Amazon Web Services: Install an Intrusion Prevention System (IPS) on an EC2 Instance

Install fail2ban on the first instance

SSH into the first instance as cloud_user
Install and start fail2ban (the first login prompt below is for the SSH password, the second for sudo)

sudo yum install fail2ban -y
sudo service fail2ban start

Output

Last login: Tue Sep 24 15:15:47 on ttys000
austinsonger@Songer ~ % ssh cloud_user@34.229.235.163
The authenticity of host '34.229.235.163 (34.229.235.163)' can't be established.
ECDSA key fingerprint is SHA256:JKRV/KYx3t6rwXxuc4fRFbIFE8NnO3laDLM4Y4RcObU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '34.229.235.163' (ECDSA) to the list of known hosts.
Password: 
Password: 

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
[cloud_user@ip-10-99-1-185 ~]$ sudo yum install fail2ban -y
[sudo] password for cloud_user: 
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main                                                                       | 2.1 kB  00:00:00     
amzn-updates                                                                    | 2.5 kB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.10-3.6.amzn1 will be installed
--> Processing Dependency: python27-inotify for package: fail2ban-0.8.10-3.6.amzn1.noarch
--> Processing Dependency: gamin-python(python27) for package: fail2ban-0.8.10-3.6.amzn1.noarch
--> Running transaction check
---> Package gamin-python.x86_64 0:0.1.10-16.14.amzn1 will be installed
--> Processing Dependency: gamin = 0.1.10-16.14.amzn1 for package: gamin-python-0.1.10-16.14.amzn1.x86_64
--> Processing Dependency: libgamin-1.so.0()(64bit) for package: gamin-python-0.1.10-16.14.amzn1.x86_64
---> Package python27-inotify.noarch 0:0.9.1-1.7.amzn1 will be installed
--> Running transaction check
---> Package gamin.x86_64 0:0.1.10-16.14.amzn1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package                    Arch             Version                         Repository           Size
=======================================================================================================
Installing:
 fail2ban                   noarch           0.8.10-3.6.amzn1                amzn-main           169 k
Installing for dependencies:
 gamin                      x86_64           0.1.10-16.14.amzn1              amzn-main           146 k
 gamin-python               x86_64           0.1.10-16.14.amzn1              amzn-main            34 k
 python27-inotify           noarch           0.9.1-1.7.amzn1                 amzn-main            87 k

Transaction Summary
=======================================================================================================
Install  1 Package (+3 Dependent packages)

Total download size: 436 k
Installed size: 1.3 M
Downloading packages:
(1/4): gamin-python-0.1.10-16.14.amzn1.x86_64.rpm                               |  34 kB  00:00:00     
(2/4): fail2ban-0.8.10-3.6.amzn1.noarch.rpm                                     | 169 kB  00:00:00     
(3/4): gamin-0.1.10-16.14.amzn1.x86_64.rpm                                      | 146 kB  00:00:00     
(4/4): python27-inotify-0.9.1-1.7.amzn1.noarch.rpm                              |  87 kB  00:00:00     
-------------------------------------------------------------------------------------------------------
Total                                                                  791 kB/s | 436 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : gamin-0.1.10-16.14.amzn1.x86_64                                                     1/4 
  Installing : gamin-python-0.1.10-16.14.amzn1.x86_64                                              2/4 
  Installing : python27-inotify-0.9.1-1.7.amzn1.noarch                                             3/4 
  Installing : fail2ban-0.8.10-3.6.amzn1.noarch                                                    4/4 
  Verifying  : fail2ban-0.8.10-3.6.amzn1.noarch                                                    1/4 
  Verifying  : python27-inotify-0.9.1-1.7.amzn1.noarch                                             2/4 
  Verifying  : gamin-0.1.10-16.14.amzn1.x86_64                                                     3/4 
  Verifying  : gamin-python-0.1.10-16.14.amzn1.x86_64                                              4/4 

Installed:
  fail2ban.noarch 0:0.8.10-3.6.amzn1                                                                   

Dependency Installed:
  gamin.x86_64 0:0.1.10-16.14.amzn1                  gamin-python.x86_64 0:0.1.10-16.14.amzn1         
  python27-inotify.noarch 0:0.9.1-1.7.amzn1         

