[DIY] - SmallNetworks - Learning by Doing

[sfx2000]

if you've already installed ntpdate, it's easy enough to remove

sudo apt purge ntpdate

and it'll expunge the binary and configuration files.

to check if ntp is running

ntpq -p

if you get connection refused - start the daemon back up

sudo service ntp restart

and you should be good to go

 

[oletuv]

**Setup SUDOERS**

We create the ADMIN group - only they can act as ADMINS, other accounts cannot - they will not have sudo access

test@testbox:~$ sudo groupadd admin
test@testbox:~$ sudo usermod -a -G admin test

Sfx,

Is there a difference between the "admin" group and the built-in "sudo" group?

I found this on superuser.com:

You can then add a user to the sudo group with with the command:

sudo adduser <username> sudo

Note that versions of Ubuntu until 11.10 will use admin as group instead of sudo:

Until Ubuntu 11.10, the Unix group for administrators with root privileges through sudo had been admin. Starting with Ubuntu 12.04 LTS, it is now sudo, for compatibility with Debian and sudo itself. However, for backwards compatibility, admin group members are still recognized as administrators

When I execute "sudo groups ole" I get the following list of groups:

ole : ole adm cdrom sudo dip plugdev lpadmin sambashare admin

The adm, sudo and admin groups seem to be ADMIN groups, can any of them be used to give users sudo rights?

When exploring the administrator stuff I noticed that the "adduser" command created the home directory by default (without an explicit option):


And here is Frida Tuv


Ole

 

[sfx2000]

The Admin group is the same as the Sudo group - I just use the group name admin as it's consistent across different platforms and distributions - thing is that members of that group have the special powers, and the extra trust needed as such.

With any platform - it's a security thing - granting access at the appropriate level (or not)

 

[sfx2000]

When exploring the administrator stuff I noticed that the "adduser" command created the home directory by default (without an explicit option):

useradd just adds an account - useful for samba users (or email would be another good reason to have an account, but not a home directory)

adduser does the same thing as useradd -m, with some extra items that are sometimes useful if one is hooking PAM up to an LDAP server (think many boxes in a big environment).

Every system admin will have their own subtle ways of doing things - it's mostly out of habits and best practices - consistency is good for security and stability of the platforms they maintain.

There are few wrong answers out there and admins that are consistently wrong will sooner or later find other opportunities in life

BTW - cute doggie

 

[oletuv]

If you get to the point where DokuWiki is installed, here's a table of contents that you can use to create your own copy - all of these how-to's are in dokuwiki markup...

==== Table of Contents ====

  * [[SNB Basics - HW and SW Requirements]]
  * [[SNB Basics - Linux Install]]
  * [[SNB Basics - Managing Users]]
  * [[SNB Basics - Network Management]]
  * [[SNB Basics - Network Services]]
  * [[SNB Basics - Remote Access]]
  * [[SNB Basics - LAMP Server Install]]
  * [[SNB Basics - WebApps]]
  * [[SNB Basics - Network Monitoring]]
  * [[SNB Basics - Monitoring]]
  * [[SNB Basics - Storage]]
  * [[SNB Basics - Simple NAS Server]]
  * [[SNB Basics - Security]]
  * [[SNB Basics - Security Extras]]

Thanks, Sfx, you´re doing a great jobb creating these how-to's!

Will all the how-to's reappear in this thread or will they be accessible from another location?

Ole

 

[HardCat]

bonus points for today - this is draft, and likely will change... it does depend on the LAMP install - we're install phpmyadmin to manage mysql, a lightweight Wiki, and a cute little network benchmark - speedtest.mini...

====== Web Apps ======

This is a quick walk-thru on apps delivered via HTTP.

Apache sees things two ways - docs on in ''/var/www'', and apps via CGI are in ''/usr/share''

And then PHP kind of gets in the middle of things...

===== phpmyadmin - mysql gui admin =====

Prerequisites - LAMP Install

**install phpmyadmin**

  sudo apt install phpmyadmin

When prompted - select apache as the web server, and say <yes> when asked for db-common - you'll be prompted for a password for phpmyadmin - this is the user account for phpmyadmin, and the password is for the database, as well as the weblogin for phpmyadmin - so make a note of it.

HINT - This screen trips folks up - pay attention! apache2 is highlighted, but not selected

Warning: When the first prompt appears, apache2 is highlighted, but not selected. If you do not hit Space to select Apache, the installer will not move the necessary files during installation. Hit Space, Tab, and then Enter to select Apache.

So I think I've hinted enough here

<code>

┌────────────────────────┤ Configuring phpmyadmin ├─────────────────────────┐
│ Please choose the web server that should be automatically configured to   │
│ run phpMyAdmin.                                                           │
│                                                                           │
│ Web server to reconfigure automatically:                                  │
│                                                                           │
│    [*] apache2                                                            │
│    [ ] lighttpd                                                           │
│                                                                           │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
</code>

Don't forget to hit the spacebar on apache2 to select...

