Source: Postfix Monitoring With Mailgraph And pflogsumm On Debian Lenny
Migrate ownCloud to Nextcloud and protect it against brute force attacks with fail2ban
Updated on 2017/09/23: Fixed code in jail.local. Thank you !
Here is what I have done to migrate my ownCloud installation to Nextcloud. My installation is configured with the data directory outside of the webservers document root. To my surprise, the process was simple and painless.
- First, I have updated my ownCloud installation to version 9.0.2, which I think is the newest BETA version, via the updater app.
- Then I have made a full backup of the MySQL database via mysqldump and a full backup of the domains directory structure with tar (because of its size via sshfs to another server with sufficient space). There are howtos which are recommending exporting calendars and contacts prior to the migration, but I did not see what it should be good for after a full backup (and I do have filesystem snapshots on top of that).
- The next step was to delete everything in the ownCloud installation directory but /config, /data (and the /data direcory outside the document root of course) and /themes.
- After that I have extracted the Nextcloud 9.0.52 release ZIP just over what was left of my installation and then I have changed owner and group of the extracted files to the run user and group of the domain.
- Now it’s been time to point my browser to the GUI of the new Nextcloud installation and just walk through the steps.
- To finalize the migration I had to reactivate the calendar and contacts app.
To tighten the security of my Nextcloud installation a little, I have configured fail2ban to react on failed login attempts.
First you have to tell Nextcloud that you want to write a log file in /path/to/Nextcloud/config/config.php
<?php
$CONFIG = array (
'instanceid' => 'SECRET',
'passwordsalt' => 'SECRET',
'secret' => 'SECRET',
'trusted_domains' =>
array (
0 => 'SECRET',
1 => 'SECRET',
2 => 'SECRET',
3 => 'SECRET',
),
'datadirectory' => '/path/to/owncloud-data/',
'overwrite.cli.url' => 'SECRET',
'dbtype' => 'SECRET',
'version' => 'SECRET',
'dbname' => 'SECRET',
'dbhost' => 'SECRET',
'dbtableprefix' => 'SECRET',
'dbuser' => 'SECRET',
'dbpassword' => 'SECRET',
'installed' => true,
'maintenance' => false,
'theme' => '',
'logfile' => '/var/log/nextcloud.log',
'loglevel' => 2,
'appstore.experimental.enabled' => true,
'mail_smtpmode' => 'smtp',
'mail_from_address' => 'SECRET',
'mail_domain' => 'SECRET',
'mail_smtpauthtype' => 'PLAIN',
'mail_smtpauth' => 1,
'mail_smtphost' => 'SECRET',
'mail_smtpport' => '587',
'mail_smtpname' => 'SECRET',
'mail_smtppassword' => 'SECRET',
'mail_smtpsecure' => 'tls',
'htaccess.RewriteBase' => '/',
);
The next thing to do is to configure a filter definition /etc/fail2ban/filter.d/nextcloud.conf to tell fail2ban how to find IP-Adresses to ban:
[Definition] failregex = ^.*\"remoteAddr\":\"<HOST>\".*Login failed:.*$
Then you have to add a jail definition to /etc/fail2ban/jail.local (yep, I know that I have long bans)
[nextcloud] enabled = true logpath = /var/log/nextcloud.log port = http,https filter = nextcloud banaction = iptables-allports maxretry = 3
You can test your configuration with these commands:
fail2ban-regex /var/log/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/nextcloud.conf
Use log file : /var/log/nextcloud.log
Results
=======
Failregex
|- Regular expressions:
| [1] ^.*\"remoteAddr\":\"\".*Login failed:.*$
|
`- Number of matches:
[1] 10 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
XXX.XXX.XXX.171 (Sun Jul 03 02:59:39 2016)
XXX.XXX.XXX.171 (Sun Jul 03 03:00:31 2016)
XXX.XXX.XXX.171 (Sun Jul 03 03:06:27 2016)
XXX.XXX.XXX.171 (Sun Jul 03 03:12:02 2016)
XXX.XXX.XXX.171 (Sun Jul 03 03:12:24 2016)
XXX.XXX.XXX.171 (Sun Jul 03 03:12:26 2016)
XXX.XXX.XXX.171 (Sun Jul 03 03:12:29 2016)
XXX.XXX.XXX.119 (Sun Jul 03 03:15:50 2016)
XXX.XXX.XXX.119 (Sun Jul 03 03:15:58 2016)
XXX.XXX.XXX.119 (Sun Jul 03 03:16:05 2016)
Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
67 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 10
However, look at the above section 'Running tests' which could contain important
information.
