×
Community Blog Using PyFilter on Alibaba Cloud to Filter SSH Login Attempts

Using PyFilter on Alibaba Cloud to Filter SSH Login Attempts

This tutorial explains how to set up the PyFilter client to monitor a Secure Socket Shell (SSH) connection on Alibaba Cloud.

By Alex, Alibaba Cloud Community Blog author.

Secure Socket Shell (SSH) is a network protocol that allows secure administration of remote computers. It also refers to the utilities that enable the protocol to work. With SSH, administrators have access to reliable authentication through secure and encrypted communication between computers. Therefore, SSH allows private communications via open and insecure internet.

Most network administrators use the protocol to remotely manage systems and applications by logging into computers, executing commands and modifying files or transferring data between networks. While all this is useful within the context of access, it is also crucial to understand how the protocol works.

SSH employs a client-server model wherein a shell client application securely displays the session of the connected SSH server. Most operating systems support SSH software including Ubuntu, Microsoft Windows, and Linux among others. SSH helps to tunnel requests, transfer files with a secure file transfer or secure copy, or forward arbitrary Transmission Control Protocol (TCP) ports and X11 connections. All SSH servers listen to incoming requests on a standard TCP port 22 by default. SSH has three key utilities that include slogin, ssh, and scp. With public-key cryptography, SSH enables remote computer authentication and remote user authentication from the remote computer.

On the other hand, PyFilter is a reliable server security tool that filters requests and blocks the illegitimate requests from getting through to the server. It also balances the authentication attempts by blocking excess requests. To execute the task, PyFilter must access log files and check failed attempts to form an IP address. If a particular IP address sends too many authentication requests, PyFilter adds rules to the firewall using a user-configurable protocol. The tool is easy to use and takes less than five minutes for installation. This tutorial gives a walkthrough on how to install and configure PyFilter on an Alibaba Cloud Ubuntu 18.04 Elastic Compute Service (ECS) instance.

Tutorial Requirements

The following are the essential requirements for this tutorial:

  • An Alibaba Cloud ECS instance running Ubuntu 18.04. Learn how to set up Ubuntu 18.04 server on Alibaba Cloud through this tutorial.
  • Python 3
  • PIP
  • Redis installed on the Ubuntu server for cross-server syncs.

Download and Configure PyFilter Client

Begin with git clone PyFilter from the GitHub repository. Save the repository in the machine's temporary directory.

Change to /tmp directory using the following command.

cd /tmp

Now run the git clone command.

git clone https://github.com/Jason2605/PyFilter.git

The process creates a new directory in the home directory called PyFilter. Execute the following command to confirm the download.

ls

The snippet below shows the output for the preceding command.

PyFilter
Other files and directories

Next, move PyFilter to /usr/local as shown below.

sudo mv PyFilter /usr/local/PyFilter

Also, change to the /usr/local/PyFilter directory by running the following command.

cd /usr/local/PyFilter

Next, configure a working file for PyFilter. Since it already has a default configuration file accessible at Config/config.default.json, use it as the base for the working configuration file. While it's not mandatory to retain the default file, it is important for avoiding mistakes.

cd Config
sudo cp config.default.json config.json

Use the editor to view and edit the configuration file contents.

sudo nano config.json

The snippet below shows the Redis section which is of particular interest for this tutorial.

  "redis": {
    "host": "127.0.0.1",
    "password": null,
    "database": 0,
    "sync_bans": {
      "active": true,
      "name": "1",
      "check_time": 600
    }

Let's install Redis and modify the section shown above in the subsequent segment.

Install Redis

Redis blocks automated bots that may be trying to gain access to the systems. Install Redis in the server by running the command below.

sudo apt install python3-pip
pip3 install redis

The snippet below shows the output for the preceding command.

Installing collected packages: redis
Successfully installed redis-3.2.1

Now edit config.json for Redis. Run the following command to open the file in the editor.

sudo nano config.json

Make the necessary changes in the file as shown below.

Config.json
{
  "settings": {
    "database": "redis",


  "redis": {
    "host": "127.0.0.1",
    "password": null,
    "database": 0,
    "sync_bans": {
      "active": true,
      "name": "hostname",
      "check_time": 600
    }
  },

The Redis parameters enable Pyfilter to connect to the Redis server. Usually, Redis is very crucial for syncing banned IP addresses across server instances. The sync_bans parameter shares the banned lists to all the servers but the system must have a unique name else the sync fails.

