Install Fail2Ban on Ubuntu to protect services

Many common adminstrative services such as VPN and SSH are exposed on known port numbers, unfortunately this makes it easy for hackers to use tools to attempt to access the systems. Use of countermeasures such as Fail2Ban can block them after a few failed attempts.

Installation Steps:

  1. sudo apt-get install fail2ban
  2. sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  3. sudo vi /etc/fail2ban/jail.local
  4. Update:
    destemail & sender
  5. OPTIONAL:
    Splunk:
    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/fail2ban.log -index main -sourcetype Fail2Ban

    Splunk (manual):
    sudo vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf

    [monitor:///var/log/fail2ban.log]
    disabled = false
    index = main
    sourcetype = Fail2Ban

  6. sudo service fail2ban restart

REFERENCES:

Adding OpenSSH server logs to Splunk

By default, in most Linux distros, OpenVPN log output goes to the authlog, which is usually at /var/log/auth.log, as such it is trivial to add them to Splunk monitoring:

Splunk:
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/auth.log -index main -sourcetype OpenSSH

Splunk (manual):
sudo vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf


[monitor:///var/log/auth.log]
disabled = false
index = main
sourcetype = OpenSSH

REFERENCES:

WordPress credentials for update

After moving or updating WordPress, later plugin updates may start asking for FTP and/or SSH credentials. This can be easily avoided by setting the following:

  1. In wp_config.php

    define('FS_METHOD', 'direct');
  2. Verify file ownership permissions, on Ubuntu, this is typically:

    sudo chown -R www-data:www-data YOURFOLDER

Install OpenSSH Server on Ubuntu

I’ve discussed the use of SSH in several posts in the past, but while recently building a new environment, I realized that I’ve never indicated how the service itself should be installed.

INSTALLATION:

sudo apt-get install openssh-server

If you desire to change any of the default configuration such as port or cyphers…


sudo vi /etc/ssh/ssh_config

NOTE: If you intend to access the server from the Internet, you will have to verify that port forwarding is enabled on your routers and firewalls.

REFERENCES:

Comcast Business Class gateway forwarding port 22 for SSH

For as long as I’ve had Comcast, and other providers for that matter, I’ve been able to configure my internet gateway/router to allow port 22 (SSH) access to an internal machine. It came as a surprise to me earlier this week that I was blocked when I tried to use their web admin console to change the internal forwarding to a newer machine. As usual, Technical Support was less that helpful and said that it was not possible to do so, and never should have been as Comcast uses that port to administer the gateway. To make matters more disturbing, I was told that I could not have similar SSH access to the gateway, and that replacing their hardware, while permitted, would prevent my use of a static IP.

Back to the solution, as I know that I had only setup this forwarding about a year ago, and it was working only minutes before I tried to change it, I knew that the configuration was possible if I could figure out how it was being blocked. The message in the web console was a javascript alert(); and gave me a starting point. I opened up Firefox and used Firebug to look for the message. Here are a few interesting findings from:

http://HOSTNAME/user/feat-firewall-port-forward-edit.asp

var RemoteManagementPortsCgiBase = “8080,8080,1\|8181,8181,1\|2323,2323,1\|22,22,1\|”;

msg += “Public Port Range conflict with Remote Management Ports.\n”;

if (msg.length > 1)
{
alert(msg);
return false;
}
return true;
}

If you even a little bit of javascript (or simple computer programming for that matter), the solution is clear…. if the ‘msg’ value is empty you will not see the alert or be prevented from making the change you desire.

Lesson to be learned by the Comcast developers (or most likely = subcontractors), always validate submitted form data in your application code, NEVER rely upon javascript alone to verify user entered data!

I also find it interesting that they are also preventing 8080, 8081 and 2323… perhaps that’s their other back doors in these gateways for their access. The same approach should work for those ports if you need it!

Private SSH SOCKS Tunnel

The use of SSH private tunnels as a “poor man’s VPN” is pretty common. When doing so, you can easily tunnel (map) traffic destined to specific ports thru the tunnel to their intended destination.

Common Ports:

  • CVS: ┬áL2401
  • SVN: L3690
  • git: L9418 tcp
  • mysql: L3306
  • rdp: L3389 tcp
  • socks4/socks5: D1080 (no host required)

REFERENCES:

 

Free website uptime monitoring

Regardless if you host your own websites, or pay to have them hosted elsewhere, up-time, availability and network performance metrics are important to your visiting guests.

Here are two free services that I’ve found useful for monitoring, notification and reporting.

BTW, you can even use these to watch competitors or sites that you frequent.

Accessing VirtualBox client from host

Assuming that you are a developer on Windows that run a VirtualBox instance for a server, you might find it difficult to browse/access the “virtual” server that are running as a client. Here’s an example of the config required for standard HTTP, HTTPS and SSH, you can easily expand for other services as needed. Example assumes that your client is named “Ubuntu64”, you need to change appropriately for each client.

NOTE: if you are using a Linux host, the commands are similar.

cd C:\Program Files\Oracle\VirtualBox
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTP/HostPort 80
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTP/GuestPort 80
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTP/Protocol TCP
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTPS/HostPort 443
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTPS/GuestPort 443
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTPS/Protocol TCP
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/Tomcat/HostPort 8080
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/Tomcat/GuestPort 8080
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/Tomcat/Protocol TCP
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/SSH/HostPort 22
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/SSH/GuestPort 22
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/SSH/Protocol TCP
VBoxManage.exe getextradata "Ubuntu64" enumerate

Colored terminal window text on Ubuntu (Linux)

After a clean install, or simply access to a new machine, I often find it helpful to enable colored prompts in the terminal/command line environment.
For standard Ubuntu / Debian / Linux environments, this only requires you to remove a comment from a single line in a config file.

In /home/%USERID%/.bashrc you will find the following text, the last line simply needs to have the hash removed:

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

Open vi/vim or your editor of choice and remove it and you are done!

NOTE: If you are using Nautilus, you will not see this file as it is hidden, choose “View”, “Show Hidden Files” (CTRL-H) and it should appear.

NoMachineNX – SSH Remote Desktop for Linux/Unix

I’ve used a variety of means to connect to remote machines. Long ago, PCAnywhere was common place, later replaced by VNC and Windows Remote Desktop (RDP). As I’ve migrated nearly all of my work to Ubuntu, I’ve found that VNC is generally too slow, and SSH alone only gives access to my command line environment. NX over SSH allows for efficiently visual access to my entire desktop and all accessories remotely, regardless of my client system.

Setup on the server/host system only takes a few minutes, but is only available on Linux and Solaris. Installation of SSH on the host is required first.

Setup of the client is even easier, and is available for Linux, OS/X and Windows.

NOTE: A “NX Free Edition” is available for use.

REFERENCES: