#fail2ban — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #fail2ban, aggregated by home.social.
-
🚀 How to Deploy #Phanpy on #AlmaLinux #VPS
This article provides a guide demonstrating how to deploy Phanpy on AlmaLinux VPS.
What is Phanpy?
Phanpy is a modern alternative web frontend for #Mastodon and compatible #Fediverse platforms. It is designed as a minimalistic, ultra-fast, privacy-conscious #social client that lets users browse, post, reply, boost, and manage Mastodon accounts ...
Continued 👉 https://blog.radwebhosting.com/deploy-phanpy-on-almalinux-vps/?utm_source=mastodon&utm_medium=social&utm_campaign=mastodon.social #fail2ban #selfhosting #letsencrypt #firewalld #npm #selfhosted
-
A suspicious scan? A banned country? BAM!
Here is the heavy artillery in action in this short clip. To install it on your server, follow the guide 👉 https://wiki.blablalinux.be/fr/securisation-npm-fail2ban-geoip2
-
Fed up with bots sniffing around your containers?
I brought out the heavy artillery! Nginx Proxy Manager + Fail2Ban + GeoIP2. The result? A single attempt from a banned country and... BAM, banned at the firewall level!
The video demo is over here 👉 https://peertube.blablalinux.be/w/3GvZh3PoGqYeRcDHq58ENz
And for the gourmands who want to copy my carefully crafted config, everything is on the Wiki 👉 https://wiki.blablalinux.be/fr/securisation-npm-fail2ban-geoip2
-
None shall pass! 🛡️
When #Nginx #Proxy Manager and #Fail2Ban team up on my server, it gets serious. Here is the combo that calms everyone down...
Ultra-strict Geo-IP - If you are not in an allowed country, it's a straight 403.
Anti-VPN & brute-forcing - Even if you go through a #VPN to "cheat" on your location, my maxretry setting is watching you. Too many attempts? It's an immediate ban at the firewall level!
-
:nextcloud: #Nextcloud installation guide for Ubuntu 26 :nextcloud:
The Nextcloud installation guide has been published for Ubuntu 26.04 LTS after initial successful tests:
- #Ubuntu2604
- #Nextcloud latest (or 32.x)
- #nginx
- #PHP 8.5
- #MariaDB 11.8
- #Redis - Server
- #fail2ban
- #crowdsec
- #ufw
- #hpb
👉 https://www.c-rieger.de/nextcloud-installationsanleitung-fuer-ubuntu-26-04-lts/
We look forward to your feedback.
Have fun!
-
Today's problem: #Debian on a LAN address, had been using it for a few weeks with Zoneminder and slskd running, attempted to install Nextcloud, so added Apache2 and php-fpm, the only mucking about I did, only today it triggers Fail2Ban on my proxy/dns server. On reboot, gets banned even before login is offered! clear the ban, it's back again within a minute.
nstreams shows six of these in a row, all to different 5-digit ports:
Unknown tcp traffic between 0.0.0.0:0 and 192.168.0.13:54320
whatever it is, however I triggered it, it is offensive to #fail2ban and #ufw.
to be fair, I was trying something funky with Nextcloud accessed directly within the lan, proxied by the dnsmasq server for outside, not as simple as I'd expected, but with all that turned off and no login, it still happens.
oh, wait: the proxy host has vhost forwarding config, which yes, was broken, and when I dissite'd that, I have not been banned since! I wonder if I will ever know why 😅
-
:nextcloud: #Nextcloud installation script / Ubuntu 26 :nextcloud:
The Nextcloud installation script has been published for Ubuntu 26.04 LTS after initial successful tests:
- #Ubuntu2604
- #Nextcloud latest (or 32.x)
- #nginx
- #PHP 8.5
- #MariaDB 11.8
- #Redis - Server
- #fail2ban
- #crowdsec
👉 https://www.c-rieger.de/nextcloud-installationsskript/#v_ubuntu26
We currently do *not* yet recommend Ubuntu 26 for production use for Nextcloud systems - please keep using Ubuntu 24 for now.
We look forward to your feedback.
Have fun!
-
How to Deploy Cosmos Cloud on #Ubuntu #VPS
This article provides a guide to deploy Cosmos Cloud on Ubuntu VPS.
What is Cosmos Cloud?
Cosmos Cloud is a self-hosted platform-as-a-service (PaaS) that lets you deploy, manage, and monitor applications (especially Docker-based apps) through a clean web UI. Think of it as a lightweight alternative to tools like Portainer or ...
Continued 👉 https://blog.radwebhosting.com/how-to-deploy-cosmos-cloud-on-ubuntu-vps/?utm_source=mastodon&utm_medium=social&utm_campaign=mastodon.social #selfhosting #ufw #nginx #selfhosted #docker #reverseproxy #cosmoscloud #fail2ban
-
@threatchain general purpose siem, malcolm ids, debian server, opnsense - good combo imo, good licensing. I may just refactor and use 500gb drives so cost will not be the limiting factor, you can use debian blends too but even some of these specialized apps won't have included forensics-full and this has a ton of super useful sw, when you have the persistence partition going corner case use cases can be covered better than say something like a bootable iso #rational clear case #mw #smw #yacy #jenkins #ntop-ng #misp #cms #lamp server #sbom #addons #app armor #selinux #ufw #fail2ban #hardened debian #pentoo
-
I recently changed the mechanism by which the firewall blocks malicious IPs, which were kind of giving me cramps every day. Now, every 1h, the system loads a list of IPs blocked by fail2ban that is published by the main server. The change required me to remove the previous cumulative blocks, which were about 1500 - 1800 IPs, and let fail2ban now add them to the list on its own (independent of the ones pfSense already blocks and downloads from known blocklists, which are about as many again). We are 2 days into this system and on average the server is blocking about 100 IPs per day, linearly, until it stabilizes, I reckon, when we reach around 1000 IPs, because I suppose that some of the 1500 that were blocked before were no longer malicious. All the IPs that fail2ban blocked used to be blocked by the server that is exposed; now they are also blocked for the whole Undernet network. We'll see how it goes...
Edit: I added blocking of all the AI bots/scrapers Googlebot, SummalyBot, GPTBot, Amazonbot, ClaudeBot and things increased dramatically...
We keep broadcasting from the bunker...
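One way the firewall side could vet such an hourly published list before loading it, as an added example that is not the poster's own setup. The one-entry-per-line format, the protected networks, the prefix limits and the size cap are all assumptions made for the illustration.

```python
"""Added example: vetting a published ban list before a firewall loads it."""
import ipaddress

# Assumed protected ranges: loopback, RFC 1918 LANs, and a constructed admin host.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "198.51.100.10/32")]
MIN_PREFIX = {4: 24, 6: 48}   # assumed: refuse entries broader than this
MAX_ENTRIES = 5000            # assumed: a sudden huge list is treated as a fault

# Constructed sample of what the main server might publish.
PUBLISHED = """\
# constructed sample of a published fail2ban ban list
203.0.113.7
203.0.113.7
203.0.113.64/26
192.168.0.13
198.51.100.10
0.0.0.0/0
2001:db8::15
not-an-ip
"""


def vet_blocklist(text, never_block=NEVER_BLOCK, max_entries=MAX_ENTRIES):
    """Return (accepted, rejected); raise ValueError if the list is oversized."""
    accepted, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, entry, "not an IP address or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((lineno, entry, "network too broad"))
            continue
        hit = next((p for p in never_block if net.overlaps(p)), None)
        if hit is not None:
            rejected.append((lineno, entry, f"overlaps protected {hit}"))
            continue
        accepted.add(net)                          # the set removes duplicates
    if len(accepted) > max_entries:
        raise ValueError("list exceeds max_entries; keeping the previous table")
    ordered = sorted(
        accepted, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in ordered], rejected


def plan_update(current, new):
    """Entries to add to and remove from the firewall table for this refresh."""
    current, new = set(current), set(new)
    return sorted(new - current), sorted(current - new)


if __name__ == "__main__":
    ok, bad = vet_blocklist(PUBLISHED)
    print("load:", ok)
    for lineno, entry, reason in bad:
        print(f"skip line {lineno}: {entry} ({reason})")
    print("diff:", plan_update({"203.0.113.7/32", "203.0.113.200/32"}, ok))
```

Rejecting protected and over-broad entries on the consuming side means a bad entry in the published list cannot cut off the LAN or the admin host.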
-
Backing up things is pretty standard / low stakes.
But I just noticed that virtually ALL the apps on my #YunoHost system have available updates, which means... the hair-raising, palpitations-inducing, let's say a little prayer practice of creating a snapshot of my VPS (easy peasy) and clicking on "Upgrade" by order of importance.
#Fail2Ban and #LinkStack were pretty low stakes - done, no sweat. Plus I love how YunoHost creates backups before upgrading, so you can always revert back if something goes wrong.
Anyway, Pixelfed now and then my sacred triad of GoToSocial, NextCloud and PeerTube.
Wish me luck! 🥵
EDIT: newbie me is more advanced than even I would think so... I'm checking out GitHub's YunoHost page for each app I want to upgrade. Apparently the Pixelfed package has issues so I'm not touching that 😅
Reference: https://github.com/YunoHost-Apps/pixelfed_ynh/issues
Now checking out the other apps...
#MySoCalledSudoLife #SelfHosting
-
Good morning Fedi friends!
Monday mornings mean: my weekly ritual of manually backing up my #YunoHost installation (my VPS does automatic daily backups of the whole VPS, but I say: better safe than sorry).
This latest backup is pretty big, because of my increased use of #NextCloud. So in reverse order, from biggest to smallest we have:
1) #GoToSocial : 5.8 GB
2) #PeerTube : 4.3 GB
3) #NextCloud: 3.7 GB
4) #Pixelfed : 1.6 GB
5) #LinkStack : 92 MB
6) #Fail2Ban : 362kb
Happy #selfhosting everyone! And in case you missed it, my self-hosting guide for newbies via YunoHost is available here: https://blog.elenarossini.com/a-newbies-guide-to-self-hosting-with-yunohost/ (with 4 articles so far).
Have a great week everyone!
#MySoCalledSudoLife
-
Editing! Good things are coming to #JuncoTIC!
New content in:
☑️ The YouTube channel [*]
☑️ The SSH course
☑️ The (future) GNU/Linux Hardening course (cybersecurity roadmap)
[*] https://www.youtube.com/juncotic?sub_confirmation=1
#gnu #linux #fail2ban #hardening #infosec #ciberseguridad #cybersecurity
-
New content is coming to the SSH courses, to the GNU/Linux Hardening course (coming soon) and to the #JuncoTIC YouTube channel! 🎉
At the request of followers and students: fail2ban.
A step-by-step guide to the fundamental configurations for blocking brute-force attacks on our SSH server.
I invite you to subscribe to the channel to find out when the video comes out! 👇
https://www.youtube.com/juncotic?sub_confirmation=1
#gnu #linux #fail2ban #ciberseguridad #hacking #ssh #hardening #infosec #seguridadinformatica #juncotic
-
[Translation] Goodbye, Fail2Ban: strengthening the protection of Netbird and Caddy with CrowdSec
Fail2Ban was long a "set it and forget it" tool, but nowadays it more and more often works like an alarm that goes off only after the door has already been rattled dozens of times, and every tug stays in the logs. We moved the Netbird management server from Fail2Ban to CrowdSec and put this together as a practical walkthrough: how to read Caddy's JSON logs without wrestling with regular expressions, how to hang blocks on nftables, and why community threat intel lets you cut off some scanners even before they manage to "probe" anything. Along the way we look at configs, commands and observations on what exactly changes in noise, bans and load.
https://habr.com/ru/companies/otus/articles/995272/
#CrowdSec #Fail2Ban #защита_сервера #блокировка_IP #сканирование_HTTP #nftables #Caddy #DevSecOps
-
Found some time to improve the convenience and "security" of my servers
1. Termius access
Termius generates three keys, assigned to the three servers
export to ~/.ssh/authorized_keys
Check that the authorized_keys content is correct
Test key & passwordless login
2. Configure ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow http
sudo ufw allow https
sudo ufw allow SPECIAL_PORT/tcp
sudo ufw enable
sudo ufw status verbose
3. Configure fail2ban
sudo nano /etc/fail2ban/jail.local
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
banaction = ufw
ignoreip = 127.0.0.1/8 ::1 X Y Z
[sshd]
enabled = true
port = SPECIAL_PORT
backend = systemd
sudo apt update && sudo apt install python3-systemd -y
sudo systemctl enable --now fail2ban
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd
3. Configure sshd_config
sudo nano /etc/ssh/sshd_config
Port SPECIAL_PORT
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
sudo sshd -t
sudo systemctl restart ssh
4. Change hostname
sudo hostnamectl set-hostname xxx
sudo nano /etc/hosts
Change the hostname after 127.0.1.1 to xxx
hostnamectl status
5. Configure mutual access
ssh-keygen -t ed25519 -C "from_$(hostname)" -N "" -f ~/.ssh/id_ed25519
cat ~/.ssh/id_ed25519.pub
nano ~/.ssh/authorized_keys
Three lines in total: the Termius pub, and the pubs of the other two servers
6. Configure aliases
nano ~/.bashrc
alias nc='ssh -p SPECIAL_PORT jay@ipX'
alias cc='ssh -p SPECIAL_PORT jay@ipY'
alias hd='ssh -p SPECIAL_PORT jay@ipZ'
source ~/.bashrc
nc (netcup)
cc (clawcloud)
hd (hostdzire)
or
nano ~/.ssh/config
Host nc
HostName X
Port SPECIAL_PORT
User jay
Host cc
HostName Y
Port SPECIAL_PORT
User jay
Host hd
HostName Z
Port SPECIAL_PORT
User jay
ssh nc
ssh cc
ssh hd
You can also add “ProxyJump cc” to hop to cc first before connecting to xxx
#ssh #sshd #pub #alias #ProxyJump #authorized_keys #termius #ufw #fail2ban
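How the maxretry / findtime / bantime / ignoreip values from the jail.local above interact, modelled over constructed log lines. This is an added example, not part of the post: the log format and the regex are simplifications (not fail2ban's own sshd filter), and 198.51.100.10 stands in for the post's X Y Z placeholders.

```python
"""Added example: a model of the [sshd] jail settings shown in the post."""
import ipaddress
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Values copied from the post's jail.local.
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(hours=1)
# 198.51.100.10 is a constructed stand-in for the post's "X Y Z" placeholders.
IGNOREIP = [ipaddress.ip_network(n, strict=False)
            for n in ("127.0.0.1/8", "::1", "198.51.100.10")]

# Simplified pattern for this example only; it is not fail2ban's sshd filter.
FAILURE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Invalid user \S+ from (\S+) port \d+")

BASE = datetime(2024, 5, 1, 10, 0, 0)


def sample_lines(ip, offsets_s):
    """Constructed log lines for one source address."""
    return [f"{(BASE + timedelta(seconds=s)).isoformat()} host sshd[811]: "
            f"Invalid user admin from {ip} port 40022" for s in offsets_s]


# Constructed input: a fast burst, a slow drip, and an allowlisted host.
SAMPLE = sorted(
    sample_lines("203.0.113.7", [0, 30, 60, 90, 120])
    + sample_lines("203.0.113.50", [10, 190, 370, 550, 730])
    + sample_lines("198.51.100.10", [5, 6, 7, 8, 9, 10])
    + ["2024-05-01T10:00:01 host sshd[811]: "
       "Accepted publickey for jay from 192.0.2.4 port 50000 ssh2"])


def simulate(lines):
    """Return (bans, never_banned) for log lines in chronological order."""
    recent = defaultdict(deque)   # ip -> failure times still inside findtime
    banned_until = {}             # ip -> time the ban expires
    seen = Counter()              # ip -> total failures counted
    bans = []
    for line in lines:
        m = FAILURE.match(line)
        if not m:
            continue              # successful logins and other lines
        ts = datetime.fromisoformat(m.group(1))
        ip = ipaddress.ip_address(m.group(2))
        if any(ip in net for net in IGNOREIP):
            continue              # ignoreip: never counted, never banned
        if ts < banned_until.get(ip, ts):
            continue              # still inside an active ban
        seen[str(ip)] += 1
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()      # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((str(ip), ts, ts + BANTIME))
            window.clear()
    banned = {ip for ip, _, _ in bans}
    never_banned = {ip: n for ip, n in seen.items() if ip not in banned}
    return bans, never_banned


if __name__ == "__main__":
    bans, quiet = simulate(SAMPLE)
    for ip, start, end in bans:
        print(f"ban {ip} from {start} until {end}")
    print("failures that never reached maxretry within findtime:", quiet)
```

The `never_banned` counts are the sources worth reviewing when tuning findtime and maxretry: they produced failures but never five inside one ten-minute window.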
-
Right, with the last bits of remaining work I have just finished my large-scale #IT #Server #Infrastructure migration project:
At #Netcup's #BlackWeekDeals I snagged, at a good price, a more powerful #Webhosting package for the #Domains, #Mailboxes and #Joomla #Websites with 4.5x as much #StorageSpace as before, as well as a #Rootserver with dedicated resources and likewise 3.5 times more storage space than the previous #VPS ✅
All domains migrated ✅
All mail accounts migrated ✅
All mail aliases recreated ✅
Mail accounts set up in #Thunderbird and #Fairmail ✅
All websites migrated and backup set up again ✅
Root server installed with #LUKS-encrypted #Ubuntu ✅
#UFW, #Fail2Ban, #Apache2, #PHP, #MariaDB, #Redis, #Postfix, #LetsEncrypt (#Certbot) and #DockerCompose installed ✅
All configs transferred from the VPS to the root server ✅
#Nextcloud migrated from the VPS to the root server ✅
All #Docker configs and data directories for this #Sharkey #Fediverse #Instance, #Peertube, #Collabora, #Matrix and test environments migrated from the VPS to the root server ✅
Backup set up again ✅
-
Knock, Knock: How to Shield Your VPS From Port Scanning with Port Knocking https://lowendbox.com/blog/knock-knock-how-to-shield-your-vps-from-port-scanning-with-port-knocking/ #Tutorials #fail2ban #Security #knockd #knock #ssh
-
🔐 Password Hygiene: Rotating the Wardrobe of Digital Defense #PasswordHygiene #PasswordRotation #SmallBusinessSecurity #Cybersecurity #OpenSource #FreeTools #PasswordManager #KeePassXC #Bitwarden #Passbolt #TwoFactorAuthentication #2FA #Fail2ban #Yubikey #TOTP #OpenSourceSoftware #PasswordStrength #BusinessSecurity #DigitalDefense #SecurityPractices #PasswordPolicy #PasswordManagement #CybersecurityTips #SecurePasswords #BusinessCybersecurity #ITSecurity #OnlineSecurity
-
Server Hardening: Ubuntu 22.04
How to secure an ubuntu server
https://blindlystupid.com/server-hardening-ubuntu-22-04/
#CyberSecurity #ITWorld #Server #2204 #cybersecurity #drop #fail2ban #IpSecurity #Linux #null #security #ssh #syn
-
Using a Raspberry Pi 2 Model B as a router/firewall for the home LAN
Since 1999 I have been using a 1996 vintage DEC PII desktop as the router/firewall between the internet and my home network. The DEC computer came to me with Win95 (or possibly Win98) in 1998, got SuSE linux and started its mission as router and firewall (and CUPS server, and IMAP server, and various other server stuff). When upgrading the SuSE installation to a newer version went south, it spent a while running ThomasEz’s floppyfw, until I used a floppy net install to install debian potato, immediately switched it to debian testing, until debian woody arrived, when it was moved to debian stable, and then I just kept running “apt-get dist-upgrade” until I finally had it running debian 8 “jessie” on june 6 in 2015.
The old DEC desktop has survived its maker company, survived lightning strikes that have sent the power supplies and/or main boards of other computers on the same LAN into continuously beeping mode (i.e. broken). However, in December 2015 it started acting up, and crashing with irregular intervals (sometimes two weeks, sometimes one day).
So… the time for a replacement would have to be not too far ahead. The question was what to replace it with?
The simplest solution would be to just get a wireless router with a cabled switch. But that would mean:
- No possibilities for SSH or mosh into the home LAN
- No ntop
- No support for netboot and TFTP in the home LAN
- Limited, cumbersome and inflexible firewall setup
My requirements were:
- Cheap
- Two wired NICs
- The ability to run debian
- Preferably fanless
- Compact
ThomasEz immediately suggested using a raspberry pi with two NICs, but I thought that would be too puny, and I investigated alternatives like Shuttle Barebone DS57U but I found that the raspberry pi alternative was so cheap, I might as well order one.
And then it turned out to be so simple to set up so I had it up and running before I really had decided on anything, so now the r-pi is what I have.
This is what I ordered:
- Raspberry Pi 2 Model B Starter Kit
- TP-Link UE300 USB 3.0 to GbE Adapter (it was listed as being supported out of the box on raspberry pi)
Here’s what I did:
- Downloaded the Raspbian Jessie Lite image to a debian jessie computer and unpacked it into the /tmp directory
- Plugged a USB SD card reader into the debian computer, and followed the instructions in Installing operating system images on Linux
- I plugged the cheapest USB keyboard I could get from my local teknikmagasinet store into one of the USB ports, yanked the HDMI cable from the DVD player and plugged the r-pi into the TV, plugged a network cable into the local LAN, and plugged in the power… and the raspberry pi booted quickly into the familiar debian login
- I logged in with the built-in “pi” user with password “raspberry”, and created my own user with the following command line command:
  adduser sb
  then changed the password of the root user and removed the pi user
- I copied in public ssh keys from my other computers, and put them into the ~/.ssh/authorized_keys file and then opened /etc/ssh/sshd_config in a text editor and modified it in the following way:
  - Disabled root login by changing
    PermitRootLogin without-password
    to
    PermitRootLogin no
  - Disabled password login by changing
    #PasswordAuthentication yes
    to
    PasswordAuthentication no
    (removed the comment and changed “yes” to “no”)
- Edited /etc/hostname to change the name from the default “raspberrypi” to “ocon”
- Rebooted the pi to check the startup state of the ssh daemon and ssh’d in
- Resized the disk to fill the entire SD card:
  - Typed the command
    raspi-config
  - Selected
    1 Expand Filesystem Ensures that all of the SD card storage is available to the OS
    and got the response
    Root partition has been resized.
    The filesystem will be enlarged upon the next reboot
  - Rebooted the system to get the full 16GB in the file system
- Updated the system by giving the following command line commands:
  apt-get update
  apt-get dist-upgrade
  (the “update” command updates the local package database against the package servers. The “dist-upgrade” command upgrades all packages that have a newer version, and the required dependencies)
- Installed some useful software:
  - GNU emacs (my favorite text editor)
    apt-get install emacs
  - mosh
    apt-get install mosh
  - git (I’ve got my home directory versioned in git)
    apt-get install git
  - rcs (I use it to version control operating system configuration files)
    apt-get install rcs
- I cloned my home directory in git and created a new branch (I have a different branch for each computer)
- I set the built-in NIC permanently as eth0:
  export INTERFACE=eth0
  export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`
  /lib/udev/write_net_rules
- I added configuration for a second NIC by adding the following to /etc/network/interfaces:
  # The internal network card
  allow-hotplug eth1
  iface eth1 inet static
      address 10.10.10.1
      netmask 255.255.255.0
- I plugged in the USB NIC to have it appear, and then made the USB NIC permanently eth1 with the following command line commands:
  export INTERFACE=eth1
  export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`
  /lib/udev/write_net_rules
- Installed dnsmasq
  apt-get install dnsmasq
- Edited /etc/dnsmasq.conf to make dnsmasq respond to DHCP requests on eth1:
  - Removed the comment in front of
    #interface=
    and set “eth1” as the value:
    interface=eth1
  - Uncommented the domain directive
    #domain=thekelleys.org.uk
    and changed it to my domain
    domain=hjemme.lan
  - Uncommented the dhcp-range directive
    #dhcp-range=192.168.0.50,192.168.0.150,12h
    and changed it to a 10.10.10.* range with a 5h lease on the addresses
    # Our HOME LAN 5h lease time
    dhcp-range=10.10.10.6,10.10.10.40,5h
- Opened the /etc/hosts file in a text editor and added the raspberry pi itself, so that DNS lookups of the raspberry pi will work in a LAN where the raspberry pi is handling the DHCP requests (dnsmasq will handle DNS requests for the IP addresses it has given DHCP leases to, as well as what it finds in the hosts file. The rest is delegated to the upstream DNS server)
  127.0.0.1 localhost
  ::1 localhost ip6-localhost ip6-loopback
  ff02::1 ip6-allnodes
  ff02::2 ip6-allrouters
  127.0.1.1 ocon
  # local hosts
  10.10.10.1 hjemme ocon hjemme.hjemme.lan ocon.hjemme.lan
- Edited the /etc/sysctl.conf file to set up IPv4 routing in the linux kernel, removed the comment in front of the net.ipv4.ip_forward line:
  # Uncomment the next line to enable packet forwarding for IPv4
  net.ipv4.ip_forward=1
- ferm is a utility that makes it easy to set the routing and firewall rules at boot time
  - Installed ferm using apt-get from a command line:
    apt-get install ferm
  - Modified the /etc/ferm/ferm.conf file to allow everything inside to route out, but only allow ssh in
    @def $DEV_WORLD = eth0;
    @def $DEV_PRIVATE = eth1;
    @def $NET_PRIVATE = 10.10.10.0/24;

    table filter {
        chain INPUT {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # allow local packet
            interface lo ACCEPT;

            # allow private net
            interface $DEV_PRIVATE ACCEPT;

            # respond to ping
            proto icmp ACCEPT;

            # allow IPsec
            proto udp dport 500 ACCEPT;
            proto (esp ah) ACCEPT;

            # allow SSH connections
            proto tcp dport ssh ACCEPT;
        }
        chain OUTPUT {
            policy ACCEPT;

            # connection tracking
            #mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
        chain FORWARD {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # connections from the internal net to the internet or
            # to other internal nets are allowed
            interface $DEV_PRIVATE ACCEPT;

            # the rest is dropped by the above policy
        }
    }

    table nat {
        chain POSTROUTING {
            # masquerade private IP addresses
            saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
        }
    }
  - The version of ferm in “jessie” doesn’t start at boot, because “jessie” dropped SYSV init in favour of systemd, and the version of ferm in “jessie” doesn’t have a systemd configuration, so I needed to manually download and install the version of ferm from debian testing (I downloaded from regular debian, since ferm doesn’t have anything platform specific):
    cd /tmp
    wget http://ftp.no.debian.org/debian/pool/main/f/ferm/ferm_2.2-5_all.deb
    dpkg --install /tmp/ferm_2.2-5_all.deb
- fail2ban monitors log files of daemons and adjusts the firewall rules to temporarily ban hosts it suspects of intrusion attempts. The debian (and raspbian) version of fail2ban will out of the box scan the logs for ssh intrusion attempts, so no configuration is necessary
- To have an easy way of monitoring the network traffic in and out of the home LAN, I installed ntop ng
apt-get install ntopng
after the installation it is possible to monitor the network traffic by accessing http://ocon.hjemme.lan:3000 (the interesting traffic will be seen after selecting eth1)
- The Network Time Protocol is how computers stay in sync, installing the ntp package will make the gateway keep network time, a
apt-get install ntp
- Opened the /etc/ntp.conf file in a text editor, and modified it to provide an NTP daemon for the home LAN, uncommented the “broadcast” line and modified the network match to match the 10.10.10.* network:
  # If you want to provide time to your local subnet, change the next line.
  # (Again, the address is an example only.)
  broadcast 10.10.10.255
- Installed the apticron utility to make sure that the APT database is updated daily with new candidates for update
apt-get install apticron
The original plan was to run the raspberry pi headless, but since I had an old VGA only LCD display for the old DEC computer I might as well hook it up the raspberry pi, together with the cheap USB keyboard used for setup.
I bought an HDMI to VGA converter with the manufacturer id VLMP34900W0.20. I plugged it in between the display and the raspberry-pi, but the display stayed black. I edited the /boot/config.txt file, removing the comment in front of the hdmi_safe line:
# uncomment if you get no picture on HDMI for a default "safe" mode
hdmi_safe=1
I rebooted the raspberry pi, and this time the LCD display showed the boot messages as well as a normal console login prompt.
[Image: The raspberry pi 2 model B, with an extra USB NIC, a USB keyboard and connected to a VGA display using an HDMI to VGA converter]
And this is where the current state is. One initial concern was flash wear on the SD card, which doesn’t have the wear leveling features of a “real” SSD, so I had some plans on making the /var/log use tmpfs.
But I decided not to, since having real persistent logs is a useful thing for a gateway, and since 16GB is actually an awful lot of data if all you do is to write textual files. And if the SD card wears out I’ll just buy a new SD card, and make a new system. Since I now know how, this shouldn’t take long
#debian #dnsmasq #fail2ban #ferm #firewall #ipMasquerading #jessie #mosh #ntop #raspbian #raspbian8 #raspbianJessie #router #ssh