Fail2Ban Intrusion Prevention on Solaris 11 OPENINDIANA SunOS 5.11 Illumos with Reporting to Blocklist.de

I run a internet-facing hobbyist SunOS 5.11 illumos Solaris 11 openindiana server with guest account available. It is accessible using ssh sanyal.duckdns.org.

Being internet exposed means having to deal with continuous attempts at breaking in from across the world - mostly idiotic automated dictionary attacks and sometimes more dangerous attempts involving human hackers.

As with my linux servers, fail2ban provides the first line of defense for openindiana as well. However, it was a bit tricky to get fail2ban to work on a Solaris 11 / openindiana platform. Now that fail2ban is working on openindiana including automatic reporting of intruder IP addresses to www.blocklist.de, this is a summary of what I did.

1. Prerequisites

Before starting, you should already have setup your account at www.blocklist.de and added your openindiana server you will be using for reporting intrusion attempts and DOS attacks to them. Specifically you need the API KEY as we will be using the HTTP API interface (not email) to communicate intrusions to blocklist.de. You can take a look at my post on setting up fail2ban with blocklist.de on linux  to get started before coming back here.

Optionally, your email should be working, i.e. sendmail, postfix or whatever else you use should be sending emails successfully using SMTP to internet email addresses. In particular, you should already have mailx installed and configured working. This way you can get notified by email whenever fail2ban sends an intrusion report over HTTP API to blocklist.de.

Finally, fail2ban uses gamin to monitor files. You need to have gamin installed. One source of gamin for Solaris 11 is the OpenCSW project. The following commands worked for me:

# wget http://mirror.opencsw.org/opencsw/pkgutil.pkg

# pkgadd -d pkgutil.pkg

# /opt/csw/bin/pkgutil -U

# /opt/csw/bin/pkgutil -y -i gamin

# /usr/sbin/pkgchk -L CSWgamin # list files

2. Download and extract fail2ban stable installation tarball

Head over to the fail2ban official download page and download the latest stable version. I downloaded the current stable release 0.9.4 from https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz.

After downloading the gzip compressed tarball, extract it. Then change into the top directory of the extracted directory tree.

# tar xvzf 0.9.4.tar.gz

# cd fail2ban-0.9.4

3. Install fail2ban

First execute the supplied python installer to install the fail2ban files in their proper directories.

# ./setup.py install

After the above step, you should see the fail2ban executables in the /usr/bin directory:

# ls -l /usr/bin/fail2ban-* 

-rwxr-xr-x 1 root root 187 Jul  3 01:59 /usr/bin/fail2ban-client 

-rwxr-xr-x 1 root root 185 Jul  3 01:59 /usr/bin/fail2ban-regex 

-rwxr-xr-x 1 root root 187 Jul  3 01:59 /usr/bin/fail2ban-server 

-rwxr-xr-x 1 root root 193 Jul  3 01:59 /usr/bin/fail2ban-testcases

You should also see the default configuration files in the /etc/fail2ban directory.

# ls -l /etc/fail2ban

Next, add the fail2ban service to Solaris so that it is started, stopped and managed by the standard Solaris service daemon management tools. The files required to do so are included in the fail2ban installation tarball in the files directory.

# svccfg import files/solaris-fail2ban.xml
# cp files/solaris-svc-fail2ban /lib/svc/method/svc-fail2ban
# chmod +x /lib/svc/method/svc-fail2ban

We then update the Solaris system logger syslogd to enable authentication related logging into a log file for fail2ban to use for monitoring login attempts. Using vi or any editor of choice, edit the /etc/syslog.conf file and append the following line to the end, and save and exit the editor.

auth.info        /var/adm/auth.log

Execute the following commands to create an empty authentication log file (Solaris syslogd does not create it if it is not there) and restart the system logger:

# touch /var/adm/auth.log
# svcadm restart system-log

Logging is set up at this point. Run a basic test to make sure login attempts are now being captured in the authorization log file by:

# ssh nosuchuser@localhost

Enter garbage passwords and examine /var/adm/auth.log to validate log entries capture your owned failed login attempt:

