134 liens privés
J'ai décris là ( http://links.simonlefort.be/?2IWyCw ) l'installation de Tiny Honeypot et son couplage avec Fail2Ban.
J'ai déjà une "prise" qui me renvoie vers Easynet SAS à Nanterre... Avec une adresse à contacter en cas d'abus. Est-ce que vous pensez que ça vaut la peine ?
Les logs Fail2Ban :
# cat /var/log/fail2ban.log
2016-03-02 15:23:22,329 fail2ban.actions[4934]: WARNING [thp-ssh] Ban 84.37.137.216
Quand je fais un "whois" :
$ whois 84.37.137.216
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms- conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '84.37.0.0 - 84.37.255.255'
% Abuse contact for '84.37.0.0 - 84.37.255.255' is 'sysop@easynet.fr'
inetnum: 84.37.0.0 - 84.37.255.255
netname: FR-EASYNET-20040917
descr: EASYNET SAS
country: FR
org: ORG-EA23-RIPE
admin-c: RD5513-RIPE
tech-c: SC14728-RIPE
tech-c: SC14729-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: FR-EASYNET
mnt-routes: FR-EASYNET
mnt-routes: EASYNET-MNT
created: 2004-09-17T10:51:23Z
last-modified: 2013-02-15T15:41:37Z
source: RIPE # Filtered
organisation: ORG-EA23-RIPE
org-name: EASYNET SAS
org-type: LIR
address: 55 avenue des Champs Pierreux
address: 92000
address: NANTERRE
address: FRANCE
phone: +33 1 77 49 70 00
fax-no: +33 1 77 49 71 00
abuse-c: AR15234-RIPE
admin-c: ES630-RIPE
mnt-ref: FR-EASYNET
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
created: 2004-04-17T11:21:43Z
last-modified: 2015-06-17T10:14:12Z
source: RIPE # Filtered
person: Richard Dumoulin
address: Easynet SAS
address: 55, Avenue des Champs Pierreux
address: 92000 Nanterre
address: France
phone: +33(0)1.77.49.70.00
fax-no: +33(0)1.77.49.70.01
nic-hdl: RD5513-RIPE
mnt-by: FR-EASYNET
created: 2013-02-15T14:23:44Z
last-modified: 2013-02-15T14:23:44Z
source: RIPE # Filtered
person: Sebastien Collignon
address: Easynet SAS
address: 55, Avenue des Champs Pierreux
address: 92000 Nanterre
address: France
phone: +33(0)1.77.49.70.00
fax-no: +33(0)1.77.49.70.01
nic-hdl: SC14728-RIPE
mnt-by: FR-EASYNET
created: 2013-02-15T14:26:36Z
last-modified: 2013-02-15T14:26:36Z
source: RIPE # Filtered
person: Sebastien Crinier
address: Easynet SAS
address: 55, Avenue des Champs Pierreux
address: 92000 Nanterre
address: France
phone: +33(0)1.77.49.70.00
fax-no: +33(0)1.77.49.70.01
nic-hdl: SC14729-RIPE
mnt-by: FR-EASYNET
created: 2013-02-15T14:26:36Z
last-modified: 2013-02-15T14:26:36Z
source: RIPE # Filtered
% Information related to '84.37.0.0/16AS4589'
route: 84.37.0.0/16
descr: Easynet FR
origin: AS4589
mnt-by: EASYNET-MNT
created: 2005-01-25T14:53:11Z
last-modified: 2005-01-25T14:53:11Z
source: RIPE
% This query was served by the RIPE Database Query Service version 1.85.1 (DB-3)
Une astuce pour sécuriser son serveur en utilisant Tiny Honeypot et Fail2Ban.
(via http://book.knah-tsaeb.org/?SVAp2w )
Prérequis :
Avoir changé le port ssh par défaut (22) .
