Daily Archives: 12 February, 2021

How to install denyhosts on Ubuntu Linux 17.04 ( intrusion prevention security tool for SSH and more)

DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is designed to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses using /etc/hosts.deny and sbin/iptables on Linux server. In this tutorial, you will learn how to install DenyHosts a python program that automatically blocks ssh attacks by adding entries to /etc/hosts.deny file.

The tutorial is tested on Ubuntu 17.04 server installation.

1. First lets install the software:

$ sudo apt-get install denyhosts
Code language: JavaScript (javascript)

2. Add your addresses to hosts.allow to ensure that they are not blocked.

sudo pico /etc/hosts.allow

Example of how to add more than one address:

sshd: 212.22.112.113 , 10.20.133.3 , 192.168.0.1 , 127.0.0.1
Code language: CSS (css)

3. Now lets configure the denyhosts configuration file:

$ sudo pico /etc/denyhosts.conf
Make sure SECURE_LOG set as follows: SECURE_LOG = /var/log/auth.log HOSTS_DENY set as follows: HOSTS_DENY = /etc/hosts.deny Block only sshd: BLOCK_SERVICE = sshd Deny threshold limit for login attempts: DENY_THRESHOLD_INVALID = 5 DENY_THRESHOLD_VALID = 10 DENY_THRESHOLD_ROOT = 1 DENY_THRESHOLD_RESTRICTED = 1 Block incoming connections using the Linux firewall IPTABLES: IPTABLES = /sbin/iptables
Code language: PHP (php)

4. ENABLE DenyHosts service:

$ sudo systemctl enable denyhosts.service

You will se something like this:

5. Restart DenyHosts service:

sudo /etc/init.d/denyhosts restart

6. Some commands to check if all is working and to list addresses added to blocklist:

$ sudo grep 'something' /var/log/denyhosts $ sudo tail -f /var/log/denyhosts $ sudo cat /etc/hosts.deny sudo iptables -L INPUT -n -v | grep DROP
Code language: JavaScript (javascript)

Attention:
Please note that the DenyHosts is restricted to connections using IPv4. It does not work with IPv6 based IP address. Another option is to use the iptables command to see blocked IP address:

Enable centralized synchronization support?
The DenyHosts version 2.0 and above support centralized synchronization, so that repeat offenders are blocked from many computers. The site xmlrpc.denyhosts.net gathers statistics from computers running the software. Synchronization disabled by default. To enable synchronization, enter:

$ sudo pico /etc/denyhosts.conf

Then add:

SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
Code language: JavaScript (javascript)

And restart:

$ sudo /etc/init.d/denyhosts restart

Ubuntu mycli install (mysql terminal – modern alternative to the default MySQL client)

Mycli is a modern alternative to the default MySQL client. This tool does to MySQL what bpython does to the standard Python REPL. Mycli will auto-complete keywords, table names, columns, and functions as you type them.

The completion suggestions are context-sensitive. For example, after the SELECT * FROM, only tables from the current database are listed in the completion, rather than every possible keyword under the sun.

1. install some packages:

apt-get install python3-click -y
Code language: Bash (bash)

2. now to install the software

apt-get install mycli -y
Code language: Bash (bash)

Install and configure fail2ban on ubuntu 17.04 and block on all ports

WHAT IS FAIL2BAN?
Fail2ban scans log files and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

HOW TO INSTALL IT?

sudo apt-get install fail2ban
Code language: Bash (bash)

HOW TO CONFIGURE?
1. Add IP’s to ignore

fail2ban-client set sshd addignoreip 151.237.48.31
Code language: Bash (bash)

2. Set ban time as permenent or 3600 if you want for 10 minutes or so

fail2ban-client set sshd bantime -1
Code language: Bash (bash)

3. Restart

service fail2ban restart
Code language: Bash (bash)

HOW TO BAN IP?

fail2ban-client set sshd banip 151.237.48.31
Code language: Bash (bash)

HOW TO UNBAN IP?

fail2ban-client set sshd unbanip 151.237.48.31
Code language: Bash (bash)

HOW TO CHECK THE JAIL LISTS?

fail2ban-client status
Code language: Bash (bash)

