IT - Network System Administrator & Hacking: linux

Apache is one of the most widely used and popular web servers in the world, so it is important to protect your website and users from Brute-force attacks. Fail2ban is an open-source intrusion prevention software written in Python. Fail2Ban continuously analyzes various services’ log files (like Apache, ssh, postfix …), and if it detects malicious attacks, then it creates rules on the firewall to block hackers IP addresses for a specified amount of time. Fail2Ban also informs a system admin with an email of its activity.

In this article I will explain how to install fail2ban and configure it to monitor your Apache logs for malicious authentication failure attempts.

Requirements

Ubuntu server 14.04 with Apache installed
Apache configured with password authentication

Installing Fail2Ban

First, make sure the Apache server is running and password authentication is enabled.

Next, you can install Fail2ban by running:

sudo apt-get update
sudo apt-get install fail2ban

Configure fail2ban for Apache

The fail2ban keeps its configuration file “jail.conf” in the “/etc/fail2ban/” directory. It contains a set of pre-defined filters for various services, and it is recommended that you not edit this file. You need to enable predefined Apache jails by creating a “/etc/fail2ban/jail.local” file:

To create new “jail.local” file, run:

sudo nano /etc/fail2ban/jail.local

Add the following content:

[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache2/*error.log
maxretry = 3
findtime = 600
ignoreip = 192.168.1.227
 
[apache-noscript]
enabled  = true
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache2/*error.log
maxretry = 3
findtime = 600
ignoreip = 192.168.1.227
 
[apache-overflows]
enabled  = true
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache2/*error.log
maxretry = 2
findtime = 600
ignoreip = 192.168.1.227
 
[apache-badbots]
enabled  = true
port     = http,https
filter   = apache-badbots
logpath  = /var/log/apache2/*error.log
maxretry = 2
findtime = 600
ignoreip = 192.168.1.227

Save and close the file, then restart fail2ban for the changes to take effect.

sudo /etc/init.d/fail2ban restart

You can verify the rules that were added by Fail2Ban in iptables using the following command:

sudo iptables -L

The output will look something like this:

Note : You can find the details of each jail described below:

[apache] : this jail is used to block failed login attempts.
[apache-noscript] : this jail is used to block remote clients who are searching for scripts on the website to execute.
[apache-overflows] : this jail is used to block clients who are attempting to request suspicious URLs.
[apache-noscript] : this jail is used to block remote clients who are searching for scripts on website to execute.
[apache-badbots] : this jail is used to block malicious bot requests.

Note : You can find the details of each rule described below.

enabled : this option means Apache protection is on.
port : this option specifies the services that fail2ban monitors.
filter : this option refers the config file located in the /etc/fail2ban/filter.d/ directory.
logpath : this option specifies the location of log file.
bantime : this option specifies the number of seconds that a remote host will be blocked from the server.
maxretry : this option specifies the number of failed login attempts before a remote host is blocked for the length of the ban time.
ignoreip : this option allows you to whitelist certain IP addresses from blocking.

Check Fail2ban Banning Status

Once jails are activated, you can check fail2ban using the fail2ban-clientcommand:

sudo fail2ban-client status

You can see a list of all of the jails you enabled.

To see the status of a particular jail like apache, apache-badbots by running the following commands:

sudo fail2ban-client status apache

The output looks like this:

You can also manually set ban or unban IP addresses.

For example, to ban an IP address (192.168.1.20) with an apache jail:

sudo fail2ban-client set apache banip 192.168.1.20

To unban an IP address (192.168.1.21) with an apache jail:

sudo fail2ban-client set apache unbanip 192.168.1.21

Testing Fail2Ban

It is important to test your fail2ban whether it is working as expected or not. Now on a remote machine, open your web browser and type the URL of your domain (or your server’s IP address). When Apache prompts for authentication, give an incorrect user name and password repeatedly. After you have reached the limit you should be blocked and unable to access the site.

Check the status with the fail2ban-client command:

sudo fail2ban-client status apache

You will see your IP address being blocked from the site.

Conclusion

Now, you have enough knowledge to configure fail2ban. Using fail2ban is a good and easy way to stop flooding (Brute-force attacks). It is also a good way to limit the number of bad requests you receive on your Apache webserver.

Install Kali dualboot windows 7

It was hard to install Kali Linux with the EFI system because you encounter some weird errors and you have to fix them manually.

I am going to write a complete guide here (I don’t really know much, but I’ve followed most of the guides on Google and spent 2 days for it. So I might be able to get you out of desperating installing Kali in EFI system).

