[Solved] How to protect OpenVZ VPSs on a host node server using fail2ban & ipset?



Fli
12-08-2017, 11:24 AM
Hello,

My aim was to prevent brute force attacks targeted at OpenVZ virtual private servers hosted on an OpenVZ host/node server. I own the host node, so I wanted to protect them right on it, not on the VPSs themselves.

fail2ban is software known as a good solution for watching server logs and banning bad IPs.

So I installed it (https://internetlifeforum.com/security-protection/1136-installing-fail2ban-linux-prevent-various-bad-bots-attacks-bruteforce/) and then made the following changes. Note that I do not guarantee it will work for you, and I do not recommend anyone do it unless they are sure what they are doing.

I made sure all log file paths are changed from /var/log to /vz/root/*/var/log:
cd /etc/fail2ban
sed -i "s|/var/log/|/vz/root/*/var/log/|g" paths-common.conf
sed -i "s|/var/log/|/vz/root/*/var/log/|g" paths-fedora.conf
sed -i "s|/var/log/|/vz/root/*/var/log/|g" paths-debian.conf
sed -i "s|/var/log/|/vz/root/*/var/log/|g" jail.local

This way I will not be checking this server's own logs, only the VPS logs; the node itself will stay unprotected by fail2ban.

Edit /etc/fail2ban/fail2ban.local and make sure loglevel is NOT debug.

Make sure there is an /etc/fail2ban/jail.local file and edit it to contain the jails you want to use.

My file looks like this: https://pastebin.com/BbjZYFTV

In short, in that file (jail.local) I set the following variables to this:
ignoreip = 127.0.0.1/8 MyHomeIPHere/32 MyServerAssignedSubnet/28 (just add your home computer IP and the subnet of your VPS servers)
maxretry = 15 (so it is not so strict; it bans an IP only if it finds a "violation" like an invalid SSH login 15 times within findtime = 600 seconds)
bantime = 1800 (bans for 30 minutes instead of 600, i.e. 10 minutes)
enabled = true (this will globally enable all jails (sshd, apache, mailserver etc. protections) inside the file we are editing, jail.local; if it is false, only the ssh jail will be enabled)
chain = FORWARD (was INPUT; I am unsure whether iptables INPUT is ignored or not when we are FORWARDing traffic to the VPSs using iptables)
banaction = iptables-ipset-proto6-allports (was iptables-multiport; make sure ipset is installed and is version 6, check with the command: ipset -V)

I edit /etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf; it is the file that defines how fail2ban will handle ipset blocking/unblocking, and it will also create the new ipset.
Replace:
<iptables> -I <chain> -m set --match-set f2b-<name> src -j <blocktype>
by:
<iptables> -I <chain> 3 -m set --match-set f2b-<name> src -j <blocktype>
Because I am using a custom-made ipset called whitelist (https://internetlifeforum.com/security-protection/8900-tutorial-how-install-use-ipset/) which contains important IPs that I never want to block, adding "3" will insert fail2ban's new ipset rule at the 3rd line of the iptables chain, making sure my whitelisted IPs get processed before the ipset banlist and so are favored at all times.

The result looks like:

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere match-set whitelistsubnets src
ACCEPT all -- anywhere anywhere match-set whitelist src
REJECT all -- anywhere anywhere match-set f2b-sshd-ddos src reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere match-set f2b-sshd src reject-with icmp-port-unreachable

I restarted fail2ban: service fail2ban restart
Then I tailed the server syslog to see that it does not ban anything important:
tail -f /var/log/{syslog,messages}|grep fail2ban

----
I can confirm that fail2ban indeed blocks bruteforce IPs attacking the OpenVZ VPSs' SSH ports.
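The whole setup above relies on rule ordering: the whitelist ACCEPT rules must sit in the FORWARD chain before any f2b-* REJECT rule, which is why the action file inserts at position 3. That ordering silently breaks if a later script appends the whitelist rules (-A) after fail2ban has already inserted its ban rule. The following is an added check script, not code from the forum post or from fail2ban; the function names check_order and first_ban_position are my own, and the second listing is a constructed counter-example (the first is the listing shown in the post).

```shell
#!/bin/sh
# Added example (not from the forum post): verify that whitelist ipset ACCEPT
# rules precede every fail2ban (f2b-*) rule in an iptables chain listing.
# Both functions read a chain listing on stdin, as produced by
# `iptables -L FORWARD -n`, so they can also be fed a saved listing.

# Listing taken from the post's "Result looks like" output (safe ordering).
SAMPLE_OK='Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere match-set whitelistsubnets src
ACCEPT all -- anywhere anywhere match-set whitelist src
REJECT all -- anywhere anywhere match-set f2b-sshd-ddos src reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere match-set f2b-sshd src reject-with icmp-port-unreachable'

# Constructed counter-example: the "whitelist" set was appended after fail2ban
# had already inserted its rule, so a whitelisted host can still be rejected.
SAMPLE_BAD='Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere match-set whitelistsubnets src
REJECT all -- anywhere anywhere match-set f2b-sshd src reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere match-set whitelist src'

# check_order: exit 0 when no whitelist ACCEPT rule appears after the first
# f2b-* rule, exit 1 when the whitelist is shadowed by a ban rule.
check_order() {
    awk '
        /match-set f2b-/                               { seen_ban = 1 }
        /ACCEPT/ && /match-set whitelist/ && seen_ban  { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# first_ban_position: print the 1-based rule number of the first f2b-* rule,
# i.e. where fail2ban's "-I <chain> N" actually landed. The two header lines
# ("Chain ..." and the column names) are not rules and are skipped.
first_ban_position() {
    awk '
        NR <= 2 { next }
        /match-set f2b-/ { print NR - 2; exit }
    '
}

# Usage on the host node (run after fail2ban has banned at least one IP):
#   iptables -L FORWARD -n | check_order || echo "whitelist is shadowed by a ban rule"
#   iptables -L FORWARD -n | first_ban_position     # expect 3 with the edited action file
```

Run it from cron or after any firewall reload; a non-zero exit from check_order means the "-I <chain> 3" edit no longer guarantees that whitelisted addresses bypass the ban sets.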