HOW TO LIST BANNED IP’s?

iptables -nL
Code language: Bash (bash)
cd /etc/fail2ban sudo cp jail.conf jail.local sudo nano jail.local
Code language: Bash (bash)
# # WARNING: heavily refactored in 0.9.0 release. Please review and # customize settings for your setup. # # Changes: in most of the cases you should not modify this # file, but provide customizations in jail.local file, # or separate .conf files under jail.d/ directory, e.g.: # # HOW TO ACTIVATE JAILS: # # YOU SHOULD NOT MODIFY THIS FILE. # # It will probably be overwritten or improved in a distribution update. # # Provide customizations in a jail.local file or a jail.d/customisation.local. # For example to change the default bantime for all jails and to enable the # ssh-iptables jail the following (uncommented) would appear in the .local file. # See man 5 jail.conf for details. # # [DEFAULT] # bantime = 3600 # # [sshd] #enabled = true # # See jail.conf(5) man page for more information # Comments: use '#' for comment lines and ';' (following a space) for inline comments [INCLUDES] #before = paths-distro.conf before = paths-debian.conf # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # # MISCELLANEOUS OPTIONS # # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space (and/or comma) separator. ignoreip = 127.0.0.1/8 212.122.165.163 # External command that will take an tagged arguments to ignore, e.g. <ip>, # and return true if the IP is to be ignored. False otherwise. # # ignorecommand = /path/to/command <ip> ignorecommand = # "bantime" is the number of seconds that a host is banned. bantime = -1 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 1 # "backend" specifies the backend used to get files modification. # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". # This option can be overridden in each jail as well. # # pyinotify: requires pyinotify (a file alteration monitor) to be installed. # If pyinotify is not installed, Fail2ban will use auto. # gamin: requires Gamin (a file alteration monitor) to be installed. # If Gamin is not installed, Fail2ban will use auto. # polling: uses a polling algorithm which does not require external libraries. # systemd: uses systemd python library to access the systemd journal. # Specifying "logpath" is not valid for this backend. # See "journalmatch" in the jails associated filter config # auto: will try to use the following backends, in order: # pyinotify, gamin, polling. # # Note: if systemd backend is chosen as the default but you enable a jail # for which logs are present only in its own log files, specify some other # backend for that jail (e.g. polling) and provide empty value for # journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 backend = auto # "usedns" specifies if jails should trust hostnames in logs, # warn when DNS lookups are performed, or ignore all hostnames in logs # # yes: if a hostname is encountered, a DNS lookup will be performed. # warn: if a hostname is encountered, a DNS lookup will be performed, # but it will be logged as a warning. # no: if a hostname is encountered, will not be used for banning, # but it will be logged as info. # raw: use raw value (no hostname), allow use it for no-host filters/actions (example user) usedns = warn # "logencoding" specifies the encoding of the log files handled by the jail # This is used to decode the lines from the log file. # Typical examples: "ascii", "utf-8" # # auto: will use the system locale setting logencoding = auto # "enabled" enables the jails. # By default all jails are disabled, and it should stay this way. # Enable only relevant to your setup jails in your .local or jail.d/*.conf # # true: jail will be enabled and log files will get monitored for changes # false: jail is not enabled enabled = false # "filter" defines the filter to use by the jail. # By default jails have names matching their filter name # filter = %(__name__)s # # ACTIONS # # Some options used for actions # Destination email address used solely for the interpolations in # jail.{conf,local,d/*} configuration files. destemail = root@localhost # Sender email address used solely for some actions sender = root@localhost # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the # mailing. Change mta configuration parameter to mail if you want to # revert to conventional 'mail'. mta = sendmail # Default protocol protocol = tcp # Specify chain where jumps would need to be added in iptables-* actions chain = INPUT # Ports to be banned # Usually should be overridden in a particular jail port = 0:65535 # Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3 fail2ban_agent = Fail2Ban/%(fail2ban_version)s # # Action shortcuts. To be used to define action parameter # Default banning action (e.g. iptables, iptables-new, # iptables-multiport, shorewall, etc) It is used to define # action_* variables. Can be overridden globally or per # section within jail.local file banaction = iptables-multiport banaction_allports = iptables-allports # The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action # # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines # to the destemail. action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines # to the destemail. action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Report block via blocklist.de fail2ban reporting service API # # See the IMPORTANT note in action.d/blocklist_de.conf for when to # use this action. Create a file jail.d/blocklist_de.local containing # [Init] # blocklist_de_apikey = {api key from