Booservers - All about dedicated servers

Using fail2ban to ban abusive IP's for SSH and Apache

Thu, 15 Dec 2005 21:24:21 +0000

How to automatically ban abusive ip's using fail2ban

Originally from Ensim 4.0; similar steps had to be taken after the upgrade to 4.0.2; I would assume the same follows until python 2.3 is included [it may already be; corrections welcome].

Fail2Ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.

http://fail2ban.sourceforge.net/

RPM version can be obtained from here;

http://fail2ban.sourceforge.net/rpm...1jik.noarch.rpm

For those of you / us who do not have python2.3; it is required.
You can snag an rpm for your system here:

http://www.python.org/2.3.5/rpms.html
I used the following version for Red Hat EL3.

python2.3-2.3.5-4pydotorg.i386.rpm

Python will require db4. The following url has satisfactory versions for different systems.

http://rpm.pbone.net/index.php3?sta...h=db4&srodzaj=3
I used the following version for Red Hat EL3.

db4-4.2.52-6.i386.rpm

# The following would then be performed as root

1) cd /root; mkdir fail2ban

2) do you have python 2.3?
'which python' or if you have tab completion enabled type in 'pyth' and hit tab two or three times, it should pop up as 'python2.3'.

3) wget http://fail2ban.sourceforge.net/rpm...1jik.noarch.rpm

4) rpm -i fail2ban-0.6.0-ljik.noarch.rpm

5) nano -w /etc/fail2ban.conf

6) change the following items

----------------------------

[DEFAULT]
# Option: background
# Notes.: start fail2ban as a daemon. Output is redirect to logfile.
# Values: [true | false] Default: false
#
background = true

----------------------------

change :: background = true
# This is so we can start it as a service when the machine comes up

6a) You can also have email sent to you by changing

----------------------------

[MAIL]
# Option: enabled
# Notes.: enable mail notification when banning an IP address.
# Values: [true | false] Default: false
#
enabled = true

----------------------------

change :: enabled = true
And then inputting an email address below. Most of the configuration is dead simple for a machine you haven't change the logging facilities on.

You may also wish to add this to the end of the failregex.

|Did not receive identification

----------------------------

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
failregex = Authentication failure|Failed password|Invalid user|Did not receive identification

----------------------------

7) Start the service

----------------------------

# service fail2ban start

----------------------------

8) Make sure it comes up with the system

----------------------------

# chkconfig --level 2345 fail2ban on

----------------------------

9) Test it from a spare ip (if you have one, if not the ban is lifted after the time set in the conf file [600 seconds standard]).

9a) Use screen to 'tail -f /var/log/fail2ban.log'
9b) Use bad logins from an untrusted ip to test for actual banning, email output.
9c) If this fails, use the debug option in /etc/fail2ban.conf

10) Enjoy not one, but two less headaches as apache / ssh scanners, spammers and crackers are locked out of your box. With out too much work you could append a script that would either dump the logs and make repeat offenders banned permenantly, or roll some other solution for your own needs up. Enjoy, and please post any corrections.

Install/Upgrade Apache 2.0

Thu, 15 Dec 2005 20:58:01 +0000

FRESH INSTALL

This part of the how-to is for a clean install only, for upgrades please scroll down.

Make a copy of your current httpd.conf incase you need to roll-back

cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf_back

Download The Apache Tar.Gz File
wget http://www.tux.org/pub/net/apache/d...d-2.0.47.tar.gz

Extract The File To Your Server
tar -xz -f httpd*

Move Into The Extracted Folder
cd httpd*

Run The Configuration File, (The bits following ./configure were custom wrote by me, you may customise these how you wish)
./configure --prefix=/usr/local/apache --with-php --with-mysql --with-susexec --enable-mods-shared=all --disable-info

Run The Make File
make

Run The Install Make File
make install

-----------------------------------
Apache 2.0 is now installed on your system. The four lines below are certain security measures that can be taken to hide the identity of apache. *These are optional*

Edit The http.conf File
pico -w /usr/local/apache/conf/httpd.conf

Disable Apache Signatures (Security)
Locate ServerSignature and change to off

Add the line below, after ServerSignature off
ServerTokens ProductOnly

Save httpd.conf
CTRL + X then "Y" then "enter" without the "'s

-----------------------------------

Start Your New Apache
/usr/local/apache/bin/apachectl start

Your sites should now be working.