Installation :
Installation des programmes nécessaires :
# apt-get install tinyhoneypot fail2ban xinetd
Copie d'un exemple de configuration :
# cp -v /usr/share/doc/tinyhoneypot/examples/xinetd.d/thp-pasv /etc/xinetd.d/
‘/usr/share/doc/tinyhoneypot/examples/xinetd.d/thp-pasv’ -> ‘/etc/xinetd.d/thp-pasv’
Modification de la configuration copiée juste avant :
# vim /etc/xinetd.d/thp-pasv
# cat /etc/xinetd.d/thp-pasv
# default: on
# description: thp-ftpd calls the generic thpsvcs with param "ftp",
# resulting in an ftpd emulation.
service thp-pasv
{
type = UNLISTED
socket_type = stream
protocol = tcp
port = 22
wait = no
user = thpot
server = /usr/sbin/thpot
server_args = nullresp
nice = 10
disable = no
instances = 1
per_source = 1
}
On redémarre le service xinetd et on vérifie qu'il écoute bien sur le port SSH par défaut :
# service xinetd restart
# netstat -lptn | grep xinetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4426/xinetd
On peut maintenant essayer de se connecter sans spécifier de port (donc tenter une connexion sur le port 22 ou Xinetd écoute) :
(en local) :
$ ssh xxx.xxx.xxx.xxx
^C
(sur le serveur) :
# cat /var/log/thpot/captures
Mar 02 13:28:06 SID=56D6DC56E6F47.nullresp PID=4437 SRC=yyy.yyy.yyy.yyy SPT=45797 ET=00:00:09 BYTES=39
Ok, la première partie marche! On regarde maintenant pour utiliser Fail2ban avec ça. (ATTENTION : On ne doit pas modifier le fichier "jail.conf" mais uniquement le fichier "jail.local" !) On fait donc une copie de jail.conf => jail.local :
# cp -v /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
‘/etc/fail2ban/jail.conf’ -> ‘/etc/fail2ban/jail.local’
# vim /etc/fail2ban/jail.local
# cat /etc/fail2ban/jail.local
(...)
[ssh]
enabled = true
port = xxxx
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
#SLF: (voir https://www.howtoforge.com/tutorial/increase-ipv4-security-with-fail2ban-and-tinyhoneypot-on-debian-jessie/ )
[thp-ssh]
enabled = true
port = all
filte r = thpot
logpath = /var/log/thpot/captures
banaction = iptables-allports
maxretry = 1
findtime = 1800
bantime = 10800
(...)
note: J'ai mis un bantime relativement court au départ (3600 secondes) le temps de tester que tout fonctionne bien. Au pire je suis banni juste une heure si je fais une bêtise...
[Edit: j'ai mis 10800s pour le bantime à présent, je vais probablement augmenter encore dans les prochains jours.
On rajoute le filtre fail2ban pour Tiny Honeypot :
# vim /etc/fail2ban/filter.d/thpot.local
# cat /etc/fail2ban/filter.d/thpot.local
# Fail2Ban configuration file for Tiny Honeypot
[Definition]
# patern :
# Mar 02 13:28:06 SID=56D6DC56E6F47.nullresp PID=4437 SRC=xxx.xxx.xxx.xxx SPT=45797 ET=00:00:09 BYTES=39
# Mar 02 13:44:25 SID=56D6E02951E5.nullresp PID=4566 SRC=yyy.yyy.yyy.yyy SPT=44993 ET=00:00:04
failregex = .* SRC=<HOST> .*
ignoreregex =
On peut tester si les regex de fail2ban fonctionnent bien :
# fail2ban-regex /var/log/thpot/captures /etc/fail2ban/filter.d/thpot.local
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/thpot.local
Use log file : /var/log/thpot/captures
Results
=======
Failregex: 86 total
|- #) [# of hits] regular expression
| 1) [86] .* SRC=<HOST> .*