Complete!
[cloud_user@ip-10-99-1-185 ~]$ sudo service fail2ban start
Starting fail2ban:                                         [  OK  ]
[cloud_user@ip-10-99-1-185 ~]$ tail -f /var/logmessages
tail: cannot open ‘/var/logmessages’ for reading: No such file or directory
tail: no files remaining
[cloud_user@ip-10-99-1-185 ~]$ tail -f /var/log/messages
tail: cannot open ‘/var/log/messages’ for reading: Permission denied
tail: no files remaining
[cloud_user@ip-10-99-1-185 ~]$ sudo tail -f /var/log/messages
[sudo] password for cloud_user: 
Sep 25 02:21:09 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 116860ms.
Sep 25 02:21:33 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 2606:c680:0:b:3830:34ff:fe66:6663
Sep 25 02:22:13 ip-10-99-1-185 fail2ban.filter : WARNING Determined IP using DNS Lookup: 23-116-10-38.lightspeed.cicril.sbcglobal.net = ['23.116.10.38']
Sep 25 02:22:39 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 2001:470:1f07:9fe::f00d
Sep 25 02:22:52 ip-10-99-1-185 fail2ban.actions: WARNING [ssh-iptables] Ban 54.227.171.118
Sep 25 02:23:06 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 120710ms.
Sep 25 02:23:44 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 2001:470:d43f:fff6:a:e:0:53
Sep 25 02:24:48 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 198.50.238.163
Sep 25 02:25:07 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 111610ms.
Sep 25 02:25:53 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 198.60.22.240
Sep 25 02:26:58 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 17.253.24.125
Sep 25 02:26:59 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 117400ms.
Sep 25 02:28:04 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 52.34.132.170
Sep 25 02:28:56 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 131450ms.
Sep 25 02:29:08 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 2604:880:398:371::1

Trigger a ban through multiple failed logins

SSH into the second instance
From there, attempt SSH logins to the first instance using bad credentials
Do this 5 times to trigger a ban (the ssh-iptables jail bans a source after five failures within findtime; each ssh session allows only three password prompts by default, so it takes two sessions)
Confirm the ban on the first instance with sudo fail2ban-client status ssh-iptables or sudo iptables -L -n; the "[ssh-iptables] Ban 54.227.171.118" line in /var/log/messages above is the second instance's public IP being blocked. A banned address cannot reach port 22 until bantime (600 seconds by default) expires, so add any address you administer from to ignoreip in jail.conf before testing, or you can lock yourself out.

Output

Last login: Tue Sep 24 21:16:29 on ttys000
austinsonger@Songer ~ % ssh cloud_user@54.227.171.118
The authenticity of host '54.227.171.118 (54.227.171.118)' can't be established.
ECDSA key fingerprint is SHA256:+bVHTcqDnwONAyHq29ep5KdOvK1oXJjcabPllvpVjgg.
Are you sure you want to continue connecting (yes/no)? zIhatexrpi
Please type 'yes' or 'no': yes
Warning: Permanently added '54.227.171.118' (ECDSA) to the list of known hosts.
Password: 

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
[cloud_user@ip-10-99-1-182 ~]$ ssh cloud_user@34.229.235.163
The authenticity of host '34.229.235.163 (34.229.235.163)' can't be established.
ECDSA key fingerprint is SHA256:JKRV/KYx3t6rwXxuc4fRFbIFE8NnO3laDLM4Y4RcObU.
ECDSA key fingerprint is MD5:c7:79:54:cd:e3:c2:4b:78:20:18:58:b4:d0:c0:de:ad.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '34.229.235.163' (ECDSA) to the list of known hosts.
Password: 
Password: 
Password: 
cloud_user@34.229.235.163's password: 
Permission denied, please try again.
cloud_user@34.229.235.163's password: 
Permission denied, please try again.
cloud_user@34.229.235.163's password: 

Authentication failed.
[cloud_user@ip-10-99-1-182 ~]$ 