Please scroll down to the bottom of the page, after performing the commands above

------------------------------------------------------------------------------------

UPGRADE

Make a copy of your current httpd.conf incase you need to roll-back
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf_back

Download The Apache Tar.Gz File
wget http://www.tux.org/pub/net/apache/d...d-2.0.47.tar.gz

Extract The File To Your Server
tar -xz -f httpd*

Move Into The Extracted Folder
cd httpd*

Run The Configuration File
./config.nice

Run The Make File
make

Run The Install Make File
make install

Start Apache
/usr/local/apache/bin/apachectl restart

------------------------------------------------------------------------------------

All done, you should now have a successfully upgraded/installed apache configuration.

Credits: http://www.serveguard.com

Forward domain.com to www.domain.com

Thu, 15 Dec 2005 20:54:10 +0000

For getting my domain.com to forward to www.domain.com automatically.

<keywords>
Here is how to get domain.com to auto automatically forward to www.domain.com add www to my url rewrite my url from mydomain.com to www.mydomain.com httpd.conf configure redirect url to 'www.'
</keywords>

edit: /usr/local/apache/conf/httpd.conf

(ignore my line numbers)
Make a backup of your original httpd.conf file in case you screw it up. You'll be able to swap em back out and get things live again in a hurry.

Find the domain.com VirtualHost entry you want to fix:

----------------------

1301 <VirtualHost xx.xx.xx.xx>
1302 ServerAlias www.domain.com domain.com
1303 ServerAdmin webmaster@domain.com
1304 DocumentRoot /home/myuser/public_html
1305 BytesLog domlogs/domain.com-bytes_log
1306 ServerName www.domain.com
1307 ScriptAlias /cgi-bin/ /home/myuser/public_html/cgi-bin/
1309 User myuser
1310 Group myuser
1311 CustomLog domlogs/domain.com combined
1312 </VirtualHost>

----------------------

Double it by copying/pasting the block and modify as detailed below:

----------------------

1301 <VirtualHost xx.xx.xx.xx>
1302 #ServerAlias www.domain.com domain.com
1303 ServerAdmin webmaster@domain.com
1304 DocumentRoot /home/myuser/public_html
1305 BytesLog domlogs/domain.com-bytes_log
1306 ServerName www.domain.com
1307 ScriptAlias /cgi-bin/ /home/myuser/public_html/cgi-bin/
1309 User myuser
1310 Group myuser
1311 CustomLog domlogs/domain.com combined
1312 </VirtualHost>
1313
1314 <VirtualHost xx.xx.xx.xx>
1315 #ServerAlias www.domain.com domain.com
1316 ServerAdmin webmaster@domain.com
1317 DocumentRoot /home/myuser/public_html
1318 BytesLog domlogs/domain.com-bytes_log
1319 ServerName domain.com
1320 ScriptAlias /cgi-bin/ /home/myuser/public_html/cgi-bin/
1321 Redirect / http://www.domain.com
1322 User myuser
1323 Group myuser
1324 CustomLog domlogs/domain.com combined
1325 </VirtualHost>

----------------------

What to do:
- comment out (or delete) the 'ServerAlias' lines of each since there aren't any needs for aliases now.
- change the line: "ServerName www.domain.com" to "ServerName domain.com" so it can be forwarded.
- added the whole line: "Redirect / http://www.domain.com" to the domain.com VirtualHost to do the fowarding.

HOW-TO: Apache + (phpsuexec, not required) + php4 (mod_php4 or cgi) + php5 (cgi)

Wed, 30 Nov 2005 21:18:31 +0000

HOW-TO updated to reflect 5.0.4 update to 5.0.5

Finally I have confirmed that this setup works!

