Denying Hosts

Time
21 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
21
Video Transcription
Hello Cybrarians and welcome back to the Linux+ course here at Cybrary. I'm your instructor Rob Gills, and in today's lesson we're going to be discussing denying hosts access. Upon completion of this lesson, you are going to be able to understand the importance of denying access to hosts, and we're going to differentiate between the different methods we can use for denying hosts access.

We know by now that any portion of your network that's publicly accessible is going to turn into an attack vector, and any device or service that can be accessed from the public network will become a target. SSH is a prime example, and it's generally a magnet for brute-force attacks. We know also that intrusion attacks can happen at any time, day or night. It's important to block hosts involved in attacks, and it's really important to do it automatically if possible, just in case we're not around when they occur.

We already covered one of the most important and basic host-deny methods, which is using the hosts.deny file. We talked about that when we talked about TCP Wrappers in the Module 16 lesson. Host IPs or ranges that are in the /etc/hosts.deny file create an effective block list, and these hosts are denied network access to any resources on the system. Now, TCP Wrappers require IPs and ranges, and these do have to be put in manually. But we talked about wanting to do this automatically in case we're not around when an intrusion attempt occurs.

How do we automatically deny access? Well, there are a couple of utilities that we can use to do this. The first one is DenyHosts, and that utility automatically updates hosts.deny as well as the firewall, in this case generally iptables. The other application or utility that we can use is called Fail2Ban, and Fail2Ban updates hosts.deny and iptables as well, but it also monitors the auth logs for different applications. So for instance, it looks at /var/log/auth.log for SSH, looks in vsftpd.log for FTP, and then for web services it's going to look in things like /var/log/apache2/access.log. It comes pre-configured for things like this, but it is tunable. We're going to dig into DenyHosts and Fail2Ban more in Module 19.

Now, any of the previous methods can be used to set up a network for attack defense, and this is important. We want to be able to defend against this, so what we might do is place a system with external access as a honeypot. We may not configure that system to really protect against anything; we just want it to sit out there and get attacked, and then once it's attacked, we can harvest these bad host IPs and ranges and use them. We can use these attacking host IPs and ranges to be denied at the firewall level.

Well, we can also use the ipset utility to do this. We can use that to specify IPs or ranges to deny, and this can be used to update iptables as well as firewalld. We'll talk more about using ipset in Module 19, but keep in mind this is not just the realm of local host firewalls. We don't need to just do this on our Linux systems; we should be denying things at the network edge if possible. If we have physical firewalls that are sitting out there on the edge and they're filtering external network access, we should really do ourselves a favor and put these hosts, these IP addresses, in there to make sure that this traffic doesn't get into our system any further than it needs to.

But with that, in this lesson we covered the importance of denying hosts access, and we talked about a few different methods of denying hosts access. Thanks so much for being here, and I look forward to seeing you in the next lesson.
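The lesson above describes the pipeline that DenyHosts and Fail2Ban automate: watch the SSH auth log, pick out the addresses that keep failing, and push them into /etc/hosts.deny and into a firewall block list (an ipset matched by iptables). The bash script below is an added example, not code from the Cybrary lesson nor from DenyHosts, Fail2Ban or ipset; it implements a minimal version of that pipeline over a few constructed sshd log lines. The log lines, the threshold of three failures, and the set name sshbans are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example (not code from the Cybrary lesson, DenyHosts or Fail2Ban).
# A minimal Fail2Ban-style pass over sshd lines as found in /var/log/auth.log:
# count failed logins per source IP, and for every IP at or above a threshold
# emit (a) TCP Wrappers lines for /etc/hosts.deny and (b) an `ipset restore`
# script for a set that an iptables rule can drop on.
# The set name "sshbans" and the threshold of 3 are assumptions for the demo.

# Constructed sample log lines (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG='Jan 10 03:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 10 03:12:03 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 10 03:12:05 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jan 10 03:12:06 web1 sshd[2214]: Failed password for invalid user oracle from 198.51.100.23 port 40010 ssh2
Jan 10 03:12:09 web1 sshd[2215]: Accepted publickey for deploy from 192.0.2.10 port 55512 ssh2
Jan 10 03:12:11 web1 sshd[2216]: Failed password for root from 203.0.113.7 port 51040 ssh2
Jan 10 03:12:12 web1 sshd[2217]: Failed password for root from 198.51.100.23 port 40012 ssh2'

# failed_logins_by_ip: stdin = log lines; stdout = "<count> <ip>", highest count first.
# Only sshd "Failed password" lines count; successful logins are ignored.
failed_logins_by_ip() {
  grep -E 'sshd\[[0-9]+\]: Failed password for' \
    | sed -E 's/.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) port .*/\1/' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# offenders THRESHOLD: stdin = log lines; stdout = one IP per line with >= THRESHOLD failures.
offenders() {
  failed_logins_by_ip | awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

# hosts_deny_lines: stdin = IPs; stdout = /etc/hosts.deny entries denying every wrapped service.
hosts_deny_lines() {
  while read -r ip; do
    if [ -n "$ip" ]; then printf 'ALL: %s\n' "$ip"; fi
  done
}

# ipset_restore_lines SETNAME: stdin = IPs; stdout = a script for `ipset -exist restore`.
# Enforce the set with:  iptables -I INPUT -m set --match-set SETNAME src -j DROP
ipset_restore_lines() {
  printf 'create %s hash:ip\n' "$1"
  while read -r ip; do
    if [ -n "$ip" ]; then printf 'add %s %s\n' "$1" "$ip"; fi
  done
}

# Demo: with a threshold of 3, only 203.0.113.7 (4 failures) is banned;
# 198.51.100.23 (2 failures) and the successful publickey login are left alone.
echo "# /etc/hosts.deny additions"
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | hosts_deny_lines
echo "# ipset restore script (apply with: ipset -exist restore < file)"
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | ipset_restore_lines sshbans
```

To apply the output for real, append the ALL: lines to /etc/hosts.deny and feed the second part to `ipset -exist restore` before adding the iptables rule in the comment (-exist keeps the script idempotent when the set already exists). The two controls are not equivalent: a hosts.deny entry only affects services that are linked against libwrap or started through tcpd, while the ipset match in iptables drops the address for every port, which is why the lesson's point about pushing the same list to the edge firewall matters.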