and
fail2ban-client status nextcloud
Status for the jail: nextcloud |- filter | |- File list: /var/log/nextcloud.log | |- Currently failed: 0 | `- Total failed: 3 `- action |- Currently banned: 0 | `- IP list: `- Total banned: 1
kaputte Umlaute in per PHP erzeugtem PDF
$str = iconv(‘UTF-8’, ‘windows-1252’, $str);
remote logging with rsyslogd
- http://www.rsyslog.com/doc/rsconf1_allowedsender.html
- http://www.rsyslog.com/storing-messages-from-a-remote-system-into-a-specific-file/
- https://doc.pfsense.org/index.php/Copying_Logs_to_a_Remote_Host_with_Syslog
- https://devops.profitbricks.com/tutorials/configure-remote-logging-with-rsyslog/
Apache Monitoring
- watch -n 0.5 lynx –dump http://localhost/server-status
- apachetop -q -T 100 /var/log/ispconfig/httpd/<DOMAINNAME>/access.log
- tail -f /var/log/apache2/other_vhosts_access.log
Force HTTP To HTTPS
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Raspberry Pi – Raspian – Static Network Configuration
Static network configuration for Raspian Jessie Lite on a Raspberry Pi 2 B.
Edit /etc/network/interfaces:
/etc/network/interfaces# interfaces(5) # interfaces(5) file used by ifup(8) and ifdown(8) # Please note that this file is written to be used with dhcpcd # For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf' # Include files from /etc/network/interfaces.d: source-directory /etc/network/interfaces.d auto lo iface lo inet loopback auto eth0 allow-hotplug eth0 iface eth0 inet static address 192.168.0.XXX netmask 255.255.255.0 gateway 192.168.0.XXX dns-nameservers 192.168.0.XXX #allow-hotplug wlan0 #iface wlan0 inet manual # wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf #allow-hotplug wlan1 #iface wlan1 inet manual # wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
And then disable dhcpd:
service dhcpcd stop systemctl disable dhcpcd
Block brute force with fail2ban
source: http://crycode.de/wiki/Fail2Ban, Peter Tuch
license: http://creativecommons.org/licenses/by/4.0/
Updated for Debian 8 (2017/02/15)
jail.local
# Fail2Ban [fail2ban] enabled = true filter = fail2ban banaction = iptables-allports protocol = all port = anyport logpath = /var/log/fail2ban.log # findtime: 1 week findtime = 604800 # bantime: 1 week bantime = 604800 maxretry = 5
/etc/fail2ban/filter.d/fail2ban.conf
[Definition] failregex = fail2ban.actions\[(.*)\]: WARNING \[(.*)\] Banignoreregex = fail2ban.actions\[(.*)\]: WARNING \[fail2ban\] Ban
List and delete IP-adresses in IPtables
List existing chains
To list IPs in tables:
iptables -L -n iptables -L -n -v iptables -L-n -v iptables -L fail2ban-fail2ban -n -v
List existing chains with line number
To display line numbers:
iptables -L INPUT -n --line-numbers iptables -L OUTPUT -n --line-numbers iptables -L OUTPUT -n --line-numbers | less iptables -L-n -v --line-numbers iptables -L failtoban-failtoban -n -v --line-numbers | grep
Example:
iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 fail2ban-fail2ban all -- 0.0.0.0/0 0.0.0.0/0
2 fail2ban-courierimaps tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 993
3 fail2ban-courierimap tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 143
4 fail2ban-courierpop3s tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 995
5 fail2ban-courierpop3 tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 110
6 fail2ban-pureftpd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21
7 fail2ban-sasl tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,143,220,993,110,995
8 fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain fail2ban-courierimap (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-courierimaps (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-courierpop3 (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-courierpop3s (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-fail2ban (1 references)
num target prot opt source destination
1 DROP all -- 143.233.185.115 0.0.0.0/0
2 DROP all -- 43.229.53.56 0.0.0.0/0
3 DROP all -- 94.102.49.235 0.0.0.0/0
4 DROP all -- 69.39.193.51 0.0.0.0/0
5 DROP all -- 66.199.0.114 0.0.0.0/0
6 DROP all -- 218.65.30.107 0.0.0.0/0
7 DROP all -- 218.65.30.61 0.0.0.0/0
8 DROP all -- 94.102.63.139 0.0.0.0/0
9 DROP all -- 193.104.41.53 0.0.0.0/0
10 DROP all -- 79.58.55.44 0.0.0.0/0
11 DROP all -- 103.16.228.97 0.0.0.0/0
12 DROP all -- 89.248.168.40 0.0.0.0/0
13 DROP all -- 155.133.19.233 0.0.0.0/0
14 DROP all -- 93.174.95.81 0.0.0.0/0
15 DROP all -- 66.23.231.10 0.0.0.0/0
16 DROP all -- 14.29.80.42 0.0.0.0/0
17 DROP all -- 113.208.115.229 0.0.0.0/0
18 DROP all -- 203.177.147.211 0.0.0.0/0
19 DROP all -- 185.40.4.33 0.0.0.0/0
20 DROP all -- 59.63.188.45 0.0.0.0/0
21 DROP all -- 176.0.36.81 0.0.0.0/0
22 DROP all -- 185.63.252.128 0.0.0.0/0
23 DROP all -- 176.0.44.124 0.0.0.0/0
24 DROP all -- 221.194.57.246 0.0.0.0/0
25 DROP all -- 212.91.171.178 0.0.0.0/0
26 DROP all -- 176.4.58.196 0.0.0.0/0
27 DROP all -- 218.87.111.110 0.0.0.0/0
28 DROP all -- 185.63.252.222 0.0.0.0/0
29 DROP all -- 116.204.96.150 0.0.0.0/0
30 DROP all -- 93.174.93.177 0.0.0.0/0
31 DROP all -- 119.57.151.34 0.0.0.0/0
32 DROP all -- 62.210.151.54 0.0.0.0/0
33 DROP all -- 115.214.234.135 0.0.0.0/0
34 DROP all -- 176.4.14.45 0.0.0.0/0
35 DROP all -- 92.47.201.183 0.0.0.0/0
36 DROP all -- 222.42.146.175 0.0.0.0/0
37 DROP all -- 1.255.86.241 0.0.0.0/0
38 DROP all -- 109.109.38.139 0.0.0.0/0
39 DROP all -- 140.90.114.114 0.0.0.0/0
40 DROP all -- 46.114.78.216 0.0.0.0/0
41 DROP all -- 88.67.212.104 0.0.0.0/0
42 DROP all -- 112.101.135.160 0.0.0.0/0
43 DROP all -- 113.160.248.120 0.0.0.0/0
44 DROP all -- 66.135.38.7 0.0.0.0/0
45 DROP all -- 182.100.67.113 0.0.0.0/0
46 DROP all -- 218.87.111.107 0.0.0.0/0
47 DROP all -- 183.38.146.183 0.0.0.0/0
48 DROP all -- 85.154.11.21 0.0.0.0/0
49 DROP all -- 218.87.111.109 0.0.0.0/0