<code>
┌────────────────────────┤ Configuring phpmyadmin ├─────────────────────────┐
│                                                                           │
│ The phpmyadmin package must have a database installed and configured      │
│ before it can be used. This can be optionally handled with                │
│ dbconfig-common.                                                          │
│                                                                           │
│ If you are an advanced database administrator and know that you want to   │
│ perform this configuration manually, or if your database has already      │
│ been installed and configured, you should refuse this option. Details on  │
│ what needs to be done should most likely be provided in                   │
│ /usr/share/doc/phpmyadmin.                                                │
│                                                                           │
│ Otherwise, you should probably choose this option.                        │
│                                                                           │
│ Configure database for phpmyadmin with dbconfig-common?                   │
│                                                                           │
│                    <Yes>                       <No>                       │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
</code>

Just say yes here if a fresh install (which we are)

It'll prompt you for a password - this will be the phpmyadmin password to login to the phpmyadmin page...

NOTE - if you go down the db-common config path, any existing databases with phpmyadmin or information-schema will be dropped and replaced with new databases - if you're migrating an old install, just be aware - check phpmyadmin's documents for more info on migrating old installs.

Installing the missing php modules

  sudo apt install php-mbstring php-gettext

and enable them - yes, one can hotpatch php without reloading/restarting apache2 - scary thought, eh?

  sudo phpenmod mcrypt
  sudo phpenmod mbstring

See that they're hot - http://testbox.local/lbd/phpinfo.php

**Login to phpmyadmin**

Go to http://testbox.local/phpmyadmin, and you should see the webapp running - login as phpmyadmin with the password you set in the previous step

**TIP** - Now here's where things get a bit tricky if you're an old hand at LAMP - MySQL 5.7 changed the security model, not allowing MySQL root user login without sudo (while the password can be blank).

So things will likely go odd - one can login to the phpmyadmin, but that user can't make changes as the phpmyadmin user doesn't have the global privileges or grant options

Here's the fix

  sudo mysql --user=root mysql
  GRANT ALL PRIVILEGES ON *.* TO 'phpmyadmin'@'localhost' WITH GRANT OPTION;
  FLUSH PRIVILEGES;
  quit

Logout of phpmyadmin, and log back in, and you'll be right as rain...

Here - have a [[http://www.oracle.com|cookie]] - just kidding ;)

Now to make these services persistent = they should be, but let's make sure...

  sudo systemctl enable apache2
  sudo systemctl enable mysql

===== dokuWiki - taking notes =====

This is an example - while DokuWiki is in the Debian/Ubuntu repos - if you don't believe me you can check - apt list dokiwiki

Don't take the easy way out - let's do it the real way... This is a good walkthru on how to hand install software

DokuWiki is chosen as it's lightweight enough to run on Raspberry Pi, and still be easy to install and use. All of these documents/walkthru's have been composed with DokuWIki

So hold on to your shorts, we're not in Kansas anymore...

Enable Apache Rewrite module and restart apache2

  sudo a2enmod rewrite
  sudo service apache2 restart

Download and uncompress the latest stable release.

  cd /var/www/html
  sudo wget http://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz
  sudo tar xvf dokuwiki-stable.tgz
  sudo mv dokuwiki-*/ dokuwiki

Change permissions

  sudo chown -R www-data:www-data /var/www/html/dokuwiki

Change AllowOverrides setting in Apache2 to use .htaccess files for security

  sudo nano /etc/apache2/apache2.conf

For directory ''/var/www/'' replace\\ ''AllowOverride None''\\ with\\ ''AllowOverride All''

Restart Apache2 service

  sudo service apache2 restart

Visit ''http://testbox.local/dokuwiki/install.php'' to initially configure your DokuWiki. It's going to ask for a few things - but now this is your app, you can make your choices...

Don't forget to delete the install.php file after finished installing.

  sudo rm /var/www/html/dokuwiki/install.php

Note - SMTP daemon is needed for sending email (e.g. user registration), see postfix section if you skipped it earlier

Enjoy your own DokuWiki server.

===== SpeedTest.mini =====

People want to see how fast their connections are - here's a simple in-network way to support this on your LAN

Downloading Speedtest.Net mini... go to http://www.speedtest.net/mini.php

Sign up for an account - once done, you will be offered a link to download mini.zip

Once done - upload/copy it to /var/www/html/

unpack the file into a directory - you should have /var/html/www/mini

  sudo unzip /var/www/html/mini.zip

rename /var/www/html.miniindex-php.html to index.html

  sudo mv /var/www/html/mini/index-php.html /var/www/html/mini/index.html
do a change owner, as the apache needs to access this...

  chown -R www-data:www-data /var/www/html/mini

and give it the right perms

  chmod -R 755 /var/www/html/mini

and point your browser to http://testbox.local/mini

This little webapp does require a current flash plugin for your browser

In the section for SpeedTest Mini sudo is required in the commands to get the proper permissions as follows:

sudo chown -R www-data:www-data /var/www/html/mini

sudo chmod -R 755 /var/www/html/mini

 

[oletuv]

Create a local jail file - we do this as it will override the jail.conf file, and if updated, it will preserve our changes

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Set some basic items in jail.local
<code>
# ignoreip = 127.0.0.1/8
ignoreip = 127.0.0.1/8 192.168.1.0/24
# bantime = 600
bantime = 7200
# finditime = 600
findtime = 300
# maxretry = 6
</code>

How does the mechanism of creating local versions of conf/def files to preserve changes work? Is adding ".local" to the service name like "jail.local" enough or should ".local" be added to the name of the conf/def file e.g. "jail.conf.local"?