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [86] MONTH Day Hour:Minute:Second
`-
Lines: 86 lines, 0 ignored, 86 matched, 0 missed
On redémarre ensuite le service fail2ban et on regarde ses logs et son statut :
# service fail2ban restart
# cat /var/log/fail2ban.log
2016-03-02 14:49:40,128 fail2ban.server [4862]: INFO Stopping all jails
2016-03-02 14:49:40,240 fail2ban.jail [4862]: INFO Jail 'ssh' stopped
2016-03-02 14:49:41,244 fail2ban.jail [4862]: INFO Jail 'thp-ssh' stopped
2016-03-02 14:49:41,245 fail2ban.server [4862]: INFO Exiting Fail2ban
2016-03-02 14:49:41,796 fail2ban.server [4934]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13
2016-03-02 14:49:41,797 fail2ban.jail [4934]: INFO Creating new jail 'ssh'
2016-03-02 14:49:41,817 fail2ban.jail [4934]: INFO Jail 'ssh' uses pyinotify
2016-03-02 14:49:41,833 fail2ban.jail [4934]: INFO Initiated 'pyinotify' backend
2016-03-02 14:49:41,834 fail2ban.filter [4934]: INFO Added logfile = /var/log/auth.log
2016-03-02 14:49:41,835 fail2ban.filter [4934]: INFO Set maxRetry = 6
2016-03-02 14:49:41,836 fail2ban.filter [4934]: INFO Set findtime = 600
2016-03-02 14:49:41,837 fail2ban.actions[4934]: INFO Set banTime = 600
2016-03-02 14:49:41,865 fail2ban.jail [4934]: INFO Creating new jail 'thp-ssh'
2016-03-02 14:49:41,865 fail2ban.jail [4934]: INFO Jail 'thp-ssh' uses pyinotify
2016-03-02 14:49:41,868 fail2ban.jail [4934]: INFO Initiated 'pyinotify' backend
2016-03-02 14:49:41,869 fail2ban.filter [4934]: INFO Added logfile = /var/log/thpot/captures
2016-03-02 14:49:41,870 fail2ban.filter [4934]: INFO Set maxRetry = 1
2016-03-02 14:49:41,871 fail2ban.filter [4934]: INFO Set findtime = 1800
2016-03-02 14:49:41,871 fail2ban.actions[4934]: INFO Set banTime = 3600
2016-03-02 14:49:41,876 fail2ban.jail [4934]: INFO Jail 'ssh' started
2016-03-02 14:49:41,880 fail2ban.jail [4934]: INFO Jail 'thp-ssh' started
# service fail2ban status
● fail2ban.service - LSB: Start/stop fail2ban
Loaded: loaded (/etc/init.d/fail2ban)
Active: active (running) since Wed 2016-03-02 14:49:41 CET; 8min ago
Process: 4905 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
Process: 4922 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/fail2ban.service
└─4934 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid
Mar 02 14:49:41 xxxxxx fail2ban[4922]: Starting authentication failure monitor: fail2ban.
Malgré un "failure monitor: fail2ban ..." ça fonctionne. Ma session active (dans un autre terminal) a même été dégagée.
Test :
(en local vers 15h10 :)
$ ssh xxx.xxx.xxx.xxx
^C
$ ssh xxx.xxx.xxx.xxx
ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused
$ ssh -p xxxx LOGIN@xxx.xxx.xxx.xxx
ssh: connect to host xxx.xxx.xxx.xxx port xxxx: Connection refused
(dernière tentative à 15h16)
Par contre, le ping marche toujours. Surprenant!
Si on regarde les logs de fail2ban une fois qu'on est "débanni" du serveur, je remarque que j'ai déjà une "prise" :
# cat /var/log/fail2ban.log
2016-03-02 15:23:22,329 fail2ban.actions[4934]: WARNING [thp-ssh] Ban 84.37.137.216
Tiens, c'est pas moi ça ! La suite : http://links.simonlefort.be/?Cif-aA
Bonus : Pour voir les ports utilisés :
# netstat -lptn