├── author ├── src ├── http-get-dos.conf ├── img │ └── you.png ├── i_will_update.sh ├── .muttrc ├── 000-default.conf ├── portsentry ├── ssl-params.conf ├── i_will_monitor_cron.sh ├── img_hamster ├── img_hamster_name ├── default-ssl.conf ├── login.html ├── portsentry.conf └── jail.local ├── .DS_Store ├── img ├── .DS_Store ├── you.png ├── enp0s3.png ├── sudoers.png ├── update.png ├── ifconfig.png ├── interfaces.png ├── login_page.png ├── ufw_status.png ├── cron_update.png ├── fail2ban_ssh.png ├── http-get-dos.png ├── ifconfig_res.png ├── monitor_cron.png ├── partition_1.png ├── partition_2.png ├── partition_3.png ├── partition_4.png ├── partition_5.png ├── specify_img.png ├── fail2ban_check.png ├── fail2ban_http.png └── list_of_services.png ├── deploy.conf ├── deploy.sh └── README.md /author: -------------------------------------------------------------------------------- 1 | kprytkov 2 | -------------------------------------------------------------------------------- /src/http-get-dos.conf: -------------------------------------------------------------------------------- 1 | [Definition] 2 | failregex = ^ -.*GET 3 | ignoreregex = 4 | -------------------------------------------------------------------------------- /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/.DS_Store -------------------------------------------------------------------------------- /img/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/.DS_Store -------------------------------------------------------------------------------- /img/you.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/you.png 
-------------------------------------------------------------------------------- /img/enp0s3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/enp0s3.png -------------------------------------------------------------------------------- /img/sudoers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/sudoers.png -------------------------------------------------------------------------------- /img/update.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/update.png -------------------------------------------------------------------------------- /src/img/you.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/src/img/you.png -------------------------------------------------------------------------------- /img/ifconfig.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/ifconfig.png -------------------------------------------------------------------------------- /img/interfaces.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/interfaces.png -------------------------------------------------------------------------------- /img/login_page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/login_page.png -------------------------------------------------------------------------------- /img/ufw_status.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/ufw_status.png -------------------------------------------------------------------------------- /img/cron_update.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/cron_update.png -------------------------------------------------------------------------------- /img/fail2ban_ssh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/fail2ban_ssh.png -------------------------------------------------------------------------------- /img/http-get-dos.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/http-get-dos.png -------------------------------------------------------------------------------- /img/ifconfig_res.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/ifconfig_res.png -------------------------------------------------------------------------------- /img/monitor_cron.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/monitor_cron.png -------------------------------------------------------------------------------- /img/partition_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/partition_1.png -------------------------------------------------------------------------------- /img/partition_2.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/partition_2.png -------------------------------------------------------------------------------- /img/partition_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/partition_3.png -------------------------------------------------------------------------------- /img/partition_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/partition_4.png -------------------------------------------------------------------------------- /img/partition_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/partition_5.png -------------------------------------------------------------------------------- /img/specify_img.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/specify_img.png -------------------------------------------------------------------------------- /img/fail2ban_check.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/fail2ban_check.png -------------------------------------------------------------------------------- /img/fail2ban_http.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/fail2ban_http.png -------------------------------------------------------------------------------- /img/list_of_services.png: 
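# --------------------------------------------------------------------------------
# /img/list_of_services.png:
# https://raw.githubusercontent.com/KseniiaPrytkova/roger-skyline-1/HEAD/img/list_of_services.png
# --------------------------------------------------------------------------------
# /src/i_will_update.sh:
# --------------------------------------------------------------------------------
#!/bin/bash
# Unattended apt update/upgrade. deploy.sh installs this into the deploying
# user's crontab ("@reboot" and "0 4 * * MON"), so it runs as that user and
# depends on sudo working without a password prompt from cron (see the
# sudoers screenshot in img/; confirm the rule is limited to apt-get rather
# than ALL).
#
# Changes vs. the original two-liner:
#  - stderr is captured as well, so a failed upgrade shows up in the log
#    instead of vanishing into cron mail;
#  - the log is appended through "sudo tee": the original ">>" redirection
#    was performed by the *unprivileged* shell, which can only append to
#    /var/log/update_script.log if that file was pre-created writable;
#  - each run is bracketed with timestamps so the log is auditable.
LOG=/var/log/update_script.log

{
    echo "=== $(date '+%F %T') apt update/upgrade started (uid $(id -u))"
    sudo apt-get update -y
    sudo apt-get upgrade -y
    echo "=== $(date '+%F %T') apt update/upgrade finished"
} 2>&1 | sudo tee -a "$LOG" >/dev/null
# --------------------------------------------------------------------------------
# /deploy.conf:
# --------------------------------------------------------------------------------
#!/bin/bash
# Values sourced by deploy.sh (the file is read with "source", never executed,
# so the shebang is informational only).

MAIL_NAME="debian.lan"
# Static address with a /30 netmask (two usable hosts: this VM and its gateway).
# NOTE: src/000-default.conf and src/default-ssl.conf hard-code the same
# address; change them together with IP_ADDRESS.
IP_ADDRESS="192.168.10.42"
NETMASK="255.255.255.252"
# Non-default SSH port; deploy.sh opens it in ufw and rewrites sshd_config.
SSH_PORT=50000
# The trailing slash selects Maildir delivery in postfix (home_mailbox).
MAIL_HOME_MAILBOX=mail/
# --------------------------------------------------------------------------------
# /src/.muttrc:
# --------------------------------------------------------------------------------
# Root's mutt config: read the local Maildir that postfix delivers to
# (home_mailbox = mail/, set by deploy.sh).
set mbox_type=Maildir
set folder="/root/mail"
set mask="!^\\.[^.]"
set mbox="/root/mail"
set record="+.Sent"
set postponed="+.Drafts"
set spoolfile="/root/mail"
# --------------------------------------------------------------------------------
# /src/000-default.conf:
# --------------------------------------------------------------------------------
# Plain-HTTP vhost: every request is bounced to the HTTPS site. The enclosing
# <VirtualHost *:80> container is not visible in this listing (stripped as
# markup); the directives below belong inside it.
# The redirect target duplicates IP_ADDRESS from deploy.conf - update both.
# "Redirect" without a status is a 302; switch to "Redirect permanent" once
# the address is final so clients cache the HTTPS location.
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Redirect "/" "https://192.168.10.42/"

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
# --------------------------------------------------------------------------------
# /src/portsentry:
# --------------------------------------------------------------------------------
# /etc/default/portsentry
#
# This file is read by /etc/init.d/portsentry. See the portsentry.8
# manpage for details.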
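#
# The options in this file refer to commandline arguments (all in lowercase)
# of portsentry. Use only one tcp and udp mode at a time.
#
# "atcp"/"audp" = advanced stealth mode: portsentry reacts to traffic on
# *any* unbound port below ADVANCED_PORTS_TCP/UDP (1024 in portsentry.conf).
# Combined with SCAN_TRIGGER="0" and KILL_ROUTE (iptables DROP) there, a
# single stray connection to e.g. port 21 blocks the source host - put the
# admin workstation in /etc/portsentry/portsentry.ignore before starting it.
TCP_MODE="atcp"
UDP_MODE="audp"
# --------------------------------------------------------------------------------
# /src/ssl-params.conf:
# --------------------------------------------------------------------------------
# Global TLS hardening, copied to /etc/apache2/conf-available/ by deploy.sh.
# Needs mod_ssl and mod_headers (a2enmod ssl headers) and must be enabled
# with a2enconf; copying the file alone does nothing.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# The original "All -SSLv2 -SSLv3" still offered TLS 1.0/1.1; both are
# deprecated (RFC 8996) and no client this site serves needs them.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On

Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Strict-Transport-Security is deliberately NOT set: the site uses a
# self-signed certificate, and HSTS makes browsers refuse to click through
# the resulting certificate warning. Add it only once a trusted CA signs.

SSLCompression off
SSLSessionTickets Off
# Stapling has nothing to staple for a self-signed certificate (no OCSP
# responder URL in the cert); harmless here, it only logs a warning.
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# --------------------------------------------------------------------------------
# /src/i_will_monitor_cron.sh:
# --------------------------------------------------------------------------------
#!/bin/bash
# Runs every minute from the deploying user's crontab (see deploy.sh) and
# mails root when /etc/crontab differs from the recorded baseline digest.
#
# Changes vs. the original:
#  - the baseline file is root-owned and only root-writable. The original
#    did "chmod 777", so any local user could re-baseline after tampering
#    and suppress the alert. It stays world-readable so the unprivileged
#    cron job can still compare, and is rewritten through sudo;
#  - sha256sum replaces md5sum (same cost, no deprecated primitive). The
#    file name is kept because the README/screenshots refer to it; the
#    first run after this change reports one spurious "changed" mail;
#  - the mail carries a timestamp and the new digest instead of just "KO",
#    because the baseline is overwritten immediately, so the mail is the
#    only record of what changed.
# Limits: only /etc/crontab is watched - /etc/cron.d/*, /etc/cron.*/ and
# per-user crontabs are not. The baseline still lives in a user-writable
# home directory, whose owner could unlink and recreate it; move it under
# /var/lib/ for a root-only location (kept here for the documented path).
TARGET=/etc/crontab
BASELINE=/home/kseniia/cron_md5

# Create the baseline once as root:root 0644; never loosen an existing one.
if [ ! -e "$BASELINE" ]; then
    sudo install -m 644 -o root -g root /dev/null "$BASELINE"
fi

current="$(sha256sum "$TARGET" | awk '{print $1}')"
recorded="$(cat "$BASELINE")"

if [ "$current" != "$recorded" ]; then
    printf '%s\n' "$current" | sudo tee "$BASELINE" >/dev/null
    printf 'KO\n%s %s changed\nnew sha256: %s\n' \
        "$(date '+%F %T')" "$TARGET" "$current" \
        | mail -s "Cronfile was changed" root@debian.lan
fi
# --------------------------------------------------------------------------------
# /src/img_hamster:
# --------------------------------------------------------------------------------
 _ _ 
(`-`;- "```"-;`-`) 
\.' './ 
/ \ 
; ( ) () ; 
/| = = |\ 
; \ '._Y_.' / ; 
; `-._ \|/ _.-' ; 
; `"""` ; 
; `""-. .-""` ; 
/; '--._ \ / _.-- ;\ 
: `. `/|| ||\` .' : 
'. '-._ _.-' .' 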
14 | (((-'` `"""""` `'-))) 15 | 16 | -------------------------------------------------------------------------------- /src/img_hamster_name: -------------------------------------------------------------------------------- 1 | _____ __ __ __ 2 | / ___/ ____ ____ _ _____ ___ / / / /____ _ ____ ___ _____ / /_ ___ _____ 3 | \__ \ / __ \ / __ `// ___// _ \ / /_/ // __ `// __ `__ \ / ___// __// _ \ / ___/ 4 | ___/ // /_/ // /_/ // /__ / __/ / __ // /_/ // / / / / /(__ )/ /_ / __// / 5 | /____// .___/ \__,_/ \___/ \___/ /_/ /_/ \__,_//_/ /_/ /_//____/ \__/ \___//_/ 6 | /_/ 7 | -------------------------------------------------------------------------------- /src/default-ssl.conf: -------------------------------------------------------------------------------- 1 | 2 | 3 | ServerAdmin root@localhost 4 | ServerName 192.168.10.42 5 | DocumentRoot /var/www/html 6 | ErrorLog ${APACHE_LOG_DIR}/error.log 7 | CustomLog ${APACHE_LOG_DIR}/access.log combined 8 | SSLEngine on 9 | SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt 10 | SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key 11 | 12 | SSLOptions +StdEnvVars 13 | 14 | 15 | SSLOptions +StdEnvVars 16 | 17 | 18 | 19 | 20 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet 21 | -------------------------------------------------------------------------------- /src/login.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 93 | 94 | 95 | 96 |

Login

97 | 98 |
99 |
100 | Avatar 101 |
102 | 103 |
104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 114 |
115 | 116 |
117 | 118 | Forgot password? 119 |
120 |
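# --------------------------------------------------------------------------------
# /deploy.sh:
# --------------------------------------------------------------------------------
#!/bin/bash
#
# roger-skyline-1 provisioning script. Run with sudo on a fresh Debian VM:
# it reads deploy.conf, installs packages, sets a static IP, moves SSH to
# SSH_PORT, enables ufw/fail2ban/portsentry, installs cron jobs for the
# invoking user, configures local mail and deploys the Apache HTTPS site.
#
# Changes vs. the original header section:
#  - err_exit now exits 1 (it used a bare "exit", i.e. status 0, so a
#    wrapper could not tell a failed deploy from a successful one);
#  - the script refuses to run without root and without SUDO_USER, because
#    later steps write /etc and install cron jobs for ${SUDO_USER};
#  - deploy.conf is loaded from the script's own directory instead of the
#    current working directory, and a missing file or value is an error
#    rather than a silent run with an empty IP/port;
#  - messages are quoted so colour codes and spaces survive word splitting.

PRE_INFO="# "
PRE_ERR="! "

COLOR_INFO="\033[0;36m"
COLOR_NOTICE="\033[0;33m"
COLOR_ERR="\033[0;31m"
COLOR_RESET="\033[0m"

# Print an error line (red).
err () {
    echo -e "${COLOR_ERR}${PRE_ERR}${1}${COLOR_RESET}"
}

# Print an error line and abort the deploy with a non-zero status.
err_exit () {
    err "${1} - exiting"
    exit 1
}

# Print an informational line (cyan).
pr () {
    echo -e "${COLOR_INFO}${PRE_INFO}${1}${COLOR_RESET}"
}

# Print a notice line (yellow) for manual follow-up steps.
pr_notice () {
    echo -e "${COLOR_NOTICE}${PRE_INFO}${1}${COLOR_RESET}"
}

# Everything below edits /etc and restarts services: insist on root, and on
# a real invoking user (the cron jobs go into $SUDO_USER's crontab).
[ "$(id -u)" -eq 0 ] || err_exit "This script must be run as root (sudo ./deploy.sh)"
[ -n "${SUDO_USER}" ] && [ "${SUDO_USER}" != "root" ] || err_exit "Run via sudo from the unprivileged user who should own the cron jobs"

# Save the full path to this script.
SCRIPT_DIR="$( cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"

# Get all configurable values (MAIL_NAME, IP_ADDRESS, NETMASK, SSH_PORT,
# MAIL_HOME_MAILBOX) from deploy.conf next to this script.
CONF_FILE="${SCRIPT_DIR}/deploy.conf"
[ -r "${CONF_FILE}" ] || err_exit "Config file \"${CONF_FILE}\" not found"
# shellcheck source=deploy.conf
source "${CONF_FILE}"
for v in MAIL_NAME IP_ADDRESS NETMASK SSH_PORT MAIL_HOME_MAILBOX; do
    [ -n "${!v}" ] || err_exit "\"${v}\" is not set in ${CONF_FILE}"
done

SRC_DIR="${SCRIPT_DIR}/src/"
# Check that the src/ directory exists.
[ ! -d "${SRC_DIR}" ] && err_exit "Source directory \"${SRC_DIR}\" does not exist"

pr "Updating system"
apt-get update -y || err_exit "apt-get update failed"
echo
pr "Upgrading system"
apt-get upgrade -y || err_exit "apt-get upgrade failed"
echo

# All the packages to install.
declare -a pkgs=(
    "vim"
    "openssh-server"   # Should be installed already, but just in case.
    "net-tools"
    "ufw"
    "iptables"
    "fail2ban"
    "apache2"
    "portsentry"       # Opens up an interactive screen (->ENTER).
    "bsd-mailx"        # Not needed, but can be useful for testing (sending mails manually).
    "postfix"          # Opens up an interactive screen.
    "mutt"             # Terminal mail client for root.
)

# Set these values to be pre-answered for these packages,
# in order to skip the interactive screen.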
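echo "postfix postfix/mailname string $MAIL_NAME" | debconf-set-selections
echo "postfix postfix/main_mailer_type string Local only" | debconf-set-selections
echo "postfix postfix/root_address string root@localhost" | debconf-set-selections
echo "postfix postfix/protocols select ipv6" | debconf-set-selections
echo "portsentry portsentry/startup_conf_obsolete note" | debconf-set-selections
echo "portsentry portsentry/warn_no_block note" | debconf-set-selections

# The original comment promised DEBIAN_FRONTEND=noninteractive but never set
# it; export it so a package question not covered by the preseeds above
# cannot hang an unattended deploy.
export DEBIAN_FRONTEND=noninteractive
for p in "${pkgs[@]}"; do
    pr "Installing ${p}"
    apt-get install -y "$p" || err_exit "Failed to install ${p}"
    echo
done

pr "Setting up static IP ${IP_ADDRESS} with netmask ${NETMASK}"
# Append the stanza only once so a re-run does not stack duplicates (a second
# "auto enp0s3"/"iface enp0s3" pair makes ifup fail). Relies on the Debian
# default "source /etc/network/interfaces.d/*" line being present.
if ! grep -q '^auto enp0s3$' /etc/network/interfaces; then
    printf '%s\n' "# The primary network interface" "auto enp0s3" >> /etc/network/interfaces
fi
IFACE_FILE=/etc/network/interfaces.d/enp0s3
printf '%s\n' "iface enp0s3 inet static" \
    "    address ${IP_ADDRESS}" \
    "    netmask ${NETMASK}" > "${IFACE_FILE}"
service networking restart || err "Failed to restart the networking service"
echo

pr "Printing ifconfig"
ifconfig || err "Failed to start ifconfig"
echo

pr "Printing the SSHD service process"
ps -ef | grep sshd
echo

# Rewrite one sshd_config directive in place, whether it is still the
# commented-out default ("#Port 22") or already active ("Port 2222"), and
# confirm the result landed. The original only matched the commented form
# and silently left an active directive alone. $1 = directive, $2 = value.
set_sshd_option () {
    local key="$1" value="$2" cfg=/etc/ssh/sshd_config
    if grep -Eq "^[[:blank:]]*#?[[:blank:]]*${key}[[:blank:]]+" "${cfg}"; then
        sed -i -E "/^[[:blank:]]*#?[[:blank:]]*${key}[[:blank:]]+[[:graph:]]*[[:blank:]]*$/c\\${key} ${value}" "${cfg}"
    else
        echo "${key} ${value}" >> "${cfg}"
    fi
    grep -Eq "^${key}[[:blank:]]+${value}[[:blank:]]*$" "${cfg}" \
        || err "Failed to set \"${key} ${value}\" - change it manually in ${cfg}"
}

pr "Setting SSH port number to ${SSH_PORT}"
# Keep a copy so a broken rewrite can be rolled back before sshd restarts.
SSHD_BACKUP=/tmp/roger_skyline_sshd_config.tmp
cp /etc/ssh/sshd_config "${SSHD_BACKUP}"
set_sshd_option Port "${SSH_PORT}"
echo

pr "Disable SSH login for the root user"
set_sshd_option PermitRootLogin no
echo

pr "Restarting the SSHD service"
# Validate first: restarting sshd with an invalid config would drop the
# remote session with no way back in. On failure, restore the backup.
if sshd -t; then
    rm -f "${SSHD_BACKUP}"
    service sshd restart || err "Restarting the SSHD service failed"
else
    cp "${SSHD_BACKUP}" /etc/ssh/sshd_config
    err "sshd_config failed validation - original restored, change Port/PermitRootLogin manually"
fi
echo

pr "Printing the status of SSH"
systemctl status ssh || err "Failed to check the status of SSH"
echo

# Open the needed ports *before* turning the firewall on. The original
# enabled ufw first (incoming policy: deny) and only then allowed
# ${SSH_PORT}, leaving a window in which a dropped session could not
# reconnect. 443 is TCP-only now; a bare "443" also opened 443/udp.
declare -a ufw_allow=(
    "${SSH_PORT}/tcp (SSH)"
    "80/tcp (HTTP)"
    "443/tcp (HTTPS)"
)
ufw default deny incoming || err "Failed to set ufw default policy"
for e in "${ufw_allow[@]}"; do
    pr "Make ufw allow ${e}"
    ufw allow "${e%% *}" || err_exit "Failed to make ufw allow ${e}"
    echo
done

pr "Enabling ufw"
# --force skips the "may disrupt existing ssh connections" prompt.
ufw --force enable || err_exit "Failed to enable ufw"
echo

pr "Printing the status of ufw"
ufw status
echo

pr "Deploying fail2ban src files"
# jail.local is listed in the tree but its content is not in this listing;
# it is expected to define the sshd jail on port ${SSH_PORT} and an
# "http-get-dos" jail (screenshots fail2ban_ssh.png / fail2ban_http.png).
# The http-get-dos filter must carry fail2ban's <HOST> tag in its failregex
# ("^<HOST> -.*GET"); the tag is easily lost when the file is rendered as HTML.
cp "${SRC_DIR}/jail.local" /etc/fail2ban/ || err_exit "Failed to copy \"jail.local\""
cp "${SRC_DIR}/http-get-dos.conf" /etc/fail2ban/filter.d/ || err_exit "Failed to copy \"http-get-dos.conf\""
echo

pr "Restarting ufw and fail2ban"
ufw reload || err "Failed to restart ufw"
# fail2ban is normally already running after package installation, so the
# original "service fail2ban start" was a no-op and the new jail.local was
# never loaded. Restart to pick it up.
service fail2ban restart || err_exit "Failed to restart fail2ban"
echo

pr "Printing the status of fail2ban"
fail2ban-client status
echo

pr "Deploying portsentry src files"
cp "${SRC_DIR}/portsentry" /etc/default/ || err_exit "Failed to copy \"portsentry\""
cp "${SRC_DIR}/portsentry.conf" /etc/portsentry/ || err_exit "Failed to copy \"portsentry.conf\""
echo

pr "Starting portsentry (it will now begin to block the port scans)"
# Same reasoning as for fail2ban: the package already started portsentry
# with its stock config; restart so /etc/default/portsentry (atcp/audp) and
# the new portsentry.conf take effect. Advanced mode with SCAN_TRIGGER=0
# blocks a host on its first probe of any unused port < 1024 - whitelist
# the admin workstation in /etc/portsentry/portsentry.ignore first.
/etc/init.d/portsentry restart || err_exit "Failed to start portsentry"
echo

declare -a services_to_disable=(
    "bluetooth"
    "console-setup"
    "keyboard-setup"
)
for e in "${services_to_disable[@]}"; do
    pr "Disable service ${e}"
    systemctl disable "${e}.service" || err "Failed to disable the ${e} service"
    echo
done

# Deploy cron jobs to /home/[user who called sudo]/cronjobs/.
DIR_CRONJOBS="/home/${SUDO_USER}/cronjobs"
declare -a cronjobs=(
    "i_will_update.sh"
    "i_will_monitor_cron.sh"
)

pr "Deploying cron jobs to ${DIR_CRONJOBS}/"
sudo -u "$SUDO_USER" mkdir -p "${DIR_CRONJOBS}"
for e in "${cronjobs[@]}"; do
    sudo -u "$SUDO_USER" cp "${SRC_DIR}/${e}" "${DIR_CRONJOBS}/" || err_exit "Failed to copy \"${e}\""
    chmod u+x "${DIR_CRONJOBS}/${e}"
done
echo

# Both scripts call sudo themselves, so cron can only run them if sudoers
# lets ${SUDO_USER} run them without a password (see img/sudoers.png);
# restrict that rule to the commands they need rather than ALL.
CRONTAB_TMP=/tmp/roger_skyline_crontab.tmp
for e in "${cronjobs[@]}"; do
    pr "Adding crontab rules for ${e}"
    # "crontab -l" exits non-zero when the user has no crontab yet; that is
    # fine, we then start from an empty file.
    sudo -u "$SUDO_USER" crontab -l > "${CRONTAB_TMP}" 2>/dev/null || true
    # Skip entries that are already present (idempotent re-runs).
    if grep -qF "${DIR_CRONJOBS}/${e}" "${CRONTAB_TMP}"; then
        pr "Crontab already contains ${e}, skipping"
        echo
        continue
    fi
    # The original entries ended in "&"; cron already runs each job in its
    # own process, and backgrounding only discarded the exit status and
    # any output cron would otherwise mail to the user.
    if [ "${e}" == "i_will_update.sh" ]; then
        echo "@reboot ${DIR_CRONJOBS}/${e}" >> "${CRONTAB_TMP}"
        echo "0 4 * * MON ${DIR_CRONJOBS}/${e}" >> "${CRONTAB_TMP}"
    elif [ "${e}" == "i_will_monitor_cron.sh" ]; then
        echo "* * * * * ${DIR_CRONJOBS}/${e}" >> "${CRONTAB_TMP}"
    fi
    sudo -u "$SUDO_USER" crontab "${CRONTAB_TMP}" || err_exit "Failed to add ${e} cron job"
    echo
done
rm -f "${CRONTAB_TMP}"

pr "Set root:root in etc/aliases"
# Keep root's mail local; with home_mailbox it lands in /root/mail/ for mutt.
sed -i "/^[[:blank:]]*root:[[:blank:]]*[[:graph:]]*[[:blank:]]*$/c\root:root" /etc/aliases
echo

pr "Reload aliases"
newaliases || err_exit "Failed reloading aliases"
echo

pr "Setting the home mailbox and restarting postfix"
postconf -e "home_mailbox = ${MAIL_HOME_MAILBOX}"
postfix reload || err_exit "Failed to restart postfix"
echo

pr "Deploying mutt src file"
cp "${SRC_DIR}/.muttrc" /root || err_exit "Failed to copy .muttrc"
echo

pr "Generate SSL self-signed key and certificate"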
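# Self-signed RSA key/cert for the HTTPS vhost (default-ssl.conf points at
# these paths). Changes vs. the original:
#  - a subjectAltName is included: browsers ignore the CN for an IP host,
#    so without the SAN the cert never matches ${IP_ADDRESS} (-addext
#    needs OpenSSL >= 1.1.1; drop that line on older releases);
#  - the private key is explicitly made root-only (openssl honours the
#    umask, which would otherwise leave it world-readable);
#  - empty ST/L/O/OU fields are dropped from -subj (openssl only warned
#    and skipped them).
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/C=UA/CN=${IP_ADDRESS}" \
    -addext "subjectAltName=IP:${IP_ADDRESS}" \
    -keyout /etc/ssl/private/apache-selfsigned.key \
    -out /etc/ssl/certs/apache-selfsigned.crt \
    || err_exit "Failed to generate SSL self-signed key and certificate"
chmod 600 /etc/ssl/private/apache-selfsigned.key
echo

pr "Deploying SSL params src file"
cp "${SRC_DIR}/ssl-params.conf" /etc/apache2/conf-available/ || err_exit "Failed to copy ssl-params.conf"
echo

pr "Deploying default SSL conf src file"
cp "${SRC_DIR}/default-ssl.conf" /etc/apache2/sites-available/ || err_exit "Failed to copy default-ssl.conf"
echo

pr "Deploying 000-default.conf src file"
cp "${SRC_DIR}/000-default.conf" /etc/apache2/sites-available/ || err_exit "Failed to copy 000-default.conf"
echo

pr "Enabling TLS modules, the hardening conf and the HTTPS site"
# Copying into *-available/ does nothing by itself: ssl-params.conf uses
# "Header" (mod_headers) and "SSL*" (mod_ssl) directives, and default-ssl
# is not enabled by default. The original script never did this step, so
# Apache kept serving plain HTTP only. All of these are idempotent.
a2enmod ssl headers || err_exit "Failed to enable mod_ssl/mod_headers"
a2enconf ssl-params || err_exit "Failed to enable ssl-params.conf"
a2ensite default-ssl || err_exit "Failed to enable default-ssl"
# Validate before restarting so a bad directive does not take the site down;
# a full restart is needed for newly enabled modules.
apache2ctl configtest || err_exit "Apache configuration test failed"
systemctl restart apache2 || err_exit "Failed to restart apache2"
echo

pr "Deploy the login page"
cp "${SRC_DIR}/login.html" /var/www/html/ || err_exit "Failed to copy login.html"
echo

pr_notice "Don't forget to setup SSH public key authentication on the host side!"
echo
pr_notice "Don't forget to copy the nameserver from host machine /etc/resolv.conf to this machine if needed!"
echo

pr "And finally..."
sleep 2
pr "Deploy the"
sleep 2
cat "${SRC_DIR}/img_hamster_name"
mkdir -p /var/www/html/img/
cp "${SRC_DIR}/img/you.png" /var/www/html/img/ || err_exit "Failed to copy you.png"
echo

sleep 1
cat "${SRC_DIR}/img_hamster"
# --------------------------------------------------------------------------------
# /src/portsentry.conf:
# --------------------------------------------------------------------------------
# PortSentry Configuration
#
# $Id: portsentry.conf.Debian,v 1.6 2001/07/19 21:02:20 agx Exp $
#
# Original portsentry.conf by Craig H. Rowland
# modified for Debian by Guido Guenther
#
# Deployment notes (roger-skyline-1): this is the Debian stock file with two
# deviations - KILL_ROUTE is uncommented (iptables DROP) and KILL_HOSTS_DENY
# uses the "new style" format. Blocking is immediate (SCAN_TRIGGER="0") in
# advanced mode, so list the admin host and gateway in portsentry.ignore.
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.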
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.


#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#
# NOTE(review): /etc/default/portsentry in this repo selects "atcp"/"audp"
# (advanced mode), so the TCP_PORTS/UDP_PORTS lists below are not used by
# this deployment; only the ADVANCED_* settings further down matter.
#

# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1024.
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
# OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
# warned! Don't write me if you have have a problem because I'll only tell
# you to RTFM and don't run above the first 1024 ports.
#
# NOTE(review): in this deployment the only bound ports below 1024 are
# Apache's 80/443 (SSH is moved to 50000 by deploy.sh, outside this range),
# so every other low port is a tripwire.
#
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldn't* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"


######################
# Configuration Files#
######################
#
# Hosts to ignore
# NOTE(review): with BLOCK_TCP/BLOCK_UDP="1" and SCAN_TRIGGER="0" below, this
# file is the only thing keeping the admin workstation and the gateway from
# being DROPped on their first stray packet - populate it before the service
# is (re)started by deploy.sh.
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/var/lib/portsentry/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/var/lib/portsentry/portsentry.blocked"

##############################
# Misc. Configuration Options#
##############################
#
# DNS Name resolution - Setting this to "1" will turn on DNS lookups
# for attacking hosts. Setting it to "0" (or any other value) will shut
# it off.
# NOTE(review): keep at "0" - a reverse lookup of an attacker-controlled PTR
# record is slow and is itself input from the scanning party.
RESOLVE_HOST = "0"

###################
# Response Options#
###################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you don't want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected. The variable $PORT$ will be substituted
# with the port that was scanned.
#
##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but don't want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against UDP and stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# I personally would wait for this to become a problem before
# doing though as most attackers really aren't doing this.
# The third option allows you to run just the external command
# in case of a scan to have a pager script or such execute
# but not drop the route. This may be useful for some admins
# who want to block TCP, but only want pager/e-mail warnings
# on UDP, etc.
#
#
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)
#
# NOTE(review): UDP blocking acts on a spoofable source address, so a third
# party can get any chosen IP (including the gateway) blocked with one forged
# datagram; BLOCK_UDP="0" is the safer choice unless the ignore file covers
# every host that must stay reachable.

BLOCK_UDP="1"
BLOCK_TCP="1"

###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (333.444.555.666) should ideally be a dead host on
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect. NOTE THAT
# 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
#
# ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
# uncomment the correct line for your OS. If you OS is not listed
# here and you have a route drop command that works then please
# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
# CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
#
# NOTE: The route commands are the least optimal way of blocking
# and do not provide complete protection against UDP attacks and
# will still generate alarms for both UDP and stealth scans. I
# always recommend you use a packet filter because they are made
# for this purpose.
#

# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"

# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"

# FreeBSD
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"

# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"

# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"

##
# Using a packet filter is the PREFERRED. The below lines
# work well on many OS's. Remember, you can only uncomment *one*
# KILL_ROUTE option.
##

# ipfwadm support for Linux
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# ipfwadm support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# ipchain support for Linux
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# ipchain support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
#
# iptables support for Linux
# NOTE(review): the one option enabled in this deployment. The rule is
# inserted at the top of the built-in INPUT chain, ahead of ufw's chains, so
# ufw's allow rules cannot override it. It is not persisted: a reboot clears
# it, and "ufw disable"/"ufw reload" flush the built-in chains as well
# (deploy.sh runs "ufw reload" before (re)starting portsentry, so ordering
# there is fine) - verify on the installed ufw version. Blocks survive only
# as entries in HISTORY_FILE.
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
#
# iptables support for Linux with limit and LOG support. Logs only
# a limited number of packets to avoid a denial of service attack.
# KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level DEBUG --log-prefix 'Portsentry: dropping: '"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
#
#
# For those running ipfilt (OpenBSD, etc.)
# NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!!
#
#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -"


###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
#KILL_HOSTS_DENY="ALL: $TARGET$"

# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
# NOTE(review): only services linked against libwrap honour hosts.deny; on
# current Debian that may exclude sshd (check with "ldd $(which sshd)"), so
# the iptables rule above is the effective block.
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

###################
# External Command#
###################
# This is a command that is run when a host connects, it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped or after depending on the KILL_RUN_CMD_FIRST option below
#
#
# I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS AGAINST THE HOST SCANNING
# YOU!
#
# TCP/IP is an *unauthenticated protocol* and people can make scans appear out
# of thin air. The only time it is reasonably safe (and I *never* think it is
# reasonable) to run reverse probe scripts is when using the "classic" -tcp mode.
# This mode requires a full connect and is very hard to spoof.
#
# The KILL_RUN_CMD_FIRST value should be set to "1" to force the command
# to run *before* the blocking occurs and should be set to "0" to make the
# command run *after* the blocking has occurred.
#
#KILL_RUN_CMD_FIRST = "0"
#
#
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$ $MODE$"
# for examples see /usr/share/doc/portsentry/examples/


#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0.
#
# NOTE: If you are using the advanced detection option you need to
# be careful that you don't make a hair trigger situation. Because
# Advanced mode will react for *any* host connecting to a non-used
# port below your specified range, you have the opportunity to
# really break things. (i.e someone innocently tries to connect to
# you via SSL [TCP port 443] and you immediately block them). Some
# of you may even want this though. Just be careful.
#
# NOTE(review): this deployment *is* the hair-trigger case described above
# (advanced mode, immediate block). A value of "1" or "2" tolerates a single
# mistyped port from a legitimate host at the cost of letting a two-port
# probe through; either way keep the ignore file current.
#
SCAN_TRIGGER="0"

######################
# Port Banner Section#
######################
#
# Enter text in here you want displayed to a person tripping the PortSentry.
# I *don't* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
# Stealth scan detection modes don't use this feature
#
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
302 | 303 | # EOF 304 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # roger-skyline-1 2 | 3 | ## Summary 4 | 5 | - [V.1 VM Part](#VMPart) 6 | - [V.2 Network and Security Part](#NetworkSecurityPart) 7 | - [Install and configure `sudo`](#sudo) 8 | - [Configure a static IP on Virtual Machine](#StaticIP) 9 | - [Change the default port of the SSH service](#SSHDefault) 10 | - [Setup SSH Public Key Authentication](#SSHKeySetup) 11 | - [Set up Firewall with UFW (Uncomplicated Firewall)](#UFW) 12 | - [Set a DOS (Denial Of Service Attack) protection on open ports of VM(server) with `fail2ban`](#DOS) 13 | - [Set a protection against scans of open ports with `portsentry`](#StopScan) 14 | - [Stop services that are not needed](#StopServices) 15 | - [Update packages regularly](#UpdatePackages) 16 | - [Monitor changes of the `/etc/crontab` periodically](#UpdateCron) 17 | - [Set up local mail delivery with Postfix and Mutt](#SetUpMail) 18 | - [V.2 Web Part](#WebPart) 19 | - [V.3 Deployment Part](#DepPart) 20 | 21 | ## V.1 VM Part 22 | ***hypervisor:*** VirtualBox; ***Linux OS:*** Debian(64-bit); size of the hard disk is 8.00 GB(VDI, fixed size); 23 | Next you should run the virtual machine and specify the image of the OS - i downloaded `debian-10.1.0-amd64-netinst.iso` from https://www.debian.org/distrib/. 24 | ![specify_img](img/specify_img.png) 25 | 26 | Then you need to set up you Debian, process is quite simple, but i'll pay some attention on `Partition disks` part. 
Choose `Partition method` as `manual` and next choose: 27 | ![partition_1](img/partition_1.png) 28 | 29 | then: 30 | 31 | ![partition_2](img/partition_2.png) 32 | 33 | go for `Create a new partition` and specify the new partition size: 34 | 35 | ![partition_3](img/partition_3.png) 36 | 37 | choose type and location (I chose beginning); choose the file system (I went for `/ - the root file system`): 38 | 39 | ![partition_4](img/partition_4.png) 40 | 41 | I created 2 partitions: one `primary` with mount point on the `/ (root)` of the OS and with 4.2GB capacity, second `logical` with mount point on the `/home` dir and 4.4GB of space: 42 | 43 | ![partition_5](img/partition_5.png) 44 | 45 | then go for `Finish partitioning and write changes to disk`. 46 | Finally, I did not install a desktop environment; GRUB I accepted. 47 | ## V.2 Network and Security Part 48 | ### You must create a non-root user to connect to the machine and work. 49 | Non-root login was created while setting up the OS. Just log in. 50 | ### Use sudo, with this user, to be able to perform operation requiring special rights. 51 | First, we need to install `sudo`, which we can do only as root, so: 52 | ``` 53 | $ su 54 | $ apt-get update -y && apt-get upgrade -y 55 | $ apt-get install sudo vim -y 56 | ``` 57 | exit root mode: 58 | ``` 59 | $ exit 60 | ``` 61 | but now, if we try to use `sudo`, the OS will respond: `kseniia is not in the sudoers file. This incident will be reported`. That means we need to add our user to `/etc/sudoers` (again as root). Do **not** `chmod +w` the file: `sudoers` is deliberately mode 0440, `sudo` checks its owner and permissions on every run and may refuse to work once they have been loosened. Edit it with `visudo`, which opens the file with the right permissions and validates the syntax before saving (a syntax error in `sudoers` locks everyone out of `sudo`): 62 | ``` 63 | $ su 64 | # never chmod/vim /etc/sudoers directly - visudo does the locking, permission handling and syntax check 65 | $ visudo 66 | $ exit 67 | ``` 68 | add `username ALL=(ALL:ALL) ALL` to the `# User privilege specification` section: 69 | 70 | ![sudoers](img/sudoers.png) 71 | 72 | ### We don’t want you to use the DHCP service of your machine. You’ve got to configure it to have a static IP and a Netmask in \30.
73 | First, go to VirtualBox settings -> Network -> in the `Attached to` subsection change ***NAT*** to ***Bridged Adapter***; I like using `ifconfig`, that's why I'll install it (it's always possible to use `ip`): 74 | ``` 75 | $ sudo apt-get install net-tools 76 | $ sudo ifconfig 77 | ``` 78 | As we see, the name of our `bridged adapter` is ***enp0s3***. Let's set up a ***static IP*** (not dynamic) - check [How to setup a Static IP address on Debian Linux](https://linuxconfig.org/how-to-setup-a-static-ip-address-on-debian-linux) and [Network of VirtualBox instances with static IP addresses and Internet access](https://www.codesandnotes.be/2018/10/16/network-of-virtualbox-instances-with-static-ip-addresses-and-internet-access/). With a /30 netmask (255.255.255.252) the subnet has only two usable addresses - here 192.168.10.41 for the host and 192.168.10.42 for the VM - so nothing else can share it. 79 | 80 | ***1.*** We should modify the `/etc/network/interfaces` network config file with `sudo vim /etc/network/interfaces` (there is no need to `chmod +w` it: root can write the file anyway, and loosening its permissions would only let other local users edit the network configuration): 81 | 82 | ![interfaces](img/interfaces.png) 83 | 84 | [Файл настройки сети /etc/network/interfaces)](https://notessysadmin.com/fajl-nastrojki-seti) 85 | 86 | ***2.*** Define your network interfaces separately within the `/etc/network/interfaces.d/` directory. When the networking service starts, the `/etc/network/interfaces.d/` directory is searched for network interface configurations. Any network configuration found there is included as part of `/etc/network/interfaces`. So: 87 | ``` 88 | $ cd /etc/network/interfaces.d 89 | $ sudo touch enp0s3 90 | $ sudo vim enp0s3 91 | ``` 92 | 93 | ![enp0s3](img/enp0s3.png) 94 | 95 | next restart the network service (do this from the VirtualBox console, not over SSH - the address change drops any existing session): 96 | ``` 97 | $ sudo service networking restart 98 | ``` 99 | run `ifconfig` to see the result: 100 | 101 | ![ifconfig_res](img/ifconfig_res.png) 102 | 103 | ### You have to change the default port of the SSH service by the one of your choice. SSH access HAS TO be done with publickeys. SSH root access SHOULD NOT be allowed directly, but with a user who can be root.
104 | let's check the status of the ssh server: 105 | ``` 106 | $ ps -ef | grep sshd 107 | ``` 108 | next we need to change the `/etc/ssh/sshd_config` file [Changing the SSH Port for Your Linux Server](https://se.godaddy.com/help/changing-the-ssh-port-for-your-linux-server-7306): 109 | ``` 110 | $ sudo vim /etc/ssh/sshd_config 111 | ``` 112 | and change the line `# Port 22` - remove `#` and type the chosen port number; you can use the range from 49152 to 65535 (the dynamic/private range according to IANA, so it will not clash with a registered service); I chose port number ***50000***; restart the sshd service (if you are connected over SSH, keep that session open and test the new port from a second one before closing it, so a typo cannot lock you out): 113 | ``` 114 | $ sudo service sshd restart 115 | ``` 116 | login with ssh and check the status of our connection (the `ssh` client does not need `sudo` - running it as root would use root's keys and `known_hosts` instead of your user's): 117 | ``` 118 | $ ssh kseniia@192.168.10.42 -p 50000 119 | $ sudo systemctl status ssh 120 | ``` 121 | #### Finally 122 | let's test the ssh connection from the host. We need to set up SSH public key authentication [Setup SSH Public Key Authentication](https://www.cyberciti.biz/faq/ubuntu-18-04-setup-ssh-public-key-authentication/); the OS of my host is macOS Sierra; run from ***your host's terminal***: 123 | 124 | ``` 125 | # host terminal 126 | 127 | $ ssh-keygen -t rsa -b 4096    # or: ssh-keygen -t ed25519 128 | ``` 129 | to connect 2 interfaces they must be in one subnet; for the IP on the VM, 2 IP addresses are allowed (because we use netmask /30): 192.168.10.42 (for the VM, the IP addr that we set) and 192.168.10.41 (for the host); we need to set the IP addr on the host: ***System Preferences*** -> ***Network*** -> ***Advanced*** -> ***TCP/IP*** -> ***Select Manual*** -> ***Enter the new ip addr (192.168.10.41)*** -> ***Apply***; you can also try to change the ip via `ifconfig`. Now we can connect to our server (VM): 130 | ``` 131 | # host terminal 132 | 133 | $ ping 192.168.10.42 134 | $ ssh-copy-id -p 50000 kseniia@192.168.10.42   # installs the public key into the VM's ~/.ssh/authorized_keys (asks the password once) 135 | $ ssh kseniia@192.168.10.42 -p 50000           # must now log in without a password prompt 136 | $ exit (logout from the ssh) 137 | ``` 138 | Generating a key pair alone does not make SSH "public keys only": as long as `PasswordAuthentication` is on, password logins (and password brute-forcing) still work. Once the key login above succeeds, set `PasswordAuthentication no` (and make sure `PubkeyAuthentication yes` is in effect) in `/etc/ssh/sshd_config` and restart sshd - again from a second session, so that a mistake does not lock you out. last step is [HOW DO I DISABLE SSH LOGIN FOR THE ROOT USER?](https://mediatemple.net/community/products/dv/204643810/how-do-i-disable-ssh-login-for-the-root-user).
To disable root SSH login, edit `/etc/ssh/sshd_config`, by changing line `# PermitRootLogin yes` to `PermitRootLogin no` (if the line is commented out in your file, the built-in default is `prohibit-password`, which still lets root in with a key; `no` closes that too). Restart the SSH daemon: `sudo service sshd restart`. And read [Why should I really disable root ssh login?](https://superuser.com/questions/1006267/why-should-i-really-disable-root-ssh-login) 138 | 139 | ### You have to set the rules of your firewall on your server only with the services used outside the VM. 140 | I'll set up a firewall with the help of ***UFW (Uncomplicated Firewall)***, which is an interface to ***iptables*** that is geared towards simplifying the process of configuring a firewall. 141 | > by the way - a couple of times I had a problem with `apt-get install` - for some reason my VM could not reach the package server, and `ping` did not work either; ***SOLUTION*** for the problem `apt-get update fails to fetch files, “Temporary failure resolving …” error`: open the `/etc/resolv.conf` file on your host, copy the `nameserver` value (`nameserver fdb8:8db8:81bd::1`) and modify `/etc/resolv.conf` on the VM with this value 142 | ``` 143 | $ sudo apt-get install ufw 144 | $ sudo ufw status 145 | $ sudo ufw default deny incoming 146 | $ sudo ufw default allow outgoing 147 | $ sudo ufw allow 50000/tcp    # allow SSH *before* enabling - the deny-incoming policy takes effect the moment ufw comes up 148 | $ sudo ufw enable 149 | ``` 150 | The order matters: `ufw enable` activates the default policy (deny incoming) immediately, so if you are working over SSH open the SSH port first or the session is cut off. We can allow or deny by service name since ufw reads from `/etc/services`.
To get a list of services: 148 | ``` 149 | $ less /etc/services 150 | ``` 151 | let's allow the services that we need (each rule is restricted to TCP - a bare `443` would also open UDP 443): 152 | ``` 153 | # allow ssh 154 | $ sudo ufw allow 50000/tcp 155 | # allow http 156 | $ sudo ufw allow 80/tcp 157 | # allow https 158 | $ sudo ufw allow 443/tcp 159 | ``` 160 | now let's check the status of our firewall: 161 | 162 | ![ufw_status](img/ufw_status.png) 163 | 164 | here are some useful links: 165 | - [Linux firewalls: What you need to know about iptables and firewalld](https://opensource.com/article/18/9/linux-iptables-firewalld) 166 | - [UFW](https://help.ubuntu.com/community/UFW) 167 | - [How To Set Up a Firewall with UFW on Debian 9](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-9) 168 | 169 | ### You have to set a DOS (Denial Of Service Attack) protection on your open ports of your VM. 170 | There are a lot of methods to set up DoS protection: [A guide to secure your server from DDoS!](https://bobcares.com/blog/centos-ddos-protection/) Let's use one of those listed at the link - `Fail2Ban`. Keep in mind what it does and does not do: it watches log files and bans a source IP (through iptables) after `maxretry` matches within `findtime`, so it stops single-source brute force and request floods that show up in the logs, but not distributed or spoofed floods. 171 | ``` 172 | $ sudo apt-get install iptables fail2ban apache2 173 | ``` 174 | Fail2Ban keeps its configuration files in the `/etc/fail2ban` folder. The configuration file is `jail.conf`, which is present in this directory. This file can be overwritten by package upgrades, so we keep our settings in `jail.local` and edit that instead (fail2ban reads `jail.conf` first and then applies `jail.local` on top, so the copy only needs to contain the settings you change): 175 | ``` 176 | $ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local 177 | $ sudo vim /etc/fail2ban/jail.local 178 | ``` 179 | 180 | 1. SSH protocol security (protect open port 50000). Edit `/etc/fail2ban/jail.local` - the jail must use `port = 50000` (not `port = ssh`, which resolves to 22 through `/etc/services`), and the keys are spelled `enabled` and `maxretry` (a misspelt key is silently ignored and the jail stays off): 181 | 182 | ![fail2ban_ssh](img/fail2ban_ssh.png) 183 | 184 | - [Fail2Ban Port 80 to protect sites from DOS Attacks](http://www.tothenew.com/blog/fail2ban-port-80-to-protect-sites-from-dos-attacks/) 185 | - [Настройка Fail2ban](https://vps.ua/wiki/configuring-fail2ban/) 186 | 187 | 2. HTTP protocol security (protect our port 80).
Edit `/etc/fail2ban/jail.local`: 188 | 189 | ![fail2ban_http](img/fail2ban_http.png) 190 | 191 | Now we need to create the filter; to do that, create the file `/etc/fail2ban/filter.d/http-get-dos.conf` and add this text (this filter counts every GET from a source, so set the jail's `maxretry`/`findtime` high enough that a normal page load - HTML plus CSS and images - does not get a legitimate visitor banned): 192 | 193 | ![http-get-dos.png](img/http-get-dos.png) 194 | 195 | - [Install fail2ban to protect your site from DOS attacks](https://www.garron.me/en/go2linux/fail2ban-protect-web-server-http-dos-attack.html) 196 | 197 | finally: 198 | ``` 199 | $ sudo ufw reload 200 | $ sudo service fail2ban restart 201 | ``` 202 | let's see the result (`sudo fail2ban-client status sshd` shows whether the jail is actually running and which addresses are banned): 203 | 204 | ![fail2ban_check](img/fail2ban_check.png) 205 | 206 | ### You have to set a protection against scans on your VM’s open ports. 207 | 208 | ``` 209 | $ sudo apt-get install portsentry 210 | ``` 211 | modify the file `/etc/default/portsentry`: 212 | 213 | ``` 214 | TCP_MODE="atcp" 215 | UDP_MODE="audp" 216 | ``` 217 | We also want `portsentry` to block, not only log. We therefore need to activate that by setting BLOCK_UDP and BLOCK_TCP to 1; modify `/etc/portsentry/portsentry.conf`: 218 | ``` 219 | ################## 220 | # Ignore Options # 221 | ################## 222 | # 0 = Do not block UDP/TCP scans. 223 | # 1 = Block UDP/TCP scans. 224 | # 2 = Run external command only (KILL_RUN_CMD) 225 | 226 | BLOCK_UDP="1" 227 | BLOCK_TCP="1" 228 | ``` 229 | We opt for blocking malicious hosts through iptables. We will therefore comment out all lines of the configuration file that begin with KILL_ROUTE except this one (only one KILL_ROUTE may be active): 230 | ``` 231 | KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP" 232 | ``` 233 | verify your actions (exactly one line should be printed): 234 | ``` 235 | $ grep '^KILL_ROUTE' /etc/portsentry/portsentry.conf 236 | ``` 237 | restart the `portsentry` service so it picks up the new configuration (the package already starts it at install time, so a plain `start` would be a no-op) and it will now begin to block port scans: 238 | ``` 239 | $ sudo systemctl restart portsentry 240 | ``` 241 | `portsentry` logs are in the `/var/log/syslog` file. Two caveats before you test it: in the advanced modes with `SCAN_TRIGGER="0"` a single connection to any unused port below the advanced range is enough to get the source blocked - including your own host if you mistype a port - so whitelist the host's address in portsentry's ignore file and keep the VirtualBox console as a way back in; and the `iptables -I INPUT` rule is inserted ahead of ufw's chains, is not shown by `ufw status` and is not saved by ufw across reboots.
242 | 243 | - [To protect against the scan of ports with portsentry](https://en-wiki.ikoula.com/en/To_protect_against_the_scan_of_ports_with_portsentry) 244 | - [How to protect against port scanners?](https://unix.stackexchange.com/questions/345114/how-to-protect-against-port-scanners) 245 | 246 | ### Stop the services you don’t need for this project. 247 | On Debian 10 services are managed by systemd; the scripts in `/etc/init.d` are only the legacy view. To see which units are enabled and, more importantly, what is actually listening on the network: 248 | ``` 249 | $ ls /etc/init.d 250 | $ systemctl list-unit-files --type=service --state=enabled 251 | $ sudo ss -tulpn 252 | ``` 253 | ![list_of_services](img/list_of_services.png) 254 | 255 | ``` 256 | $ sudo systemctl disable bluetooth.service 257 | $ sudo systemctl disable console-setup.service 258 | $ sudo systemctl disable keyboard-setup.service 259 | ``` 260 | - [List of available services](https://unix.stackexchange.com/questions/108591/list-of-available-services) 261 | 262 | ### Create a script that updates all the sources of package, then your packages and which logs the whole in a file named /var/log/update_script.log. Create a scheduled task for this script once a week at 4AM and every time the machine reboots. 263 | 264 | ``` 265 | $ touch i_will_update.sh 266 | $ chmod a+x i_will_update.sh 267 | ``` 268 | ![update](img/update.png) 269 | 270 | This script is going to run from root's crontab, so root must be the only one able to modify it: if the crontab line points at a copy in your home directory, move it to a root-owned location (e.g. `/usr/local/sbin/`) with `chown root:root` and `chmod 755`, otherwise the unprivileged user - or anything that compromises that account - can edit what root executes. 271 | ``` 272 | $ sudo crontab -e 273 | ``` 274 | 275 | ![cron_update](img/cron_update.png) 276 | 277 | - [crontab guru](https://crontab.guru/#0_4_*_*_MON) 278 | 279 | ### Make a script to monitor changes of the /etc/crontab file and sends an email to root if it has been modified. Create a scheduled script task every day at midnight.
277 | 278 | ``` 279 | $ touch i_will_monitor_cron.sh 280 | $ chmod a+x i_will_monitor_cron.sh 281 | ``` 282 | ![monitor_cron](img/monitor_cron.png) 283 | 284 | Add this line to root's crontab (`sudo crontab -e`, as for the update script). The task asks for once a day at midnight, so the schedule is `0 0 * * *` - `* * * * *` would run it every minute, which is handy while testing but not what is required; a trailing `&` is unnecessary, cron already runs each job in the background. As with the update script, the file root executes should live in a root-owned directory, not under `/home/kseniia`, so the unprivileged user cannot change what runs as root: 285 | ``` 286 | 0 0 * * * /usr/local/sbin/i_will_monitor_cron.sh 287 | ``` 288 | #### to be able to use the mail command 289 | install the `bsd-mailx package`: 290 | ``` 291 | $ sudo apt install bsd-mailx 292 | ``` 293 | Install `postfix` (setup happens after installation): 294 | ``` 295 | $ sudo apt install postfix 296 | ``` 297 | In postfix setup, select "Local only" to create a local mail server (nothing listens for mail from the network, which is what we want here). 298 | + System mail name: "debian.lan" 299 | + Root and postmaster mail recipient: "root@localhost" 300 | + Other destinations to accept mail for: "debian.lan, debian.lan, localhost.lan, , localhost" 301 | + Force synchronous updates on mail queue? - No 302 | + Local networks: ENTER 303 | + Mailbox size limit (bytes): 0 (no limit) 304 | + Local address extension character: ENTER 305 | + Internet protocols to use: all 306 | 307 | Edit `/etc/aliases`: 308 | ``` 309 | root: root 310 | ``` 311 | Then: 312 | ``` 313 | $ sudo newaliases 314 | ``` 315 | To update the aliases here.
316 | 317 | Then change the home mailbox directory: 318 | ``` 319 | $ sudo postconf -e "home_mailbox = mail/" 320 | ``` 321 | Restart the postfix service: 322 | ``` 323 | $ sudo service postfix restart 324 | ``` 325 | Install the CLI (non-graphical) mail client `mutt`: 326 | ``` 327 | $ sudo apt install mutt 328 | ``` 329 | Create a config file `".muttrc"` for `mutt` in the `/root/` directory and edit it: 330 | ``` 331 | set mbox_type=Maildir 332 | set folder="/root/mail" 333 | set mask="!^\\.[^.]" 334 | set mbox="/root/mail" 335 | set record="+.Sent" 336 | set postponed="+.Drafts" 337 | set spoolfile="/root/mail" 338 | ``` 339 | Start `mutt` and exit: 340 | ``` 341 | $ mutt 342 | Enter 'q' to exit 343 | ``` 344 | Test sending a simple mail to root: 345 | ``` 346 | $ echo "Text" | sudo mail -s "Subject" root@debian.lan 347 | ``` 348 | Then login as root and start `mutt`. The mail should now be visible. 349 | 350 | The crontab script should now work. 351 | - [Setting Up Local Mail Delivery on Ubuntu with Postfix and Mutt](https://www.cmsimike.com/blog/2011/10/30/setting-up-local-mail-delivery-on-ubuntu-with-postfix-and-mutt/) 352 | 353 | > to copy file from host to VM via SSH: `scp -P 50000 i_will_monitor_cron.sh kseniia@192.168.10.42:~` (~ means home dir) 354 | ## V.2 Web Part 355 | my login page: 356 | 357 | ![login_page](img/login_page.png) 358 | 359 | 360 | > scp -P 50000 kseniia@192.168.10.42:/var/www/html/index.html . 
361 | 362 | Generate a self-signed key and certificate (`-nodes` leaves the private key unencrypted, which is what Apache needs to start unattended - so it must stay readable by root only, which `/etc/ssl/private` already enforces): 363 | ``` 364 | $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt 365 | Country name: UA 366 | State or Province Name: ENTER 367 | Locality Name: ENTER 368 | Organization Name: ENTER 369 | Organizational Unit Name: ENTER 370 | Common Name: 192.168.10.42 (VM IP address) 371 | Email Address: root@debian.lan 372 | ``` 373 | 374 | Create the file /etc/apache2/conf-available/ssl-params.conf and edit it: 375 | ``` 376 | SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH 377 | # "All -SSLv2 -SSLv3" still leaves TLS 1.0 and 1.1 enabled; allow only current versions 378 | # (+TLSv1.3 needs Apache 2.4.36+ with OpenSSL 1.1.1, which Debian 10 ships; drop it on older builds) 379 | SSLProtocol -all +TLSv1.2 +TLSv1.3 380 | SSLHonorCipherOrder On 381 | 382 | Header always set X-Frame-Options DENY 383 | Header always set X-Content-Type-Options nosniff 384 | 385 | SSLCompression off 386 | SSLSessionTickets Off 387 | # OCSP stapling needs a CA-issued certificate with an OCSP responder; with the self-signed 388 | # certificate above Apache logs a stapling warning at startup and skips it - harmless, but 389 | # these two lines only become useful once you have a real certificate 390 | SSLUseStapling on 391 | SSLStaplingCache "shmcb:logs/stapling-cache(150000)" 392 | ``` 393 | 394 | Edit the file /etc/apache2/sites-available/default-ssl.conf so it looks like this (the stock Debian file with the comments removed and the certificate paths changed; the `<IfModule>`, `<VirtualHost>`, `<FilesMatch>` and `<Directory>` tags were stripped from the original listing and are restored here): 395 | 396 | ``` 397 | <IfModule mod_ssl.c> 398 | 	<VirtualHost _default_:443> 399 | 		ServerAdmin root@localhost 400 | 		ServerName 192.168.10.42 401 | 		DocumentRoot /var/www/html 402 | 		ErrorLog ${APACHE_LOG_DIR}/error.log 403 | 		CustomLog ${APACHE_LOG_DIR}/access.log combined 404 | 		SSLEngine on 405 | 		SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt 406 | 		SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key 407 | 		<FilesMatch "\.(cgi|shtml|phtml|php)$"> 408 | 			SSLOptions +StdEnvVars 409 | 		</FilesMatch> 410 | 		<Directory /usr/lib/cgi-bin> 411 | 			SSLOptions +StdEnvVars 412 | 		</Directory> 413 | 	</VirtualHost> 414 | </IfModule> 415 | ``` 416 | 417 | Add a redirect rule to /etc/apache2/sites-available/000-default.conf (inside its `<VirtualHost *:80>` block), to redirect HTTP to HTTPS; `Redirect permanent` would answer 301 instead of 302 so browsers remember the redirect: 418 | ``` 419 | Redirect "/" "https://192.168.10.42/" 420 | ``` 421 | 422 | Enable everything changed and restart the Apache service: 423 | ``` 424 | $ sudo a2enmod ssl 425 | $ sudo a2enmod headers 426 | $ sudo a2ensite default-ssl 427 | $ sudo a2enconf ssl-params 428 | $ sudo apache2ctl configtest (to check that the syntax is OK) 429 | $ sudo systemctl
restart apache2 425 | ``` 426 | 427 | The SSL server is tested by entering "https://192.168.10.42" in a host browser. The expected result is a "Your connection is not private" warning page - the certificate is self-signed, so the browser cannot verify it; that warning is expected here and would be a red flag on a real site. Continue from this by selecting Advanced->Proceed to... 428 | HTTP->HTTPS redirection is tested by entering "http://192.168.10.42" in the host browser. 429 | 430 | ## V.3 Deployment Part 431 | 432 | The deployment script deploy.sh can be run after the prerequisites are met, which are: 433 | ``` 434 | 1) A VM has been created using Virtualbox with the settings stated above. 435 | 2) The VM network is set to Bridged Adapter. 436 | 3) sudo has been set up for the user. 437 | 4) Git is installed on the VM ("$ apt-get install git" as root) 438 | ``` 439 | 440 | Clone the repository to the VM: 441 | ``` 442 | git clone https://github.com/KseniiaPrytkova/roger-skyline-1 443 | ``` 444 | Execute the deployment script (must be done with sudo). It applies the configuration described above with full root privileges, so read `deploy.sh` and `deploy.conf` before running them and make sure you cloned the repository and commit you intended (`git log -1`): 445 | ``` 446 | $ chmod +x ./deploy.sh 447 | $ sudo ./deploy.sh 448 | ``` 449 | Test that the deployment went fine by opening `https://192.168.10.42/login.html` in the host machine browser. 450 | 451 | To get a checksum of the VM disk, power the VM off first (otherwise the file keeps changing), go to `/home/admin/VirtualBox VMs/`, select the VM and then run (`shasum` defaults to SHA-1; `-a 256` gives a SHA-256 digest): 452 | ``` 453 | $ shasum -a 256 < [vdi file] 454 | ``` 455 | - [ASCII Art](http://patorjk.com/software/taag/#p=display&f=Graffiti&t=Type%20Something%20) 456 | -------------------------------------------------------------------------------- /src/jail.local: -------------------------------------------------------------------------------- 1 | # 2 | # WARNING: heavily refactored in 0.9.0 release. Please review and 3 | # customize settings for your setup. 4 | # 5 | # Changes: in most of the cases you should not modify this 6 | # file, but provide customizations in jail.local file, 7 | # or separate .conf files under jail.d/ directory, e.g.: 8 | # 9 | # HOW TO ACTIVATE JAILS: 10 | # 11 | # YOU SHOULD NOT MODIFY THIS FILE.
12 | # 13 | # It will probably be overwritten or improved in a distribution update. 14 | # 15 | # Provide customizations in a jail.local file or a jail.d/customisation.local. 16 | # For example to change the default bantime for all jails and to enable the 17 | # ssh-iptables jail the following (uncommented) would appear in the .local file. 18 | # See man 5 jail.conf for details. 19 | # 20 | # [DEFAULT] 21 | # bantime = 1h 22 | # 23 | # [sshd] 24 | # enabled = true 25 | # 26 | # See jail.conf(5) man page for more information 27 | 28 | 29 | 30 | # Comments: use '#' for comment lines and ';' (following a space) for inline comments 31 | 32 | 33 | [INCLUDES] 34 | 35 | #before = paths-distro.conf 36 | before = paths-debian.conf 37 | 38 | # The DEFAULT allows a global definition of the options. They can be overridden 39 | # in each jail afterwards. 40 | 41 | [DEFAULT] 42 | 43 | # 44 | # MISCELLANEOUS OPTIONS 45 | # 46 | 47 | # "ignorself" specifies whether the local resp. own IP addresses should be ignored 48 | # (default is true). Fail2ban will not ban a host which matches such addresses. 49 | #ignorself = true 50 | 51 | # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban 52 | # will not ban a host which matches an address in this list. Several addresses 53 | # can be defined using space (and/or comma) separator. 54 | #ignoreip = 127.0.0.1/8 ::1 55 | 56 | # External command that will take an tagged arguments to ignore, e.g. , 57 | # and return true if the IP is to be ignored. False otherwise. 58 | # 59 | # ignorecommand = /path/to/command 60 | ignorecommand = 61 | 62 | # "bantime" is the number of seconds that a host is banned. 63 | bantime = 10m 64 | 65 | # A host is banned if it has generated "maxretry" during the last "findtime" 66 | # seconds. 67 | findtime = 10m 68 | 69 | # "maxretry" is the number of failures before a host get banned. 70 | maxretry = 5 71 | 72 | # "backend" specifies the backend used to get files modification. 
73 | # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". 74 | # This option can be overridden in each jail as well. 75 | # 76 | # pyinotify: requires pyinotify (a file alteration monitor) to be installed. 77 | # If pyinotify is not installed, Fail2ban will use auto. 78 | # gamin: requires Gamin (a file alteration monitor) to be installed. 79 | # If Gamin is not installed, Fail2ban will use auto. 80 | # polling: uses a polling algorithm which does not require external libraries. 81 | # systemd: uses systemd python library to access the systemd journal. 82 | # Specifying "logpath" is not valid for this backend. 83 | # See "journalmatch" in the jails associated filter config 84 | # auto: will try to use the following backends, in order: 85 | # pyinotify, gamin, polling. 86 | # 87 | # Note: if systemd backend is chosen as the default but you enable a jail 88 | # for which logs are present only in its own log files, specify some other 89 | # backend for that jail (e.g. polling) and provide empty value for 90 | # journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 91 | backend = auto 92 | 93 | # "usedns" specifies if jails should trust hostnames in logs, 94 | # warn when DNS lookups are performed, or ignore all hostnames in logs 95 | # 96 | # yes: if a hostname is encountered, a DNS lookup will be performed. 97 | # warn: if a hostname is encountered, a DNS lookup will be performed, 98 | # but it will be logged as a warning. 99 | # no: if a hostname is encountered, will not be used for banning, 100 | # but it will be logged as info. 101 | # raw: use raw value (no hostname), allow use it for no-host filters/actions (example user) 102 | usedns = warn 103 | 104 | # "logencoding" specifies the encoding of the log files handled by the jail 105 | # This is used to decode the lines from the log file. 
106 | # Typical examples: "ascii", "utf-8" 107 | # 108 | # auto: will use the system locale setting 109 | logencoding = auto 110 | 111 | # "enabled" enables the jails. 112 | # By default all jails are disabled, and it should stay this way. 113 | # Enable only relevant to your setup jails in your .local or jail.d/*.conf 114 | # 115 | # true: jail will be enabled and log files will get monitored for changes 116 | # false: jail is not enabled 117 | enabled = false 118 | 119 | 120 | # "mode" defines the mode of the filter (see corresponding filter implementation for more info). 121 | mode = normal 122 | 123 | # "filter" defines the filter to use by the jail. 124 | # By default jails have names matching their filter name 125 | # 126 | filter = %(__name__)s[mode=%(mode)s] 127 | 128 | 129 | # 130 | # ACTIONS 131 | # 132 | 133 | # Some options used for actions 134 | 135 | # Destination email address used solely for the interpolations in 136 | # jail.{conf,local,d/*} configuration files. 137 | destemail = root@localhost 138 | 139 | # Sender email address used solely for some actions 140 | sender = root@ 141 | 142 | # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the 143 | # mailing. Change mta configuration parameter to mail if you want to 144 | # revert to conventional 'mail'. 145 | mta = sendmail 146 | 147 | # Default protocol 148 | protocol = tcp 149 | 150 | # Specify chain where jumps would need to be added in ban-actions expecting parameter chain 151 | chain = 152 | 153 | # Ports to be banned 154 | # Usually should be overridden in a particular jail 155 | port = 0:65535 156 | 157 | # Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3 158 | fail2ban_agent = Fail2Ban/%(fail2ban_version)s 159 | 160 | # 161 | # Action shortcuts. To be used to define action parameter 162 | 163 | # Default banning action (e.g. iptables, iptables-new, 164 | # iptables-multiport, shorewall, etc) It is used to define 165 | # action_* variables. 
Can be overridden globally or per 166 | # section within jail.local file 167 | banaction = iptables-multiport 168 | banaction_allports = iptables-allports 169 | 170 | # The simplest action to take: ban only 171 | action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] 172 | 173 | # ban & send an e-mail with whois report to the destemail. 174 | action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] 175 | %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] 176 | 177 | # ban & send an e-mail with whois report and relevant log lines 178 | # to the destemail. 179 | action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] 180 | %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] 181 | 182 | # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action 183 | # 184 | # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines 185 | # to the destemail. 186 | action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] 187 | xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] 188 | 189 | # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines 190 | # to the destemail. 
191 | action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] 192 | %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] 193 | 194 | # Report block via blocklist.de fail2ban reporting service API 195 | # 196 | # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action. 197 | # Specify expected parameters in file action.d/blocklist_de.local or if the interpolation 198 | # `action_blocklist_de` used for the action, set value of `blocklist_de_apikey` 199 | # in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 200 | # corresponding jail.d/my-jail.local file). 201 | # 202 | action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] 203 | 204 | # Report ban via badips.com, and use as blacklist 205 | # 206 | # See BadIPsAction docstring in config/action.d/badips.py for 207 | # documentation for this action. 208 | # 209 | # NOTE: This action relies on banaction being present on start and therefore 210 | # should be last action defined for a jail. 211 | # 212 | action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] 213 | # 214 | # Report ban via badips.com (uses action.d/badips.conf for reporting only) 215 | # 216 | action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"] 217 | 218 | # Report ban via abuseipdb.com. 219 | # 220 | # See action.d/abuseipdb.conf for usage example and details. 221 | # 222 | action_abuseipdb = abuseipdb 223 | 224 | # Choose default action. To change, just override value of 'action' with the 225 | # interpolation to the chosen action shortcut (e.g. 
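# action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s


#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
# The option is spelled "enabled"; "enable" is not a jail option, so with the
# misspelling the jail stays off unless another file (e.g. a jail.d drop-in)
# turns it on.
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
# "maxretry" is the option that caps failed attempts before a ban; "maxentry"
# is not read by fail2ban, which would leave the default threshold in effect.
maxretry = 3
bantime = 600


[dropbear]

port = ssh
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s


[selinux-ssh]

port = ssh
logpath = %(auditd_log)s


#
# HTTP servers
#

[apache-auth]

port = http,https
logpath = %(apache_error_log)s


[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.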
278 | port = http,https 279 | logpath = %(apache_access_log)s 280 | bantime = 48h 281 | maxretry = 1 282 | 283 | 284 | [apache-noscript] 285 | 286 | port = http,https 287 | logpath = %(apache_error_log)s 288 | 289 | 290 | [apache-overflows] 291 | 292 | port = http,https 293 | logpath = %(apache_error_log)s 294 | maxretry = 2 295 | 296 | 297 | [apache-nohome] 298 | 299 | port = http,https 300 | logpath = %(apache_error_log)s 301 | maxretry = 2 302 | 303 | 304 | [apache-botsearch] 305 | 306 | port = http,https 307 | logpath = %(apache_error_log)s 308 | maxretry = 2 309 | 310 | 311 | [apache-fakegooglebot] 312 | 313 | port = http,https 314 | logpath = %(apache_access_log)s 315 | maxretry = 1 316 | ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot 317 | 318 | 319 | [apache-modsecurity] 320 | 321 | port = http,https 322 | logpath = %(apache_error_log)s 323 | maxretry = 2 324 | 325 | 326 | [apache-shellshock] 327 | 328 | port = http,https 329 | logpath = %(apache_error_log)s 330 | maxretry = 1 331 | 332 | 333 | [openhab-auth] 334 | 335 | filter = openhab 336 | action = iptables-allports[name=NoAuthFailures] 337 | logpath = /opt/openhab/logs/request.log 338 | 339 | 340 | [nginx-http-auth] 341 | 342 | port = http,https 343 | logpath = %(nginx_error_log)s 344 | 345 | # To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 346 | # and define `limit_req` and `limit_req_zone` as described in nginx documentation 347 | # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html 348 | # or for example see in 'config/filter.d/nginx-limit-req.conf' 349 | [nginx-limit-req] 350 | port = http,https 351 | logpath = %(nginx_error_log)s 352 | 353 | [nginx-botsearch] 354 | 355 | port = http,https 356 | logpath = %(nginx_error_log)s 357 | maxretry = 2 358 | 359 | 360 | # Ban attackers that try to use PHP's URL-fopen() functionality 361 | # through GET/POST variables. - Experimental, with more than a year 362 | # of usage in production environments. 
363 | 364 | [php-url-fopen] 365 | 366 | port = http,https 367 | logpath = %(nginx_access_log)s 368 | %(apache_access_log)s 369 | 370 | 371 | [suhosin] 372 | 373 | port = http,https 374 | logpath = %(suhosin_log)s 375 | 376 | 377 | [lighttpd-auth] 378 | # Same as above for Apache's mod_auth 379 | # It catches wrong authentifications 380 | port = http,https 381 | logpath = %(lighttpd_error_log)s 382 | 383 | 384 | # 385 | # Webmail and groupware servers 386 | # 387 | 388 | [roundcube-auth] 389 | 390 | port = http,https 391 | logpath = %(roundcube_errors_log)s 392 | # Use following line in your jail.local if roundcube logs to journal. 393 | #backend = %(syslog_backend)s 394 | 395 | 396 | [openwebmail] 397 | 398 | port = http,https 399 | logpath = /var/log/openwebmail.log 400 | 401 | 402 | [horde] 403 | 404 | port = http,https 405 | logpath = /var/log/horde/horde.log 406 | 407 | 408 | [groupoffice] 409 | 410 | port = http,https 411 | logpath = /home/groupoffice/log/info.log 412 | 413 | 414 | [sogo-auth] 415 | # Monitor SOGo groupware server 416 | # without proxy this would be: 417 | # port = 20000 418 | port = http,https 419 | logpath = /var/log/sogo/sogo.log 420 | 421 | 422 | [tine20] 423 | 424 | logpath = /var/log/tine20/tine20.log 425 | port = http,https 426 | 427 | 428 | # 429 | # Web Applications 430 | # 431 | # 432 | 433 | [drupal-auth] 434 | 435 | port = http,https 436 | logpath = %(syslog_daemon)s 437 | backend = %(syslog_backend)s 438 | 439 | [guacamole] 440 | 441 | port = http,https 442 | logpath = /var/log/tomcat*/catalina.out 443 | 444 | [monit] 445 | #Ban clients brute-forcing the monit gui login 446 | port = 2812 447 | logpath = /var/log/monit 448 | 449 | 450 | [webmin-auth] 451 | 452 | port = 10000 453 | logpath = %(syslog_authpriv)s 454 | backend = %(syslog_backend)s 455 | 456 | 457 | [froxlor-auth] 458 | 459 | port = http,https 460 | logpath = %(syslog_authpriv)s 461 | backend = %(syslog_backend)s 462 | 463 | 464 | # 465 | # HTTP Proxy servers 466 | # 
467 | # 468 | 469 | [squid] 470 | 471 | port = 80,443,3128,8080 472 | logpath = /var/log/squid/access.log 473 | 474 | 475 | [3proxy] 476 | 477 | port = 3128 478 | logpath = /var/log/3proxy.log 479 | 480 | 481 | # 482 | # FTP servers 483 | # 484 | 485 | 486 | [proftpd] 487 | 488 | port = ftp,ftp-data,ftps,ftps-data 489 | logpath = %(proftpd_log)s 490 | backend = %(proftpd_backend)s 491 | 492 | 493 | [pure-ftpd] 494 | 495 | port = ftp,ftp-data,ftps,ftps-data 496 | logpath = %(pureftpd_log)s 497 | backend = %(pureftpd_backend)s 498 | 499 | 500 | [gssftpd] 501 | 502 | port = ftp,ftp-data,ftps,ftps-data 503 | logpath = %(syslog_daemon)s 504 | backend = %(syslog_backend)s 505 | 506 | 507 | [wuftpd] 508 | 509 | port = ftp,ftp-data,ftps,ftps-data 510 | logpath = %(wuftpd_log)s 511 | backend = %(wuftpd_backend)s 512 | 513 | 514 | [vsftpd] 515 | # or overwrite it in jails.local to be 516 | # logpath = %(syslog_authpriv)s 517 | # if you want to rely on PAM failed login attempts 518 | # vsftpd's failregex should match both of those formats 519 | port = ftp,ftp-data,ftps,ftps-data 520 | logpath = %(vsftpd_log)s 521 | 522 | 523 | # 524 | # Mail servers 525 | # 526 | 527 | # ASSP SMTP Proxy Jail 528 | [assp] 529 | 530 | port = smtp,465,submission 531 | logpath = /root/path/to/assp/logs/maillog.txt 532 | 533 | 534 | [courier-smtp] 535 | 536 | port = smtp,465,submission 537 | logpath = %(syslog_mail)s 538 | backend = %(syslog_backend)s 539 | 540 | 541 | [postfix] 542 | # To use another modes set filter parameter "mode" in jail.local: 543 | mode = more 544 | port = smtp,465,submission 545 | logpath = %(postfix_log)s 546 | backend = %(postfix_backend)s 547 | 548 | 549 | [postfix-rbl] 550 | 551 | filter = postfix[mode=rbl] 552 | port = smtp,465,submission 553 | logpath = %(postfix_log)s 554 | backend = %(postfix_backend)s 555 | maxretry = 1 556 | 557 | 558 | [sendmail-auth] 559 | 560 | port = submission,465,smtp 561 | logpath = %(syslog_mail)s 562 | backend = %(syslog_backend)s 563 | 
564 | 565 | [sendmail-reject] 566 | # To use more aggressive modes set filter parameter "mode" in jail.local: 567 | # normal (default), extra or aggressive 568 | # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. 569 | #mode = normal 570 | port = smtp,465,submission 571 | logpath = %(syslog_mail)s 572 | backend = %(syslog_backend)s 573 | 574 | 575 | [qmail-rbl] 576 | 577 | filter = qmail 578 | port = smtp,465,submission 579 | logpath = /service/qmail/log/main/current 580 | 581 | 582 | # dovecot defaults to logging to the mail syslog facility 583 | # but can be set by syslog_facility in the dovecot configuration. 584 | [dovecot] 585 | 586 | port = pop3,pop3s,imap,imaps,submission,465,sieve 587 | logpath = %(dovecot_log)s 588 | backend = %(dovecot_backend)s 589 | 590 | 591 | [sieve] 592 | 593 | port = smtp,465,submission 594 | logpath = %(dovecot_log)s 595 | backend = %(dovecot_backend)s 596 | 597 | 598 | [solid-pop3d] 599 | 600 | port = pop3,pop3s 601 | logpath = %(solidpop3d_log)s 602 | 603 | 604 | [exim] 605 | # see filter.d/exim.conf for further modes supported from filter: 606 | #mode = normal 607 | port = smtp,465,submission 608 | logpath = %(exim_main_log)s 609 | 610 | 611 | [exim-spam] 612 | 613 | port = smtp,465,submission 614 | logpath = %(exim_main_log)s 615 | 616 | 617 | [kerio] 618 | 619 | port = imap,smtp,imaps,465 620 | logpath = /opt/kerio/mailserver/store/logs/security.log 621 | 622 | 623 | # 624 | # Mail servers authenticators: might be used for smtp,ftp,imap servers, so 625 | # all relevant ports get banned 626 | # 627 | 628 | [courier-auth] 629 | 630 | port = smtp,465,submission,imap,imaps,pop3,pop3s 631 | logpath = %(syslog_mail)s 632 | backend = %(syslog_backend)s 633 | 634 | 635 | [postfix-sasl] 636 | 637 | filter = postfix[mode=auth] 638 | port = smtp,465,submission,imap,imaps,pop3,pop3s 639 | # You might consider monitoring /var/log/mail.warn instead if you are 640 | # running postfix 
since it would provide the same log lines at the 641 | # "warn" level but overall at the smaller filesize. 642 | logpath = %(postfix_log)s 643 | backend = %(postfix_backend)s 644 | 645 | 646 | [perdition] 647 | 648 | port = imap,imaps,pop3,pop3s 649 | logpath = %(syslog_mail)s 650 | backend = %(syslog_backend)s 651 | 652 | 653 | [squirrelmail] 654 | 655 | port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks 656 | logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log 657 | 658 | 659 | [cyrus-imap] 660 | 661 | port = imap,imaps 662 | logpath = %(syslog_mail)s 663 | backend = %(syslog_backend)s 664 | 665 | 666 | [uwimap-auth] 667 | 668 | port = imap,imaps 669 | logpath = %(syslog_mail)s 670 | backend = %(syslog_backend)s 671 | 672 | 673 | # 674 | # 675 | # DNS servers 676 | # 677 | 678 | 679 | # !!! WARNING !!! 680 | # Since UDP is connection-less protocol, spoofing of IP and imitation 681 | # of illegal actions is way too simple. Thus enabling of this filter 682 | # might provide an easy way for implementing a DoS against a chosen 683 | # victim. See 684 | # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html 685 | # Please DO NOT USE this jail unless you know what you are doing. 686 | # 687 | # IMPORTANT: see filter.d/named-refused for instructions to enable logging 688 | # This jail blocks UDP traffic for DNS requests. 689 | # [named-refused-udp] 690 | # 691 | # filter = named-refused 692 | # port = domain,953 693 | # protocol = udp 694 | # logpath = /var/log/named/security.log 695 | 696 | # IMPORTANT: see filter.d/named-refused for instructions to enable logging 697 | # This jail blocks TCP traffic for DNS requests. 
698 | 699 | [named-refused] 700 | 701 | port = domain,953 702 | logpath = /var/log/named/security.log 703 | 704 | 705 | [nsd] 706 | 707 | port = 53 708 | action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] 709 | %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] 710 | logpath = /var/log/nsd.log 711 | 712 | 713 | # 714 | # Miscellaneous 715 | # 716 | 717 | [asterisk] 718 | 719 | port = 5060,5061 720 | action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] 721 | %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] 722 | %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] 723 | logpath = /var/log/asterisk/messages 724 | maxretry = 10 725 | 726 | 727 | [freeswitch] 728 | 729 | port = 5060,5061 730 | action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] 731 | %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] 732 | %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] 733 | logpath = /var/log/freeswitch.log 734 | maxretry = 10 735 | 736 | 737 | # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or 738 | # equivalent section: 739 | # log-warning = 2 740 | # 741 | # for syslog (daemon facility) 742 | # [mysqld_safe] 743 | # syslog 744 | # 745 | # for own logfile 746 | # [mysqld] 747 | # log-error=/var/log/mysqld.log 748 | [mysqld-auth] 749 | 750 | port = 3306 751 | logpath = %(mysql_log)s 752 | backend = %(mysql_backend)s 753 | 754 | 755 | # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') 756 | [mongodb-auth] 757 | # change port when running with "--shardsvr" or "--configsvr" runtime operation 758 | port = 27017 759 | 
logpath = /var/log/mongodb/mongodb.log 760 | 761 | 762 | # Jail for more extended banning of persistent abusers 763 | # !!! WARNINGS !!! 764 | # 1. Make sure that your loglevel specified in fail2ban.conf/.local 765 | # is not at DEBUG level -- which might then cause fail2ban to fall into 766 | # an infinite loop constantly feeding itself with non-informative lines 767 | # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) 768 | # to maintain entries for failed logins for sufficient amount of time 769 | [recidive] 770 | 771 | logpath = /var/log/fail2ban.log 772 | banaction = %(banaction_allports)s 773 | bantime = 1w 774 | findtime = 1d 775 | 776 | 777 | # Generic filter for PAM. Has to be used with action which bans all 778 | # ports such as iptables-allports, shorewall 779 | 780 | [pam-generic] 781 | # pam-generic filter can be customized to monitor specific subset of 'tty's 782 | banaction = %(banaction_allports)s 783 | logpath = %(syslog_authpriv)s 784 | backend = %(syslog_backend)s 785 | 786 | 787 | [xinetd-fail] 788 | 789 | banaction = iptables-multiport-log 790 | logpath = %(syslog_daemon)s 791 | backend = %(syslog_backend)s 792 | maxretry = 2 793 | 794 | 795 | # stunnel - need to set port for this 796 | [stunnel] 797 | 798 | logpath = /var/log/stunnel4/stunnel.log 799 | 800 | 801 | [ejabberd-auth] 802 | 803 | port = 5222 804 | logpath = /var/log/ejabberd/ejabberd.log 805 | 806 | 807 | [counter-strike] 808 | 809 | logpath = /opt/cstrike/logs/L[0-9]*.log 810 | # Firewall: http://www.cstrike-planet.com/faq/6 811 | tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 812 | udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 813 | action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] 814 | %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", 
actname=%(banaction)s-udp] 815 | 816 | # consider low maxretry and a long bantime 817 | # nobody except your own Nagios server should ever probe nrpe 818 | [nagios] 819 | 820 | logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility 821 | backend = %(syslog_backend)s 822 | maxretry = 1 823 | 824 | 825 | [oracleims] 826 | # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above 827 | logpath = /opt/sun/comms/messaging64/log/mail.log_current 828 | banaction = %(banaction_allports)s 829 | 830 | [directadmin] 831 | logpath = /var/log/directadmin/login.log 832 | port = 2222 833 | 834 | [portsentry] 835 | logpath = /var/lib/portsentry/portsentry.history 836 | maxretry = 1 837 | 838 | [pass2allow-ftp] 839 | # this pass2allow example allows FTP traffic after successful HTTP authentication 840 | port = ftp,ftp-data,ftps,ftps-data 841 | # knocking_url variable must be overridden to some secret value in jail.local 842 | knocking_url = /knocking/ 843 | filter = apache-pass[knocking_url="%(knocking_url)s"] 844 | # access log of the website with HTTP auth 845 | logpath = %(apache_access_log)s 846 | blocktype = RETURN 847 | returntype = DROP 848 | action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s] 849 | bantime = 1h 850 | maxretry = 1 851 | findtime = 1 852 | 853 | 854 | [murmur] 855 | # AKA mumble-server 856 | port = 64738 857 | action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp] 858 | %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp] 859 | logpath = /var/log/mumble-server/mumble-server.log 860 | 861 | 862 | [screensharingd] 863 | # For Mac OS Screen Sharing Service (VNC) 864 | logpath = /var/log/system.log 865 | logencoding = utf-8 866 | 867 | [haproxy-http-auth] 868 | # HAProxy by default doesn't log to file you'll need to set it up to forward 869 | # logs to a syslog 
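# server which would then write them to disk.
# See "haproxy-http-auth" filter for a brief cautionary note when setting
# maxretry and findtime.
logpath = /var/log/haproxy.log

[slapd]
port = ldap,ldaps
logpath = /var/log/slapd.log

[domino-smtp]
port = smtp,ssmtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log

[phpmyadmin-syslog]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s


[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
port = http,https
logpath = %(apache_error_log)s

# Protect port 80 (HTTP)
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
# The http-get-dos failregex matches request lines ("GET ..."), which Apache
# writes to the access log, not the error log; with the error log as logpath
# the filter never sees a matching line and no ban is ever issued.
logpath = %(apache_access_log)s
# "maxretry" (not "maxentry") is the option fail2ban reads: 300 matching
# requests from one host within findtime (300 s) trigger a 600 s ban.
maxretry = 300
findtime = 300
bantime = 600
# NOTE: the ban rule covers only port 80 (port=http) although the jail lists
# http,https, so a banned host can still reach the HTTPS vhost.
action = iptables[name=HTTP, port=http, protocol=tcp]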