Virtual Multiserver Environment With Dedicated Web & MySQL, Email & DNS Servers On Debian Squeeze With ISPConfig 3 - Page 5

7.2.7 Installing fail2ban

Extend the jail.local file that falko suggests in The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Courier [ISPConfig 3]: /etc/fail2ban/jail.local

nano /etc/fail2ban/jail.local

You have to append or edit the following:

[roundcube]
enabled = true
port = http
filter = roundcube
logpath = /var/log/roundcube/userlogins
maxretry = 5

Last (and very important): don't forget to create the filter file /etc/fail2ban/filter.d/roundcube.conf.

nano /etc/fail2ban/filter.d/roundcube.conf

with the following contents:

[Definition]
failregex = FAILED login for .*. from <HOST>
ignoreregex =

Restart fail2ban:

/etc/init.d/fail2ban restart

You can check that all jails are active with the command:

iptables -L -n

 

7.2.8 Installing mod_evasive With fail2ban Support

mod_evasive is an Apache module for handling DDoS attacks. We will install it and configure fail2ban to auto ban/unban reported attacks.

apt-get install libapache2-mod-evasive
mkdir /var/lock/mod-evasive
chown www-data /var/lock/mod-evasive
ln -s /etc/alternatives/mail /bin/mail
nano /etc/apache2/mods-available/mod-evasive.conf

and paste:

<IfModule  mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount 3
   DOSSiteCount 60
   DOSPageInterval 1
   DOSSiteInterval 2
   DOSBlockingPeriod 15
   DOSEmailNotify username@example.tld
   DOSLogDir "/var/lock/mod-evasive"
</IfModule>

Afterwards we activate the module and restart Apache:

a2enmod mod-evasive
/etc/init.d/apache2 restart

mod_evasive will now detect DDoS attacks. To ban the offending clients with iptables, we have to create the file /etc/fail2ban/filter.d/apache-dosevasive.conf:

# Fail2Ban configuration file
#
# Author: Xela
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the Forbidden log entries in apache error.log
#          maybe (but not only) provided by mod_evasive
#
# Values:  TEXT
#
failregex = ^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:\s

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

and to /etc/fail2ban/jail.local we add:

[apache-dosevasive]

enabled = true
filter  = apache-dosevasive
action = iptables-allports[name=dos]
logpath = /var/log/apache*/*error.log
bantime = 600
maxretry = 10
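As an added example (not part of the original tutorial and not fail2ban's own code), the Python below runs both failregex values from this page over sample log lines, applies each jail's maxretry, and reproduces the error fail2ban reports when the <HOST> tag is missing. The HOST_GROUP pattern is an assumption that approximates how fail2ban 0.8.x expands <HOST>; the function names and all log lines are constructed for illustration.

```python
import re

# Assumption: fail2ban 0.8.x replaces the <HOST> tag with a named group much
# like this one before compiling a failregex.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two failregex values from this page.
ROUNDCUBE = r"FAILED login for .*. from <HOST>"
DOSEVASIVE = (r"^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] "
              r"client denied by server configuration:\s")

def compile_failregex(failregex):
    """Expand <HOST>, compile, and refuse a regex that cannot yield an address."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    if "host" not in pattern.groupindex:
        raise ValueError("No 'host' group in %r" % failregex)
    return pattern

def banned_hosts(failregex, lines, maxretry):
    """Hosts whose matching lines reach maxretry (findtime is ignored here)."""
    pattern = compile_failregex(failregex)
    hits = {}
    for line in lines:
        match = pattern.search(line)
        if match:
            host = match.group("host")
            hits[host] = hits.get(host, 0) + 1
    return sorted(host for host, count in hits.items() if count >= maxretry)

# Constructed sample lines (documentation addresses), not real logs.
APACHE_LOG = (
    ["[Mon May 28 07:22:55 2012] [error] [client 203.0.113.7] client denied "
     "by server configuration: /var/www/index.php"] * 10
    + ["[Mon May 28 07:23:01 2012] [error] [client 198.51.100.9] client denied "
       "by server configuration: /var/www/index.php"] * 3
    + ["[Mon May 28 07:23:05 2012] [error] [client 198.51.100.9] File does not "
       "exist: /var/www/favicon.ico"]
)
ROUNDCUBE_LOG = (
    ["[28-May-2012 07:30:00 +0200]: FAILED login for bob@example.tld "
     "from 192.0.2.44"] * 5
    + ["[28-May-2012 07:31:00 +0200]: Successful login for bob@example.tld "
       "(ID: 1) from 192.0.2.80"]
)

if __name__ == "__main__":
    print(banned_hosts(DOSEVASIVE, APACHE_LOG, maxretry=10))   # jail: maxretry = 10
    print(banned_hosts(ROUNDCUBE, ROUNDCUBE_LOG, maxretry=5))  # jail: maxretry = 5
```

On the server itself, fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-dosevasive.conf runs the real filter against the real log.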

 

7.3 Extending the Mail Server

7.3.1 Enhanced e-mail SPAM protection

The command below enables a stricter SPAM handling for postfix on ISPConfig 3 servers.

postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination'

Then restart postfix:

/etc/init.d/postfix restart

 

7.3.2 Installing Postgrey

Postgrey will eliminate 99% of all spam emails you receive. To install it, run these commands:

apt-get install postgrey
/etc/init.d/postgrey start

The Postfix configuration files are located in /etc/postfix. Edit /etc/postfix/main.cf and add check_policy_service inet:127.0.0.1:60000 to the smtpd_recipient_restrictions.

Then reload postfix's configuration:

postfix reload
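Postfix evaluates smtpd_recipient_restrictions from left to right, and its policy delegation documentation says to place check_policy_service after reject_unauth_destination. The Python below is an added example, not part of the original tutorial: it takes the value set in 7.3.1, drops the repeated entries and appends the Postgrey check at the end. The function names are hypothetical, and TAKES_ARG only covers the restrictions used on this page.

```python
import re

# Restrictions used on this page that are followed by one argument
# (Postfix has more; this set only covers the list in 7.3.1).
TAKES_ARG = {"reject_rbl_client", "check_recipient_access", "check_policy_service"}

# The value set by the postconf -e command in 7.3.1, copied from this page.
PAGE_VALUE = (
    "permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, "
    "reject_non_fqdn_hostname, reject_unknown_recipient_domain, "
    "reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, "
    "reject_unknown_sender_domain, reject_unknown_recipient_domain, "
    "reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,"
    "reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access "
    "mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination"
)

def parse_restrictions(value):
    """Split on commas/whitespace and pair each restriction with its argument."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items = []
    while tokens:
        name = tokens.pop(0)
        if name in TAKES_ARG:
            if not tokens:
                raise ValueError("%s needs an argument" % name)
            items.append((name, tokens.pop(0)))
        else:
            items.append((name, None))
    return items

def add_policy_service(value, endpoint="inet:127.0.0.1:60000"):
    """Return the value with exact repeats dropped and the policy check last."""
    policy = ("check_policy_service", endpoint)
    items = []
    for item in parse_restrictions(value):
        if item != policy and item not in items:  # keep the first occurrence only
            items.append(item)
    if ("reject_unauth_destination", None) not in items:
        raise ValueError("reject_unauth_destination missing; policy check not added")
    items.append(policy)  # last, so it always follows reject_unauth_destination
    return ", ".join(n if a is None else "%s %s" % (n, a) for n, a in items)

if __name__ == "__main__":
    print("smtpd_recipient_restrictions = " + add_policy_service(PAGE_VALUE))
```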

 

7.4 Securing The Servers Using SSL

Last but not least you should follow this tutorial: http://www.howtoforge.com/securing-your-ispconfig-3-installation-with-a-free-class1-ssl-certificate-from-startssl. Don't forget to execute the commands on the right server!

 

8 Maintaining Our Servers

You should regularly run this to keep your servers up-to-date:

apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade

 

9 Links/Credits/Sources

Since most is not from me, here are all the links used for this tutorial:


Comments

From: Anonymous at: 2012-05-22 03:13:15

thank you very much!

From: trambinux at: 2012-07-23 01:57:27


Hi thanks for your howto, a little error here : /etc/vz/vz.conf :

  IPTABLES=".....iptable__mangle.....

 

must be

 IPTABLES="....iptable_mangle... 

 

From: at: 2012-08-03 21:28:38

Oh, what an ugly typo. Fixed now - thanks :)

From: at: 2013-07-06 18:34:56

You will need to install these two gems to add another server  to the mix in OpenVZ Web Panel, Just an fyi 

gem install net-ssh
gem install net-sftp 

From: at: 2013-07-09 21:09:18

Do you have any reference confirming that (e.g. an OVZ issue ticket)? The installer should handle everything itself and I never had to install additional gems to get things up and running. 
 
Please let me know so I can recheck. Thanks!
 
Edit: found this: https://code.google.com/p/ovz-web-panel/issues/detail?id=282#c5 -> no need to install the gems... if you need to, there is something really wrong.

From: Jorge Quiterio at: 2014-05-22 01:52:51

On the 

http://ovz-web-panel.googlecode.com/svn/installer/ai.sh

Alter from ruby to ruby1.8 for apt-get -y install on line 88

From: jokajinx@gmail.com at: 2014-08-05 12:27:52

************ If you get ************

Setting up g++ (4:4.7.2-1) ...
update-alternatives: using /usr/bin/g++ to provide /usr/bin/c++ (c++) in auto mode
Setting up build-essential (11.5) ...
Setting up libstdc++6-4.7-dev (4.7.2-5) ...
Checking presence of the command: ruby
Fatal error: Panel requires Ruby 1.8 (Ruby 1.9 is not supported).

************ Check version ************

ruby -v
ruby 1.9.3p194 (2012-04-20 revision 35410) [i486-linux]

dpkg -l | grep "ruby1.8"
ii  libruby1.8                           1.8.7.358-7.1+deb7u1          i386         Libraries necessary to run Ruby 1.8
ii  ruby1.8                              1.8.7.358-7.1+deb7u1          i386         Interpreter of object-oriented scripting language Ruby 1.8
ii  ruby1.8-dev                          1.8.7.358-7.1+deb7u1          i386         Header files for compiling extension modules for the Ruby 1.8

************ You Fixed it with ************

update-alternatives --config ruby
There are 2 choices for the alternative ruby (providing /usr/bin/ruby).

  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /usr/bin/ruby1.9.1   51        auto mode
  1            /usr/bin/ruby1.8     50        manual mode
  2            /usr/bin/ruby1.9.1   51        manual mode

Press enter to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/bin/ruby1.8 to provide /usr/bin/ruby (ruby) in manual mode

From: Yaroslav Halchenko at: 2012-05-22 02:56:45

Issue was fixed in 0.8.6 IIRC and present also in version in Debian stable 0.8.4-3+squeeze1: http://packages.debian.org/changelogs/pool/main/f/fail2ban/fail2ban_0.8.4-3+squeeze1/changelog

as of few days back

 

Enjoy

From: at: 2012-05-22 17:26:39

It should be said that it's not a good idea to run both nameservers:

  • on the same server
  • in the same datacenter
  • in the same network

Outages will lead to severe issues. A DNS server doesn't eat up much resources so it can be put on a cheap VPS somewhere else.

From: lol at: 2012-05-28 13:41:23

Hi, May I suggest to you to correct the failregex:

failregex = ^\[[^\]]*\]\s+\[error\]\s+\[client \] client denied by server configuration:\s

As following:

failregex = ^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:\s

Because without it cause error in fail2ban:

2012-05-28 07:22:55,553 fail2ban.filter : ERROR No 'host' group in '^\[[^\]]*\]\s+\[error\]\s+\[client \] client denied by server configuration:\s'

From: at: 2012-06-23 10:20:40

Thanks for the hint, I fixed the typo.

 @Yaroslav thx too, removed that part :)

From: Alexandre at: 2012-07-19 01:49:00

First thing: thank you for this guide, it seems I get everything working!!! I want to know if it would be possible for you to add to this guide how to set up the Horde mail. I followed this: http://www.howtoforge.com/install-horde-4-webmail-for-ispconfig-on-debian-squeeze-through-pear But it only works if I do a second Apache install on the mailserver.... or if I join the mailserver and webserver in one... I'm willing to keep the setup of this guide with only one webserver, one mailserver, etc... Thanks in advance.