registration] # action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] # Report ban via badips.com, and use as blacklist # # See BadIPsAction docstring in config/action.d/badips.py for # documentation for this action. # # NOTE: This action relies on banaction being present on start and therefore # should be last action defined for a jail. # action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] # # Report ban via badips.com (uses action.d/badips.conf for reporting only) # action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = %(action_)s # # JAILS # # # SSH servers # [sshd] enabled = true port = 0:65535 logpath = %(sshd_log)s backend = %(sshd_backend)s banaction = iptables-multiport [sshd-ddos] # This jail corresponds to the standard configuration in Fail2ban. # The mail-whois action send a notification e-mail with a whois request # in the body. enabled = true port = 0:65535 logpath = %(sshd_log)s backend = %(sshd_backend)s [dropbear] port = ssh logpath = %(dropbear_log)s backend = %(dropbear_backend)s [selinux-ssh] port = ssh logpath = %(auditd_log)s # # HTTP servers # [apache] enabled = true port = 0:65535 filter = apache-auth logpath = /var/log/apache2/*error.log maxretry = 3 findtime = 600 #ignoreip = 192.168.1.227 [apache-auth] enabled = true port = 0:65535 logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. enabled = true port = 0:65535 logpath = %(apache_access_log)s bantime = -1 maxretry = 1 [apache-noscript] enabled = true port = http,https logpath = %(apache_error_log)s [apache-overflows] enabled = true port = 0:65535 logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] enabled = true port = 0:65535 logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] enabled = true port = 0:65535 logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] enabled = true port = 0:65535 logpath = %(apache_access_log)s maxretry = 1 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip> [apache-modsecurity] enabled = true port = 0:65535 logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] enabled = true port = 0:65535 logpath = %(apache_error_log)s maxretry = 1 [openhab-auth] filter = openhab action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log [nginx-http-auth] port = http,https logpath = %(nginx_error_log)s # To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` # and define `limit_req` and `limit_req_zone` as described in nginx documentation # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html # or for example see in 'config/filter.d/nginx-limit-req.conf' [nginx-limit-req] port = http,https logpath = %(nginx_error_log)s [nginx-botsearch] port = http,https logpath = %(nginx_error_log)s maxretry = 2 # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year # of usage in production environments. [php-url-fopen] #enabled = true port = http,https logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] port = http,https logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications port = http,https logpath = %(lighttpd_error_log)s # # Webmail and groupware servers # [roundcube-auth] port = http,https logpath = %(roundcube_errors_log)s [openwebmail] port = http,https logpath = /var/log/openwebmail.log [horde] port = http,https logpath = /var/log/horde/horde.log [groupoffice] port = http,https logpath = /home/groupoffice/log/info.log [sogo-auth] # Monitor SOGo groupware server # without proxy this would be: # port = 20000 port = http,https logpath = /var/log/sogo/sogo.log [tine20] logpath = /var/log/tine20/tine20.log port = http,https # # Web Applications # # [drupal-auth] port = http,https logpath = %(syslog_daemon)s backend = %(syslog_backend)s [guacamole] port = http,https logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login port = 2812 logpath = /var/log/monit [webmin-auth] port = 10000 logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [froxlor-auth] port = http,https logpath = %(syslog_authpriv)s backend = %(syslog_backend)s # # HTTP Proxy servers # # [squid] port = 80,443,3128,8080 logpath = /var/log/squid/access.log [3proxy] port = 3128 logpath = /var/log/3proxy.log # # FTP servers # [proftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(proftpd_log)s backend = %(proftpd_backend)s [pure-ftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s [gssftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(syslog_daemon)s backend = %(syslog_backend)s [wuftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s [vsftpd] # or overwrite it in jails.local to be # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats port = ftp,ftp-data,ftps,ftps-data logpath = %(vsftpd_log)s # # Mail servers # # ASSP SMTP Proxy Jail [assp] port = smtp,465,submission logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] port = smtp,465,submission logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix] port = smtp,465,submission logpath = %(postfix_log)s backend = %(postfix_backend)s [postfix-rbl] port = smtp,465,submission logpath = %(postfix_log)s backend = %(postfix_backend)s maxretry = 1 [sendmail-auth] port = submission,465,smtp logpath = %(syslog_mail)s backend = %(syslog_backend)s [sendmail-reject] port = smtp,465,submission logpath = %(syslog_mail)s backend = %(syslog_backend)s [qmail-rbl] filter = qmail port = smtp,465,submission logpath = /service/qmail/log/main/current # dovecot defaults to logging to the mail syslog facility # but can be set by syslog_facility in the dovecot configuration. [dovecot] port = pop3,pop3s,imap,imaps,submission,465,sieve