Virtual Multiserver Environment With Dedicated Web & MySQL, Email & DNS Servers On Debian Squeeze With ISPConfig 3 - Page 5

7.2.7 Installing fail2ban

Extend the jail.local file (/etc/fail2ban/jail.local) that Falko suggests in The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Courier [ISPConfig 3]:

nano /etc/fail2ban/jail.local

You have to append or edit the following:

[roundcube]
enabled = true
port = http
filter = roundcube
logpath = /var/log/roundcube/userlogins
maxretry = 5

Last (and very important), don't forget to create the filter file /etc/fail2ban/filter.d/roundcube.conf.

nano /etc/fail2ban/filter.d/roundcube.conf

with the following contents:

[Definition]
failregex = FAILED login for .*. from <HOST>
ignoreregex =

Restart fail2ban:

/etc/init.d/fail2ban restart

You can check that all jails are active with the command below; every active jail shows up as its own fail2ban-<jailname> chain:

iptables -L -n


7.2.8 Installing mod_evasive With fail2ban Support

mod_evasive is an Apache module for handling DDoS attacks. We will install it and configure fail2ban to auto ban/unban reported attacks.

apt-get install libapache2-mod-evasive
mkdir /var/lock/mod-evasive
chown www-data /var/lock/mod-evasive
ln -s /etc/alternatives/mail /bin/mail
nano /etc/apache2/mods-available/mod-evasive.conf

and paste:

<IfModule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount 3
   DOSSiteCount 60
   DOSPageInterval 1
   DOSSiteInterval 2
   DOSBlockingPeriod 15
   DOSEmailNotify [email protected]
   DOSLogDir "/var/lock/mod-evasive"
</IfModule>

Afterwards we activate the module and restart Apache:

a2enmod mod-evasive
/etc/init.d/apache2 restart
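The DOS* directives above are easier to tune if you can see how mod_evasive counts hits. The following Python is an added example, not mod_evasive's own code and not part of the original tutorial: it models the module's per-client bookkeeping (a per-page counter, a per-site counter and a hold list) so a burst of requests can be replayed against the values from the configuration above. Assumptions, also labelled in the code: a fresh counter starts at zero and every hit refreshes its timestamp, which is how the module's access_checker logic is read here; the real module may differ in such details. The client addresses and URIs are constructed.

```python
class EvasiveModel:
    """Simplified model of mod_evasive20's hit counting (added example, not the module's code).

    Assumptions: a newly created counter starts at 0, every hit refreshes the
    counter's timestamp, and a client on hold gets its hold extended on each
    further request. Defaults are the values from the mod-evasive.conf above.
    """

    def __init__(self, page_count=3, site_count=60, page_interval=1,
                 site_interval=2, blocking_period=15):
        self.page_count, self.site_count = page_count, site_count
        self.page_interval, self.site_interval = page_interval, site_interval
        self.blocking_period = blocking_period
        self.counters = {}   # key -> [timestamp of last hit, count]
        self.blocked = {}    # client ip -> time it was (last) put on hold

    def _over_limit(self, key, now, interval, limit):
        """Record one hit on key. True if the earlier hits already reached the
        limit and the previous hit was less than `interval` seconds ago."""
        entry = self.counters.get(key)
        if entry is None:
            self.counters[key] = [now, 0]   # assumption: fresh counter starts at 0
            return False
        last, count = entry
        over = (now - last < interval) and count >= limit
        if not over and now - last >= interval:
            count = 0                        # quiet for a whole interval: start over
        self.counters[key] = [now, count + 1]
        return over

    def request(self, ip, uri, now):
        """True if the request would be served, False if it would get a 403."""
        held = self.blocked.get(ip)
        if held is not None and now - held < self.blocking_period:
            self.blocked[ip] = now           # still on hold, and the hold is extended
            return False
        # Both counters are updated on every request, as in the module.
        denied = self._over_limit(f"{ip}_{uri}", now, self.page_interval, self.page_count)
        denied |= self._over_limit(f"{ip}_SITE", now, self.site_interval, self.site_count)
        if denied:
            self.blocked[ip] = now
        return not denied


def first_denied(model, ip, uris, spacing):
    """Replay requests `spacing` seconds apart; return the 1-based index of the
    first one the model would deny, or None if all are served."""
    for i, uri in enumerate(uris):
        if not model.request(ip, uri, i * spacing):
            return i + 1
    return None


if __name__ == "__main__":
    # Constructed client hammering one page five times a second.
    print("same page, 0.2 s apart:", first_denied(EvasiveModel(), "203.0.113.5", ["/login"] * 10, 0.2))
    # Constructed client spreading requests over many pages.
    print("distinct pages, 0.01 s apart:",
          first_denied(EvasiveModel(), "192.0.2.10", [f"/p{i}" for i in range(100)], 0.01))
```

With the page values, a client that keeps hitting the same URI faster than once per second is denied on its fifth request and then stays on hold for DOSBlockingPeriod seconds regardless of which URI it asks for; spreading the requests over distinct URIs only moves the problem to the DOSSiteCount limit. That is the behaviour the fail2ban filter below turns into a firewall ban.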

mod_evasive will now detect DDoS attacks, but it only blocks them inside Apache. To ban the offending hosts with iptables as well, we have to create the file /etc/fail2ban/filter.d/apache-dosevasive.conf:

# Fail2Ban configuration file
#
# Author: Xela
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the Forbidden log entries in apache error.log
#          maybe (but not only) provided by mod_evasive
#
# Values:  TEXT
#
failregex = ^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:\s

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

and to /etc/fail2ban/jail.local we add:

[apache-dosevasive]

enabled = true
filter  = apache-dosevasive
action = iptables-allports[name=dos]
logpath = /var/log/apache*/*error.log
bantime = 600
maxretry = 10
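To see what the two filters from this section actually catch before relying on them, here is an added Python example (not part of the tutorial and not fail2ban's own code). It expands the <HOST> tag the way fail2ban 0.8 does, runs both failregex patterns over constructed log lines in the formats the filters expect, and reports which hosts would reach maxretry. It also raises the "No 'host' group" error that fail2ban logs when a failregex has lost its <HOST> tag. The log lines, addresses and user names are constructed; the host-group pattern is the one fail2ban substitutes for <HOST>.

```python
import re
from collections import Counter

# fail2ban 0.8 substitutes this named group for the <HOST> tag before compiling a failregex.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex lines from the two filter files written in this section.
FILTERS = {
    "roundcube": r"FAILED login for .*. from <HOST>",
    "apache-dosevasive": r"^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\]"
                         r" client denied by server configuration:\s",
}

# Constructed sample logs (not real captures) in the format each filter expects.
ROUNDCUBE_USERLOGINS = [
    "[28-May-2012 07:20:01 +0200]: Successful login for alice (ID: 1) from 192.0.2.10",
] + [
    f"[28-May-2012 07:2{i}:00 +0200]: FAILED login for admin from 203.0.113.5"
    for i in range(1, 6)
] + [
    "[28-May-2012 07:27:30 +0200]: FAILED login for bob from 198.51.100.7",
    "[28-May-2012 07:28:10 +0200]: FAILED login for bob from 198.51.100.7",
]

APACHE_ERROR_LOG = [
    "[Mon May 28 07:22:55 2012] [notice] Apache/2.2.16 (Debian) configured -- resuming normal operations",
] + [
    f"[Mon May 28 07:30:{s:02d} 2012] [error] [client 198.51.100.7] "
    "client denied by server configuration: /var/www/index.php"
    for s in range(10)
] + [
    "[Mon May 28 07:31:00 2012] [error] [client 203.0.113.5] "
    "client denied by server configuration: /var/www/admin/",
]


def compile_failregex(pattern):
    """Expand <HOST> and compile. A pattern without <HOST> has no 'host' group,
    which is exactly the error fail2ban logs at startup for such a filter."""
    regex = re.compile(pattern.replace("<HOST>", HOST_GROUP))
    if "host" not in regex.groupindex:
        raise ValueError(f"No 'host' group in {pattern!r}")
    return regex


def count_failures(regex, lines):
    """Number of matching lines per host: the raw material for a ban decision."""
    hits = Counter()
    for line in lines:
        match = regex.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(filter_name, lines, maxretry):
    """Hosts whose failure count reaches maxretry (fail2ban bans at >= maxretry).
    The findtime window is ignored here, so this is the worst case."""
    hits = count_failures(compile_failregex(FILTERS[filter_name]), lines)
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    print("roundcube, maxretry=5:", hosts_to_ban("roundcube", ROUNDCUBE_USERLOGINS, 5))
    print("apache-dosevasive, maxretry=10:", hosts_to_ban("apache-dosevasive", APACHE_ERROR_LOG, 10))
```

On the server itself the same check is done against the real log with fail2ban's own tool, e.g. fail2ban-regex /var/log/roundcube/userlogins /etc/fail2ban/filter.d/roundcube.conf, which prints how many lines matched and which hosts were extracted; a filter that matches nothing there will never ban anyone.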


7.3 Extending the Mail Server

7.3.1 Enhanced e-mail SPAM protection

The command below enables stricter spam handling for Postfix on ISPConfig 3 servers.

postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination'

Then restart postfix:

/etc/init.d/postfix restart


7.3.2 Installing Postgrey

Postgrey will eliminate 99% of all spam emails you receive. To install it, run these commands:

apt-get install postgrey
/etc/init.d/postgrey start

The Postfix configuration files are located in /etc/postfix. Edit /etc/postfix/main.cf and add check_policy_service inet:127.0.0.1:60000 to the smtpd_recipient_restrictions.

Then reload postfix's configuration:

postfix reload
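Before pasting a long restriction list into postconf -e, and before adding the Postgrey check_policy_service entry, it helps to check the list mechanically. The following Python is an added example (not from the tutorial, ISPConfig or Postfix): it parses the restriction list given in section 7.3.1 above, removes the two restrictions that are listed twice in it, inserts the Postgrey policy check directly after reject_unauth_destination (the placement the Postfix SMTPD_POLICY_README requires, because a permissive answer from the policy server placed before that check would allow relaying), and flags a list that lacks reject_unauth_destination altogether. The function and variable names are the example's own; the restriction values come from this page, and the parser assumes comma-separated entries as in the command above.

```python
# Restriction list from the postconf -e command in section 7.3.1 (copied from this page).
ISPCONFIG_RESTRICTIONS = (
    "permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, "
    "reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, "
    "reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, "
    "reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,"
    "reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, "
    "check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, "
    "reject_unauth_destination"
)

# The Postgrey policy check from section 7.3.2.
POSTGREY_SERVICE = "check_policy_service inet:127.0.0.1:60000"
RELAY_GUARD = "reject_unauth_destination"


def parse_restrictions(value):
    """Split a comma-separated restriction list into entries. Two-word entries such
    as 'reject_rbl_client cbl.abuseat.org' stay together. Assumption: commas are
    the separators, as in the command above (Postfix also accepts whitespace)."""
    return [item.strip() for item in value.split(",") if item.strip()]


def dedupe(restrictions):
    """Keep the first occurrence of each restriction; a repeated entry never fires
    because the first copy already decided (or passed) that client."""
    seen, out = set(), []
    for item in restrictions:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def add_policy_service(restrictions, service=POSTGREY_SERVICE):
    """Insert the policy check right after reject_unauth_destination so that only
    mail for our own domains is greylisted (SMTPD_POLICY_README). Idempotent."""
    if service in restrictions:
        return list(restrictions)
    if RELAY_GUARD not in restrictions:
        raise ValueError(f"{RELAY_GUARD} missing; refusing to add a policy service to an open relay")
    out = list(restrictions)
    out.insert(out.index(RELAY_GUARD) + 1, service)
    return out


def check(restrictions):
    """Return a list of problems found in the restriction list (empty means fine)."""
    problems = []
    if RELAY_GUARD not in restrictions:
        problems.append(f"{RELAY_GUARD} missing: Postfix 2.x before 2.10 refuses to run smtpd "
                        "without it, and without it the server would be an open relay")
    else:
        guard = restrictions.index(RELAY_GUARD)
        for i, item in enumerate(restrictions):
            if item.startswith("check_policy_service") and i < guard:
                problems.append(f"{item!r} runs before {RELAY_GUARD}: an OK from the policy "
                                "server would permit relaying (open relay)")
    for item in sorted(set(restrictions)):
        if restrictions.count(item) > 1:
            problems.append(f"{item!r} listed more than once (harmless, but the second copy never fires)")
    return problems


def to_postconf(restrictions):
    """The value to hand to: postconf -e '<returned string>'."""
    return "smtpd_recipient_restrictions = " + ", ".join(restrictions)


if __name__ == "__main__":
    current = parse_restrictions(ISPCONFIG_RESTRICTIONS)
    for problem in check(current):
        print("warning:", problem)
    print(to_postconf(add_policy_service(dedupe(current))))
```

On a live server the current value is obtained with postconf -h smtpd_recipient_restrictions and fed to parse_restrictions instead of the constant; the string to_postconf returns is then passed to postconf -e, followed by postfix reload as above.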


7.4 Securing The Servers Using SSL

Last but not least you should follow this tutorial: http://www.howtoforge.com/securing-your-ispconfig-3-installation-with-a-free-class1-ssl-certificate-from-startssl. Don't forget to execute the commands on the right server!


8 Maintaining Our Servers

You should regularly run this to keep your servers up-to-date:

apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade


9 Links/Credits/Sources

Since most is not from me, here are all the links used for this tutorial:

Comments

From: Yaroslav Halchenko

The issue was fixed in 0.8.6 IIRC and is also present in the version in Debian stable, 0.8.4-3+squeeze1: http://packages.debian.org/changelogs/pool/main/f/fail2ban/fail2ban_0.8.4-3+squeeze1/changelog

as of a few days back


Enjoy

From:

It should be said that it's not a good idea to run both nameservers:

  • on the same server
  • in the same datacenter
  • in the same network

Outages will lead to severe issues. A DNS server doesn't use up many resources, so it can be put on a cheap VPS somewhere else.

From: lol

Hi, may I suggest that you correct the failregex:

failregex = ^\[[^\]]*\]\s+\[error\]\s+\[client \] client denied by server configuration:\s

as follows:

failregex = ^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:\s

Because without it, fail2ban reports the error:

2012-05-28 07:22:55,553 fail2ban.filter : ERROR No 'host' group in '^\[[^\]]*\]\s+\[error\]\s+\[client \] client denied by server configuration:\s'

From:

Thanks for the hint, I fixed the typo.

@Yaroslav thx too, removed that part :)

From: Alexandre

First thing: thank you for this guide, it seems I got everything working!!! I want to know if it would be possible for you to add to this guide how to set up the Horde mail. I followed this: http://www.howtoforge.com/install-horde-4-webmail-for-ispconfig-on-debian-squeeze-through-pear But it only works if I do a second Apache install on the mailserver.... or if I join the mailserver and webserver into one... I'm willing to keep the setup of this guide with only one webserver, one mailserver, etc... Thanks in advance.