The author selected Code.org to receive a donation as part of the Write for DOnations program.
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely. It’s typically used for remote control of a computer system or for transferring files. When SSH is exposed to the public internet, it becomes a security concern. For example, you’ll find bots attempting to guess your password via brute force methods.
PyFilter aims to filter out all of the illegitimate login requests to your server and block them if too many are sent. It works by reading log files and checking if a failed request has came from the same IP address within a user-configurable amount of time. It then adds rules to the firewall if it captures too many failed attempts, denying the ability to connect to your server.
In this tutorial, you’ll install and configure PyFilter to block SSH requests. Then you’ll install PyFilter as a service, and optionally configure cross-server ban syncing, a feature that lets multiple servers share the list of banned IP addresses, and enable PyFilter to record location data about an IP address. Finally, you’ll explore how to un-ban IP addresses.
To complete this tutorial, you will need:
sudo apt-get install python3-pip
.We will download PyFilter by cloning its repository from Github. Switch to your home directory and clone the repository:
- cd ~
- git clone https://github.com/Jason2605/PyFilter.git
This will create a directory called PyFilter
. Move this folder to the /usr/local
folder:
- sudo mv PyFilter /usr/local/PyFilter
Then change to the /usr/local/PyFilter
directory:
- cd /usr/local/PyFilter
Next, we need to make a configuration file. PyFilter comes with a default configuration file located at Config/config.default.json
. We’ll copy this and edit the copied version rather than editing the default file directly. This way if something was to go wrong, you have the default config file to compare against.
Copy the default configuration file:
- sudo cp Config/config.default.json Config/config.json
You can use the less
command to view the contents of the configuration file:
- less Config/config.json
The defaults settings require the requests to be within 5 seconds of the last request and that needs to happen 5 times, they are good enough to get going. Let’s run PyFilter and ensure things work.
The PyFilter download includes a script called run.sh
which you should use to launch PyFilter.
First, change the permissions on the script to make it executable.
- sudo chmod +x run.sh
Once the permissions have been granted, run the script to start PyFilter:
- ./run.sh
PyFilter will start watching logs and you will see output as events happen:
OutputNo file to check within rule: Mysql
No file to check within rule: Apache
No file to check within rule: Nginx
Checking Ssh logs
By default, PyFilter bans IPs that make five or more failed requests that happen within 5 seconds of the previous failed request. You can change this in the PyFilter configuration file.
These results are logged to the /usr/local/PyFilter/Log
directory as well.
When an IP has reached the limits that warrant a ban, you will see output similar to this:
Output2018-03-22 14:18:18 Found IP: 203.0.113.13 from server: your_server_name.
Note: If you accidentally lock yourself out of your Droplet because you’ve banned yourself, you can follow the tutorial How To Use the DigitalOcean Console to Access your Droplet to get back in. Then follow the steps in Step 6 to remove the banned IP.
To close PyFilter, press CTRL+C
.
Now let’s install PyFilter as a service so it runs automatically.
Now that you know that PyFilter works, let’s configure it to run as a service so it starts every time we reboot the server.
Within the PyFilter
directory, there is a script called install.sh
which creates a service for PyFilter and enables it to run on system startup.
Modify the script so you can execute it:
- sudo chmod +x install.sh
Then launch the script:
- ./install.sh
You’ll see this output, indicating the installation was successful:
OutputService created and enabled, check the status of it by using "sudo systemctl status PyFilter"
So lets do just that to ensure everything is running correctly:
- sudo systemctl status PyFilter
You’ll see this output, showing that the service is active
:
Output● PyFilter.service - PyFilter
Loaded: loaded (/etc/systemd/system/PyFilter.service; enabled; vendor preset: enabled)
Active: <^>active^> (running) since Wed 2018-03-21 18:55:35 UTC; 12s ago
Main PID: 8383 (bash)
CGroup: /system.slice/PyFilter.service
├─8383 bash /usr/local/PyFilter/run.sh
├─8384 sudo python3 run.py
└─8387 python3 run.py
If you see an error, review the installation steps again.
Next, let’s look at how to configure PyFilter to share banned IP addresses with other servers.
Cross server ban syncing allows the banned IP address to be synced with all the other servers using PyFilter to protect them, and ban that address even if it has not fulfilled the qualifications to be banned. This means it can be one step ahead of potential bots targeting your other systems as the IP is already banned.
As stated in the prerequisites, you’ll need Redis installed and configured.
