Blocking of Unwanted SSH Login with PyFilter on Ubuntu Version 16.04 in Cloud


SSH (Secure Shell) is a cryptographic network protocol for operating network services securely. Most commonly it is used for remote login to a computer system or for transferring files. Once SSH is exposed to the public internet, it becomes a security concern: for example, you will find bots trying to guess passwords using brute-force strategies.


PyFilter aims to filter illegitimate login requests to the server and block their source if too many are sent. PyFilter works by reading log files and checking whether several unsuccessful requests have come from the same IP address within a user-configurable amount of time. If it sees that many failed attempts, it adds rules to the firewall that deny that address the ability to connect to the server.


Steps to block unwanted SSH login attempts with PyFilter on Ubuntu 16.04:


1) Downloading and Configuring of PyFilter:


You can download PyFilter by cloning its repository. Switch to your home directory and clone the repository:


cd ~

git clone https://example.com/abcd2605/PyFilter.git


This creates a directory called PyFilter. Move this folder to /usr/local:


sudo mv PyFilter /usr/local/PyFilter


Then change to the /usr/local/PyFilter directory:


cd /usr/local/PyFilter


Copy the default configuration file:


sudo cp Config/config.default.json Config/config.json


You can use the less command to view the contents of the configuration file:


less Config/config.json



2) Running PyFilter:


The PyFilter download includes a script called run.sh which you can use to launch PyFilter.


Change the permissions on the script to make it executable:


sudo chmod +x run.sh


Once the permissions have been granted, run the script to start PyFilter:


./run.sh


PyFilter will begin watching the logs and you will see output as events happen:


Output

No file to check within rule: Mysql

No file to check within rule: Apache

No file to check within rule: Nginx

Checking Ssh logs


By default, PyFilter bans an IP that makes five or more failed requests, each within 5 seconds of the previous failed request. You can change this in the PyFilter configuration file.
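To make that banning rule concrete, here is an added example (not PyFilter's own code) that applies the same logic to sshd lines in the syslog format of /var/log/auth.log and emits the iptables rule PyFilter would write. It assumes a fixed year (syslog timestamps omit it) and uses constructed sample lines with documentation IP addresses.

```python
import re
from datetime import datetime

# Constructed sample of sshd lines in /var/log/auth.log syslog format (hypothetical hosts/IPs).
SAMPLE_AUTH_LOG = """\
Jun 29 15:20:30 host sshd[1201]: Failed password for root from 203.0.113.13 port 50122 ssh2
Jun 29 15:20:31 host sshd[1201]: Failed password for root from 203.0.113.13 port 50122 ssh2
Jun 29 15:20:33 host sshd[1202]: Failed password for invalid user admin from 203.0.113.13 port 50130 ssh2
Jun 29 15:20:36 host sshd[1203]: Failed password for root from 203.0.113.13 port 50140 ssh2
Jun 29 15:20:40 host sshd[1204]: Failed password for root from 203.0.113.13 port 50150 ssh2
Jun 29 15:20:41 host sshd[1205]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Jun 29 15:20:42 host sshd[1206]: Failed password for root from 203.0.113.14 port 51000 ssh2
Jun 29 15:21:50 host sshd[1207]: Failed password for root from 203.0.113.14 port 51001 ssh2
Jun 29 15:21:51 host sshd[1208]: Failed password for root from 203.0.113.14 port 51002 ssh2
"""

ASSUMED_YEAR = 2017  # assumption: syslog lines carry no year, so one is supplied here
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (\d+\.\d+\.\d+\.\d+) port"
)


def find_ips_to_ban(log_text, limit=5, window=5):
    """Return IPs that reach `limit` failures, each within `window` seconds of the previous one."""
    last_failure = {}  # ip -> time of that IP's previous failed attempt
    streak = {}        # ip -> length of the current run of closely spaced failures
    banned = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines never count
        when = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        prev = last_failure.get(ip)
        if prev is not None and (when - prev).total_seconds() <= window:
            streak[ip] += 1
        else:
            streak[ip] = 1  # gap longer than the window: the run starts over
        last_failure[ip] = when
        if streak[ip] >= limit and ip not in banned:
            banned.append(ip)
    return banned


def iptables_rules(ips):
    """Rules in the iptables-save form that PyFilter stores in Config/blacklist.v4."""
    return [f"-A INPUT -s {ip}/32 -j DROP" for ip in ips]
```

In the sample, 203.0.113.13 fails five times with gaps of at most 4 seconds and is banned, while 203.0.113.14 has a 68-second gap that resets its count, so it is not.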


When an IP reaches the limit that warrants a ban, you will see output like the following:


2017-06-29 15:20:45 Found IP: 000.0.000.00 from server: the_server_name.


3) Creating a service for PyFilter:


Change the permissions on the install script so that you can execute it:


sudo chmod +x install.sh


Then launch the script:


./install.sh


You will see the following output, indicating that the installation was successful:


Service created and enabled, check the status of it by using sudo systemctl status PyFilter


Do just that to make sure everything is running properly:


sudo systemctl status PyFilter


You will see output like the following, showing that the service is active:


PyFilter.service - PyFilter

  Loaded: loaded (/etc/systemd/system/PyFilter.service; enabled; vendor preset: enabled)

  Active: active (running) since Fri 2017-08-17 20:14:19 UTC; 18s ago

Main PID: 8383 (bash)

  CGroup: /system.slice/PyFilter.service

          ├─8383 bash /usr/local/PyFilter/run.sh

          ├─8384 sudo python3 run.py

          └─8387 python3 run.py



4) Un-banning IP addresses:


PyFilter bans IP addresses by creating iptables rules. When it bans an IP, it updates the firewall rules and saves a snapshot of the rules to the files


/usr/local/PyFilter/Config/blacklist.v4

/usr/local/PyFilter/Config/blacklist.v6


/usr/local/PyFilter/Config/blacklist.v4

# Generated by iptables-save v1.6.0 on Mon Apr 17 13:25:10 2017

*filter

:INPUT ACCEPT [217:30580]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [249:30796]

-A INPUT -s 203.0.113.13/32 -j DROP

-A INPUT -s 203.0.113.14/32 -j DROP

-A INPUT -s 203.0.113.15/32 -j DROP

COMMIT

# Completed on Mon Apr 17 13:25:10 2017


To un-ban an IP address, open the associated blacklist file in a text editor:


sudo nano /usr/local/PyFilter/Config/blacklist.v4


Remove the iptables rule for that address from the file. For example, here we have removed the rule for 203.0.113.13 from the snapshot shown above, leaving the other two rules in place:


/usr/local/PyFilter/Config/blacklist.v4

# Generated by iptables-save v1.6.0 on Mon Apr 17 13:25:10 2017

*filter

:INPUT ACCEPT [217:30580]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [249:30796]

-A INPUT -s 203.0.113.14/32 -j DROP

-A INPUT -s 203.0.113.15/32 -j DROP

COMMIT

# Completed on Mon Apr 17 13:25:10 2017


Save the file and close the editor. Then restart PyFilter with sudo systemctl restart PyFilter, and PyFilter will update the firewall rules from the file.