Tutorial

How to Block Unwanted SSH Login Attempts with PyFilter on Ubuntu 16.04

How to Block Unwanted SSH Login Attempts with PyFilter on Ubuntu 16.04

The author selected Code.org to receive a donation as part of the Write for DOnations program.

Introduction

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely. It’s typically used for remote control of a computer system or for transferring files. When SSH is exposed to the public internet, it becomes a security concern. For example, you’ll find bots attempting to guess your password via brute force methods.

PyFilter aims to filter out all of the illegitimate login requests to your server and block them if too many are sent. It works by reading log files and checking if a failed request has came from the same IP address within a user-configurable amount of time. It then adds rules to the firewall if it captures too many failed attempts, denying the ability to connect to your server.

In this tutorial, you’ll install and configure PyFilter to block SSH requests. Then you’ll install PyFilter as a service, and optionally configure cross-server ban syncing, a feature that lets multiple servers share the list of banned IP addresses, and enable PyFilter to record location data about an IP address. Finally, you’ll explore how to un-ban IP addresses.

Prerequisites

To complete this tutorial, you will need:

  • One Ubuntu 16.04 server set up by following the Ubuntu 16.04 initial server setup guide, including a sudo non-root user and a firewall.
  • Python 3, which is already installed by default on Ubuntu 16.04.
  • PIP installed with sudo apt-get install python3-pip.

Step 1 — Downloading and Configuring PyFilter

We will download PyFilter by cloning its repository from Github. Switch to your home directory and clone the repository:

  1. cd ~
  2. git clone https://github.com/Jason2605/PyFilter.git

This will create a directory called PyFilter. Move this folder to the /usr/local folder:

  1. sudo mv PyFilter /usr/local/PyFilter

Then change to the /usr/local/PyFilter directory:

  1. cd /usr/local/PyFilter

Next, we need to make a configuration file. PyFilter comes with a default configuration file located at Config/config.default.json. We’ll copy this and edit the copied version rather than editing the default file directly. This way if something was to go wrong, you have the default config file to compare against.

Copy the default configuration file:

  1. sudo cp Config/config.default.json Config/config.json

You can use the less command to view the contents of the configuration file:

  1. less Config/config.json

The defaults settings require the requests to be within 5 seconds of the last request and that needs to happen 5 times, they are good enough to get going. Let’s run PyFilter and ensure things work.

Step 2 — Running PyFilter

The PyFilter download includes a script called run.sh which you should use to launch PyFilter.

First, change the permissions on the script to make it executable.

  1. sudo chmod +x run.sh

Once the permissions have been granted, run the script to start PyFilter:

  1. ./run.sh

PyFilter will start watching logs and you will see output as events happen:

Output
No file to check within rule: Mysql No file to check within rule: Apache No file to check within rule: Nginx Checking Ssh logs

By default, PyFilter bans IPs that make five or more failed requests that happen within 5 seconds of the previous failed request. You can change this in the PyFilter configuration file.

These results are logged to the /usr/local/PyFilter/Log directory as well.

When an IP has reached the limits that warrant a ban, you will see output similar to this:

Output
2018-03-22 14:18:18 Found IP: 203.0.113.13 from server: your_server_name.

Note: If you accidentally lock yourself out of your Droplet because you’ve banned yourself, you can follow the tutorial How To Use the DigitalOcean Console to Access your Droplet to get back in. Then follow the steps in Step 6 to remove the banned IP.

To close PyFilter, press CTRL+C.

Now let’s install PyFilter as a service so it runs automatically.

Step 3 — Creating a service for PyFilter

Now that you know that PyFilter works, let’s configure it to run as a service so it starts every time we reboot the server.

Within the PyFilter directory, there is a script called install.sh which creates a service for PyFilter and enables it to run on system startup.

Modify the script so you can execute it:

  1. sudo chmod +x install.sh

Then launch the script:

  1. ./install.sh

You’ll see this output, indicating the installation was successful:

Output
Service created and enabled, check the status of it by using "sudo systemctl status PyFilter"

So lets do just that to ensure everything is running correctly:

  1. sudo systemctl status PyFilter

You’ll see this output, showing that the service is active:

Output
● PyFilter.service - PyFilter Loaded: loaded (/etc/systemd/system/PyFilter.service; enabled; vendor preset: enabled) Active: <^>active^> (running) since Wed 2018-03-21 18:55:35 UTC; 12s ago Main PID: 8383 (bash) CGroup: /system.slice/PyFilter.service ├─8383 bash /usr/local/PyFilter/run.sh ├─8384 sudo python3 run.py └─8387 python3 run.py

If you see an error, review the installation steps again.

Next, let’s look at how to configure PyFilter to share banned IP addresses with other servers.

Step 4 — Configuring PyFilter for Cross Server Ban Syncing (Optional)

Cross server ban syncing allows the banned IP address to be synced with all the other servers using PyFilter to protect them, and ban that address even if it has not fulfilled the qualifications to be banned. This means it can be one step ahead of potential bots targeting your other systems as the IP is already banned.

As stated in the prerequisites, you’ll need Redis installed and configured.

You also need the redis Python module, which you can install with pip:

  1. pip3 install redis

Then edit your configuration file to use Redis instead of SQLite. Open the Config/config.json file in your text editor:

  1. nano Config/config.json

Locate the following line:

Config/config.json
"database": "sqlite"

Change sqlite to redis:

Config/config.json
"database": "redis"

Next, change the Redis connection information. Locate this section of the file:

Config/config.json
  "redis": {
    "host": "127.0.0.1",
    "password": null,
    "database": 0,
    "sync_bans": {
      "active": true,
      "name": "your_hostname",
      "check_time": 600
    }
  },

Modify this section so it includes the connection details for your Redis server. Then, within the sync_bans section, change the name to your host name. This name has to be unique for each individual system running PyFilter using the same Redis server in order for the cross-server ban sync to work correctly.