Save the changes and exit the editor. Let's run PyFilter in the next step.

Launching PyFilter Client

Now launch the client using either the run.sh script or run.py script method. For this tutorial, let's use the python file as shown below.

sudo python3 run.py

The snippet below shows the output from the logs file output once the client starts.

Output

No file to check within rule: Mysql
No file to check within rule: Apache
No file to check within rule: Nginx
Checking Ssh logs
IP: 58.242.83.35 has been blacklisted and the firewall rules have been updated.                                                                                         Acquired 5 bad connections via ssh.
IP: 168.227.56.242 has been blacklisted and the firewall rules have been updated                                                                                        . Acquired 5 bad connections via ssh.
IP: 103.28.57.86 has been blacklisted and the firewall rules have been updated.                                                                                         Acquired 5 bad connections via ssh.
IP: 51.158.69.8 has been blacklisted and the firewall rules have been updated. Acquired 5 bad connections via ssh.
Saving newly blacklisted IP's!

The PyFilter client bans an IP address if it attempts to make a request five seconds after an unsuccessful attempt. However, there is always an option to change such settings in the configuration file. To move ahead, the system requires a PyFilter service that runs automatically. So, let's install service for the same in the next step.

Create a PyFilter Service

After successfully running the PyFilter client, now let's configure a service to run it automatically when the server reboots.

The files in the PyFilter directory include run.sh and install.sh scripts that help to launch the client and create a service.

First, run the following commands to amend the permissions on both scripts to make them executable.

sudo chmod +x run.sh
sudo chmod +x install.sh

Run the command below to see the contents of the run.sh script.

nano run.sh

The snippet below shows the output for the preceding command.

#!/usr/bin/env bash

sudo python3 run.py

Note that it's a script to launch the client as shown earlier.

Again, execute the following command to inspect the install.sh scripts.

nano install.sh

The snippet below shows the output for the preceding command.

#!/usr/bin/env bash

if ! [ -f "/etc/systemd/system/PyFilter.service" ]
then
    sudo python3 create_service.py
    sudo mv PyFilter.service /etc/systemd/system/PyFilter.service
    sudo chmod +x run.sh
    sudo systemctl daemon-reload
    sudo systemctl start PyFilter
    sudo systemctl enable PyFilter
    echo Service created and enabled, check the status of it by using \"sudo systemctl status PyFilter\"
else
    echo Service already created.
    echo Check the status of it by using \"sudo systemctl status PyFilter\"
fi

On launching the script, a series of commands executes and creates a PyFilter service in the system.

Use the command below to launch it.

./install.sh

Successful execution of the script results in the output similar to the one below.

Output

Service created and enabled, check the status of it by using "sudo systemctl status PyFilter"

Everything seems to be running well.

Run a status check by executing the following command.

sudo systemctl status PyFilter

Executing the above command results in an output similar to the one below.

- PyFilter.service - PyFilter
   Loaded: loaded (/etc/systemd/system/PyFilter.service; enabled; vendor preset: enabled)
   Active: <^>active^> (running) since Wed 2019-05-01 07:50:38 UTC; 38min ago
 Main PID: 12474 (bash)
   CGroup: /system.slice/PyFilter.service
           \A9\C0\A9\A412474 bash /usr/local/PyFilter/run.sh
           \A9\C0\A9\A412475 sudo python3 run.py
           \A9\B8\A9\A412478 python3 run.py

Ensure not to skip the status check to verify whether everything is running well. Here is an example of an error.

- PyFilter.service - PyFilter
   Loaded: loaded (/etc/systemd/system/PyFilter.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-05-01 07:50:38 UTC; 38min ago
  Process: 12474 ExecStart=/usr/local/PyFilter/run.sh (code=exited, status=1/FAILURE)
 Main PID: 12474 (code=exited, status=1/FAILURE)

May 01 07:50:38 Tuts sudo[12475]: pam_unix(sudo:session): session opened for user root by (uid=0)
May 01 07:50:38 Tuts run.sh[12474]: Traceback (most recent call last):
May 01 07:50:38 Tuts run.sh[12474]:   File "run.py", line 4, in <module>
May 01 07:50:38 Tuts run.sh[12474]:     p = PyFilter()
May 01 07:50:38 Tuts run.sh[12474]:   File "/usr/local/PyFilter/pyFilter/py_filter.py", line 22, in __init__
May 01 07:50:38 Tuts run.sh[12474]:     with open(file_path, "r") as config:
May 01 07:50:38 Tuts run.sh[12474]: FileNotFoundError: [Errno 2] No such file or directory: 'Config/config.json'
May 01 07:50:38 Tuts sudo[12475]: pam_unix(sudo:session): session closed for user root
May 01 07:50:38 Tuts systemd[1]: PyFilter.service: Main process exited, code=exited, status=1/FAILURE
May 01 07:50:38 Tuts systemd[1]: PyFilter.service: Failed with result 'exit-code'.

