This post describes how the server can be secured using fail2ban and shorewall. It mostly builds on the procedure that I described earlier in this post, with a few additional warnings.

fail2ban

Refs: https://ubuntu.tutorials24x7.com/blog/how-to-install-fail2ban-on-ubuntu-20-04-lts and https://doc.ubuntu-fr.org/fail2ban

fail2ban is software used to protect against brute force and DDoS attacks. The principle is that it blocks IPs that repeatedly fail to authenticate against a variety of services. Here, we explain how to configure it to block failed ssh login attempts. The tutorial will be updated later with other services.

fail2ban is installed with:

sudo apt install fail2ban
and its status can be checked with
sudo systemctl status fail2ban
which, at this point, should return
Active: active (running) since Thu 2020-07-30 18:24:24 CEST; 1min 11s ago

The main configuration files are /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf, which can be kept as they are and amended by creating /etc/fail2ban/fail2ban.local and /etc/fail2ban/jail.local for custom configurations. More precisely, I created /etc/fail2ban/fail2ban.local with

[DEFAULT]
loglevel = INFO
logtarget = /var/log/fail2ban.log
and /etc/fail2ban/jail.local with

[DEFAULT]
ignoreip = 127.0.0.1 XX.XXX.XXX.XX
bantime = -1
findtime = 3600
maxretry = 3
destemail = me@mydomain.org
action = %(action_mwl)s
backend = systemd
which configures fail2ban to ban forever any IP that has at least 3 failed connection attempts (on the sshd service) in the last 3600 seconds. Emails are sent to my address with detailed information on the banned IPs, including their whois records.

Other specific jails can be configured using custom files in /etc/fail2ban/jail.d/myfile.conf. In my case, I created /etc/fail2ban/jail.d/ssh.conf with

[sshd]
enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 4
which additionally bans any IP that fails to connect 4 times, as recorded in the file /var/log/auth.log (the jail-level maxretry takes precedence over the [DEFAULT] value for this jail).
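To see what the findtime, maxretry and ignoreip settings of jail.local and jail.d/ssh.conf above actually decide, here is an added example (not from the original post, and not fail2ban's own code) that replays the sliding-window rule over constructed /var/log/auth.log lines; the log lines, the simplified sshd regex and the year 2020 are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (not taken from the original post).
AUTH_LOG = """\
Jul 30 18:20:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jul 30 18:21:10 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 41030 ssh2
Jul 30 18:22:45 srv sshd[1207]: Failed password for root from 203.0.113.5 port 41041 ssh2
Jul 30 18:23:00 srv sshd[1210]: Failed password for root from 127.0.0.1 port 50000 ssh2
Jul 30 18:23:05 srv sshd[1211]: Failed password for root from 127.0.0.1 port 50001 ssh2
Jul 30 18:23:10 srv sshd[1212]: Failed password for root from 127.0.0.1 port 50002 ssh2
Jul 30 18:30:00 srv sshd[1220]: Failed password for root from 198.51.100.7 port 33001 ssh2
Jul 30 19:45:00 srv sshd[1230]: Failed password for root from 198.51.100.7 port 33002 ssh2
Jul 30 19:50:00 srv sshd[1231]: Failed password for root from 198.51.100.7 port 33003 ssh2
Jul 30 19:55:00 srv sshd[1232]: Accepted publickey for deploy from 198.51.100.7 port 33004 ssh2
"""

# Simplified stand-in for the sshd filter: syslog timestamp plus the source IP of a failed login.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port"
)
YEAR = 2020  # syslog lines carry no year; assumed for the constructed sample


def find_bans(log_text, maxretry=3, findtime=3600, ignoreip=("127.0.0.1",)):
    """Return {ip: time_of_ban} for IPs with >= maxretry failures inside a findtime window."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = {}  # bantime = -1: an IP is banned once and stays banned
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines never count
        ip = m.group("ip")
        if ip in ignoreip or ip in banned:
            continue  # whitelisted (ignoreip) or already banned
        now = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        recent = failures[ip]
        while recent and now - recent[0] > window:
            recent.popleft()  # failures older than findtime no longer count
        recent.append(now)
        if len(recent) >= maxretry:
            banned[ip] = now
    return banned


if __name__ == "__main__":
    for ip, when in find_bans(AUTH_LOG).items():
        print(f"ban {ip} (maxretry reached at {when:%Y-%m-%d %H:%M:%S})")
```

With the defaults only 203.0.113.5 is banned: 198.51.100.7 also fails three times, but its first failure falls outside the 3600 s window, and 127.0.0.1 is whitelisted; with the ssh.conf value maxretry = 4 nothing is banned at all.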

The configuration is finally applied with

sudo systemctl restart fail2ban
Other useful commands are:
  • fail2ban-client set JAIL banip IP to ban a given IP address
  • fail2ban-client set JAIL unbanip IP to unban a given IP address
  • fail2ban-client set JAIL addignoreip IP to add an IP to the whitelist

Shorewall

shorewall is a tool to manage iptables easily and to restrict the connections allowed to the server. It is installed with:

sudo apt install shorewall
and a first basic configuration (for a single server) can be obtained with
sudo cp /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall/.

Starting from that, the default policy is described in /etc/shorewall/policy, where a standard configuration can be:

$FW     net             ACCEPT
$FW     all             ACCEPT

net     $FW             DROP            info
net     all             DROP            info

# The FOLLOWING POLICY MUST BE LAST
all     all             REJECT          info
which allows all connections from the firewall to the net and to all other interfaces, drops all connections coming from the net, and rejects all other connections.

Exceptions to these rules are described in /etc/shorewall/rules, which typically should at least contain

PING(ACCEPT)    net     $FW
SSH(ACCEPT)     net     $FW
if you want to allow ping and ssh connections to your server.

Make sure that the file /etc/shorewall/interfaces contains the appropriate configuration

net     NET_IF          dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=YYY
in which YYY is replaced by the name of your network interface as given by ifconfig. Forgetting this setting led me to test the RESCUE mode of Kimsufi after starting shorewall...

shorewall is then enabled by editing the file /etc/default/shorewall, in which the line starting with startup has to be modified to:

startup=1
or (I don't know which one of the two was successful) by running
sudo systemctl enable shorewall
Finally, the value STARTUP_ENABLED of /etc/shorewall/shorewall.conf has to be set to Yes and shorewall is started with
sudo systemctl start shorewall