[PYTHON] Install and configure PyFilter client to monitor SSH connection to Alibaba Cloud Ubuntu server

This tutorial will show you how to configure the PyFilter client to monitor SSH (Secure Socket Shell) connections on ʻAlibaba Cloud`.

Tutorial requirements

The required requirements for this tutorial are:

--Alibaba Cloud ECS instance running Ubuntu 18.04. [This tutorial](https://www.alibabacloud.com/blog/how-to-set-up-your-first-ubuntu-16-04-server-on-alibaba-cloud_593747?spm=a2c65.11461447.0.0.61797 d1294HOzw) shows how to set up Ubuntu 18.04 server on Alibaba Cloud.

Download and configure PyFilter client

Start by git cloning PyFilter from the GitHub repository. Save the repository in a temporary directory on your machine.

Change to the / tmp directory with the following command.

cd /tmp

Now run the git clone command.

git clone https://github.com/Jason2605/PyFilter.git

The process creates a new directory called PyFilter in your home directory. Execute the following command to confirm the download.

ls

The snippet below shows the output of the previous command.

PyFilter
Other files and directories

Then move PyFilter to / usr / local as follows:

sudo mv PyFilter /usr/local/PyFilter

Also, execute the following command to change to the / usr / local / PyFilter directory.

cd /usr/local/PyFilter

Next, set up a working file for PyFilter. We already have a default config file with access to Config / config.default.json, so we'll use this as the basis for our working config file. Keeping the default files is not mandatory, but it is important to avoid mistakes.

cd Config
sudo cp config.default.json config.json

Use an editor to view and edit the contents of the configuration file.

sudo nano config.json

The snippet below shows a particularly interesting Redis section in this tutorial.

  "redis": {
    "host": "127.0.0.1",
    "password": null,
    "database": 0,
    "sync_bans": {
      "active": true,
      "name": "1",
      "check_time": 600
    }

Let's install Redis and fix the above part in the following segments.

Install Redis

Redis blocks automated bots that try to access your system. Run the following command to install Redis on your server.

sudo apt install python3-pip
pip3 install redis

The snippet below shows the output of the previous command.

Installing collected packages: redis
Successfully installed redis-3.2.1

Now edit Redis's config.json. Run the following command to open the file in an editor.

sudo nano config.json

Make the necessary changes to the file as follows:

Config.json
{
  "settings": {
    "database": "redis",


  "redis": {
    "host": "127.0.0.1",
    "password": null,
    "database": 0,
    "sync_bans": {
      "active": true,
      "name": "hostname",
      "check_time": 600
    }
  },
```

 The Redis parameter allows Pyfilter to connect to the Redis server. Redis is usually very important for synchronizing forbidden IP addresses between server instances. The sync_bans parameter shares the ban list with all servers, but the system must have a unique name, otherwise synchronization will fail.

 Save your changes and exit the editor. Next, let's run PyFilter.

# Launch the PyFilter client
 Now start the client using the run.sh script or the run.py script method. For this tutorial, let's use a python file like the one below.

```
sudo python3 run.py
```
 The following snippet shows the output of the log file when the client is started.

 output

```
No file to check within rule: Mysql
No file to check within rule: Apache
No file to check within rule: Nginx
Checking Ssh logs
IP: 58.242.83.35 has been blacklisted and the firewall rules have been updated.                                                                                         Acquired 5 bad connections via ssh.
IP: 168.227.56.242 has been blacklisted and the firewall rules have been updated                                                                                        . Acquired 5 bad connections via ssh.
IP: 103.28.57.86 has been blacklisted and the firewall rules have been updated.                                                                                         Acquired 5 bad connections via ssh.
IP: 51.158.69.8 has been blacklisted and the firewall rules have been updated. Acquired 5 bad connections via ssh.
Saving newly blacklisted IP's!
```
 The PyFilter client bans IP addresses if it tries to make a request 5 seconds after it fails. However, there is always an option in the configuration file to change such settings. To move on, you need a PyFilter service that runs automatically. Now let's install the same service in the next step.

# Creating a PyFilter service
 If the PyFilter client runs successfully, let's set the service to run automatically when the server restarts.

 The files in the PyFilter directory contain run.sh and install.sh scripts that help you start clients and create services.

 First, run the following command to modify the permissions of both scripts to make them executable.

