Sunday, April 17, 2016

WHM/CPanel Centos 7: blocking brute force attack

By default, CentOS 7 uses firewalld to manage netfilter rules. Just like plain iptables, every rule you add increases your CPU load, because each packet is checked against the whole chain. These are my notes on using ipset to block brute force attacks without that cost.

Disable firewalld and enable iptables/ipset

Stop and mask the firewalld service:
# systemctl stop firewalld
# systemctl mask firewalld
Install the iptables-services package:
# yum install iptables-services
Enable the services at boot time:
# systemctl enable iptables
# systemctl enable ip6tables
Start the iptables services:
# systemctl start iptables
# systemctl start ip6tables
Install ipset:
# yum install ipset

Install & Configure fail2ban (Optional)

Installing fail2ban
# yum install fail2ban
Enable fail2ban
# systemctl enable fail2ban
Start fail2ban
# systemctl start fail2ban
or
# service fail2ban start
Fix the firewall (run the cPanel firewall script)
# /scripts/configure_firewall_for_cpanel
Open a port, for example 12345
# iptables -I INPUT -p tcp --dport 12345 -m state --state NEW,ESTABLISHED -j ACCEPT
To disable the fail2ban service
# systemctl stop fail2ban
# systemctl disable fail2ban
If you prefer to use CSF (ConfigServer Security & Firewall), follow WHM/CPanel Centos 7: enabling ipset in csf

Wednesday, April 13, 2016

Webmin: Domain Slave in webmin and Domain Master in WHM/CPanel

In WHM/Cpanel server:
• open file /etc/named.conf and edit
  //allow-transfer    { "none"; };
  allow-transfer { your_public_ip_for_slave_dns; };
• restart your bind/named
  # /scripts/restartsrv_named
In Debian Jessie server:
• Open webmin, Servers -> BIND DNS Server -> Create slave zone
  Zone type : Forward (Names to Addresses)
  Domain name / Network : yourdomain.com
  Record file : Automatic
  Master server : your_whm_cpanel_ip_address
  Server port : Default
• Test Zone Transfer
  Testing transfer of slave zone from master_ip_address .... from master_ip_address : Completed OK
  Test transfer successfully fetched 28 records from at least one nameserver. Actual transfers by BIND should also succeed.
Now you can add/edit your Domain Slave Server in WHM/CPanel -> Edit DNS Zone.

Reference:
• https://www.debian.org/doc/manuals/network-administrator/ch-bind.html
• http://serverfault.com/questions/403848/configure-secondary-dns-server-debian

Monday, April 4, 2016

Loading ipset and iptables on boot in Debian Jessie

At the time of writing, Debian Jessie does not provide a script to save and load ipset rules.
ipset
-----------------------------------------------------------------------------------------------
saving ipset rules:
# ipset save
or
# /sbin/ipset save
We follow the Debian wiki's file naming convention, https://wiki.debian.org/iptables (i.e. /etc/iptables.up.rules):
# ipset save > /etc/ipset.up.rules
To save ipset rules to another file:
# ipset save > /root/iptablesrules/ipsetrules.save
To restore ipset rules (-! tells ipset to ignore errors such as a set that already exists):
# ipset restore -! < /etc/ipset.up.rules
or
# /sbin/ipset restore -! < /etc/ipset.up.rules
iptables (my version v1.4.21)
-----------------------------------------------------------------------------------------------
saving iptables rules:
# iptables-save
or
# /sbin/iptables-save
We follow the Debian wiki's file naming convention, https://wiki.debian.org/iptables (i.e. /etc/iptables.up.rules):
# iptables-save > /etc/iptables.up.rules
To save iptables rules to another file:
# iptables-save > /root/iptablesrules/iptablesrules.save
Note: the iptables-persistent package saves rules in the files:

1. /etc/iptables/rules.v4
2. /etc/iptables/rules.v6

But we do not use iptables-persistent here.
To restore iptables rules:
# iptables-restore < /etc/iptables.up.rules
or
# /sbin/iptables-restore < /etc/iptables.up.rules
We have a few choices for loading ipset and iptables on boot:
1. Manual init.d configuration
2. Configuring via ifup
  1. put the loader in file /etc/network/interfaces
  2. put a script in /etc/network/if-pre-up.d/
Option 1:

To use /etc/network/interfaces to load ipset and iptables
Edit /etc/network/interfaces
....
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
   ...
   pre-up ipset restore -! < /etc/ipset.up.rules
   pre-up iptables-restore < /etc/iptables.up.rules
...
Option 2:

To use a script in /etc/network/if-pre-up.d/ to load ipset and iptables
Create or edit /etc/network/if-pre-up.d/load.rules (ipset must be restored first, because iptables-restore fails if a rule refers to a set that does not exist yet)
#!/bin/sh
/sbin/ipset restore -! < /etc/ipset.up.rules
/sbin/iptables-restore < /etc/iptables.up.rules
Make it executable:
# chmod +x /etc/network/if-pre-up.d/load.rules

Note:
1. Use only one of the options above.
2. After adding an IP address to your ipset rules, don't forget to save them to /etc/ipset.up.rules.
3. If you use fail2ban, do not put fail2ban rules in iptables.up.rules; fail2ban configures its own rules automatically. Remove any fail2ban rules from /etc/iptables.up.rules.
Distributing ipset across a server farm
These ipset rules can be distributed across your servers.
A master ipset can be generated on a honeypot/server and distributed over the web. Run this script after you add or edit ipset rules; it writes the cleaned list into your root web directory:
#!/bin/bash
## create by dedetok April 2016
## last update 2016-04-28
## GNU GPL v3
## Disclaimer: experimental, use it with your own risk
/sbin/ipset save > /etc/ipset.up.rules
# create temporary file to save new ipset rules without fail2ban rules
if [ -f "/root/bin/ipset.up.rules.new" ] ; then
 rm "/root/bin/ipset.up.rules.new"
fi
touch /root/bin/ipset.up.rules.new
while read -r line; do
 if [[ $line != *"fail2ban"* ]]
 then
  echo "$line" >> /root/bin/ipset.up.rules.new
 fi
done < /etc/ipset.up.rules
# copy clean ipset into /etc/ipset.up.rules
cp /root/bin/ipset.up.rules.new /etc/ipset.up.rules
# save it into web or user public_html
#cp /root/bin/ipset.up.rules.new /home/[user]/public_html/ipset.up.rules
cp /root/bin/ipset.up.rules.new /var/www/public_html/ipset.up.rules
Do the following steps on every server in your farm:
• Write this bash script to /root/unduhgarasiku.sh:
#!/bin/bash
## create by dedetok April 2016
## last update 2017-05-02
## GNU GPL v3
## Disclaimer: experimental, use it with your own risk
echo "download from http://www.garasiku.web.id/ipset.up.rules into /etc/ipset.up.rules.new"
if wget -O /etc/ipset.up.rules.new http://www.garasiku.web.id/ipset.up.rules; then
 chmod 444 /etc/ipset.up.rules.new
 chown root:root /etc/ipset.up.rules.new
 ## Update ipset ignore error, we need fresh list
 echo "updating new rules"
 if /sbin/ipset restore -! < /etc/ipset.up.rules.new; then
  echo "Saving new ipset rules into /etc/ipset.up.rules"
  cp /etc/ipset.up.rules.new /etc/ipset.up.rules
  chmod 544 /etc/ipset.up.rules
  chown root:root /etc/ipset.up.rules
 else
  echo "Error, ipset.up.rules not in ipset format"
  exit 1
 fi
else
 echo "Fail to download ipset.up.rules"
 exit 1
fi
echo "End process"
Old version
#!/bin/bash
## create by dedetok April 2016
## last update 2016-04-15
## GNU GPL v3
## Disclaimer: experimental, use it with your own risk
echo "download from http://www.garasiku.web.id/ipset.up.rules into /etc/ipset.up.rules.new"
wget -O /etc/ipset.up.rules.new http://www.garasiku.web.id/ipset.up.rules
chmod 444 /etc/ipset.up.rules.new
chown root:root /etc/ipset.up.rules.new
## Compare ipset.up.rules vs ipset.up.rules.new
## diff prints "+ add <set> <ip>" for new entries and "- add <set> <ip>" for removed ones
echo "updating new rules"
diff --new-line-format="+ %L" --old-line-format="- %L" <(sort /etc/ipset.up.rules) <(sort /etc/ipset.up.rules.new) |
while IFS=' ' read -r r1 r2 r3 r4; do
 ## r1 is the + or - marker, r2 the ipset verb, r3 the set name, r4 the address
 if [ "$r2" = "add" ]; then
  if [ "$r1" = "+" ]; then
   cmdline="/sbin/ipset $r2 $r3 $r4"
   echo "eval $cmdline"
   eval "$cmdline"
  fi
  if [ "$r1" = "-" ]; then
   cmdline="/sbin/ipset del $r3 $r4"
   echo "eval $cmdline"
   eval "$cmdline"
  fi
 fi
done
echo "Saving new ipset rules into /etc/ipset.up.rules"
/sbin/ipset save > /etc/ipset.up.rules
echo "End process"
• Put it into crontab to update ipset.up.rules every day at midnight:
# crontab -e
• Put this line (you can choose the nano editor)
0 0 * * * /root/unduhgarasiku.sh
• Save it (you can use the default file name)
File Name to Write: /tmp/crontab.9uLsb5/crontab
• iptables rules for the server farm
-A INPUT -m set --match-set mynetrules src -j DROP
-A INPUT -p tcp -m multiport --dports 25,465,587,993,995,465,143,110 -m set --match-set mynetrulessmtp src -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set mynetruleshttp src -j DROP
-A INPUT -p tcp --dport 22 -m set --match-set mynetrulesssh src -j DROP
-A INPUT -p tcp -m multiport --dports 21,22 -m set --match-set mynetrulesftp src -j DROP
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP
or, if you want to limit connections from a class C (/24) to 20 connections:
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 25,465,587,993,995,265,143,110 -m connlimit --connlimit-above 8 --connlimit-mask 32 --connlimit-saddr -j DROP
NOTE: don't forget to add your ipset rules into the iptables rules on every server in your farm and make them persistent. I suggest you create the iptables rules on every server rather than copying them from another server; every server may have unique iptables rules.
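The download scripts above fetch the rule list over plain HTTP and hand it straight to ipset restore as root, so whatever arrives is applied. As an added example (not the blog's own script), the functions below show the two checks that workflow benefits from: validate_ipset_dump refuses anything that is not a plain create/add line for one of the expected sets, and ipset_delta computes the add/del difference between the dump already applied and the new one, which is what the old version of the script did with diff. The set names in ALLOWED_SETS are taken from the iptables rules above; the sample files in the usage are constructed for illustration.

```shell
#!/bin/bash
# Added example, not the blog's own script.
# Checks a downloaded ipset dump before it is fed to `ipset restore`, and
# computes the difference between the dump already applied and the new one.

# Only sets named here may be touched by a downloaded dump (names assumed
# from the iptables rules of this post).
ALLOWED_SETS="mynetrules mynetrulessmtp mynetruleshttp mynetrulesssh mynetrulesftp"

# validate_ipset_dump FILE -> 0 if FILE contains only 'create'/'add' lines
# for allowed sets and only the characters an `ipset save` dump can contain;
# 1 otherwise (flush/destroy lines, unknown sets, shell metacharacters ...).
validate_ipset_dump() {
    file="$1"
    [ -r "$file" ] || return 1
    # An `ipset save` dump uses only letters, digits, space, '.', '/', ':', '_', '-'.
    if grep -q '[^A-Za-z0-9 ./:_-]' "$file"; then
        return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "") continue ;;
            "create "*|"add "*) ;;
            *) return 1 ;;
        esac
        setname="${line#* }"        # drop the verb
        setname="${setname%% *}"    # keep the set name only
        case " $ALLOWED_SETS " in
            *" $setname "*) ;;
            *) return 1 ;;
        esac
    done < "$file"
    return 0
}

# ipset_delta OLD NEW -> prints 'ipset add ...' for entries only in NEW and
# 'ipset del ...' for entries only in OLD, so the running sets can be brought
# in line without flushing them (create lines are left alone).
ipset_delta() {
    old_sorted=$(mktemp) && new_sorted=$(mktemp) || return 1
    grep '^add ' "$1" | LC_ALL=C sort > "$old_sorted"
    grep '^add ' "$2" | LC_ALL=C sort > "$new_sorted"
    LC_ALL=C comm -13 "$old_sorted" "$new_sorted" | sed 's/^add /ipset add /'
    LC_ALL=C comm -23 "$old_sorted" "$new_sorted" | sed 's/^add /ipset del /'
    rm -f "$old_sorted" "$new_sorted"
}

# Usage: ./ipset-check.sh /etc/ipset.up.rules /etc/ipset.up.rules.new
# prints the ipset commands that would bring the running sets up to date,
# or refuses the new file if it is not a clean dump.
if [ "$#" -eq 2 ]; then
    if validate_ipset_dump "$2"; then
        ipset_delta "$1" "$2"
    else
        echo "refusing $2: not a clean ipset dump" >&2
        exit 1
    fi
fi
```

Review the printed commands before piping them into a shell; with the validation in place a tampered or truncated download can at worst remove entries, never run anything else.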
Simple scripts to analyze authentication log files:
• Search failures in ssh
awk '(/authentication fail/ && /ssh/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
• Search failures in smtp
awk '(/authentication fail/ && /smtp/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
• Search failures in ftp
awk '(/authentication fail/ && /ftp/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
• Search failures in dovecot
awk '(/authentication fail/ && /dovecot/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
• Search ssh preauthentication
awk '(/Connection closed by/ && /sshd/) { print $(NF-1),$NF}' /var/log/auth.log | sort | uniq -c | sort -n
awk '(/preaut/ && /sshd/) { print $0}' /var/log/auth.log
• Search failures in mail
awk '(/authentication fail/) { print $7}' /var/log/mail.log | sort | uniq -c

Saturday, April 2, 2016

How to determine whether your Debian needs to restart after a packages update

Does your Debian server need to restart after a packages update?

You can use checkrestart from the debian-goodies package. debian-goodies has been available since Debian Wheezy.
• Install debian-goodies
# apt-get install debian-goodies
• Check whether our Debian needs to restart
# checkrestart
Found 44 processes using old versions of upgraded files
(28 distinct programs)
(21 distinct packages)
...
• Restart your Debian

References:
• http://serverfault.com/questions/667076/debian-how-can-i-know-if-reboot-is-required-after-update

Friday, April 1, 2016

Find host or IP on Fail2ban log in Centos using bash and awk

Find out which hosts appear in your fail2ban log and block them permanently. You need to install ipset to build your iptables rules.

• Create script bannedge2centos.sh
#!/bin/bash
## create by dedetok March 2016
## GNU GPL v3
echo "These IP get WARNING at least twice"
awk '(/fail2ban.filter/ && /WARNING/) { print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n |
{
  while read -r line1 line2
  do
    if [ "$line1" -ge 2 ]; then
      echo "$line1 $line2"
    fi
  done
}

echo "These IP get Filter sshd at least twice"
awk '(/fail2ban.filter/ && /sshd/) { print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n | {
  while read -r line1 line2
  do
    if [ "$line1" -ge 2 ]; then
      echo "$line1 $line2"
    fi
  done
}

echo "These IP get Filter ftpd at least twice"
awk '(/fail2ban.filter/ && /vsftpd/) { print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n | {
  while read -r line1 line2
  do
    if [ "$line1" -ge 2 ]; then
      echo "$line1 $line2"
    fi
  done
}

echo "These hosts get Filter Fail2ban at least twice"
awk '(/fail2ban.filter/ && /WARNING Unable/) { print $(NF-7)}' /var/log/fail2ban.log | sort | uniq -c |
 sort -n | {
  while read -r line1 line2
  do
    if [ "$line1" -ge 2 ]; then
      echo "$line1 $line2"
    fi
  done
}
• Create ipset rules mynetrules
# ipset create mynetrules hash:net
• Run bash bannedge2centos.sh
# ./bannedge2centos.sh
      These IP get WARNING at least twice
      2 ['199.15.112.8']
      2 ['216.117.2.180']
      2 ['82.148.206.193']
      4 ['208.100.26.231']
      4 ['31.211.102.129']
      5 ['71.6.167.142']
      10 ['88.80.15.69']
      28 known
      These IP get Filter sshd at least twice
      2 118.136.248.90
      18 84.16.74.40
      These IP get Filter ftpd at least twice
      5 88.80.15.69
      These hosts get Filter Fail2ban at least twice
      2 128-140-19-52.maxnet.ir:
      2 1-39-45-166.live.vodafone.in:
      2 178.218.202.224.ip.turontelecom.uz:
      2 181-174-60-157.telebucaramanga.net.co:
      2 222.64.uzpak.uz:
      2 238.124.206.49-ras.beamtele.net:
      2 75-242-69-115.vasaicable.co.in:
      2 78.187.230.16.static.ttnet.com.tr:
      2 85-113-26-150.static.ktnet.kg:
      2 91-219-55-106.static-pool.centr.zp.ua:
      2 brbnd47-30.mng.net:
      2 static-mum-120.63.188.93.mtnl.net.in:
      4 client.fttb.2day.kz:
• Populate ipset rules mynetrules
# ipset add mynetrules 84.16.74.40
# ipset add mynetrules 71.6.167.142
# ipset add mynetrules 208.100.26.231
# ipset add mynetrules 31.211.102.129
• Add ipset rules into iptables rules
# iptables -I INPUT -m set --match-set mynetrules src -j DROP
• Save your new rules
# service ipset save
# service iptables save
Default ipset and iptables files: /etc/sysconfig/ipset, /etc/sysconfig/iptables, and /etc/sysconfig/iptables.save
• To reload ipset and iptables
# service ipset reload
# service iptables restart
Other interesting scripts
• # awk '(/pam_unix/ && /sshd:auth/ && /authentication failure/) { print $NF }' /var/log/secure | sort | uniq -c | sort
• # awk '(/pam_unix/ && /webmin/ && /authentication failure/) { print $(NF-1) }' /var/log/secure | sort | uniq -c | sort
• # awk '(/pam_unix/ && /vsftpd/ && /authentication failure/) { print $(NF) }' /var/log/secure | sort | uniq -c | sort
• awk '((/not receive/ || /Failed/ || /Connection closed/ || /closed/ || /failure/ ) && /preauth/ && /sshd/) { print $(NF-2),$(NF-1),$NF}' /var/log/auth.log | sort  | uniq -c
Note:
• You can modify these to auto-block those IPs in your ipset rules, but beware that your own IP may incidentally get auto-blocked. Check the IP or host location before adding it to the ipset rules.
• As the ipset grows it does not add noticeably to CPU load, unlike a long list of individual iptables rules.
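The awk one-liners above, and the ones in the Debian post (search failures in ssh, smtp, ftp, dovecot), pick the source address positionally with $NF or $(NF-1), which breaks when pam_unix appends a user=... field after rhost=. As an added example that is not part of either post, the script below locates the rhost= field by name, counts sshd authentication failures per source, and turns the sources at or above a threshold into lines in ipset restore format for the mynetrules set, so the review step from the note above (check the list before blocking) sits between counting and restoring. The log lines written by write_sample_log are constructed for illustration and use documentation addresses only.

```shell
#!/bin/bash
# Added example, not from the blog. Count PAM authentication failures for sshd
# per source host and emit ipset restore lines for the repeat offenders.

# failed_ssh_by_host LOGFILE [MIN] -> "count host" for every rhost with at
# least MIN (default 2) sshd authentication failures, lowest count first.
# The rhost= field is located by name, so an extra user=... field at the end
# of the line (as pam_unix logs it for known users) does not shift the result.
failed_ssh_by_host() {
    awk -v min="${2:-2}" '
        /sshd/ && /authentication failure/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^rhost=/) {
                    host = substr($i, 7)
                    if (host != "") count[host]++
                }
            }
        }
        END {
            for (host in count)
                if (count[host] >= min) printf "%d %s\n", count[host], host
        }
    ' "$1" | LC_ALL=C sort -n
}

# to_ipset_adds SETNAME -> reads "count host" lines on stdin and prints
# "add SETNAME host" lines that `ipset restore -!` accepts.
to_ipset_adds() {
    awk -v set="$1" '{ print "add", set, $2 }'
}

# write_sample_log FILE -> constructed auth.log lines (documentation
# addresses only) for trying the functions without a real server.
write_sample_log() {
    cat > "$1" <<'EOF'
Apr  1 10:00:01 srv sshd[1001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Apr  1 10:00:02 srv sshd[1002]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin
Apr  1 10:00:03 srv sshd[1003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Apr  1 10:00:04 srv sshd[1004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root
Apr  1 10:00:05 srv sshd[1005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.44
Apr  1 10:00:06 srv sshd[1006]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.44  user=git
Apr  1 10:00:07 srv vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=192.0.2.44
Apr  1 10:00:08 srv sshd[1008]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2
EOF
}

# Usage on a real server, after reviewing the counted list:
#   failed_ssh_by_host /var/log/auth.log 5 | to_ipset_adds mynetrules | ipset restore -!
if [ "$#" -ge 1 ]; then
    failed_ssh_by_host "$1" "${2:-2}" | to_ipset_adds mynetrules
fi
```

Running the script with a log file as its first argument and a threshold as the second prints the add lines without applying them; the vsftpd line in the sample is deliberately ignored, since this counter is for sshd only.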