How are you handling bruteforce protection?

hwcltjn

I've had my eye on Enhance for a while now and it looks great, but I was wondering how you've all approached brute force protection for FTP/SSH/Email with UFW + Docker?

I found a couple of threads where some are using iptables and crowdsec, but what are the rest of you doing?

kyzoeadmin

hwcltjn I would love to use Crowdsec, but the installation is too difficult at the moment. WE use for now CPguard. and that works fine. have a look at one of our servers: https://images.kyzoe.be/chrome_Qk6AiXeOc2.png

Aldy

I look that enhance have a brute force for control panel login. I don't know with FTP/SSH and Email.
but in the roadmap they will add Immunify360 support on September. I am waiting for it to get advance security.

MediaServe

Aldy cPGuard (https://www.opsshield.com/) already supports Enhance, and BitNinja as well.

mac5701

MediaServe I have been using cpguard quite a while in directadmin and enhance. My understanding is cpguard utilize lfd from csf for bruteforce protection. but csf doesn't work with enhance, what is the option for bruteforce protection?
I know that cpguard has ipdb but that another part of protection.

I have been using csf in directadmin and really like it. the problem is we have to disable ufw to install csf.

hwcltjn

MediaServe

Never tried it!
Will give it a go, thanks.

ss88us

Sounds really interesting. Don’t suppose you’d be willing to share some of your jail configs for Fail2Ban?

MediaServe

mac5701 CSF does integrate with cPGuard, but I'm not sure it's required for brute force handling. However, I can't claim enough knowledge about it either. I'll ask this of the opsshield folks and get back with an answer supplied directly from them.

The cPGuard portal in Settings > Security Tools > Bruteforce Protection has a toggle, and then separately beneath it is a CSF Integration option right below which is related to Bruteforce Protection but doesn't imply it's necessary to use it. (It's too late for me to be interested in uploading the screenshot and linking to it.)

And ufw is required for Enhance AFAIK. Without it enabled for example the WordPress dashboard seems to not work at all...can't be logged into on LiteSpeed anyway without it.

MediaServe

mac5701 Here's the reply:

The CSF firewall is required with cPGuard for complete brute-force protection. Without CSF, we will monitor only web application brute-force and not other services like SSH. So it is recommended to use another IPS/IDS to stop such attacks since CSF is not compatible.

This means ufw should be configured to limit ssh brute force, and as you've said "ufw limit ssh/tcp" is there but I don't know how it works. ufw status just shows "22/tcp LIMIT Anywhere"

ufw app info OpenSSH doesn't really help either. Need a better handle on ufw it seems!

ss88us

I use Fail2Ban and Cloudflare.

Fail2bBan needs a little bit of 'hackery' to iptables (docker is the problem!), but works. Waiting on Enhance to either fix iptables or release a working Firewall allow/deny API then I can use Fail2Ban the correct way.

Right now Fail2Ban communicates with Cloudflare to block the IP address account-wide.

mac5701

I read ufw documentation, there is a way to limit number of failed login. with this simple command:
ufw limit ssh/tcp

or other port:
ufw limit 25/tcp

however, this will protect the linux host. Will it propagate to docker container? Anybody here ever try this approch?

mac5701

MediaServe thanks for checking in with opsshield. So my assumption is correct, cpguard relies on csf for complete bruteforce protection. Yes, I can configure ufw limit at the host, but I haven't tested if it also protect the services inside docker. I'm not familiar with docker's networking.

hwcltjn

mac5701 Enhance by default is using UFW, so I'm assuming crowdsec needs some configuration.

@mendozal could you possibly share you config steps? Is it working well with Docker's unique networking? I'm assuming yes if it's using IPtables.

I'm assuming/hoping eventually Enhance will have all of this baked in.

MediaServe I'm guessing you've got CPGuard installed on every web, mail and DB server?

I haven't found the time to test it out, but I'm assuming fail2ban can't be that complicated to configure? Just need to point it to the correct log files and use IPtables which will bypass the ufw/docker quircks?

mendozal

I'm testing crowdsec in one server with the email role.
It has rules for ssh, open-proxy, spam, rbl, and others.

It works fine after a few configuration steps. No issues so far. It uses iptables.

mac5701

mendozal so we just need to install crowdsec and it doesn't break enhance?

mendozal

hwcltjn What I did:

https://docs.crowdsec.net/docs/getting_started/install_crowdsec/

Install crowdsec security engine (not the ip bouncer yet)
You can install more collection scenarios, for example apache, nginx, etc. from the crowdsec hub.
Each scenario will come with instructions on how to configure the acquisition file to tell it where the logs are.
You can edit this file: /etc/crowdsec/acquis.yaml, to add those configurations (I'll share my configuration file below)

Once you have all the scenarios you need, you can check if the logs are being parsed correctly doing:
sudo cscli metrics

Once you're satisfied you can install the iptables bouncer.

Once the bouncer is installed and before starting the service, you need to edit the configuration file:
/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

In the section "iptables_chains", you need to uncomment - DOCKER-USER, so the rules work for docker too.
An additional thing I needed to do was to set: disable_ipv6: true, if you have it enabled, the bouncer won't start. I couldn't determine why yet.

Once those changes are made you can start the iptables bouncer.

And that's it.

Example: My crowdsec config file: acquis.yml
I'm just testing crowdsec in an email server, only email related and ssh rules are installed.

#Generated acquisition file - wizard.sh (service: ssh) / files : /var/log/auth.log
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog /var/log/kern.log
filenames:
  - /var/log/syslog
  - /var/log/kern.log
labels:
  type: syslog
---
#Postfix
filenames:
  - /var/local/enhance/email/data/logs/postfix/postfix.log
labels:
  type: syslog
---
#dovecot
filenames:
  - /var/local/enhance/email/data/logs/dovecot/dovecot.log
labels:
  type: syslog
---

MediaServe

hwcltjn We combine web/db currently and protect that with cPGuard. Email is separate and not protected with anything yet other than what's available in Enhance but using mail.baby as a smarthost. We're not yet able to properly migrate cPanel (still too many issues) so only about 60 websites so far and no more planned until things improve unfortunately.

hwcltjn

MediaServe I feel you. I still haven't been able to roll out Enhance - as much as I'd like to. But I ditched cPanel ages ago.

mendozal This is extremely helpful, thank you!

MediaServe

hwcltjn what did you use post cPanel? DA or IW?

hwcltjn

MediaServe DA