Blog

  • Using Fail2Ban for SSH Brute-force Protection on your server.

    Fail2Ban is a Python daemon that scans log files for repeated failures and temporarily bans the offending IP addresses with firewall rules. Configured for SSH, it cuts off brute-force password guessing against your server, and its logs and status output show how heavy the attacks are in terms of authentication attempts.

    Brute-force attacks can be powerful and may result in thousands of failed authentication attempts each day. Understanding how to safeguard your server against these attacks and how to block IP addresses is essential.

    Fail2Ban blocks brute-force attacks by banning a source IP address after a configured number of failed authentication attempts within a time window.

    This is extremely useful for servers that have user accounts that utilize passwords for remote authentication, rather than SSH key-pair authentication.

    First, update the package lists and upgrade the installed packages on your Ubuntu server.

    sudo apt update && sudo apt upgrade

    Installing and Configuring Fail2Ban

    Fail2Ban is free software and is packaged for most popular Linux distributions, so it installs with the system package manager.

    1. Please install Fail2Ban by running the following command:
    sudo apt-get install fail2ban

    2. Please use the following command to ensure that Fail2ban runs at system startup:

      sudo systemctl enable fail2ban.service

      3. After you have installed Fail2Ban, you can start setting up Fail2Ban to create a jail for your SSH server. The configuration files for Fail2Ban are in the directory /etc/fail2ban.

      Fail2Ban reads its defaults from jail.conf, but that file should not be edited: a package update can overwrite it. The preferred approach is to put your own settings in a file with the .local extension in /etc/fail2ban; Fail2Ban reads it after the .conf file, and its values override the defaults. For example:

      path is /etc/fail2ban/jail.local

      Creating SSH Jails With Fail2Ban

      1. Begin by creating a new file within the same directory called jail.local. You can then add the necessary security configurations for the sshd jail.
      sudo nano /etc/fail2ban/jail.local

      2. Fail2Ban provides options to customize the detection and blocking of the SSH service. The most common configuration options:

      Option      Function
      enabled     Jail status (true/false): enables or disables the jail
      port        Port(s) to ban on: a service name such as ssh, or a number
      filter      Service-specific filter (the log pattern from filter.d/)
      logpath     Which log file(s) to scan
      maxretry    Number of failed attempts within findtime before a ban
      findtime    Window, in seconds, in which the maxretry failures must occur
      bantime     Number of seconds an IP is banned for
      ignoreip    IP addresses or networks that are never banned

      3. With the options in the table above, create the jail.local configuration for the OpenSSH server (sshd). The values below are the ones used in this guide: /etc/fail2ban/jail.local bans an address after 3 wrong passwords within 5 minutes. If sshd listens on a non-standard port, set port to that number.

      [sshd]
      enabled = true
      port = ssh
      filter = sshd
      logpath = /var/log/auth.log
      # 3 failures within findtime (300 s) ban the source for bantime (3600 s)
      maxretry = 3
      findtime = 300
      bantime = 3600
      # never ban localhost; add your own management address or network here
      ignoreip = 127.0.0.1/8 ::1

      4. After you have specified the configuration options and their respective values, save the file and restart the Fail2Ban service with the following command:

      sudo systemctl restart fail2ban.service

      5. Once Fail2Ban has restarted it uses the new configuration and the sshd jail is active. You can confirm it is running, and see which addresses are currently banned, with sudo fail2ban-client status sshd.

      How to unban an IP address: see the linked instructions.

    1. I upgraded the network cabinet at Sunrise Village.


      The amount of wiring and the equipment stacked on top of each other was not a good idea for the long term, so I asked my boss to upgrade it and make it secure and durable, because a network cabinet helps reduce dust and overheating. The cabinet's exhaust fan pulls the hot air out and also helps cool the system. Three more stores to go to finish the network cabinets.

      Before
      I intend to rewire and cable everything next month to ensure proper cable management.
      After.


    2. How to identify your Linux operating system.

      This command shows the operating system, kernel version, architecture and hostname details:

      hostnamectl
    3. DNS over TLS with systemd-resolved on Ubuntu 22.04.4 LTS.

      I would prefer my server to use DNS over TLS instead of plain DNS on port 53. I set it up, it works really well, and I no longer see attacks on port 53.

      Using DNS over TLS (DoT) with systemd-resolved works on any Linux system that runs it; the file contents below are specific to Ubuntu 22.04.4 LTS.

      1. Edit /etc/systemd/resolved.conf. The stock file ships with every option commented out; after setting DNS= it looks like this:
      [Resolve]
      DNS=1.1.1.1 1.0.0.1 8.8.8.8
      #FallbackDNS=1.1.1.1 9.9.9.10 8.8.8.8 2606:4700:4700::1111 2620:fe::10 2001:4860:4860::8888
      #Domains=
      #LLMNR=yes
      #MulticastDNS=yes
      #DNSSEC=allow-downgrade
      #DNSOverTLS=opportunistic
      #DNSSEC=yes
      #DNSOverTLS=yes
      #Cache=yes
      #DNSStubListener=yes
      #ReadEtcHosts=yes
      

      For Ubuntu 22.04.4 LTS, remove the leading # from DNSSEC and DNSOverTLS and set the servers, so that resolved.conf reads:

      [Resolve]
      DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 8.8.8.8#dns.google
      FallbackDNS=1.1.1.1#cloudflare-dns.com 9.9.9.10#dns10.quad9.net 8.8.8.8#dns.google
      #Domains=
      #LLMNR=no
      #MulticastDNS=no
      DNSSEC=yes
      DNSOverTLS=yes
      #Cache=yes
      #DNSStubListener=yes
      #ReadEtcHosts=yes

      The address#name form (systemd 243 and later) gives systemd-resolved a server name to use for SNI and to validate the server certificate against; with a bare address the certificate is checked against the IP only. DNSOverTLS=yes is strict: if a server does not offer TLS on port 853, resolution fails instead of falling back to plain port 53 (DNSOverTLS=opportunistic allows the fallback, at the cost of downgrade attacks). All the resolvers listed support DoT. DNSSEC=yes is likewise strict and will refuse answers from zones with broken signatures; allow-downgrade is the lenient setting.
      
      2. Assuming systemd-resolved is enabled, restart the service:
      sudo systemctl restart systemd-resolved.service

      3. Use the local stub resolver.

      systemd-resolved provides a local DNS stub listener on 127.0.0.53 on the loopback interface. To send the system's lookups through the DoT-capable stub, /etc/resolv.conf must name 127.0.0.53 as the nameserver.

      NOTE: systemd maintains /run/systemd/resolve/stub-resolv.conf for compatibility with traditional Linux programs; point /etc/resolv.conf at it with a symlink:

      sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

      Done.
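      To make concrete what DNSOverTLS=yes changes on the wire, here is an added Python example (not code from this post or from systemd): it builds a standard DNS query, frames it with the two-byte length prefix that DNS over TCP and DNS over TLS (RFC 7858) use, and parses the answer. resolve_over_tls() performs a live lookup against 1.1.1.1 on port 853 with the certificate verified against the name cloudflare-dns.com, the same check systemd-resolved does for an address#name entry; constructed_response() is a hand-built answer with an RFC 5737 address for offline checking.

```python
"""DNS over TLS on the wire: build a query, frame it (RFC 7858), parse the answer.

Added example, not part of the blog post or of systemd-resolved. The DNS
message is byte-for-byte what goes out on UDP port 53; DoT only changes the
transport: TLS to port 853, each message preceded by a two-byte length.
constructed_response() is hand-built for offline checks (RFC 5737 address).
"""
import socket
import ssl
import struct

QID = 0x1234  # fixed query ID for the example; a real client picks a random one


def build_query(name, qid=QID, qtype=1):
    """DNS query for `name` (qtype 1 = A record) with the RD (recursion) bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS 1 = IN


def frame(msg):
    """TCP/TLS framing (RFC 1035 4.2.2, RFC 7858): big-endian 16-bit length prefix."""
    return struct.pack(">H", len(msg)) + msg


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, qid):
    """Return (rcode, [IPv4 strings]) from a response; rejects a mismatched ID."""
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("response ID does not match the query")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed before the full message arrived")
        buf += chunk
    return buf


def resolve_over_tls(name, server="1.1.1.1", sni="cloudflare-dns.com",
                     port=853, timeout=5):
    """Live DoT lookup (needs network). The certificate is verified against `sni`,
    as systemd-resolved does when DNS= carries an address#name entry."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack(">H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length), QID)


def constructed_response(qid=QID):
    """Hand-built answer (constructed, not captured): example.com A 192.0.2.1, TTL 300."""
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; NOERROR
    question = build_query("example.com", qid)[12:]
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    return header + question + answer


if __name__ == "__main__":
    print(resolve_over_tls("example.com"))
```

      The message bytes are identical to a plain UDP query; only the transport differs. That is why the stub on 127.0.0.53 can keep answering local programs over plain UDP while forwarding upstream over TLS. After restarting systemd-resolved, resolvectl status reports whether DNSOverTLS is active for the global configuration and for each link.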

    4. Ntfy: Watchtower, how to set it up with Portainer?

      It is straightforward. Here is the setup.

      Example:

      Watchtower docker-compose

      version: "3"
      services:
        watchtower:
          image: containrrr/watchtower
          volumes:
            # the Docker socket gives Watchtower full control of the Docker host
            - /var/run/docker.sock:/var/run/docker.sock
            - /etc/localtime:/etc/localtime:ro
          env_file:
            - stack.env

      WATCHTOWER_SCHEDULE=0 0 22 * * *
      WATCHTOWER_NOTIFICATIONS=shoutrrr
      WATCHTOWER_NOTIFICATION_SKIP_TITLE=True
      WATCHTOWER_NOTIFICATION_URL=ntfy://ntfy.sh/my_watchtower_topic?title=WatchtowerUpdates

      The second file is stack.env, which holds the four variables above. In Portainer you enter them in the stack's Environment variables section and Portainer writes them to stack.env next to the compose file, which is what env_file refers to.

      WATCHTOWER_SCHEDULE: when to check for updates. Watchtower takes a six-field cron expression with a leading seconds field, so 0 0 22 * * * runs once a night at 22:00; a five-field * 22 * * * would fire every minute during that hour. I chose a night-time schedule so I can work on the server without causing a service outage.

      WATCHTOWER_NOTIFICATIONS: we use Shoutrrr.

      WATCHTOWER_NOTIFICATION_SKIP_TITLE: True (I leave it as default).

      WATCHTOWER_NOTIFICATION_URL: ntfy://ntfy.sh/my_watchtower_topic?title=WatchtowerUpdates. A topic on the public ntfy.sh can be read by anyone who guesses its name, so use a long random topic name, or a self-hosted ntfy server with authentication.

      Once the stack is running, the first update check produces a notification in the ntfy app or on the ntfy web page for the topic.

    5. Ntfy: push notifications for services.

      I am using ntfy for my SSH alerts and Watchtower updates. It is pretty cool to have this feature: I can know who is accessing my server without my authorization, and I know when my Docker containers need to be updated as well.

      SSH Alert Example

      Open the PAM configuration for sshd:

      sudo nano /etc/pam.d/sshd

      Add this line at the bottom of the file. pam_exec runs the script, as root, every time a session is opened or closed; optional means a failure of the script never blocks the login:

      session optional pam_exec.so /usr/local/bin/ntfy-ssh-login.sh

      Then create the script /usr/local/bin/ntfy-ssh-login.sh:

      sudo nano /usr/local/bin/ntfy-ssh-login.sh

      Here is the code; change the topic URL and the username and password for the nginx basic auth in front of your ntfy server.

      #!/bin/bash
      # PAM hook: notify via ntfy when somebody opens an SSH session.
      # Place at /usr/local/bin/ntfy-ssh-login.sh, owned by root, chmod 700
      # (it holds credentials and PAM runs it as root).

      TOPIC_URL="https://yourntfydomain/yourtopic"   # full URL including the topic
      NGINXUSER="yourusername"
      NGINXPASSWORD="yourpassword"

      # pam_exec calls this for open_session and close_session; only alert on open.
      if [ "${PAM_TYPE}" = "open_session" ]; then
        # --max-time keeps a slow or unreachable ntfy server from stalling the login.
        curl --silent --show-error --fail --max-time 5 \
          -u "${NGINXUSER}:${NGINXPASSWORD}" \
          -H "Tags: warning" -H "Priority: high" \
          -d "SSH login to $(hostname): ${PAM_USER} from ${PAM_RHOST}" \
          "${TOPIC_URL}"
      fi
      exit 0

      Save and exit nano with Ctrl+X, then Y.

      The script contains credentials, so make it executable and readable by root only (it should be owned by root):

      sudo chmod 700 /usr/local/bin/ntfy-ssh-login.sh

      Now log in from another terminal and check that a notification arrives; log in again and it should notify you again. 🙂

      It works well. It shows the username and IP address, so the IT team can protect the account if someone accesses our server without permission.
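      The same hook in Python, as an added example (not the post's script or ntfy's own code), makes the HTTP request ntfy expects explicit: a POST to the topic URL with Title, Priority and Tags headers and HTTP Basic authentication. It also skips the close_session call that pam_exec makes, enforces a timeout so a dead ntfy server cannot stall logins, and reads the credentials from a root-only file so the script itself need not hold them. The config path /etc/ntfy-ssh-login.conf and its KEY=VALUE format are assumptions for this example.

```python
#!/usr/bin/python3
"""Send an ntfy login alert from a PAM hook, with credentials kept out of the script.

Added example, not the post's script or ntfy's own code. Reads TOPIC_URL,
NGINXUSER and NGINXPASSWORD from CONFIG_PATH (an assumed location) and posts
the alert ntfy's publish API expects. Always exits 0 so PAM never sees an error.
"""
import base64
import os
import socket
import urllib.request

CONFIG_PATH = "/etc/ntfy-ssh-login.conf"  # assumed location; KEY=VALUE lines, mode 600


def parse_config(text):
    """Parse KEY=VALUE lines (comments and blanks ignored) into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def pam_login_message(env, hostname=None):
    """Alert text for an SSH session open; None for every other PAM phase."""
    if env.get("PAM_TYPE") != "open_session":
        return None
    host = hostname or socket.gethostname()
    user = env.get("PAM_USER", "?")
    rhost = env.get("PAM_RHOST", "?")
    return f"SSH login to {host}: {user} from {rhost}"


def build_ntfy_request(topic_url, message, user=None, password=None,
                       title="SSH login", priority="high", tags="warning"):
    """POST request for ntfy's publish API; Basic auth only when a user is given."""
    headers = {"Title": title, "Priority": priority, "Tags": tags}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    return urllib.request.Request(topic_url, data=message.encode("utf-8"),
                                  headers=headers, method="POST")


def send(req, timeout=5):
    """Deliver the request; the timeout keeps an unreachable ntfy server from stalling logins."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def main():
    message = pam_login_message(os.environ)
    if message is None:
        return 0  # close_session (or not called from PAM): nothing to report
    with open(CONFIG_PATH) as fh:
        cfg = parse_config(fh.read())
    req = build_ntfy_request(cfg["TOPIC_URL"], message,
                             cfg.get("NGINXUSER"), cfg.get("NGINXPASSWORD"))
    try:
        send(req)
    except OSError as exc:  # URLError/HTTPError are OSErrors: log, never block the login
        print(f"ntfy alert failed: {exc}")
    return 0  # pam_exec treats a non-zero exit as a PAM error


if __name__ == "__main__":
    raise SystemExit(main())
```

      Install it like the shell version: make it executable, reference it from /etc/pam.d/sshd with session optional pam_exec.so, and put TOPIC_URL, NGINXUSER and NGINXPASSWORD as KEY=VALUE lines in /etc/ntfy-ssh-login.conf owned by root with mode 600. Because pam_exec runs the hook as root, the credentials file can be unreadable to every other account while the script stays inspectable.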

    6. How to use Richard's Bitwarden server?

      Step by step:

      1. Download the "Bitwarden Password Manager" app from Google Play (Android) or the App Store (Apple).
      2. Open the Bitwarden password app.
      3. Tap Log in, then choose Self-hosted.
      4. The server URL is https://bitwarden.richardapplegate.io
      5. Log in to your account. If you don't have one, ask Richard Applegate to open registration. I have closed registration to be more secure and stay away from bots.
    7. How to set up Nextcloud from Richard Applegate's repo with Portainer?

      It is easy; I recommend using the repo and then enjoying the services.

      1. Open my Nextcloud git repo and copy all the environment variables, or the stack will fail with an error.
      2. Go to your Portainer site, then to Stacks and Add stack.
      3. Choose Repository as the build method and paste my Nextcloud repo URL, https://gitlab.richardapplegate.io/docker/nextcloud.git
      4. Scroll down to Environment variables and paste all the variables.
      5. Deploy the stack and open your Nextcloud at http://yourIP:Port
      6. A tutorial for putting a reverse proxy in front of it is coming soon.

    8. How to build a Dockerfile on Windows 10?

      Step-by-step instructions:

      1. Open Visual Studio Code and open the folder that contains your Dockerfile.
      2. Open Settings, then Extensions.
      3. Install the 'Docker' extension.
      4. Edit the Dockerfile as needed, then save it.
      5. In the Explorer on the left, right-click the Dockerfile and choose Build Image.
      6. Then open cmd.exe to run docker login and docker push.
      7. Enter your Docker Hub username and password for docker login.
      8. Run 'docker push username/imagename:tag' (the name you gave the image when building it), and the image is now on Docker Hub.
    9. Upgrading a PC for my boss

      I upgraded his PC's graphics card, power supply, RAM and Wi-Fi 6 network card to improve speed and stabilize his golf game.