logpath = %(dovecot_log)s backend = %(dovecot_backend)s [sieve] port = smtp,465,submission logpath = %(dovecot_log)s backend = %(dovecot_backend)s [solid-pop3d] port = pop3,pop3s logpath = %(solidpop3d_log)s [exim] port = smtp,465,submission logpath = %(exim_main_log)s [exim-spam] port = smtp,465,submission logpath = %(exim_main_log)s [kerio] port = imap,smtp,imaps,465 logpath = /opt/kerio/mailserver/store/logs/security.log # # Mail servers authenticators: might be used for smtp,ftp,imap servers, so # all relevant ports get banned # [courier-auth] port = smtp,465,submission,imap3,imaps,pop3,pop3s logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix-sasl] port = smtp,465,submission,imap3,imaps,pop3,pop3s # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. logpath = %(postfix_log)s backend = %(postfix_backend)s [perdition] port = imap3,imaps,pop3,pop3s logpath = %(syslog_mail)s backend = %(syslog_backend)s [squirrelmail] port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] port = imap3,imaps logpath = %(syslog_mail)s backend = %(syslog_backend)s [uwimap-auth] port = imap3,imaps logpath = %(syslog_mail)s backend = %(syslog_backend)s # # # DNS servers # # !!! WARNING !!! # Since UDP is connection-less protocol, spoofing of IP and imitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html # Please DO NOT USE this jail unless you know what you are doing. # # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks UDP traffic for DNS requests. # [named-refused-udp] # # filter = named-refused # port = domain,953 # protocol = udp # logpath = /var/log/named/security.log # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks TCP traffic for DNS requests. [named-refused] port = domain,953 logpath = /var/log/named/security.log [nsd] port = 53 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log # # Miscellaneous # [asterisk] port = 5060,5061 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] logpath = /var/log/asterisk/messages maxretry = 10 [freeswitch] port = 5060,5061 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] logpath = /var/log/freeswitch.log maxretry = 10 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or # equivalent section: # log-warning = 2 # # for syslog (daemon facility) # [mysqld_safe] # syslog # # for own logfile # [mysqld] # log-error=/var/log/mysqld.log [mysqld-auth] #enabled = true port = 3306 logpath = %(mysql_log)s backend = %(mysql_backend)s # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') [mongodb-auth] # change port when running with "--shardsvr" or "--configsvr" runtime operation port = 27017 logpath = /var/log/mongodb/mongodb.log # Jail for more extended banning of persistent abusers # !!! WARNINGS !!! # 1. Make sure that your loglevel specified in fail2ban.conf/.local # is not at DEBUG level -- which might then cause fail2ban to fall into # an infinite loop constantly feeding itself with non-informative lines # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) # to maintain entries for failed logins for sufficient amount of time [recidive] logpath = /var/log/fail2ban.log banaction = %(banaction_allports)s bantime = 604800 ; 1 week findtime = 86400 ; 1 day # Generic filter for PAM. Has to be used with action which bans all # ports such as iptables-allports, shorewall [pam-generic] # pam-generic filter can be customized to monitor specific subset of 'tty's banaction = %(banaction_allports)s logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [xinetd-fail] banaction = iptables-multiport-log logpath = %(syslog_daemon)s backend = %(syslog_backend)s maxretry = 2 # stunnel - need to set port for this [stunnel] logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] port = 5222 logpath = /var/log/ejabberd/ejabberd.log [counter-strike] logpath = /opt/cstrike/logs/L[0-9]*.log # Firewall: http://www.cstrike-planet.com/faq/6 tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] # consider low maxretry and a long bantime # nobody except your own Nagios server should ever probe nrpe [nagios] logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility backend = %(syslog_backend)s maxretry = 1 [oracleims] # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above logpath = /opt/sun/comms/messaging64/log/mail.log_current banaction = %(banaction_allports)s [directadmin] logpath = /var/log/directadmin/login.log port = 2222 [portsentry] logpath = /var/lib/portsentry/portsentry.history maxretry = 1 [pass2allow-ftp] # this pass2allow example allows FTP traffic after successful HTTP authentication port = ftp,ftp-data,ftps,ftps-data # knocking_url variable must be overridden to some secret value in jail.local knocking_url = /knocking/ filter = apache-pass[knocking_url="%(knocking_url)s"] # access log of the website with HTTP auth logpath = %(apache_access_log)s blocktype = RETURN returntype = DROP bantime = 3600 maxretry = 1 findtime = 1 [murmur] # AKA mumble-server port = 64738 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/mumble-server/mumble-server.log [screensharingd] # For Mac OS Screen Sharing Service (VNC) logpath = /var/log/system.log logencoding = utf-8 [haproxy-http-auth] # HAProxy by default doesn't log to file you'll need to set it up to forward # logs to a syslog server which would then write them to disk. # See "haproxy-http-auth" filter for a brief cautionary note when setting # maxretry and findtime. logpath = /var/log/haproxy.log [slapd] port = ldap,ldaps filter = slapd logpath = /var/log/slapd.log
Code language: Basic (basic)

