14 Apr 2016

Basic Security for Raspberry Pi 3 - Part 2

Let's go over two more methods for improving the Raspberry Pi 3's security before we open it up to the Internet.

In the previous post we covered changing the port used for SSH logins and using SSH keys, along with turning password login off. In this post we will cover installing and configuring a firewall, and installing and configuring fail2ban.

The firewall we will use is UFW, the Uncomplicated Firewall. It is a simple front end to the kernel's packet filter (iptables) and is quick to get working the way we want for this project.

Fail2ban is a small program that watches log files and blocks an IP address for a set amount of time after a set number of failed login attempts. It matters much less if you have disabled password logins, since a key-only SSH server cannot be brute-forced with passwords, but it still cuts down the noise from repeated attempts.

These programs can increase the security of the Raspberry Pi 3.

Uncomplicated Firewall

As the name suggests this is a relatively simple firewall to set up, so let's get to it!

Log in to the Raspberry Pi 3 and in terminal type
sudo apt-get install ufw


Uncomplicated firewall will then install.


Now if we type the below in to the terminal, we will be shown the status of the firewall.
sudo ufw status


We can see that the firewall, although installed, is not currently active.
To activate the firewall, type in the terminal
sudo ufw enable


We will be warned that this may disrupt existing SSH connections; press y and Enter to continue. If we check the status again we can see the firewall is now running. Do not disconnect your current SSH session now, as you will not be able to reconnect if you do! (Your existing session survives because UFW allows traffic belonging to connections that are already established; new connections are what the default policy blocks.) A safer order, and the one to use in a script, is to add the SSH rule first and enable last; here we enable first so the effect of the default policy is visible. If you do get disconnected, you will need to connect the Raspberry Pi 3 to a monitor and keyboard and fix this locally.
sudo ufw status


If we now try to connect to the Raspberry Pi 3 via SSH from a second PuTTY session, it will fail. Keep your current session connected and just double-click the PuTTY icon to attempt this.

Nothing will happen and after some time PuTTY will report a network error (connection timed out).


This is because by default UFW blocks all incoming traffic and allows all outgoing, so we need to open our ports. Our SSH connection is made on port 22 (or whatever you changed it to in the last post); we need UFW to allow connections to this port.

At the same time, as the purpose of this project is for the web page on the Raspberry Pi 3 to be used as the interface, we need to open port 80 to allow access to the web page hosted on it.

In the terminal, to open port 22 for SSH access from anywhere, type
sudo ufw allow 22

And then to open port 80, for access from anywhere to the web page served by the Raspberry Pi 3, type
sudo ufw allow 80


This added four rules allowing access to ports 22 and 80 from anywhere: two for IPv4 and two for IPv6. A bare port number opens both TCP and UDP; appending /tcp to the port restricts the rule to TCP, which is all SSH and HTTP need. Now if a new PuTTY session is started, access will be granted.

To view our new rules in the terminal type
sudo ufw status numbered

This lists our rules with a number beside each one. These numbers can change: if we deleted rule 3 then rule 4 would move up to become rule 3, so bear that in mind if you write any scripts that manipulate UFW by rule number.

The output lists the rules that have been set up.


This is what we want: the ability to access SSH from anywhere, and the web page served on port 80. Once we configure our local network router to forward outside traffic to these ports, we can reach the Raspberry Pi 3 from anywhere in the world. Remember that "from anywhere" means exactly that, which is why the SSH hardening from the previous post matters.

But something else we set up in a previous post was the ability to connect remotely to the Raspberry Pi 3's desktop. Using the example in that post this runs on port 5901, so if we want it to keep working we need to add that port too.

We will open this only to the local network, as there is no need for remote access to the desktop at the moment. Plain VNC traffic is not encrypted, so keeping it off the Internet is the right default anyway.

In the terminal type
sudo ufw allow proto tcp from 192.168.0.0/24 to any port 5900,5901,5902


And there we go: local network access to the ports that may be used for a remote desktop connection is now allowed.

There may be further ports that require opening as the project grows, but for now access from anywhere to ports 22 and 80, and local network access to the VNC ports, is set up.
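Here is the whole UFW setup from this section as one script, in the order a script should use: rules first, enable last, so the SSH rule is in place before the default deny policy takes effect. This is an added example, not the post's own commands. It assumes SSH_PORT is the port chosen in the previous post (22 if you did not change it) and LAN_CIDR is your local network. It also goes slightly beyond the commands above: the SSH rule uses ufw limit, which rejects an address that makes more than six connection attempts in thirty seconds, and the rules are restricted to TCP.

```shell
#!/bin/sh
# Added example: build and apply the UFW rule set for this project.
# Not the blog's own script. SSH_PORT and LAN_CIDR are assumptions;
# change them to match your part 1 settings and your network.

SSH_PORT="${SSH_PORT:-22}"              # the SSH port chosen in part 1
LAN_CIDR="${LAN_CIDR:-192.168.0.0/24}"  # the local network range

# Print the ufw commands for a given SSH port and LAN range, one per line.
# Printing them first lets you review the rules before anything is applied.
build_ufw_rules() {
    ssh_port="$1"
    lan_cidr="$2"
cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit ${ssh_port}/tcp
ufw allow 80/tcp
ufw allow proto tcp from ${lan_cidr} to any port 5900,5901,5902
ufw logging on
ufw --force enable
EOF
}

# Run the rules as root. "ufw --force enable" skips the interactive
# "may disrupt existing ssh connections" prompt, which is what a script
# wants; the SSH rule added before it is what keeps you connected.
apply_ufw_rules() {
    build_ufw_rules "$1" "$2" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sudo $cmd || exit 1
    done || return 1
    sudo ufw status numbered
}

# Only apply when explicitly asked, so a dry run or sourcing the file is safe.
if [ "${1:-}" = "apply" ]; then
    apply_ufw_rules "$SSH_PORT" "$LAN_CIDR"
fi
```

Run it without arguments and call build_ufw_rules to see the rules; run it with apply to install them. Because enable comes last, there is no window in which the firewall is up but SSH is not yet allowed.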

If you find yourself unable to access the Raspberry Pi 3 remotely with this firewall enabled, connect it to a monitor and keyboard and type the below in the terminal to disable the firewall.

sudo ufw disable

To display the list of available UFW commands, type the below in the terminal
sudo ufw --help

Further details and commands can be found in the UFW manual page (man ufw).

You can enable UFW logging with the command sudo ufw logging on. Blocked packets are then recorded in /var/log/ufw.log (they also appear in /var/log/syslog), which is worth checking before you assume a rule is wrong.


fail2ban

Fail2ban is an intrusion prevention tool that protects servers from brute force attacks. It watches the authentication log and bans the intruder's IP address, for as long as you choose, once they fail to log in a set number of times. It matters much less if you have already turned off password logins, since SSH keys cannot be guessed this way, but it still stops an attacker hammering the server with attempts, and in case you haven't turned passwords off (like me), let's get fail2ban installed and configured.

Installation of fail2ban is straightforward. In the terminal type
sudo apt-get install fail2ban



You will be asked to confirm you want to use the required disk space; press y followed by Enter to complete the installation.


The fail2ban configuration files live in /etc/fail2ban; navigate there.
cd /etc/fail2ban

Once in the correct directory, list the files with the ls command; you should see jail.conf among them. We are going to copy that file and edit our own copy, because fail2ban reads jail.conf and then jail.local, with settings in jail.local overriding jail.conf, and a package update can overwrite jail.conf but leaves jail.local alone. (A full copy works; strictly, jail.local only needs to contain the settings you change.)
sudo cp jail.conf jail.local



Now that we have a copy, we will edit it.
sudo nano jail.local

Using the arrow keys, move the cursor down to where it says ignoreip = and enter your local network IP address range. I have entered 192.168.0.0/24; this makes fail2ban ignore failed logins from any device in that range on my local network, so a mistyped password on your own laptop cannot lock you out. Note that it also means fail2ban will never ban a device on your local network, so this is a convenience, not a protection.


Next is setting up how many attempts a potential intruder gets before being banned, and for how long we ban them. Navigate further down the file to where it says bantime = and set the number of seconds an intruder is banned for; I have chosen 86400 seconds, or one day. Below that is maxretry =, which I have changed to 2, but you can set it to whatever you like. The failures are counted within the window set by findtime = (600 seconds by default), so maxretry = 2 means two failed logins within ten minutes. If you moved SSH off port 22 in the previous post, also find the SSH jail section further down and change its port = line to the new port: the default ban action only blocks the ports listed there, so a jail still set to port 22 would ban attackers from a port you no longer use and leave the real one open.



Press Ctrl+X, then Y and Enter to save your changes. Then in the terminal type
sudo service fail2ban restart

That's it, fail2ban is installed and configured. There are many more options available, but this is sufficient for now.

You can check the status of fail2ban using
sudo service fail2ban status

You can stop fail2ban using
sudo service fail2ban stop
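As an added example (not from the original post), here is the same configuration written as a small jail.local that holds only our overrides, which is how fail2ban expects jail.local to be used: anything not set here still comes from jail.conf. It assumes SSH_PORT is the port chosen in the previous post, LAN_CIDR is your local network, and that the SSH jail is called sshd (fail2ban 0.9 and later; the 0.8 releases shipped by Debian and Raspbian Jessie call it ssh). Check the section name in jail.conf and set JAIL to match. It also adds the checks you want after the mini test: the jail's status and a way to lift a ban early.

```shell
#!/bin/sh
# Added example: generate a minimal /etc/fail2ban/jail.local, restart
# fail2ban and inspect the SSH jail. Not the blog's own script.
# SSH_PORT, LAN_CIDR and JAIL are assumptions; adjust them to your setup.

SSH_PORT="${SSH_PORT:-22}"              # the SSH port chosen in part 1
LAN_CIDR="${LAN_CIDR:-192.168.0.0/24}"  # the local network range
JAIL="${JAIL:-sshd}"                    # "sshd" on fail2ban 0.9+, "ssh" on 0.8

# Print the override file. findtime is the window in which maxretry failures
# must occur; bantime is how long the offender stays banned, in seconds.
# The jail's "port" must be the real SSH port: the default ban action
# (iptables-multiport) only blocks the ports listed there, so leaving it
# at "ssh" after moving SSH elsewhere bans port 22 and leaves the real
# port open.
build_jail_local() {
    ssh_port="$1"
    lan_cidr="$2"
    jail="$3"
cat <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8 ${lan_cidr}
bantime  = 86400
findtime = 600
maxretry = 2

[${jail}]
enabled = true
port    = ${ssh_port}
EOF
}

# Write the file as root, restart fail2ban and show the jail's counters
# and currently banned addresses (the quickest check that the jail is
# watching the right log and banning on the right port).
install_jail_local() {
    build_jail_local "$1" "$2" "$3" | sudo tee /etc/fail2ban/jail.local >/dev/null
    sudo service fail2ban restart
    sudo fail2ban-client status "$3"
}

# Lift a ban before bantime expires, e.g. after testing from your own laptop.
unban_ip() {
    sudo fail2ban-client set "$JAIL" unbanip "$1"
}

# Only write the file when explicitly asked, so a dry run is safe.
if [ "${1:-}" = "apply" ]; then
    install_jail_local "$SSH_PORT" "$LAN_CIDR" "$JAIL"
fi
```

Run it with apply to install the overrides; call unban_ip with the address of the test device if you locked it out during the mini test below rather than waiting a day.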

Mini test

Remove the ignoreip entry from jail.local that refers to your local network (in my case 192.168.0.0/24) and restart fail2ban. Then attempt to connect from another device on your local network and enter the wrong password the set number of times; fail2ban will block that device for the time you set. Put the ignoreip entry back afterwards, and use fail2ban-client to lift the ban rather than waiting a day. Try it!

And done

OK, that is it for the basic security section. Certain parts of this will be revisited as we move through this project, but for now these few options are enough. In the next post we will finally open up the Raspberry Pi 3 to the Internet so we can connect from anywhere! Thanks for reading!

Show support for aquaponicpi and like the Facebook page! 