Blog GL2i

User Tools

Site Tools

Trace:
en:security:reaction

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
en:security:reaction [2024/08/07 21:41] lonclegren:security:reaction [2024/08/13 21:58] (current) lonclegr
Line 3: Line 3:
 ===== Context ===== ===== Context =====
  
-When you have a server reachable from internet, it is a very good idea to control who has access to it and how. For years I was using the very good tool[[en:security:iptables|iptables]] that I was using a very restricted way. But it happened to me a story that I am going to share with you that made change my mind...+When you have a server reachable from internet, it is a very good idea to control who has access to it and how. For years I am using the very good tool called [[en:security:iptables|iptables]] in a very restricted way. But it happened to me a story that I am going to share with you that made change my mind...
  
 ===== Architecture ===== ===== Architecture =====
Line 11: Line 11:
  
 {{ :en:security:architecture-one-server-access.png?direct&600 |Architecture with one server}} {{ :en:security:architecture-one-server-access.png?direct&600 |Architecture with one server}}
 +
 +So I configured [[en:security:iptables|iptables]] on my server the most restrictive way I know from network perspective: only the two public IPs of my two ḧomes can access to SSH service. And it works fine. But by design, there is an issue about this choice I made. Indeed, my ISPs ((Internet Service Provider)) provide me dynamic IPs. It may change without notice but for the last 3 years it did not.
 +I accepted the risk because of two facts:
 +  - Since IPs don't change very often and I have two different ISP, the probability that both of them change at the same time is very low. So if one IP changes and I lose access to my server I can go the second home and update the configuration accordingly.
 +  - Worst case scenario, I can use the emergency console access from my server provider and update the configuration of [[en:security:iptables|iptables]].
 +
 +
 +===== Odds always win =====
 +
 +One day, one of my ISP put down my internet access for a few days. They had to fix something to improve bandwidth. No problem, I still have access to my server using my second ISP. But the following morning, bad news: all my backup reports came back to me with errors ((yes I use this server for backup)). Long story short, my second ISP decided to change my IP during the night ((I challenged them to know what happened and they decided to switch the subnet I was part of to a smaller/cheaper one)).
 +I decided that I was going to use my last option: emergency console access to my server from the provider. But bad surprise again, my provider did not provide such a service.
 +
 +As a result, I lost access to my server for days. In the meantime, I was looking for a more robust design. That's how [[https://en.wikipedia.org/wiki/Fail2ban|fail2ban]] came back to my mind and even better I remembered that one person from the [[https://www.chatons.org/en|CHATONS]] [[https://picasoft.net|Picasoft]] was working on the perfect tool for me: [[https://blog.ppom.me/en-reaction/|reaction]].
 +
 +===== New architecture =====
 +
 +In this new architecture, I introduced a new server "Bastion SSH Server" which has only SSH server and [[https://blog.ppom.me/en-reaction/|reaction]].
 +
 +{{ :en:security:architecture-one-server-access-with-bastion.png?direct&600 |Architecture with Bastion SSH server}}
 +===== Why not Fail2ban ? =====
 +
 +Well, for two main reasons I decided to use [[https://blog.ppom.me/en-reaction/|reaction]] instead of [[https://en.wikipedia.org/wiki/Fail2ban|fail2ban]]:
 +  - Fail2ban is an old software with few new features
 +  - Reaction uses recent technologies and is very efficient. And cherry on the cake, it has an ultimate goal of federating black-listed-IPs.