I'm using Apache 1.3.33 (1.3.34 out, but it will not broke anything) + phpsuexec coming with cPanel + custom php 4.3.11 compiled as cgi (actually you may use the Apache Update via WHM to compile working php4 in cgi mode/phpsuexec) + custom php 5.0.5 compiled as cgi (it is easy to do as well, I will explain)

php5 works the same as php4 and it saves the permissions and etc. E.g. no problems with nobody as well.

1. Make sure you has Apache installed and workind with php4. It doesn't matter if you run mod_php4 or php4/phpsuexec, but I recommend to have phpsuexec based install (Warning: if you are running mod_php4 and would like to switch to phpsuexec, read the threads in this forum or you may end up with numerous broken scripts!);

2. You would need to compile php 5. To do this use the SSH sessing logged as root.
Then execute preparation commands (based on cPanel for better compatibility):
---------------------------

/scripts/checkccompiler
rm -rf /home/cpphpbuild
mkdir /home/cpphpbuild
cd /home/cpphpbuild
wget http://layer1.cpanel.net/buildapache/1/php-5.0.5.tar.gz
tar xfzv php-5.0.5.tar.gz
cd php-5.0.5

---------------------------

Make sure that we do enabled Sendmail support:

---------------------------

echo "#define HAVE_SENDMAIL 1" >> /home/cpphpbuild/php-5.0.5/main/php_config.h

---------------------------

It is recommended to apply the mail-header patch which allows to track the script which sent an email. You may skip this step.

---------------------------

wget http://choon.net/opensource/php/php-5.0.5-mail-header.patch
patch -p1 < /home/cpphpbuild/php-5.0.5/php-5.0.5-mail-header.patch

---------------------------

Then one of the most important steps. It is the configuring of the php. It would be better if you undestand these options. You may use the configure from your existing php. To get them type the following:

---------------------------

php -i | grep configure | sed "s/'//g"

---------------------------

You will get the almost clean configure you are currently using. The several important hints on this.
a) REMOVE the "--with-apxs=/usr/local/apache/bin/apxs" from the line. We are going to compile CGI version and it WILL broke the Apache!

b) Make sure you have the following prefixes and suffixes to install to the proper directories - otherwise currently installed php could be broken:
--prefix=/usr/local/php5 --exec-prefix=/usr/local/php5 --program-suffix=5

c) Add the necessary options for proper CGI redirects from Apache:
--enable-force-cgi-redirect --enable-discard-path

The result line will looks like this (please, do not use it - it has no CURL and PostgreSQL support - you better to follow steps above):

---------------------------

./configure --prefix=/usr/local/php5 --exec-prefix=/usr/local/php5 --program-suffix=5 --with-xml --enable-bcmath --enable-calendar --enable-ftp --with-gd --enable-exif --with-jpeg-dir=/usr --with-png-dir=/usr --with-xpm-dir=/usr/X11R6 --with-imap --with-imap-ssl --with-kerberos --enable-mbstring --with-mbstring=all --enable-mbstr-enc-trans --with-mcrypt --with-mhash --enable-magic-quotes --with-mysql=/usr --with-openssl --enable-discard-path --with-pear --enable-sockets --enable-track-vars --with-ttf --with-freetype-dir=/usr --enable-versioning --with-zlib --with-pspell --with-gettext --enable-inline-optimization --disable-debug --enable-force-cgi-redirect --enable-discard-path

---------------------------

So, we are ready to start the compiling. Execute "make install" and it starts...
If the process fails for any reason, carefully read the errors - usually they are self-explaining. In MOST cases errors are because of the inproper configure params.

