Install Fail2ban intrusion prevention framework on Ubuntu

Jovan Stosic March 17, 2020

Installing Fail2ban

It operates by monitoring log files for certain type of entries and runs predetermined actions based on its findings. You can install the software with the following

sudo apt-get install fail2ban

Once installed, copy the default jail.conf file to make a local configuration with this command

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then open the new local configuration file for edit with your favourite text editor, for example

sudo nano /etc/fail2ban/jail.local

Scroll down to go through some of the settings available in the configuration file.

First up are the basic defaults for ignoreip, which allows you to exclude certain IP addresses from being banned, for example if your own computer has a fixed IP you can enter it here. Next set the bantime which determines how long an offending host will remain blocked until automatically unblocked. Lastly check the findtime and maxretry counts, of which the find time sets the time window for the max retry attempts before the host IP attempting to connect is blocked.

[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 3600 
findtime = 600
maxretry = 3

If you have a sendmail service configured on your cloud server, you can enable the email notifications from Fail2ban by entering your email address to the parameter destemail and changing the action = %(action_)s to action = %(action_mw)s.

Once you’ve done the basic configurations, check the different jails available in the configuration options. Jails are the rules which fail2ban applies to any given application or log file. SSH jail settings, which you can find at the top of the jails list, are enabled by default.

[sshd]
enabled = true

You can enable any other jail module in the same fashion by editing the enabled parameter to true.

When you’ve enabled all the jails you wish, save the configuration file and exit the editor. Then you’ll need to restart the monitor with the following command

sudo service fail2ban restart

With that done, you should now check your iptable rules for the newly added jail sections on each of the application modules you enabled.

sudo iptables -L

Any banned IP addresses will appear in the specific chains that the failed login attempts occurred at. You can also manually ban and unban IP addresses from the services you defined jails for with the following commands.

sudo fail2ban-client set <jail> banip/unbanip <ip address>
# For example
sudo fail2ban-client set sshd unbanip 83.136.253.43

Fail2ban is a handy addition to the iptables and firewall access control in general, feel free to experiment with the configuration and don’t worry if you get your own IP address banned,

 

Source: Install Fail2ban intrusion prevention framework on Ubuntu – UpCloud

MQTT

Jovan Stosic March 17, 2020

MQTT (MQ Telemetry Transport) is an open OASIS and ISO standard (ISO/IEC PRF 20922) lightweight, publish-subscribe network protocol that transports messages between devices. The protocol usually runs over TCP/IP; however, any network protocol that provides ordered, lossless, bi-directional connections can support MQTT. It is designed for connections with remote locations where a “small code footprint” is required or the network bandwidth is limited.

https://en.m.wikipedia.org/wiki/MQTT

HowTo/PostfixDovecotLMTP

Jovan Stosic March 16, 2020

Postfix and Dovecot LMTP

Starting with Dovecot 2.x a LMTP-Server has been added.

Basic Configuration

The first step is to enable its stack via /etc/dovecot/dovecot.conf

!include conf.d/*.conf
protocols = imap lmtp

Socket configuration

The actual socket is configured in /etc/dovecot/conf.d/10-master.conf. The LMTP service can be bound to both INET or Unix sockets. In this example a Unix socket is placed inside the Postfix spool with appropriate permissions set:

service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
   group = postfix
   mode = 0600
   user = postfix
  }
}

Note that the socket needs to be placed there because Postfix access is limited to this directory.

Plugin Support

Plugin support can be enabled at protocol level via /etc/dovecot/conf.d/20-lmtp.conf, for Quota and Sieve here:

protocol lmtp {
  postmaster_address = postmaster@domainname   # required
  mail_plugins = quota sieve
}

Postfix main.cf Configuration

The final step is to tell Postfix to use this socket for final delivery, in this case in a virtual user scenario:

virtual_transport = lmtp:unix:private/dovecot-lmtp

For a non virtual user setup ( as when mail_location = maildir:~/.maildir ) :

mailbox_transport = lmtp:unix:private/dovecot-lmtp

Dynamic address verification with LMTP

With Dovecot 2.0 you can also use LMTP and the Postfix setting “reject_unverified_recipient” for dynamic address verification. It’s really nice because Postfix doesn’t need to query an external datasource (MySQL, LDAP…). Postfix maintain a local database with existing/non existing addresses (you can configure how long positive/negative results should be cached). Postfix reject_unverified_recipient

To use LMTP and dynamic address verification you must first get Dovecot working. Then you can configure Postfix to use LMTP and set “reject_unverified_recipient” in the smtpd_recipient_restrictions.

On every incoming email Postfix will probe if the recipient address exists. You will see similar entries in your logfile:

Recipient address rejected: undeliverable address: host tux.example.com[private/dovecot-lmtp] said: 550 5.1.1 < tzknvtr@example.com > User doesn't exist: tzknvtr@example.com (in reply to RCPT TO command); from=< cnrilrgfclra@spammer.org > to=< tzknvtr@example.com >

If the recipient address exists (status=deliverable) Postfix accepts the mail.

Info: To eliminate this error put:

auth_username_format = %Ln

in:
conf.d/10-auth.conf

Source: HowTo/PostfixDovecotLMTP – Dovecot Wiki