 +
 +
 +And since a good drawing is always better than long speech, let me share with you this one made by [[https://ptilouk.net/|Gee]].
 +
 +{{ :en:security:bd-reaction-english.png?direct&600 |Reaction the new Fail2ban}}
 +
 +
 +
 +===== Feedback =====
 +
 +I am using this tool within this new architecture for weeks now and I am very satisfied.
 +
 +==== Usage ====
 +
 +The service is up for 2 weeks and 2 days and memory usage is very low.
 +
 +{{ :en:security:reaction-usage-for-2-weeks.png?direct&600 |Reaction systemctl status}} 
 +
 +==== Ansible playbook ====
 +
 +Here is my playbook I use to setup it on my server. It is not perfect but if it can help you to test easily 8-)
 +
 +<code yaml>
 +- name: install packages required to have logs
 +  package:
 +    name: "{{ item }}"
 +    state: latest
 +  with_items:
 +    - iptables
 +    - iptables-persistent
 +    - logrotate
 +    - rsyslog
 +  become: True
 +
 +- name: stop reaction if running
 +  service:
 +    name: reaction.service
 +    state: stopped
 +  become: True
 +  ignore_errors: yes
 +
 +- name: download binary
 +  ansible.builtin.get_url:
 +    url: https://static.ppom.me/reaction/releases/v1.4.1/reaction
 +    dest: /usr/local/bin/reaction
 +    mode: '0755'
 +  become: True
 +
 +- name: copy systemd file
 +  copy:
 +    src: files/reaction.service
 +    dest: /etc/systemd/system/reaction.service
 +    owner: root
 +    group: root
 +    mode: 0700
 +  become: True
 +
 +
 +- name: copy reaction.yml
 +  copy:
 +    src: files/reaction.yml
 +    dest: /etc/reaction.yml
 +    owner: root
 +    group: root
 +    mode: 0755
 +  become: True
 +
 +- name: reload daemon
 +  command: "systemctl daemon-reload"
 +  become: True
 +
 +
 +- name: enable reaction
 +  command: "systemctl enable reaction.service"
 +  become: True
 +
 +- name: restart reaction
 +  service:
 +    name: reaction.service
 +    state: restarted
 +  become: True
 +</code>
 +
 +and the config file for SSH based on [[https://reaction.ppom.me/filters/ssh.html|official documentation]]
 +
 +<code>
 +patterns:
 +  ip:
 +    regex: '(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})'
 +streams:
 +  ssh:
 +    cmd: ['tail', '-F', '/var/log/auth.log']
 +    filters:
 +      fail:
 +        regex:
 +          - 'authentication failure;.*rhost=<ip>'
 +          - 'Connection (reset|closed) by (authenticating|invalid) user .* <ip>'
 +          - 'Failed password for .* from <ip>'
 +
 +        retry: 3
 +        retryperiod: '3h'
 +        actions:
 +          ban:
 +            cmd: ['iptables', '-w', '-A', 'reaction', '-s', '<ip>', '-j', 'DROP']
 +          unban:
 +            cmd: ['iptables', '-w', '-D', 'reaction', '-s', '<ip>', '-j', 'DROP']
 +            after: '24h'
 +start:
 +  - [ 'iptables', '-w', '-N', 'reaction' ]
 +  - [ 'iptables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ]
 +stop:
 +  - [ 'iptables', '-w', '-D', 'INPUT', '-p', 'all', '-j', 'reaction' ]
 +  - [ 'iptables', '-w', '-F', 'reaction' ]
 +  - [ 'iptables', '-w', '-X', 'reaction' ]
 +</code>
 +
 +and the service
 +
 +<code>
 +[Install]
 +WantedBy=multi-user.target
 +[Service]
 +ExecStart=/usr/local/bin/reaction start -c /etc/reaction.yml
 +StateDirectory=reaction
 +RuntimeDirectory=reaction
 +WorkingDirectory=/var/lib/reaction
 +</code>
 +
 +This code is based on the one you can find on the official blog of [[https://blog.ppom.me/en-reaction/|reaction]].
 +
 +
 +===== Conclusion =====
 +
 +This tool is a very good initiative that everybody should support! At least everybody that needs such tool should give a try. The creator is very talented and tries to push the tool into a direction that can make everything more safe.
en/security/reaction.1723081308.txt.gz · Last modified: 2024/08/07 21:41 by lonclegr