Merge pull request #273 from cmckee786/u13-bonus-fixes

fix(u13-bonus): several clarifications and corrections

Author: kolkhis

src/u13b.md

@@ -39,7 +39,7 @@ the skills and principles outlined by this course.
 
 First lets identify a couple dependencies for this lab. Since many of the labs in
 this course are predicated on Rocky we will provide commands like `dnf` and `rpm`
-to accomplish this task.
+to accomplish this task:
 
 ```bash
 rpm -ql openssh-server
@@ -50,14 +50,29 @@ to run an SSH server if `openssh-server` is installed locally. But be careful,
 sometimes this query will list lingering configuration files and directories even though
 it isn't installed.
 
-To corroborate our findings, let's query `dnf`
+To corroborate our findings, let's query `dnf`:
 
 ```bash
 dnf list --installed | grep openssh-server
 ```
 
-If the piped grep command comes up empty `openssh-server` is not installed, install it.
-Hopefully these commands and strategies are familiar to you.
+All else fails you can always attempt a `find` command to verify the presence of SSH
+and its server side counter part SSHD (D for daemon):
+
+```bash
+find / -name ssh; find / -name sshd
+```
+
+You may need to use the `-xdev` flag if other filesystems are present or traversable that are
+external to the host that `find` executes from, this flag comes in handy with WSL subsystems or
+hosts residing within a hypervisor that have other host file systems mounted and accessible.
+
+Fair warning, this command may spit out a lot of output. Familiarity with the Linux filesystem
+and its inner machinations should prepare you for this moment. If not, this command attempts to
+find every file with ssh or sshd in it from the root of the host's file system '/'.
+
+If the piped grep or find command comes up empty `openssh-server` is likely not installed, attempt to
+install it. Hopefully these commands and strategies are familiar to you:
 
 ```bash
 dnf install openssh-server
@@ -137,7 +152,7 @@ Plus, it's kinda cool and pretty fun.
 
 #### How Fail2Ban Works
 
-Fail2Ban is designed to analyze log files and manipulates the host's firewall to programmatically ban
+Fail2Ban is designed to analyze log files and manipulate the host's firewall to programmatically ban
 offending IP addresses based on various conditions predicated by specific configuration files.
 
 First let's briefly skim Fail2Ban's main configuration file:
@@ -290,6 +305,7 @@ ignoreip           =  {IP_ADDRESS} # useful to prevent banning oneself
 backend            =  systemd # required for systemd based systems
 enabled            =  true
 ```
+
 Let's make sure to save our new `jail.local` file before we restart Fail2Ban. The following command
 will write and persist the local jail configuration file and quit out of Vim, if you didn't know how
 to do this already.
@@ -324,22 +340,23 @@ fail2ban-client status sshd
 
 <img src="./assets/downloads/u13/sshbans.png"></img>
 
-Typically SSH services are not exposed publicly to the internet. It is a far better solution to lock
-SSH behind a Virtual Private Network (VPN) where something like a "slow brute-force" attack will be
-mitigated almost entirely.
+Typically SSH services should not be exposed publicly to the internet, and if they are they should utilize
+[public key infrastructure](https://www.fortinet.com/resources/cyberglossary/public-key-infrastructure)
+(PKI) with specific security constraints (see STIG or CIS Benchmark Controls). Generally It is a far better
+solution to lock SSH access behind an internal or Virtual Private Network (VPN) where the potential of a
+"slow brute-force" attack will be mitigated almost entirely.
 
-However you still might institute Fail2Ban even behind the VPN in the event a threat actor does gain
-access to the VPN and attempts to brute force or slow brute force attack hosts with SSH services exposed.
-
-Given how easy it is to implement Fail2Ban, why wouldn't you? Well, there's always a bigger fish, but that
-is a different conversation.
+However you still might institute Fail2Ban even behind a VPN in the event a threat actor does gain
+access to the VPN and attempts to brute force or slow brute force attack hosts with SSH services exposed that utilize
+passwords instead of PKI. However in this day and age password protected SSH access could be considered a security controls
+finding. Use PKI whenever possible.
 
 ### NGINX
 
 If you've made it this far I appreciate your tenacity or perhaps deep captivation of this subject.
 
-Now where Fail2Ban really shines is when integrated with an application like `nginx`. As we'll see
-Fail2Ban allows us to configure what they call "filters" that can further protect `nginx` and our website,
+Now where Fail2Ban really shines is when integrated with an application like [nginx](https://nginx.org/).
+As we'll see Fail2Ban allows us to configure what they call "filters" that can further protect `nginx` and our website,
 if we had one. Since this lab has ran long I will keep it brief.
 
 Suffice it say for students this is theory, but as I will mention later these filters can be quite powerful.
@@ -387,25 +404,29 @@ journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
 # Author: Jan Przybylak
 ```
 
