Documentation

Cloud-IPS requirements, installation and operation


What is Cloud-IPS (Cloud based Intrusion Prevention System)

Even with a firewall in place, some ports have to stay open, such as 80 and 443 for web servers or 25 for mail servers. Through these open services, potential attackers have the opportunity to gain access to the server or application.
Typically, attackers first run a few standard procedures to probe and analyze your server. These attack patterns show up in the log files, where they can be acted on. The Cloud-IPS daemon works together with fail2ban to analyze the log files, but instead of fail2ban taking action locally, our system daemon receives the information and transfers it to the cloud.
From the cloud, all connected Cloud-IPS daemons can be informed so that they are protected from the attacker. This means every attack on any system is recorded, and all connected systems can be protected against this attacker.

Requirements

- a Linux system
- shell access as user root
- PHP, at least version 5.3 (the SOAP and Sockets modules must be enabled)
- fail2ban, at least version 0.9.3 (see "Manual installation of Fail2Ban" below)
- iptables

Installation at your server

First download the Cloud-IPS installer:
wget https://cloud-ips.saas-secure.com/dl/clips-setup-1.2.tar.gz
Now unpack the install scripts:
tar xfvz clips-setup-1.2.tar.gz
This creates a folder with the same name as the archive. Change into the folder and start the install script:
cd clips-setup-1.2/
./install.sh
First the install script checks the base requirements and informs you if something is missing or wrong.
After that step, you are asked for the internet port on which the daemon will listen for commands from the cloud. Press Enter to use the default port 933, or enter the port number you wish to use. Make sure the port is not already used by another service.
Next you have to enter the Cloud-IPS API key. You can find the key after logging into the Cloud-IPS dashboard and opening the account settings page.

Cloud-IPS account settings


Finish the installation by registering the new server to the Cloud-IPS.

Assign your new server to Cloud-IPS

In the Cloud-IPS dashboard, click the "Assign a new Server" icon and enter a unique name for the server, the IP address of the new server and the port number you chose during the installation.
Furthermore, you can enter how many IP addresses should be banned at most, change the duration for which an IP is banned, and decide whether the server should be protected by the entire cloud or only by your own network.

Assign new server to Cloud-IPS

Click "Assign Server" button to store the new server.

De-/Activate server in Cloud-IPS

If you want a server to stop receiving IP addresses from the cloud, temporarily or permanently, the server can simply be deactivated.
A deactivated server is no longer notified of changes from the cloud, but it is still able to report IP addresses of attackers itself.
This way, for example, a honeypot system can be connected.
Deactivation is done in the dashboard.

Remove server from Cloud-IPS

Deactivated servers are grayed out in the server list and moved to the end of the list.
Re-enabling is just as easy via the dashboard.

Remove a server from Cloud-IPS

The dashboard can be used to remove a server from Cloud-IPS. Select the action "Delete" for the relevant server via its context menu. A security prompt asks whether you are really sure that the server should be removed; clicking "ok" removes the server from the server list.
The whitelist entry that was created automatically together with the server is removed as well.

Remove server from Cloud-IPS

The deleted server can no longer establish Cloud-IPS connections, and it can no longer block new IP addresses.

If the server is still blocking IP addresses, you can easily release these addresses.
Log in to the server through the SSH console and use the following commands to unblock all IP addresses on the server. First ask fail2ban where it stores its database:
fail2ban-client get dbfile
Current database file is:
`- /var/lib/fail2ban/fail2ban.sqlite3
The result is the path and name of the database file in which fail2ban stores the banned IP addresses. Now stop fail2ban; after that the database file can be removed.
service fail2ban stop
 * Stopping authentication failure monitor fail2ban            [ OK ]

rm /var/lib/fail2ban/fail2ban.sqlite3
Now you can start fail2ban again, and a new database will be created.
service fail2ban start
 * Starting authentication failure monitor fail2ban            [ OK ]
Now you can check that the IPs banned by fail2ban are no longer blocked:
iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-blocklist  tcp  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-blocklist (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
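The fail2ban reset above, as an added example that is not Cloud-IPS code: the two steps that read command output (the database path from fail2ban-client and the leftover rules in the f2b chain from iptables) are functions that can be checked against captured output, and the live path assumes root and the page's Debian-style service commands.

```shell
#!/bin/sh
# Added example, not Cloud-IPS code: the page's fail2ban reset, with the two
# parsing steps in functions so they can be checked on captured output.
# The live path (reset_fail2ban_db) assumes root and the page's Debian-style
# service commands; it only runs when invoked with --run.

# Constructed sample of `fail2ban-client get dbfile` output
DBFILE_SAMPLE='Current database file is:
`- /var/lib/fail2ban/fail2ban.sqlite3'

# Constructed `iptables -L -n` output in which one ban is still in place
IPTABLES_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-blocklist  tcp  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-blocklist (1 references)
target     prot opt source               destination
REJECT     all  --  192.0.2.45           0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# dbfile_path OUTPUT: print the database path from "fail2ban-client get dbfile" output
dbfile_path() {
  printf '%s\n' "$1" | awk '/^`- / { print $2; exit }'
}

# remaining_bans OUTPUT: count rules inside f2b-* chains other than the header and
# the final RETURN, i.e. addresses fail2ban still blocks; prints the number
remaining_bans() {
  printf '%s\n' "$1" | awk '
    /^Chain f2b-/ { inchain = 1; next }
    /^Chain /     { inchain = 0; next }
    inchain && NF > 0 && $1 != "target" && $1 != "RETURN" { n++ }
    END { print n + 0 }'
}

# reset_fail2ban_db: stop fail2ban, remove its database, start it again, then verify
reset_fail2ban_db() {
  db=$(dbfile_path "$(fail2ban-client get dbfile)")
  if [ -z "$db" ]; then
    echo "could not determine the fail2ban database file" >&2; return 1
  fi
  service fail2ban stop
  rm -f "$db"
  service fail2ban start
  left=$(remaining_bans "$(iptables -L -n)")
  echo "fail2ban restarted with a fresh database; $left ban rule(s) still present"
  [ "$left" -eq 0 ]
}
if [ "${1:-}" = "--run" ]; then reset_fail2ban_db; fi
```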

Now you can remove the Cloud-IPS daemon as well.
First stop the daemon:
service clips stop
 Stopping CLIPS - Cloud based Intrusion Prevention System Client: clips.
Now remove the autorun scripts and the other files that are no longer needed:
rm /etc/clips.conf
rm /etc/init.d/clips
rm /etc/rc2.d/S06clips
rm /etc/rc3.d/S06clips
rm /etc/rc4.d/S06clips
rm /etc/rc5.d/S06clips
rm /usr/bin/clips-daemon.php
rm /var/log/clips.log
rm -r /var/lib/clips
That's all.

Manage IP Whitelists for Cloud-IPS

With the whitelist, you can specify IP addresses that are never blocked, even if they perform actions that would otherwise look suspicious.

Whitelist Management

Some entries are added automatically when a connected Cloud-IPS server is created. This ensures that your own systems do not lock each other out. These entries can be identified by the "Assigned with Server" note. They cannot be edited, and when the associated server is deleted, the corresponding IP address is deleted as well.
Entries can be added manually by clicking the "Create Entry" icon in the whitelist.

Create Whitelist Entry

A valid IPv4 or IPv6 address must be specified. A comment is optional, but it helps with classification when there are many entries in the whitelist.
When editing a whitelist entry, all fields can be changed, including the IP address.
An inactive entry is displayed grayed out at the end of the list. Inactive whitelist entries are ignored when deciding whether an IP address is blocked.

Test Server Connection

If you have assigned a new server, or you wish to check that an assigned server is reachable by Cloud-IPS, you can use the "Check Connection" function.
This function establishes a connection to the Cloud-IPS daemon at your server's IP address and sends a unique text string to the server. If the server is correctly assigned to Cloud-IPS, you get no error, the line is highlighted green for a moment, and the "last contact" column is updated.
If something went wrong, the assigned server's line is highlighted red and an error message appears at the bottom of the screen to help you find the cause of the problem.

Manually Lock / Unlock an IP Address with Cloud-IPS

The dashboard also contains the Cloud-IPS actions area.
With these actions you can block or unblock individual IP addresses on your servers.

Lock / Unlock IP address action

There may be several reasons for blocking an IP address. For example, an IP address may have been noticed causing an extremely high amount of traffic on a server. Unless Fail2Ban has been configured to detect such behaviour, you can block such an IP address manually.
Simply enter the relevant IP address into the field and start the block with the "banish" button. The system only checks that the IP address is not on a whitelist, and then blocks it.
Note that the ban is only carried out on your own servers! The IP address is not blocked on all connected systems!
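The whitelist rules above (active entries win, inactive ones are ignored, IPv4 or IPv6 only) and the check a manual "banish" goes through, as one added example that is not Cloud-IPS code; the whitelist export format (ip|active|comment) and the sample addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not Cloud-IPS code: the check a "banish" request goes through,
# following the page's rules: the address must be a syntactically valid IPv4 or
# IPv6 address, active whitelist entries block the ban, inactive ones are ignored.

# Constructed whitelist export (assumed format: ip|active|comment), one entry per line
WHITELIST_SAMPLE='203.0.113.10|1|monitoring host
198.51.100.7|0|former office address, inactive
2001:db8::1|1|Assigned with Server'

# is_valid_ip IP: 0 for a plausible IPv4/IPv6 address (syntax check only, not exhaustive)
is_valid_ip() {
  case $1 in
    *.*) printf '%s\n' "$1" | awk -F. '
      NF != 4 { exit 1 }
      { for (i = 1; i <= 4; i++)
          if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }' ;;
    *:*) printf '%s\n' "$1" | awk '
      /[^0-9A-Fa-f:]/ { exit 1 }          # only hex digits and colons allowed
      gsub(/::/, "&") > 1 { exit 1 }      # at most one "::" compression
      { n = split($0, g, ":"); if (n > 8) exit 1
        for (i = 1; i <= n; i++) if (length(g[i]) > 4) exit 1 }' ;;
    *) return 1 ;;
  esac
}

# is_whitelisted IP: 0 if an *active* whitelist entry matches the address exactly
is_whitelisted() {
  printf '%s\n' "$WHITELIST_SAMPLE" |
    awk -F'|' -v ip="$1" '$1 == ip && $2 == "1" { found = 1 } END { exit !found }'
}

# ban_decision IP: prints invalid | whitelisted | ban; issuing the actual
# "fail2ban-client set <jail> banip IP" on the servers is left to the caller
ban_decision() {
  if ! is_valid_ip "$1"; then echo invalid
  elif is_whitelisted "$1"; then echo whitelisted
  else echo ban
  fi
}
```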

Lock IP address with Cloud-IPS

If you want to unblock an IP address, you can easily do so with the release action.
Submitting the action briefly checks whether the IP address is blocked on one of your servers and, if so, unblocks it on all your servers.
This function releases IP addresses only on your own systems!

Unlock IP address with Cloud-IPS

Email reporting

In the account settings you can select how often you would like to receive reports from the Intrusion Prevention System Cloud: daily, weekly or monthly. Alternatively, you can deactivate the report function.

Cloud-IPS account settings

Depending on your selection, you receive a report at the email address you entered.
The report shows the number of actively protected servers, a top ten list of your most attacked servers, and the most frequently attacking IP addresses.

Email Report Sample of Cloud-IPS

Simulate an attack on your server

With the following command on your server console you can check whether attacks are reported to Cloud-IPS (the sshd jail must be enabled in fail2ban for it to succeed):
fail2ban-client set sshd banip 1.0.1.0
You can choose any IP address you want to use to simulate the attack; do not use an address you are connecting from yourself, as it will be banned on the server.
After entering the command on the console, you should see the attack on the Cloud-IPS dashboard.

Manually installation of Fail2Ban

Download the version for your system:
wget https://github.com/fail2ban/fail2ban/archive/debian/0.9.3-1.zip
Now unpack the fail2ban source:
unzip 0.9.3-1.zip
This creates a new folder (the name can differ). Change into it and start the install script:
cd fail2ban-debian-0.9.3-1/
python setup.py install
After the installation has completed successfully, copy the init script so that fail2ban starts when your system boots:
cp files/debian-initd /etc/init.d/fail2ban
update-rc.d fail2ban defaults
service fail2ban start
Now you can check that fail2ban is installed in a matching version:
fail2ban-client --version
Fail2Ban v0.9.3

Copyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
Copyright of modifications held by their respective authors.
Licensed under the GNU General Public License v2 (GPL).

Written by Cyril Jaquier .
Many contributions by Yaroslav O. Halchenko .
That's it!