Sep 21 21:08:22 anubis-solaris.sanyalnet.lan sshd[24761]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user nosuchuser from 127.0.0.1
Sep 21 21:08:27 anubis-solaris.sanyalnet.lan last message repeated 2 times
Sep 21 21:08:27 anubis-solaris.sanyalnet.lan sshd[24761]: [ID 800047 auth.error] error: maximum authentication attempts exceeded for invalid user nosuchuser from 127.0.0.1 port 33111 ssh2 [preauth]

4. Configure fail2ban for notifying blocklist.de

We need to customize only a couple of fail2ban configuration files.

1) We move the fail2ban log file to under /var/log/adm by creating a file /etc/fail2ban/fail2ban.local with the contents

2) Create /etc/fail2ban/jail.local with the following contents, adjusted for your account and server API-KEY details:


3) Create /etc/fail2ban/action.d/mail-whois-common.local. This just adds the "n" parameter to the whois command executed when sending a email by fail2ban for a slightly cleaner email.


4) Create /etc/fail2ban/action.d/mail-whois-lines.local from the template below, and then modify it; Adjust /usr/gnu/bin/grep to contain the full path to the grep utility on your Solaris 11 openindiana installation. Typing in "which grep" should tell you where grep lives on your system.

`/usr/gnu/bin/grep <grepopts> <ip> <logpath>`\n

5. Enable fail2ban

You should be ready to fire up fail2ban on your solaris openindiana server now. Enable and start the service up, and check on the status. If the service does not start, look at the log files /var/svc/log/network-fail2ban:default.log and /var/adm/fail2ban.log for clues on what you need to fix.

# svcadm refresh fail2ban 

# svcadm enable fail2ban 

# svcs -xv fail2ban 

svc:/network/fail2ban:default (?) State: online since September 22, 2016 05:05:36 PM UTC  See: /var/svc/log/network-fail2ban:default.logImpact: None.

If everything is working, you should see something like this in /var/adm/fail2ban.log and the statistics for your server at blocklist.de should be going up.

2016-10-21 15:58:10,454 fail2ban.server         [10020]: INFO    Changed logging target to /var/adm/fail2ban.log for Fail2ban v0.9.4
2016-10-21 15:58:10,469 fail2ban.database       [10020]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2016-10-21 15:58:10,485 fail2ban.jail           [10020]: INFO    Creating new jail 'ssh-tcpwrapper'
2016-10-21 15:58:10,546 fail2ban.jail           [10020]: INFO    Jail 'ssh-tcpwrapper' uses Gamin
2016-10-21 15:58:10,604 fail2ban.filter         [10020]: INFO    Set jail log file encoding to 646
2016-10-21 15:58:10,684 fail2ban.jail           [10020]: INFO    Initiated 'gamin' backend
2016-10-21 15:58:10,728 fail2ban.filter         [10020]: INFO    Added logfile = /var/adm/auth.log
2016-10-21 15:58:10,732 fail2ban.filter         [10020]: INFO    Set maxRetry = 3
2016-10-21 15:58:10,817 fail2ban.filter         [10020]: INFO    Set jail log file encoding to 646
2016-10-21 15:58:10,818 fail2ban.actions        [10020]: INFO    Set banTime = 172800
2016-10-21 15:58:10,819 fail2ban.filter         [10020]: INFO    Set findtime = 1800
2016-10-21 15:58:10,819 fail2ban.filter         [10020]: INFO    Set maxlines = 10
2016-10-21 15:58:11,177 fail2ban.server         [10020]: INFO    Jail ssh-tcpwrapper is not a JournalFilter instance
2016-10-21 15:58:11,719 fail2ban.jail           [10020]: INFO    Jail 'ssh-tcpwrapper' started
2016-10-21 15:58:13,238 fail2ban.actions        [10020]: NOTICE  [ssh-tcpwrapper] Ban 162.220.166.163
2016-10-21 15:58:17,741 fail2ban.actions        [10020]: NOTICE  [ssh-tcpwrapper] Ban 80.250.3.246

...

...