Tango Devlopment

Tag: ubuntu

Posts related to Ubuntu/Debian Linux

  • fail2ban non-root startup

    fail2ban runs as root by default. This is unnecessary for its functionality, other than to alter firewall rules. The firewall rules can be safely done, using sudo to enable the required calls. The Debian/Ubuntu init.d file has provisions to start fail2ban as a non-root user, but newer releases use systemd to start and stop the process. This requires a different procedure. ​ This procedure is for my servers which use Shorewall to maintain the firewall. I will document my process for configuring fail2ban in another post. ​First, create the user fail2ban as system user with group(s) required to read the logs. Fail2ban does not need a shell. The home directory is set like similar system users on Ubuntu systems.

    This procedure is for my servers which use Shorewall to maintain the firewall. I will document my process for configuring fail2ban in another post. ​First, create the user fail2ban as system user with group(s) required to read the logs. Fail2ban does not need a shell. The home directory is set like similar system users on Ubuntu systems.

    useradd --system --no-create-home --home-dir /var/lib/fail2ban --groups adm,www-data --shell /usr/sbin/nologin fail2ban

    If you are using an init.d script to start fail2ban, set the user in /etc/default/fail2ban. This value is not used by systemd. If you are using systemd there is no need to alter the /etc/default/fail2ban file.

    If you are using systemd to start fail2ban, create the systemd file /etc/systemd/system/fail2ban.service.d/override.conf. Omit the [Unit] section if you are not using Shorewall.

    [Service]
User=fail2ban
Group=adm
# Run ExecStartPre with root-permission
PermissionsStartOnly=true
ExecStartPre=/bin/chown -R fail2ban:adm /var/run/fail2ban
[Unit]
Requires=shorewall.service
After=shorewall.service

    Create a sudoers file for fail2ban such as /etc/sudoers.d/fail2ban Ensure required operations are included in the Cmnd_Aalias definition. This file is configured to use shorewall and includes all the actions that could be called. If your sudoers configuration does not use an include directory, add the rules to your sudoers file, or enable use of an include directory.

    # Sudoer rules for fail2ban
User_Alias FAIL2BAN = fail2ban
Cmnd_Alias FAIL2BAN = /sbin/shorewall allow, /sbin/shorewall6 allow, \
    /sbin/shorewall logdrop, /sbin/shorewall6 logdrop, \
    /sbin/shorewall drop, /sbin/shorewall6 drop, \
    /sbin/shorewall logreject, /sbin/shorewall6 logreject, \
    /sbin/shorewall logreject, /sbin/shorewall6 reject
FAIL2BAN ALL = NOPASSWD: FAIL2BAN
# EOF

    Change the ownership of existing files.

    chown -R fail2ban /var/log/fail2ban* /var/lib/fail2ban

    Finally, stop and restart fail2ban, check for the fail2ban process, and check your fail2ban log for errors.

    systemctl stop fail2ban
systemctl start fail2ban
ps -fu fail2ban
tail -60 /var/log/fail2ban.log | less

    If you are using fail2ban or a similar application to rotate logs, edit the configuration to create new logs owned by the fail2ban userid.

    If you are using fail2ban or a similar application to rotate logs, edit the configuration to create new logs owned by the fail2ban userid.

  • WordPress SSH2 configuration

    Instead of the packaged WordPress I run the version provided by WordPress. It is installed using a different userid from the userid the web server runs as.  To enable updates from the Admin Dashboard, I enabled sftp (ssh). This is how I did it.

    Using the sftp option requires the php ssh module. This command installs the php ssh module.

    apt install php-ssh2

    The FTP funtionality includes the sftp (ssh2) option for connectivity.  To enable this the /etc/wordpress/config.php file must be updated to include the following lines. (Use the appropriate directories for your installation.)

    // This value should be ssh2 not ssh
    define('FS_METHOD', 'ssh2');
    define('FTP_BASE', '/var/www/');
    define('FTP_CONTENT_DIR', '/var/www/wp-content/');
    define('FTP_PLUGIN_DIR ', '/var/www/wp-content/plugins/');
    define('FTP_PUBKEY', '/etc/wordpress/.ssh/id_rsa.pub');
    define('FTP_PRIKEY', '/etc/wordpress/.ssh/id_rsa');
    // user that owns wordpress install - should not be root
    define('FTP_USER', 'wordpress');
    // password for FTP_USER username - may be empty
    define('FTP_PASS', 'changeme');
    // hostname:port combo for your SSH/FTP server
    define('FTP_HOST', 'localhost');

    The following script creates and populates the directories required for ssh to work. An ssh key is generated and granted restricted access to the user owning the distribution. The last command verifies the setup.

    # Make the directories
www-data mkdir -p -m 0755 ~www-data/.ssh /etc/wordpress/.ssh
sudo chown www-data /etc/wordpress/.ssh
# Create the known hosts fi
sudo ssh-keyscan -c "localhost > ~www-data/.ssh/known_hosts"
sudo chmod 444 ~www-data/.ssh/known_hosts
# Generate the key file 
sudo -u www-data ssh-keygen -b 4096 -f /etc/wordpress/.ssh/id_rsa -N changeme
# Secure the directories
sudo chown root:www-data /etc/wordpress/.ssh ~www-data/.ssh
# Authorize the key - with restricted access
echo -n 'from="127.0.0.1,::1",restrict,pty ' >> ~/.ssh/authorized_keys
sudo cat /etc/wordpress/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
# Test the configuration - should be prompted for the key's password.
sudo -u www-data ssh -i /etc/wordpress/.ssh/id_rsa $(logname)@localhost

    I hope this is useful for you. As always, please change the password used above.

