Introducing IPset-Assassin

Completed installation
completed installation

I recently wrote a nice little program to setup and maintain your firewall on Ubuntu GNU/Linux 14.04. This will install a cron job to run daily and pull lists from multiple sites to block malicious IP addresses. Adding around ~40,000 or more individual IP addresses as well as the top 20 malicious IP blocks per day, all voluntarily and freely contributed. All of the malicious individual addresses are managed with ipset, while the IP blocks are managed with IPTables. This leads to a very efficient way of managing the tables easily and automatically. This optionally allows you to enable or disable Tor Exit node connections. I have also created an optional weekly cron job that will block whatever countries you may wish. I hand typed all 233 countries codes into a dialog menu. I added a new iptables-persistent from another Github repository which also works with ipsets to keep it persistent upon reboot for both iptables.

Screenshot_2016-07-03_04-44-54
When installing it may get stuck here for a minute or two that’s fine. It’s setting a lot rules up

The lists that are regularly installed:

Project Honey Pot Directory of Dictionary Attacker IPs
TOR Exit Nodes this will block all access to Tor*
BruteForceBlocker
Spamhaus
C.I. Army
OpenBL.org
Autoshun
Blocklist.de
Malware Domain List
ZeusTracker
Malc0de IP blacklist
MaxMind GeoIP Anonymous Proxies
StopForumSpam
GreenSnow

 

*Tor exit node blocking is optional
*Tor exit node blocking is optional

It’s simple enough to install. Simply run the script as root and select if you want to block Tor exit nodes or if you want to block any countries. If there are any issues or suggestions please let me know on GitHub. I want to eventually make this also capable of running on CentOS for my PhonePBX.

https://github.com/ChiefGyk/ipset-assassin

Tested on Ubuntu 14.04 servers, and Xubuntu 14.04 running server applications. Test it on your own machine as well if you like

233 Countries to block if you choose to.
233 Countries to block if you choose to.

Nginx Filters for Fail2Ban

When making my other servers I was double checking fail2ban configurations and noticed there is no fail2ban settings for nginx seeing as the webmail runs on it. Not sure if it’s an issue, or anything but I was hoping some other could tell me if I am on the right track, or if it’s not even necessary.

I did this for my email server which runs nginx as the web server.

In the /etc/fail2ban/jail.local

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /var/log/nginx/error.log
[nginx-badbots]
enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /var/log/nginx/access.log
maxretry = 2

thencd /etc/fail2ban/filter.d
sudo nano nginx-http-auth.conf

make sure it’s like below

[Definition]


failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$

ignoreregex =

copy badbots config from apache
sudo cp apache-badbots.conf nginx-badbots.conf

Automatic Filters for IPTables Firewall

So I have been building servers for quite sometime, and if you have been operating servers for a while, you know of attempted intrusions into your server. I have been using Fail2Ban and UFW for quite some time on my Ubuntu servers and they work rather well. I would have them automate the job of managing IPTables, which can be rather cumbersome. Especially with IT people whose specialty may not be firewalls. So I have been looking around for a way to automate my job. My favorite tools thus far include

  1. Fail2Ban – scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action(e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
  2. UFW – Uncomplicated Firewall, The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.
    Gufw is a GUI that is available as a frontend.
  3. Blocklist.de – www.blocklist.de is a free and voluntary service provided by a Fraud/Abuse-specialist, whose servers are often attacked on SSH-, Mail-Login-, FTP-, Webserver- and other services.
    The mission is to report all attacks to the abuse deparments of the infected PCs/servers to ensure that the responsible provider can inform the customer about the infection and disable them.

It’s rather easy to set up these update the IPTables with a simple crontab daily, which will sync with blocklist.de

First become root
sudo -i

Then download the script to cron.daily and make it executable
curl -s https://gist.githubusercontent.com/klepsydra/ecf975984b32b1c8291a/raw > /etc/cron.daily/sync-fail2ban

chmod a+x /etc/cron.daily/sync-fail2ban

Optional but Recommended, Initial run manually:
time /etc/cron.daily/sync-fail2ban

Tomorrow, check your /tmp/iptables.fail2ban.log file to see who’s been blocked.
The lists you get are stored locally for now at /etc/fail2ban/blacklist.*
Your server should now be a little bit more secure with a few thousand new IP addresses added to your IPTables

Install the latest Mozilla Thunderbird or Firefox in Ubuntu GNU/Linux

So I ran into an issue with my Mozilla Thunderbird today when I was finished setting up my new email, contact, and calendar server with Mail-in-a-box. So I go to add the lightning extension for calendars, and low and behold I find out my Thunderbird (the one that came in the the default Xubuntu repos for 14.04LTS) was out of date and not supported by lightning. The Ubuntu repos had version 38.8, but what version was Mozilla at themselves? 45.1 as of this post. So I quickly installed the latest binary but I tend to be forgetful about updates, so I wanted to tie it into the apt package manager so I found a PPA that works.