50 DROP all -- 218.87.111.108 0.0.0.0/0
51 DROP all -- 218.4.117.26 0.0.0.0/0
52 DROP all -- 204.151.15.181 0.0.0.0/0
53 DROP all -- 193.201.224.133 0.0.0.0/0
54 DROP all -- 24.179.227.180 0.0.0.0/0
55 DROP all -- 93.174.93.28 0.0.0.0/0
56 DROP all -- 43.229.53.62 0.0.0.0/0
57 DROP all -- 193.104.41.206 0.0.0.0/0
58 DROP all -- 27.109.17.42 0.0.0.0/0
59 DROP all -- 80.82.65.64 0.0.0.0/0
60 DROP all -- 113.195.145.12 0.0.0.0/0
61 DROP all -- 98.25.77.42 0.0.0.0/0
62 DROP all -- 212.83.176.26 0.0.0.0/0
63 DROP all -- 2.185.148.73 0.0.0.0/0
64 DROP all -- 58.218.211.166 0.0.0.0/0
65 DROP all -- 72.167.140.72 0.0.0.0/0
66 DROP all -- 85.214.19.249 0.0.0.0/0
67 DROP all -- 78.158.161.158 0.0.0.0/0
68 DROP all -- 173.201.187.229 0.0.0.0/0
69 DROP all -- 210.14.157.171 0.0.0.0/0
70 DROP all -- 46.219.50.112 0.0.0.0/0
71 DROP all -- 176.0.37.130 0.0.0.0/0
72 DROP all -- 43.229.53.53 0.0.0.0/0
73 DROP all -- 182.100.67.4 0.0.0.0/0
74 DROP all -- 185.40.4.45 0.0.0.0/0
75 DROP all -- 222.73.99.51 0.0.0.0/0
76 DROP all -- 146.0.72.166 0.0.0.0/0
77 DROP all -- 176.6.106.27 0.0.0.0/0
78 DROP all -- 65.181.127.72 0.0.0.0/0
79 DROP all -- 176.2.120.146 0.0.0.0/0
80 DROP all -- 218.87.111.71 0.0.0.0/0
81 DROP all -- 176.31.128.45 0.0.0.0/0
82 DROP all -- 31.180.129.125 0.0.0.0/0
83 DROP all -- 80.82.64.127 0.0.0.0/0
84 DROP all -- 82.165.35.88 0.0.0.0/0
85 DROP all -- 115.210.75.58 0.0.0.0/0
86 DROP all -- 62.210.187.221 0.0.0.0/0
87 DROP all -- 193.107.17.72 0.0.0.0/0
88 DROP all -- 121.41.14.128 0.0.0.0/0
89 DROP all -- 176.4.111.1 0.0.0.0/0
90 DROP all -- 218.65.30.217 0.0.0.0/0
91 DROP all -- 97.74.198.140 0.0.0.0/0
92 DROP all -- 104.155.36.117 0.0.0.0/0
93 DROP all -- 119.163.120.202 0.0.0.0/0
94 DROP all -- 212.83.175.192 0.0.0.0/0
95 DROP all -- 176.4.13.226 0.0.0.0/0
96 DROP all -- 94.102.52.147 0.0.0.0/0
97 DROP all -- 162.213.153.89 0.0.0.0/0
98 DROP all -- 104.217.216.174 0.0.0.0/0
99 DROP all -- 184.107.214.130 0.0.0.0/0
100 DROP all -- 202.198.129.78 0.0.0.0/0
101 DROP all -- 80.82.64.134 0.0.0.0/0
102 DROP all -- 58.187.84.243 0.0.0.0/0
103 DROP all -- 5.63.119.34 0.0.0.0/0
104 DROP all -- 62.210.190.69 0.0.0.0/0
105 DROP all -- 62.210.187.244 0.0.0.0/0
106 DROP all -- 82.165.37.87 0.0.0.0/0
107 DROP all -- 201.71.174.31 0.0.0.0/0
108 DROP all -- 192.227.219.18 0.0.0.0/0
109 DROP all -- 46.114.5.157 0.0.0.0/0
110 DROP all -- 210.143.144.87 0.0.0.0/0
111 DROP all -- 212.83.147.83 0.0.0.0/0
112 DROP all -- 212.129.15.231 0.0.0.0/0
113 DROP all -- 58.67.199.9 0.0.0.0/0
114 DROP all -- 89.248.164.63 0.0.0.0/0
115 DROP all -- 103.27.27.36 0.0.0.0/0
116 DROP all -- 176.0.110.18 0.0.0.0/0
117 DROP all -- 218.65.30.92 0.0.0.0/0
118 DROP all -- 119.252.171.158 0.0.0.0/0
119 DROP all -- 43.229.53.28 0.0.0.0/0
120 DROP all -- 221.203.142.69 0.0.0.0/0
121 DROP all -- 180.166.152.146 0.0.0.0/0
122 DROP all -- 74.208.72.135 0.0.0.0/0
123 DROP all -- 118.139.160.95 0.0.0.0/0
