Fail2ban with VYOS API
Introduction
I, like many people, found that I was getting a few failed ssh attempts per day. I looked at a root account facing the internet and found a little over 32000 failed attempts per day.
Rest assured, these are low-skill attacks with a pretty low risk of compromise, but still, there are a few things that make me want to respond to them. Firstly, it's a lot of noise in the logs. It fills disks and makes it hard to see more dangerous attacks. Second, this confirms malicious intent. Maybe it's just a compromised box that is now part of a botnet, but you never know if it's going to be a platform for another attack.
Finally, even though the probability of compromise is low, there is still a chance.
I know most of these attacks are checking for things like 10-year-old linksys WAPs with default passwords, but the worst case is also out there: distributed brute force attacks and password spraying.
My decision was to block this traffic, but then the next question is: How? I use "fail2ban", which is basically the cheapest and simplest host-based IPS around. I'm using this for SSH, but later I added SMTP and DNS.
This is really a generic technique that works with any API-driven edge firewall. So let's dive right in.
Setting up VYOS
The first step is configuring VYOS for this.
Firewall Rules
The way this will work is that the VYOS firewall will have a firewall rule-set named "OUT-IN" (because I'm creative). The first rule will drop everything coming from an "address group" named 'autoban'. Obviously, use the proper names for your firewall.

set firewall name OUT-IN rule 10 action 'drop'
set firewall name OUT-IN rule 10 protocol 'ip'
set firewall name OUT-IN rule 10 source group address-group 'autoban'
set firewall name OUT-IN rule 20 action 'accept'
set firewall name OUT-IN rule 20 state established 'enable'
set firewall name OUT-IN rule 20 state related 'enable'

In this example, I'm including rule 10 to show you what I'm doing, and how little I'm specifying here. Rule 20 is included just to show that rule 10 comes even before the established/related rules.
Looking at that autoban group, I created the group with a single IP address as a seed. In this case I used 192.168.255.255. It either needs to be something that you actually want to block, or something that will never be matched. I don't use 192.168.0.0/16 address space, so that's safe for me. When in doubt, use the address of someone who tried to log into ssh 20 times.

set firewall group address-group autoban address '192.168.255.255'

I only seeded it with one, because the rest should come automatically.
The only other firewall consideration is that the next step will open port 8080. I don't want to open this to the Internet, just my internal network. I have another rule-set named "OUT-LOCAL" which governs all packets from the external interface (i.e. the internet side) connecting directly to the firewall; I set it to drop this traffic, so the API should only be reachable from my intranet. For extra points, I could (should?) have a rule in IN-LOCAL restricting port 8080 to JUST the hosts that need API access.
Firewall API Configuration
You can find some documentation of these features at:
https://docs.vyos.io/en/equuleus/automation/vyos-api.html
https://docs.vyos.io/en/equuleus/configuration/service/https.html#http-api

set service https api debug
set service https api keys id fail2ban key '0123456789abcdefgABCDEFG987654'
set service https api port '8080'
set service https listen-address 10.1.1.1

This step is pretty self-explanatory. The listen address is the internal IP of the firewall. You can choose a different port if you want to. And please never use that key. There's more you could do, such as setting a certificate. Consider that too :)
Setting up fail2ban
There are really two parts to the fail2ban setup:
1. ssh jail
2. helper scripts
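One way to write the helper script that a fail2ban action would call is shown below. This is an added example, not the script from the original post; it assumes the listen address, port, key id and address-group name configured above, and an environment variable VYOS_API_KEY holding the key (both the variable name and the script's argument convention are my own choices).

```shell
#!/bin/sh
# Added example: fail2ban action helper that adds/removes an address in the
# VyOS 'autoban' address-group through the HTTP API /configure endpoint.
# Assumed (not from the original post): VYOS_URL, VYOS_GROUP and VYOS_API_KEY
# environment variables; defaults match the post's listen-address and port.
VYOS_URL="${VYOS_URL:-https://10.1.1.1:8080}"
GROUP="${VYOS_GROUP:-autoban}"      # the group OUT-IN rule 10 drops

# Accept only a plain dotted-quad IPv4 address, so whatever fail2ban
# substitutes for <ip> cannot smuggle extra characters into the JSON path.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Build the JSON body /configure expects:
#   {"op": "set"|"delete", "path": [ ...configuration path words... ]}
# Returns non-zero (and prints nothing) for an address that fails validation.
vyos_payload() {
    op="$1"; ip="$2"
    valid_ipv4 "$ip" || return 1
    printf '{"op": "%s", "path": ["firewall", "group", "address-group", "%s", "address", "%s"]}' \
        "$op" "$GROUP" "$ip"
}

# POST one configure operation. VyOS takes the payload in a form field named
# "data" and the API key in a form field named "key". -k skips certificate
# verification because the post has not set a certificate yet; drop it once
# the API has one you can verify.
vyos_configure() {
    payload="$(vyos_payload "$1" "$2")" || { echo "refusing bad address: $2" >&2; return 1; }
    curl -sSk --fail -X POST \
        -F "data=$payload" \
        -F "key=${VYOS_API_KEY:?VYOS_API_KEY not set}" \
        "$VYOS_URL/configure"
}

ban()   { vyos_configure set    "$1"; }   # actionban   = /path/to/this ban <ip>
unban() { vyos_configure delete "$1"; }   # actionunban = /path/to/this unban <ip>

case "${1:-}" in
    ban|unban) "$1" "$2" ;;
esac
```

fail2ban's actionban/actionunban lines would invoke this as `ban <ip>` and `unban <ip>`; the unban side matters because the address-group otherwise grows without bound.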
Problems
What do I not like about my setup? VYOS - at least the version I'm running - is very slow at applying firewall changes. I've seen this on other firewall platforms too. Ideally,
Conclusion