First if thunderbird is installed remove it, and maybe backup your .thunderbird folder just in case. But you shouldn’t have to worry about losing any data.

sudo apt-get remove -y thunderbird

Next we need to add a new repository called Ubuntuzilla so edit your sources.list. I used nano for this, but feel free to use whatever you like.

sudo nano /etc/apt/sources.list
add to the end
deb http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main

or you can do that all with one command
echo -e "\ndeb http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main" | sudo tee -a /etc/apt/sources.list > /dev/null

Then grab the keys and update
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com C1289A29
sudo apt-get update

Install your desired package, with one of the following commands:
sudo apt-get install firefox-mozilla-build
sudo apt-get install thunderbird-mozilla-build
sudo apt-get install seamonkey-mozilla-build

Source

How to make “WHOIS” work with new TLD’s e.g. *.xyz, *.online

So I have been building a lot of servers and generally I like to segment them to different domains but whois by default only will work with *.com, *.info, *.net you know the usual TLD’s you think of. But now there are so many new ones I like to scoop up I still want to test my server settings with whois. Well have no fear on my Xubuntu 14.04LTS I use everyday simply create the file “whois.conf” in the /etc/ folder. So use your favorite text editor and paste this file in to get any new TLD resolved.
Open Nano (or whatever text editor you prefer)
sudo nano /etc/whois.conf

Once inside your text editor paste this list (list is very long so I added a read more section you will need to open to see the entire list)

#
# WHOIS servers for new TLDs (http://www.iana.org/domains/root/db)
# Current as of 2015-09-12
#

Continue reading “How to make “WHOIS” work with new TLD’s e.g. *.xyz, *.online”

Redis Caching with OwnCloud

While setting up an OwnCloud server for my company, I couldn’t really find any good way to cache, and with the Ubuntu repos having an old version of Redis, meant of course it couldn’t be used for best performance and stability. I tried installing it manually from some guides I found, and trying to see OwnCloud’s documentation and was last using an Apcu and Redis (older version) combined so I stumbled upon a guide from TechandMe.se which actually resolved my issues of an old Redis, and dramatically sped up my server.

This guide is also scripted for an automated install, you can download the script here.

  1. GET RID OF APCU & MEMCACHED
    $~: sudo php5dismod apcu && sudo apt-get purge php5-apcu -y
    $~: rm /etc/php5/mods-available/apcu-cli.ini
    $~: sudo apt-get purge --auto-remove memcached -y && php5dismod memcached
  2. INSTALL NEEDED DEPENDENCIES TO PREPARE THE REDIS INSTALLATION
    $~: sudo apt-get update && sudo apt-get install build-essential -y

Continue reading “Redis Caching with OwnCloud”

Tip for OwnCloud

I was building my OwnCloud file storage on Ubuntu 14.04LTS (upgrading to 16.04.1 LTS this summer), which if you haven’t heard of definitely check out it is the most amazing cloud storage program and you control it yourself. It even offers server side encryption, and tons of options to make it how you want it for you or your company. See it at www.owncloud.org

But I was coming across an .htaccess issue that kept popping up so I modified Apache so much and it still appeared. So I finally stumbled across my fix. Move the OwnCloud data directory out of the default location. So here are the steps I took

Stop apache2

sudo service apache2 stop

Edit config file in default location

sudo nano /var/www/html/owncloud/config/config.php

Change default location to new location

(pick one, I chose /mnt/owncloud_data but put it anywhere you like)

Move the data folder to new location

sudo mv /var/www/html/owncloud/data /new/data/directory/here

if required change permissions

sudo chown -R www-data:www-data /new/data/directory/here

Restart apache2

sudo service apache2 start

Voila .htaccess issue is GONE!