fail2ban installation and configuration notes

A couple of days ago one web site I volunteer to manage was under DDOS attack. I installed and configured fail2ban to protect us from future similar attacks. Here are some notes. The server is the RedHat/Fedora/CentOS variety, as you can tell from commands listed below. Please translate them to your distro’s corresponding commands as needed.

  • Installation is easy:
    sudo yum install fail2ban

    To make fail2ban starts automatically after a reboot, run this:

    sudo systemctl enable fail2ban

  • Configuring is relatively easy. It’s recommended that you create your own jail configuration file, using the jail.conf from the installation as a starting point. Three things are noteworthy from my experience:
    1. Make sure that you provide the correct log file. For web server, there are typically one access log file and one error log file. Ensure that you feed the right log file when using a particular filter;
    2. On this server, fail2ban didn’t properly expand the log and file names when I put wildcard characters in them. I got around that by listing them one by one.
    3. In the jail.conf file, no default banaction was defined. I added the following line:
    banaction = iptables-multiport
  • To write your own custom filter, make sure you put a sample log entry inside the filter file as a comment. Use the following command to debug your filter:
    sudo fail2ban-regex /path2testLogfile/test.log /etc/fail2ban/filter.d/my-filter.conf
    Here is a filter that I wrote:
    [Definition]

    failregex = ^ -.*”POST \/component\/mailto\/\?tmpl=component\&link=aHR0cHM6.*”$

    ignoreregex =

  • After getting your jail.local ready, run the following command to debug any potential issues. I’ve found that if you have issues with your jail or filter files, “sudo systemctl start fail2ban” doesn’t always give you a good enough error message. Use this instead:

    sudo /usr/bin/fail2ban-client -x start

    You may need to start/stop a couple of times. To stop, run

    sudo /usr/bin/fail2ban-client -x stop

  • After debugging, before you finally start fail2ban service, it’s better to search the current access/error log and see if there is a match to the filter you defined. If yes, then take a note of its IP address and the last time it appears in the log file. Then start fail2ban by running
    sudo systemctl enable fail2ban
  • To verify that it works, run iptables -S and if it catches one offender and puts it in jail, you should see it in the output. Now go back to the access/error log and ensure there is no entry from that IP address since the last timestamp.

Good luck in protecting your servers!

Accessing modem status information with Netgear router

If, like me, you bought your own cable modem and Netgear wireless router for Comcast service, the way to access your modem’s status information is different. When using the equipment provided by Comcast, in my case the Technicolor TC8305C, which is a combo of modem, router, and voice, I can easily see modem information while accessing the router page, because it is one device.

To stop paying Comcast’s 10 dollar monthly equipment leasing fee, I purchased my own cable modem and router. I am currently using Netgear Nighthawk R7000. In this combo, to see the modem status information, you need to go to:

http://192.168.100.1

By the way, I am thinking about returning the Nighthawk R7000, for the following reasons:
1. Its web interface is really slow and clunky;
2. Its range, according to this page, is not as good as ASUS;
3. More importantly, when assigning static IP address to a device, the device name cannot be more than 20 characters!

If I do return the Nighthawk R7000, I think I’ll try ASUS RT-AC68U. Do you have suggestions?

Eclipse PDT PHP Web Application Run Configuration

I had some trouble setting up Run Configurations in Eclipse for PHP (PDT plugin). Here is my note for future reference.

Machine: Ubuntu 15 64-bit, with Eclipse Mars. sudo apt-get install php5 installed apache2 for me, so no additional web server install is necessary.

  • Enable userdir mod:
    sudo a2enmod userdir
  • Your /etc/apache2/mods-enabled/userdir.conf should look like this, if not, make it so:
    [code language=”text”]

    UserDir public_html
    UserDir disabled root


    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec Require all granted Require all denied

    [/code]

  • Comment out the user directories section in /etc/apache2/mods-available/php5.conf, like so:
    [code language=”text”]
    # Running PHP scripts in user directories is disabled by default
    #
    # To re-enable PHP in user directories comment the following lines
    # (from to .) Do NOT set it to On as it
    # prevents .htaccess files from disabling it.
    #
    #
    #php_admin_flag engine Off
    #

    #

    [/code]
  • Create a public_html directory under your home directory;
  • Run sudo apt-get install php5-xdebug;
  • Run sudo apt-get install php5-mysql, as necessary;
  • Modify /etc/php5/mods-available/xdebug.ini so it has the following lines:
    [code language=”text”]
    zend_extension=xdebug.so
    xdebug.remote_enable=1
    [/code]
  • In Eclipse, create your PHP web application project under public_html in your home directory;
  • In Eclipse, while under PHP Perspective, click the drop down next to the green run button, and select “Run Configurations…”;
  • Create a new configuration for PHP Web Application. Pay attention to the following two things:
    a. In the Server tab, Server section, the PHP Server should be “Default PHP Web Server”, this is fine.
    eclipsePDT1
    b. Click the “Configure…” button, you’ll see this. Fill in proper “Document Root” value, in my case, /home/haidong/public_html
    eclipsePDT2
    c. Click the Debugger tab, and pick “XDebug”
    eclipsePDT3
    d. Go back to the original configuration screen, pick the proper file, and fill in th URL info, like below
    eclipsePDT1

By the way, Happy 2016 all!

