Install Fail2Ban on Ubuntu to protect services

Many common adminstrative services such as VPN and SSH are exposed on known port numbers, unfortunately this makes it easy for hackers to use tools to attempt to access the systems. Use of countermeasures such as Fail2Ban can block them after a few failed attempts.

Installation Steps:

  1. sudo apt-get install fail2ban
  2. sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  3. sudo vi /etc/fail2ban/jail.local
  4. Update:
    destemail & sender
  5. OPTIONAL:
    Splunk:
    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/fail2ban.log -index main -sourcetype Fail2Ban

    Splunk (manual):
    sudo vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf

    [monitor:///var/log/fail2ban.log]
    disabled = false
    index = main
    sourcetype = Fail2Ban

  6. sudo service fail2ban restart

REFERENCES:

Adding OpenVPN logs to Splunk on Ubuntu

By default, in most Linux distros, OpenVPN log output goes to the syslog, which is usually at /var/log/syslog. However, your config files can set the logfile location explicitly, as shown below:

  1. sudo vi /etc/openvpn/server.conf
  2. Change or add:
    log-append /var/log/openvpn.log
  3. Restart to use the new config:
    sudo service openvpn restart
  4. Add to Splunk forwarder:
    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/openvpn.log -index main -sourcetype OpenVPN

    Splunk (manual):
    sudo vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf

    [monitor:///var/log/openvpn.log]
    disabled = false
    index = main
    sourcetype = OpenVPN

REFERENCES:

Private SSH SOCKS Tunnel

The use of SSH private tunnels as a “poor man’s VPN” is pretty common. When doing so, you can easily tunnel (map) traffic destined to specific ports thru the tunnel to their intended destination.

Common Ports:

  • CVS: ┬áL2401
  • SVN: L3690
  • git: L9418 tcp
  • mysql: L3306
  • rdp: L3389 tcp
  • socks4/socks5: D1080 (no host required)

REFERENCES: