Author: Richard Applegate

  • Fail2ban – how to unbanip on your sshd

    IP address unban

    Fail2Ban is an intrusion prevention tool that protects servers from brute-force attacks. It watches specific log files and blocks IP addresses whose behaviour looks like a brute-force attempt.

    Fail2Ban counts failed connection attempts per source address. With the default settings, after 5 failed SSH login attempts it bans the IP address from connecting via SSH for 10 minutes. An address that keeps coming back is picked up by the recidive jail and banned for much longer, in practice until you contact admin@richardapplegate.io and explain why you are attacking my server.

    Unban an IP address

    To unblock an IP address, you first have to reach the server from an address other than the blocked one (a VPN or another internet connection), because the blocked address cannot open an SSH session at all.

    Look at the Fail2Ban log to find out which jail, or jails, banned the IP address. An address is often held by more than one jail, and it has to be released from each of them.

    sudo tail /var/log/fail2ban.log 
    2019-01-07 16:24:47 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44 
    2019-01-07 16:24:49 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44 
    2019-01-07 16:24:51 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44 
    2019-01-07 16:24:54 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44 
    2019-01-07 16:24:57 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44 
    2019-01-07 16:24:57 fail2ban.actions [1837]: NOTICE  [sshd] Ban 11.22.33.44 
    2019-01-07 16:24:57 fail2ban.filter  [1837]: NOTICE  [recidive] Ban 11.22.33.44

    Here, the 11.22.33.44 IP address has been banned in the sshd and recidive jails.

    Then unban the IP address from every jail that holds it. Releasing it from sshd alone is not enough while recidive still lists it:

    sudo fail2ban-client set sshd unbanip 11.22.33.44
    sudo fail2ban-client set recidive unbanip 11.22.33.44
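    The log scan above done as a small script, added here as an example (it is not part of the original post or of Fail2ban). It replays the Ban, Unban and "Restore Ban" events for one address so that it only lists jails that still hold the IP, then prints the matching unbanip commands. It assumes the default log line format shown above; the sample log written by write_sample_log is constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original post or from Fail2ban): replay the
# Ban / Unban / "Restore Ban" events in a fail2ban.log for one address, list
# the jails that still hold it, then print the unbanip commands.
# Assumes the default log format:
#   2019-01-07 16:24:57 fail2ban.actions [1837]: NOTICE  [sshd] Ban 11.22.33.44

# banning_jails LOGFILE IP -> one jail name per line, sorted
banning_jails() {
    logfile=$1
    ip=$2
    awk -v ip="$ip" '
        # $6 is "[jail]"; strip the brackets
        function jail() { return substr($6, 2, length($6) - 2) }
        $7 == "Ban"     && $8 == ip                { held[jail()] = 1 }
        $7 == "Restore" && $8 == "Ban" && $9 == ip { held[jail()] = 1 }    # re-applied after a fail2ban restart
        $7 == "Unban"   && $8 == ip                { delete held[jail()] } # released (bantime expired or manual unban)
        END { for (j in held) print j }
    ' "$logfile" | sort
}

# unban_commands LOGFILE IP -> the fail2ban-client commands that release IP everywhere
unban_commands() {
    banning_jails "$1" "$2" | while read -r j; do
        printf 'sudo fail2ban-client set %s unbanip %s\n' "$j" "$2"
    done
}

# write_sample_log FILE -> a constructed log for trying the functions out:
# 11.22.33.44 was banned by sshd and recidive, released by sshd when its 10-minute
# bantime ran out, and re-banned by recidive when fail2ban restarted the next day.
write_sample_log() {
    cat > "$1" <<'EOF'
2019-01-07 16:24:57 fail2ban.actions [1837]: NOTICE  [sshd] Ban 11.22.33.44
2019-01-07 16:24:57 fail2ban.actions [1837]: NOTICE  [recidive] Ban 11.22.33.44
2019-01-07 16:30:00 fail2ban.actions [1837]: NOTICE  [sshd] Ban 55.66.77.88
2019-01-07 16:34:57 fail2ban.actions [1837]: NOTICE  [sshd] Unban 11.22.33.44
2019-01-08 09:00:01 fail2ban.actions [2201]: NOTICE  [recidive] Restore Ban 11.22.33.44
EOF
}
```

    Source the file and run `unban_commands /var/log/fail2ban.log 11.22.33.44 | sh` to release an address from every jail that still holds it. On Fail2ban 0.11 or newer you can skip the log entirely: `sudo fail2ban-client banned 11.22.33.44` lists the jails holding an address and `sudo fail2ban-client unban 11.22.33.44` releases it from all of them. Either way, confirm with `sudo fail2ban-client status sshd`, whose "Banned IP list" should no longer contain the address.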
  • Backup and Restore with Docker Compose

    All of my data lives in bind-mounted folders next to the docker-compose.yml file, which keeps backup and restore simple. Stopping the stack with docker-compose down leaves the files quiescent, so you can back up everything in that folder and its subfolders without catching a database mid-write.

    For example, to create a ZIP archive, run the following from the folder that contains docker-compose.yml. The archive is written to the parent folder so that it does not end up inside the tree it is archiving:

    zip -r ../myarchive.zip .
    

    To restore from a ZIP archive, unzip it back into the original folder:

    unzip ../myarchive.zip -d /path/to/original/folder
    

    Once the backup (or restore) has completed, start the stack again:

    docker-compose up -d
    

    That is all. With these simple steps you can back up and restore your data with Docker Compose. Two things to keep in mind: this only covers bind mounts under the project folder, so anything kept in named Docker volumes (see docker volume ls) has to be backed up separately, and the archive contains your .env file and any other secrets in the folder, so store it with the same care as the folder itself.
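    The same backup and restore done with tar in a script, added here as an example (not from the original post). It writes the archive outside the project folder and refuses to write it inside, creates the archive owner-readable only because of the secrets it holds, and checks the restored tree against the original. Only stack_backup_cycle talks to Docker; the other functions run without it, on the constructed folder used below.

```sh
#!/bin/sh
# Added example (not from the original post): tar-based backup and restore of a
# Compose project folder (the bind mounts next to docker-compose.yml).
# Only stack_backup_cycle talks to Docker; everything else runs without it.

# stack_backup PROJECT_DIR ARCHIVE -> writes ARCHIVE (tar.gz, mode 0600) from PROJECT_DIR
stack_backup() {
    project=$1
    archive=$2
    case $archive in
        "$project"/*)
            echo "refusing to write $archive inside $project (it would be archived into itself)" >&2
            return 1 ;;
    esac
    # the folder holds .env and other secrets, so the archive is owner-readable only
    ( umask 077 && tar -czf "$archive" -C "$project" . )
}

# stack_restore ARCHIVE TARGET_DIR -> unpacks ARCHIVE into TARGET_DIR (created if missing)
stack_restore() {
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# stack_verify PROJECT_DIR RESTORED_DIR -> 0 when both trees have identical contents
stack_verify() {
    diff -r "$1" "$2" >/dev/null
}

# stack_backup_cycle PROJECT_DIR ARCHIVE -> stop the stack, archive it, start it again.
# The stack is restarted even when the backup fails; the backup's status is returned.
stack_backup_cycle() {
    project=$1
    archive=$2
    ( cd "$project" && docker-compose down ) || return 1
    stack_backup "$project" "$archive"
    rc=$?
    ( cd "$project" && docker-compose up -d )
    return $rc
}
```

    A typical run is `stack_backup_cycle /srv/mystack /backups/mystack-$(date +%F).tar.gz`, followed by `stack_restore` into a scratch folder and `stack_verify` against the live folder when you want to prove the archive is usable, which is the only backup test that counts.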

  • How to allow our site in SecurityEdge on our business Internet. Here is how:

    Log in to your Comcast Business account.

    https://business.comcast.com/connectivity/internetdashboard/

    After you log in, scroll down to Subscribed Services ⇾ SecurityEdge.

    Click SecurityEdge (https://securityedge.comcast.com/#home).

    Go to the Block and Allow list.

    Enter your website in the Check URL text box and click Check.

    Make sure you click Allow, so the site can be reached from your stores and office.

    You will notice that we have SecurityEdge disabled on our own connection, because we run our own three DNS servers.

    After you publish and save, it takes about 30 minutes for the modem at each store or office to pick up the change. The site will then load again, and the "SSL invalid" warning, which comes from the filter's block page being served in place of the real site, will no longer appear.

    If you still face the issue, I am happy to swing by and work it out so the website loads for every customer.

  • How to Install Immich(v1.99.0) on Docker Portainer with Nginx Proxy Manager

    This is the Docker Compose (version 3.8) file I use for Immich 1.99.0. I only changed the volume paths so that the data is saved on our large storage, with ownership and permissions set so that only root can read the files.

    I added two external networks: nginx, because the web interface is published through Nginx Proxy Manager, and personalphotos, a private network for the stack's own Redis and Postgres so they are not reachable from other containers on the host. Note that the machine-learning container is only on personalphotos, so only the Immich services can reach it, and no service publishes a port directly.

    version: "3.8"
    
    services:
      immich-server:
        container_name: immich_server
        image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
        command: [ "start.sh", "immich" ]
        volumes:
          - ${UPLOAD_LOCATION}:/usr/src/app/upload
          - /etc/localtime:/etc/localtime:ro
        env_file:
          - stack.env
        networks:
          - nginx
          - personalphotos
        labels:
          - com.centurylinklabs.watchtower.enable=false
        depends_on:
          - redis
          - database
        restart: always
    
      immich-microservices:
        container_name: immich_microservices
        image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
        command: [ "start.sh", "microservices" ]
        volumes:
          - ${UPLOAD_LOCATION}:/usr/src/app/upload
          - /etc/localtime:/etc/localtime:ro
        env_file:
          - stack.env
        networks:
          - personalphotos
        labels:
          - com.centurylinklabs.watchtower.enable=false
        depends_on:
          - redis
          - database
    
        restart: always
    
      immich-machine-learning:
        container_name: immich_machine_learning
        image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
        volumes:
          - ${MODEL_CACHE}:/cache
        labels:
          - com.centurylinklabs.watchtower.enable=false
        env_file:
          - stack.env
        networks:
          - personalphotos
        restart: always
    
    
      redis:
        container_name: immich_redis
        image: redis:6.2-alpine
        env_file:
          - stack.env
        labels:
          - com.centurylinklabs.watchtower.enable=false
        networks:
          - personalphotos
        restart: always
    
      database:
        container_name: immich_postgres
        image: registry.hub.docker.com/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
        labels:
          - com.centurylinklabs.watchtower.enable=false
        environment:
          POSTGRES_PASSWORD: ${DB_PASSWORD}
          POSTGRES_USER: ${DB_USERNAME}
          POSTGRES_DB: ${DB_DATABASE_NAME}
        networks:
          - personalphotos
        volumes:
          - ${PGDATA}:/var/lib/postgresql/data
    
        restart: always
    networks:
      nginx:
         external: true
      personalphotos:
         external: true
    

    Here are the environment variables (stack.env). Change DB_PASSWORD before deploying: postgres/postgres is the image default, and the only thing keeping the database private is that it has no published ports and sits on the personalphotos network. TYPESENSE_API_KEY and TSDATA are leftovers from older Immich releases; there is no Typesense service in this compose file, so they are unused.

    DB_HOSTNAME=immich_postgres
    DB_USERNAME=postgres
    DB_PASSWORD=postgres
    DB_DATABASE_NAME=immich
    TZ=America/Los_Angeles
    REDIS_HOSTNAME=immich_redis
    UPLOAD_LOCATION=changeyourpath/data
    TYPESENSE_API_KEY=<your own random string>
    PUBLIC_LOGIN_PAGE_MESSAGE=
    IMMICH_MACHINE_LEARNING_URL=http://immich-machine-learning:3003
    MODEL_CACHE=/changeyourpath/model_cache
    PGDATA=/changeyourpath/postgresqlbackup
    TSDATA=/changeyourpath/tsdata
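    A pre-deploy check for stack.env, added here as an example and not part of Immich or the original post: it refuses the default database password, a password equal to the user name or shorter than 16 characters, and any path still containing changeyourpath, and it can generate a replacement secret. The key names are the ones from the file above; the sample file used below is constructed.

```sh
#!/bin/sh
# Added example (not part of Immich or the original post): sanity-check stack.env
# before deploying the stack above. Key names are the ones from the file above.

# env_value FILE KEY -> value of KEY (empty when the key is missing)
env_value() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# check_stack_env FILE -> 0 when clean; otherwise 1 and one reason per line
check_stack_env() {
    f=$1
    rc=0
    pw=$(env_value "$f" DB_PASSWORD)
    user=$(env_value "$f" DB_USERNAME)
    if [ -z "$pw" ]; then
        echo "DB_PASSWORD is empty"; rc=1
    elif [ "$pw" = "postgres" ] || [ "$pw" = "$user" ]; then
        echo "DB_PASSWORD is the image default or equals DB_USERNAME"; rc=1
    elif [ "${#pw}" -lt 16 ]; then
        echo "DB_PASSWORD is shorter than 16 characters"; rc=1
    fi
    # the upload folder, model cache and Postgres data dir must point at real storage
    for key in UPLOAD_LOCATION MODEL_CACHE PGDATA; do
        v=$(env_value "$f" "$key")
        case $v in
            ""|*changeyourpath*) echo "$key still has a placeholder path: '$v'"; rc=1 ;;
        esac
    done
    return $rc
}

# gen_secret -> 32 random alphanumeric characters, suitable for DB_PASSWORD
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
    echo
}
```

    Run `check_stack_env stack.env` before `docker compose up`; the Postgres image only reads POSTGRES_PASSWORD when it initialises an empty data directory, so fixing the password after the first start also means changing it inside the database.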
  • Nextcloud: "Server has no maintenance window start time configured" error.

    Nextcloud Version: 28.0.3

    The warning message links to the documentation.

    Add the following line to your config.php:

    'maintenance_window_start' => 1,

    The value is the hour (UTC, 0 to 23) at which Nextcloud may start its daily maintenance window, so pick a quiet time for your users.

    Nextcloud Documentation:
    https://docs.nextcloud.com/server/28/go.php?to=admin-background-jobs

  • Mailcow: renew the certificate with Nginx Proxy Manager

    Create a file called "scriptmailssl.sh", open it in nano, paste the following and save it. The script copies the certificate that Nginx Proxy Manager obtained into mailcow's per-domain SSL folder and restarts the three mailcow containers that serve TLS so they pick it up.

    
    #!/bin/bash
    set -e
    
    # This script takes the certs generated by Nginx Proxy Manager
    # and copies them into the mailcow docker container's SSL folder.
    # Before use, update the paths to your docker data and check which
    # NPM certificate (npm-N) belongs to the mailcow hostname.
    
    cp /home/applegater/docker/nginx/letsencrypt/live/npm-7/fullchain.pem /home/applegater/docker/mailu/mailcow-dockerized/data/assets/ssl/my.richardapplegate.io/cert.pem
    cp /home/applegater/docker/nginx/letsencrypt/live/npm-7/privkey.pem /home/applegater/docker/mailu/mailcow-dockerized/data/assets/ssl/my.richardapplegate.io/key.pem
    
    # Restart the containers that read the certificate
    postfix_c=$(docker ps -qaf name=postfix-mailcow)
    dovecot_c=$(docker ps -qaf name=dovecot-mailcow)
    nginx_c=$(docker ps -qaf name=nginx-mailcow)
    docker restart ${postfix_c} ${dovecot_c} ${nginx_c}
    

    Then make the script executable:

    chmod +x /home/applegater/docker/scriptmailssl.sh

    Add a cron job that runs it on the first of every month at 01:00:

    crontab -e 
    0 1 1 * * bash /home/applegater/docker/scriptmailssl.sh >/dev/null 2>&1

    It will do the job for you every month. Let's Encrypt certificates are valid for 90 days and Nginx Proxy Manager renews them about 30 days before expiry, so a monthly copy is enough, but it also means the mail services are restarted once a month whether or not the certificate changed; run it more often only if you add a check that the file actually changed.
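    A stricter version of the same job, added here as an example; it is not the post's script and not part of mailcow or Nginx Proxy Manager. It adds three checks the script above skips: it confirms the private key matches the certificate before installing anything, it copies and restarts only when the certificate actually changed, and it fails loudly instead of silently. The source and destination paths are the post's and are assumptions for your setup; the throwaway certificates used below are generated on the spot.

```sh
#!/bin/sh
# Added example (not the post's script, not part of mailcow or Nginx Proxy Manager).
# Same job as the script above with three checks it skips: confirm the key matches the
# certificate before installing it, copy only when the certificate actually changed
# (so the mail containers are not restarted every run), and fail loudly.
# The paths are the post's and are assumptions for your setup.
set -u

SRC_CERT=${SRC_CERT:-/home/applegater/docker/nginx/letsencrypt/live/npm-7/fullchain.pem}
SRC_KEY=${SRC_KEY:-/home/applegater/docker/nginx/letsencrypt/live/npm-7/privkey.pem}
DST_DIR=${DST_DIR:-/home/applegater/docker/mailu/mailcow-dockerized/data/assets/ssl/my.richardapplegate.io}

# cert_matches_key CERT KEY -> 0 when both carry the same public key (RSA or EC)
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_changed SRC DST -> 0 when DST is missing or differs from SRC
cert_changed() {
    [ ! -f "$2" ] || ! cmp -s "$1" "$2"
}

# install_cert CERT KEY DST_DIR -> 0 installed, 2 unchanged (nothing to do), 1 error
install_cert() {
    cert=$1; key=$2; dst=$3
    cert_matches_key "$cert" "$key" || { echo "certificate and key do not match; not installing" >&2; return 1; }
    cert_changed "$cert" "$dst/cert.pem" || return 2
    mkdir -p "$dst" || return 1
    # write to temp names, then rename, so a reader never sees a half-written file;
    # the private key is created owner-only
    cp "$cert" "$dst/cert.pem.new" || return 1
    ( umask 077 && cp "$key" "$dst/key.pem.new" ) || return 1
    mv "$dst/key.pem.new" "$dst/key.pem" && mv "$dst/cert.pem.new" "$dst/cert.pem"
}

# restart_mailcow -> restart the three containers that serve TLS, as in the post's script
restart_mailcow() {
    docker restart "$(docker ps -qaf name=postfix-mailcow)" \
                   "$(docker ps -qaf name=dovecot-mailcow)" \
                   "$(docker ps -qaf name=nginx-mailcow)"
}

main() {
    install_cert "$SRC_CERT" "$SRC_KEY" "$DST_DIR"
    case $? in
        0) restart_mailcow ;;
        2) echo "certificate unchanged; nothing to do" ;;
        *) exit 1 ;;
    esac
}

# The real job only runs when invoked with --run, so sourcing the file for its
# functions has no side effects.
if [ "${1:-}" = "--run" ]; then main; fi
```

    With the change check in place the cron line can run daily (`0 1 * * * bash /home/applegater/docker/scriptmailssl.sh --run`) without restarting the mail services except on the day a renewed certificate appears; drop the `>/dev/null 2>&1` from the cron line if you want cron to mail you the error when the key and certificate disagree.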

  • Nextcloud 28.0.3: annoying error message "4 errors in the logs since…" on Portainer

    Deleting nextcloud.log makes the warning go away, but it will come back unless you fix whatever is writing the errors, so read the log before you delete it. This is like an engine light: clearing it is not the same as fixing the fault.

    After deleting the log, the check passes again.

  • Nextcloud: error message after an update. I use Portainer and Docker.

    Error Message:

    Go to the Portainer web UI and log in with your admin account. Select the correct environment, then open the Nextcloud container and choose Console.

    Change the user from root to www-data before you connect. occ refuses to run as a user other than the owner of config/config.php, and running it as root would also leave root-owned files behind that the web server cannot write.

    You now have a terminal in the web UI. Run this command to add the database indices the update introduced:

    php occ db:add-missing-indices

    Success, and the error is gone.

    Before:

    After

  • Anthem upgraded the network shelf to a cabinet.

    In September 2023 I set up this network on an open shelf, and it suffered severe overheating because grease was settling on the equipment. In October 2023 I moved it into a cabinet, and it has been running flawlessly since. All the devices are fanless, which cuts down on dust and grease buildup. 🙂

    Before

    After

  • SSH – Make Sure Our Server Is Secure And Create A Key For SSH.

    If you want to reach your server from home you can, but do not simply install OpenSSH and log in with a password; password logins are what every bot on the internet is guessing at. I strongly recommend Ed25519 keys, which are both the most secure and the fastest option OpenSSH offers. Follow the instructions on the Red Hat website to protect your Linux server; those answers are the most accurate. Or use the server-side ssh config I made, below.

    But first, we must generate the Ed25519 key for our SSH or SFTP access.

    1. Download PuTTY.
    2. On your Windows PC, open PuTTYgen (PuTTY Key Generator).
    3. Select EdDSA, then Ed25519, then Generate.
    4. Move the mouse over the blank area in PuTTYgen to provide randomness for the key.
    5. After generation, set a key comment and a key passphrase, and save the private key somewhere safe.
    6. On your server, edit authorized_keys with "nano ~/.ssh/authorized_keys" and paste the public key shown in PuTTYgen (the "Public key for pasting into OpenSSH authorized_keys file" box, a single line starting with ssh-ed25519).
    7. Save authorized_keys. No ssh restart is needed for this; sshd reads the file at login time. Make sure ~/.ssh is mode 700 and authorized_keys is mode 600, or sshd will ignore it.

    Now test a key login in a new window while the current session stays open. The server still accepts passwords, so next we change the Linux SSH configuration with a drop-in file, richardprofile.conf or whatever name you like. The path is /etc/ssh/sshd_config.d/richardprofile.conf, and it only takes effect if /etc/ssh/sshd_config contains the line Include /etc/ssh/sshd_config.d/*.conf, which recent Ubuntu and Debian releases ship by default.

    Port 22
    PermitEmptyPasswords no
    PermitRootLogin no
    PubkeyAuthentication yes
    PasswordAuthentication no
    ClientAliveInterval 60
    ClientAliveCountMax 3
    
    

    Save the configuration file and then restart ssh. Password guessing is now off the table, but the daemon is still reachable by everyone, so the next step is the Fail2ban setup above, which drops persistent scanners so they do not keep the log and the network busy.

    These are great, and I plan to add an SSH login banner soon.
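    A check for the drop-in above, added here as an example (not from the original post). sshd uses the first value it reads for each keyword, and the drop-in only wins because Ubuntu's sshd_config begins with the Include line, so the file order matters. These functions replay that first-match rule over the files in the order sshd reads them, ignoring Match blocks, and compare the result with the hardening targets from the config above. The sshd_config and richardprofile.conf used below are constructed; the function handles the "Keyword value" form only, not "Keyword=value".

```sh
#!/bin/sh
# Added example (not from the original post): sshd takes the FIRST value it reads for
# a keyword. On Ubuntu /etc/ssh/sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in is read first and wins.
# These functions replay that rule over files given in the order sshd reads them.

# sshd_effective KEYWORD FILE... -> first value for KEYWORD outside Match blocks (lowercased)
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    awk -v k="$key" '
        FNR == 1                    { inmatch = 0 }  # a Match block is treated as ending with its file
        /^[[:space:]]*#/ || NF == 0 { next }         # comments and blank lines
        tolower($1) == "match"      { inmatch = 1; next }
        inmatch                     { next }         # conditional settings do not set the global value
        tolower($1) == k            { print tolower($2); exit }
    ' "$@"
}

# sshd_check_hardening FILE... -> 0 when every target holds, else 1 with one line per miss
sshd_check_hardening() {
    rc=0
    for want in PasswordAuthentication=no PermitRootLogin=no PubkeyAuthentication=yes PermitEmptyPasswords=no; do
        kw=${want%%=*}
        val=${want#*=}
        got=$(sshd_effective "$kw" "$@")
        if [ "${got:-unset}" != "$val" ]; then
            echo "$kw: effective '${got:-unset}', want '$val'"
            rc=1
        fi
    done
    return $rc
}
```

    On a real server call it as `sshd_check_hardening /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config`. The authoritative check is sshd itself: `sudo sshd -t` validates the syntax before you restart, and `sudo sshd -T | grep -i passwordauthentication` prints the value the daemon will actually use. Keep your existing session open until a key login in a second window has succeeded.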