After this we have to restart fail2ban with service fail2ban restart and check if all jails are loaded by:

fail2ban-client status status
Code language: Bash (bash)

How to enable apache2 cache to speed up your website on ubuntu

First enable the mods:

sudo a2enmod file_cache sudo a2enmod headers sudo a2enmod expires
Code language: Bash (bash)

Then edit the virtual host:

pico /etc/apache2/sites-enabled/000-default.conf
Code language: Bash (bash)

And add ifmodule between virtual host:

<VirtualHost *:80> ServerName www.webleit.info ServerAdmin admin@webleit.info DocumentRoot /var/www/html # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, # error, crit, alert, emerg. # It is also possible to configure the loglevel for particular # modules, e.g. #LogLevel info ssl:warn ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined #Include conf-available/serve-cgi-bin.conf <IfModule mod_expires.c> # Turn on the module. ExpiresActive on # Set the default expiry times. ExpiresDefault "access plus 2 days" ExpiresByType image/jpg "access plus 1 month" ExpiresByType image/gif "access plus 1 month" ExpiresByType image/jpeg "access plus 1 month" ExpiresByType image/png "access plus 1 month" ExpiresByType text/css "access plus 1 month" ExpiresByType text/javascript "access plus 1 month" ExpiresByType application/javascript "access plus 1 month" ExpiresByType text/x-javascript "access plus 1 month" ExpiresByType application/x-shockwave-flash "access plus 1 month" ExpiresByType text/css "now plus 1 month" ExpiresByType image/ico "access plus 1 month" ExpiresByType image/x-icon "access plus 1 month" ExpiresByType text/html "access plus 600 seconds" </IfModule> </VirtualHost> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Code language: Apache (apache)

Then restart the apache service:

service apache2 restart
Code language: Bash (bash)

Linux: How to get remote page load time with a command from the terminal?

