Extending Perfect Server - Debian Squeeze [ISPConfig 3] - Page 5

11. Hardening your system

First of all, make sure that you have set the security level to High in the Web tab of Server Config in the ISPConfig 3 panel.

The following instructions are just a demonstration. Please make sure you fully understand them (by reading the documentation available on the Internet) before you apply and use them.

In general, if you follow them, you can rate limit traffic on specific ports, limit SYN connections and drop packets with known bad flag combinations. To apply them, create the folder /root/scripts (if it doesn't exist) and the following five files: loadfw, unloadfw, IPs, fwrules and reloadfail2ban. The first contains the script that loads the rules, the second the script that unloads them, the third the "BAD" IPs and "BAD" networks, the fourth the custom rules and the fifth a few commands to reload everything (including fail2ban).

mkdir /root/scripts
touch /root/scripts/loadfw
touch /root/scripts/unloadfw
touch /root/scripts/IPs
touch /root/scripts/fwrules
touch /root/scripts/reloadfail2ban
cd /root/scripts
nano loadfw

Paste the following:

#!/bin/bash
# Simple iptables IP/subnet load script
# ----------------------------------------------------------

cd /root/scripts/ || exit 1

IPT=/sbin/iptables
DROPMSG="fwBLOCKED "
# every line of IPs that is neither a comment nor empty
BADIPS=$(grep -v -E "^#|^$" /root/scripts/IPs)

# Insert each rule of fwrules at the top of INPUT. Every line lands above the
# previous one, so the chain ends up in the reverse of the file order.
# eval makes the shell interpret the quotes around --log-prefix values instead
# of handing them to iptables as part of the prefix; because the file content
# is executed, keep fwrules writable by root only.
while read -r fwrule
do
    [[ -z $fwrule || $fwrule == \#* ]] && continue   # skip empty lines and comments
    eval "$IPT -I INPUT $fwrule"
done < /root/scripts/fwrules

# Drop (and log: the LOG rule is inserted above the DROP rule) every address
# or network listed in IPs.
for ipblock in $BADIPS
do
    $IPT -I INPUT -s $ipblock -j DROP
    $IPT -I INPUT -s $ipblock -j LOG --log-prefix "$DROPMSG"
done

Edit unloadfw:

nano unloadfw

Paste the following:

#!/bin/bash
# Simple iptables IP/subnet unload script
# ---------------------------------------------------------

cd /root/scripts/ || exit 1

IPT=/sbin/iptables
DROPMSG="fwBLOCKED "
# every line of IPs that is neither a comment nor empty
BADIPS=$(grep -v -E "^#|^$" /root/scripts/IPs)

# Delete each rule of fwrules from INPUT. The rule must be passed exactly as it
# was inserted, so the lines go through the same eval as in loadfw.
while read -r fwrule
do
    [[ -z $fwrule || $fwrule == \#* ]] && continue   # skip empty lines and comments
    eval "$IPT -D INPUT $fwrule"
done < /root/scripts/fwrules

# Remove the DROP and LOG rules for every address or network listed in IPs.
for ipblock in $BADIPS
do
    $IPT -D INPUT -s $ipblock -j DROP
    $IPT -D INPUT -s $ipblock -j LOG --log-prefix "$DROPMSG"
done

Edit IPs:

nano IPs

Paste the annoying IPs (e.g. IPs banned multiple times by fail2ban) or whole networks. You can add IPs or networks here at any time, but before you make any modification (especially if you remove something) you have to run "/root/scripts/unloadfw". Afterwards edit the file, inserting IPs or networks, and finally run "/root/scripts/loadfw" (see below).

#IP
x.y.z.w
x.q.a.r

#networks
d.r.t.h/24

#mailservers
a.g.h.j

(You can use http://www.countryipblocks.net to see the networks that are associated with each country.) Edit fwrules:

nano fwrules

Paste the following (plus anything else that can be inserted (-I) into or deleted (-D) from the INPUT chain). The rules are for servers with a single network interface (eth0). Please change them to fit your needs (e.g. change eth0 if your network interface is named differently).

-p tcp --dport 50022 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw50022 -j DROP
-p tcp --dport 50022 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw50022 -j LOG --log-prefix "LMfwport50022"
-p tcp --dport 50022 -i eth0 -m state --state NEW -m recent --set --name fw50022
-p tcp --dport 50000 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw50000 -j DROP
-p tcp --dport 50000 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw50000 -j LOG --log-prefix "LMfwport50000"
-p tcp --dport 50000 -i eth0 -m state --state NEW -m recent --set --name fw50000
-p tcp --dport 10000 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw10000 -j DROP
-p tcp --dport 10000 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw10000 -j LOG --log-prefix "LMfwport10000"
-p tcp --dport 10000 -i eth0 -m state --state NEW -m recent --set --name fw10000
-p tcp --dport 25 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 20 --name fw25 -j DROP
-p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name fw25 -j LOG --log-prefix "LMfwport25"
-p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set --name fw25
-p tcp --dport 110 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 20 --name fw110 -j DROP
-p tcp --dport 110 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name fw110 -j LOG --log-prefix "LMfwport110"
-p tcp --dport 110 -i eth0 -m state --state NEW -m recent --set --name fw110
-p tcp --dport 50443 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw50443 -j DROP
-p tcp --dport 50443 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw50443 -j LOG --log-prefix "LMfwport50443"
-p tcp --dport 50443 -i eth0 -m state --state NEW -m recent --set --name fw50443
-p tcp --dport 22 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw22 -j DROP
-p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw22 -j LOG --log-prefix "LMfwport22"
-p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set --name fw22
-p tcp --dport 20 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw20 -j DROP
-p tcp --dport 20 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw20 -j LOG --log-prefix "LMfwport20"
-p tcp --dport 20 -i eth0 -m state --state NEW -m recent --set --name fw20
-p tcp --dport 21 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw21 -j DROP
-p tcp --dport 21 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw21 -j LOG --log-prefix "LMfwport21"
-p tcp --dport 21 -i eth0 -m state --state NEW -m recent --set --name fw21
-p tcp --dport 143 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 20 --name fw143 -j DROP
-p tcp --dport 143 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name fw143 -j LOG --log-prefix "LMfwport143"
-p tcp --dport 143 -i eth0 -m state --state NEW -m recent --set --name fw143
-p tcp --dport 53 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw53 -j DROP
-p tcp --dport 53 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw53 -j LOG --log-prefix "LMfwport53"
-p tcp --dport 53 -i eth0 -m state --state NEW -m recent --set --name fw53
-p tcp --dport 443 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw443 -j DROP
-p tcp --dport 443 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw443 -j LOG --log-prefix "LMfwport443"
-p tcp --dport 443 -i eth0 -m state --state NEW -m recent --set --name fw443
-p tcp --dport 8081 -i eth0 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw8081 -j DROP
-p tcp --dport 8081 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw8081 -j LOG --log-prefix "LMfwport8081"
-p tcp --dport 8081 -i eth0 -m state --state NEW -m recent --set --name fw8081
-p icmp -j DROP
-p icmp -m limit --limit 2/s -j ACCEPT
-p tcp --syn --dport 80 -m connlimit --connlimit-above 25 -j DROP
-p tcp --syn --dport 80 -m connlimit --connlimit-above 25 -j LOG --log-prefix "BLfwsyn80"
-p tcp --syn --dport 443 -m connlimit --connlimit-above 25 -j DROP
-p tcp --syn --dport 443 -m connlimit --connlimit-above 25 -j LOG --log-prefix "BLfwsyn443"
-p tcp --syn --dport 50443 -m connlimit --connlimit-above 25 -j DROP
-p tcp --syn --dport 50443 -m connlimit --connlimit-above 25 -j LOG --log-prefix "BLfwsyn50443"
-p tcp --syn --dport 50022 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 50022 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn50022"
-p tcp --syn --dport 22 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 22 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn22"
-p tcp --syn --dport 50000 -m connlimit --connlimit-above 15 -j DROP
-p tcp --syn --dport 50000 -m connlimit --connlimit-above 15 -j LOG --log-prefix "BLfwsyn50000"
-p tcp --syn --dport 10000 -m connlimit --connlimit-above 15 -j DROP
-p tcp --syn --dport 10000 -m connlimit --connlimit-above 15 -j LOG --log-prefix "BLfwsyn10000"
-p tcp --syn --dport 25 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 25 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn25"
-p tcp --syn --dport 20 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 20 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn20"
-p tcp --syn --dport 21 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 21 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn21"
-p tcp --syn --dport 110 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 110 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn110"
-p tcp --syn --dport 143 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 143 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn143"
-p tcp --syn --dport 53 -m connlimit --connlimit-above 10 -j DROP
-p tcp --syn --dport 53 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLfwsyn53"
-i eth0 -p tcp --tcp-flags ALL ALL -j DROP
-i eth0 -p tcp --tcp-flags ALL ALL -j LOG --log-level 4 --log-prefix "FLAAfw"
-i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level 4 --log-prefix "FINGfw"
-i eth0 -f -j DROP
-i eth0 -f -m limit --limit 6/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FRAGfw"
-i eth0 -p tcp --tcp-flags ALL NONE -j DROP
-i eth0 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULLfw"
-i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMASfw"
-i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level 4 --log-prefix "SYNRTSfw"
-i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level 4 --log-prefix "SYNRTSACKfw"
-i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level 4 --log-prefix "SYNRTSYNSfw"
-i eth0 -p tcp ! --syn -m state --state NEW -j DROP
-i eth0 -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "DROSYNCfw"

Edit reloadfail2ban:

nano reloadfail2ban

Paste the following:

#!/bin/bash

/etc/init.d/fail2ban restart
sleep 2
/root/scripts/unloadfw
sleep 2
/root/scripts/loadfw

Keep in mind that the reloadfail2ban script just unloads the custom rules in fwrules, restarts fail2ban and loads the rules in fwrules again. It doesn't do a full firewall restart. So before you edit the rules in this file (or the IPs file), unload them with unloadfw. The role of reloadfail2ban is to test that fail2ban works.

Finally execute:

chmod 700 reloadfail2ban
chmod 700 unloadfw
chmod 700 loadfw
/root/scripts/reloadfail2ban

If you want the custom rules to load after every reboot, append the line /root/scripts/loadfw at the end of /etc/init.d/rc.local:

nano /etc/init.d/rc.local

and append:

[...]
/root/scripts/loadfw
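Two slips in these files are easy to make and hard to notice once loadfw has run: an entry in IPs that is not an address or CIDR block, and a "-m recent" rule whose --set names a different list than its --rcheck/--update rules (the port then never gets rate limited). The lint script below is an added example, not part of the tutorial; it assumes only that IPs and fwrules live in /root/scripts as above, needs nothing but sh and awk, and never calls iptables.

```shell
#!/bin/sh
# Lint for the IPs and fwrules files that loadfw/unloadfw read. Added example,
# not part of the original tutorial: it only reads the two files and never
# calls iptables, so it is safe to run at any time, before or after loadfw.

# check_ip_list FILE: every non-comment, non-blank line must be an IPv4 address
# or CIDR block, as loadfw passes each one straight to "-s". Prints each bad
# line; exit status 1 if there is any.
check_ip_list() {
    awk '
        BEGIN { bad = 0 }
        /^#/ || /^$/ { next }                     # the lines loadfw skips too
        {
            ok = 0
            n = split($0, f, "/")
            if ((n == 1 || (n == 2 && f[2] ~ /^[0-9]+$/ && f[2] + 0 <= 32)) &&
                split(f[1], o, ".") == 4) {
                ok = 1
                for (i = 1; i <= 4; i++)
                    if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            }
            if (!ok) { print; bad = 1 }
        }
        END { exit bad }' "$1"
}

# check_recent_names FILE: a "-m recent" list written with --set must also be
# read with --rcheck/--update under the same --name (and vice versa), otherwise
# the hit counter is never consulted and that port is not rate limited at all.
# Prints each orphan list name; exit status 1 if there is any.
check_recent_names() {
    awk '
        /-m recent/ {
            name = ""
            for (i = 1; i < NF; i++) if ($i == "--name") name = $(i + 1)
            if (name == "") next
            if ($0 ~ /--set/)             set_names[name] = 1
            if ($0 ~ /--rcheck|--update/) chk_names[name] = 1
        }
        END {
            bad = 0
            for (n in set_names) if (!(n in chk_names)) { print n; bad = 1 }
            for (n in chk_names) if (!(n in set_names)) { print n; bad = 1 }
            exit bad
        }' "$1"
}

# lint_fw_scripts DIR: run both checks on DIR/IPs and DIR/fwrules (DIR defaults
# to /root/scripts). Exit status 0 only if everything passes.
lint_fw_scripts() {
    dir=${1:-/root/scripts}; rc=0
    out=$(check_ip_list "$dir/IPs")          || { rc=1; echo "bad IPs entries:"; echo "$out"; }
    out=$(check_recent_names "$dir/fwrules") || { rc=1; echo "orphan recent lists:"; echo "$out"; }
    return $rc
}

# make_sample_dir: write a constructed IPs/fwrules pair (documentation-range
# addresses, deliberate mistakes) into a temp directory and print its path.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/IPs" <<'EOF'
#IP
192.0.2.10
x.y.z.w
#networks
198.51.100.0/24
203.0.113.300
EOF
    cat > "$d/fwrules" <<'EOF'
-p tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw22 -j DROP
-p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --name fw22 -j LOG --log-prefix "LMfwport22"
-p tcp --dport 22 -m state --state NEW -m recent --set --name fw22
-p tcp --dport 50443 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 20 --name fw50443 -j DROP
-p tcp --dport 50443 -m state --state NEW -m recent --set --name fw7443
EOF
    echo "$d"
}

# Demo on the constructed sample; on a real server call lint_fw_scripts with no
# argument (or with the directory holding your IPs and fwrules).
sample=$(make_sample_dir)
lint_fw_scripts "$sample" || echo "(the sample contains deliberate mistakes)"
rm -rf "$sample"
```

Run it before every loadfw; a non-zero exit status means a line in IPs or fwrules needs fixing first.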

(D)DoS Deflate is a lightweight bash shell script designed to assist in blocking a denial of service attack. It creates a list of the IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.

IP addresses with more than a pre-configured number of connections are automatically blocked in the server's firewall, which can be plain iptables or Advanced Policy Firewall (APF). To install (D)DoS Deflate:

cd /tmp
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

Edit /usr/local/ddos/ddos.conf and apply the following changes, which disable the APF firewall and use plain iptables, e-mail events to root and block any IP with more than 100 connections per minute.

[...]
APF_BAN=0
EMAIL_TO="root"
NO_OF_CONNECTIONS=100
[...]

The above are just a bunch of suggestions. You can extend them as you like.

The implementation is just one approach of many. You can use a firewall solution like APF, Shorewall etc. I would be glad to include other approaches alongside this one.

Comments

From: at: 2011-03-22 19:50:03


There is a small typo in download of the webmin

cd /tmp
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.530_all.deb

should actually be

cd /tmp

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.530_all.deb


From: teddy at: 2011-08-19 18:28:47

Hi, I've followed the perfect debian server with ispconfig3 tutorial, then the SSL post on faqforge, and everything went ok on my virtualized server and on the online one. Once it gets to changing the default port for webmin, activating it on the ispconfig firewall, restarting webmin and apache, no way: the page I get in the browser (url is https://x.x.x.x:1888) is (Chrome in this case, but the timeout is consistent for all browsers):

Error 118 (net::ERR_CONNECTION_TIMED_OUT)

I've checked with a netstat, but the port is listening

tcp        0      0 0.0.0.0:18888           0.0.0.0:*               LISTEN      32521/perl
udp        0      0 0.0.0.0:18888           0.0.0.0:*                           32521/perl

an iptables list gives this response

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  base-address.mcast.net/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (15 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imap2
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http-alt
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:tproxy
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:8000
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:18888
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:webmin
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:mysql
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
...

So, everything seems in order, what could be stopping me from accessing webmin on the alternative port? Please consider that the default port works, and all other services work, since I've followed your instructions letter by letter...

Did I forget anything? Where could I look?

From: at: 2011-12-17 14:30:14

Good tutorial, I just want to thank you for taking the time to write it.

From: Frank at: 2012-05-31 10:56:40

Hi,
is it possible for squirrelmail and roundcube to coexist?

Thanks!

From: Frederik at: 2011-06-01 14:07:54

Hi!

There is a typo in 4. FAIL2BAN.

nano /etc/fail2ban/jail.local -> nano /etc/fail2ban/jail.conf

my regards

From: at: 2011-06-26 17:16:23

This is not a typo.

The jail.local will not be overwritten by a future update.

From: Maurizio Marini at: 2011-08-07 15:30:40


file /var/lib/roundcube/config/main.inc.php line 60 is already:


$rcmail_config['auto_create_user'] = TRUE;


i think that your

auto_create_user = TRUE;

is relative to older versions
...

or should we change:

$rcmail_config['auto_create_user'] = TRUE;

with

auto_create_user = TRUE;

?


From: at: 2011-08-04 15:13:00

Hi,

I found that if I added 0.05 to the sleep command I would end up with errors in the fail2ban.log that I also found here http://oschgan.com/drupal/node/52 and when I changed it to 0.1 it worked perfectly.

Regards,

Steve

From: Anonymous at: 2012-01-13 02:01:27

I'm using BIND + Dovecot and extending with roundcube, and the following line

failregex = FAILED login for .*. from <host>

in /etc/fail2ban/filter.d/roundcube.conf gives me an error:
fail2ban.filter : ERROR  No 'host' group in 'FAILED login for .*. from <host>'
So I think it's only a typo; if I write <HOST> in uppercase, then all seems to be great.
THX

From: michael at: 2012-04-02 09:16:59

Hi, first, thanks for the useful info!

In step 8:

"If you want to install Drupal (or other cms) you will probably need uploadprogress and json. To accomplish their installation, do:

apt-get install php5-dev php-services-json
pecl install uploadprogress
touch /etc/php5/apache2/conf.d/uploadprogress.ini
nano /etc/php5/apache2/conf.d/uploadprogress.ini"

The sites gave 500 errors all around. I ran apt-get remove php5-dev and the sites came up again. Will that have an effect on the other things or is there a work-around for the 500 errors?

From: Benoit Lallemand at: 2011-04-21 15:53:22


I think the parameter -p in command, here after, is wrong !


#!/bin/sh
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
/usr/bin/php -p /root/scripts/mycron.php

From: Web Worlds at: 2011-05-05 08:56:45

I agree, also with me it was not working with the '-p' in the PHP command.

From: lenz at: 2011-06-07 09:49:06

there is a typo

wget http://mysqltuner.com/mysqltuner.pl

From: at: 2012-05-19 20:27:36

I really like this tutorial, so that is why I wish to improve it by posting this error that I have found with the email the cron job mycron.php sends.

I have gone through this tutorial twice, both times starting from the perfect server here.

Both times I keep getting this error email from mycron.php.

HERE IS THE ERROR:

Email Subject:    Cron <root@node1> test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; } (failed)

Email Message:  /usr/lib/tiger/config: line 360: /config: No such file or directory

How can I fix this error? I followed the tutorial to a 'T' so I don't think it was an error on my part.

From: at: 2012-09-05 11:07:11

Did you install tigercron?

(Please use the forums for questions)

From: at: 2011-04-22 15:56:50

unloadfw and loadfw are exactly the same... it is an error, please can be those lines corrected?

Thanks in advance, awesome tutorial ;)

From: Benoit Lallemand at: 2011-04-21 19:01:14

On the top of this page:

mkdir /root/scripts
touch /root/scripts/loadfw
touch /root/scripts/unloadfw
touch /root/scripts/IPs

touch /root/scripts/fwrules  --> fwrules with "s"

touch /root/scripts/reloadfail2ban
cd /root/scripts
nano loadfw

 and in the script, here after, you read "fwrule" without "s"

# Simple iptables IP/subnet unload script
# ---------------------------------------------------------


cd /root/scripts/

IPT=/sbin/iptables
DROPMSG="fwBLOCKED "
BADIPS=$(egrep -v -E "^#|^$" /root/scripts/IPs)

while read fwrule
do
$IPT -D INPUT $fwrule

done < /root/scripts/fwrules

From: Frederik at: 2011-06-01 14:25:40

No they are different.

The one script calls the flag -I to init a rule, the other one -D to delete a rule.

:)

From: Frederik at: 2011-06-01 14:59:17

Hi, I applied this tutorial to my Debian 6 Server.

When I execute /root/scripts/reloadfail2ban my console tells me:

root@lvpsXXXXXXXXX:~/scripts# /root/scripts/reloadfail2ban
Restarting authentication failure monitor: fail2ban.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
[...] some more stuff
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
[...] some more stuff
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.

Is this okay or is this an error?

my regards.

From: at: 2011-06-26 17:32:08

fwrule is the variable.

At the end of the while is the file (/root/scripts/fwrules):

while read fwrule
do
  $IPT -D INPUT $fwrule
done < /root/scripts/fwrules

From: at: 2011-06-26 17:39:53

It's OK.

You probably changed the rules before you unload the previous rules.

So the script tries to unload the new rules, but the old ones are still loaded.

Please first unload everything, after this make your changes and finally reload the rules.

The above includes the IP addresses part.

To be sure that everything is ok:

Do a full restart. Unload the rules, Make the changes. Reload the rules.

Keep in mind that this is not a fully featured firewall. It's just a script with basic rules.

From: at: 2011-12-12 20:44:31

Hey, I get this email from cron:

/usr/lib/tiger/config: line 360: /config: No such file or directory

How can I fix this?

From: at: 2011-12-12 20:51:04

just wanted to add the subject line for the cron email:

 test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; } (failed)

From: at: 2013-03-30 22:29:51

Copy the default config from

/usr/lib/tiger/systems/default/config

or

/usr/lib/tiger/systems/Linux/2/config

to

/usr/lib/tiger/

From: Stefkom at: 2013-08-25 11:11:24

very simple :)

1. sudo ln -s /usr/lib/tiger/systems/Linux/2 /usr/lib/tiger/systems/Linux/3

or

2. sudo cp -a /usr/lib/tiger/systems/Linux/2 /usr/lib/tiger/systems/Linux/3

From: at: 2011-04-14 13:07:54

I followed the client backup tutorial, however I'm getting an error after running it as root.

The backups seem to run fine but I receive the following error and this keeps repeating in the console:

/bin/tar: ./tmp/sess_5jrh2r2d5m8lhtaq7sf04mo3n7: Cannot open: Permission denied


From: at: 2011-05-05 05:17:55

After downloading the file, you must:

chmod +x /usr/share/roundcube/plugins/fail2ban.php
touch /var/log/roundcube/userlogins
chown www-data:www-data /var/log/roundcube/userlogins

I don't know if chmod +x is necessary for fail2ban.php (I was trying to make it work, I am too tired to test it lol xD) but you MUST chown userlogins, otherwise apache2 (or roundcube through apache2) will not be able to write inside the file (access denied).

Regards

PD: Perfect howto xD

From: at: 2011-06-26 18:04:25


You just need the following command:


 chown www-data:www-data /var/log/roundcube/userlogins



I updated the tutorial. Thx


From: webmaster eddie at: 2011-12-17 06:50:16

I tried following your instructions - just to harden the server using iptables and the ddos - and the backup scripts - and I could no longer ftp - I only have a dynamic IP wifi public connection to the net and it was blocking me, disconnecting me from ftping files after 1 second it seems... so I reversed every single thing I did following your instructions, and now cannot ftp with any program at all - I can connect but not a single file is allowed to be transferred - I get a permission denied 553 error. Can you help me? I have checked everything - the ports in the ISPConfig 3 panel are fine, etc.

Also I never got the backup scripts to work at all - so I removed them. I do thank you for the 2 mysql tuning scripts which work and seem to help

From: at: 2012-01-21 01:19:17

In the backup script the mysqldump '--all' option is deprecated and restore from backup won't work! Use '--create-options' instead.

From: Jonas Lateur at: 2012-04-23 14:51:53

When I run /root/scripts/mybackup.sh, I get the following error

       Site: server.ttb-ltd.eu
-------------------------------------------------------------
Backing Up site:  /var/www/clients/client1/web1/ in : /var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz
tar (child): /var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz: Cannot open: Permission denied
tar (child): Error is not recoverable: exiting now
/bin/tar: /var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz: Cannot write: Broken pipe
/bin/tar: Error is not recoverable: exiting now
cp: cannot stat `/var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz': No such file or directory
/bin/chown: cannot access `/var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz': No such file or directory
/bin/chmod: cannot access `/var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz': No such file or directory
-------------------------------------------------------------

From: at: 2013-04-07 14:35:47

Hi,

At first: thnx. for this wonderful tutorial!!!

The only problem I've got at this point is that when I execute the mybackup.sh file I get this error:

ERROR 1054 (42S22) at line 1: Unknown column 'web_database.database_user' in 'field list'

I looked into the database and the database_user field really is missing... Is this a newer version of ispConfig3 I'm using? Can you adapt the script to the newer version?

Thnx. again for your good work.

Best regards, Ingmar