Installing with Normal ISO Kali file:

Requirements:

Internet (Wifi or Cable)
USB (4 GBs)
Rufus or Win32 Disk Imager (to make bootable USB)
EFI system (obviously, if you don’t have EFI system, you can just install it normally)
2 hours of your time

1. Download Kali Linux ISO with this link: http://www.kali.org/downloads/

2. Download Rufus or Win32 Disk Imager and make bootable USB with theKali Linux ISOyou just downloaded in step 1. See Picture.

Rufus: http://rufus.akeo.ie/ (here’s the guide to use Rufus:http://bootableusb.net/install-windo…e-using-rufus/)
Win 32 Disk Imager: http://sourceforge.net/projects/win32diskimager/(Have no idea how to use this, but it seems a little easy)

3. Create a folder /EFI/Boot in your USB (You now have some data of Kali Linux in your USB already). See Picture.

4. Download bootx64.efi, MokManager.efi (don’t know if this is needed, but I just do it anyway), and grubx64.efi from here:ftp://mirrors.kernel.org/fedora/rele…4/os/EFI/BOOT/
then put them into /EFI/Boot folder you created in step 3.

5. Create a file named grub.cfg in /EFI/Boot in your USB with the following contents:
Note: You can download the file here too: grub.txt. But make sure you put it into/EFI/Bootfolder in your USB along with the 3 files in step 4 and change the name to grub.cfg. See Picture.

Code:

# Config file for GRUB2 - The GNU GRand Unified Bootloader
# /boot/grub/grub.cfg

# DEVICE NAME CONVERSIONS
#
# Linux Grub
# -------------------------
# /dev/fd0 (fd0)
# /dev/sda (hd0)
# /dev/sdb2 (hd1,2)
# /dev/sda3 (hd0,3)
#
# root=UUID=dc08e5b0-e704-4573-b3f2-cfe41b73e62b persistent

set menu_color_normal=yellow/blue
set menu_color_highlight=blue/yellow

function load_video {
insmod efi_gop
insmod efi_uga
insmod video_bochs
insmod video_cirrus
insmod all_video
}

load_video
set gfxpayload=keep

# Timeout for menu
set timeout=5

# Set default boot entry as Entry 0
set default=0
set color_normal=yellow/blue

menuentry "Kali - Live Non-persistent" {
set root=(hd0,1)
linuxefi /live/vmlinuz boot=live noconfig=sudo username=root hostname=kali
initrdefi /live/initrd.img
}

menuentry "Kali - Live Persistent" {
set root=(hd0,1)
linuxefi /live/vmlinuz boot=live noconfig=sudo username=root hostname=kali persistence
initrdefi /live/initrd.img
}

menuentry "Kali Failsafe" {
set root=(hd0,1)
linuxefi /live/vmlinuz boot=live config memtest noapic noapm nodma nomce nolapic nomodeset nosmp nosplash vga=normal
initrdefi /live/initrd.img
}

menuentry "Kali Forensics - No Drive or Swap Mount" {
set root=(hd0,1)
linuxefi /live/vmlinuz boot=live noconfig=sudo username=root hostname=kali noswap noautomount
initrdefi /live/initrd.img
}

menuentry "Kali Graphical Install" {
set root=(hd0,1)
linuxefi /install/gtk/vmlinuz video=vesa:ywrap,mtrr vga=788
initrdefi /install/gtk/initrd.gz
}

menuentry "Kali Text Install" {
set root=(hd0,1)
linuxefi /install/vmlinuz video=vesa:ywrap,mtrr vga=788
initrdefi /install/initrd.gz
}

You now have the bootable USB that EFI system can recognize it.

6. Disable Secure Boot in BIOS but enable UEFI or EFI Mode (DO NOT USELegacy/CMS mode).
See picture

If you’re using Windows 8, follow this guide:http://forums.toshiba.com/t5/Windows…-8/ta-p/329292 (I know, Windows 8 is god damn weird)
If you’re just using normal Windows 7 or something like that, just press F2 while booting to get to BIOS.

7. You can now see in the Boot section of your BIOS has the Boot Option for your USB. Boot it (anyway you can, if you don’t know. Google them a little bit for your computer model, because each BIOS is different, I guess?)
See picture

Make sure Legacy Mode is turned off, or CMS is turned off.

8. Install your Kali Linux as you see fit, BUT manually set up the Partition like this:
See picture 1
See picture 2
See picture 3

Code:

Name: Kali Linux (your choice)
Use as: Ext4 journaling file system
Mount point: /
Mount options: Default
Label: none (you can label it if you want)
Reserved blocks: 5%
Typical usage: Standard
Bootable flag: off

Then you just need to press “Done setting up the partition” and “Finish partitioning and write changes to disk.”
(Maybe you could set a swap parition and others if you would like. Otherwise, you can just stick with this. I have no idea if it affects anything, but I’m new to Linux.)