```
sudo chmod +x run.sh
sudo chmod +x install.sh
```
 Run the following command to see the contents of the `run.sh` script.

```
nano run.sh
```
 The snippet below shows the output of the previous command.

```
#!/usr/bin/env bash

sudo python3 run.py
```
 Note that it is a script that launches the client as before.

 Check the install.sh script again by running the following command:

```
nano install.sh
```
 The snippet below shows the output of the previous command.

```
#!/usr/bin/env bash

if ![ -f "/etc/systemd/system/PyFilter.service" ]
then
    sudo python3 create_service.py
    sudo mv PyFilter.service /etc/systemd/system/PyFilter.service
    sudo chmod +x run.sh
    sudo systemctl daemon-reload
    sudo systemctl start PyFilter
    sudo systemctl enable PyFilter
    echo Service created and enabled, check the status of it by using \"sudo systemctl status PyFilter\"
else
    echo Service already created.
    echo Check the status of it by using \"sudo systemctl status PyFilter\"
fi
```
 When you launch the script, a series of commands are executed to create the PyFilter service in your system.

 Start with the following command.

```
./install.sh
```
 If the script runs successfully, you will get output similar to the following:

 output

```
Service created and enabled, check the status of it by using "sudo systemctl status PyFilter"
```
 Everything seems to be working fine.

 Execute the following command to execute the status check.

```
sudo systemctl status PyFilter
```

 When I run the above command, I get the following output:

```
- PyFilter.service - PyFilter
   Loaded: loaded (/etc/systemd/system/PyFilter.service; enabled; vendor preset: enabled)
   Active: <^>active^> (running) since Wed 2019-05-01 07:50:38 UTC; 38min ago
 Main PID: 12474 (bash)
   CGroup: /system.slice/PyFilter.service
           \A9\C0\A9\A412474 bash /usr/local/PyFilter/run.sh
           \A9\C0\A9\A412475 sudo python3 run.py
           \A9\B8\A9\A412478 python3 run.py
```

 Don't skip the status check to make sure everything is working fine. Here is an example of the error.

```
- PyFilter.service - PyFilter
   Loaded: loaded (/etc/systemd/system/PyFilter.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-05-01 07:50:38 UTC; 38min ago
  Process: 12474 ExecStart=/usr/local/PyFilter/run.sh (code=exited, status=1/FAILURE)
 Main PID: 12474 (code=exited, status=1/FAILURE)

May 01 07:50:38 Tuts sudo[12475]: pam_unix(sudo:session): session opened for user root by (uid=0)
May 01 07:50:38 Tuts run.sh[12474]: Traceback (most recent call last):
May 01 07:50:38 Tuts run.sh[12474]:   File "run.py", line 4, in <module>
May 01 07:50:38 Tuts run.sh[12474]:     p = PyFilter()
May 01 07:50:38 Tuts run.sh[12474]:   File "/usr/local/PyFilter/pyFilter/py_filter.py", line 22, in __init__
May 01 07:50:38 Tuts run.sh[12474]:     with open(file_path, "r") as config:
May 01 07:50:38 Tuts run.sh[12474]: FileNotFoundError: [Errno 2] No such file or directory: 'Config/config.json'
May 01 07:50:38 Tuts sudo[12475]: pam_unix(sudo:session): session closed for user root
May 01 07:50:38 Tuts systemd[1]: PyFilter.service: Main process exited, code=exited, status=1/FAILURE
May 01 07:50:38 Tuts systemd[1]: PyFilter.service: Failed with result 'exit-code'.
```

 If you encounter any errors, reinstall the client and follow the highlighted steps above.

# Prohibition of using IP address
 It is very important to know how to remove the IP address ban, as PyFilter can lock you out of your server. In such cases, log in from the console and manually remove the forbidden IP. The file that stores the forbidden IP information is `-/usr/local/PyFilter/Config/blacklist.v4`. Also, the file `/usr/local/PyFilter/Config/blacklist.v6` contains information about IP rules.

 Get the list of forbidden IPS by running the following command:

```
cd /usr/local/PyFilter/Config
sudo nano blacklist.v4
```
 The following snippet shows a forbidden IP.