124 DROP all -- 95.215.0.203 0.0.0.0/0
125 DROP all -- 74.208.199.13 0.0.0.0/0
126 DROP all -- 212.83.175.238 0.0.0.0/0
127 DROP all -- 212.129.14.252 0.0.0.0/0
128 DROP all -- 62.210.188.139 0.0.0.0/0
129 DROP all -- 65.181.123.242 0.0.0.0/0
130 DROP all -- 94.79.33.21 0.0.0.0/0
131 DROP all -- 106.248.211.195 0.0.0.0/0
132 DROP all -- 218.4.90.246 0.0.0.0/0
133 DROP all -- 176.120.40.86 0.0.0.0/0
134 DROP all -- 188.42.216.107 0.0.0.0/0
135 DROP all -- 46.114.38.13 0.0.0.0/0
136 DROP all -- 43.229.53.15 0.0.0.0/0
137 DROP all -- 62.210.167.104 0.0.0.0/0
138 DROP all -- 221.203.142.72 0.0.0.0/0
139 DROP all -- 213.165.70.245 0.0.0.0/0
140 DROP all -- 212.83.175.205 0.0.0.0/0
141 DROP all -- 222.171.202.10 0.0.0.0/0
142 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-pureftpd (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-sasl (1 references)
num target prot opt source destination
1 DROP all -- 81.45.76.209 0.0.0.0/0
2 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh (1 references)
num target prot opt source destination
1 DROP all -- 218.87.111.116 0.0.0.0/0
2 DROP all -- 193.201.227.128 0.0.0.0/0
3 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Delete an entry from IPtables
To delete an entry from IPtables:
iptables -Diptables -D fail2ban-ssh 1
How to delete an IP-address from IPtables the fail2ban-way
https://www.howtoforge.com/community/threads/how-to-manually-unban-ip-blocked-by-fail2ban.51366/
http://serverfault.com/questions/285256/how-to-unban-an-ip-properly-with-fail2ban
With a pre 0.8.8 version of fail2ban it is:
fail2ban-client getactionunban fail2ban-client get fail2ban actionunban 95.90.219.173
From version 0.8.8 it is:
fail2ban-client setunbanip
How to make the rules persistent
Install the package ‘iptables-persistent’:
apt-get install iptables-persistent
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
iptables-persistent
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 10.3 kB of archives.
After this operation, 61.4 kB of additional disk space will be used.
Get:1 http://ftp.de.debian.org/debian/ wheezy/main iptables-persistent all 0.5.7 [10.3 kB]
Fetched 10.3 kB in 0s (247 kB/s)
Preconfiguring packages ...
Selecting previously unselected package iptables-persistent.
(Reading database ... 53276 files and directories currently installed.)
Unpacking iptables-persistent (from .../iptables-persistent_0.5.7_all.deb) ...
update-rc.d: using dependency based boot sequencing
Setting up iptables-persistent (0.5.7) ...
[ ok ] Loading iptables rules... IPv4... IPv6...done.
Usage:
/etc/init.d/iptables-persistent
Usage: /etc/init.d/iptables-persistent {start|restart|reload|force-reload|save|flush}
how to inspect remote SMTP server TLS certificate
openssl s_client -connect host.domain.de:25 -starttls smtp | openssl x509 -text
echo | openssl s_client -connect mx1.wiretrip.de:25 -starttls smtp | openssl x509 -dates
