Failban Error – Centos 7

Hi,

from logwatch I saw this error :

ERROR   Failed to execute ban jail ‘ssh-iptables’ action ‘iptables’ info ‘CallingMap({‘ipjailmatches’: <function <lambda> at 0x7f8e24d2b578>, ‘matches’: u’Jan 28 00:15:51 saic sshd[30705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ti0100a400-1587.bb.online.no  user=root\n

Failed password for root from 85.165.177.58 port 45430 ssh2\n

Failed password for root from 85.165.177.58 port 45430 ssh2′, ‘ip’: ‘85.165.177.58’, ‘ipmatches’: <function <lambda> at 0x7f8e24d2b488>, ‘ipfailures’: <function <lambda> at 0x7f8e24d2bb90>, ‘time’: 1485558957.444361, ‘failures’: 3, ‘ipjailfailures’: <function <lambda> at 0x7f8e24d2b5f0>})’: Error starting action

To solve I follow this : https://github.com/fail2ban/fail2ban/issues/973

and than this : https://github.com/fail2ban/fail2ban/issues/878#issuecomment-65732113

Not necessarily… But if you will really stand-alone fail2ban, so download direct from github or checkout via git (from github). – master – https://github.com/fail2ban/fail2ban/archive/master.zip – debian – https://github.com/fail2ban/fail2ban/archive/debian.zip – repo – git://github.com/fail2ban/fail2ban.git
Hereafter unzip it and run install:

cd /tmp/f2b
?sudo? python setup.py install

So I reinstalled fail2ban, previous backup fine (/etc/fail2ban).

After installation I overwrote /etc/fail2ban with my previous file.

Logwatch Centos 7

useful link to install logwatch:
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-logwatch-log-analyzer-and-reporter-on-a-vps

example
logwatch –detail Low –mailto info@saic.it –service http –range today

Amavis – Clamd – Centos 7

I’ve ths error in /var/log/maillog:
(!)connect to /var/run/clamd.amavisd/clamd.sock failed

I solved in this way:

Edit /etc/clamd/clamd.conf

LocalSocket /var/run/clamd.amavisd/clamd.sock
User amavis

the User I defined (amavis), have to be the owner of the folder /var/run/clamd.amavisd
in the file /etc/amavisd/amavisd.conf you need the same file before : /var/run/clamd.amavisd/clamd.sock in this position
# ### http://www.clamav.net/
[‘ClamAV-clamd’,
\&ask_daemon, [“CONTSCAN {}\n”, “/var/run/clamd.amavisd/clamd.sock“],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

Configuration for helo hostname and accept mail without postgray check

1.
add the following to the /etc/postfix/main.cf configuration file

smtpd_delay_reject = yes
smtpd_helo_required = yes smtpd_helo_restrictions =
permit_mynetworks,
check_helo_access
hash:/etc/postfix/helo_access,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit

2.
create the file /etc/postfix/helo_access
and add your restriction like example:

myowndomain.com REJECT
pcname PERMIT

3.
create the database (you don’t need restart postfix)
postmap /etc/postfix/helo_access 

4.
postfix check
restart or reload postfix
/etc/init.d/postfix reload

or
/etc/init.d/postfix restart

print out configuration
postconf -n

mailq to see the mail in queue

To remove all mail from the queue, enter:
postsuper -d ALL

Accept mail without any postgray check:

vim  /etc/postfix/rbl_override

gmail.com OK

gmail.it OK

yahoo.com OK

hotmail.com OK

outlook.com OK

startcomca.com OK

libero.it OK

and my main.cf

smtpd_recipient_restrictions =
reject_unauth_pipelining,
check_helo_access hash:/etc/postfix/helo_access,
check_client_access hash:/etc/postfix/rbl_override,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_sender_login_mismatch,
reject_non_fqdn_helo_hostname,
permit_sasl_authenticated,
check_policy_service unix:/var/spool/postfix/postgrey/socket,
reject_unauth_destination,
reject_unverified_recipient,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
#check_client_access pcre:/etc/postfix/client_checks.pcre,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client pbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client b.barracudacentral.org,
#####reject_rbl_client dnsbl-1.uceprotect.net,
#reject_rbl_client dnsbl.sorbs.net,
#reject_rbl_client dnsrbl.org,
#reject_rbl_client bl.blocklist.de,
#reject_rbl_client babl.rbl.webiron.net,
#reject_rbl_client cabl.rbl.webiron.net,
permit

 

after this configuration type:

postmap /etc/postfix/rbl_override

restart postfix

 