8. Follow the installation till you done. If no error occurs, you will be able to see a new Boot Option in your BIOS after you installed Kali Linux.

Happy with your adventure if no error occurs. However, if error of grub-efi failed to install, take a look at below post.

I will write a how-to on installing with Mini Kali Linux in EFI system later. I don’t have the files with me right now, gotta change some stuffs on it too. But I can assure you that I’ll do it tonight.

If you have any question, or my instructions didn’t clear anything. Please ask, I’ll try to fix the Instructions and answer some of the questions if I can. But remember, I’m new to Linux.

Thank you for reading the post.

Backing up a Remote Linux Machine With Windows (Using Rsync and Cygwin)

Problem

The goal here was for me to get a backup of my VPS server (Running CentOS 6). My background is primarily Windows based, so I wanted a solution where I can just run the backup from a Windows machine, (i.e. my my laptop) and let it connect, login and perform the backup.

What is Rsync? If you are familiar with Robocopy it’s similar, it can perform a backup/sync of data and encrypt that data while it’s passing over the network. In addition, once the initial sync has been done, the next time you run it, it only replicates the changes. This makes it ideal for backups.

What is Cygwin? Basically it’s a Linux ‘Shell’ that will run on a Windows machine.

Solution

Step 1: Install Cygwin on My Windows Client

1. Download Cygwin (URL is on the image below), and install on the machine that will be performing the backups. When prompted accept all the defaults todownload form the internet > Accept the install directory C:\cgywin64 > Install for All users > Set the local Package Directory to the Desktop > Internet = Direct Connection > Choose a Download site > Next.

2. When asked to select packages > Expand Net.

3. Select openssh and rsync to be installed.

4. Expand shells > Select bash to be installed. > Complete the installation.

Step 2: Generate SSH Keys in Cygwin

5. Launch Cygwin and generate some SSH Keys.

ssh-keygen -t rsa -b 2048

KEEP PRESSING ENTER TO ACCEPT THE DEFAULTS, AND HAVE A BLANK PASSPHRASE

Step:3 Create a User (On the Remote Linux Host) to Perform Backups

6. Connect to the server via SSH, (or open a terminal session). Logon as, (or su to) root.

useradd {username} -s /bin/bash
passwd {username}
ENTER AND CONFIRM THE PASSWORD

7. To ensure your user has the correct folders in their home folder the easiest way is generate a pair of keys on the remote Linux machine (the same as you did before).

ssh-keygen -t rsa -b 2048

Step 4: Copy the Public SSH Key from the Windows Machine to the Linux Machine

8. Above, Cygwin told us the keys are in /home/{username}/.ssh > Go to that directory and make sure they are there > Make a copy of the id_rsa.pub key > Call the copy authorized_keys > Copy that key to the correct folder on the remote Linux machine (via SCP).

cd /home/{username}/.ssh <<Note This is the username on the Cygwin machine)
ls
CHECK id_rsa.pub IS LISTED
cp id_rsa.pub authorized_keys
ls
CHECK authorized_keys IS LISTED
scp authorized_keys {username}@{Linux Machine’s name/IP}:/home/{username}/.ssh

Note The username (above) is the username on the Linux Machine

9. Now check we can login to the remote Linux machine, from the Windows machine (without having to provide a password for the user we created). Note: Sometimes you need to do this twice before it will work.

ssh {username}@{Linux Machine’s name/IP}

If successful, your prompt should change to that of the remote Linux machine.

10. To return to Cygwin, simply type exit.

Step 5: On the Windows Machine Create a Backup Job

11. On the Windows machine create a folder that will hold the backup files (create it in the C:\cygwin64 folder).

12. Lets test our backup to that folder. (Note: This does not back any data up it just performs a ‘dry run’).

rsync -avzun {username}@{Linux Machine’s name/IP}:/ /VPS-Backup

Note: Above I’ve chosen the root ‘/’ directory, you may just want to select specific folders to backup e.g.

/var/www/ The Default location for Apache’s Website Files.
/var/lib/mysql The Default location for MySQL Databases.

Warning: Folder locations may differ depending on the server and how it was setup.

