Beef up mail-in-a-box Fail2Ban jails and filters

In the past few posts of this blog/journal I covered blocklist, nginx, and so on. I now have 12 jails on my MiaB server:

Munin, roundcube, owncloud, postfix, ssh-ddos, miab-management, sasl, ssh, dovecot, nginx-badbots, nginx-http-auth, and recidive.

Some of these jails had to be added manually to jail.local. I like to send my reports to two of my email addresses (work and personal) plus blocklist.de, so the sendmail-whois-lines action is not required and may be removed if you do not want it.

[miab-munin]
enabled = true
port = http,https
filter = miab-munin
action = sendmail-whois-lines[name=miab-munin, dest="[email protected],[email protected],[email protected]", [email protected], sendername="Fail2Ban"]
logpath = /var/log/nginx/access.log
maxretry = 20
findtime = 30

[miab-owncloud]
enabled = true
port = http,https
filter = miab-owncloud
action = sendmail-whois-lines[name=miab-owncloud, dest="[email protected],[email protected],[email protected]", [email protected], sendername="Fail2Ban"]
logpath = /home/user-data/owncloud/owncloud.log
maxretry = 20
findtime = 30

[miab-postfix587]
enabled = true
port = 587
filter = miab-postfix-submission
action = sendmail-whois-lines[name=miab-postfix-submission, dest="[email protected],[email protected],[email protected]", [email protected], sendername="Fail2Ban"]
logpath = /var/log/mail.log
maxretry = 20
findtime = 30

[miab-roundcube]
enabled = true
port = http,https
filter = miab-roundcube
action = sendmail-whois-lines[name=miab-roundcube, dest="[email protected],[email protected],[email protected]", [email protected], sendername="Fail2Ban"]
logpath = /var/log/roundcubemail/errors
maxretry = 20
findtime = 30

In your filter.d folder, create the following files with the content below.

miab-munin.conf:

[INCLUDES]

before = common.conf

[Definition]
failregex=<HOST> - .*GET /admin/munin/.* HTTP/1.1\" 401.*
ignoreregex =

miab-owncloud.conf:

[INCLUDES]

before = common.conf

[Definition]
failregex=Login failed: .*Remote IP: '<HOST>[\)']
ignoreregex =

miab-postfix-submission.conf:

[INCLUDES]

before = common.conf

[Definition]
failregex=postfix/submission/smtpd.*warning.*\[<HOST>\]: .* authentication (failed|aborted)
ignoreregex =

miab-roundcube.conf:

[INCLUDES]

before = common.conf

[Definition]

failregex = IMAP Error: Login failed for .*? from <HOST>\. AUTHENTICATE.*

ignoreregex =

Ideas were pulled from GitHub, with my own additions for nginx from the earlier post.

Send Fail2Ban logs to multiple addresses

So I was running into an issue where I wanted to send the logs to blocklist.de as well as my personal email and my business email, but I kept having problems sending to more than one address. I figured out the proper syntax for jail.conf and jail.local:

sendmail-whois-lines[name=FILTERNAME, dest="[email protected],[email protected],[email protected]", [email protected], sendername="Fail2Ban"]

Just replace the parts in all caps with the appropriate settings for you. I always add blocklist.de so the reports go to a whole community that tracks abusers.

Nginx Filters for Fail2Ban

When building my other servers I was double-checking fail2ban configurations and noticed there are no fail2ban settings for nginx, even though the webmail runs on it. I'm not sure whether it's an issue, but I was hoping someone else could tell me if I am on the right track, or if it's not even necessary.

I did this for my email server which runs nginx as the web server.

In /etc/fail2ban/jail.local add:

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /var/log/nginx/error.log

[nginx-badbots]
enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /var/log/nginx/access.log
maxretry = 2

Then:
cd /etc/fail2ban/filter.d
sudo nano nginx-http-auth.conf

Make sure it looks like the below:

[Definition]

failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$

ignoreregex =

Copy the badbots config from apache:
sudo cp apache-badbots.conf nginx-badbots.conf
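Before reloading fail2ban it is worth confirming that each failregex above catches the failed-login line it is meant for and ignores normal traffic, the way fail2ban-regex would. The script below is an added example, not part of the original post or of Mail-in-a-Box: it takes the failregex lines from the MiaB filters and the nginx-http-auth filter, runs them over constructed log lines, and reports which host each filter would count; the simplified stand-in for fail2ban's <HOST> tag and the sample lines are assumptions of this example.

```python
import re

# fail2ban substitutes its own regex for the <HOST> tag when it loads a filter;
# this stand-in for IPv4/IPv6 literals is an assumption of this example, not
# fail2ban's exact pattern.
HOST = r"(?P<host>[0-9A-Fa-f.:]+)"

# failregex lines from the filter files above, keyed by filter name.
FAILREGEX = {
    "miab-munin": r'<HOST> - .*GET /admin/munin/.* HTTP/1.1\" 401.*',
    "miab-owncloud": r"Login failed: .*Remote IP: '<HOST>[\)']",
    "miab-postfix-submission": (
        r"postfix/submission/smtpd.*warning.*\[<HOST>\]: .* authentication (failed|aborted)"
    ),
    "miab-roundcube": r"IMAP Error: Login failed for .*? from <HOST>\. AUTHENTICATE.*",
    "nginx-http-auth": (
        r'^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), '
        r'client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$'
    ),
}

# fail2ban removes the timestamp before matching, which is why the nginx
# error-log regex starts with "^ ". Strip the syslog and nginx date formats
# used in the samples below.
DATE = re.compile(r"^(?:\w{3} +\d+ \d\d:\d\d:\d\d|\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")

COMPILED = {name: re.compile(rx.replace("<HOST>", HOST)) for name, rx in FAILREGEX.items()}


def offending_host(filter_name, line):
    """Host the named filter would count as a failure for this line, or None."""
    m = COMPILED[filter_name].search(DATE.sub("", line, count=1))
    return m.group("host") if m else None


# Constructed log lines (not real traffic): (filter, line, expected host or None).
# Each filter also gets a benign line it must leave alone.
SAMPLES = [
    ("miab-munin",
     '203.0.113.7 - - [16/Jun/2016:06:38:03 +0000] "GET /admin/munin/ HTTP/1.1" 401 188 "-" "curl/7.47.0"',
     "203.0.113.7"),
    ("miab-munin",
     '203.0.113.7 - - [16/Jun/2016:06:38:03 +0000] "GET /admin/munin/ HTTP/1.1" 200 2048 "-" "curl/7.47.0"',
     None),
    ("miab-owncloud",
     '{"reqId":"x9bT","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: \'admin\' (Remote IP: \'203.0.113.7\')","level":2}',
     "203.0.113.7"),
    ("miab-postfix-submission",
     "Jun 16 06:38:03 box postfix/submission/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: generic failure",
     "203.0.113.7"),
    ("miab-postfix-submission",
     "Jun 16 06:38:03 box postfix/submission/smtpd[1234]: connect from unknown[203.0.113.7]",
     None),
    ("miab-roundcube",
     "[16-Jun-2016 06:38:03 +0000]: <a1b2c3> IMAP Error: Login failed for admin from 203.0.113.7. AUTHENTICATE PLAIN: A0002 NO [AUTHENTICATIONFAILED] Authentication failed. in /usr/local/lib/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 196 (POST /mail/?_task=login&_action=login)",
     "203.0.113.7"),
    ("nginx-http-auth",
     '2016/06/16 06:38:03 [error] 1234#0: *5 user "admin": password mismatch, client: 203.0.113.7, server: box.example.com, request: "GET /admin/ HTTP/1.1", host: "box.example.com"',
     "203.0.113.7"),
    ("nginx-http-auth",
     '2016/06/16 06:38:03 [error] 1234#0: *6 open() "/usr/share/nginx/html/x" failed (2: No such file or directory), client: 203.0.113.7, server: box.example.com, request: "GET /x HTTP/1.1", host: "box.example.com"',
     None),
]


def mismatches():
    """Samples whose result differs from expectation; empty when every filter behaves."""
    return [(f, line, offending_host(f, line), exp)
            for f, line, exp in SAMPLES if offending_host(f, line) != exp]


if __name__ == "__main__":
    for f, line, _ in SAMPLES:
        print(f"{f:24} -> {offending_host(f, line)}")
    print("mismatches:", mismatches())
```

On a live box, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/miab-postfix-submission.conf` does the same check against the real log with fail2ban's own <HOST> handling.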

Free(dom) Software: Why Your PC should have Liberty


“Freedom” is the very word at the core of libertarianism: the ability to do anything we believe in freely, so long as it does not infringe on the freedoms of another individual. When you think of freedom, what comes to your mind? Speech, religion, assembly, press, property, perhaps the right to bear arms, perhaps the ability to do whatever we please to our own bodies, and we can go on from there. So why do many not consider freedom to mean the ability to own the software in our own computers, the way we view our bodies or our vehicles? This is where Free, Libre, and Open Source Software (FLOSS, aka Free or Libre) comes in. What exactly does Free and Open Source mean? Free and Open Source software is software whose source code is available for modification or enhancement by anyone. But let us always remember: Free software came before Open Source.

“Source code” is the part of software that most computer users don’t ever see; it’s the code which computer programmers can manipulate to change how a piece of software—a “program” or “application”—works. Programmers who have access to a computer program’s source code can improve that program by adding features to it, or fixing parts that don’t always work correctly.

Source: https://opensource.com/resources/what-open-source


The problem with Windows and Apple is that you can’t really trust them all that much in terms of privacy. They both have backdoors for the government. Now, while the government may have good intentions according to some, they are severely flawed. The problem with a backdoor in a system that I can’t close as a user is that malicious hackers have another way to get into your system and potentially monitor or steal information from you. Allowing software to be Free means that it is transparent and vetted by thousands of people all around the world, who are constantly working on the software.

Take for example Mozilla Firefox, formerly Netscape Navigator. It’s not maintained by some giant company like Google, Apple, or Microsoft, which make their browsers with parts that are completely closed. Firefox, being Free, is maintained by a large community who make one of the freest browsers, with a non-profit foundation maintaining all the thousands of additions to the code that go on every day. We can ensure there are no intentional backdoors in the code, while making it as customizable as we want. In fact the 2003 GNU/Linux (often just called “Linux”) backdoor attempt, which some suspected was done by the NSA, is proof of the very fact that Free software is more secure.

“Free software” means software that respects users’ freedom and community. Roughly, it means that the users have the freedom to run, copy, distribute, study, change and improve the software. Thus, “free software” is a matter of liberty, not price. To understand the concept, you should think of “free” as in “free speech,” not as in “free beer”. We sometimes call it “libre software” to show we do not mean it is gratis.

Source: https://gnu.org/philosophy/free-sw.html

Richard Stallman, founder of the Free Software Movement, said Windows and OS X are malware, observed that Amazon’s Kindle has an Orwellian backdoor, and has said that only an idiot would trust the Internet of Things.

“Malware is the name for a program designed to mistreat its users,” Stallman wrote in The Guardian.

What kinds of programs constitute malware? Operating systems, first of all. Windows snoops on users, shackles users and, on mobiles, censors apps; it also has a universal backdoor that allows Microsoft to remotely impose software changes. Microsoft sabotages Windows users by showing security holes to the NSA before fixing them.

Apple systems are malware too: MacOS [OS X] snoops and shackles; iOS snoops, shackles, censors apps and has a backdoor. Even Android contains malware in a non-free component: a backdoor for remote forcible installation or de-installation of any app.

Richard Stallman: Founder of the Free Software Movement. President of the Free Software Foundation

In fact the entire Free, Libre, and Open Source Software Movements are already unsung heroes of our most precious example of our freedom, the internet. People don’t recall, but many years ago the internet as a whole was very close to becoming proprietary in the software market. You had to buy a lot of closed source software to even connect to the internet. Once upon a time, you actually used to pay for an Internet browser. Microsoft was very close to choking off freedom on the internet when it had, at its peak, 95% of the market share in internet browsers. The internet stagnated for many years, and we were stuck with Internet Explorer, one of the worst browsers ever because it was so full of holes, for a very long time. Microsoft could have also done the same with Windows Server, when in fact the majority of web servers and critical components that run the web today run on GNU/Linux or FreeBSD, which are both Free and Open Source. In fact GNU/Linux and FreeBSD were the first to have the components to even be able to connect to the internet. For years people were forced to pay for software to create documents; we had OpenOffice (now deprecated), and LibreOffice, which has replaced OpenOffice. In fact I wrote this rough draft on my laptop running GNU/Linux using LibreOffice. The Being Libertarian site itself runs on GNU/Linux and WordPress, both of which are Free and Open Source software. In fact Bitcoin wouldn’t even exist were it not for FLOSS. I have actually been a member of the FOSS and FLOSS movements for 10 years now, starting when I was 14 years old. GNU/Linux and the FLOSS communities were the first to introduce many of the features now commonly found on Windows and Mac OS X, including, but not limited to, remote desktop, virtual desktops, and a TCP/IP stack so they can use the internet.
In fact a lot of Mac OS X relies on Open Source software, but it’s not as Free as it actually should be, because there is no way I can have access to the complete source code and compile my own Mac OS X, like I can do with GNU/Linux or FreeBSD.


Now I know a lot of libertarians and conservatives would rather place their trust in businesses managing things. But this is where voluntarism comes in, because no one is forcing you to contribute to the code. Far more people use the software without contributing to it, but if you see a problem or a feature that could be added, you are more than welcome to do so. This is best explained in Eric Raymond’s “The Cathedral and the Bazaar”, on why the FLOSS model of a bazaar, with the community voluntarily working together, is better than the cathedral approach of Apple or Microsoft. It’s also one of the most influential essays ever written in the IT world.

Eric S. Raymond: One of the key people in the Free, Libre, and Open Source Movement, and author of the “Cathedral and the Bazaar”

Linux overturned much of what I thought I knew. I had been preaching the Unix gospel of small tools, rapid prototyping and evolutionary programming for years. But I also believed there was a certain critical complexity above which a more centralized, a priori approach was required. I believed that the most important software (operating systems and really large tools like the Emacs programming editor) needed to be built like cathedrals, carefully crafted by individual wizards or small bands of mages working in splendid isolation, with no beta to be released before its time.

Linus Torvalds’s style of development—release early and often, delegate everything you can, be open to the point of promiscuity—came as a surprise. No quiet, reverent cathedral-building here—rather, the Linux community seemed to resemble a great babbling bazaar of differing agendas and approaches (aptly symbolized by the Linux archive sites, who’d take submissions from anyone) out of which a coherent and stable system could seemingly emerge only by a succession of miracles.

Source: http://www.catb.org/esr/writings/cathedral-bazaar/cathedral-bazaar/
*I highly recommend reading the entire essay (~36 Pages on paper)


I have mentioned LibreOffice and Mozilla Firefox as FLOSS software, but there are thousands of distributions of GNU/Linux to use, and thousands of Free, Libre, and Open Source Software packages out there. It’s all about freedom of choice. If you don’t like one part of the system or program, you can change it. For example, I used to be a Gentoo GNU/Linux user, where I could completely build my own system the way I wanted; then I became a bit lazy and switched to Ubuntu a few years ago, as I didn’t want to spend so much time on each installation. I, of course, still didn’t like a few parts of Ubuntu, so I modified a lot of the operating system, until eventually Ubuntu decided to add the Unity user interface, which I hated with a passion. So I switched to Xubuntu as a day-to-day work OS, with Kali GNU/Linux on the same laptop for all the tools I use to test network security as part of my job. One GNU/Linux in particular that a lot of people who love their privacy like is Tails, which leaves no trace of you on the host computer, and encrypts as well as anonymizes all of your data. The Condor intraoral scanner, which I previously covered in March of 2015, runs Manjaro GNU/Linux. I also have been looking into Trisquel GNU/Linux, which is a completely Free version of GNU/Linux that Richard Stallman himself uses. Quite a few distributions of GNU/Linux have parts that use “non-free” software, meaning its use, redistribution or modification is prohibited, requires you to ask for permission, or is restricted so much that you effectively can’t do it freely. There are a few classes of software which the Free Software Foundation does a good job of explaining to the average user.

But back to the main point. The beauty of GNU/Linux and FLOSS in general is freedom, as what works for some, doesn’t work for all. Linus Torvalds, the maker of the GNU/Linux kernel, himself didn’t like Ubuntu, whereas I kind of like the Ubuntu environment.

Linus Torvalds: Founder of the Linux Kernel. In 1991 introduced Linux to the world saying, “I’m doing a (free) operating system (just a hobby, won’t be big and professional like gnu) for 386(486) AT clones.” Despite Linus being the creator of Linux, and also the largest contributor of code to the project, Linus has only contributed 1% of the total code.

So at the end of it all, those who call themselves true libertarians, conservatives, or even just full-on privacy rights advocates should be throwing their closed source software away whenever possible, and embrace the true freedom only granted to the user by software that is FOSS or, even better, FLOSS. It’s time to really embrace freedom to its fullest extent in all facets of your life. You can even start by slowly dipping your toes in the water of the open source movement. I use Mozilla Thunderbird instead of Microsoft Outlook, Mozilla Firefox or even better GNU IceCat instead of Microsoft Edge or Internet Explorer, Notepad++ (NotepadQQ on GNU/Linux) instead of Notepad, LibreOffice instead of Microsoft Office, GNUCash instead of Quickbooks, ProjectLibre instead of Microsoft Project, 7-zip instead of WinZIP and WinRAR, Dia instead of Microsoft Visio, Scribus instead of Microsoft Publisher, etc. You can find a FOSS or FLOSS solution for almost any task that you need to do today.


If any readers are interested in a deep look into the philosophy, culture, and history of the entire Free, Libre, and Open Source Movements, I highly recommend watching the documentary Revolution OS (About 1 1/2 hours) which is freely available on YouTube ( https://youtu.be/jw8K460vx1c) and elsewhere.

Update: After Speaking to Richard Stallman some changes were made

This article was originally written by me for Being Libertarian

Open Letter to Facebook on Censorship/I was literally banned for nothing

The following letter has been snail mailed to Facebook’s headquarters, with some personal information redacted. However I felt the public needed to be made aware of this issue of censorship on Facebook.
Update: A second slightly amended version has been sent to their legal department as of June 21, 2016
Update 2: Edits are being made to it

June 16, 2016

Facebook Headquarters
1 Hacker Way
Menlo Park, CA 94025

Dear Facebook,
Hello, my name is Alon Ganon. I am CTO of DTG3D LLC as well as a reporter and CTO for Being Libertarian LLC (www.beinglibertarian.com). I am mailing you about an issue I have been having for the past several years, on which your online communication seems to have resulted in no progress. See, I am an IT contractor by trade as well, and I have been wrongfully banned from Facebook many times for things I have not posted. As I have to join pages sometimes to administrate their IT stuff, unfortunately some of the people on these pages post things that have landed me in jail for things I never posted. I have been the target of anti-Semitic mass reporting before, as I am Jewish and pro-Israel. I even had to experience the utter devastation in my life of being assaulted and sent to the hospital merely for being Jewish. However, I woke up this morning, June 16, 2016, to find that I was postblocked again for having posted literally nothing on my account (original has direct link here), which you can see in the image included below, which is blank. I have also never posted the content which resulted in my last ban, which was obviously when my account was compromised, yet Facebook failed to perform any action despite multiple reports of the issue, as well as Facebook itself notifying me that my account appeared to be sending out spam and may have been compromised. Yet despite that warning, when I logged in I had still received a 30 day ban for my account being compromised. I have not posted anything in violation of Facebook standards myself in many years, and if you look at my account history you will see that most of the times I was banned never actually stemmed from me, or were taken completely out of context. I find it completely unfair that I continuously receive a 30 day ban for things I have not posted, nor that violate Facebook policy.
Admittedly I am human; a small minority of these were rightfully given, mostly when I was much younger. However, Facebook doesn’t even take the context of discussions into consideration, and I have been banned for merely quoting other people.

I really do not feel like having to track down your Ombudsman to resolve this issue, nor having to tell my Rabbi, who is good friends with the person who runs the Anti-Defamation League, as it is negatively affecting my business, since I need Facebook for communication as well as the ability to administrate my clients’ pages. So I am attaching two images, one from the ban this morning and the one prior, to show that Facebook’s system is not always correct in banning people. There is no way that I have violated Facebook policy, especially seeing as I am not a supporter of Donald Trump and his vitriolic speech, along with the fact that many on my father’s side are Muslim as well. Facebook should make an effort not to punish an entire page, even for the wrongdoings of one single poster, because as we all know one bad apple should not spoil the bunch. I had to leave a Facebook page and cancel a contract for building a website for a conservative page as I kept being banned by association for things I myself have never posted. Yet ever since that long stay trying to do their IT work, I am consistently banned for 30 days at a time. In case you are curious as to the authenticity of the images in question, I have uploaded my original screenshots to my company’s own cloud at this link (original has direct link here, but images are below).

I would like to kindly request an archive of all of my activity resulting in prior bans sent to my email below. I would kindly also like to request that whatever arbitrary “strike system” you use against offenders re-evaluate my account, because the majority of times I have been banned were not a result of my own doing. So I would like to request a re-evaluation of the continual use of a 30 day ban on my account when I myself haven’t posted the majority of the content that resulted in my ban. I would also like to note I have every single security option enabled on Facebook that is possible, so it appears as if my account was compromised on your end. My security features include 2FA with Authy, 2FA with my cell number, my public PGP key is even added, as well as my passwords being created randomly via KeePassX. I do not use Windows or Mac computers; I use a complete GNU/Linux environment which is secured and tightened down. I access everything through a VPN which I built myself, and at times through your onion link via Tor when abroad in places that may not allow it so easily, e.g. China. I am very displeased as a journalist that Facebook is able to take down such content without any way for humans to appeal the process. As we can quite evidently see, one should not be banned for a post they have not made, nor one that is not actually in violation of Facebook policy.

I thank you for taking the time to read this letter, and if there are any further questions or concerns, all of my contact information is below my signature. I hope we can resolve this matter easily and expeditiously.

Sincerely,
Alon Ganon, CTO DTG3D LLC, CTO BeingLibertarian LLC
www.dtg3d.com
www.alonganon.info
www.beinglibertarian.com
The last ban I received was obviously not from a human source, but was copy-pasted; there were about a dozen people in my circle taken down by the same attack.


This is from the latest ban, along with mobile screenshots from a fellow admin of the Being Libertarian Facebook page. This one resulted in me being banned for 30 days, and it is far from the first time I have been wrongfully banned for 30 days from Facebook.


Automatic Filters for IPTables Firewall

So I have been building servers for quite some time, and if you have been operating servers for a while, you know about attempted intrusions into your server. I have been using Fail2Ban and UFW for quite some time on my Ubuntu servers and they work rather well. I let them automate the job of managing IPTables, which can be rather cumbersome, especially for IT people whose specialty may not be firewalls. So I have been looking around for a way to automate my job. My favorite tools thus far include:

  1. Fail2Ban – scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, seeking exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
  2. UFW – Uncomplicated Firewall. The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.
    Gufw is a GUI that is available as a frontend.
  3. Blocklist.de – www.blocklist.de is a free and voluntary service provided by a fraud/abuse specialist, whose servers are often attacked on SSH, mail login, FTP, web server and other services.
    The mission is to report all attacks to the abuse departments of the infected PCs/servers to ensure that the responsible provider can inform the customer about the infection and disable them.

It’s rather easy to set these up to update IPTables with a simple daily crontab entry, which will sync with blocklist.de.

First become root:
sudo -i

Then download the script to cron.daily and make it executable:
curl -s https://gist.githubusercontent.com/klepsydra/ecf975984b32b1c8291a/raw > /etc/cron.daily/sync-fail2ban

chmod a+x /etc/cron.daily/sync-fail2ban

Optional but recommended, an initial manual run:
time /etc/cron.daily/sync-fail2ban

Tomorrow, check your /tmp/iptables.fail2ban.log file to see who’s been blocked.
The lists you get are stored locally for now at /etc/fail2ban/blacklist.*
Your server should now be a little bit more secure, with a few thousand new IP addresses added to your IPTables.
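Since the daily sync loads a few thousand addresses straight into IPTables, it pays to sanity-check a downloaded list before trusting it: a malformed line or an address from your own networks would either break the load or lock you out. The checker below is an added example, not the gist script or blocklist.de's own code; it assumes the blacklist.* files hold one address per line (with optional "#" comments), and the sample list is constructed.

```python
import ipaddress

# Constructed sample of a downloaded list (not a real blocklist.de export).
# One address per line with "#" comments is an assumption about blacklist.*.
SAMPLE_BLACKLIST = """\
# constructed sample
203.0.113.7
198.51.100.23
203.0.113.7
10.0.0.5
127.0.0.1
2001:db8::1
not-an-address
"""

# Ranges a host-based blocklist should never contain: blocking them would cut
# off your own LAN, loopback or link-local traffic. Listed explicitly rather
# than via ipaddress.is_private so documentation ranges (used in the sample
# above) still count as public.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_blacklist(text, allow=()):
    """Split a downloaded list into (ipv4, ipv6, rejected).

    Comments, blank lines and duplicates are dropped silently; malformed
    entries, local ranges and anything in `allow` (e.g. your own public IP or
    your office address) are returned in `rejected` so they can be reviewed.
    """
    allowed = {ipaddress.ip_address(a) for a in allow}
    ipv4, ipv6, rejected, seen = [], [], [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            rejected.append(entry)
            continue
        if addr in seen:
            continue
        seen.add(addr)
        if addr in allowed or any(addr in net for net in LOCAL_NETS):
            rejected.append(entry)
            continue
        (ipv4 if addr.version == 4 else ipv6).append(str(addr))
    return ipv4, ipv6, rejected


def drop_rules(ipv4, ipv6, chain="INPUT"):
    """Render the iptables/ip6tables commands as strings for review; nothing is executed."""
    return ([f"iptables -A {chain} -s {a} -j DROP" for a in ipv4]
            + [f"ip6tables -A {chain} -s {a} -j DROP" for a in ipv6])


if __name__ == "__main__":
    # allow= would hold the address you administer the box from (constructed here)
    v4, v6, bad = parse_blacklist(SAMPLE_BLACKLIST, allow=["198.51.100.23"])
    print("\n".join(drop_rules(v4, v6)))
    print("rejected:", bad)
```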