From my basic understanding of iptables, I put together the setup below, intended to run a Tor relay... here it is after approximately 6 hours. Please note, I do not want to discuss any Tor operations, so I should not be pointed to https://tor.stackexchange.com/. Thank you.
There was a large attack on port 22, which I spotted when I woke up, so I've changed it. Password authentication was already disabled, but the person/bot tried to break in anyway. I have an 8192-bit RSA public/private key, so I hope it will be enough.
# iptables -L -v --line-numbers
outputs:
Chain INPUT (policy DROP 8242 packets, 735K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- any any anywhere anywhere ctstate NEW tcp flags:!FIN,SYN,RST,ACK/SYN /* protection: non-syn packets */
2 10 452 DROP all -- any any anywhere anywhere ctstate INVALID /* protection: malformed packets */
3 20 1000 ACCEPT all -- lo any anywhere anywhere /* loopback: compulsory */
4 3 98 ACCEPT icmp -- any any anywhere anywhere icmp echo-request limit: avg 2/sec burst 5 /* ICMP: ping only */
5 16625 9388K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED /* traffic */
6 7 420 ACCEPT tcp -- any any anywhere anywhere ctstate NEW,ESTABLISHED tcp dpt:xxyyzz /* SSH: global obfuscated */ <-- CENSORED
7 438 26080 ACCEPT tcp -- any any anywhere anywhere tcp dpt:9001 /* Tor: OR */
8 558 30828 ACCEPT tcp -- any any anywhere anywhere tcp dpt:9030 /* Tor: Dir */
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16969 packets, 6369K bytes)
num pkts bytes target prot opt in out source destination
I would like to deploy fail2ban, but I have never used it, so I found several guides to set it up, but I believe we should have an example on this site. I did find too many results for fail2ban alone, however nothing relevant for fail2ban initial setup?
If this for whatever reason can't be done here, please comment and I'll delete this question later on.
System: Debian GNU/Linux 11 (bullseye) with openssh-server for the ssh service.
Thank you in advance!
PS: Migrated from https://security.stackexchange.com/
Installing f2b on deb is fairly simple. I had written about it in a post before (https://dev.slickalpha.blog/2019/11/installing-lemp-stack-on-debian-buster.html#sv-fail2ban).
First you install f2b
Copy config to local
and make your edits on the local file
Update default values (port 22 is pre-enabled on f2b)
Restart f2b
Check status of sshd 22
Apart from this, using a key with a passphrase should be enough. You can always fine-tune f2b.
Update:
Fail2ban basically checks logs for IPs using regex filters, and blocks matching IPs using iptables.
To list the enabled jails (regex filters for a service in f2b):
To defend a custom port or service, check if regex filters for that service are present. If they are present, say jail-name.conf, just enable them in the f2b local file.
Under syntax, let's say if sshd was not enabled, add
enabled = true
to the sshd jail. To test the jails against your logs and update the regex if missing:
If jails do not exist for a service or port, check online for those filters, add those filters to
/etc/fail2ban/filter.d
and enable them in the local config file.
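As an added example (not the answer author's code, and not shipped by the fail2ban project), the script below puts the steps of the answer together for the situation in the question: sshd moved to a non-default port, an INPUT chain with a DROP policy, and no fail2ban yet. It writes a minimal jail.local override, lists the host-side commands, and then simulates what the sshd jail does internally by running a cut-down failregex over constructed auth.log lines and printing the iptables rule the iptables-multiport action would add. Assumptions that are not on the page: the SSH port is 2222 (a stand-in for the censored "xxyyzz"), maxretry=5, findtime=10m, bantime=1h, and the sample log lines are constructed rather than captured.

```shell
#!/bin/sh
# Added example, not the answer author's code: minimal fail2ban bring-up for
# sshd on a non-default port (Debian 11), plus a simulation of how a jail's
# failregex turns auth.log lines into a ban. Assumed values (not from the
# page): SSH port 2222, maxretry=5, findtime=10m, bantime=1h.

# 1) Write a small jail.local override. jail.conf itself stays untouched
#    because package upgrades replace it; jail.local is read afterwards and
#    wins for every key it sets.
write_jail_local() {
    port="$1"; out="$2"
    cat > "$out" <<EOF
[DEFAULT]
# iptables-multiport creates a per-jail chain (f2b-sshd) and hooks it into
# INPUT with -I, so bans are evaluated before the static rules in the question.
banaction = iptables-multiport
bantime  = 1h
findtime = 10m
maxretry = 5
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port    = $port
EOF
}

# 2) The host-side procedure (run as root; defined only, not called here).
install_and_enable() {
    apt-get install -y fail2ban
    write_jail_local "$SSH_PORT" /etc/fail2ban/jail.local
    systemctl restart fail2ban
    fail2ban-client status sshd          # jail loaded, currently banned IPs
    # Dry-run the stock sshd filter against the real log to see what matches:
    fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
}

# 3) What the sshd jail does internally, reduced to a pipeline. The pattern is
#    a simplified subset of filter.d/sshd.conf's failregex (two common failure
#    lines only); <HOST> in the real filter corresponds to group 2 here.
#    Real fail2ban also limits the count to the findtime window.
find_offenders() {
    log="$1"; maxretry="$2"
    printf '%s\n' "$log" |
    sed -n -E 's/.*sshd\[[0-9]+\]: (Invalid user .* from|Failed password for .* from) ([0-9.]+) port.*/\2/p' |
    sort | uniq -c |
    awk -v max="$maxretry" '$1 >= max { print $2 }'
}

# 4) The rule the iptables-multiport action adds on a ban (actionban in
#    action.d/iptables-common.conf): a REJECT at the top of the jail's chain.
ban_command() {
    printf 'iptables -I f2b-sshd 1 -s %s -j REJECT --reject-with icmp-port-unreachable\n' "$1"
}

SSH_PORT="${SSH_PORT:-2222}"

# Constructed sample: one source above maxretry, one below it, one success.
SAMPLE_LOG='Jan 10 06:00:01 relay sshd[1201]: Invalid user admin from 203.0.113.5 port 50122
Jan 10 06:00:01 relay sshd[1201]: Connection closed by invalid user admin 203.0.113.5 port 50122 [preauth]
Jan 10 06:00:04 relay sshd[1203]: Invalid user oracle from 203.0.113.5 port 50130
Jan 10 06:00:07 relay sshd[1205]: Failed password for root from 203.0.113.5 port 50138 ssh2
Jan 10 06:00:09 relay sshd[1207]: Failed password for root from 203.0.113.5 port 50142 ssh2
Jan 10 06:00:12 relay sshd[1209]: Invalid user test from 203.0.113.5 port 50150
Jan 10 06:01:30 relay sshd[1220]: Failed password for root from 198.51.100.7 port 41000 ssh2
Jan 10 06:02:00 relay sshd[1225]: Accepted publickey for relay from 192.0.2.10 port 39000 ssh2'

for ip in $(find_offenders "$SAMPLE_LOG" 5); do
    echo "would ban $ip:"
    ban_command "$ip"
done
```

Two points worth checking on the real box. First, the chain in the question has a DROP policy and accepts RELATED,ESTABLISHED before the SSH rule; the iptables-multiport action inserts its jump into INPUT with -I, so the f2b-sshd chain sits ahead of those rules and a banned source is rejected regardless. Second, with password authentication disabled most failed attempts are logged differently from the two line types simulated above, so run the fail2ban-regex dry run from install_and_enable and confirm the stock filter actually counts the lines your auth.log contains before relying on the jail.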