13. Tailor the following, and save it on the Windows machine, in the C:\cyqwin\bindirectory as Remote-Server-Backup.sh

# Remote-Server-Backup.sh
#
#
# rsync tool to download server data
# from [Remote Linux Server name] to [Windows Backup Machine]
#
#
# download only those files on [Remote Linux Server name] in
# [server directory]
# Only files that are newer than what is already on the
# [Windows Backup Machine Directory]
#
# Syntax
#
# rsync -avzu [user name]@[Remote Linux Server name]:
#[server directory] [Windows Backup Machine Directory]
# Windows Shortcut Target Should be
#C:\cygwin64\bin\bash.exe –login -i ‘/bin/Remote-Server-Backup.sh’

rsync -avzu {username}@{Linux Machine’s name/IP}:/ /VPS-Backup

14. On the Windows machine create a new shortcut.

15. Browse to, and select c:\cygwin\bin\bash.exe

16. Give it a sensible name > Finish

17. Open the properties of the shortcut and change the Target: to;

C:\cygwin64\bin\bash.exe –login -i ‘/bin/Remote-Server-Backup.sh’

Note: You may also want to change the icon to the Cygwin one at C:\cygwin64\Cygwin.ico

18. Run the shortcut to perform the backup.

You could (if you wanted), use the Window scheduler to schedule this for you, but I prefer to do it myself.

Configuration Iptables

Ví dụ về cách cấu hình Iptables

Để iptables hoạt động đúng bạn cần phải load một số kernel modules hỗ trợ như iptable_nat hỗ trợ NAT, ip_contrack_fpt hỗ trợ FTP, ip_contrack hỗ trợ tính năng xác định trạng thái connection…
load kernel modules có thể thực hiện bằng file /etc/rc.local như sau

# File: /etc/rc.local

# Module to track the state of connections
modprobe ip_conntrack

# Load the iptables active FTP module, requires ip_conntrack
modprobe ip_conntrack_ftp

# Load iptables NAT module when required
modprobe iptable_nat

# Module required for active an FTP server using NAT
modprobe ip_nat_ftp

Trước khi bạn triển khai firewall script của mình bạn nên thay đổi một số thông số linux kernel thông qua file /etc/sysctl.conf để tăng hiệu năng cho firewall của hệ thống như sau

# File: /etc/sysctl.conf

#—————————————————————
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
#—————————————————————

net/ipv4/conf/all/rp_filter = 1

#—————————————————————
# Enable logging of packets with malformed IP addresses
#—————————————————————

net/ipv4/conf/all/log_martians = 1

#—————————————————————
# Disable redirects
#—————————————————————

net/ipv4/conf/all/send_redirects = 0

#—————————————————————
# Disable source routed packets
#—————————————————————

net/ipv4/conf/all/accept_source_route = 0

#—————————————————————
# Disable acceptance of ICMP redirects
#—————————————————————

net/ipv4/conf/all/accept_redirects = 0

#—————————————————————
# Turn on protection from Denial of Service (DOS) attacks
#—————————————————————

net/ipv4/tcp_syncookies = 1

#—————————————————————
# Disable responding to ping broadcasts
#—————————————————————

net/ipv4/icmp_echo_ignore_broadcasts = 1

#—————————————————————
# Enable IP routing. Required if your firewall is protecting a
# network, NAT included
#—————————————————————

net/ipv4/ip_forward = 1

chống ip spoofing (thực hiện việc kiểm tra địa chỉ ip nguồn của gói tin, nếu thấy không hợp lệ so với địa chỉ của card mạng mà gói tin đi vào từ đó thì gói tin sẽ bị loại bỏ), log những gói tin có địa chỉ ip không hợp lệ, không cho phép redirect, không route những gói tin đến những hệ thống khác,bật tính năng tcp_syscookies chống kiểu tấn công SYN flood, không trả lời những gói tin ping broadcast, cho phép forward qua hệ thống.

Cho phép hệ thống thực hiện query DNS

iptables -A OUTPUT -p udp -o eth0 –dport 53 –sport 1024:65535 \
-j ACCEPT

iptables -A INPUT -p udp -i eth0 –sport 53 –dport 1024:65535 \

Mở dịch vụ Web và cho phép truy cập hệ thống thông qua dịch vụ SSH

# chỉ cho phép những gói tin thuộc những kết nối đã được chấp nhận đi ra
iptables -A OUTPUT -o eth0 -m state –state ESTABLISHED,RELATED \
-j ACCEPT

# chỉ nhận những kết nối truy cập Web và SSH
iptables -A INPUT -p tcp -i eth0 –dport 22 –sport 1024:65535 \
-m state –state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 –dport 80 –sport 1024:65535 \
-m state –state NEW -j ACCEPT

Cho phép truy cập Internet thông qua hệ thống Firewall

#cho phép thực hiện những kết nối đến cổng 80,443 (http,https) ra bên ngoài.
iptables -A OUTPUT -j ACCEPT -m state \
–state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
-m multiport –dports 80,443 –sport 1024:65535

#cho phép nhận những gói tin thuộc những kết nối đã được thiết lập
iptables -A INPUT -j ACCEPT -m state –state ESTABLISHED,RELATED \
-i eth0 -p tcp

Cho phép máy của bạn truy cập vào hệ thống Firewall

iptables -A INPUT -j ACCEPT -p all -s 192.168.1.5 -i eth1
iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.5 -o eth1

192.168.1.5 là địa chỉ ip của máy bạn.