    My original installation used a key without a password. At the time sftp access was not stable. I have not yet done an upgrade with a password on the key.

  • init.d for Non-root Processes

    When installing third-party applications, they often default to running as root. The server applications for TeamSite/LiveSite are among those. I have applied a simple modification to the init.d scripts that starts them as a non-root user. It also allows the scripts to be run by members of an administration group via sudo. This approach is applicable to other applications. (more…)

  • Geo blocking with tcpwrappers

    i recently had an issue with frequent login attempts against on of my services. These were almost all from countries that should not be accessing my service. To resolve the issue I implemented geo blocking with TCP Wrappers. This is how I went about geo blocking connections. (more…)

  • WordPress Tuning

    I’ve done a little tuning to my WordPress setup. In order to keep up to date, I’ve switched from the Ubuntu installation to a downloaded installation under /opt/wordpress. This is owned by my user and served by apache running as www-data. Updates are done using the sftp add-on.

    Securing /opt/wordpress

    I added myself to the www-data group. This allow apache to read any files with group access, but prevents writing if the web-server is compromised.

    I set the group sticky bit on all the directories. If required, setting it on the wp-content/upgrade directory should be sufficient.

    SSH Key

    I generated my key outside the home directory for www-data which is /var/www. The directory I chose is not one I would publish. However, ssh requires a .ssh/known_hosts file in its home directory. This was created and the appropriate security added. The key is password protected.

    Outstanding Issues

    There are some outstanding issues. I’ll look into these as time permits.

    Native ssh

    The WordPress ssh2 modules does not work on my server. I’ve found a couple of issues.

    • Passwords on the key don’t work. This is a known issue with a work-around. The initial connection appears to fail, but a second call should resolve the issue.
    • The is_dir function does not work. Returning true for paths that end in a slash (/) is a workaround. This got me as far as trying to install. This may be a result of how the path is constructed and there is a published workaround.
    • The is_file function appear to fail as WordPress reports the download contains no files. This is likely the same issue as for the is_dir function.

    Theme upgrades

    My modifications to the theme are getting a little old. The theme works reasonably well on mobile devices, but I would like to update to a more streamlined theme. The site statistics I have indicate a surprisingly high percentage of viewers use a mobile device.

  • Hostnames for eximstats Rejections

    I use eximstats to report my daily email traffic. I have a fairly high rate of rejections, and wanted hostnames listed in the rejection reports.    To resolve this I developed a patch to capture the hostname related to the IP address, and add this data to the rejection reports.

    The enhanced list saves me the effort of looking up IP addresses that were repeatedly addressed.   Occasionally, these are from legitimate servers that have been misconfigured.  DNS problems are often the cause. (more…)

  • Providing IPv6 DNS resolver data with radvd

    One nagging issue I had with IPv6 was how to distribute DNS server addresses and search lists to my clients.   It took a little research to find the solution.  On IPv4 I had been using DHCP to do this, but DHCP didn’t seem to be right approach for IPv6. radvd can be used to distribute both types of data.  The following article covers setup on Ubuntu and OpenWRT.  The Ubuntu (Debian) examples below should work with any distribution using/etc//radvd.conf to configure radvd. (more…)

  • Setting Up BackupPC on Windows

    My original intent in setting up BackupPC was to be able to backup my laptops. The mainly run Windows, and have a lot of shared files. Therefore I wanted a backup solution which handled de-duplication. BackupPC was just what I needed. I have already posted an article about Setting Up BackupPC on Ubuntu that includes setting up a server.

    This article covers setting up BackupPC on Windows using rsyncd as the protocol.   (I tried using Samba, but didn’t like the results with Windows Home editions.) This is done with an extremely minimal cygwin install available from the BackupPC site on SourceForge.  The backups described here are not designed for bare metal recovery.   They should include all the user’s files, and some of the configuration data for installed applications. (more…)

  • Setting Up BackupPC on Ubuntu

    I recently started to do regular backups of all my systems using BackupPC. It uses the rsync protocol to limit the amount of data transferred during backups. Once the initial backup is done, future backups only need to copy incremental changes. This requires far less resources than other software I have used

    This article covers setting up the server on Ubuntu and configuring backups for Ubuntu and OpenWRT. A future article will cover backing up Windows systems using an rsyncd daemon process. (more…)

  • Email Logins for Dovecot and Exim

    While I was cleaning up my Ubuntu Email server configuration, I consolidated my login security.  My SMTP server is Exim and my IMAP server is Dovecot.  Mail User Agents (MUAs) use authentication over TLS encrypted connections to access IMAP and SMTP.   Both programs had their own password configuration.

    Exim includes Dovecot in its supported authentication mechanisms.  This enables one authentication mechanism to be used for both SMTP and IMAP (or POP3).   This post also includes configuration details for forced authentication over the Submission port. (more…)