Archiv des Autor: Martin Berger

OCI Compute Instances – Stop SSH Brute Force Attacks with fail2ban & UseDNS

Every day and night, the SSH login by key into my public accessible Oracle Cloud Infrastructure Linux Compute Instance was permitted for hours. And sometimes, when I had luck, it worked. For me it was not clear when it works and when not. But something has blocked me. The password authentification in the OCI Linux instance is basically disabled, the key is the only way to log in.

After some investigation on the OCI instance, I found a huge amount of login trials in the /var/log/secure file. These brute force attacks were locking me out!

There is a interesting OCI documentation available called Securing Compute with steps how to secure OCI compute cloud instances – and one of this recommendation is: install fail2ban.

https://docs.cloud.oracle.com/iaas/Content/Security/Reference/compute_security.htm

fail2ban

fail2ban is an open source tool which reads several types of logfiles and creates based on rules new entries in the firewall table to block remote connections. I has default filters for ssh, apache postfix and many more. From Wikipedia: 

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

Link: https://www.fail2ban.org/wiki/index.php/Main_Page

Installation

All steps have to be executed as user root. FYI: I wanted to be informed when a new IP was banned, therefore I have installed sendmail too.

Configuration

For my fail2ban configuration I have created a new file called jail.local and made my settings there.

jail.local

After 2 unsuccesful logins, the source IP will be banned for 86400 seconds. And if a new IP is added to the ban list, I get an email.

/etc/fail2ban/jail.d/00-firewalld.conf

For OL7 where firewalld is used, verify if the command firewallcmd-ipset is set in /etc/fail2ban/jail.d/00-firewalld.conf. If you use iptables, the command can be changed. Please read the documentation how to change the firewall.

Start fail2ban

Verification

Status Check

Status Check with details, there is already one IP listed.

After some minutes, more entries were recognized in the /var/log/secure log file and added.

firewall-cmd

A new rule is automatically added with the match set failban-sshd.

sshd Configuration

After the fail2ban installation, there were other entries left in  /var/log/secure.

After changing the parameter UseDNS to no in /etc/ssdh/sshd_config and a restart, these entries were history.

Summary

Never let a OCI compute cloud running with a public IP without to monitor login attemps! fail2ban is one step to get more security. It is easy to configure and it helps a lot. But you have to do the basic work like software updates, SSH key enabling etc. The Oracle documentation is a good base to start! My next step will be to install and configure WAZUH – I keep you up to date!

Links

https://www.oracle.com/technetwork/articles/servers-storage-admin/tips-harden-oracle-linux-1695888.html

https://fedoraproject.org/wiki/Fail2ban_with_FirewallD

Easy Database Migration to Oracle Cloud Infrastructure OCI by Creating a Backup in the Cloud

Oracle has provided an updated OCI command line toolset with a new and easy method to migrate an on-premises database into the Oracle Cloud Infrastructure as DBaaS. According the document here, I have tried it out – and it works:

https://docs.cloud.oracle.com/iaas/Content/Database/Tasks/mig-onprembackup.htm

My Test Setup

  • Oracle 18c Enterprise Edition with SID=ORA18
  • Single Tenant Architecture
  • Oracle Linux 7.4
  • non TDE – Attention: non TDE on-premises data stays unencrypted in the cloud !!!

Database and Server Prerequisites

The OCI CLI Directory 

OCI CLI and opc_install.jar plus the .pem file have to be in the same directory.

Set Environment Variables

Execute the Database Migration Job

In the background:

  1. The script installs and configures temporarily the OPC Backup Module
  2. A RMAN backup job will be started with encrypted backups into the cloud on ObjectStorage
  3. After the successful backup, the temporarily created files are removed

Created  Files for Backup and Transfer and the RMAN Logfile

Excerpt from the rman.log

Well known from the Oracle Cloud Backup module .

 

 

RMAN List Backup – Excerpt and Verification

The RMAN backup is encrypted by default.

OCI Cloud Console the Backup called testimport is available to create a new DaBaaS Database

Listed as Standalone Backup.

Now we create a new database based on the Standalon Backup.

Enter the RMAN backup password from the CLI job.

The database will be re-created now.

CLI Error Messages

Summary

The new CLI script makes OCI migrations much easier. than before. Depending on the database size and your network bandwith, it works smart and fast. Take time to read the manual carefully to fullfill the prerequisites,

Oracle Autonomous Transaction Processing – Move your Data with Oracle Data Pump – Part 3

In this blog post serie which has three parts, I want to describe how data will be uploaded from an on-premises environment into the Oracle Autonomous Transaction Processing database using Oracle Data Pump. 

Oracle Import Prerequisites

Credentials

To get acccess to the dump file on the Oracle Object Storage, a credential has to be created in the Oracle Autonomous Transaction Processing database with the DBMS_CLOUD procedure. For more information about the package, see the blog post from Christian Antognini – DBMS_CLOUD Package – A Reference Guide.

The DBMS_CLOUD procedure needs a password value which is the token from the user account. If you don’t now your token, create a new one. Go to Identity – Users – your username and click on the left side on „Auth Tokens“. Create a new token by click on „Generate Token“. The random generated string is the value for the DBMS_CLOUD password.

Enter a name for the token and click on „Generate Token“.

Note your generated token and „Close“ the window.

Login into the Autonomous Transaction Processing database as admin user and create a new credential called ATPCS_CRED.

A new Database User called HRATP

In the ATP, we create a new user called HRATP. The tablespace DATA is the default tablespace in an Autonomous Transaction Processing database and does not have to be defined.

Oracle Data Pump Import

The impdp tool is part of my Instant Client installation in Part 1 of this blog serie. Oracle recommends to set parameters like 

  • partition_options=merge
  • transform=segment_attributes:n
  • transform=dwcs_cvt_iots:y
  • transform=constraint_use_default_index:y
  • exclude=index, cluster, indextype, materialized_view, materialized_view_log, materialized_zonemap, db_link

Two new Oracle Data Pump parameters to work with the Oracle cloud databases are credential and and dumpfile.

  • credential: The DBM_CLOUD created credential
  • dumpfile: The URL where the dumpfile is located

Attention

The URL provided by the Object Storage menu cannot be accessed directly by impdp:

The URL has to be mapped from objectstorage to swiftobjectstorage:

to

Data Pump Import Execution with REMAP of Schema and Tablespace

Start of the Oracle Data Pump job from my Windows client:

The message about the existing user can be ignored. 

Data Pump Logfile

The logfile of the import process cannot be access directly, it has to be moved into the Object Storage with the DBMS_CLOUD package first.

Now the file can be access in the Object Storage menu:

Connect as new User HRATP to verify the Data

Summary of Part 3

If all prerequistes are met, the data transfer with Oracle Data Pump is easy to configure and easy to handle. Take care about the token, only 2 token per user can be generated. If you losed it, you have to delete a existing token, rebuild it and re-create the credentials before you can import data again.