships.
In this article, let us review 10 practical netstat command examples.

1. List All Ports (both listening and non listening ports)

List all ports using netstat -a

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
udp        0      0 *:bootpc                *:*                                

Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     6135     /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     5140     /var/run/acpid.socket

List all tcp ports using netstat -at

# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

List all udp ports using netstat -au

# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:bootpc                *:*
udp        0      0 *:49119                 *:*
udp        0      0 *:mdns                  *:*

2. List Sockets which are in Listening State

List only listening ports using netstat -l

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN
udp        0      0 *:49119                 *:*

List only listening TCP Ports using netstat -lt

# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

List only listening UDP Ports using netstat -lu

# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:49119                 *:*
udp        0      0 *:mdns                  *:*

List only the listening UNIX Ports using netstat -lx

# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     6294     private/maildrop
unix  2      [ ACC ]     STREAM     LISTENING     6203     public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     6302     private/ifmail
unix  2      [ ACC ]     STREAM     LISTENING     6306     private/bsmtp

3. Show the statistics for each protocol

Show statistics for all ports using netstat -s

# netstat -s
Ip:
    11150 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    11149 incoming packets delivered
    11635 requests sent out
Icmp:
    0 ICMP messages received
    0 input ICMP message failed.
Tcp:
    582 active connections openings
    2 failed connection attempts
    25 connection resets received
Udp:
    1183 packets received
    4 packets to unknown port received.
.....

Show statistics for TCP or UDP ports only using netstat -st or netstat -su

# netstat -st

# netstat -su

4. Display PID and program names in netstat output using netstat -p

netstat -p option can be combined with any other netstat option. This will add the “PID/Program Name” to the netstat output. This is very useful while debugging to identify which program is running on a particular port.
# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        1      0 ramesh-laptop.loc:47212 192.168.185.75:www        CLOSE_WAIT  2109/firefox
tcp        0      0 ramesh-laptop.loc:52750 lax:www ESTABLISHED 2109/firefox

5. Don’t resolve host, port and user name in netstat output

When you don’t want the name of the host, port or user to be displayed, use netstat -n option. This will display in numbers, instead of resolving the host name, port name, user name.
This also speeds up the output, as netstat is not performing any look-up.
# netstat -an
If you want to suppress resolution of only one of those three items (ports, hosts or users), use the following commands.
# netstat -a --numeric-ports

# netstat -a --numeric-hosts

# netstat -a --numeric-users

6. Print netstat information continuously

With the -c option, netstat prints its information continuously, refreshing every few seconds until interrupted.
# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 ramesh-laptop.loc:36130 101-101-181-225.ama:www ESTABLISHED
tcp        1      1 ramesh-laptop.loc:52564 101.11.169.230:www      CLOSING
tcp        0      0 ramesh-laptop.loc:43758 server-101-101-43-2:www ESTABLISHED
tcp        1      1 ramesh-laptop.loc:42367 101.101.34.101:www      CLOSING
^C

7. Find the unsupported address families on your system

# netstat --verbose
At the end of the output, you will see something like this.
 netstat: no support for `AF IPX' on this system.
 netstat: no support for `AF AX25' on this system.
 netstat: no support for `AF X25' on this system.
 netstat: no support for `AF NETROM' on this system.

8. Display the kernel routing information using netstat -r

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth2
link-local      *               255.255.0.0     U         0 0          0 eth2
default         192.168.1.1     0.0.0.0         UG        0 0          0 eth2
Note: Use netstat -rn to display routes in numeric format without resolving for host-names.

9. Find out on which port a program is running

# netstat -ap | grep ssh
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        1      0 dev-db:ssh           101.174.100.22:39213        CLOSE_WAIT  -
tcp        1      0 dev-db:ssh           101.174.100.22:57643        CLOSE_WAIT  -
Find out which process is using a particular port:
# netstat -an | grep ':80'
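Note that `grep ':80'` matches any local or foreign address whose port text contains ':80', so it also hits 8000 or 8080. As an added example, not from the original article, the following Python parses numeric `netstat -tlnp` output (sections 2, 4 and 5 combined; a constructed sample is embedded so it runs offline) and reports which listening TCP services are reachable from other hosts as opposed to bound only to loopback, plus an exact port lookup. The processes, PIDs and addresses in the sample are constructed.

```python
# Constructed sample of `netstat -tlnp` output. "-" in the last column is what
# netstat prints for sockets owned by another user when you are not root
# (the warning in section 9).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1203/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1450/master
tcp        0      0 127.0.0.1:30037         0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.1.10:3306       0.0.0.0:*               LISTEN      1602/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      2210/apache2
tcp6       0      0 ::1:631                 :::*                    LISTEN      1203/cupsd
"""

WILDCARD = {"0.0.0.0", "::"}   # bound to every interface


def parse_listeners(text):
    """Parse the LISTEN rows of netstat -tlnp output into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue                       # headers, UDP, non-listening sockets
        addr, port = parts[3].rsplit(":", 1)   # rsplit: IPv6 addresses contain ':'
        pidprog = parts[6] if len(parts) > 6 else "-"
        pid, _, prog = pidprog.partition("/")
        if addr in WILDCARD:
            scope = "all"
        elif addr == "::1" or addr.startswith("127."):
            scope = "loopback"
        else:
            scope = "interface"            # a specific non-loopback address
        rows.append({
            "proto": parts[0], "addr": addr, "port": int(port), "scope": scope,
            "pid": None if pid == "-" else int(pid), "program": prog or None,
        })
    return rows


def exposed_listeners(text):
    """(port, program) for every listener reachable from other hosts."""
    return sorted((r["port"], r["program"] or "unknown")
                  for r in parse_listeners(text) if r["scope"] != "loopback")


def find_port(text, port):
    """Exact port match, unlike grep ':80' which also matches :8000 and :8080."""
    return [r for r in parse_listeners(text) if r["port"] == port]


if __name__ == "__main__":
    for port, prog in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{port:>5}  {prog}")
```

On a live host feed it the real output with `netstat -tlnp` run as root, otherwise the program column is `-` for sockets owned by other users and the report cannot name them.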

10. Show the list of network interfaces

# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
eth2       1500 0     26196      0      0 0         26883      6      0      0 BMRU
lo        16436 0         4      0      0 0             4      0      0      0 LRU
Display extended information on the interfaces (similar to ifconfig) using netstat -ie:
# netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:10:40:11:11:11
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:f6ae0000-f6b00000

[Quick Tips = User n Groups]: 5 Steps to Setup User and Group Disk Quota on UNIX / Linux


On Linux, you can set up disk quota using one of the following methods:
  • Filesystem-based disk quota allocation
  • User- or group-based disk quota allocation

For user- or group-based quota, the following three factors are important:
  • Hard limit – For example, if you specify 2GB as the hard limit, the user will not be able to create new files after 2GB.
  • Soft limit – For example, if you specify 1GB as the soft limit, the user will get the warning message “disk quota exceeded” once they reach the 1GB limit, but they will still be able to create new files until they reach the hard limit.
  • Grace Period – For example, if you specify 10 days as the grace period, after users reach their hard limit they are allowed an additional 10 days to create new files; in that period they should try to get back under the quota limit.

1. Enable quota check on filesystem

First, you should specify which filesystems have quota checking enabled.
Modify /etc/fstab and add the keywords usrquota and grpquota to the mount options of the filesystem you would like to monitor.
The following example shows both user and group quota checking enabled on the /home filesystem.
# cat /etc/fstab
LABEL=/home    /home   ext2   defaults,usrquota,grpquota  1 2
Reboot the server after the above change.

2. Initial quota check on Linux filesystem using quotacheck

Once you’ve enabled disk quota check on the filesystem, collect all quota information initially as shown below.
# quotacheck -avug
quotacheck: Scanning /dev/sda3 [/home] done
quotacheck: Checked 5182 directories and 31566 files
quotacheck: Old file not found.
quotacheck: Old file not found.
In the above command:
  • a: Check all quota-enabled filesystem
  • v: Verbose mode
  • u: Check for user disk quota
  • g: Check for group disk quota
The above command creates the aquota.user and aquota.group files in the root directory of the filesystem, as shown below.
# ls -l /home/

-rw-------    1 root     root        11264 Jun 21 14:49 aquota.user
-rw-------    1 root     root        11264 Jun 21 14:49 aquota.group

3. Assign disk quota to a user using edquota command

Use the edquota command as shown below, to edit the quota information for a specific user.
For example, to change the disk quota for user ‘ramesh’, use edquota command, which will open the soft, hard limit values in an editor as shown below.
# edquota ramesh

Disk quotas for user ramesh (uid 500):
  Filesystem           blocks       soft       hard     inodes     soft     hard
  /dev/sda3           1419352          0          0       1686        0        0
Once the edquota command opens the quota settings for the specific user in an editor, you can set the following limits:
  • soft and hard limit for disk quota size for the particular user.
  • soft and hard limit for the total number of inodes that are allowed for the particular user.

4. Report the disk quota usage for users and group using repquota

Use the repquota command as shown below to report the disk quota usage for the users and groups.
# repquota /home
*** Report for user quotas on device /dev/sda3
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  566488       0       0           5401     0     0
nobody    --    1448       0       0             30     0     0
ramesh    -- 1419352       0       0           1686     0     0
john      --   26604       0       0            172     0     0

5. Add quotacheck to daily cron job

Add quotacheck to the daily cron jobs. Create a quotacheck file under the /etc/cron.daily directory as shown below; it will run the quotacheck command every day and send its output to the root email address.
# cat /etc/cron.daily/quotacheck
quotacheck -avug
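The repquota report from step 4 is the natural input for a daily check alongside the cron job in step 5. As an added example, not from the article, the following Python parses repquota's row format, including the two-character status column (first flag for blocks, second for inodes; '+' means that soft limit is exceeded and a grace value follows that limit group) and lists users over their soft limit or at their hard limit. The rows, users and limits are constructed; the article's own report shows no limits set.

```python
# Constructed repquota /home output. root and ramesh are under their limits,
# john is over his block soft limit with grace running, bob has reached his
# block hard limit (grace shown as "none" once it has run out), and alice is
# over her inode soft limit.
SAMPLE_REPQUOTA = """\
*** Report for user quotas on device /dev/sda3
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  566488       0       0           5401     0     0
ramesh    -- 1419352 2097152 3145728           1686     0     0
john      +- 1200000 1048576 2097152  6days     172     0     0
bob       +- 2097152 1048576 2097152   none     100     0     0
alice     -+   26604 1048576 2097152          5200  5000  6000  3days
"""


def parse_repquota(text):
    """Parse repquota rows (after the dashed separator) into per-user dicts."""
    users = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        t = line.split()
        name, status = t[0], t[1]
        i = 2
        blocks = {"used": int(t[i]), "soft": int(t[i + 1]), "hard": int(t[i + 2])}
        i += 3
        blocks["grace"] = None
        if status[0] == "+":               # block soft limit exceeded: grace column present
            blocks["grace"] = t[i]
            i += 1
        inodes = {"used": int(t[i]), "soft": int(t[i + 1]), "hard": int(t[i + 2])}
        i += 3
        inodes["grace"] = t[i] if status[1] == "+" and len(t) > i else None
        users.append({"user": name, "blocks": blocks, "inodes": inodes})
    return users


def over_soft(text):
    """(user, kind, used, soft, grace) for each limit group whose soft limit is exceeded."""
    hits = []
    for u in parse_repquota(text):
        for kind in ("blocks", "inodes"):
            q = u[kind]
            if q["soft"] and q["used"] > q["soft"]:   # a soft limit of 0 means no limit
                hits.append((u["user"], kind, q["used"], q["soft"], q["grace"]))
    return hits


def at_hard_limit(text):
    """Users who can no longer create data because a hard limit is reached."""
    return [u["user"] for u in parse_repquota(text)
            for kind in ("blocks", "inodes")
            if u[kind]["hard"] and u[kind]["used"] >= u[kind]["hard"]]


if __name__ == "__main__":
    for user, kind, used, soft, grace in over_soft(SAMPLE_REPQUOTA):
        print(f"{user}: {kind} {used} > soft {soft} (grace {grace})")
    print("at hard limit:", at_hard_limit(SAMPLE_REPQUOTA))
```

Run against real output with `repquota /home` (as root); the block counts are in 1K units, so the constructed 1048576 soft limit corresponds to the 1GB example given earlier in the article.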

Wednesday, January 13, 2016

[NIS Server/Client] Tips : HowTo: Disable User List on RHEL6 / CentOS6 Login Window


Quick bit of code to disable the user list on the RHEL6 / CentOS6 login screen. 

# gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.defaults --type bool --set /apps/gdm/simple-greeter/disable_user_list true


Quick bit of code to enable the user list on the RHEL6 / CentOS6 login screen.

# gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.defaults --type bool --set /apps/gdm/simple-greeter/disable_user_list false




Useful Gconf References: