Engineering and technology notes

Install Fail2ban intrusion prevention framework on Ubuntu

Installing Fail2ban

Fail2ban operates by monitoring log files for certain types of entries and runs predetermined actions based on its findings. You can install the software with the following command

sudo apt-get install fail2ban

Once installed, copy the default jail.conf file to make a local configuration with this command

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then open the new local configuration file for edit with your favourite text editor, for example

sudo nano /etc/fail2ban/jail.local

Scroll down to go through some of the settings available in the configuration file.

First up are the basic defaults. ignoreip allows you to exclude certain IP addresses from being banned; for example, if your own computer has a fixed IP, you can enter it here. Next, set bantime, which determines how long an offending host remains blocked before it is automatically unblocked. Lastly, check findtime and maxretry: findtime sets the time window within which maxretry failed attempts cause the connecting host's IP to be blocked.

[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 3600 
findtime = 600
maxretry = 3
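
To see how findtime and maxretry interact, the following added example (not part of the original guide and not Fail2ban's own code) replays constructed sshd log lines through a simplified version of the ban decision. The function names, the sample addresses and the single-day timestamp handling are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: approximates the findtime/maxretry decision over sshd
# "Failed password" lines. Assumes all lines fall on the same day.

# Constructed sample log (addresses are from documentation ranges).
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 4001 ssh2
Jan 10 10:00:09 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 4002 ssh2
Jan 10 10:01:30 host sshd[1003]: Failed password for root from 198.51.100.7 port 5001 ssh2
Jan 10 10:02:15 host sshd[1004]: Failed password for root from 203.0.113.5 port 4003 ssh2
Jan 10 10:05:00 host sshd[1005]: Accepted password for alice from 192.0.2.10 port 6001 ssh2
Jan 10 10:14:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 5002 ssh2
Jan 10 10:30:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 5003 ssh2
Jan 10 10:31:00 host sshd[1008]: Failed password for root from 127.0.0.1 port 7001 ssh2
EOF
}

# would_ban FINDTIME MAXRETRY IGNOREIP
# Reads a log on stdin and prints each IP at the moment it would be banned.
would_ban() {
  awk -v findtime="$1" -v maxretry="$2" -v ignoreip="$3" '
    /Failed password/ {
      split($3, hms, ":")                      # field 3 is HH:MM:SS
      now = hms[1] * 3600 + hms[2] * 60 + hms[3]
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "" || ip == ignoreip || (ip in banned)) next
      n[ip]++
      seen[ip, n[ip]] = now
      hits = 0                                 # failures inside the window
      for (k = 1; k <= n[ip]; k++)
        if (now - seen[ip, k] < findtime) hits++
      if (hits >= maxretry) { banned[ip] = 1; print ip }
    }'
}
```

Running `sample_log | would_ban 600 3 127.0.0.1` reports only 203.0.113.5; widening findtime to 3600 also catches the slower attempts from 198.51.100.7.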

If you have a sendmail service configured on your cloud server, you can enable email notifications from Fail2ban by entering your email address in the destemail parameter and changing action = %(action_)s to action = %(action_mw)s.

Once you’ve done the basic configurations, check the different jails available in the configuration options. Jails are the rules which fail2ban applies to any given application or log file. SSH jail settings, which you can find at the top of the jails list, are enabled by default.

[sshd]
enabled = true

You can enable any other jail module in the same fashion by editing the enabled parameter to true.

When you’ve enabled all the jails you wish, save the configuration file and exit the editor. Then you’ll need to restart the monitor with the following command

sudo service fail2ban restart

With that done, you should now check your iptables rules for the newly added jail sections for each of the application modules you enabled.

sudo iptables -L

Any banned IP addresses will appear in the chain for the jail where the failed login attempts occurred. You can also manually ban and unban IP addresses for the services you defined jails for with the following commands.

sudo fail2ban-client set <jail> banip/unbanip <ip address>
# For example
sudo fail2ban-client set sshd unbanip 83.136.253.43

Fail2ban is a handy addition to iptables and firewall access control in general. Feel free to experiment with the configuration, and don’t worry if you get your own IP address banned,

 

Source: Install Fail2ban intrusion prevention framework on Ubuntu – UpCloud

MQTT

MQTT (MQ Telemetry Transport) is an open OASIS and ISO standard (ISO/IEC PRF 20922) lightweight, publish-subscribe network protocol that transports messages between devices. The protocol usually runs over TCP/IP; however, any network protocol that provides ordered, lossless, bi-directional connections can support MQTT. It is designed for connections with remote locations where a “small code footprint” is required or the network bandwidth is limited.

https://en.m.wikipedia.org/wiki/MQTT

HowTo/PostfixDovecotLMTP

Postfix and Dovecot LMTP

Starting with Dovecot 2.x, an LMTP server has been added.

Basic Configuration

The first step is to enable its stack via /etc/dovecot/dovecot.conf

!include conf.d/*.conf
protocols = imap lmtp

Socket configuration

The actual socket is configured in /etc/dovecot/conf.d/10-master.conf. The LMTP service can be bound to either INET or Unix sockets. In this example a Unix socket is placed inside the Postfix spool with appropriate permissions set:

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}

Note that the socket needs to be placed there because Postfix access is limited to this directory.

Plugin Support

Plugin support can be enabled at protocol level via /etc/dovecot/conf.d/20-lmtp.conf, for Quota and Sieve here:

protocol lmtp {
  postmaster_address = postmaster@domainname   # required
  mail_plugins = quota sieve
}

Postfix main.cf Configuration

The final step is to tell Postfix to use this socket for final delivery, in this case in a virtual user scenario:

virtual_transport = lmtp:unix:private/dovecot-lmtp

For a non-virtual user setup (as when mail_location = maildir:~/.maildir):

mailbox_transport = lmtp:unix:private/dovecot-lmtp

Dynamic address verification with LMTP

With Dovecot 2.0 you can also use LMTP and the Postfix setting “reject_unverified_recipient” for dynamic address verification. It’s really nice because Postfix doesn’t need to query an external datasource (MySQL, LDAP…). Postfix maintains a local database of existing and non-existing addresses (you can configure how long positive and negative results should be cached). See: Postfix reject_unverified_recipient.

To use LMTP and dynamic address verification you must first get Dovecot working. Then you can configure Postfix to use LMTP and set “reject_unverified_recipient” in the smtpd_recipient_restrictions.

On every incoming email Postfix will probe if the recipient address exists. You will see similar entries in your logfile:

Recipient address rejected: undeliverable address: host tux.example.com[private/dovecot-lmtp] said: 550 5.1.1 <tzknvtr@example.com> User doesn't exist: tzknvtr@example.com (in reply to RCPT TO command); from=<cnrilrgfclra@spammer.org> to=<tzknvtr@example.com>

If the recipient address exists (status=deliverable) Postfix accepts the mail.

Info: To eliminate this error put:

auth_username_format = %Ln

in:
conf.d/10-auth.conf
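
A quick way to check that a main.cf carries both the LMTP transport and the reject_unverified_recipient restriction described above, as an added example that is not from the Dovecot wiki. The function names, the sample file, and the rule that reject_unauth_destination should come first (so Postfix only probes recipients in domains it accepts mail for, assuming both restrictions are listed in smtpd_recipient_restrictions) are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks a Postfix main.cf for the LMTP transport and for
# recipient verification. The ordering rule is this example's assumption.

# Constructed sample main.cf; continuation lines start with whitespace.
sample_main_cf() {
cat <<'EOF'
# constructed sample
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient
EOF
}

# check_lmtp_verify: reads main.cf on stdin and prints one verdict word.
check_lmtp_verify() {
  awk '
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    /^[ \t]/ { val[key] = val[key] " " $0; next }  # continuation of last key
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
      val[key] = substr($0, eq + 1)
    }
    END {
      t = val["virtual_transport"] " " val["mailbox_transport"]
      if (t !~ /lmtp:unix:private\/dovecot-lmtp/) { print "no-lmtp-transport"; exit }
      r = val["smtpd_recipient_restrictions"]
      v = index(r, "reject_unverified_recipient")
      u = index(r, "reject_unauth_destination")
      if (v == 0) print "no-recipient-verification"
      else if (u == 0 || u > v) print "verify-before-relay-check"
      else print "ok"
    }'
}
```

On a live system the same function can be fed the real file, for example `check_lmtp_verify < /etc/postfix/main.cf`.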

Source: HowTo/PostfixDovecotLMTP – Dovecot Wiki

gcc command in Linux with examples – GeeksforGeeks

gcc command in Linux with examples

GCC stands for GNU Compiler Collection, which is used mainly to compile C and C++. It can also be used to compile Objective-C and Objective-C++. The most important argument required when compiling a source code file is the name of the source program; every other argument, such as warning, debugging, library-linking and object-file options, is optional. The different options of the gcc command allow the user to stop the compilation process at different stages.

Syntax:

gcc [-c|-S|-E] [-std=standard]

Example: This will compile the source.c file and produce an output file named a.out, which is the default output file name given by the gcc compiler; it can be executed using ./a.out

gcc source.c

Most Useful Options with Examples: Here source.c is the C program code file.

  • -o opt: This will compile the source.c file, but instead of giving the output file the default name it will name it opt, so it is executed using ./opt. -o is the output file option.
    gcc source.c -o opt

  • -Werror: This will compile the source and treat every warning as an error, so the build stops if any warning is raised; -W is for giving warnings.
    gcc source.c -Werror -o opt

  • -Wall: This will check not only for errors but also for all kinds of warnings, such as unused variables; it is good practice to use this flag while compiling the code.
    gcc source.c -Wall -o opt

  • -ggdb3: This option includes debugging information so that the program can be debugged using gdb, which will be described later; the -g option is for debugging.
    gcc -ggdb3 source.c -Wall -o opt

  • -lm : This option links the math library (declared in math.h) to our program; the -l option is used for linking a particular library, and for math.h we use -lm.
    gcc -Wall source.c -o opt -lm

  • -std=c11 : This option uses the C11 version of the standard for compiling the source.c program, which allows variables to be defined in loop initializers; using a newer version of the standard is also preferred.
    gcc -Wall -std=c11 source.c -o opt

  • -c : This option compiles the program and gives the object file as output, which is used to make libraries.
  • -v : This option is used for the verbose purpose.
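
The practical difference between -Wall and -Werror shows up in gcc's exit status, which is what a build script or CI job acts on. The following added example (not from the original article; the function name and the C file are constructed for illustration) compiles a file with an unused variable both ways.

```shell
#!/bin/sh
# Added example: compares -Wall with -Wall -Werror on a constructed C file
# that triggers -Wunused-variable. Prints "gcc-missing" if gcc is absent.

werror_demo() {
  command -v gcc >/dev/null 2>&1 || { echo "gcc-missing"; return 0; }
  dir=$(mktemp -d) || return 1
  cat > "$dir/source.c" <<'EOF'
#include <stdio.h>
int main(void) {
    int unused;            /* never read: reported by -Wall */
    printf("hello\n");
    return 0;
}
EOF
  # -Wall: the warning is printed, but the binary is still produced.
  if gcc -Wall "$dir/source.c" -o "$dir/opt_wall" 2>"$dir/wall.log"
  then wall=ok; else wall=failed; fi
  if grep -q "unused" "$dir/wall.log"; then warned=yes; else warned=no; fi
  # -Wall -Werror: the same warning is now an error and the build fails.
  if gcc -Wall -Werror "$dir/source.c" -o "$dir/opt_werror" 2>/dev/null
  then werror=ok; else werror=failed; fi
  if [ -x "$dir/opt_werror" ]; then binary=yes; else binary=no; fi
  rm -rf "$dir"
  echo "wall=$wall warned=$warned werror=$werror binary=$binary"
}
```

With gcc installed, `werror_demo` prints `wall=ok warned=yes werror=failed binary=no`.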

Source: gcc command in Linux with examples – GeeksforGeeks