I used Rufus to make the USB bootable after burning the ISO to it. I then went to the simple-CDD folder on the USB and pasted the scripts eee-ignore-realtek-patch.sh and late_command.sh into that folder.
Next, paste in the two files you just downloaded and extract them.
Then plug the USB in and do a fresh install. This disables network EEE so the install can proceed; make sure you don't enable it again in the future.
All my Google Drive accounts are migrated to my Nextcloud. I built Nextcloud on my server and finished it. I love that Nextcloud lets me keep private data on my own server instead of on Google, OneDrive, or Apple cloud servers, which we had to pay to hold our data. I installed the office suite on Nextcloud, so now we can do word processing, presentations, spreadsheets, and drawings. We also have Nextcloud Talk on Nextcloud, which is the benefit of having everything in one app.
If you want to build your own server, you can! 🙂 Here is the link.
I installed a BOSGAME mini computer that was fast enough for our internet speed, and its performance as a multi-server firewall was excellent. Furthermore, I also installed WireGuard VPN on the firewall to enable remote access to my server from a single IP address, so I won't get attacked or hacked via SSH.
The firewall protects our server from hacking, malware, ransomware, and more. Our firewall has a phishing blocker and a spam blocker for our email server, which is very beneficial for our business.
I also like the bandwidth control for our server, which improves performance.
Speed test results on the mini PC (screenshots): with WireGuard VPN, and without VPN.
I am happy with the speed: the server location has 600 Mbps download and 200 Mbps upload from Comcast Business, so my firewall can handle the VPN, the firewall itself, and many other features. Now our server and web hosting are safe again. My home has 300 Mbps down and 35 Mbps up from Xfinity, so my upload is perfect.
I finally got this to work with AdGuard Home on Cloudron. It won't work with just the DNS port or encryption alone until you add an IP or a Client ID under Allowed clients, so I am using a Client ID. This will show you how to set up DoH to AdGuard Home with the TP-Link Omada DNS Proxy.
This explains what Client IDs are. I found DNS over HTTPS useful for our networks, since I have a wildcard certificate.
Open AdGuard Home and log in to your admin account. Navigate to the DNS settings and find Allowed clients. I entered laketapp, the nickname I use for our stores. Then make sure you save it.
Then go to the TP-Link Omada Controller web GUI, log in as admin, and select the site where you want to set up DNS over HTTPS with the Cloudron AdGuard Home.
After you select the site, go to Services on the left side.
Then go to DNS Proxy, enable DNS Proxy, choose DoH, and add your AdGuard server. Mine is https://laketapp.dns195.richardapplegate.io.
Now check AdGuard Home to see whether any queries are arriving.
Yep, it's working. My router is now communicating with my DNS server securely.
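As an added check that is not part of the original post, AdGuard Home, or Omada: the router's DNS proxy sends RFC 8484 requests to that URL, with the Client ID riding in the hostname (which is why the wildcard certificate has to cover it). The Python script below builds the same GET request, so you can reproduce a query with curl, and decodes the binary answer. The /dns-query path is assumed to be AdGuard Home's default DoH path, and SAMPLE_RESPONSE is a constructed reply for offline testing, not one captured from the server.

```python
"""Build and decode RFC 8484 DNS-over-HTTPS requests against an AdGuard Home endpoint.
Added example for this post; not AdGuard Home or Omada code."""
import base64
import struct
import urllib.request

# Assumption: AdGuard Home serves DoH at /dns-query under the client-ID hostname from the post.
DOH_SERVER = "https://laketapp.dns195.richardapplegate.io"
TYPE_A = 1

# Constructed response (not captured from a real server): flags 0x8180 (QR, RD, RA), one question,
# one A record for example.com with TTL 300 and a name pointer (0xc00c) back to the question.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"
)


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Minimal wire-format query (RFC 1035). ID 0 as RFC 8484 recommends so HTTP caches can hit."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(query: bytes, server: str = DOH_SERVER) -> str:
    """GET form: base64url without '=' padding in the dns= parameter (RFC 8484 section 4.1)."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{server}/dns-query?dns={encoded}"


def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset just past it in the original stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Return the response code and the A records (name, ttl, address) from a DNS reply."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"rcode": flags & 0x0F, "answers": answers}


def resolve_over_doh(name: str, server: str = DOH_SERVER) -> dict:
    """Live check (needs network and the real endpoint): fetch and decode an A lookup."""
    req = urllib.request.Request(doh_get_url(build_query(name), server),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    print(doh_get_url(build_query("example.com")))  # paste into curl -H 'Accept: application/dns-message'
    print(parse_response(SAMPLE_RESPONSE))          # offline decode of the constructed reply
```

Run it to print the URL, fetch that URL with curl -H 'Accept: application/dns-message' (or call resolve_over_doh("example.com")), and the query should show up in the AdGuard Home query log attributed to the laketapp client.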
I built another mini computer for Sunrise Village and added a second network card to it for the internal and external networks. I also set the internal interface to "bridge", wired the modem to the firewall's "external" port and the firewall's "internal" port to a 1 gigabit switch, so I can put more servers on one 1 Gbps switch. We have static IPs and use them on our servers, so my firewall will not protect my server until I create the rules, the firewall policy, threat prevention, and the virus blocker.
We could upgrade the server and firewall to 2.5 Gbps or 10 Gbps, but our plan is 600 Mbps down and 200 Mbps up, so that is enough for all the servers hosted on the switch.
Not only that, but we have three locations that require a firewall. I set up a firewall at Sunrise Village a few days ago, and it is working well. We need to protect the location where our server is, since it runs all of our store network, our Slack alternative, and our cloud storage.
User 1: Omada TP-Link router hosting. User 2: web and email hosting. User 3: all-apps-in-one server solution.
A firewall serves as a safeguard against distributed denial-of-service attacks from the Internet. The firewall on our modem is weak, and we're still getting DDoS attacks. We need a better firewall so we don't have to worry about our server and network systems.
Fail2Ban is a Python program that helps safeguard Linux servers from brute-force attacks. It can be configured to protect your server's SSH service, and it also shows you how intense the attacks are in terms of how many authentication attempts are being made.
Brute-force attacks can be persistent and may produce thousands of failed authentication attempts each day. Understanding how to safeguard your server against them and how to block offending IP addresses is essential.
Fail2Ban blocks brute-force attacks by limiting the number of failed authentication attempts an address can make within a time window before it is banned (by default with a firewall rule).
This is especially useful for servers that still allow password-based remote authentication rather than SSH key-pair authentication only.
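To make the maxretry/findtime rule concrete, here is an added example (mine, not Fail2Ban's code) that applies the same sliding-window logic to a constructed auth.log excerpt: three failures within ten minutes get an address banned for an hour, failures spread further apart than findtime do not, and addresses in ignoreip are never banned.

```python
"""Sliding-window brute-force detection, the rule Fail2Ban's sshd jail applies:
ban an address once it produces maxretry failures within findtime seconds.
Added example for this post; it is not Fail2Ban's own code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines in the shape Fail2Ban's sshd filter matches (syslog timestamp, no year).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed auth.log excerpt: 203.0.113.7 hammers root, 192.0.2.9 fails once every 15 minutes.
SAMPLE_LOG = """\
Mar  3 10:00:01 srv sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:04 srv sshd[4103]: Failed password for root from 203.0.113.7 port 51010 ssh2
Mar  3 10:00:09 srv sshd[4105]: Accepted publickey for deploy from 198.51.100.2 port 40022 ssh2
Mar  3 10:00:12 srv sshd[4107]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar  3 10:00:20 srv sshd[4110]: Failed password for root from 203.0.113.7 port 51019 ssh2
Mar  3 10:10:00 srv sshd[4201]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
Mar  3 10:25:00 srv sshd[4230]: Failed password for invalid user test from 192.0.2.9 port 33002 ssh2
Mar  3 10:40:00 srv sshd[4260]: Failed password for invalid user test from 192.0.2.9 port 33003 ssh2
"""


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; assume one (the sample data is from a single day)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log: str, maxretry: int = 3, findtime: int = 600, bantime: int = 3600,
              ignoreip: tuple = ()) -> dict:
    """Return {ip: (ban_start, ban_end)} for every address that hit maxretry
    failures inside a findtime window; ignoreip addresses are never banned."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m or m["ip"] in ignoreip or m["ip"] in bans:
            continue  # not a failure, whitelisted, or already blocked by the firewall rule
        now = parse_ts(m["ts"])
        # keep only failures that are still within findtime of this one, then count this one
        hits = [t for t in recent[m["ip"]] if now - t <= window] + [now]
        recent[m["ip"]] = hits
        if len(hits) >= maxretry:
            bans[m["ip"]] = (now, now + timedelta(seconds=bantime))
    return bans


if __name__ == "__main__":
    for ip, (start, end) in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

The point of the window is visible in the sample: 192.0.2.9 fails three times but fifteen minutes apart, so with the default findtime of 10 minutes it is never banned, while 203.0.113.7 trips the rule on its third failure. Loosening findtime to an hour catches the slow attacker too; that is the trade-off you tune in jail.local.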
First, update and upgrade your Ubuntu server:
sudo apt update && sudo apt upgrade
Installing and Configuring Fail2Ban
Fail2Ban is free and available from most popular package managers.
1. Install Fail2Ban by running the following command:
sudo apt-get install fail2ban
2. Use the following command to ensure that Fail2Ban runs at system startup:
sudo systemctl enable fail2ban.service
3. After you have installed Fail2Ban, you can set up a jail for your SSH server. The configuration files for Fail2Ban are in the directory /etc/fail2ban.
Fail2Ban ships its defaults in jail.conf, but you should not edit that file, because updates to the Fail2Ban package can overwrite it. The preferred approach is to put your own settings in a file with the .local extension in the /etc/fail2ban directory; values there override jail.conf and survive upgrades. For example:
/etc/fail2ban/jail.local
Creating SSH Jails With Fail2Ban
1. Begin by creating a new file called jail.local in that directory. You can then add the security configuration for the sshd jail.
sudo nano /etc/fail2ban/jail.local
2. Explore the options Fail2Ban provides to customize how the SSH service is protected and how bans are applied. Fail2Ban configuration options:
Configuration   Function
enabled         Jail status (true/false); enables or disables the jail
port            Port(s) the protected service listens on (a number or a service name such as ssh)
filter          Service-specific log filter that defines which log lines count as failures
logpath         Log file(s) to scan
maxretry        Number of failed attempts allowed before a ban
findtime        Window of time within which the maxretry failures must occur to trigger a ban
bantime         Number of seconds an IP is banned for
ignoreip        IP addresses or networks that are never banned
3. With the information in the table above, you can create the jail.local configuration for the OpenSSH server (sshd). The values used in this guide are shown in the sample file (screenshot); I created /etc/fail2ban/jail.local and configured it to ban an IP after 3 wrong passwords.
4. After you have specified the configuration options and their values, save the file and restart the Fail2Ban service with the following command:
sudo systemctl restart fail2ban.service
5. After the restart, Fail2Ban loads the new configuration, and the jail for the sshd service is active and running.
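For reference, an added example jail.local that matches what this guide describes (my file, not the author's screenshot; the ignoreip networks are assumptions, substitute your own LAN or WireGuard range):

```ini
[DEFAULT]
# Addresses that are never banned: loopback and (assumed) the LAN/WireGuard side you manage from.
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/24
# Three failures inside ten minutes earn a one-hour ban.
findtime = 10m
maxretry = 3
bantime  = 1h

[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s
```

Restart Fail2Ban and run sudo fail2ban-client status sshd; the output lists the log source being watched and the currently banned addresses. On systems without rsyslog (Debian 12 by default) sshd logs only to the journal, so set backend = systemd in the [sshd] section or the jail will not start.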
I would prefer that my server use DNS over TLS instead of plain port 53. I did it, and it works really well. Furthermore, I no longer see attacks on port 53.
Assuming systemd-resolved is enabled and you have set DNSOverTLS=yes in its configuration, restart the service:
systemctl restart systemd-resolved.service
Use the local stub resolver
systemd-resolved provides a local DNS stub listener on 127.0.0.53 on the loopback interface, so to use its DNS-over-TLS-capable resolver we need to manage /etc/resolv.conf and make sure 127.0.0.53 is the only nameserver listed; any other nameserver left there would still be queried over plain port 53.
NOTE: systemd maintains /run/systemd/resolve/stub-resolv.conf for compatibility with traditional Linux programs; we can simply make /etc/resolv.conf a symlink to this file.
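As an added example (not from the post or from systemd), a drop-in that turns DNS over TLS on for systemd-resolved; the Quad9 upstream is an assumption, use whatever DoT-capable resolver you trust:

```ini
[Resolve]
# Upstream given as ip#hostname so resolved can validate the TLS certificate, not only the address.
DNS=9.9.9.9#dns.quad9.net 2620:fe::fe#dns.quad9.net
# Clear the compiled-in fallback list so nothing is ever queried in plaintext.
FallbackDNS=
# "yes" is strict: never fall back to plaintext port 53; "opportunistic" prefers availability.
DNSOverTLS=yes
DNSSEC=allow-downgrade
```

Save it as /etc/systemd/resolved.conf.d/dot.conf, then run sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf and sudo systemctl restart systemd-resolved.service. resolvectl status should now show +DNSOverTLS on the Protocols line (older versions print DNSOverTLS setting: yes), and a packet capture on the uplink should show only port 853 traffic. With DNSOverTLS=yes, resolution fails rather than silently falling back to plaintext if the TLS session cannot be established; set it to opportunistic if you would rather keep resolving.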
I am using ntfy for my SSH alerts and Watchtower update notices. It is pretty cool to have this feature: I know who is accessing my server without my authorization, and I know when my Docker containers need updating.
Create a script file called /usr/local/bin/ntfy-ssh-login.sh:
nano /usr/local/bin/ntfy-ssh-login.sh
Here is the code. Make sure you change the topic URL and the username and password for the nginx auth.
#!/bin/bash
# PAM exec hook that notifies you over ntfy when somebody logs into your server.
# Place at /usr/local/bin/ntfy-ssh-login.sh (with chmod +x!) and call it from /etc/pam.d/sshd via pam_exec.so.
TOPIC_URL="https://yourntfydomain/yourtopic"   # full topic URL, not just the host
NGINXUSER="yourusername"                       # nginx basic-auth credentials in front of ntfy
NGINXPASSWORD="yourpassword"

# pam_exec runs this for every PAM phase; only notify when a session actually opens.
if [ "${PAM_TYPE}" = "open_session" ]; then
    curl -fsS -u "${NGINXUSER}:${NGINXPASSWORD}" \
        -H "Tags: warning" -H "Priority: high" \
        -d "SSH login to $(hostname): ${PAM_USER} from ${PAM_RHOST}" \
        "${TOPIC_URL}" > /dev/null
fi
# Never let a failed notification block the login itself.
exit 0
Then save with Ctrl+X, then Y.
Make the script executable with the command below. Because it holds the nginx credentials, also make sure only root can read it (PAM runs it as root, so mode 700 is enough). Finally, hook it into PAM by adding the line session optional pam_exec.so /usr/local/bin/ntfy-ssh-login.sh to /etc/pam.d/sshd; without that line the script is never called.
chmod +x /usr/local/bin/ntfy-ssh-login.sh
Now try logging in from another terminal and see if it notifies you; then log in again and check that it notifies you again. 🙂
It works well. It shows the username and IP address, so the IT team can protect the account if someone accesses our server without permission.