Save the file and exit the editor. Then restart PyFilter to apply these changes:

  1. sudo systemctl restart PyFilter

PyFilter is now installed and running.

Step 5 — Configuring PyFilter to Gather Location Data About IP Addresses (Optional)

PyFilter can retrieve location data about the banned IP in order to provide statistical information about where the majority of attacks are coming from. This optional module will append this information to PyFilter’s logs.

To use this feature, you first need the geoip2 Python module, which you can install with pip:

  1. pip3 install geoip2

Once you have installed this module, restart PyFilter for it to recognize the new module:

  1. sudo systemctl restart PyFilter

Now, when you see a banned IP address, you’ll see additional information about the IP:

Output
2018-03-22 14:18:18 Found IP: 203.0.113.13 from server: your_server_name. The IP was from United Kingdom.

PyFilter is now successfully logging which country the requests are originating from.

Finally, let’s look at how to un-ban an address.

Step 6 — Un-banning IP Addresses

PyFilter is purely a means of banning IP addresses by creating iptables rules. When it bans an IP, it updates the firewall rules and then saves snapshots of the rules to the files /usr/local/PyFilter/Config/blacklist.v4 and /usr/local/PyFilter/Config/blacklist.v6.

Here’s an example of several banned IPv4 addresses in /usr/local/PyFilter/Config/blacklist.v4:

/usr/local/PyFilter/Config/blacklist.v4
# Generated by iptables-save v1.6.0 on Thu Mar 22 19:53:04 2018
*filter
:INPUT ACCEPT [217:30580]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [249:30796]
-A INPUT -s 203.0.113.13/32 -j DROP
-A INPUT -s 203.0.113.14/32 -j DROP
-A INPUT -s 203.0.113.15/32 -j DROP
COMMIT
# Completed on Thu Mar 22 19:53:04 2018

To un-ban this IP address, open the associated blacklist file in your text editor:

  1. sudo nano /usr/local/PyFilter/Config/blacklist.v4

Remove the associated iptables rules from the file. In this case, we’ve removed 203.0.113.13 from the file:

/usr/local/PyFilter/Config/blacklist.v4
# Generated by iptables-save v1.6.0 on Thu Mar 22 19:53:04 2018
*filter
:INPUT ACCEPT [217:30580]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [249:30796]
-A INPUT -s 203.0.113.14/32 -j DROP
-A INPUT -s 203.0.113.15/32 -j DROP
COMMIT
# Completed on Thu Mar 22 19:53:04 2018

Then save the file and close the editor. Restart PyFilter with sudo systemctl restart PyFilter and PyFilter will update your firewall rules using this file.

See How To List and Delete Iptables Firewall Rules for more on managing rules with iptables.

You can also tell PyFilter to ignore certain IP addresses by adding them to the whitelisted section within the /usr/local/PyFilter/Config/config.json file.

Conclusion

You now have PyFilter installed and monitoring your SSH connections.

To find out more about each section of the config file and how to configure monitoring for other services, such as MySQL and Apache, check the PyFilter site..

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors


Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
5 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Article is very helpful, thank you.

But there is a typo in copy command:

sudo cp Config/config.default.json Config/lonfig.json

It must be config.json

Is pyfilter different from fail2ban with a specific cage for sshd? Thanks!

Wonderful Tool, Unfortunately there are two issues in here, 1st one = you cannot edit the config.json file in step 4 unless you use sudo you might ask why? its because we copied the config.default.json to config.json using sudo cp

2nd one = the service is giving issues with Redis is not installed although ./run.sh or sudo python3 run.py works perfectly if you switch to redis instead of sqlite in Config/config.json (and i’m pretty sure redis is installed already because we’re on a production server)

i think it all depends on how you installed redis and its about the ownership of the files as well as the group.

and sometimes… really rare sometimes i get pip3 errors with permission-denied while installing either the geo-ip plugin or the redis one.

i’ve tested the commands exactly on 12 separate servers (production ones) and only 1 out of 12 worked fine with redis as a service after a very long struggle (idk honestly how it worked kept playing with the config file, service, pip3 plugins/modules and the permissions till it worked)

https://imgur.com/a/mGGxR

Edit: i compared the permissions and the setup procedure between the server that PyFilter is working on and the rest of the servers… unfortunately i couldnt find any single difference. i even checked the services like redis and PyFilter and did a file comparison for config.json

Does PyFilter use PyNotify to check log files or just periodically checks log files?

This comment has been deleted

    Try DigitalOcean for free

    Click below to sign up and get $200 of credit to try our products over 60 days!

    Sign up

    Join the Tech Talk
    Success! Thank you! Please check your email for further details.

    Please complete your information!

    Become a contributor for community

    Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

    DigitalOcean Documentation

    Full documentation for every DigitalOcean product.

    Resources for startups and SMBs

    The Wave has everything you need to know about building a business, from raising funding to marketing your product.

    Get our newsletter

    Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

    New accounts only. By submitting your email you agree to our Privacy Policy

    The developer cloud

    Scale up as you grow — whether you're running one virtual machine or ten thousand.

    Get started for free

    Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

    *This promotional offer applies to new accounts only.