
Block Unwanted SSH Login Attempts using PyFilter on Ubuntu 16.04


Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an untrusted network. It is typically used for remote administration of a system or for transferring files. When SSH is exposed to the public internet it attracts unwanted attention: you will find bots attempting to guess your password by brute force.

PyFilter aims to filter out the illegitimate login requests to your server and block their source if too many are sent. It works by reading log files and checking whether repeated failed requests have come from the same IP address within a user-configurable amount of time. If it captures too many failed attempts, it adds rules to the firewall that deny that address the ability to connect to your server.

In this guide, we'll walk you through the steps to install and configure PyFilter to block unwanted SSH requests on an Ubuntu 16.04 machine.


Prerequisites
One Ubuntu 16.04 server
Python 3, which is already installed by default on Ubuntu 16.04.
pip installed with sudo apt-get install python3-pip.
git, for cloning the repository (install it with sudo apt-get install git if it is missing).


Downloading and Configuring PyFilter
We will download PyFilter by cloning its repository from GitHub. Switch to your home directory and clone the repository:

cd ~
git clone https://github.com/Jason2605/PyFilter.git


This will create a directory called PyFilter. Move this folder to the /usr/local folder:

sudo mv PyFilter /usr/local/PyFilter

Then change to the /usr/local/PyFilter directory:

cd /usr/local/PyFilter

Next, we need to make a configuration file. PyFilter comes with a default configuration file located at Config/config.default.json. We'll copy this and edit the copy rather than editing the default file directly. This way, if something goes wrong, you still have the default config file to compare against.

Copy the default configuration file:

sudo cp Config/config.default.json Config/config.json

You can use the less command to view the contents of the configuration file:

less Config/config.json

The default settings ban an address after 5 failed requests, each arriving within 5 seconds of the previous one; they are good enough to get going. Let's run PyFilter and ensure things work.


Running PyFilter
The PyFilter download includes a script called run.sh which you should use to launch PyFilter.

First, change the permissions on the script to make it executable.

sudo chmod +x run.sh

Once the permissions have been granted, run the script to start PyFilter:

./run.sh

PyFilter will start watching logs and you will see output as events happen:

Output
No file to check within rule: Mysql
No file to check within rule: Apache
No file to check within rule: Nginx
Checking Ssh logs


By default, PyFilter bans IPs that make five or more failed requests, each within 5 seconds of the previous failed request. You can change both the count and the time window in the PyFilter configuration file.
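To make that rule concrete, here is an added Python illustration of the ban decision, run over a few constructed auth.log lines. It is not PyFilter's own code: the regular expression, the function names (find_bans, drop_rules) and the sample log are assumptions made for this example, and it only computes the decision rather than touching iptables.

```python
"""Ban decision in the style the tutorial describes: an address is banned once it
produces `threshold` failed SSH logins, each within `window` seconds of the
previous failure from the same address. Added example, not PyFilter's code."""
import ipaddress
import re
from datetime import datetime

# Constructed sample in the syslog format sshd writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Mar 26 10:50:01 host sshd[1201]: Failed password for root from 202.0.112.14 port 40122 ssh2
Mar 26 10:50:02 host sshd[1202]: Failed password for invalid user admin from 202.0.112.14 port 40123 ssh2
Mar 26 10:50:03 host sshd[1203]: Failed password for root from 202.0.112.14 port 40124 ssh2
Mar 26 10:50:05 host sshd[1204]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
Mar 26 10:50:06 host sshd[1205]: Failed password for root from 202.0.112.14 port 40125 ssh2
Mar 26 10:50:08 host sshd[1206]: Failed password for root from 202.0.112.14 port 40126 ssh2
Mar 26 10:50:09 host sshd[1207]: Failed password for root from 203.0.113.9 port 40200 ssh2
Mar 26 10:50:20 host sshd[1208]: Failed password for root from 203.0.113.9 port 40201 ssh2
Mar 26 10:50:21 host sshd[1209]: Failed password for root from 203.0.113.9 port 40202 ssh2
Mar 26 10:50:22 host sshd[1210]: Failed password for root from 203.0.113.9 port 40203 ssh2
Mar 26 10:50:23 host sshd[1211]: Failed password for root from 203.0.113.9 port 40204 ssh2
Mar 26 10:51:30 host sshd[1212]: Failed password for root from 203.0.113.9 port 40205 ssh2
Mar 26 10:52:00 host sshd[1213]: Failed password for root from 202.0.112.14 port 40127 ssh2
"""

# Matches the line sshd logs for a wrong password; "invalid user" is optional
# because sshd adds it only when the user name does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def find_bans(lines, threshold=5, window=5, year=2018, whitelist=()):
    """Return, in order of detection, the addresses that cross the threshold.

    Syslog timestamps carry no year, so `year` is supplied by the caller."""
    last_failure = {}   # ip -> time of its most recent failed login
    streak = {}         # ip -> failures so far, each within `window` of the last
    banned = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                       # successful logins and other noise
        ip = m.group("ip")
        if ip in whitelist or ip in banned:
            continue                       # never count trusted or already-banned sources
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        prev = last_failure.get(ip)
        if prev is not None and (ts - prev).total_seconds() <= window:
            streak[ip] += 1
        else:
            streak[ip] = 1                 # gap too long: the streak starts over
        last_failure[ip] = ts
        if streak[ip] >= threshold:
            banned.append(ip)
    return banned


def drop_rules(ips):
    """Render the iptables rules a PyFilter-style snapshot holds, one per address."""
    return [f"-A INPUT -s {ipaddress.ip_network(ip).with_prefixlen} -j DROP" for ip in ips]


if __name__ == "__main__":
    hits = find_bans(SAMPLE_AUTH_LOG.splitlines())
    print("banned:", hits)                 # ['202.0.112.14']
    print("\n".join(drop_rules(hits)))
```

In the sample, 202.0.112.14 fails five times with at most three seconds between attempts and is banned; 203.0.113.9 also fails repeatedly but its first two attempts are eleven seconds apart, so its streak restarts and never reaches five. Widening the window to 20 seconds catches it too, which is the trade-off you make when you change the defaults.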

These results are logged to the /usr/local/PyFilter/Log directory as well.

When an IP has reached the limits that warrant a ban, you will see output similar to this:

Output
2018-03-26 10:50:18 Found IP: 202.0.112.14 from server: your_server_name.

To close PyFilter, press CTRL+C.

Now let's install PyFilter as a service so it runs automatically.


Creating a service for PyFilter
Now that you know that PyFilter works, let's configure it to run as a service so it starts every time we reboot the server.

Within the PyFilter directory, there is a script called install.sh which creates a service for PyFilter and enables it to run on system startup.

Modify the script so you can execute it:

sudo chmod +x install.sh

Then launch the script:

./install.sh

You'll see this output, indicating the installation was successful:

Output
Service created and enabled, check the status of it by using "sudo systemctl status PyFilter"

So let's do just that to ensure everything is running correctly:

sudo systemctl status PyFilter

You'll see this output, showing that the service is active:

Output
PyFilter.service - PyFilter
   Loaded: loaded (/etc/systemd/system/PyFilter.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-03-26 18:55:35 UTC; 12s ago
 Main PID: 8383 (bash)
   CGroup: /system.slice/PyFilter.service
           ├─8383 bash /usr/local/PyFilter/run.sh
           ├─8384 sudo python3 run.py
           └─8387 python3 run.py


If you see an error, check the service log with sudo journalctl -u PyFilter and review the installation steps again.


Un-banning IP Addresses
PyFilter is purely a means of banning IP addresses by creating iptables rules. When it bans an IP, it adds a DROP rule for that address and then saves snapshots of the rules, in iptables-save format, to the files /usr/local/PyFilter/Config/blacklist.v4 and /usr/local/PyFilter/Config/blacklist.v6.

Here's an example of several banned IPv4 addresses in /usr/local/PyFilter/Config/blacklist.v4:

more /usr/local/PyFilter/Config/blacklist.v4

# Generated by iptables-save v1.6.0 on Thu Mar 26 11:02:04 2018
*filter
:INPUT ACCEPT [217:30580]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [249:30796]
-A INPUT -s 202.0.112.11/32 -j DROP
-A INPUT -s 202.0.112.12/32 -j DROP
-A INPUT -s 202.0.112.13/32 -j DROP

COMMIT
# Completed on Thu Mar 26 11:02:04 2018



To un-ban an IP address, open the associated blacklist file in your text editor:

sudo nano /usr/local/PyFilter/Config/blacklist.v4

Remove the associated iptables rules from the file. In this case, we've removed 202.0.112.11 from the file:

more /usr/local/PyFilter/Config/blacklist.v4

# Generated by iptables-save v1.6.0 on Thu Mar 26 11:05:04 2018
*filter
:INPUT ACCEPT [217:30580]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [249:30796]
-A INPUT -s 202.0.112.12/32 -j DROP
-A INPUT -s 202.0.112.13/32 -j DROP
COMMIT
# Completed on Thu Mar 26 11:05:04 2018


Then save the file and close the editor. Remove only the -A INPUT line for that address; the *filter, chain policy and COMMIT lines must stay, or iptables-restore will reject the file. Restart PyFilter with sudo systemctl restart PyFilter and PyFilter will update your firewall rules using this file.
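Editing the snapshot by hand is easy to get wrong when several similar addresses are banned (202.0.112.1 is a prefix of 202.0.112.11). The following added Python example removes exactly one address from an iptables-save snapshot and leaves everything else intact; it is not PyFilter's own code, and the function names (banned_ips, unban) and the sample snapshot are assumptions made for this illustration.

```python
"""Edit an iptables-save snapshot such as PyFilter's Config/blacklist.v4 to
un-ban one address without disturbing the rest of the file. Added example, not
PyFilter's code; the snapshot below is constructed after the tutorial's."""
import ipaddress
import re

SAMPLE_BLACKLIST_V4 = """\
# Generated by iptables-save v1.6.0 on Thu Mar 26 11:02:04 2018
*filter
:INPUT ACCEPT [217:30580]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [249:30796]
-A INPUT -s 202.0.112.1/32 -j DROP
-A INPUT -s 202.0.112.11/32 -j DROP
-A INPUT -s 202.0.112.12/32 -j DROP
COMMIT
# Completed on Thu Mar 26 11:02:04 2018
"""

# The shape of the rule lines PyFilter writes, as shown in the tutorial.
DROP_RE = re.compile(r"^-A INPUT -s (?P<net>\S+) -j DROP$")


def banned_ips(snapshot):
    """List the addresses the snapshot drops, in file order."""
    ips = []
    for line in snapshot.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            ips.append(str(ipaddress.ip_network(m.group("net")).network_address))
    return ips


def unban(snapshot, ip):
    """Return the snapshot with the DROP rule for exactly `ip` removed.

    The comparison is on the parsed address, so removing 202.0.112.1 leaves
    202.0.112.11 alone, which a plain substring search would not guarantee.
    Raises ValueError if no rule for the address exists, so a typo is noticed
    rather than silently leaving the ban in place."""
    target = ipaddress.ip_network(ip)      # "202.0.112.1" -> 202.0.112.1/32
    kept, removed = [], 0
    for line in snapshot.splitlines():
        m = DROP_RE.match(line.strip())
        if m and ipaddress.ip_network(m.group("net")) == target:
            removed += 1
            continue
        kept.append(line)                  # *filter, policies, COMMIT stay intact
    if removed == 0:
        raise ValueError(f"no DROP rule for {ip} in snapshot")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    edited = unban(SAMPLE_BLACKLIST_V4, "202.0.112.1")
    print(banned_ips(edited))              # ['202.0.112.11', '202.0.112.12']
```

Write the result back to the blacklist file and restart PyFilter as described above so the live rules follow the file. If the address must be reachable before the restart, the live rule can be removed directly with sudo iptables -D INPUT -s 202.0.112.1 -j DROP; do both, or the next restart will reapply the rule from the unchanged snapshot.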

You can also tell PyFilter to ignore certain IP addresses by adding them to the whitelisted section within the /usr/local/PyFilter/Config/config.json file. Add the address you administer the server from before relying on PyFilter: with the default thresholds, a burst of mistyped passwords from your own workstation can lock you out.


Conclusion
You now have PyFilter installed, running as a service, and monitoring your SSH logins, banning any source that repeatedly fails to authenticate.
