Amazon Web Services: Install an Intrusion Prevention System (IPS) on an EC2 Instance

Install fail2ban on the first instance

SSH into the first instance as cloud_user
Install fail2ban and start the service

sudo yum install fail2ban -y
sudo service fail2ban start

Output

Last login: Tue Sep 24 15:15:47 on ttys000
austinsonger@Songer ~ % ssh cloud_user@34.229.235.163
The authenticity of host '34.229.235.163 (34.229.235.163)' can't be established.
ECDSA key fingerprint is SHA256:JKRV/KYx3t6rwXxuc4fRFbIFE8NnO3laDLM4Y4RcObU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '34.229.235.163' (ECDSA) to the list of known hosts.
Password: 
Password: 

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
[cloud_user@ip-10-99-1-185 ~]$ sudo yum install fail2ban -y
[sudo] password for cloud_user: 
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main                                                                       | 2.1 kB  00:00:00     
amzn-updates                                                                    | 2.5 kB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.10-3.6.amzn1 will be installed
--> Processing Dependency: python27-inotify for package: fail2ban-0.8.10-3.6.amzn1.noarch
--> Processing Dependency: gamin-python(python27) for package: fail2ban-0.8.10-3.6.amzn1.noarch
--> Running transaction check
---> Package gamin-python.x86_64 0:0.1.10-16.14.amzn1 will be installed
--> Processing Dependency: gamin = 0.1.10-16.14.amzn1 for package: gamin-python-0.1.10-16.14.amzn1.x86_64
--> Processing Dependency: libgamin-1.so.0()(64bit) for package: gamin-python-0.1.10-16.14.amzn1.x86_64
---> Package python27-inotify.noarch 0:0.9.1-1.7.amzn1 will be installed
--> Running transaction check
---> Package gamin.x86_64 0:0.1.10-16.14.amzn1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package                    Arch             Version                         Repository           Size
=======================================================================================================
Installing:
 fail2ban                   noarch           0.8.10-3.6.amzn1                amzn-main           169 k
Installing for dependencies:
 gamin                      x86_64           0.1.10-16.14.amzn1              amzn-main           146 k
 gamin-python               x86_64           0.1.10-16.14.amzn1              amzn-main            34 k
 python27-inotify           noarch           0.9.1-1.7.amzn1                 amzn-main            87 k

Transaction Summary
=======================================================================================================
Install  1 Package (+3 Dependent packages)

Total download size: 436 k
Installed size: 1.3 M
Downloading packages:
(1/4): gamin-python-0.1.10-16.14.amzn1.x86_64.rpm                               |  34 kB  00:00:00     
(2/4): fail2ban-0.8.10-3.6.amzn1.noarch.rpm                                     | 169 kB  00:00:00     
(3/4): gamin-0.1.10-16.14.amzn1.x86_64.rpm                                      | 146 kB  00:00:00     
(4/4): python27-inotify-0.9.1-1.7.amzn1.noarch.rpm                              |  87 kB  00:00:00     
-------------------------------------------------------------------------------------------------------
Total                                                                  791 kB/s | 436 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : gamin-0.1.10-16.14.amzn1.x86_64                                                     1/4 
  Installing : gamin-python-0.1.10-16.14.amzn1.x86_64                                              2/4 
  Installing : python27-inotify-0.9.1-1.7.amzn1.noarch                                             3/4 
  Installing : fail2ban-0.8.10-3.6.amzn1.noarch                                                    4/4 
  Verifying  : fail2ban-0.8.10-3.6.amzn1.noarch                                                    1/4 
  Verifying  : python27-inotify-0.9.1-1.7.amzn1.noarch                                             2/4 
  Verifying  : gamin-0.1.10-16.14.amzn1.x86_64                                                     3/4 
  Verifying  : gamin-python-0.1.10-16.14.amzn1.x86_64                                              4/4 

Installed:
  fail2ban.noarch 0:0.8.10-3.6.amzn1                                                                   

Dependency Installed:
  gamin.x86_64 0:0.1.10-16.14.amzn1                  gamin-python.x86_64 0:0.1.10-16.14.amzn1         
  python27-inotify.noarch 0:0.9.1-1.7.amzn1         

Complete!
[cloud_user@ip-10-99-1-185 ~]$ sudo service fail2ban start
Starting fail2ban:                                         [  OK  ]
[cloud_user@ip-10-99-1-185 ~]$ tail -f /var/logmessages
tail: cannot open ‘/var/logmessages’ for reading: No such file or directory
tail: no files remaining
[cloud_user@ip-10-99-1-185 ~]$ tail -f /var/log/messages
tail: cannot open ‘/var/log/messages’ for reading: Permission denied
tail: no files remaining
[cloud_user@ip-10-99-1-185 ~]$ sudo tail -f /var/log/messages
[sudo] password for cloud_user: 
Sep 25 02:21:09 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 116860ms.
Sep 25 02:21:33 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 2606:c680:0:b:3830:34ff:fe66:6663
Sep 25 02:22:13 ip-10-99-1-185 fail2ban.filter : WARNING Determined IP using DNS Lookup: 23-116-10-38.lightspeed.cicril.sbcglobal.net = ['23.116.10.38']
Sep 25 02:22:39 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 2001:470:1f07:9fe::f00d
Sep 25 02:22:52 ip-10-99-1-185 fail2ban.actions: WARNING [ssh-iptables] Ban 54.227.171.118
Sep 25 02:23:06 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 120710ms.
Sep 25 02:23:44 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 2001:470:d43f:fff6:a:e:0:53
Sep 25 02:24:48 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 198.50.238.163
Sep 25 02:25:07 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 111610ms.
Sep 25 02:25:53 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 198.60.22.240
Sep 25 02:26:58 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 17.253.24.125
Sep 25 02:26:59 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 117400ms.
Sep 25 02:28:04 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 52.34.132.170
Sep 25 02:28:56 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 131450ms.
Sep 25 02:29:08 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 2604:880:398:371::1

Trigger a ban through multiple failed logins

SSH into the second instance
Attempt SSH logins to the first instance using bad credentials
Do this 5 times to trigger a ban

Output

Last login: Tue Sep 24 21:16:29 on ttys000
austinsonger@Songer ~ % ssh cloud_user@54.227.171.118
The authenticity of host '54.227.171.118 (54.227.171.118)' can't be established.
ECDSA key fingerprint is SHA256:+bVHTcqDnwONAyHq29ep5KdOvK1oXJjcabPllvpVjgg.
Are you sure you want to continue connecting (yes/no)? zIhatexrpi
Please type 'yes' or 'no': yes
Warning: Permanently added '54.227.171.118' (ECDSA) to the list of known hosts.
Password: 

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
[cloud_user@ip-10-99-1-182 ~]$ ssh cloud_user@34.229.235.163
The authenticity of host '34.229.235.163 (34.229.235.163)' can't be established.
ECDSA key fingerprint is SHA256:JKRV/KYx3t6rwXxuc4fRFbIFE8NnO3laDLM4Y4RcObU.
ECDSA key fingerprint is MD5:c7:79:54:cd:e3:c2:4b:78:20:18:58:b4:d0:c0:de:ad.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '34.229.235.163' (ECDSA) to the list of known hosts.
Password: 
Password: 
Password: 
cloud_user@34.229.235.163's password: 
Permission denied, please try again.
cloud_user@34.229.235.163's password: 
Permission denied, please try again.
cloud_user@34.229.235.163's password: 

Authentication failed.
[cloud_user@ip-10-99-1-182 ~]$
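The line `fail2ban.actions: WARNING [ssh-iptables] Ban 54.227.171.118` in the first instance's /var/log/messages is fail2ban's own record that the ssh-iptables jail counted enough sshd password failures from one address and called iptables. The script below is an added example, not part of the lab or of the fail2ban project: it replays that rule over a constructed log (the sshd "Failed password" lines are made up; the fail2ban ban line is the one from the lab output above) and checks that the ban fail2ban logged agrees with what the failure count predicts. The threshold of 5 attempts within a 600-second window is assumed to match the jail's defaults, and the year 2019 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The sshd lines stand in for /var/log/secure on the
# first instance; the fail2ban line is the one seen in /var/log/messages
# during the lab. LOG_YEAR is an assumption (syslog lines have no year).
LOG_YEAR = 2019
SAMPLE_LOG = """\
Sep 25 02:22:40 ip-10-99-1-185 sshd[2701]: Failed password for cloud_user from 54.227.171.118 port 51234 ssh2
Sep 25 02:22:43 ip-10-99-1-185 sshd[2701]: Failed password for cloud_user from 54.227.171.118 port 51234 ssh2
Sep 25 02:22:46 ip-10-99-1-185 sshd[2701]: Failed password for cloud_user from 54.227.171.118 port 51234 ssh2
Sep 25 02:22:48 ip-10-99-1-185 sshd[2703]: Failed password for cloud_user from 54.227.171.118 port 51240 ssh2
Sep 25 02:22:50 ip-10-99-1-185 sshd[2703]: Failed password for cloud_user from 54.227.171.118 port 51240 ssh2
Sep 25 02:22:52 ip-10-99-1-185 fail2ban.actions: WARNING [ssh-iptables] Ban 54.227.171.118
Sep 25 02:23:10 ip-10-99-1-185 sshd[2710]: Failed password for cloud_user from 203.0.113.9 port 40000 ssh2
Sep 25 03:30:00 ip-10-99-1-185 sshd[2890]: Failed password for cloud_user from 203.0.113.9 port 40001 ssh2
"""

SYSLOG_TS = "%b %d %H:%M:%S"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})")
# fail2ban 0.8 writes "fail2ban.actions: WARNING [jail] Ban <ip>" (the
# filter component uses "fail2ban.filter :", hence the optional whitespace).
BAN_RE = re.compile(r"fail2ban\.actions\s*:\s*WARNING \[(\S+)\] Ban (\S+)")


def parse_ts(line, year=LOG_YEAR):
    """Datetime of a syslog line; the first 15 characters are the timestamp."""
    return datetime.strptime(f"{year} {line[:15]}", f"%Y {SYSLOG_TS}")


def failed_logins(log):
    """(timestamp, source_ip) for every sshd password failure, oldest first."""
    events = []
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((parse_ts(line), m.group(1)))
    return sorted(events)


def bans_from_fail2ban(log):
    """(timestamp, jail, ip) for every ban that fail2ban itself recorded."""
    bans = []
    for line in log.splitlines():
        m = BAN_RE.search(line)
        if m:
            bans.append((parse_ts(line), m.group(1), m.group(2)))
    return bans


def simulate_bans(log, maxretry=5, findtime=600):
    """Replay fail2ban's rule: an IP is banned on the failure that brings it to
    `maxretry` failures inside a sliding `findtime` window. Returns
    {ip: datetime_of_ban}. Later lines from a banned IP are ignored, since
    iptables would have dropped those connections."""
    window = defaultdict(deque)
    banned = {}
    limit = timedelta(seconds=findtime)
    for ts, ip in failed_logins(log):
        if ip in banned:
            continue
        recent = window[ip]
        while recent and ts - recent[0] > limit:
            recent.popleft()
        recent.append(ts)
        if len(recent) >= maxretry:
            banned[ip] = ts
    return banned


def unmatched_bans(log, maxretry=5, findtime=600):
    """IPs where the jail's recorded bans and the replay disagree (symmetric
    difference); an empty set means the auth log and fail2ban's log agree."""
    expected = set(simulate_bans(log, maxretry, findtime))
    actual = {ip for _, _, ip in bans_from_fail2ban(log)}
    return expected ^ actual


if __name__ == "__main__":
    for ip, when in simulate_bans(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} replay would ban {ip}")
    for when, jail, ip in bans_from_fail2ban(SAMPLE_LOG):
        print(f"{when:%b %d %H:%M:%S} fail2ban [{jail}] banned {ip}")
    print("discrepancies:", unmatched_bans(SAMPLE_LOG) or "none")
```

To run this against the lab instance rather than the constructed sample, concatenate the sshd failures (on Amazon Linux these typically go to /var/log/secure) with /var/log/messages and pass the text to the functions; both files need sudo to read, as the `Permission denied` in the first output shows. The second source in the sample, 203.0.113.9, fails twice more than an hour apart and is never banned, which is the findtime window doing its job: a slow trickle of failures from one address is not a lockout, only a burst is.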