Virtual Multiserver Environment With Dedicated Web & MySQL, Email & DNS Servers On Debian Squeeze With ISPConfig 3 - Page 5

Submitted by MaddinXx on Mon, 2012-05-21 15:41.

7.2.7 Installing fail2ban

Extend the /etc/fail2ban/jail.local file that falko suggests in The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Courier [ISPConfig 3]:

nano /etc/fail2ban/jail.local

You have to append or edit the following:

[roundcube]
enabled = true
port = http
filter = roundcube
logpath = /var/log/roundcube/userlogins
maxretry = 5

Last (and very important): don't forget to create the filter file /etc/fail2ban/filter.d/roundcube.conf that the jail refers to.

nano /etc/fail2ban/filter.d/roundcube.conf

with the following contents:

[Definition]
failregex = FAILED login for .*. from <HOST>
ignoreregex =

Restart fail2ban:

/etc/init.d/fail2ban restart

You can check that all jails are active with the command:

iptables -L -n

 

7.2.8 Installing mod_evasive With fail2ban Support

mod_evasive is an Apache module for handling DDoS attacks. We will install it and configure fail2ban to auto ban/unban reported attacks.

apt-get install libapache2-mod-evasive
mkdir /var/lock/mod-evasive
chown www-data /var/lock/mod-evasive
ln -s /etc/alternatives/mail /bin/mail
nano /etc/apache2/mods-available/mod-evasive.conf

and paste:

<IfModule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount 3
   DOSSiteCount 60
   DOSPageInterval 1
   DOSSiteInterval 2
   DOSBlockingPeriod 15
   DOSEmailNotify username@example.tld
   DOSLogDir "/var/lock/mod-evasive"
</IfModule>

Afterwards we activate the module and restart Apache:

a2enmod mod-evasive
/etc/init.d/apache2 restart

mod_evasive will now detect DDoS attacks. To ban the offending hosts with iptables, we have to create the file /etc/fail2ban/filter.d/apache-dosevasive.conf:

# Fail2Ban configuration file
#
# Author: Xela
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the Forbidden log entries in apache error.log
#          maybe (but not only) provided by mod_evasive
#
# Values:  TEXT
#
failregex = ^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:\s

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

and to /etc/fail2ban/jail.local we add:

[apache-dosevasive]

enabled = true
filter  = apache-dosevasive
action = iptables-allports[name=dos]
logpath = /var/log/apache*/*error.log
bantime = 600
maxretry = 10
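
Before relying on the two jails, it helps to confirm that each failregex really extracts the client address from the log format it watches. The following is an added example, not part of the original tutorial or of fail2ban itself: it imitates the <HOST> expansion with a simplified pattern, runs the roundcube and apache-dosevasive filters from this page over constructed log lines, and applies each jail's maxretry. HOST_GROUP, compile_failregex, hosts_to_ban and the sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4/hostname only).
HOST_GROUP = r"(?P<host>[\w\-.]+)"

# failregex and maxretry values copied from the two jails on this page.
FILTERS = {
    "roundcube": (r"FAILED login for .*. from <HOST>", 5),
    "apache-dosevasive": (
        r"^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] "
        r"client denied by server configuration:\s", 10),
}

def compile_failregex(failregex):
    """Expand <HOST>; reject a pattern that cannot capture the offending host."""
    rx = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    if "host" not in rx.groupindex:
        raise ValueError("No 'host' group in %r" % failregex)
    return rx

def hosts_to_ban(jail, lines):
    """Hosts whose matching lines reach maxretry (all lines assumed within findtime)."""
    failregex, maxretry = FILTERS[jail]
    rx = compile_failregex(failregex)
    hits = Counter(m.group("host") for m in map(rx.search, lines) if m)
    return sorted(host for host, n in hits.items() if n >= maxretry)

# Constructed sample log lines (documentation addresses, not real traffic).
ROUNDCUBE_LOG = [
    "[21-May-2012 15:41:%02d +0200]: FAILED login for alice@example.tld from 203.0.113.7" % s
    for s in range(5)
] + [
    "[21-May-2012 15:42:00 +0200]: FAILED login for bob@example.tld from 198.51.100.9",
    "[21-May-2012 15:43:00 +0200]: Successful login for bob@example.tld (ID: 2) from 198.51.100.9",
]
APACHE_LOG = [
    "[Mon May 28 07:22:%02d 2012] [error] [client 192.0.2.44] "
    "client denied by server configuration: /var/www/index.php" % s
    for s in range(10)
] + [
    "[Mon May 28 07:23:00 2012] [error] [client 192.0.2.44] File does not exist: /var/www/favicon.ico",
    "[Mon May 28 07:23:05 2012] [error] [client 198.51.100.9] "
    "client denied by server configuration: /var/www/admin",
]

if __name__ == "__main__":
    print("roundcube:", hosts_to_ban("roundcube", ROUNDCUBE_LOG))
    print("apache-dosevasive:", hosts_to_ban("apache-dosevasive", APACHE_LOG))
```

A failregex without <HOST> is rejected by compile_failregex, which is the same condition fail2ban reports as "No 'host' group" in its own log.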

 

7.3 Extending the Mail Server

7.3.1 Enhanced e-mail SPAM protection

The command below enables stricter spam handling for Postfix on ISPConfig 3 servers.

postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination'

Then restart postfix:

/etc/init.d/postfix restart

 

7.3.2 Installing Postgrey

Postgrey will eliminate 99% of all spam emails you receive. To install it, run these commands:

apt-get install postgrey
/etc/init.d/postgrey start

The Postfix configuration files are located in /etc/postfix. Edit /etc/postfix/main.cf and add check_policy_service inet:127.0.0.1:60000 to the smtpd_recipient_restrictions.

Then reload postfix's configuration:

postfix reload
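
Postfix evaluates smtpd_recipient_restrictions from left to right, so the greylisting check belongs after reject_unauth_destination. The following is an added example, not part of the original tutorial: it takes the value set in 7.3.1, drops the entries that appear twice, and appends the Postgrey policy service at the end. parse_restrictions, add_policy_service and TAKES_ARG are names made up for this illustration, and TAKES_ARG only covers the restrictions used on this page.

```python
import re

# Restrictions on this page that take one argument (assumption: not a complete list).
TAKES_ARG = {"reject_rbl_client", "check_recipient_access", "check_policy_service"}

def parse_restrictions(value):
    """Split a Postfix restriction list (commas and/or whitespace) into items."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        width = 2 if tokens[i] in TAKES_ARG else 1
        items.append(" ".join(tokens[i:i + width]))
        i += width
    return items

def add_policy_service(value, service="inet:127.0.0.1:60000"):
    """Return the list with the greylisting check appended after relay control."""
    # A repeated restriction never changes the outcome, so keep the first only.
    items = list(dict.fromkeys(parse_restrictions(value)))
    if "reject_unauth_destination" not in items:
        raise ValueError("no reject_unauth_destination: refusing to edit")
    policy = "check_policy_service " + service
    if policy not in items:
        items.append(policy)
    return ", ".join(items)

# Value set by the postconf -e command in 7.3.1, copied from the page.
PAGE_VALUE = (
    "permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, "
    "reject_non_fqdn_hostname, reject_unknown_recipient_domain, "
    "reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, "
    "reject_unknown_sender_domain, reject_unknown_recipient_domain, "
    "reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,"
    "reject_rbl_client ix.dnsbl.manitu.net, "
    "check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, "
    "reject_unauth_destination"
)

if __name__ == "__main__":
    print("smtpd_recipient_restrictions = " + add_policy_service(PAGE_VALUE))
```

The port 60000 is the one given on this page; it has to match the --inet option Postgrey is started with, otherwise Postfix cannot reach the policy service.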

 

7.4 Securing The Servers Using SSL

Last but not least you should follow this tutorial: http://www.howtoforge.com/securing-your-ispconfig-3-installation-with-a-free-class1-ssl-certificate-from-startssl. Don't forget to execute the commands on the right server!

 

8 Maintaining Our Servers

You should regularly run this to keep your servers up-to-date:

apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade

 

9 Links/Credits/Sources

Since most is not from me, here are all the links used for this tutorial:


Submitted by Alexandre (not registered) on Thu, 2012-07-19 02:49.
First thing: Thank you for this guide, it seems I get everything working!!! I want to know if it would be possible for you to add to this guide how to set up the Horde mail. I followed this: http://www.howtoforge.com/install-horde-4-webmail-for-ispconfig-on-debian-squeeze-through-pear But it only works if I do a second Apache install on the mailserver... or if I join mailserver and webserver in one... I'm willing to keep the setup of this guide with only one webserver, one mailserver, etc... Thanks in advance.
Submitted by lol (not registered) on Mon, 2012-05-28 14:41.

Hi,
May I suggest to you to correct the failregex:
failregex = ^\[[^\]]*\]\s+\[error\]\s+\[client \] client denied by server configuration:\s
As following:
failregex = ^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:\s

Because without it, it causes an error in fail2ban:
2012-05-28 07:22:55,553 fail2ban.filter : ERROR No 'host' group in '^\[[^\]]*\]\s+\[error\]\s+\[client \] client denied by server configuration:\s'

Submitted by MaddinXx (registered user) on Sat, 2012-06-23 11:20.

Thanks for the hint, I fixed the typo.

 @Yaroslav thx too, removed that part :)

Submitted by Sypher (registered user) on Tue, 2012-05-22 18:26.

It should be said that it's not a good idea to run both nameservers:

  • on the same server
  • in the same datacenter
  • in the same network

Outages will lead to severe issues. A DNS server doesn't eat up much resources so it can be put on a cheap VPS somewhere else.

Submitted by Yaroslav Halchenko (not registered) on Tue, 2012-05-22 03:56.

Issue was fixed in 0.8.6 IIRC and present also in version in Debian stable 0.8.4-3+squeeze1: http://packages.debian.org/changelogs/pool/main/f/fail2ban/fail2ban_0.8.4-3+squeeze1/changelog

as of few days back

 

Enjoy