Amazon Web Services: Install an Intrusion Prevention System (IPS) on an EC2 Instance
Install fail2ban on the first instance
SSH into first instance as cloud_user
Install fail2ban
sudo yum install fail2ban -y
sudo service fail2ban start
Output
Last login: Tue Sep 24 15:15:47 on ttys000
austinsonger@Songer ~ % ssh cloud_user@34.229.235.163
The authenticity of host '34.229.235.163 (34.229.235.163)' can't be established.
ECDSA key fingerprint is SHA256:JKRV/KYx3t6rwXxuc4fRFbIFE8NnO3laDLM4Y4RcObU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '34.229.235.163' (ECDSA) to the list of known hosts.
Password:
Password:
__| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
[cloud_user@ip-10-99-1-185 ~]$ sudo yum install fail2ban -y
[sudo] password for cloud_user:
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main | 2.1 kB 00:00:00
amzn-updates | 2.5 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.10-3.6.amzn1 will be installed
--> Processing Dependency: python27-inotify for package: fail2ban-0.8.10-3.6.amzn1.noarch
--> Processing Dependency: gamin-python(python27) for package: fail2ban-0.8.10-3.6.amzn1.noarch
--> Running transaction check
---> Package gamin-python.x86_64 0:0.1.10-16.14.amzn1 will be installed
--> Processing Dependency: gamin = 0.1.10-16.14.amzn1 for package: gamin-python-0.1.10-16.14.amzn1.x86_64
--> Processing Dependency: libgamin-1.so.0()(64bit) for package: gamin-python-0.1.10-16.14.amzn1.x86_64
---> Package python27-inotify.noarch 0:0.9.1-1.7.amzn1 will be installed
--> Running transaction check
---> Package gamin.x86_64 0:0.1.10-16.14.amzn1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=======================================================================================================
Package Arch Version Repository Size
=======================================================================================================
Installing:
fail2ban noarch 0.8.10-3.6.amzn1 amzn-main 169 k
Installing for dependencies:
gamin x86_64 0.1.10-16.14.amzn1 amzn-main 146 k
gamin-python x86_64 0.1.10-16.14.amzn1 amzn-main 34 k
python27-inotify noarch 0.9.1-1.7.amzn1 amzn-main 87 k
Transaction Summary
=======================================================================================================
Install 1 Package (+3 Dependent packages)
Total download size: 436 k
Installed size: 1.3 M
Downloading packages:
(1/4): gamin-python-0.1.10-16.14.amzn1.x86_64.rpm | 34 kB 00:00:00
(2/4): fail2ban-0.8.10-3.6.amzn1.noarch.rpm | 169 kB 00:00:00
(3/4): gamin-0.1.10-16.14.amzn1.x86_64.rpm | 146 kB 00:00:00
(4/4): python27-inotify-0.9.1-1.7.amzn1.noarch.rpm | 87 kB 00:00:00
-------------------------------------------------------------------------------------------------------
Total 791 kB/s | 436 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : gamin-0.1.10-16.14.amzn1.x86_64 1/4
Installing : gamin-python-0.1.10-16.14.amzn1.x86_64 2/4
Installing : python27-inotify-0.9.1-1.7.amzn1.noarch 3/4
Installing : fail2ban-0.8.10-3.6.amzn1.noarch 4/4
Verifying : fail2ban-0.8.10-3.6.amzn1.noarch 1/4
Verifying : python27-inotify-0.9.1-1.7.amzn1.noarch 2/4
Verifying : gamin-0.1.10-16.14.amzn1.x86_64 3/4
Verifying : gamin-python-0.1.10-16.14.amzn1.x86_64 4/4
Installed:
fail2ban.noarch 0:0.8.10-3.6.amzn1
Dependency Installed:
gamin.x86_64 0:0.1.10-16.14.amzn1 gamin-python.x86_64 0:0.1.10-16.14.amzn1
python27-inotify.noarch 0:0.9.1-1.7.amzn1
Complete!
[cloud_user@ip-10-99-1-185 ~]$ sudo service fail2ban start
Starting fail2ban: [ OK ]
[cloud_user@ip-10-99-1-185 ~]$ tail -f /var/logmessages
tail: cannot open ‘/var/logmessages’ for reading: No such file or directory
tail: no files remaining
[cloud_user@ip-10-99-1-185 ~]$ tail -f /var/log/messages
tail: cannot open ‘/var/log/messages’ for reading: Permission denied
tail: no files remaining
[cloud_user@ip-10-99-1-185 ~]$ sudo tail -f /var/log/messages
[sudo] password for cloud_user:
Sep 25 02:21:09 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 116860ms.
Sep 25 02:21:33 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 2606:c680:0:b:3830:34ff:fe66:6663
Sep 25 02:22:13 ip-10-99-1-185 fail2ban.filter : WARNING Determined IP using DNS Lookup: 23-116-10-38.lightspeed.cicril.sbcglobal.net = ['23.116.10.38']
Sep 25 02:22:39 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 2001:470:1f07:9fe::f00d
Sep 25 02:22:52 ip-10-99-1-185 fail2ban.actions: WARNING [ssh-iptables] Ban 54.227.171.118
Sep 25 02:23:06 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 120710ms.
Sep 25 02:23:44 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 2001:470:d43f:fff6:a:e:0:53
Sep 25 02:24:48 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 198.50.238.163
Sep 25 02:25:07 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 111610ms.
Sep 25 02:25:53 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 198.60.22.240
Sep 25 02:26:58 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 17.253.24.125
Sep 25 02:26:59 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 117400ms.
Sep 25 02:28:04 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 52.34.132.170
Sep 25 02:28:56 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 131450ms.
Sep 25 02:29:08 ip-10-99-1-185 ntpd[2536]: Soliciting pool server 2604:880:398:371::1
Trigger a ban through multiple failed logins
SSH into the second instance
Attempt SSH logins to the first instance using bad credentials
Do this 5 times to trigger a ban
Output
Last login: Tue Sep 24 21:16:29 on ttys000
austinsonger@Songer ~ % ssh cloud_user@54.227.171.118
The authenticity of host '54.227.171.118 (54.227.171.118)' can't be established.
ECDSA key fingerprint is SHA256:+bVHTcqDnwONAyHq29ep5KdOvK1oXJjcabPllvpVjgg.
Are you sure you want to continue connecting (yes/no)? zIhatexrpi
Please type 'yes' or 'no': yes
Warning: Permanently added '54.227.171.118' (ECDSA) to the list of known hosts.
Password:
__| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
[cloud_user@ip-10-99-1-182 ~]$ ssh cloud_user@34.229.235.163
The authenticity of host '34.229.235.163 (34.229.235.163)' can't be established.
ECDSA key fingerprint is SHA256:JKRV/KYx3t6rwXxuc4fRFbIFE8NnO3laDLM4Y4RcObU.
ECDSA key fingerprint is MD5:c7:79:54:cd:e3:c2:4b:78:20:18:58:b4:d0:c0:de:ad.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '34.229.235.163' (ECDSA) to the list of known hosts.
Password:
Password:
Password:
cloud_user@34.229.235.163's password:
Permission denied, please try again.
cloud_user@34.229.235.163's password:
Permission denied, please try again.
cloud_user@34.229.235.163's password:
Authentication failed.
[cloud_user@ip-10-99-1-182 ~]$
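The failed logins from the second instance show up on the first instance as the `fail2ban.actions: WARNING [ssh-iptables] Ban 54.227.171.118` line in /var/log/messages. Watching that file with `tail -f` works for a lab, but in practice you want to turn those lines into state: which addresses are banned right now, and which ones keep coming back. The script below is an added example, not part of the lab or of fail2ban itself. It assumes the fail2ban 0.8.x syslog line shape seen in the output above; the Ban line is quoted from the lab output, while the other fail2ban lines in the sample are constructed in the same format to exercise Unban handling.

```python
"""Parse fail2ban Ban/Unban events out of a syslog-style file such as /var/log/messages."""
import re
from collections import defaultdict

# fail2ban 0.8.x writes its actions to syslog in this shape (quoted from the lab output):
#   Sep 25 02:22:52 ip-10-99-1-185 fail2ban.actions: WARNING [ssh-iptables] Ban 54.227.171.118
# Unban lines use the same layout with "Unban" in place of "Ban".
ACTION_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) fail2ban\.actions:\s+\w+\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<action>Ban|Unban)\s+(?P<ip>\S+)$"
)


def parse_fail2ban_events(lines):
    """Return (timestamp, jail, action, ip) tuples for fail2ban action lines; other lines are skipped."""
    events = []
    for line in lines:
        m = ACTION_RE.match(line.rstrip("\n"))
        if m:
            events.append((m.group("ts"), m.group("jail"), m.group("action"), m.group("ip")))
    return events


def banned_now(events):
    """Replay Ban/Unban events in log order and return {jail: set of IPs still banned}."""
    state = defaultdict(set)
    for _ts, jail, action, ip in events:
        if action == "Ban":
            state[jail].add(ip)
        else:
            state[jail].discard(ip)
    return {jail: ips for jail, ips in state.items() if ips}


def ban_counts(events):
    """Count Ban events per IP across all jails so repeat offenders stand out."""
    counts = defaultdict(int)
    for _ts, _jail, action, ip in events:
        if action == "Ban":
            counts[ip] += 1
    return dict(counts)


# Constructed sample log (assumption): the ssh-iptables Ban of 54.227.171.118 is the
# line from the lab; the Unban, the second Ban and the 203.0.113.7 entries are made up.
SAMPLE_LOG = """\
Sep 25 02:21:09 ip-10-99-1-185 dhclient[2188]: XMT: Solicit on eth0, interval 116860ms.
Sep 25 02:22:13 ip-10-99-1-185 fail2ban.filter : WARNING Determined IP using DNS Lookup: example.invalid = ['203.0.113.7']
Sep 25 02:22:52 ip-10-99-1-185 fail2ban.actions: WARNING [ssh-iptables] Ban 54.227.171.118
Sep 25 02:30:00 ip-10-99-1-185 fail2ban.actions: WARNING [ssh-iptables] Ban 203.0.113.7
Sep 25 02:32:52 ip-10-99-1-185 fail2ban.actions: WARNING [ssh-iptables] Unban 54.227.171.118
Sep 25 02:40:00 ip-10-99-1-185 fail2ban.actions: WARNING [ssh-iptables] Ban 54.227.171.118
"""


def summarize(text):
    """Convenience wrapper: parse a log body and return (currently banned, ban counts)."""
    events = parse_fail2ban_events(text.splitlines())
    return banned_now(events), ban_counts(events)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/messages").read() on the instance (needs sudo).
    current, counts = summarize(SAMPLE_LOG)
    for jail, ips in current.items():
        print(f"[{jail}] currently banned: {sorted(ips)}")
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{ip} banned {n} time(s)")
```

Run it with `sudo python3 fail2ban_events.py` after pointing it at /var/log/messages; the `tail -f` permission error in the lab output shows why sudo is needed. The `fail2ban.filter : WARNING Determined IP using DNS Lookup` line in the lab output is worth noticing separately: it means fail2ban found a hostname rather than an address in the log and resolved it over DNS before deciding whom to ban, which is the behaviour governed by the `usedns` setting in jail.conf.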