====== Security ======

Some tools for security.

===== fail2ban =====

Bans hosts that cause multiple authentication errors, using iptables.

<code>
apt-get install fail2ban
</code>

Jails are defined in **/etc/fail2ban/jail.local** - set up all options there.

**To receive mail, you need to set the default action to:**

<code>
action = %(action_mwl)s
</code>

Check if it works:

<code>
iptables -n -L
</code>

**Test if it really works and actually blocks offending IPs!!**

**If your INPUT chain allows everything, you need to change to the FORWARD chain!**

Try manually whether INPUT or FORWARD drops the IP:

<code>
iptables -I INPUT -j DROP -s EV.IL.IP
iptables -I FORWARD -j DROP -s EV.IL.IP
</code>

The working chain must be set up in jail.conf or jail.local AND in /etc/fail2ban/action.d/iptables-multiport.conf:

<code>
# FORWARD required, because INPUT accepts all
chain = FORWARD
</code>

**Unban:**

Use these commands to remove an IP from the blackhole - example for blocked courier mailserver logins:

<code>
fail2ban-client get courierlogin actionunban xx.xx.xx.xx
fail2ban-client get courierauth actionunban xx.xx.xx.xx
/etc/init.d/fail2ban restart
</code>

==== debug ====

If the service doesn't start, this gives some useful error messages:

<code>
fail2ban-client -x start
</code>

Too much CPU / RAM usage: maybe a problem with /etc/localtime.

Trace which files are opened / closed all the time by one of the server threads:

<code>
strace -f -p
</code>

Collect the ban lines in a file blocked-ips-complete:

<code>
grep contactforms fail2ban.log | grep Ban >> blocked-ips-complete
</code>

Count:

<code>
cat blocked-ips-complete | wc -l
</code>

Get unique IPs sorted by date:

<code>
cat blocked-ips-complete | awk '{print $1 , $2 , $7}' | sort -u -k3,4 | sort -k1,1 > blocked-ips-by-date
</code>

Get only the IPs and sort by IP:

<code>
cat blocked-ips-by-date | awk '{print $3}' | sort -u
</code>

===== apparmor =====

WIP

Install:

<code>
apt-get install apparmor apparmor-profiles apparmor-utils
</code>

Add boot parameter:

<code>
perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
update-grub
reboot
</code>

Check:

<code>
aa-status
</code>

Activate app profiles..
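For the "test if it really works" step of the fail2ban section above: reading ''iptables -n -L'' by eye is error-prone, so here is an added helper script (not part of this page or of fail2ban) that parses such a listing and reports in which chain a given source IP is actually dropped or rejected, and whether a chain carries a catch-all ACCEPT rule (the "INPUT accepts all" case). The listing, the chain names and the IPs below are constructed for the demo; the column positions assume plain ''iptables -n -L'' output (no ''--line-numbers'').

```shell
#!/bin/sh
# Check from an `iptables -n -L` listing whether a source IP is really
# dropped/rejected, and in which chain. Works on captured text, so it
# needs no root; on a live host pipe the real listing into the functions.

# Constructed listing for the demo (not from a real system). Live use:
#   iptables -n -L | chains_blocking_ip 203.0.113.7
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  203.0.113.7          0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  198.51.100.23        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# Default policy of a built-in chain (ACCEPT/DROP); prints nothing for user chains.
chain_policy() {
    awk -v chain="$1" '/^Chain / && $2 == chain && $3 == "(policy" { gsub(/[()]/, "", $4); print $4 }'
}

# Exit 0 if $2 is the source of a DROP or REJECT rule inside chain $1.
# Columns of `iptables -n -L`: target prot opt source destination [matches...]
ip_blocked_in_chain() {
    awk -v chain="$1" -v ip="$2" '
        /^Chain / { cur = $2; next }
        cur == chain && ($1 == "DROP" || $1 == "REJECT") && $4 == ip { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print every chain (built-in or a fail2ban jail chain) that drops or
# rejects traffic from $1, one name per line.
chains_blocking_ip() {
    awk -v ip="$1" '
        /^Chain / { cur = $2; next }
        ($1 == "DROP" || $1 == "REJECT") && $4 == ip { print cur }'
}

# Exit 0 if chain $1 holds a catch-all "ACCEPT all 0.0.0.0/0 -> 0.0.0.0/0"
# rule with no extra match; that is the "INPUT accepts all" situation.
chain_accepts_all() {
    awk -v chain="$1" '
        /^Chain / { cur = $2; next }
        cur == chain && NF == 5 && $1 == "ACCEPT" && $2 == "all" &&
            $4 == "0.0.0.0/0" && $5 == "0.0.0.0/0" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Demo on the constructed listing
for ip in 203.0.113.7 198.51.100.23 192.0.2.1; do
    chains=$(sample_listing | chains_blocking_ip "$ip")
    echo "$ip: ${chains:-not blocked anywhere}"
done
sample_listing | chain_accepts_all INPUT && echo "INPUT has a catch-all ACCEPT rule"
```

If ''chains_blocking_ip'' prints nothing for an IP that fail2ban claims to have banned, the jail's action is writing to a chain the traffic never traverses; that is exactly when the ''chain = FORWARD'' setting above is needed. Newer fail2ban releases also accept ''fail2ban-client set JAIL unbanip IP'' for the unban step.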
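For the blocked-ips-complete pipelines in the debug section above: the ''awk '{print $1, $2, $7}''' step hard-codes the IP as field 7, which holds for the old fail2ban log layout but not for the newer one (which inserts a PID column). This added script (mine, not from the page or from fail2ban) takes the IP as the word after ''Ban'' instead, so both layouts work, and goes a bit beyond the page by also counting bans per IP. The log lines and the jail name ''contactforms'' are constructed for the demo.

```shell
#!/bin/sh
# Summarise fail2ban "Ban" events of one jail from fail2ban.log.
# The IP is the word after "Ban", not a fixed field, so the old
# "fail2ban.actions: WARNING [jail] Ban IP" and the newer
# "fail2ban.actions [pid]: NOTICE [jail] Ban IP" layouts both work.
# "Unban" lines never match because the comparison is exact.

# Constructed sample log (not a real fail2ban.log). Live use:
#   count_bans contactforms < /var/log/fail2ban.log
sample_log() {
    cat <<'EOF'
2016-03-01 10:12:55,123 fail2ban.actions: WARNING [contactforms] Ban 203.0.113.7
2016-03-01 10:13:01,004 fail2ban.actions: WARNING [sshd] Ban 198.51.100.23
2016-03-01 11:02:17,880 fail2ban.actions: WARNING [contactforms] Unban 203.0.113.7
2016-03-02 08:30:42,512 fail2ban.actions: WARNING [contactforms] Ban 203.0.113.7
2016-03-02 09:45:03,331 fail2ban.actions        [1234]: NOTICE  [contactforms] Ban 192.0.2.200
2016-03-02 12:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 198.51.100.23
EOF
}

# "date time ip", one line per Ban event of jail $1, in log order
ban_events() {
    awk -v jail="[$1]" '{
        for (i = 1; i < NF; i++)
            if ($i == jail && $(i+1) == "Ban") { print $1, $2, $(i+2); break }
    }'
}

# Number of Ban events of jail $1 (same as the page's wc -l, minus the cat)
count_bans() { ban_events "$1" | awk 'END { print NR }'; }

# Distinct IPs, sorted by IP (the page's "get only IPs" step)
unique_ips() { ban_events "$1" | awk '{ print $3 }' | sort -u; }

# First ban of every IP, in chronological order (the page's "sorted by date"
# step, done in awk so it does not depend on sort's handling of equal keys)
first_ban_per_ip() { ban_events "$1" | awk '!seen[$3]++'; }

# "count ip", most frequently banned IPs first: repeat offenders
bans_per_ip() {
    ban_events "$1" | awk '{ n[$3]++ } END { for (ip in n) print n[ip], ip }' | sort -rn -k1,1
}

# Demo on the constructed log
echo "contactforms bans: $(sample_log | count_bans contactforms)"
echo "first ban per IP:"; sample_log | first_ban_per_ip contactforms
echo "bans per IP:";      sample_log | bans_per_ip contactforms
```

On a real host, ''sample_log'' is simply replaced by reading /var/log/fail2ban.log (or the rotated copies concatenated); the jail name is matched exactly against the bracketed field, so ''contactforms'' will not also pick up a jail called ''contactforms-slow''.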
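For the "add boot parameter" step of the apparmor section above: the perl one-liner appends ''apparmor=1 security=apparmor'' every time it is run, so a second run leaves the parameters twice in GRUB_CMDLINE_LINUX. This added script (mine, not from the page) does the same edit idempotently and also creates the line when /etc/default/grub does not contain it yet; like the one-liner, it assumes the value is in double quotes. The demo works on a temporary copy, the file path on a real host is /etc/default/grub, followed by ''update-grub'' and a reboot as on the page.

```shell
#!/bin/sh
# Idempotently add "apparmor=1 security=apparmor" to GRUB_CMDLINE_LINUX in
# a grub defaults file ($1). Re-running is a no-op; a missing line is added.
# Assumes the value is double-quoted, as in Debian's /etc/default/grub.
enable_apparmor_in_grub() {
    file="$1"
    tmp="$file.tmp"
    awk '
        /^GRUB_CMDLINE_LINUX="/ {
            found = 1
            if ($0 ~ /security=apparmor/) { print; next }   # already enabled
            sub(/"$/, "")                                    # strip closing quote
            line = $0
            sub(/^GRUB_CMDLINE_LINUX="/, "", line)           # existing value
            params = "apparmor=1 security=apparmor"
            if (line != "") params = line " " params
            print "GRUB_CMDLINE_LINUX=\"" params "\""
            next
        }
        { print }
        END { if (!found) print "GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\"" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Read back the value of GRUB_CMDLINE_LINUX from file $1 (without quotes)
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# Demo on a constructed temporary copy, never on the real /etc/default/grub
demo=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet"\nGRUB_CMDLINE_LINUX=""\n' > "$demo"
enable_apparmor_in_grub "$demo"
enable_apparmor_in_grub "$demo"   # second run changes nothing
echo "GRUB_CMDLINE_LINUX is now: $(grub_cmdline "$demo")"
rm -f "$demo"
```

After the real edit, ''aa-status'' following the reboot should report that AppArmor is loaded; if it still says it is not enabled, check ''cat /proc/cmdline'' to confirm that the new kernel command line was actually picked up by ''update-grub''.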