Fail2ban – block failed login attempts

Fail2ban is a log-parsing daemon that watches service logs (sshd, Apache, mail servers and others) for the symptoms of an automated attack on your server. If you look at the authentication logs of an Internet-facing host you will usually see repeated, systematic login failures from the same source addresses: brute-force attempts by bots and opportunistic users alike. Fail2ban turns those failed attempts into a block on the offending address.

When an address exceeds the configured number of failures inside the detection window, fail2ban runs a ban action, by default a new iptables rule (firewalld and nftables actions exist as well), which drops traffic from the attacker's IP address for a set amount of time; bantime = -1 makes the ban permanent. If a mail action is configured, fail2ban will also alert you by email that an attack is occurring.

The fail2ban package is in the standard Debian and Ubuntu repositories and, for CentOS/RHEL, in EPEL; source releases are available for other Linux systems.

Installing Fail2ban on CentOS 7

Ensure your system is up to date and install the EPEL repository:

# yum update && yum install epel-release
# yum install fail2ban

This installs fail2ban, but on CentOS the service is neither started nor enabled automatically, and no jail is enabled by default, so you will want to edit the configuration before starting the daemon. The configuration lives under /etc/fail2ban/: fail2ban.conf holds daemon settings (log level, socket), jail.conf the jail defaults, and your own overrides belong in jail.local (see "Configure fail2ban" below).
Install Sendmail if you want fail2ban to send alerts by email:

# yum install sendmail

Start and enable Fail2ban

# systemctl start fail2ban
# systemctl enable fail2ban

For Sendmail

# systemctl start sendmail
# systemctl enable sendmail

Installing Fail2ban on Debian / Ubuntu

Make sure the system is up to date, then install the package:

# apt-get update && apt-get upgrade -y
# apt-get install fail2ban

The service starts automatically, and on Debian and Ubuntu the sshd jail is enabled out of the box (via /etc/fail2ban/jail.d/defaults-debian.conf).
fail2ban monitors /var/log/auth.log for failed access attempts, so as soon as the daemon is running your SSH port (22) is protected against brute-force attacks: an address that fails more than maxretry times within findtime seconds is banned for bantime seconds.

Actions taken by the daemon are logged by default in /var/log/fail2ban.log

Configure fail2ban

Do not edit /etc/fail2ban/jail.conf directly; the package manager replaces it on upgrades. Put your changes in /etc/fail2ban/jail.local, which is read after jail.conf and overrides it section by section. Most entries don't need to be changed, but there are a few that you might want to edit. Settings in [DEFAULT] apply to every jail unless the jail sets its own value:

[DEFAULT]
# ban an address after 3 failures within 600 s (10 min), for 900 s (15 min);
# bantime = -1 makes bans permanent
maxretry = 3
findtime = 600
bantime = 900

To receive emails, set the destination address and choose an action that sends mail: action_mw bans and mails a whois report on the attacker, action_mwl additionally includes the matching log lines. The default action (action_) only bans. Replace the addresses with your own:

[DEFAULT]
destemail = you@example.com
sender = fail2ban@example.com
mta = sendmail
action = %(action_mwl)s

Jails are disabled by default (Debian/Ubuntu enables sshd in jail.d/defaults-debian.conf) and are enabled per service. If you want to monitor Apache authentication failures:

[apache-auth]
enabled = true

The SSH jail reads the distribution's sshd log (/var/log/auth.log on Debian/Ubuntu, /var/log/secure on CentOS/RHEL) through the %(sshd_log)s path variable, so logpath normally needs no change:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s

After editing, reload the daemon with fail2ban-client reload and check a jail with fail2ban-client status sshd, which lists the currently banned addresses. To test a filter against a log file before enabling a jail, run fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf. For the remaining options, check the fail2ban documentation.
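The three [DEFAULT] values interact in a way the option names alone do not make obvious: only failures inside the trailing findtime window are counted, and a banned address starts from zero once bantime elapses. The following Python script, added here as an illustration and not part of fail2ban, replays constructed sshd log lines through a simplified copy of the sshd failregex and applies that rule, so you can see which addresses the settings above would ban. The log lines, the hostname web1, the IP addresses and the assumed year are all made up.

```python
"""Sliding-window ban logic in the style of fail2ban, run over constructed sshd log lines.

Added example, not fail2ban's own code: it replays auth.log lines through a regex
modelled on fail2ban's sshd filter and applies the maxretry / findtime / bantime
rule from the configuration above, so the effect of each setting can be seen.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Same values as the [DEFAULT] section: 3 failures within 600 s earn a 900 s ban.
MAXRETRY = 3
FINDTIME = 600
BANTIME = 900

# Simplified version of fail2ban's sshd failregex: syslog timestamp, host, sshd[pid],
# then "Failed password for [invalid user] <name> from <ip> port <n>".
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample of /var/log/auth.log (assumed year 2024; syslog omits the year).
SAMPLE_LOG = """\
Mar 10 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 10 10:00:03 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Mar 10 10:00:05 web1 sshd[2103]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar 10 10:00:06 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 10 10:01:00 web1 sshd[2110]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Mar 10 10:05:00 web1 sshd[2111]: Failed password for alice from 198.51.100.20 port 40101 ssh2
Mar 10 10:12:00 web1 sshd[2112]: Failed password for alice from 198.51.100.20 port 40102 ssh2
Mar 10 10:20:00 web1 sshd[2120]: Failed password for root from 203.0.113.7 port 50300 ssh2
"""


def parse_failures(lines, year=2024):
    """Return (timestamp, ip) for every line the failregex matches, in log order."""
    out = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["ip"]))
    return out


def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines and return [(ip, 'Mon dd HH:MM:SS')] for each ban issued.

    A ban is issued when an address accumulates `maxretry` failures whose
    timestamps all lie within the last `findtime` seconds; it expires after
    `bantime` seconds, after which the address starts again with a clean slate.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned_until = {}             # ip -> time the current ban expires
    bans = []
    for ts, ip in parse_failures(lines):
        if ip in banned_until and ts >= banned_until[ip]:
            del banned_until[ip]  # bantime elapsed: the firewall rule is removed
        if ip in banned_until:
            continue              # still banned; nothing more to do
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # failures older than findtime no longer count
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts.strftime("%b %d %H:%M:%S")))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, when in scan(SAMPLE_LOG.splitlines()):
        print(f"ban {ip} at {when} for {BANTIME}s")
```

With the values from the configuration above, 203.0.113.7 is banned at 10:00:06 after three failures in five seconds, while 198.51.100.20, which fails three times spread over eleven minutes, is never banned because its first failure has aged out of the 600-second window by the third attempt; raising findtime to 900 catches it as well. The real filters in /etc/fail2ban/filter.d/ cover far more sshd message variants than the single pattern used here.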

arp-scan – ARP scan tool

arp-scan (also called an ARP sweep or MAC scanner) is a very fast ARP packet scanner that shows every active IPv4 device on your subnet. ARP is a link-layer protocol and is not routed, so this type of scan only works on the local LAN (the subnet or network segment the scanning interface is attached to); hosts on other VLANs or behind a router have to be scanned from a machine on their own segment.

The scan shows all active devices even if they run a host firewall. A host must answer ARP requests for its own address to communicate on the segment at all, so devices cannot hide from ARP packets the way they can hide from ping or TCP probes.

  • Send ARP packets to any number of destination hosts, using a configurable output bandwidth or packet rate.
    This is useful for system discovery, where you may need to scan large address spaces.
  • Construct the outgoing ARP packet in a flexible way.
    arp-scan gives control of all of the fields in the ARP packet and the fields in the Ethernet frame header.
  • Decode and display any returned packets.
    arp-scan will decode and display any received ARP packets and lookup the vendor using the MAC address.
  • Fingerprint IP hosts using the arp-fingerprint tool.

How to install arp-scan

To install arp-scan on Ubuntu or Debian:

# apt-get install arp-scan

To install arp-scan on CentOS or Red Hat, enable EPEL first (Fedora carries the package in its main repository, so skip the first step there):

# yum install epel-release
# yum install arp-scan

arp-scan sends raw Ethernet frames, so it has to run as root. To list the live hosts on the local subnet, point it at the interface attached to that subnet with -I and use -l (--localnet), which derives the target range from the interface's own address and netmask:

# arp-scan -I eth1 -l
Starting arp-scan 1.9.2 with 32 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
10.10.11.193 cc:4e:24:c7:71:14 test Communications Systems, Inc.
10.10.11.194 00:50:56:3e:57:25 VMware, Inc.
10.10.11.196 00:50:56:09:67:4e VMware, Inc.
10.10.11.197 00:50:56:w4:1d:fb VMware, Inc.
10.10.11.199 00:50:56:61:f8:f6 VMware, Inc.
10.10.11.202 00:50:56:a2:0d:09 VMware, Inc.
10.10.11.203 00:50:56:89:2n:a8 VMware, Inc.
10.10.11.204 00:50:56:89:27:77 VMware, Inc.
10.10.11.205 00:50:56:59:76:e7 VMware, Inc.
10.10.11.206 00:50:56:2e:3a:e3 VMware, Inc.
10.10.11.207 00:50:56:89:18:33 VMware, Inc.
10.10.11.208 00:50:56:2e:21:60 VMware, Inc.
10.10.11.209 00:50:56:1e:27:0a VMware, Inc.
10.10.11.210 00:50:56:89:24:46 VMware, Inc.
10.10.11.211 00:50:56:1e:3b:9a VMware, Inc.
10.10.11.212 00:50:56:89:3c:11 VMware, Inc.
10.10.11.216 00:50:56:2e:1e:da VMware, Inc.
10.10.11.218 00:50:56:3e:21:5c VMware, Inc.
10.10.11.220 00:0c:29:57:69:74 VMware, Inc.
10.10.11.222 00:50:56:8e:31:66 VMware, Inc.
10.10.11.213 00:50:56:89:45:00 VMware, Inc.
10.10.11.214 00:50:56:89:44:d8 VMware, Inc.
10.10.11.215 00:50:56:c4:1d:bb VMware, Inc.
10.10.11.217 00:50:56:89:3a:0f VMware, Inc.
10.10.11.219 00:50:56:49:12:db VMware, Inc.
10.10.11.221 00:50:56:89:8c:a6 VMware, Inc.

That’s it.

 

How to detect IP address conflicts

arp-scan prints every reply it receives rather than only the first one per address, and flags repeated replies for the same address with a "(DUP: n)" suffix. If the two lines carry the same MAC address, a host simply answered twice; if they carry two different MAC addresses, two devices are claiming the same IP address, which is an address conflict. The same pattern also appears when another machine is deliberately claiming an address that is not its own, for example the gateway IP suddenly answered by an unfamiliar MAC, so a conflict check over arp-scan output doubles as a simple ARP spoofing check.
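The check described above, as an added example rather than part of arp-scan: a Python script that parses the host lines arp-scan prints (IP, MAC, vendor), groups the MACs seen per IP address and reports every address claimed by more than one MAC. The output embedded in it is constructed in arp-scan's layout, not a real capture, and the addresses in it are made up; with real data, pipe the scan into it (arp-scan -I eth1 -l | python3 arp_conflicts.py, where arp_conflicts.py is whatever name you save it under).

```python
"""Find IP address conflicts in arp-scan output.

Added example, not part of arp-scan: it parses the host lines arp-scan prints
(IP, MAC, vendor) and reports every IP address answered by more than one MAC.
"""
import re
import sys
from collections import defaultdict

# Constructed sample in arp-scan's output layout (not a real capture). 10.10.11.50 is
# answered by two different MACs (a conflict); 10.10.11.51 merely answered twice.
SAMPLE_OUTPUT = """\
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.2 with 256 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
10.10.11.1\t00:50:56:c0:00:08\tVMware, Inc.
10.10.11.50\t00:0c:29:57:69:74\tVMware, Inc.
10.10.11.51\t00:50:56:3e:21:5c\tVMware, Inc.
10.10.11.50\t00:0c:29:1a:2b:3c\tVMware, Inc. (DUP: 2)
10.10.11.51\t00:50:56:3e:21:5c\tVMware, Inc. (DUP: 2)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.2: 256 hosts scanned in 1.5 seconds (170.67 hosts/sec). 3 responded
"""

# One host line: IPv4 address, MAC address, vendor text (optionally ending in "(DUP: n)").
HOST_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(?P<vendor>.*)$",
    re.IGNORECASE,
)


def parse_arp_scan(text):
    """Map each IP address in the output to the set of MAC addresses that claimed it."""
    claims = defaultdict(set)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:   # header, footer and blank lines do not match and are skipped
            claims[m["ip"]].add(m["mac"].lower())
    return dict(claims)


def find_conflicts(text):
    """Return {ip: sorted MACs} for every IP answered by two or more distinct MACs."""
    return {ip: sorted(macs) for ip, macs in parse_arp_scan(text).items() if len(macs) > 1}


if __name__ == "__main__":
    # Read a real scan from stdin when piped; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    conflicts = find_conflicts(text)
    for ip, macs in conflicts.items():
        print(f"CONFLICT {ip} claimed by {', '.join(macs)}")
    if not conflicts:
        print("no IP address conflicts found")
```

Because the script compares MAC addresses rather than relying on the "(DUP: n)" marker, a host that answers twice with the same MAC is not reported, while two different MACs for one address always are. Run it a second time from another segment or VLAN if you need coverage beyond the scanning interface's own subnet.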

jnettop – network traffic visualisation tool

jnettop visualises active network traffic the way top does with processes: it displays the active network streams sorted by the bandwidth they use, which is handy when you want a quick grip on what is going on on your outbound router. jnettop was written as a basic analysis tool and does not interpret most of the protocols on the Internet; it understands only TCP/UDP over IP (v4, and v6 since 0.10) on Ethernet or the Linux "any" device.

Features

  • lists the connections going across this host in a readable way
  • runs on almost any Unix flavour
  • supports IPv6
  • customizable text output (--display text with --format) for further analysis
  • a machine-friendly mode for feeding the output to other tools

jnettop installation

RPM Installation

jnettop is packaged in nux-dextop, a third-party repository for EL7 that is built to work alongside EPEL; as with any third-party repository, check the release package's signature before installing it. Download the latest nux-dextop-release rpm from

http://li.nux.ro/download/nux/dextop/el7/x86_64/

Install the nux-dextop-release rpm, then the jnettop package:

rpm -Uvh nux-dextop-release*rpm
yum install jnettop
jnettop -h
Usage: jnettop [-hv] [-i interface] [-d filename]

    -h, --help               display this help message
    -v, --version            display version information

    -b, --bit-units          show BPS in bits per second, not bytes per second
    -c, --content-filter     disable content filtering
    -d, --debug filename     write debug information into file (or syslog)
    --display type           type of display (curses, text, uia)
    -f, --config-file name   reads configuration from file. defaults to ~/.jnettop
    --format format          list of fields to list in text output
    -i, --interface name     capture packets on specified interface
    --local-aggr arg         set local aggregation to none/host/port
    -n, --no-resolver        disable resolving of addresses
    -p, --promiscuous        enable promisc mode on the devices
    --remote-aggr arg        set remote aggregation to none/host/port
    -s, --select-rule rule   selects one of the rules defined in config file
                             by its name
    -t, --timeout sec        timeout in seconds after which jnettop ends (text display)
    -x, --filter rule        allows for specification of custom filtering rule
                             this follows tcpdump(1) syntax. don't forget to
                             enclose the filter into quotes when running from shell

Source Installation

Download source file from http://jnettop.kubs.info/wiki/?id=Download

If you just want jnettop to detect what's available and compile, run the following (the make install step as root):

gzip -dc jnettop-<version>.tar.gz | tar xf -
cd jnettop-<version>
./configure
make
make install

You're done. Capturing needs raw socket access, so run jnettop as root (or grant the binary the CAP_NET_RAW capability).