Linux: How to get remote page load time with a command from the terminal?
This will give you the remote page load time in miliseconds.

time wget -p http://www.webleit.info >/dev/null 2>&1
Code language: Bash (bash)

You can implement the command with php like:

<?php $output = shell_exec('time wget -p http://www.webleit.info >/dev/null 2>&1'); echo "<pre>$output</pre>"; ?>
Code language: PHP (php)

How to install google’s mod pagespeed in ubuntu server and how to disable it

About this article
Introduction One of the more recently popular modules for Apache is mod_pagespeed. It is an output filter for Apache 2.2+ that can be configured through a variety of options through configuration files or a .htaccess file. An “output filter” is a something that transforms the data before it’s sent to the client. In other words, it’s a layer between your website and what the user’s browser receives when they visit your URL. Speed Up the Web The goal of mod_pagespeed is to speed up your website. It does this by applying filters to a variety of files in order to reduce the number of trips the browser has to make to grab what it needs, to reduce the size of those files and to optimize the length those files are cached. Installation Installation is very simple. It’ll vary depending on the operating system you use. Ubuntu and Debian have packages you can download and install (or any Linux distribution that uses .DEB packages). Other Linux distributions can download the source and build from that.

1 – Download Software

wget https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_amd64.deb wget https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_i386.deb
Code language: Bash (bash)

2 – Install pagespeed

sudo dpkg -i mod-pagespeed-*.deb apt-get -f install rm mod-pagespeed-*.deb
Code language: Bash (bash)
service apache2 restart <strong>or</strong> /etc/init.d/apache2 restart
Code language: Bash (bash)

You should now have a working version of mod_pagespeed up and running on your VPS. You can check this by looking at your page’s response headers. There should be a value for “X-Mod-Pagespeed” with the version number you installed. Setup The installation package handles a lot of configuration out-of-the-box. In fact, there are conservative defaults that are automatically enabled on Apache. Depending on the Apache version you’re running, you’ll get a different version of the module installed and enabled. If you’re running Apache 2.2, mod_pagespeed.so will be installed; Apache 2.4 users will use mod_pagespeed_ap24.so. Note: mod_pagespeed only works with Apache 2.2 and greater. There is also a bug with Apache 2.4.1 that prevents it from working with that version. Apache 2.4.2 or greater should be used. Additionally, configuration files have been added to your Apache installation. The primary configuration file is pagespeed.conf. This file is located at: /etc/apache2/mods-available/ How to configure mod_pagespeed You can use whatever text editor you want to edit the configuration file. For this tutorial, we’ll be using nano. To start editing the main configuration file, use the following command:

pico /etc/apache2/mods-available/pagespeed.conf
Code language: Bash (bash)

By default, mod_pagespeed rewrites everything it can. You can disable certain files (for example Javascript libraries) from being rewritten.

DISABLE MODULE

If for some reason you want to disable pagespeed you can run this command and restart apache2:

sudo a2dismod pagespeed systemctl restart apache2
Code language: Bash (bash)

Here is the output

How to enable mod_rewrite on ubuntu web server?

Mod_rewrite enables your links to be user friendly. For example webleit.info/post.php?id=121 is going to be converted to webleit.info/How-to-enable-mod_rewrite-on-ubuntu-web-server/. And that is better for users and search engines. So how do we do that? First we enable mod rewrite:

sudo a2enmod rewrite
Code language: Bash (bash)

Then we have to edit our apache configuration:

sudo pico /etc/apache2/sites-available/000-default.conf
Code language: Bash (bash)

And we add to the file:

<IfModule mod_ssl.c> <VirtualHost *:443> # The ServerName directive sets the request scheme, hostname and port that # the server uses to identify itself. This is used when creating # redirection URLs. In the context of virtual hosts, the ServerName # specifies what hostname must appear in the request's Host: header to # match this virtual host. For the default virtual host (this file) this # value is not decisive as it is used as a last resort host regardless. # However, you must set it for any further virtual host explicitly. #ServerName www.example.com ServerAdmin sonik.blast@gmail.com ServerName webleit.info ServerAlias www.webleit.info DocumentRoot /var/www/html # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, # error, crit, alert, emerg. # It is also possible to configure the loglevel for particular # modules, e.g. #LogLevel info ssl:warn ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined # For most configuration files from conf-available/, which are # enabled or disabled at a global level, it is possible to # include a line for only one particular virtual host. For example the # following line enables the CGI configuration for this host only # after it has been globally disabled with "a2disconf". #Include conf-available/serve-cgi-bin.conf Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateFile /etc/letsencrypt/live/webleit.info/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/webleit.info/privkey.pem <Directory /var/www/html> Options Indexes FollowSymLinks MultiViews AllowOverride All Require all granted </Directory> </VirtualHost> </IfModule>
Code language: Bash (bash)

And finally the restart of the apache web server:

service apache2 restart
Code language: Bash (bash)

How to block ip addresses and protect files and folders with apache and .htaccess in ubuntu?

