Proj 6x: Protecting SSH with Fail2Ban (15 pts.)

What You Need

An Ubuntu or Kali Linux VM, as you prepared in the previous project. Other versions of Linux could be used, but the steps might be different.

Purpose

To protect a server from SSH brute-force login attacks by enforcing a lockout policy that will block hosts that have too many failed login attempts.

Warning About Passwords

If you are using Kali with the default password of "toor", this project will expose your machine to takeover on your local area network.

If you are working in the S214 lab, or using a virtual machine you don't care about, that's OK, but if you want to protect your machine you should change your login password before starting SSH.

Checking Kali Repositories

If you are using Kali, this adjustment may be needed. If you are using Ubuntu, skip this step.

In a Terminal window, execute this command:

nano /etc/apt/sources.list
If you see more than two lines of text, as shown below, your repositories are out-of-date.

Press Ctrl+K repeatedly to delete all the lines in the file.

Then paste in the lines below:

deb http://http.kali.org/kali kali-rolling main contrib non-free

deb-src http://http.kali.org/kali kali-rolling main contrib non-free

Press Ctrl+X, Y, Enter to save the file.

Installing SSH

In a Terminal window, execute this command:
sudo apt-get update
Enter your password if you are prompted to.

In a Terminal window, execute this command:

sudo apt-get install openssh-server -y
If a message about cryptographic algorithms appears, as shown below, press Q to close the message.

In a Terminal window, execute these commands:

sudo service ssh start

sudo netstat -pant

You should see ssh listening on port 22, as shown below. Your Linux machine is now an SSH server.

Note: This SSH server won't automatically start when the server reboots. That's OK for this project, but for a real server you need to configure automatic starting. To do that, see the "Sources" at the bottom of this project.

Finding your SSH Server's IP Address

In a Terminal window, execute this command:
ifconfig
Find the IP address of the interface that goes to the Internet, which is usually eth0, as shown below.

Preparing a Client Machine

You need a second computer of some sort on the same network to test the SSH server. Here are some options: Choose a client machine, and ping the Linux machine from it. If your pings don't get replies, you need to troubleshoot your networking before proceeding.

The next step is different for Windows than for Mac or Linux clients. Use the appropriate instructions.

Testing the Server: Linux or Mac Client

In a Terminal window, execute this command, replacing the IP address with the IP address of your Linux SSH server.
ping 172.16.1.203
You should see replies, as shown below.

If you don't, you need to troubleshoot your networking before proceeding.

Press Ctrl+C to stop the pings.

In a Terminal window, execute this command, replacing the IP address with the IP address of your Linux SSH server.

ssh root@172.16.1.203
A question appears, asking "Are you sure you want to continue connecting (yes/no)?". Enter yes.

When it asks for a password, enter A.

It rejects the password. Enter B.

It rejects the password. Enter C.

It disconnects you. Execute this command again:

ssh root@172.16.1.203
When it asks for a password, enter D.

It rejects the password. Enter E.

It rejects the password. Enter F.

As you can see, there is nothing stopping you from entering as many password guesses as you like.

Testing the Server: Windows Client

In a Command Prompt window, execute this command, replacing the IP address with the IP address of your Linux SSH server.
ping 172.16.1.203
You should see replies, as shown below.

If you don't, you need to troubleshoot your networking before proceeding.

On your Windows machine, in a Web browser, go to

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Download the MSI installer, as shown below.

Double-click the installer file and install the software.

On your Windows desktop, double-click the PuTTY icon.

In the Host Name field, enter your SSH Server's IP address, as shown below.

Click the Open button.

A "PuTTY Security Alert" box pops up, as shown below. Click Yes.

A PuTTY window appears. At the "login as:" prompt, enter

root

When it asks for a password, enter these guesses:

A box pops up saying "Too many authentication failures", as shown below.

There is nothing stopping you from entering as many password guesses as you like. When that box pops up, you can just connect again for another six guesses.

Installing Fail2Ban

On your Linux SSH Server, in a Terminal window, execute these commands:
sudo apt update
sudo apt install fail2ban -y
If an esoteric message appears, as shown below, press Q to close it.

If a "Package configuration" box appears, as shown below, press the Tab key to highlight Yes and then press the SPACEBAR.

Starting Fail2Ban

On your Linux SSH Server, in a Terminal window, execute this command:
sudo service fail2ban start

Test the Server Again

Using your Client machine, repeat the same steps as before, entering several incorrect password guesses.

After a few incorrect guesses, it refuses to connect, as shown below.
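
The lockout comes from counting failed logins per source address inside a time window. The script below is an added example, not part of the original project and not Fail2Ban's own code: it approximates that decision over constructed log lines, and MAXRETRY, FINDTIME, sample_log and banned_hosts are names and values assumed for illustration.

```shell
#!/bin/sh
# Added example: which source addresses would a maxretry/findtime policy ban?
# MAXRETRY and FINDTIME are assumed demo values named after Fail2Ban's
# maxretry and findtime options; they are not read from this server's config.
MAXRETRY=3
FINDTIME=600   # seconds

# Constructed sshd log lines (documentation address ranges, not real hosts).
sample_log() {
cat <<'EOF'
May  3 10:00:01 kali sshd[1201]: Failed password for root from 192.0.2.10 port 50111 ssh2
May  3 10:00:04 kali sshd[1201]: Failed password for root from 192.0.2.10 port 50111 ssh2
May  3 10:00:07 kali sshd[1201]: Failed password for root from 192.0.2.10 port 50111 ssh2
May  3 10:00:16 kali sshd[1209]: Failed password for invalid user from from 198.51.100.7 port 40000 ssh2
May  3 10:01:00 kali sshd[1215]: Accepted password for root from 203.0.113.5 port 41000 ssh2
May  3 10:06:00 kali sshd[1222]: Failed password for root from 198.51.100.7 port 40001 ssh2
May  3 10:12:00 kali sshd[1230]: Failed password for root from 198.51.100.7 port 40002 ssh2
EOF
}

# Read log lines on stdin; print each source IP once, at the moment it
# reaches MAXRETRY failed passwords within FINDTIME seconds.
banned_hosts() {
    awk -v max="$MAXRETRY" -v win="$FINDTIME" '
    # Match on the fields sshd writes itself, not on the client-chosen username.
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" {
        # Seconds since midnight; the sample stays within one day.
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        # Take the address by position from the end of the line, so a
        # username such as "from" cannot shift which field is read.
        ip = $(NF - 3)
        n[ip]++
        seen[ip, n[ip]] = now
        if (!(ip in first)) first[ip] = 1
        # Forget failures that have aged out of the window.
        while (now - seen[ip, first[ip]] > win) first[ip]++
        if (n[ip] - first[ip] + 1 >= max && !(ip in banned)) {
            banned[ip] = 1
            print ip
        }
    }'
}

sample_log | banned_hosts
```

On the server itself, sudo fail2ban-client status sshd lists the addresses Fail2Ban has actually banned in its sshd jail.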

Viewing the Firewall Rule

On your Linux SSH Server, in a Terminal window, execute this command:
sudo iptables -L
You see a "REJECT all" rule, as shown below.

Saving the Screen Image

Make sure the "REJECT all" rule is visible, as shown above.

Click the host computer's desktop. Press Shift+PrntScrn to capture the entire desktop. If you are using a Mac, press Shift+Cmd+3.

YOU MUST SUBMIT A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Save this image with the filename "Proj 6x from YOUR NAME"

Turning in Your Project

Email the image to cnit.129S@gmail.com with a subject of "Proj 6x from YOUR NAME".

Sources

Kali Linux remote SSH – How to configure openSSH server
How To Protect SSH with Fail2Ban on Ubuntu 14.04
How Fail2Ban Works to Protect Services on a Linux Server
How to add official Kali Linux Repositories?

Posted 10-20-16
Updated for dynamically-created iptables rules 5-3-2020

Sam Bowne