Intrusion Prevention with Fail2Ban

"Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, for example, iptables or TCP Wrapper." (Wikipedia)

To further lock down the exposed SSH endpoint I manage, I decided to use Fail2Ban, since it ships filters for many services (sshd, apache, etc.) and can drive IPTables to ban the offending source addresses.

Installing Fail2Ban is simple and can be completed in a few steps, assuming you have sudo or root access to the system you are managing.

Here are the steps you might follow to accomplish this:

Log into your system, then update the package lists and installed packages:

sudo apt-get update
sudo apt-get upgrade -y

Next, install Fail2Ban via apt-get:

sudo apt-get install fail2ban

Tell Fail2Ban about your SSH configuration by opening /etc/fail2ban/jail.local with the following command:

sudo nano /etc/fail2ban/jail.local

Add the following to /etc/fail2ban/jail.local (the file does not exist on a fresh install; creating it is the point, because jail.conf is overwritten on package upgrades while jail.local survives them):

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3

Two things to know about this block. The jail name is arbitrary here because filter = sshd is set explicitly; the jail Fail2Ban ships for OpenSSH is called [sshd], and on a current Ubuntu release it is usually already enabled, so reuse that name rather than define a second jail over the same log. And banaction = iptables-allports ignores the port setting by design: a source that reaches maxretry failures inside findtime (both 900 seconds, i.e. 15 minutes) is blocked on every port for bantime, not just on SSH.

Restart the Fail2Ban service so it loads the new jail (a reboot is not required):

sudo service fail2ban restart

To view banned IPs you can read the chain Fail2Ban maintains in IPTables: each jail gets its own chain, named f2b-<jail> (fail2ban-<jail> on older releases), holding one rule per banned address. Use the following command:

sudo iptables -L -n --line-numbers

Fail2Ban's own client reports the same list per jail, together with the number of current and total bans: run fail2ban-client status followed by the jail name (ssh for the jail defined above).

At the end of the day, strong credentials (better still, key-only authentication with PasswordAuthentication disabled in sshd) are what actually protect you. Fail2Ban only slows a bad actor down: a patient attacker who spaces attempts wider than findtime, or spreads them across many source addresses, never reaches maxretry and is never banned.
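To see what the bantime, findtime and maxretry settings above actually do, here is a small Python model of the jail's counting rule. It is added here as an illustration and is not Fail2Ban's own code: it replays constructed auth.log lines (not a real log; addresses are from the RFC 5737 documentation ranges) and reports which sources would be banned and when. The regex covers only the sshd "Failed password" line, which is one of several lines the real sshd filter matches, and the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Same thresholds as the jail.local above (seconds, as Fail2Ban reads them)
FINDTIME = 900
BANTIME = 900
MAXRETRY = 3

# One of the sshd lines the stock sshd filter keys on: timestamp, host,
# process, then "Failed password for [invalid user] <name> from <ip> ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_failed_login(line, year=2019):
    """Return (timestamp, user, source_ip) for a failed-password line, else None.
    syslog timestamps carry no year, so one is supplied (assumed 2019 here)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())          # collapse "Mar  8" to "Mar 8"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def simulate(lines, findtime=FINDTIME, bantime=BANTIME, maxretry=MAXRETRY):
    """Replay log lines in order with Fail2Ban's counting rule: a source that
    accumulates `maxretry` failures inside any `findtime` window is banned
    for `bantime`. Returns {source_ip: [(ban_start, ban_end), ...]}."""
    findwin, banwin = timedelta(seconds=findtime), timedelta(seconds=bantime)
    recent = defaultdict(deque)     # ip -> failure timestamps still inside findtime
    banned_until = {}               # ip -> when its firewall rule expires
    bans = defaultdict(list)
    for line in lines:
        rec = parse_failed_login(line)
        if rec is None:
            continue                # not a failure line (e.g. a successful login)
        ts, _user, ip = rec
        if ip in banned_until and ts < banned_until[ip]:
            continue                # rule is in place: sshd would never see this
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findwin:
            window.popleft()        # failures older than findtime no longer count
        if len(window) >= maxretry:
            banned_until[ip] = ts + banwin
            bans[ip].append((ts, ts + banwin))
            window.clear()
    return dict(bans)

# Constructed sample, not a real log: a fast attacker, a slow one, and a
# legitimate key-based login. Addresses are from the RFC 5737 test ranges.
SAMPLE_LOG = """\
Mar  8 10:00:01 bastion sshd[2101]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  8 10:00:04 bastion sshd[2103]: Failed password for root from 203.0.113.5 port 51001 ssh2
Mar  8 10:00:05 bastion sshd[2104]: Failed password for invalid user admin from 198.51.100.7 port 40210 ssh2
Mar  8 10:00:09 bastion sshd[2108]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Mar  8 10:00:12 bastion sshd[2110]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar  8 10:10:05 bastion sshd[2130]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Mar  8 10:20:05 bastion sshd[2150]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2
Mar  8 10:30:05 bastion sshd[2160]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, periods in simulate(SAMPLE_LOG).items():
        for start, end in periods:
            print(f"{ip} banned {start:%H:%M:%S} until {end:%H:%M:%S}")
    # 203.0.113.5 is banned at 10:00:09 until 10:15:09; 198.51.100.7 never
    # reaches maxretry with findtime=900, but does with findtime=3600.
```

Note the second source: three failures spaced ten minutes apart never add up to maxretry inside a 15-minute findtime, which is exactly the "slows them down, does not stop them" point. Running simulate(SAMPLE_LOG, findtime=3600) does ban it, at the price of more false positives for legitimate users who mistype a few times over an hour.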

Techshort: IP Addresses with PowerShell

Quick PowerShell Tip!

To list all of the IP addresses, both v4 and v6 on your local system, along with the associated interface name issue the following command:

Get-NetIPAddress | Select IPAddress, InterfaceAlias | Out-GridView

What you get from the above command is a grid view window whose rows can be copied and pasted into a document. Out-GridView needs an interactive Windows desktop session; it is not available on Server Core or, without an add-on module, in PowerShell on Linux and macOS, so pipe to Format-Table instead in those environments.

Security News: Citrix Breach

If you haven't heard, Citrix disclosed on March 8, 2019 that attackers had gained access to its internal network; the FBI's working theory, as relayed by Citrix, was that the way in was a compromised employee account obtained through password spraying.

Password spraying is an attack that tries a few commonly used passwords against a large number of accounts (usernames), one or two guesses per account, so that no single account reaches a lockout threshold. A traditional brute-force attack works the other way round: many password guesses against a single account.

The exploitation of weak passwords has become an increasing worry for all of us working in IT where security matters. It has been reported, though not confirmed by Citrix, that the compromised account was used to access and steal 6 TB of sensitive data from email, file shares, and database applications.

At this point the question in your mind is, or should be: what could have helped to prevent this?

My simple response is: develop a policy of using and enforcing strong passwords, configure proactive authentication monitoring and take the time to look for password spraying, and please audit user passwords against common and acquired leaked password lists.
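The monitoring part of that advice needs a rule that can tell spraying from ordinary brute force, because the two look different in authentication logs: brute force is one account hit many times from one source, while a spray is many accounts hit once or twice each, deliberately staying under the lockout threshold. The Python below is an added illustration, not Citrix's or any product's detector. Its events are constructed (timestamp, username, source address) tuples with RFC 5737 documentation addresses, and the thresholds are assumptions to be tuned against your own baseline.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions; tune them to your own baseline.
WINDOW = timedelta(hours=1)
SPRAY_MIN_ACCOUNTS = 10     # distinct accounts failing inside WINDOW
SPRAY_MAX_PER_ACCOUNT = 2   # each hit only a little, to stay under lockout
BRUTE_MIN_ATTEMPTS = 10     # one account hammered this often from one source

def _in_window(events, end, window):
    """Events with timestamps in (end - window, end]."""
    return [e for e in events if end - window < e[0] <= end]

def _looks_like_spray(per_user):
    return (len(per_user) >= SPRAY_MIN_ACCOUNTS
            and max(per_user.values()) <= SPRAY_MAX_PER_ACCOUNT)

def classify_sources(events, window=WINDOW):
    """events: (timestamp, username, source_ip) tuples for failed logons.
    Returns {source_ip: "spray" | "brute-force" | "normal"}, judged per source."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[2]].append(ev)
    labels = {}
    for src, evs in by_src.items():
        labels[src] = "normal"
        for ts, _, _ in evs:
            per_user = Counter(u for _, u, _ in _in_window(evs, ts, window))
            if max(per_user.values()) >= BRUTE_MIN_ATTEMPTS:
                labels[src] = "brute-force"
                break
            if _looks_like_spray(per_user):
                labels[src] = "spray"
                break
    return labels

def spray_across_sources(events, window=WINDOW):
    """Tenant-wide view: a spray spread over many source addresses shows one or
    two failures per source, which the per-source rule calls normal. Counting
    distinct accounts instead of sources still exposes it."""
    evs = sorted(events)
    for ts, _, _ in evs:
        per_user = Counter(u for _, u, _ in _in_window(evs, ts, window))
        if _looks_like_spray(per_user):
            return True
    return False

# Constructed events (no real data): times relative to T0, RFC 5737 addresses.
T0 = datetime(2019, 3, 8, 9, 0)
def _ev(minutes, user, src):
    return (T0 + timedelta(minutes=minutes), user, src)

ACCOUNTS = [f"user{i:02d}" for i in range(12)]
# Single-source spray: 12 accounts, one guess each, spread over 22 minutes.
SPRAY_EVENTS = [_ev(2 * i, u, "203.0.113.5") for i, u in enumerate(ACCOUNTS)]
# Classic brute force: one account, 15 guesses in under five minutes.
BRUTE_EVENTS = [_ev(i / 3, "admin", "198.51.100.7") for i in range(15)]
# A real user who mistyped twice.
NORMAL_EVENTS = [_ev(10, "alice", "192.0.2.10"), _ev(11, "alice", "192.0.2.10")]
# Distributed spray: each account guessed once, every guess from a different source.
DISTRIBUTED_EVENTS = [_ev(2 * i, u, f"198.51.100.{100 + i}") for i, u in enumerate(ACCOUNTS)]

if __name__ == "__main__":
    print(classify_sources(SPRAY_EVENTS + BRUTE_EVENTS + NORMAL_EVENTS))
    print(classify_sources(DISTRIBUTED_EVENTS))      # every source looks normal
    print(spray_across_sources(DISTRIBUTED_EVENTS))  # True
```

The per-source rule is what a host-level tool like Fail2Ban can apply, and it does catch a spray that comes from one address. The second function is the reason the monitoring has to be done centrally: once the attacker rotates source addresses, only a view across all accounts (directory, VPN or mail gateway logs, not a single server) still shows the pattern.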

Citrix said it “still doesn’t know what specific data was stolen, but an initial investigation appears to show the attackers may have obtained business documents”.

While Citrix is moving as quickly as possible, it's a sad turn of events that companies are reactive only and that measures to prevent such attacks are lacking.

Is this your company? Let’s hope not, because you can be next.

For more info from Citrix stop by their blog – https://www.citrix.com/blogs/2019/03/08/citrix-investigating-unauthorized-access-to-internal-network/

Techshort: What is microk8s?

microk8s is Kubernetes, installed locally! microk8s is designed to be a fast and lightweight upstream Kubernetes install, isolated from your host but not via a virtual machine. This isolation is achieved by packaging all the upstream binaries for Kubernetes, Docker.io, iptables, and CNI in a single snap package, which is why it is installed with snap below.

What I have learned is that if you have been a user of Docker, then Kubernetes is a lightweight variant.

Installing microk8s is simple (on Ubuntu 18.04). Here are some quick steps to get started:

sudo snap install microk8s --classic

Once installed confirm its running with the following:

microk8s.kubectl cluster-info

You can (I have) expose the management UI. A buddy of mine says I shouldn't. Do this by enabling it with the following command:

microk8s.enable dns dashboard ingress

Then expose this via the host with the following:

microk8s.kubectl proxy --accept-hosts=.* --address=0.0.0.0 &

Now you can get to the dashboard by using the host’s IP address or host name:

http://{ip_or_hostname}:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

Before leaving that proxy running, understand what it does: kubectl proxy authenticates to the API server with the admin credentials in your kubeconfig and then answers on 0.0.0.0:8001 with no authentication of its own, so anyone who can reach that port gets the same access to the whole cluster API, not just the dashboard. The safer pattern is to keep the proxy on its default 127.0.0.1 binding and reach it through an SSH port forward, or at least restrict port 8001 to your own address in the host firewall.

Anyhow, more information can be located here: https://microk8s.io/docs/

Techshort: Difference between horizontal and vertical scaling

As system and application owners we reach a point where we need to grow our environment, and the question that comes up is which way to scale.

So let’s start with some defining methods of scaling today:

Horizontal scaling – where you scale by adding more machines (workers) into your pool of resources.

Vertical scaling – where you scale by adding more power (CPU, RAM, DISK) to an existing resource.

Use case:

Horizontal scaling is easy in the sense that you can keep adding machines to the existing pool of resources, provided the application can spread its work across them. Vertical scaling, on the contrary, is limited by the capacity of a single machine: each step up usually means a reboot or a VM resize, so it costs downtime, and there is a hard upper limit you cannot scale past.

Limitations:

I have been reading that hypervisors may pose limitations to the ability to scale, as different hypervisors impose different limits on the number of resources that can be allocated.

An example would be VMware ESXi 6.7. Each VM can have up to 128 virtual CPUs, 6 TB (6,128 GB) of memory, virtual disk files up to 62 TB, and up to 10 virtual network interface controllers (NICs). Support has been added for things such as virtual NVMe (NVM Express) controllers, but the absolute limits still cap how far a single VM can be scaled up.

Why are you thinking about this?

My recent work with Kubernetes & Docker has me looking at how they function from a resource level and I see the potential for them to surpass what I can do today with hypervisors alone.