In case of errors, re-install the client and follow the highlighted steps above.

Unban IP Addresses

It is crucial to know how to unban IP addresses as PyFilter may lock you out of your server. In such a scenario, login from the console and manually delete banned IPs. The file that stores information on banned IPs is - /usr/local/PyFilter/Config/blacklist.v4. Also, the file /usr/local/PyFilter/Config/blacklist.v6 holds information about IP rules.

Run the following commands to get the list of banned IPS

cd /usr/local/PyFilter/Config
sudo nano blacklist.v4

The following snippet shows the banned IPs.

# Generated by iptables-save v1.6.1 on Wed May  1 08:20:22 2019
*filter
:INPUT ACCEPT [49:4006]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:5180]
-A INPUT -s 51.158.69.8/32 -j DROP
-A INPUT -s 104.248.140.212/32 -j DROP
-A INPUT -s 149.202.55.176/32 -j DROP
-A INPUT -s 112.161.29.50/32 -j DROP
-A INPUT -s 58.242.83.38/32 -j DROP
-A INPUT -s 128.199.230.16/32 -j DROP
-A INPUT -s 58.163.88.42/32 -j DROP
-A INPUT -s 76.79.74.58/32 -j DROP
-A INPUT -s 106.51.54.198/32 -j DROP
-A INPUT -s 180.151.8.180/32 -j DROP
-A INPUT -s 109.207.159.178/32 -j DROP
-A INPUT -s 120.29.156.251/32 -j DROP
-A INPUT -s 148.70.11.143/32 -j DROP
-A INPUT -s 179.110.29.67/32 -j DROP
-A INPUT -s 118.89.229.244/32 -j DROP
-A INPUT -s 193.112.174.67/32 -j DROP
-A INPUT -s 134.175.154.182/32 -j DROP
-A INPUT -s 36.103.243.247/32 -j DROP
-A INPUT -s 103.28.57.86/32 -j DROP
-A INPUT -s 168.227.56.242/32 -j DROP
-A INPUT -s 58.242.83.35/32 -j DROP
COMMIT
# Completed on Wed May  1 08:20:22 2019

Unban blocked IP addresses by accessing the associated blacklist file in the editor as shown below.

sudo nano blacklist.v4
# Generated by iptables-save v1.6.1 on Wed May  1 08:20:22 2019
*filter
:INPUT ACCEPT [49:4006]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:5180]
-A INPUT -s 51.158.69.8/32 -j DROP
-A INPUT -s 104.248.140.212/32 -j DROP
-A INPUT -s 149.202.55.176/32 -j DROP
-A INPUT -s 112.161.29.50/32 -j DROP
-A INPUT -s 58.242.83.38/32 -j DROP
COMMIT
# Completed on Wed May  1 08:20:22 2019

Save the file and exit the editor.

Now restart the client to effect the changes using the command below.

sudo systemctl restart PyFilter

Gathering IP Location Data

PyFilter also collects location data from banned IPs for analysis on the location of attacks. Including such information in logs requires installing geoip2 module.

pip3 install geoip2

Next, restart PyFilter by running the command below.

sudo systemctl restart PyFilter

Now, all banned IPs will appear as shown in the following output snippet.

2018-08-14 14518:05 Found IP: 196.4.100.13 from server: my_server. The IP was from Kenya.

Conclusion

This tutorial explains how to install and configure the PyFilter client to monitor SSH connection to the Alibaba Cloud Ubuntu server. The PyFilter is known for its simplicity and effective features. Alibaba Cloud offers extensive security features. However, to ensure that users are in better control of their security, PyFilter helps to determine legitimate IP addresses as well as the ones that should not be allowed to access the server.

If you don't have an Alibaba Cloud account yet, sign up for an account and try over 40 products for free worth up to $1300. Get Started with Alibaba Cloud to learn more.

0 0 0
Share on

Alex

42 posts | 4 followers

You may also like

Alex

42 posts | 4 followers

Related Products