Interesting findings on ssh fail2ban

As this is my private VPS, it is super annoying to see people attempting to ssh into my server.

I am currently using fail2ban to filter out IPs that attempt to ssh into my server multiple times and have them permabanned.

It’s been one month since it was implemented and these are the current statistics.

It is interesting to see China being the main source of banned IPs.

Maybe they are being too aggressive and keep on triggering my ban rules?

Still, there are plenty of other countries being banned too.

Banned IP country status
Total IP banned: 126
1 GeoIP Country Edition: A1, Anonymous Proxy
2 GeoIP Country Edition: CA, Canada
1 GeoIP Country Edition: CH, Switzerland
57 GeoIP Country Edition: CN, China
1 GeoIP Country Edition: CO, Colombia
1 GeoIP Country Edition: CZ, Czech Republic
4 GeoIP Country Edition: DE, Germany
1 GeoIP Country Edition: DO, Dominican Republic
4 GeoIP Country Edition: GB, United Kingdom
1 GeoIP Country Edition: HK, Hong Kong
1 GeoIP Country Edition: ID, Indonesia
4 GeoIP Country Edition: IN, India
5 GeoIP Country Edition: IP Address not found
2 GeoIP Country Edition: IT, Italy
1 GeoIP Country Edition: JP, Japan
5 GeoIP Country Edition: KR, Korea, Republic of
1 GeoIP Country Edition: NI, Nicaragua
5 GeoIP Country Edition: NL, Netherlands
1 GeoIP Country Edition: PE, Peru
1 GeoIP Country Edition: PK, Pakistan
1 GeoIP Country Edition: RO, Romania
3 GeoIP Country Edition: RU, Russian Federation
1 GeoIP Country Edition: SE, Sweden
3 GeoIP Country Edition: TH, Thailand
1 GeoIP Country Edition: TR, Turkey
2 GeoIP Country Edition: TW, Taiwan
2 GeoIP Country Edition: UA, Ukraine
11 GeoIP Country Edition: US, United States
2 GeoIP Country Edition: VN, Vietnam
1 GeoIP Country Edition: ZA, South Africa

Sample bash script source code to get the results above

#!/bin/bash

# Gets the list of IPs currently banned for sshd in fail2ban.
# Strip everything up to the "Banned IP list:" label instead of cutting on ":"
# so that IPv6 addresses (which contain colons) survive; the list itself is
# whitespace-separated, so turn blanks into newlines and drop empty lines.
IP_LIST=$(fail2ban-client status sshd | sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s ' \t' '\n' | sed '/^$/d')

# Count the IPs (grep -c . gives 0 for an empty list, where wc -l would give 1)
echo "Total IP banned: $(echo "$IP_LIST" | grep -c .)"

# Uses geoiplookup (needs the legacy GeoIP country database installed) to
# locate the country of each IP, then counts the hits per country
( for IP in $IP_LIST ; do geoiplookup "$IP" ; done ) | sort | uniq -c

Website is UP

After a few days of work on the server backend, I believe almost everything is finally up now.

There were quite a lot of things that caused me issues in the backend.

DNS and Domain Issues

Firstly, I got my domain name and proceeded to register my DNS nameservers.

I waited for 3 days, wondering why the nameservers would not propagate to the world.

It turns out that I hadn’t created the DNS zone at my hosting provider, having assumed that I could only create the zone after the nameservers propagated.

I kept getting an invalid hostname error when trying to create a DNS zone at my hosting provider, and after I logged a ticket with them, they said I had left a trailing space after my domain name, which caused the field to fail validation.

It seems like stupid stuff happens everywhere; I had assumed that whitespace in strings would already be trimmed before being sent to the server.

It is not as if I have not seen that before, though, so I reminded myself not to be complacent anymore.


HTTPS Issues

HTTPS was pretty straightforward. Once all the DNS records were validated, getting Let’s Encrypt to issue my cert was pretty easy.

Then it was just a matter of getting Apache to use the certs and redirect all HTTP requests to HTTPS.

The certs are valid for 90 days and the renewal client only renews them once they are within 30 days of expiry (i.e. after about 60 days), so I just set up a weekly cronjob that attempts to renew the cert.

Hopefully there are no issues with this, but I will need to check in 2 months.


Security Issues

Within a few hours of bringing up the server, I was already seeing frequent attempts to log in to my server.

That means I have to do everything I can think of to make it secure: enabling SELinux and the firewall, disabling password login, disabling root ssh login, etc.
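To check that the two sshd settings above actually took effect, here is an added example (not code from the original post) that audits an sshd_config file for them. The function names sshd_effective and audit_sshd_config are my own, and the sample config at the bottom is constructed, not a real server's file. It honours two rules from sshd_config(5) that a plain grep gets wrong: the first occurrence of a keyword wins, and settings inside a Match block only apply to matching connections, so the global audit stops at the first Match line.

```shell
#!/bin/bash
# Added example: audit an sshd_config for the settings disabled in the post.
# Keywords and yes/no values are case-insensitive and "Key=value" is accepted.

# sshd_effective KEYWORD FILE -> prints the effective global value (lower-cased),
# or "default" if the keyword is never set, meaning sshd's built-in default applies.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }          # skip blank lines and comments
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = match(line, /[[:space:]=]/)    # keyword ends at a blank or "="
            k = tolower(n ? substr(line, 1, n - 1) : line)
            if (k == "match") exit             # global section ends at first Match
            if (k != key || n == 0) next
            v = substr(line, n + 1)
            sub(/^[[:space:]=]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print tolower(v); found = 1; exit  # first occurrence wins
        }
        END { if (!found) print "default" }
    ' "$2"
}

# audit_sshd_config FILE -> prints "<Keyword> <value> OK|WEAK" per check and
# returns 0 only if both checks pass. "default" counts as WEAK: OpenSSH defaults
# to PasswordAuthentication yes and PermitRootLogin prohibit-password (root can
# still log in with a key), and neither equals the "no" the post wants.
audit_sshd_config() {
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        val=$(sshd_effective "$kw" "$1")
        if [ "$val" = "no" ]; then
            echo "$kw $val OK"
        else
            echo "$kw $val WEAK"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo on a constructed config. The second PasswordAuthentication
# line and the Match block must NOT rescue the result: the first "yes" wins.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin No
PasswordAuthentication yes
PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF
if audit_sshd_config "$demo"; then
    echo "sshd_config hardened"
else
    echo "sshd_config has weak settings"
fi
rm -f "$demo"
```

On a live host the authoritative view is `sshd -T`, which prints the effective configuration after sshd has parsed it (run as root); this script is for checking a config file before it is deployed. Remember to restart or reload sshd after editing the file, otherwise the running daemon keeps the old settings.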

Hopefully it will remain secure, but I will need to check my logs often.


Email Issues

The website was not able to send out emails, and after some investigation it turned out that SELinux was blocking Apache from sending emails.

After enabling the httpd_can_sendmail boolean, everything was fine.


Contents

I have not yet decided what to post on this site.

I suppose it will mostly be about my personal interests.


Finally, welcome to my website, and don’t expect this to be updated.