```
# Generated by iptables-save v1.6.1 on Wed May  1 08:20:22 2019
*filter
:INPUT ACCEPT [49:4006]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:5180]
-A INPUT -s 51.158.69.8/32 -j DROP
-A INPUT -s 104.248.140.212/32 -j DROP
-A INPUT -s 149.202.55.176/32 -j DROP
-A INPUT -s 112.161.29.50/32 -j DROP
-A INPUT -s 58.242.83.38/32 -j DROP
-A INPUT -s 128.199.230.16/32 -j DROP
-A INPUT -s 58.163.88.42/32 -j DROP
-A INPUT -s 76.79.74.58/32 -j DROP
-A INPUT -s 106.51.54.198/32 -j DROP
-A INPUT -s 180.151.8.180/32 -j DROP
-A INPUT -s 109.207.159.178/32 -j DROP
-A INPUT -s 120.29.156.251/32 -j DROP
-A INPUT -s 148.70.11.143/32 -j DROP
-A INPUT -s 179.110.29.67/32 -j DROP
-A INPUT -s 118.89.229.244/32 -j DROP
-A INPUT -s 193.112.174.67/32 -j DROP
-A INPUT -s 134.175.154.182/32 -j DROP
-A INPUT -s 36.103.243.247/32 -j DROP
-A INPUT -s 103.28.57.86/32 -j DROP
-A INPUT -s 168.227.56.242/32 -j DROP
-A INPUT -s 58.242.83.35/32 -j DROP
COMMIT
# Completed on Wed May  1 08:20:22 2019
```
 Access the relevant blacklist file in the editor to remove the blockage of blocked IP addresses, as shown below.

```
sudo nano blacklist.v4
# Generated by iptables-save v1.6.1 on Wed May  1 08:20:22 2019
*filter
:INPUT ACCEPT [49:4006]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:5180]
-A INPUT -s 51.158.69.8/32 -j DROP
-A INPUT -s 104.248.140.212/32 -j DROP
-A INPUT -s 149.202.55.176/32 -j DROP
-A INPUT -s 112.161.29.50/32 -j DROP
-A INPUT -s 58.242.83.38/32 -j DROP
COMMIT
# Completed on Wed May  1 08:20:22 2019
```
 Save the file and exit the editor.

 Now use the following command to restart the client for the changes to take effect.

```
sudo systemctl restart PyFilter
```

# Collection of IP location data
 PyFilter also collects location information from banned IPs to analyze the location of the attack. To include such information in the log, you need to install the `geoip2` module.

```
pip3 install geoip2
```
 Then run the following command to restart PyFilter.

```
sudo systemctl restart PyFilter
```
 Now all the forbidden IPs will look like the output snippet below.

```
2018-08-14 14518:05 Found IP: 196.4.100.13 from server: my_server. The IP was from Kenya.
```
# Conclusion
 This tutorial will show you how to install and configure the PyFilter client to monitor SSH connections to Alibaba Cloud Ubuntu server. PyFilter is known for its simple and effective features. Alibaba Cloud offers a full range of security features. However, to allow users better security management, PyFilter helps identify legitimate IP addresses and IP addresses that should not be allowed access to the server.

 If you don't have an Alibaba Cloud account yet, sign up for one and it's worth up to $ 1,300 [Try over 40 products for free](https://account.alibabacloud.com/register) /intl_register.htm?spm=a2c65.11461447.0.0.61797d1294HOzw). For more information on Alibaba Cloud, please see [here](https://account.alibabacloud.com/register/intl_register.htm?spm=a2c65.11461447.0.0.61797d1294HOzw).

 * Alibaba Cloud is the No. 1 (2019 Gartner) cloud infrastructure operator in the Asia Pacific region with two data centers in Japan and more than 60 availability zones in the world.
 Click here for more information on Alibaba Cloud.
 [Alibaba Cloud Japan Official Page](https://www.alibabacloud.com/en) *


Recommended Posts

Install and configure PyFilter client to monitor SSH connection to Alibaba Cloud Ubuntu server
[Postgresql] SSH connection to the external DB server from the client
How to install and configure blackbird
Install and Configure TigerVNC server on Linux
Install Puppet Master and Client on Ubuntu 16.04
How to install Fast.ai on Alibaba Cloud GPU and run it on Jupyter notebook
How to set up a VPN gateway to establish a connection between Alibaba Cloud and AWS
Install and configure KVM
screen and split screen with python and ssh login to remote server
SSH connection to a private server using a bastion server on EC2
Ssh to an external server under http proxy [from Ubuntu 18.04]