Then run the cPanel script to complete:
/scripts/findphpversion

The compiled version of php should be copied to the cPanel cgi-sys:

---------------------------

cp -f /usr/local/php5/bin/php5 /usr/local/cpanel/cgi-sys/php5
chown root:wheel /usr/local/cpanel/cgi-sys/php5

---------------------------

Our installation has no php.ini file yet. On MOST systems Zend Optimizer installed. In this case you may just create the symlink:

---------------------------

ln -s /usr/local/Zend/etc/php.ini /usr/local/php5/lib/php.ini

---------------------------

Otherwise copy the default php.ini and edit it if needed:

---------------------------

cp -p /home/cpphpbuild/php-5.0.5/php.ini-recommended /usr/local/php5/lib/php.ini
chown root.root /usr/local/php5/lib/php.ini
chmod 644 /usr/local/php5/lib/php.ini

---------------------------

It is recommended to add the following line to the php.ini at the bottom (it is a MUST if you compile php4 instead php5!):

---------------------------

cgi.fix_pathinfo = 1 ; needed for CGI/FastCGI mode

---------------------------

We are almost done. Now we need to add several lines to Apache.

Run editor (you may use "vi" or "pico -w"):
pico -w /usr/local/apache/conf/httpd.conf

Scroll down (better use the built-in search) to the "<IfModule mod_dir.c>"
There we should to add index.php5 after index.jp, but before index.php4. Result would looks like this:

---------------------------

<IfModule mod_dir.c>
DirectoryIndex index.html index.wml index.cgi index.shtml index.jsp index.js index.jp index.php5 iindex.php4 index.php3 index.php index.phtml ndex.htm default.htm default.html home.htm
</IfModule>

---------------------------

This to allow index.php5 as index file.

Continue editing. Find the "AddType application/x-httpd-php .phtml" and after it add this:

---------------------------

Action application/x-httpd-php5 "/cgi-sys/php5"
AddType application/x-httpd-php5 .php5

---------------------------

This is the directives for Apache to use own php5 for files with extensions .php5

Check if we could find this line "ScriptAlias /cgi-sys/ /usr/local/cpanel/cgi-sys/"
If not - add it or our directive will not work. By default cPanel add this line. Just to warn you.

Save the file and quit.

Verify that you not broke the Apache config by running:

---------------------------

service httpd configtest

---------------------------

You SHOULD to get "Syntax OK" at the end and possible some minor warnings about "NameVirtualHost directive" - it is OK.
Warning: if you get ERROR - DO NOT RESTART APACHE AND LOCATE THE ISSUE. Otherwise Apache will not start at all!

When you make sure it is OK restart the Apache:

---------------------------

service httpd stop
service httpd startssl

---------------------------

Check that Apache come ok:

---------------------------

lynx --dump http://localhost/whm-server-status;

---------------------------

It will show you the Apache status.

Well, I should congratulate you - you have done it!

To test php5 upload the simple php file with the following content to any of your sites and name this file phpinfo.php AND ANOTHER COPY phpinfo.php5:

---------------------------

<?php
phpinfo();
?>

---------------------------

Then launch browser and point to phpinfo.php file first to see that php4 still OK, then open phpinfo.php5 to see that php5 is OK.

DONE!

ADDON:
If you need to use php5 for applications hardcoded with .php extensions you could to add the magic line to the VirtualHost directive of this account:
AddHandler application/x-httpd-php5 .php .php4 .php3 .phtml
(.php5 already using php5, but you may add it if you wish)

This will redirect all php, php3, php4 and php5 (as it set default globally) to the php5.

If you need to leave the option of running php4 on .php4 files do this:
AddHandler application/x-httpd-php5 .php .php3 .phtml .php5

But for those lazy folks there are an option to have these AddHandlers in the .htaccess files!
Just add the respective line (example, with no quotes: "AddHandler application/x-httpd-php5 .php .php4 .php3 .phtml") to the .htaccess and this directory and all its subdirectories would be able to use the php5 for chosen files!

This is awesome when you need to test some scripts. In this way create two directories:
/public_html/directory1
/public_html/directory2
And in the directory2 place .htaccess with:
AddHandler application/x-httpd-php5 .php .php4 .php3 .phtml

As a result you run php4 on .php in the directory1 and run php5 on .php in the directory2!

So it is very flexible and it all depends on how you would like to process php.

Credits: ISProHosting.com