You also need the redis
Python module, which you can install with pip
:
- pip3 install redis
Then edit your configuration file to use Redis instead of SQLite. Open the Config/config.json
file in your text editor:
- nano Config/config.json
Locate the following line:
"database": "sqlite"
Change sqlite
to redis
:
"database": "redis"
Next, change the Redis connection information. Locate this section of the file:
"redis": {
"host": "127.0.0.1",
"password": null,
"database": 0,
"sync_bans": {
"active": true,
"name": "your_hostname",
"check_time": 600
}
},
Modify this section so it includes the connection details for your Redis server. Then, within the sync_bans
section, change the name
to your host name. This name has to be unique for each individual system running PyFilter using the same Redis server in order for the cross-server ban sync to work correctly.
Save the file and exit the editor. Then restart PyFilter to apply these changes:
- sudo systemctl restart PyFilter
PyFilter is now installed and running.
PyFilter can retrieve location data about the banned IP in order to provide statistical information about where the majority of attacks are coming from. This optional module will append this information to PyFilter’s logs.
To use this feature, you first need the geoip2
Python module, which you can install with pip
:
- pip3 install geoip2
Once you have installed this module, restart PyFilter for it to recognize the new module:
- sudo systemctl restart PyFilter
Now, when you see a banned IP address, you’ll see additional information about the IP:
Output2018-03-22 14:18:18 Found IP: 203.0.113.13 from server: your_server_name. The IP was from United Kingdom.
PyFilter is now successfully logging which country the requests are originating from.
Finally, let’s look at how to un-ban an address.
PyFilter is purely a means of banning IP addresses by creating iptables rules. When it bans an IP, it updates the firewall rules and then saves snapshots of the rules to the files /usr/local/PyFilter/Config/blacklist.v4
and /usr/local/PyFilter/Config/blacklist.v6
.
Here’s an example of several banned IPv4 addresses in /usr/local/PyFilter/Config/blacklist.v4
:
# Generated by iptables-save v1.6.0 on Thu Mar 22 19:53:04 2018
*filter
:INPUT ACCEPT [217:30580]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [249:30796]
-A INPUT -s 203.0.113.13/32 -j DROP
-A INPUT -s 203.0.113.14/32 -j DROP
-A INPUT -s 203.0.113.15/32 -j DROP
COMMIT
# Completed on Thu Mar 22 19:53:04 2018
To un-ban this IP address, open the associated blacklist file in your text editor:
- sudo nano /usr/local/PyFilter/Config/blacklist.v4
Remove the associated iptables rules from the file. In this case, we’ve removed 203.0.113.13
from the file:
# Generated by iptables-save v1.6.0 on Thu Mar 22 19:53:04 2018
*filter
:INPUT ACCEPT [217:30580]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [249:30796]
-A INPUT -s 203.0.113.14/32 -j DROP
-A INPUT -s 203.0.113.15/32 -j DROP
COMMIT
# Completed on Thu Mar 22 19:53:04 2018
Then save the file and close the editor. Restart PyFilter with sudo systemctl restart PyFilter
and PyFilter will update your firewall rules using this file.
See How To List and Delete Iptables Firewall Rules for more on managing rules with iptables.
You can also tell PyFilter to ignore certain IP addresses by adding them to the whitelisted section within the /usr/local/PyFilter/Config/config.json
file.
You now have PyFilter installed and monitoring your SSH connections.
To find out more about each section of the config file and how to configure monitoring for other services, such as MySQL and Apache, check the PyFilter site..
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Article is very helpful, thank you.
But there is a typo in copy command:
It must be config.json
Is pyfilter different from fail2ban with a specific cage for sshd? Thanks!
Wonderful Tool, Unfortunately there are two issues in here, 1st one = you cannot edit the config.json file in step 4 unless you use sudo you might ask why? its because we copied the config.default.json to config.json using sudo cp
2nd one = the service is giving issues with Redis is not installed although ./run.sh or sudo python3 run.py works perfectly if you switch to redis instead of sqlite in Config/config.json (and i’m pretty sure redis is installed already because we’re on a production server)
i think it all depends on how you installed redis and its about the ownership of the files as well as the group.
and sometimes… really rare sometimes i get pip3 errors with permission-denied while installing either the geo-ip plugin or the redis one.
i’ve tested the commands exactly on 12 separate servers (production ones) and only 1 out of 12 worked fine with redis as a service after a very long struggle (idk honestly how it worked kept playing with the config file, service, pip3 plugins/modules and the permissions till it worked)
https://imgur.com/a/mGGxR
Edit: i compared the permissions and the setup procedure between the server that PyFilter is working on and the rest of the servers… unfortunately i couldnt find any single difference. i even checked the services like redis and PyFilter and did a file comparison for config.json
Does PyFilter use PyNotify to check log files or just periodically checks log files?
This comment has been deleted