fail2ban is a great IDPS tool, not only it can detect attacks but also block the malicious IP addresses by using Linux iptables.
Although fail2ban can be used for services like HTTP, SMTP, IMAP etc. but most of sys-admins use it to protect the SSH service. fail2ban daemon reads the log files and if there is a malicious pattern detected (e.g multiple failed login requests) it executes a command for blocking the IP for certain period of time or maybe forever.
In this article, I am using fail2ban version 0.11.2 and my base operating system is Kali Linux 2020.4. I have configured fail2ban with default settings and it is enabled only for SSH service.
Next, I tried SSH to kali box (f2b running) but I gave wrong passwords, which ultimately triggered f2b to block my IP.
We can see that IP 192.168.10.7 has been added to our iptables.
If we save the iptables rules to a file and read them, it blocked the IP with multiport configuration.
So, what is this multiport ? If we go to our fail2ban directory, which in my case is at /etc/fail2ban, inside there is action.d folder which has different types of configuration rules that can be applied for blocking an IP.
If we look closely at the iptables-multiport.conf file
There are two things actionban and actionunban. If we have write access to this file, we can add our malicious command and escalate our privileges.
Lets try to give 777 permissions (anyone can w+r+e file) /etc/shadow file, which has the hashed password of all the users. Just to be on safe side, I have copied this file to /dev/shm directory. You don’t need to copy it to /dev/shm.
Adding new malicious command to iptables-multiport.conf file.
Now, if we try false SSH attempts, fail2ban will not only block the IP but also give 777 permission to /dev/shm/shadow.
A malicious person can now replace the hash of root or privileged user with his/her own password hash and escalate easily.
Or maybe adding a reverse shell or setting SUID thing. Sky is limit !!!
Dont give everyone WRITE permissions to /etc/fail2ban/action.d folder.