-Whenever nginx receives a "bad request", think a request for a link, file, or directory that doesn't
-exist in the domain or shouldn't be accessible, Fail2Ban will recognize it from the `nginx` access.log
-by a 404 return made by `nginx` and act appropriately based upon our default action options.
+Whenever nginx receives a ["bad request"](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/400), think
+an HTTP method request for a link, file, or API call that is malformed or improperly formatted from a client, Fail2Ban
+will recognize it from the `nginx` access.log by an HTTP Status Code 400 returned by `nginx` and act appropriately based
+upon our default action options.
 
 (After 2 bad requests, you get banned for an hour. After that timeout, if you send 2 more bad requests
-the timeout is extended for 24 hours, growing exponentially for each occurrence afterwards up to a 5 week ban.
-It is typically advised against implementing permanent bans as over time this will lead to potentially significant
-overhead for the host.)
+the timeout is extended for 12 hours, growing exponentially for each occurrence afterwards up to a 5 week ban.
+It is typically advised against implementing permanent bans as over time this could lead to potentially significant
+overhead for the host or lockout legitimate users unintentionally.)
 
 When running this filter on my own personal nginx web server over the course of 30 days I will have
-banned over 40,000 IP addresses with varying ban times.
+banned over 40,000 IP addresses with varying ban times. But note that this filter can and will match requests that are
+malformed from the site itself. If a link or API implementation hosted from the nginx web server is incorrect Fail2Ban could be
+banning legitimate traffic unintentionally. Be sure to observe due diligence in log files or web traffic when first implementing
+such a filter.
 
 As of rebooting my publicly available website not minutes ago this is how many IP addresses are already banned.
 
 <img src="./assets/downloads/u13/nginxbans.png"></img>
 
-And here is how Fail2Ban manipulates `iptables` by default, though ideally Fail2Ban is configured to utilize
-`nftables`, [a modernized and significantly improved firewall solution](https://debian-handbook.info/browse/stable/sect.firewall-packet-filtering.html),
-or `firewalld` which has access to firewall [architectures](https://firewalld.org/documentation/architecture.html) like `iptables`, and `nftables`.
+Ideally Fail2Ban is configured to utilize `nftables`, [a modernized and significantly improved Linux firewall backend solution](https://wiki.debian.org/nftables),
+and some type of firewall backend wrapper like `firewalld` which can be configured for specific firewall backend
+[architectures](https://firewalld.org/documentation/architecture.html) like `iptables`, and `nftables`.
 
 Configuring Fail2Ban with `firewalld` or `nftables` will look like such:
 
@@ -432,8 +453,8 @@ I highly, highly encourage students have a working understanding of Linux firewa
 It's important to be stated that this should be understood as a **mitigation**, not a perfect solution. Primarily
 to minimize automated bots scraping a domain, usually for nefarious purposes.
 
-And I will iterate there are far better solutions for free ([Cloudflare WAF](https://developers.cloudflare.com/waf/get-started/))
-that protect more intelligently and robustly than Fail2Ban. Migrating your domain over to Cloudflare or equivalent service
+And I will iterate that there are far better solutions. Some for free and others, ([Cloudflare WAF](https://developers.cloudflare.com/waf/get-started/)),
+for a modest fee that protect more intelligently and robustly than Fail2Ban. Migrating your domain over to Cloudflare or equivalent service
 is probably the far smarter and less work intensive task than a comprehensive Fail2Ban setup. But I like to think we're building our
 muscles... you know, putting in reps.
 
@@ -454,14 +475,15 @@ enabled  =  true
 port     =  http,https
 logpath  =  %(nginx_access_log)s
 ```
-Be sure to fave the file:
+
+Append these lines to the earlier file we implemented after our SSHD section and let the regex do the work for us.
+
+Be sure to save the file:
 
 ```bash
 :wq
 ```
 
-Append these lines to the earlier file we implemented after our SSHD section and let the regex do the work for us.
-
 Then finally restart Fail2Ban again:
 
 ```bash