Failban Configuration file for WordPress

a) Create configuration file
vim /etc/fail2ban/filter.d/wordpress.conf

# Fail2Ban filter for WordPress hard failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:wordpress|wp)

failregex = .*<HOST> – – .* “POST \/wp-login\.php HTTP\/1\.1” 200 (5127|5128|5129|5130) .*
.*<HOST> – – .* “POST \/xmlrpc\.php HTTP\/1\.1” 200 (5127|5128|5129|5130) .*
.*<HOST> – – .* “POST \/blog\/wp-login\.php HTTP\/1\.1” 200 (5127|5128|5129|5130) .*
.*<HOST> – – .* “POST \/web\/wp-login\.php HTTP\/1\.1” 200 (5127|5128|5129|5130) .*
ignoreregex =

b) set jail.conf

[wordpress]

enabled = true
filter = wordpress
action = iptables-multiport[name=wordpress, port=”http,https”, dest=postmaster@saic.it, sender=postmaster@saic.it]
logpath = /var/log/httpd/access_log
maxretry = 5
port = http,https
findtime = 300
bantime = 10800

restart failban

 

 

Failban Configuration for ISPConfig

vi /etc/fail2ban/filter.d/ispconfig.conf
The first thing we need to do is create a filter for ISPconfig in the /etc/fail2ban/filter.d/ directory.

vi /etc/fail2ban/filter.d/ispconfig.conf
Add the following definition so the filter knows what to look for in the /var/log/ispconfig/auth.log for ISPConfig 3.

# Fail2Ban filter for ISPConfig hard failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:ispconfig)

failregex = Failed login for user .* from <HOST>
ignoreregex =

vim /etc/fail2ban/jail.conf

add this line

[ispconfig]
enabled = true
port = 8080
filter = ispconfig
action = iptables-multiport[name=wordpress, port=”http,https”, dest=postmaster@saic.it, sender=postmaster@saic.it]
logpath = /var/log/ispconfig/auth.log
maxretry = 3
findtime = 300
bantime = 10800
You can/should test the new configuration by running the following command.

fail2ban-regex /var/log/ispconfig/auth.log /etc/fail2ban/filter.d/ispconfig.conf

THEN Restart fail2ban to load your new jail for ISPConfig 3 failed login attempts.

service fail2ban restart

usefull

https://www.digitalocean.com/community/tutorials/how-fail2ban-works-to-protect-services-on-a-linux-server

Failban configuration

Today I found an error in the regular expression of failban filter :

/etc/fail2ban/filter.d/postfix-sasl.conf

with this useful site https://regex101.com/ gave me an error so I changed the expression from

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*     

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+\/:]*={0,2})?\s*     

failban conf file : jail.conf

[postfix-sasl]

enabled = true
filter = postfix-sasl
action = iptables[name=postfix-sasl, port=”smtp,465,submission,imap3,imaps,pop3,pop3s”, protocol=tcp]
sendmail-whois[name=postfix-sasl, dest=postmaster@saic.it, sender=postmaster@saic.it]
#port = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# “warn” level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 3
bantime = 10800

here /etc/fail2ban/paths-fedora.conf the configuration of the variable postfix_log and postfix_backend

http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal

Linux Centos 7 – Startup Services – Functions

systemctl disable httpd
Running systemctl disable removes the symlink to the service in /etc/systemd/system/*

systemctl status httpd

systemctl list-unit-files

systemctl start application.service

systemctl list-units –type=service
systemctl list-units –all –state=inactive

systemctl mask nginx.service
systemctl unmask nginx.service

systemctl edit nginx.service

To remove any additions you have made, either delete the unit’s .d configuration directory or the modified service file from /etc/systemd/system. For instance, to remove a snippet, we could type:

sudo rm -r /etc/systemd/system/nginx.service.d
To remove a full modified unit file, we would type:

sudo rm /etc/systemd/system/nginx.service
After deleting the file or directory, you should reload the systemd process so that it no longer attempts to reference these files and reverts back to using the system copies. You can do this by typing:

sudo systemctl daemon-reload

very usefull
https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units

 

Migration to Contabo from SeFlow – Nameserver and DNS

Hi to everybody,

I migrated from SeFlow, good service but awful support.

Only in the person of Matteo Berlonghi.

No professional skill, but I understood how works DNS world.

This is wants to be my personal diary.

Difference between Authority and Registrar.

usefull link to find which nameserver are registered to the Authority:

https://intodns.com/saic.it or http://mxtoolbox.com

in the DNS zone (NS record) you have to insert the nameserver that the Registrar sent to Authority.

to see the propagation: https://www.whatsmydns.net