Virtual Multiserver Environment With Dedicated Web & MySQL, Email & DNS Servers On Debian Squeeze With ISPConfig 3 - Page 5
7.2.7 Installing fail2ban
Extend the jail.local file that falko suggests in The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Courier [ISPConfig 3]: /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
You have to append or edit the following:
[roundcube]
enabled = true
port = http
filter = roundcube
logpath = /var/log/roundcube/userlogins
maxretry = 5
Last (and very important): don't forget to create the filter file /etc/fail2ban/filter.d/roundcube.conf.
nano /etc/fail2ban/filter.d/roundcube.conf
with the following contents:
[Definition]
failregex = FAILED login for .*. from <HOST>
ignoreregex =
Restart fail2ban:
/etc/init.d/fail2ban restart
You can check that all jails are active with the command:
iptables -L -n
7.2.8 Installing mod_evasive With fail2ban Support
mod_evasive is an Apache module for handling DDoS attacks. We will install it and configure fail2ban to auto ban/unban reported attacks.
apt-get install libapache2-mod-evasive
mkdir /var/lock/mod-evasive
chown www-data /var/lock/mod-evasive
ln -s /etc/alternatives/mail /bin/mail
nano /etc/apache2/mods-available/mod-evasive.conf
and paste:
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 3
    DOSSiteCount 60
    DOSPageInterval 1
    DOSSiteInterval 2
    DOSBlockingPeriod 15
    DOSEmailNotify [email protected]
    DOSLogDir "/var/lock/mod-evasive"
</IfModule>
Afterwards we activate the module and restart Apache:
a2enmod mod-evasive
/etc/init.d/apache2 restart
mod_evasive will now detect DDoS attacks. To ban the attackers with iptables, we have to create the file /etc/fail2ban/filter.d/apache-dosevasive.conf:
# Fail2Ban configuration file
#
# Author: Xela
#
# $Revision: 728 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the Forbidden log entries in apache error.log
#         maybe (but not only) provided by mod_evasive
#
# Values: TEXT
#
failregex = ^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:\s
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
and to /etc/fail2ban/jail.local we add:
[apache-dosevasive]
enabled = true
filter = apache-dosevasive
action = iptables-allports[name=dos]
logpath = /var/log/apache*/*error.log
bantime = 600
maxretry = 10
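To see what the roundcube and apache-dosevasive filters above actually match before relying on them, the following added example (not part of the original tutorial and not fail2ban's own code) applies both failregex values to constructed log lines and lists the hosts that reach maxretry. The <HOST> pattern is a simplified stand-in, the sample lines are constructed, and all lines are assumed to fall inside one findtime window.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (assumption, not fail2ban code).
HOST = r"(?P<host>[\w.\-]+)"

# failregex and maxretry values copied from the filters and jails on this page.
JAILS = {
    "roundcube": (r"FAILED login for .*. from <HOST>", 5),
    "apache-dosevasive": (
        r"^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] "
        r"client denied by server configuration:\s", 10),
}

def failures(jail, lines):
    """Count, per host, the log lines that the jail's failregex matches."""
    regex = re.compile(JAILS[jail][0].replace("<HOST>", HOST))
    hits = Counter()
    for line in lines:
        match = regex.search(line)  # unanchored search over the whole line
        if match:
            hits[match.group("host")] += 1
    return hits

def would_ban(jail, lines):
    """Hosts that reach maxretry (all lines assumed inside one findtime window)."""
    maxretry = JAILS[jail][1]
    return sorted(h for h, n in failures(jail, lines).items() if n >= maxretry)

# Constructed sample lines in the format each failregex expects.
RC = "[12-Mar-2012 10:15:00 +0100]: "
ROUNDCUBE_LOG = (
    [RC + "FAILED login for alice from 203.0.113.5"] * 5
    + [RC + "Successful login for bob (ID: 2) from 198.51.100.7"]
    + [RC + "FAILED login for bob from 198.51.100.7"] * 2
)
AP = "[Mon Mar 12 10:15:01 2012] [error] [client %s] "
APACHE_LOG = (
    [AP % "192.0.2.44" + "client denied by server configuration: /var/www/index.php"] * 10
    + [AP % "192.0.2.44" + "File does not exist: /var/www/favicon.ico"]
    + [AP % "198.51.100.7" + "client denied by server configuration: /var/www/admin"] * 3
)

if __name__ == "__main__":
    for jail, log in (("roundcube", ROUNDCUBE_LOG), ("apache-dosevasive", APACHE_LOG)):
        print(jail, dict(failures(jail, log)), "ban:", would_ban(jail, log))
```

As the filter's own comment says, the Apache pattern counts every "client denied by server configuration" entry, not only those caused by mod_evasive. On the server, fail2ban-regex /var/log/roundcube/userlogins /etc/fail2ban/filter.d/roundcube.conf runs the real filter against the real log.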
7.3 Extending the Mail Server
7.3.1 Enhanced e-mail SPAM protection
The command below enables a stricter SPAM handling for postfix on ISPConfig 3 servers.
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination'
Then restart postfix:
/etc/init.d/postfix restart
7.3.2 Installing Postgrey
Postgrey will eliminate 99% of all spam emails you receive. To install it, run these commands:
apt-get install postgrey
/etc/init.d/postgrey start
The Postfix configuration files are located in /etc/postfix. Edit /etc/postfix/main.cf and add check_policy_service inet:127.0.0.1:60000 to the smtpd_recipient_restrictions.
Then reload postfix's configuration:
postfix reload
7.4 Securing The Servers Using SSL
Last but not least you should follow this tutorial: https://www.howtoforge.com/securing-your-ispconfig-3-installation-with-a-free-class1-ssl-certificate-from-startssl. Don't forget to execute the commands on the right server!
8 Maintaining Our Servers
You should regularly run this to keep your servers up-to-date:
apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade
9 Links/Credits/Sources
Since most of this is not from me, here are all the links used for this tutorial:
- http://www.faqforge.com/linux/enhanced-e-mail-spam-protection-in-ispconfig-3/
- https://www.howtoforge.com/greylisting_postfix_postgrey
- https://www.howtoforge.com/extending-perfect-server-debian-squeeze-ispconfig-3-p4
- http://spielwiese.la-evento.com/xelasblog/archives/56-Apache-DOS-Attacken-erschweren-mit-mod_evasive.html
- http://www.faqforge.com/linux/apache-mod-security-installation-on-debian-6-0-squeeze/
- http://forum.whmcs.com/showpost.php?s=f876c3e3a7d56bd2f325685a80d746cf&p=16768&postcount=4
- https://www.howtoforge.com/extending-perfect-server-debian-squeeze-ispconfig-3-p3
- http://debian.nimmervoll.eu/tag/debian-logwatch-einrichten/
- http://www.debian-administration.org/articles/530
- https://www.howtoforge.com/securing-your-ispconfig-3-installation-with-a-free-class1-ssl-certificate-from-startssl
- https://www.howtoforge.com/multiserver-setup-with-dedicated-web-email-dns-and-mysql-database-servers-on-debian-squeeze-with-ispconfig-3
- http://debian.nimmervoll.eu/archey-debian-installation/
- http://ajenti.org/
- http://code.google.com/p/ovz-web-panel/wiki/Installation
- https://www.howtoforge.com/installing-and-using-openvz-on-debian-squeeze-amd64