Well, of course you have port knocking implemented, so the port where your ssh server is active is opened only after the port knock was successful. The script that handles the port knocking could start the ssh server and only allow traffic through if it comes from the same IP address as the initial port knock; all the other traffic arriving on that port could be sent to the tarpit. Of course, after 3 failed port knocking attempts the IP where the attempts came from is blocked for ever-increasing amounts of time; this, combined with a tarpit, can be extremely frustrating. Attempts to connect to port 22 (the default ssh port) could, of course, by default lead to a tarpit.
Creativity can lead to fun situations. Have fun configuring your scripts and firewall. I’m sure you get the idea of what I mean by now.
Hi Neville,
Thank you so much for your reply, my friend.
I would like to test Devuan, but it is for another project, not for the server.
I’m sorry if I wasn’t specific, and I apologize for that.
Your threads about Devuan made me very curious to test it, and it will be tested on a disk just for that purpose.
As I have a disk free at the moment, I’m going to test Devuan to see how it works and, if you’re willing to help me, I’ll ask you and the rest of the forum friends for help, but I’ll create a specific thread. I don’t know when, but maybe there will be a Devuan test this week.
This came into my sight with Davinci Resolve. As CentOS was wrecked when it became a rolling release, Blackmagic chose Rocky Linux as the default supported distro instead of CentOS.
I don’t use Rocky at the moment, and probably never will, but who knows?
Hi Jorge,
You will find the Refracta Installer a bit unusual, but it works well. It directs you to gparted for disk setup.
I can help if/when you need it.
Regards
Neville
Hi pdecker,
Thank you so much for your reply, my friend.
I completely understand your opinion, and it was because of everything I read that I was curious to test Ubuntu Server on my old PC, after having tested DietPi, and it seems to me to be a suitable distro for a server (who am I to say this…), but don’t get me wrong, I always try to avoid using Ubuntu. It’s a personal opinion; I have nothing against Ubuntu and I don’t want to cause discontent among forum friends, but it’s hard for me to use Ubuntu Server when I’ve never wanted to use Ubuntu on a day-to-day basis.
One example I found on Ubuntu Server is that it’s an “all-in-one” package, including snap… on a server?
I may be wrong, because I’m a novice, but it left me thinking, “I’ll look for another distro.”
On the other hand, running without any other programs installed, just with security settings, Ubuntu Server seems to be quite optimized, at least from the memory used:
tarpit looks interesting… will have to check it out when I get a chance…
I just forward a non-standard port from my router to my RPi (now a 5) that has a static (or fixed) DHCP lease from my router - and use fail2ban on the Pi5…
I don’t mind Ubuntu as a server O/S - but I prefer the way debian does fail2ban than Ubuntu…
I was running Ubuntu 22.04 “headless” on a Pi4 with fail2ban - it was far too permissive for my taste, on Debian (now running Raspbian 12 bookworm on the Pi5) it’s much more fascist
That may be just the default config. Fail2ban itself cannot be too permissive or “fascist”; it just monitors log files, then disables network traffic via iptables for rogue hosts, all based on rules described in the configuration.
So if you find it too permissive, change the configuration to be more restrictive!
Even on Debian, the default configs work for default ports. Moving a service such as the SSH server to a non-default port also means having to change the Fail2ban config. Otherwise, an attacker hammering SSH on port 2275 (for example) will cause Fail2ban to detect him and lock him out of port 22.
So the way to brute-force the non-standard SSH port is left open.
I’m lazy too, but configuring something is a one-time effort.
I take back everything I said about fail2ban on debian - it’s a broken pile of crap - won’t run with the debian defaults…
I really can’t be arsed figuring it out either…
I’ve just disabled the NAT rule on my router… I just re-hooked up my Pi4 after I noticed in Feb the fan and heatsink on it were f–ked (was running as high as 85 c) - now idling on around 45-50c)… So I have a NAT rule to let me SSH to the Pi4 too - and that is running Ubuntu …
OK - figured it out - fail2ban is a different beast than I remember it being on Debian Stretch…
I fixed it on Debian Bookworm (Raspberry Pi 5) by running
fail2ban-client start
Then restarting fail2ban in systemd…
Never had to use/run fail2ban-client before… pezzo-di-merda!
Hi Dan,
Now I’m lost…
I was following my mentor Dan Tripp who was talking about fail2ban and I just read this post?
I’m going to do tests with Debian as the server distro, as I mentioned in my posts above, and now I read that you’re upset with fail2ban?
I’ll need your help to configure it…
Then systemctl restart fail2ban, and ooooops.
There’s no auth.log to monitor…
Because in Bookworm there is only journald by default.
Need to install rsyslog: apt install rsyslog
After that the logs are in their usual place, so restart fail2ban: systemctl start fail2ban
And check the status: systemctl status fail2ban
It reports:
root@gepecske:/# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Sat 2024-04-20 11:21:55 CEST; 7s ago
       Docs: man:fail2ban(1)
   Main PID: 260687 (fail2ban-server)
      Tasks: 7 (limit: 18960)
     Memory: 43.4M
        CPU: 574ms
     CGroup: /system.slice/fail2ban.service
             └─260687 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

ápr 20 11:21:55 gepecske systemd[1]: Started fail2ban.service - Fail2Ban Service.
ápr 20 11:21:55 gepecske fail2ban-server[260687]: 2024-04-20 11:21:55,685 fail2ban.configreader [260687]: WARNING 'allowipv6' not defined in 'Def>
ápr 20 11:21:56 gepecske fail2ban-server[260687]: Server ready
Checking the jail after a purposely failed login attempt:
root@gepecske:/# fail2ban-client status ssh
Status for the jail: ssh
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
Then I tweaked the default settings to configure sshd.
Looking at jail.local I saw there are two separate entries for sshd.
They look like this at present:
# [DEFAULT]
# bantime = 1h
#
[sshd]
enabled = true
#
# See jail.conf(5) man page for more information
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
and…
# [sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
# mode = normal
# port = ssh
# logpath = %(sshd_log)s
# backend = %(sshd_backend)s
[dropbear]
port = ssh
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s
[selinux-ssh]
port = ssh
logpath = %(auditd_log)s
#
# HTTP servers
#
I’m not quite sure whether these are all sane settings.
Here is some info:
1.)
systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; preset: disabled)
     Active: active (running) since Sat 2024-04-20 14:24:24 CEST; 23min ago
       Docs: man:fail2ban(1)
    Process: 341 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 347 (fail2ban-server)
      Tasks: 5 (limit: 1137)
     Memory: 97.1M (peak: 411.2M swap: 4.0K swap peak: 4.0K zswap: 22B)
        CPU: 2.445s
     CGroup: /system.slice/fail2ban.service
             └─347 /usr/bin/python /usr/bin/fail2ban-server -xf start

Warning: some journal files were not opened due to insufficient permissions.
2.)
sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list:      sshd
3.)
sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
Seems it works, at least somehow.
Yet I don’t know whether I could’ve done it better.
I tried fail2ban on Deb12 for the first time, and on a desktop, not a server. I just wanted to have f2b get to work as quickly as possible.
I found a solution, but it is definitely not the best.
Investigating the issue with logs vs fail2ban, I learned that I had better use the systemd backend for f2b. Still did not dig into it.
No problem with that though. Because I wanted to be quick, I just copied some parts from a working config from a different host (from a server, from my VPS).
Please note the filter= line in my config, which points to sshd.conf in filter.d.
You could call a fail2ban jail basically anything; I created a custom-named jail (well, actually quite descriptive in regard to how freely you can name that jail) for the ssh attempts on my laptop.
This time I tell it to use the systemd backend, so it works without rsyslog installed.
root@DellG3:/etc/fail2ban# systemctl restart fail2ban
root@DellG3:/etc/fail2ban# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Sat 2024-04-20 19:10:50 CEST; 5s ago
       Docs: man:fail2ban(1)
   Main PID: 24177 (fail2ban-server)
      Tasks: 5 (limit: 18914)
     Memory: 33.1M
        CPU: 235ms
     CGroup: /system.slice/fail2ban.service
             └─24177 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

ápr 20 19:10:50 DellG3 systemd[1]: Started fail2ban.service - Fail2Ban Service.
ápr 20 19:10:51 DellG3 fail2ban-server[24177]: 2024-04-20 19:10:51,018 fail2ban.configreader [24177]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
ápr 20 19:10:51 DellG3 fail2ban-server[24177]: Server ready
root@DellG3:/etc/fail2ban# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list:      scheissegal
root@DellG3:/etc/fail2ban# fail2ban-client status scheissegal
Status for the jail: scheissegal
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
root@DellG3:/etc/fail2ban#
In case you are curious, the config files I created/modified:
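Pulling together the two points made earlier in the thread (the jail must ban the non-default port the SSH server actually listens on, and on bookworm the systemd backend works without rsyslog), here is an added jail.local example written for this page; it is not the configuration László posted, and the port number 2275, the ignoreip network and the ban timings are assumed values to adjust to your own setup.

```ini
# /etc/fail2ban/jail.local  (constructed example; put only what differs from jail.conf here)

[DEFAULT]
# Read sshd messages from the journal instead of /var/log/auth.log, so no rsyslog is
# needed on Debian 12; the journalmatch comes from filter.d/sshd.conf.
backend = systemd

# Never ban localhost or the home LAN (assumed network, change to yours).
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24

# Ban for 1h after 3 failures within 10 minutes, and lengthen the ban for repeat
# offenders (bantime.increment needs fail2ban 0.11 or newer; bookworm ships 1.0.2).
bantime  = 1h
findtime = 10m
maxretry = 3
bantime.increment = true

[sshd]
enabled = true
# sshd was moved to a non-default port (assumed value 2275, as in the thread). The ban
# must apply to THAT port; with the default "port = ssh" an attacker hammering 2275 is
# detected but only locked out of 22, so the brute-force path stays open.
port    = 2275
filter  = sshd
# Optional: the stricter matching mode mentioned in the jail.conf comments.
mode    = aggressive
```

The `'allowipv6' not defined` warning in the status output comes from fail2ban.conf rather than jail.local; adding `allowipv6 = auto` under `[DEFAULT]` in /etc/fail2ban/fail2ban.local silences it. Check the result with `fail2ban-client status sshd`, which should list the journal matches instead of a file list.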
Hi László and Rosika,
Thank you so much for your posts.
I’m currently trying to install and configure fail2ban, and reading your topics is a great help.