自建vpn之四:安装启动客户端

openvpn服务器和客户profile建立之后,安装设置客户端软件后就可以使用了!这篇博客介绍如何在Windows、Linux、和Mac上使用openvpn。我们假定你已经安全地把profile,即.ovpn文件转移到电脑上。

Windows

  1. 到这里下载客户端软件。一般来讲你要下载64位的。目前的文件名是openvpn-install-2.3.8-I601-x86_64.exe
  2. 下载完毕后安装。它可能会问要不要安装一个叫TAP的东西。你需要安装;
  3. 安装完毕,把那个.ovpn文件挪到C:\Program Files\OpenVPN\config之下
  4. Run OpenVPN GUI as administrator。这只是开启了程序,现在还没有连接到openvpn服务器上;
  5. 在屏幕右下角的空间里,找到OpenVPN GUI的图标,然后选择“connect/连接”;
  6. 连接成功。打开浏览器,试试访问以前不能访问的网站,看效果如何。

Windows 10注意事项
我发现一些不是通过安装而是通过升级到Windows 10的机器会碰到一些问题,我猜和IPv6兼容有关。我发现如果我用火狐浏览器,就可以避免这个问题。全新的Windows好像没这个问题。

Linux

  1. 打开命令行,安装openvpn:
    apt-get install openvpn
  2. [code language=”text”]sudo openvpn –config /EnterPathTo/xxx.ovpn[/code]
  3. 你可以看到vpn连接的信息。在使用openvpn的时候,你不能中断或关闭这个程序。你可以把这个Window缩小
  4. 连接成功。打开浏览器,试试访问以前不能访问的网站,看效果如何。
  5. 用完了openvpn,按Ctrl-C就可以终止了。

Mac
Tunnelblick是一个免费开源的openvpn客户端。我目前没有Mac机器,但这个客户端应当可以。

iPhone
在App Store里安装免费的OpenVPN Connect。之后你可以把爱疯连到iTunes上,用File Sharing,点击OpenVPN,然后把那个profile的.ovpn的文件拖进来。之后打开这个app,你可以看到一个新的profile可以import。之后就可以顺利连接。

Android
在App Store里找OpenVPN Connect后安装。然后把profile的.ovpn文件传到Android上。打开后利用Import功能,把profile引进后就可以很方便的应用。

祝玩得开心!

PS. 本系列其它文章
自建vpn之一:挑选供应商
自建vpn之二:保护你的机器
自建vpn之三:搭建openvpn service和生成客户端Profile

自建vpn之三:搭建openvpn service和生成客户端Profile

注:本文于2017年6月8日更新,涉及到用tcp还是udp和如何无错误地启动openvpn。
给虚机设定了基本的防护措施后,我们来安装openvpn服务器终端并生成profile文件。以下指令都是root级别。我假定你已经通过命令行连到服务器上。请根据需要在命令行前自行添加sudo或变成root。

我原计划给读者提供一步一步的说明,但那样会太繁琐。前两天注意到github上有人已经把这一切打包成一个shell脚本。我今天看了下,觉得写得很好。经过我成功测试后,推荐给你使用。并且这个脚本对Ubuntu,Debian, CentOS, RedHat啥的都管用。

  1. 请到 https://github.com/Nyr/openvpn-install 下载openvpn-install.sh脚本文件;
  2. 打开命令行,运行:
    bash /EnterRightPathHere/openvpn-install.sh
  3. 脚本程序会自动探测到你的IP网址,按回车键;
  4. 脚本问你用tcp或udp。如果你在大陆,我建议你用udp。udp因为不需要确认数据包安全抵达目的地信息,所以理论上比tcp要快;
  5. 脚本问你port number。我建议你用443。443是https的端口,这样你的vpn和https用同一个端口,我觉得可能更难以堵截;
  6. 脚本程序让你选择DNS。我不建议第一个选项(Current system resolvers)。2和6均可.
  7. 脚本程序让你命名客户端名字。默认是client。我不建议你用默认。建议你根据其所用的设备和数据中心命名,如androidFrankfurt,iphoneFrankfurt,或winPcFrankfurt等等。请用英文字母来命名;
  8. 再敲一次回车,程序就开始运行。运行时间差不多三五分钟,请等待,稍安毋躁。
  9. 运行结束后,openvpn服务器已经搭建完成并开始运行。接下来你要把它产生的.ovpn文件(profile 文件),比如winPcFrankfurt.ovpn输送到你的Windows/MacBook/Linux/Android/iPhone设备上。强烈建议你用WinSCP(Windows)或scp(Linux/Mac)来输送文件,防止在传送途中被偷窥;
  10. 如你需要产生更多的.ovpn文件,只要重新运行
    bash /EnterRightPathHere/openvpn-install.sh
    并选择第一个选项即可。

我注意到新版脚本在我的一个Debian服务器上不能正常启动。为了找到问题所在,在命令行运行:

[code language=”text”]
haidong@localhost:~/openvpn-install-master$ sudo openvpn –config /etc/openvpn/server.conf
Options error: –dh fails with ‘dh.pem’: No such file or directory
Options error: –ca fails with ‘ca.crt’: No such file or directory
Options error: –cert fails with ‘server.crt’: No such file or directory
Options error: –key fails with ‘server.key’: No such file or directory
Options error: –crl-verify fails with ‘crl.pem’: No such file or directory
Options error: –tls-auth fails with ‘ta.key’: No such file or directory
Options error: Please correct these errors.
Use –help for more information.
[/code]
问题出在openvpn找不到需要的pem、crt、key等文件。只要编辑下/etc/openvpn/server.conf,给上面提到的文件提供绝对路径就可以了。它们都在/etc/openvpn/下面。

祝玩得开心。下一篇,我们来谈谈怎样设立PC、Mac、和Linux客户端来使用vpn。

PS. 本系列其它文章
自建vpn之一:挑选供应商
自建vpn之二:保护你的机器
自建vpn之四:安装启动客户端