Masquerading
là một tên gọi khác của NAT, thông qua nó tất cả các gói tin đi qua hệ thống sẽ được sửa lại địa chỉ nguồn thành địa chỉ của hệ thống firewall ( địa chỉ của card mạng firewall hướng ra ngoài ) và nó sẽ được xem như là xuất phát từ hệ thống.
Để hệ thống có khả năng NAT iptables cần phải nạp module iptables_nat, Linux kernel phải hộ trợ tính khả năng forward
(echo 1 > /proc/sys/net/ipv4/ip_forward)
Để thực hiện được masquerading thông qua POSTROUTING chain của bảng NAT bạn cũng cần phải config để iptables cho phép forward gói tin giữa các card mạng, cho phép những gói tin yêu cầu kết nối hoặc của một kết nối đã được thiết lập đi ra ngoài và chỉ cho phép những gói tin của những kết nối đã được thiết lập đi vào hệ thống.

modprobe iptable_nat

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 \
-j MASQUERADE

iptables -A FORWARD -t filter -o eth0 -m state \
–state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -t filter -i eth0 -m state \
–state ESTABLISHED,RELATED -j ACCEPT

bạn muốn đặt một Web site được bảo vệ bởi một hệ thống firewall có địa chỉ ip nhận được thông qua DHCP từ ISP.

modprobe iptable_nat
external_int=”eth0″
external_ip=”`ifconfig $external_int | grep ‘inet addr’ | \
awk ‘{print $2}’ | sed -e ‘s/.*://’`”
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip \
–dport 80 –sport 1024:65535 -j DNAT –to 192.168.1.200:8080
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.200 \
–dport 8080 –sport 1024:65535 -m state –state NEW -j ACCEPT

iptables -A FORWARD -t filter -o eth0 -m state \
–state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -t filter -i eth0 -m state \
–state ESTABLISHED,RELATED -j ACCEPT

Hệ thống cho phép nhận những gói tin gửi tới Web Server của bạn từ ngoài vào, trước khi FORWARD nó sửa địa chỉ ip đích và port đích của gói tin thành (192.168.1.200: 8080).
Thực hiện FORWARD những gói tin yêu cầu kết nối từ eth0 sang eth1, cấu hình để FORWARD chain của bảng filter cho phép những gói tin này đi qua.

Static NAT

sử dụng one to one NAT để bên ngoài xem Server của bạn (192.168.1.100) như là có địa chỉ 97.158.253.26
dùng many to one NAT để bên ngoài xem tất cả những hệ thống nằm trong mạng 192.168.1.0 như đều có địa chỉ 97.158.253.26

modprobe iptable_nat

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 \
-j DNAT –to-destination 192.168.1.100

iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth0 \
-j SNAT –to-source 97.158.253.29

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \
-j SNAT -o eth0 –to-source 97.158.253.29

iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.100 \
-m multiport –dports 80,443,22 \
-m state –state NEW -j ACCEPT

iptables -A FORWARD -t filter -o eth0 -m state \
–state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -t filter -i eth0 -m state \
–state ESTABLISHED,RELATED -j ACCEPT

SNAT được dùng để làm cho các kết nối xuất phát từ trong ra ngoài (internet) được xem như xuất phát từ địa chỉ 97.158.253.29
DNAT hướng các gói tin gửi đến địa chỉ 97.158.253.29 vào Server (192.168.1.100)
FORWARD chain chỉ cho chấp nhận những gói tin của các dịch vụ http,https,ssh đi qua.

LOG hệ thống
việc log lại tất cả những gói tin mà bạn loại bỏ tại /var/log/messages sẽ giúp ích cho bạn rất nhiều trong việc troubleshooting iptables.

iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

phần log thường đặt ở vị trí cuối cùng trong các firewall script của iptables.

Khi iptables khởi động nó sẽ tìm kiếm file /etc/sysconfig/iptables để đọc các rule, nếu file này không tồn tại iptables sẽ không khởi động được.
Do đó sau khi cài đặt iptables bạn phải tạo file này

touch /etc/sysconfig/iptables
chmod 600 /etc/sysconfig/iptables