In this tutorial we are going to create block list for our website so that IP addresses that we know are bad can’t connect to our server. Also we are going to protect files that we don’t want to be opened by other people online.

First we edit 000-default.conf and make the needed changes:

<code>pico /etc/apache2/sites-enabled/000-default.conf</code>
Code language: Bash (bash)
<VirtualHost *:80> <Directory /var/www/html> Options Indexes FollowSymLinks MultiViews AllowOverride All Require all granted </Directory> ServerName www.webleit.info ServerAdmin your@mail.com DocumentRoot /var/www/html # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, # error, crit, alert, emerg. # It is also possible to configure the loglevel for particular # modules, e.g. #LogLevel info ssl:warn ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined # For most configuration files from conf-available/, which are # enabled or disabled at a global level, it is possible to # include a line for only one particular virtual host. For example the # following line enables the CGI configuration for this host only # after it has been globally disabled with "a2disconf". #Include conf-available/serve-cgi-bin.conf </VirtualHost>
Code language: Apache (apache)

Now we havo to create a .htaccess file and put ip addresses to be blocked and files to be protected:

order allow,deny deny from 91.247.38.54 deny from 91.247.38.55 deny from 91.247.38.57 deny from 198.15.180.240 deny from 67.229.79.154 deny from 188.120.229.212 deny from 85.128.142.38 allow from all # Protect the htaccess file <Files .htaccess> Order Allow,Deny Deny from all </Files> # Protect functions.php <Files functions.php> Order Allow,Deny Deny from all </Files> # Protect header.php <Files header.php> Order Allow,Deny Deny from all </Files> # Protect footer.php <Files footer.php> Order Allow,Deny Deny from all </Files> # Protect snowstorm.js <Files snowstorm.js> Order Allow,Deny Deny from all </Files>
Code language: Apache (apache)

How to check the installation date of your linux operating system?

Have you ever wondered when did you installed your operating system? Was a year ago or maybe two, three who knows right? Well, linux is a smart system and knows everything for itself! You can open the terminal, write a simple command and the answer is going to be in front of you. So lets do it open the terminal and type:

sudo dumpe2fs /dev/sda1 | grep 'Filesystem created:'
Code language: Bash (bash)

You are going to see something like:

root@ro22proxy3:~# sudo dumpe2fs /dev/sda1 | grep 'Filesystem created:' dumpe2fs 1.42.13 (17-May-2015) Filesystem created: Tue May 9 13:24:21 2017
Code language: Bash (bash)

So our operating system was installed in May 2017 and we even have the date and exact time… May 9 13:24:21.

So thats it in one single command we found the full information about are operating system installation date.

How to check for large files in the console

If you just need to find large files, you can use find with the -size option. The next command will list all files larger than 10MiB (not to be confused with 10MB):

find / -size +10M -ls
Code language: Bash (bash)

If you want to find files between a certain size, you can combine it with a “size lower than” search. The next command find files between 10MiB and 12MiB:

find / -size +10M -size -12M -ls

apt-cache search ‘disk usage’ lists some programs available for disk usage analysis. One application that looks very promising is gt5.

From the package description:

Years have passed and disks have become larger and larger, but even on this incredibly huge harddisk era, the space seems to disappear over time. This small and effective programs provides more convenient listing than the default du(1). It displays what has happened since last run and displays dir size and the total percentage. It is possible to navigate and ascend to directories by using cursor-keys with text based browser (links, elinks, lynx etc.)
Screenshot of gt5

On the “related packages” section of gt5, I found ncdu. From its package description:

Ncdu is a ncurses-based du viewer. It provides a fast and easy-to-use interface through famous du utility. It allows to browse through the directories and show percentages of disk usage with ncurses library.