Tuesday, December 27th, 2016 at 11:31am

4 Days in the Life of a Firewall

Posted by Jordan Erickson

fail2ban, 4 days

I thought I’d share a screenshot of a firewall application that helps protect my public web + email server. This server hosts this domain (logicalnetworking.net) and a number of other domains.To me it symbolizes the constant barrage of attacks that public, Internet-facing servers and services face on a daily basis.

The above log shows entries for 4 days only. That’s 33 unique systems blocked in less than 100 hours.

Each line represents an IP address on the Internet that attempted to hack into a certain aspect of the server. Some tried to break into email server accounts (postfix, sasl), others tried to brute-force the secure shell (ssh) logins, and yet others tried to attack my webserver and create a “denial of service” situation (apache-noscript).

The firewall component I’m using (called, “fail2ban“) is actually a supplementary defense measure that works along with other, lower-lying mechanisms on the server (namely the low-level firewall command, “iptables” and system logging facility, “syslog”). Technically it is considered “intrusion prevention software (IPS)” which is a type of firewalling technique. How it works is this: after a certain number of unauthorized access attempts occur (from monitoring security logs via syslog), it “bans” the IP address associated with the attack on the service it is attacking (via iptables).

fail2ban is a great piece of software that swiftly handles attackers and protects servers from ignored intrusion attempts. In my opinion a secondary benefit is keeping resource usage to a minimum by blocking the subsequent attack attempts at the firewall (iptables) level. Even if an attacker keeps attempting to break in after it’s been blocked at the iptables level, the resources my system must exert to deny communications to the service in which it’s attacking is vastly less intense than the service itself denying access. I have my configuration for all services set to ban an IP address that fails 6 login attempts or conducts 6 consecutive attempts to somehow compromise the system. This quickly mitigates attacks before they get out of hand.

Along with common-sense I.T. security practices such as strong passwords, installing security updates as soon as they are released, encrypted communications on every service and a strong base-level firewall techniques, blocking offender IPs at the firewall level has done a lot of good for my servers. Otherwise, these IPs would continue to hammer on these services day in and day out. This would not only take up additional resources such as bandwidth, CPU, memory usage and electricity, but may actually give attackers enough time to break into one of the services, given enough attempts over months or years of time.

No firewall can replace common sense security practices. Given this fact, I feel that fail2ban is a great tool in the security conscious Linux systems administrator’s arsenal.

© 2016 Logical Networking Solutions: Lake and Sonoma County Computer Repair