EC2 Instance SSH Rate Limiting and Firewalling
Rate limiting is a strategy for limiting network traffic. It puts a limit on how often someone can repeat an action within a certain timeframe – for instance, trying to log in to an account. Rate limiting can help stop certain kinds of malicious bot activity. It can also reduce strain on web servers.
Users may find themselves locked out of an account if they unsuccessfully attempt to log in too many times in a short amount of time. This occurs when a website has login rate limiting in place. This precaution exists to block brute force attacks in which a bot tries thousands of different passwords to guess the correct one and break into the account.
Rate limiting implementation
- Install ufw (if it’s not been installed)
sudo apt install ufw ufw limit ssh comment 'Rate limit for ssh server'or
ufw limit log ssh comment 'Rate limit for SSH' (inserting log can log all new connections)
Enhancing Security by blocking IPs to prevent Brute-force
SSH Guard and Fail2Ban are two opensource tools for additive security on SSH login. Both are easily configurable, but Fail2Ban has more features like HTTP/HTTPS and Apache server monitoring.
Implementing Fail2Ban
- Install Fail2Ban by using this command
sudo apt-get install fail2ban
- To ensure Fail2Ban runs on system startup
sudo systemctl enable fail2ban.service
sudo cp /etc/fail2ban/jail.{conf,local}- Configure jail.local file. A text editor will open after running this command.
sudo nano /etc/fail2ban/jail.local
- To ban an IP address for 5 minutes after 10 suspicious attempts in 10 minutes. Change bantime to 5m, findtime to 10m and maxretry to 10.
- By default, backend is configured as auto. Change backend to polling
- Save the file by pressing CTRL + O and exit nano text editor by pressing CTRL + X
- Restart fail2ban
systemctl restart fail2ban
- Check if it’s running. It should show “Active”
systemctl status fail2ban
Monitoring with Fail2Ban Client
One advantage of Fail2Ban is that it allows you to monitor all the failed authentication attempts.
Fail2Ban Client is a tool to check the status of Fail2Ban and active jails.
- Run this command to check the status. It should show 1 jail in the list named sshd
sudo fail2ban-client status
- To view the status of a particular jail, run this command. It should show failed attempts and banned IP address.
sudo fail2ban-client status sshd
Check Log
Fail2Ban also generates log in the /var/log/fail2ban.log file. To view the full log file run:
sudo cat /var/log/fail2ban.log
To view the current log run:
sudo tail -f /var/log/fail2ban.log
Testing
By default, passwords are not allowed for login via SSH into EC2 instance. We can only log into the instance with private keys. In the first-place attacker will not be able to brute-force on our server. But we still implemented rate limiting as an additional layer for security. Suppose if attacker has our private keys (which is not possible unless your system where your keys are stored is compromised), this additional layer will help us at that moment. The attacker will try to guess the username of our instance and try to login with the private keys. If he/she makes 10 attempts to login with wrong username in 10 minutes, his/her IP address will be blocked for 5 mins (the blocked time can be configured in jail.local file). Admins can view the log file (/var/log/fail2ban.log).
Let’s try to brute-force with different usernames.
Here I had the correct secret key, but I tried using different usernames for logging in.
After 10 failed attempts, I got connection timed out error.
Now here’s the log file.
The log shows my IP address from which I tried to access the server. After 10 unsuccessful attempts, my IP address was banned.
Conclusion
Although it’s not possible to login to our instance with password via SSH. So, attacker will not be able to brute-force. But for the additional security with firewalling, we need to make sure that we use unique username for our instance. With correct secret keys and predictable username, attacker will be able to compromise our server.