
Install an Intrusion Prevention System (IPS) on an EC2 Instance

Hands-On Lab


Length

00:30:00

Difficulty

Intermediate


What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.


Introduction

Intrusion Prevention Systems (IPS) monitor systems for malicious activity or policy violation, and report them to systems administrators or take automatic action on suspicious traffic within the network.

In this learning activity, we will use the popular fail2ban (http://fail2ban.org) to automate a response to an attack on our EC2 instance.

With two EC2 instances, we will attack one from the other, and fail2ban will automatically block the attacking host's IP.

Solution

This solution does not use the AWS Management Console. All of the work is done in the terminal.

Install, Configure, and Start Fail2ban

  1. Connect to Instance A using the credentials provided on the lab page.

    ssh cloud_user@INSTANCE_A_ADDRESS
  2. Switch to the root user.

    sudo su
  3. Install fail2ban.

    yum install fail2ban -y
  4. Change to the /etc/fail2ban directory and verify it is populated.

    cd /etc/fail2ban/
    ll
  5. Create a local copy of the configuration file.

    cp jail.conf jail.local
  6. Edit the local configuration file.

    vi jail.local
  7. Find the ssh-iptables jail section and set its maxretry parameter to 2.

  8. Save your changes and exit the editor.

  9. Start the fail2ban service.

    service fail2ban start
  10. Check the log file for fail2ban activity.

    tail -f /var/log/messages

Trigger an Attack and Test Fail2ban

  1. Connect to Instance B using the credentials provided on the lab page.

    ssh cloud_user@INSTANCE_B_ADDRESS
  2. Attempt to log into Instance A with invalid credentials multiple times.

    ssh hacker@INSTANCE_A_ADDRESS
  3. On Instance A, check the fail2ban log output to verify that Instance B's IP has been banned.

  4. In Instance B, attempt to log in again and verify that Instance B can't connect.

  5. After 10 minutes, try to reconnect from Instance B and verify Instance B can connect.
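The ban logic the lab relies on, as an added illustration that is not part of the lab or of fail2ban's own code: this small Python model parses sshd failure lines, counts failures per source IP inside the findtime window, bans the IP once it reaches the lab's maxretry of 2, and lifts the ban after bantime. The 600-second findtime and bantime are fail2ban's defaults and an assumption here; the log lines, host names and IPs are constructed.

```python
import re
from datetime import datetime, timedelta

# Lab setting maxretry=2; bantime/findtime are fail2ban's 600 s defaults (assumed)
MAXRETRY, FINDTIME, BANTIME = 2, timedelta(seconds=600), timedelta(seconds=600)
# sshd failure line as written to the auth log (/var/log/secure on Amazon Linux)
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")

def parse_ts(ts, year=2024):  # syslog lines carry no year; assume one
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

class Jail:
    def __init__(self):
        self.failures = {}  # ip -> failure timestamps inside the findtime window
        self.bans = {}      # ip -> time the ban expires
    def is_banned(self, ip, now):
        if ip in self.bans and now < self.bans[ip]:
            return True
        self.bans.pop(ip, None)  # bantime elapsed: the host is unbanned again
        return False
    def observe(self, line):
        """Feed one log line; return the IP if this line triggers a new ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        if self.is_banned(ip, now):
            return None
        recent = [t for t in self.failures.get(ip, []) if now - t <= FINDTIME]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAXRETRY:
            self.bans[ip] = now + BANTIME  # fail2ban would add an iptables DROP rule here
            del self.failures[ip]
            return ip
        return None

def replay(lines):
    """Run lines through a fresh Jail; return the jail and the IPs banned, in order."""
    jail = Jail()
    return jail, [ip for ip in map(jail.observe, lines) if ip]

# Constructed sample: Instance B (10.0.1.20) fails twice in a row and is banned;
# 10.0.1.30 fails twice 12 minutes apart, so it never reaches maxretry in findtime.
SAMPLE_LOG = """\
Mar 10 12:00:01 ip-10-0-1-10 sshd[2345]: Failed password for invalid user hacker from 10.0.1.20 port 50122 ssh2
Mar 10 12:00:05 ip-10-0-1-10 sshd[2345]: Failed password for invalid user hacker from 10.0.1.20 port 50122 ssh2
Mar 10 12:03:00 ip-10-0-1-10 sshd[2360]: Failed password for cloud_user from 10.0.1.30 port 50300 ssh2
Mar 10 12:15:00 ip-10-0-1-10 sshd[2370]: Failed password for cloud_user from 10.0.1.30 port 50301 ssh2
"""
```

Calling `replay(SAMPLE_LOG.splitlines())` bans only 10.0.1.20, and `is_banned` reports it free again once 10 minutes have passed, matching step 5 above.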

Conclusion

Congratulations — you've completed this hands-on lab!