This tutorial will show you how to configure the PyFilter client to monitor SSH (Secure Socket Shell) connections on Alibaba Cloud.
The requirements for this tutorial are:
- An Alibaba Cloud ECS instance running Ubuntu 18.04. [This tutorial](https://www.alibabacloud.com/blog/how-to-set-up-your-first-ubuntu-16-04-server-on-alibaba-cloud_593747?spm=a2c65.11461447.0.0.61797d1294HOzw) shows how to set up an Ubuntu 18.04 server on Alibaba Cloud.
Start by cloning PyFilter from its GitHub repository. Save the repository in a temporary directory on your machine.
Change to the `/tmp` directory with the following command.
```
cd /tmp
```
Now run the git clone command.
```
git clone https://github.com/Jason2605/PyFilter.git
```
This creates a new directory called PyFilter in the current directory (`/tmp`). Execute the following command to confirm the download.
```
ls
```
The snippet below shows the output of the previous command.
```
PyFilter
Other files and directories
```
Then move PyFilter to `/usr/local` as follows:
```
sudo mv PyFilter /usr/local/PyFilter
```
Also, execute the following command to change to the `/usr/local/PyFilter` directory.
```
cd /usr/local/PyFilter
```
Next, set up a working config file for PyFilter. The repository ships a default config file at `Config/config.default.json`, so we'll use it as the basis for our working config file. Keeping the default file untouched is not mandatory, but it gives you a clean copy to fall back on if you make a mistake.
```
cd Config
sudo cp config.default.json config.json
```
Use an editor to view and edit the contents of the configuration file.
```
sudo nano config.json
```
The snippet below shows the Redis section, which is the part of particular interest in this tutorial.
```
"redis": {
    "host": "127.0.0.1",
    "password": null,
    "database": 0,
    "sync_bans": {
        "active": true,
        "name": "1",
        "check_time": 600
    }
}
```
Let's install the Redis client library and then fill in the section above.
PyFilter uses Redis to record and share the automated bots it blocks from your system. Run the following commands to install the Python Redis client on your server.
```
sudo apt install python3-pip
pip3 install redis
```
The snippet below shows the output of the previous command.
```
Installing collected packages: redis
Successfully installed redis-3.2.1
```
Note that this installs only the Python client library; a Redis server must be reachable at the host given in the config (`127.0.0.1` in this tutorial), which on Ubuntu you can provide with `sudo apt install redis-server`.
Now edit PyFilter's `config.json`. Run the following command to open the file in an editor.
```
sudo nano config.json
```
Make the necessary changes to the file as follows (only the relevant part of `Config/config.json` is shown):
```
{
    "settings": {
        "database": "redis",
        "redis": {
            "host": "127.0.0.1",
            "password": null,
            "database": 0,
            "sync_bans": {
                "active": true,
                "name": "hostname",
                "check_time": 600
            }
        },
```
The `redis` section tells PyFilter how to connect to the Redis server. Redis matters when you run several server instances, because it is what synchronizes banned IP addresses between them. With `sync_bans` active, the ban list is shared with all servers, but each server must use a unique `name`, otherwise synchronization will fail.
Save your changes and exit the editor. Next, let's run PyFilter.
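The config mistakes that bite here (a `name` left at its placeholder, `database` not set to `"redis"`, a non-positive `check_time`) only surface once a second server joins. The following Python is an added example, not part of PyFilter or this tutorial: it loads a `config.json` and reports such problems before you start the service. The placeholder names it rejects (`"1"` and `"hostname"`, the values seen in this tutorial) and the sample config are assumptions made for the example; PyFilter's full settings schema is not modelled.

```python
import json
import socket

# Constructed sample mirroring the Redis section of Config/config.json shown
# above; any other keys PyFilter may require in "settings" are not modelled here.
SAMPLE_CONFIG = """\
{
    "settings": {
        "database": "redis",
        "redis": {
            "host": "127.0.0.1",
            "password": null,
            "database": 0,
            "sync_bans": {
                "active": true,
                "name": "hostname",
                "check_time": 600
            }
        }
    }
}
"""

# Values seen as defaults/placeholders in this tutorial; treat them as "not yet set"
# (assumption: no real deployment wants two servers both called "hostname").
PLACEHOLDER_NAMES = {"", "1", "hostname"}


def load_sample() -> dict:
    """Parse the constructed sample config."""
    return json.loads(SAMPLE_CONFIG)


def check_redis_config(config: dict, this_host: str) -> list:
    """Return human-readable problems; an empty list means the section looks usable."""
    problems = []
    settings = config.get("settings", {})
    redis = settings.get("redis")
    if not isinstance(redis, dict):
        return ["settings.redis section is missing"]
    if settings.get("database") != "redis":
        problems.append('settings.database is not "redis", so the redis section will not be used')
    host = redis.get("host")
    if not isinstance(host, str) or not host:
        problems.append("redis.host must be a non-empty hostname or IP")
    db = redis.get("database")
    if isinstance(db, bool) or not isinstance(db, int) or db < 0:
        problems.append("redis.database must be a non-negative integer")
    sync = redis.get("sync_bans", {})
    if sync.get("active"):
        name = sync.get("name", "")
        if name in PLACEHOLDER_NAMES:
            problems.append(
                f'sync_bans.name "{name}" is a placeholder; give this server a unique name '
                f'(for example its hostname, "{this_host}")'
            )
        check_time = sync.get("check_time")
        if isinstance(check_time, bool) or not isinstance(check_time, int) or check_time <= 0:
            problems.append("sync_bans.check_time must be a positive number of seconds")
    return problems


def check_config_file(path: str) -> list:
    """Load a PyFilter config.json from disk and check it for this machine."""
    with open(path, "r") as fh:
        return check_redis_config(json.load(fh), socket.gethostname())


if __name__ == "__main__":
    # Run against the embedded sample; point check_config_file() at
    # /usr/local/PyFilter/Config/config.json to check a real installation.
    for problem in check_redis_config(load_sample(), socket.gethostname()) or ["OK"]:
        print(problem)
```

Run it on the sample and it flags the `"hostname"` placeholder; replace `name` with something unique per server and the list comes back empty.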
# Launch the PyFilter client
Now start the client with either the `run.sh` script or directly with `run.py`. For this tutorial, let's run the Python file directly, as shown below.
```
sudo python3 run.py
```
The following snippet shows the output of the log file when the client is started.
output
```
No file to check within rule: Mysql
No file to check within rule: Apache
No file to check within rule: Nginx
Checking Ssh logs
IP: 58.242.83.35 has been blacklisted and the firewall rules have been updated. Acquired 5 bad connections via ssh.
IP: 168.227.56.242 has been blacklisted and the firewall rules have been updated. Acquired 5 bad connections via ssh.
IP: 103.28.57.86 has been blacklisted and the firewall rules have been updated. Acquired 5 bad connections via ssh.
IP: 51.158.69.8 has been blacklisted and the firewall rules have been updated. Acquired 5 bad connections via ssh.
Saving newly blacklisted IP's!
```
The PyFilter client bans an IP address after it has made 5 failed connection attempts, as the "Acquired 5 bad connections" messages above show. This threshold, like the other settings, can be changed in the configuration file. To move on, you need PyFilter to run automatically as a service. Let's create that service in the next step.
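To make the threshold concrete, here is an added example (not PyFilter's own code) of the core logic it applies: parse sshd's `Failed password` lines from `auth.log`, count them per source address, and report the addresses that reached the threshold (5 by default, matching the output above). The log lines are constructed for the example and use documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd lines in auth.log format (not real traffic; the
# addresses are RFC 5737 documentation ranges).
SAMPLE_AUTH_LOG = """\
May  1 07:40:01 tuts sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
May  1 07:40:03 tuts sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 51124 ssh2
May  1 07:40:05 tuts sshd[2003]: Failed password for root from 192.0.2.10 port 51130 ssh2
May  1 07:40:07 tuts sshd[2004]: Failed password for root from 192.0.2.10 port 51131 ssh2
May  1 07:40:09 tuts sshd[2005]: Failed password for invalid user test from 192.0.2.10 port 51140 ssh2
May  1 07:41:00 tuts sshd[2010]: Failed password for alice from 198.51.100.7 port 40001 ssh2
May  1 07:41:30 tuts sshd[2011]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
May  1 07:42:00 tuts sshd[2012]: Invalid user oracle from 203.0.113.5 port 3333
May  1 07:42:01 tuts sshd[2012]: Failed password for invalid user oracle from 203.0.113.5 port 3333 ssh2
"""

# One failed authentication attempt as sshd logs it; the source address is
# captured and validated separately so a malformed line cannot poison the count.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def failed_logins_by_ip(log_text: str) -> Counter:
    """Count failed SSH password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if not match:
            continue  # successful logins and other sshd noise are ignored
        try:
            ip = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            continue  # not a usable address: skip rather than ban garbage
        counts[str(ip)] += 1
    return counts


def ips_to_ban(log_text: str, threshold: int = 5) -> list:
    """Return the IPs that reached the ban threshold (5 bad connections by default)."""
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    counts = failed_logins_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in failed_logins_by_ip(SAMPLE_AUTH_LOG).most_common():
        print(f"{ip}: {n} failed attempts")
    print("would ban:", ips_to_ban(SAMPLE_AUTH_LOG))
```

On the sample, only `192.0.2.10` reaches five failures; the address that failed once and then logged in with a key is left alone, which is the behaviour you want from any threshold-based blocker.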
# Creating a PyFilter service
Once the PyFilter client runs successfully, let's set up a service so that it starts automatically when the server reboots.
The PyFilter directory contains the `run.sh` and `install.sh` scripts, which help you start the client and create the service.
First, run the following commands to make both scripts executable.
```
sudo chmod +x run.sh
sudo chmod +x install.sh
```
Run the following command to see the contents of the `run.sh` script.
```
nano run.sh
```
The snippet below shows the output of the previous command.
```
#!/usr/bin/env bash
sudo python3 run.py
```
Note that it runs the same command that launched the client before.
Next, check the `install.sh` script by running the following command:
```
nano install.sh
```
The snippet below shows the output of the previous command.
```
#!/usr/bin/env bash
if ! [ -f "/etc/systemd/system/PyFilter.service" ]
then
sudo python3 create_service.py
sudo mv PyFilter.service /etc/systemd/system/PyFilter.service
sudo chmod +x run.sh
sudo systemctl daemon-reload
sudo systemctl start PyFilter
sudo systemctl enable PyFilter
echo Service created and enabled, check the status of it by using \"sudo systemctl status PyFilter\"
else
echo Service already created.
echo Check the status of it by using \"sudo systemctl status PyFilter\"
fi
```
When you launch the script, it executes the series of commands above to create the PyFilter service on your system.
Run it with the following command.
```
./install.sh
```
If the script runs successfully, you will get output similar to the following:
output
```
Service created and enabled, check the status of it by using "sudo systemctl status PyFilter"
```
Everything seems to be working fine.
Execute the following command to check the service's status.
```
sudo systemctl status PyFilter
```
When I run the above command, I get the following output:
```
● PyFilter.service - PyFilter
   Loaded: loaded (/etc/systemd/system/PyFilter.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-05-01 07:50:38 UTC; 38min ago
 Main PID: 12474 (bash)
   CGroup: /system.slice/PyFilter.service
           ├─12474 bash /usr/local/PyFilter/run.sh
           ├─12475 sudo python3 run.py
           └─12478 python3 run.py
```
Don't skip the status check; it is how you confirm everything is working. Here is an example of what a failed start looks like.
```
● PyFilter.service - PyFilter
   Loaded: loaded (/etc/systemd/system/PyFilter.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-05-01 07:50:38 UTC; 38min ago
  Process: 12474 ExecStart=/usr/local/PyFilter/run.sh (code=exited, status=1/FAILURE)
 Main PID: 12474 (code=exited, status=1/FAILURE)
May 01 07:50:38 Tuts sudo[12475]: pam_unix(sudo:session): session opened for user root by (uid=0)
May 01 07:50:38 Tuts run.sh[12474]: Traceback (most recent call last):
May 01 07:50:38 Tuts run.sh[12474]: File "run.py", line 4, in <module>
May 01 07:50:38 Tuts run.sh[12474]: p = PyFilter()
May 01 07:50:38 Tuts run.sh[12474]: File "/usr/local/PyFilter/pyFilter/py_filter.py", line 22, in __init__
May 01 07:50:38 Tuts run.sh[12474]: with open(file_path, "r") as config:
May 01 07:50:38 Tuts run.sh[12474]: FileNotFoundError: [Errno 2] No such file or directory: 'Config/config.json'
May 01 07:50:38 Tuts sudo[12475]: pam_unix(sudo:session): session closed for user root
May 01 07:50:38 Tuts systemd[1]: PyFilter.service: Main process exited, code=exited, status=1/FAILURE
May 01 07:50:38 Tuts systemd[1]: PyFilter.service: Failed with result 'exit-code'.
```
If you encounter an error like this, read the traceback for the step it points to (in the example above the client could not find `Config/config.json`, so the working config file was not created where the client expects it), then reinstall the client and follow the steps above again.
# Unbanning an IP address
It is very important to know how to remove an IP ban, because PyFilter can lock you out of your own server. In that case, log in from the console and remove the banned IP manually. The file that stores the banned IPv4 addresses is `/usr/local/PyFilter/Config/blacklist.v4`; likewise, `/usr/local/PyFilter/Config/blacklist.v6` holds the IPv6 rules.
Get the list of banned IPs by running the following commands:
```
cd /usr/local/PyFilter/Config
sudo nano blacklist.v4
```
The following snippet shows the banned IPs.
```
# Generated by iptables-save v1.6.1 on Wed May 1 08:20:22 2019
*filter
:INPUT ACCEPT [49:4006]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:5180]
-A INPUT -s 51.158.69.8/32 -j DROP
-A INPUT -s 104.248.140.212/32 -j DROP
-A INPUT -s 149.202.55.176/32 -j DROP
-A INPUT -s 112.161.29.50/32 -j DROP
-A INPUT -s 58.242.83.38/32 -j DROP
-A INPUT -s 128.199.230.16/32 -j DROP
-A INPUT -s 58.163.88.42/32 -j DROP
-A INPUT -s 76.79.74.58/32 -j DROP
-A INPUT -s 106.51.54.198/32 -j DROP
-A INPUT -s 180.151.8.180/32 -j DROP
-A INPUT -s 109.207.159.178/32 -j DROP
-A INPUT -s 120.29.156.251/32 -j DROP
-A INPUT -s 148.70.11.143/32 -j DROP
-A INPUT -s 179.110.29.67/32 -j DROP
-A INPUT -s 118.89.229.244/32 -j DROP
-A INPUT -s 193.112.174.67/32 -j DROP
-A INPUT -s 134.175.154.182/32 -j DROP
-A INPUT -s 36.103.243.247/32 -j DROP
-A INPUT -s 103.28.57.86/32 -j DROP
-A INPUT -s 168.227.56.242/32 -j DROP
-A INPUT -s 58.242.83.35/32 -j DROP
COMMIT
# Completed on Wed May 1 08:20:22 2019
```
To unban an IP address, open the relevant blacklist file in the editor and delete the `DROP` rule for that address, as shown below.
```
sudo nano blacklist.v4
# Generated by iptables-save v1.6.1 on Wed May 1 08:20:22 2019
*filter
:INPUT ACCEPT [49:4006]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:5180]
-A INPUT -s 51.158.69.8/32 -j DROP
-A INPUT -s 104.248.140.212/32 -j DROP
-A INPUT -s 149.202.55.176/32 -j DROP
-A INPUT -s 112.161.29.50/32 -j DROP
-A INPUT -s 58.242.83.38/32 -j DROP
COMMIT
# Completed on Wed May 1 08:20:22 2019
```
Save the file and exit the editor.
Now use the following command to restart the client for the changes to take effect.
```
sudo systemctl restart PyFilter
```
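Editing an `iptables-save` file by hand under pressure (you may be doing this from the console after locking yourself out) is easy to get wrong. The following Python is an added example, not part of PyFilter: it removes only the `DROP` rule(s) covering a given address and leaves the header, chain policies and `COMMIT` line untouched. The file excerpt is constructed from the rules shown above; it assumes the rules keep the `-A INPUT -s <net> -j DROP` form PyFilter writes, and it handles `blacklist.v6` the same way since addresses are parsed with the `ipaddress` module.

```python
import ipaddress
import re

# Constructed excerpt in the iptables-save format PyFilter writes to
# Config/blacklist.v4; the addresses are the ones shown earlier in this tutorial.
SAMPLE_BLACKLIST = """\
# Generated by iptables-save v1.6.1 on Wed May 1 08:20:22 2019
*filter
:INPUT ACCEPT [49:4006]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:5180]
-A INPUT -s 51.158.69.8/32 -j DROP
-A INPUT -s 104.248.140.212/32 -j DROP
-A INPUT -s 58.242.83.38/32 -j DROP
COMMIT
# Completed on Wed May 1 08:20:22 2019
"""

DROP_RULE_RE = re.compile(r"^-A INPUT -s (?P<net>\S+) -j DROP$")


def list_banned(blacklist_text: str) -> list:
    """Return the source networks (as written, e.g. '51.158.69.8/32') of every DROP rule."""
    nets = []
    for line in blacklist_text.splitlines():
        m = DROP_RULE_RE.match(line.strip())
        if m:
            nets.append(m.group("net"))
    return nets


def unban(blacklist_text: str, ip: str) -> tuple:
    """Remove every DROP rule whose network contains `ip`.

    Returns (new_text, removed_count). Everything that is not a matching rule,
    including the header, chain policies and COMMIT, is preserved verbatim.
    """
    target = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    kept, removed = [], 0
    for line in blacklist_text.splitlines():
        m = DROP_RULE_RE.match(line.strip())
        if m:
            try:
                net = ipaddress.ip_network(m.group("net"), strict=False)
            except ValueError:
                kept.append(line)  # unparsable rule: leave it for a human to look at
                continue
            if target.version == net.version and target in net:
                removed += 1
                continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


def unban_file(path: str, ip: str) -> int:
    """Rewrite the blacklist file in place and report how many rules were removed."""
    with open(path, "r") as fh:
        new_text, removed = unban(fh.read(), ip)
    if removed:
        with open(path, "w") as fh:
            fh.write(new_text)
    return removed


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: unban.py /usr/local/PyFilter/Config/blacklist.v4 <ip>")
    print(f"removed {unban_file(sys.argv[1], sys.argv[2])} rule(s); now restart PyFilter")
```

As with the manual edit, restart PyFilter afterwards (`sudo systemctl restart PyFilter`) so the change takes effect.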
# Collection of IP location data
PyFilter also collects location information from banned IPs to analyze the location of the attack. To include such information in the log, you need to install the `geoip2` module.
```
pip3 install geoip2
```
Then run the following command to restart PyFilter.
```
sudo systemctl restart PyFilter
```
Now all the forbidden IPs will look like the output snippet below.
```
2018-08-14 14518:05 Found IP: 196.4.100.13 from server: my_server. The IP was from Kenya.
```
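Once location data is in the log, the natural next step is to summarise where bans come from. The following Python is an added example, not part of PyFilter: it parses the `Found IP ... The IP was from <country>.` lines into records and counts bans per country and per server. The sample lines are constructed; the exact timestamp layout (`YYYY-MM-DD HH:MM:SS`) and the server names are assumptions for the example.

```python
import re
from collections import Counter, namedtuple

# Constructed log lines in the shape PyFilter produces once geoip2 is installed
# (timestamps, server names and the last two addresses are made up for this example).
SAMPLE_GEO_LOG = """\
2019-05-01 08:21:05 Found IP: 196.4.100.13 from server: my_server. The IP was from Kenya.
2019-05-01 08:23:40 Found IP: 203.0.113.9 from server: my_server. The IP was from Brazil.
2019-05-01 08:25:12 Found IP: 198.51.100.20 from server: web-2. The IP was from Kenya.
2019-05-01 08:26:00 Checking Ssh logs
"""

GeoBan = namedtuple("GeoBan", "timestamp ip server country")

# Country names may contain spaces, so the last group is non-greedy up to the final period.
GEO_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Found IP: (?P<ip>\S+) "
    r"from server: (?P<server>\S+)\. The IP was from (?P<country>.+?)\.$"
)


def parse_geo_bans(log_text: str) -> list:
    """Extract one GeoBan per 'Found IP' line; other log lines are ignored."""
    bans = []
    for line in log_text.splitlines():
        m = GEO_RE.match(line)
        if m:
            bans.append(GeoBan(m.group("ts"), m.group("ip"), m.group("server"), m.group("country")))
    return bans


def bans_by_country(log_text: str) -> list:
    """Return (country, count) pairs, most frequent first."""
    return Counter(b.country for b in parse_geo_bans(log_text)).most_common()


def bans_by_server(log_text: str) -> dict:
    """Return how many bans each server in the sync group reported."""
    return dict(Counter(b.server for b in parse_geo_bans(log_text)))


if __name__ == "__main__":
    for country, n in bans_by_country(SAMPLE_GEO_LOG):
        print(f"{country}: {n}")
    print(bans_by_server(SAMPLE_GEO_LOG))
```

Point `parse_geo_bans` at the contents of PyFilter's log file instead of the sample to get the same summary for a real server.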
# Conclusion
This tutorial showed you how to install and configure the PyFilter client to monitor SSH connections to an Ubuntu server on Alibaba Cloud. PyFilter is known for its simple and effective features. Alibaba Cloud offers a full range of security features; on top of them, PyFilter helps you tell legitimate IP addresses from those that should not be allowed to access the server.
If you don't have an Alibaba Cloud account yet, sign up for one: [try over 40 products for free](https://account.alibabacloud.com/register/intl_register.htm?spm=a2c65.11461447.0.0.61797d1294HOzw), worth up to $1,300. For more information on Alibaba Cloud, please see [here](https://account.alibabacloud.com/register/intl_register.htm?spm=a2c65.11461447.0.0.61797d1294HOzw).
Alibaba Cloud is the No. 1 (2019 Gartner) cloud infrastructure operator in the Asia Pacific region, with two data centers in Japan and more than 60 availability zones worldwide. Click here for more information on Alibaba Cloud: [Alibaba Cloud Japan Official Page](https://www.alibabacloud.com/en).