Shall the local jail file be edited with the changes above and the rest of the file be left as is, or shall the local jail file only include the code above?

Ole

 

[sfx2000]

jail.local if you review the comments in jail.conf

 

[oletuv]

jail.local if you review the comments in jail.conf

Yes, I see that now, sorry.

Ok, I edited the following lines in jail.local section [DEFAULT] as follows:

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.10.0/24
bantime  = 7200
findtime  = 300
# maxretry = 5

Hope I´ve understood the how-to correctly now?

Ole

 

[sfx2000]

Want to uncomment the maxretry line...

rest looks good - can tune the findtime - the value is in seconds, the default is 600 (10 minutes) to catch those folks that space out the attempts, but generally I've found that 5 minutes is sufficient for most small installs...

 

[oletuv]

Want to uncomment the maxretry line...

rest looks good - can tune the findtime - the value is in seconds, the default is 600 (10 minutes) to catch those folks that space out the attempts, but generally I've found that 5 minutes is sufficient for most small installs...

Thanks for the clarification. I commented the maxretry line because the same line in the how-to was commented. You might want to edit the "# maxretry = 6" line in the how-to.

Ole

 

[sfx2000]

In the section for SpeedTest Mini sudo is required in the commands to get the proper permissions as follows:

fixed - thanks

 

[oletuv]

==== Running NMAP ====


NMAP is pretty easy to run, many options - go overboard, and that target host might crash - here's a quick command line example

  sudo nmap -v -A 192.168.1.1
We're targeting that consumer grade Router/AP that is our WAN/LAN gateway - might be surprised at what you find... might need to power cycle it afterwards...

   -v: Increase verbosity level (use -vv or more for greater effect)
   -A, to enable OS and version detection, script scanning, and traceroute

Many, many more options are available - check the well documented man page for more details
  man nmap

==== NMAP audit results of the SNB Basics Server config ====


Below is an NMAP audit of the SNB Basics configuration - I'm not too worried about things, as we know what services we've built, and we've done our best to secure them - the NETBIOS (Samba) is as good as we can make it, and if you don't need the SAMBA, you can turn it off...

Let's analyze this from a security perspective

  * **SSH** - we have access control, and it is crypto secure
  * **SMTP** - access control again, and while port 25 is open, only the gmailuser@gmail.com can use it (cryto again thru SASL), and we have it firewalled
  * **HTTP/PHP** - runs as www-data, and is limited only to the document root in the apache2 configuration and security directives
  * **NETBIOS/Samba** - runs as it's own user, and only has access to /var/share and /var/media - Samba only users cannot log in to unix if they don't have a Unix password (useradd vs. adduser)

<code>
Nmap scan report for 192.168.1.6
Host is up (0.00042s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 (protocol 2.0)
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: testbox, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=testbox
| Issuer: commonName=testbox
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-05-20T22:55:38
| Not valid after:  2026-05-18T22:55:38
| MD5:   aabb 1122 4ab4 4c4f 3f7d 60a2 7f3a b7c9
|_SHA-1: ccdd 3344 6b46 4974 59b7 e5c1 016b b042 2c3e 619c
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http        Apache httpd
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache
|_http-title: the bluepill
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
5901/tcp open  vnc         VNC (protocol 3.8)
| vnc-info:
|   Protocol version: 3.8
|   Security types:
|     VNC Authentication (2)
|     Tight (16)
|   Tight auth subtypes:
|_    STDV VNCAUTH_ (2)
6001/tcp open  X11         (access denied)
Service Info: Host:  testbox

Host script results:
| nbstat: NetBIOS name: TESTBOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   TESTBOX<00>          Flags: <unique><active>
|   TESTBOX<03>          Flags: <unique><active>
|   TESTBOX<20>          Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: testbox
|   NetBIOS computer name: TESTBOX
|   Domain name:
|   FQDN: testbox
|_  System time: 2016-05-22T14:39:58-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Nmap done: 1 IP address (1 host up) scanned in 15.87 seconds

Sfx,

I installed Nmap according to your how-to and ran "sudo nmap -v -A 192.168.10.1". The output was as follows:

Nmap scan report for 192.168.10.1
Host is up (0.0037s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain dnsmasq 2.49
| dns-nsid:
| id.server: dns2-no-srv1.lysetele.net
|_ bind.version: dnsmasq-2.49
80/tcp filtered http
443/tcp filtered https
10000/tcp filtered snet-sensor-mgmt
10001/tcp filtered scp-config
MAC Address: XX:XX:XX:XX:XX:XX (ZyXEL Communications)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.19 - 2.6.36
Uptime guess: 14.901 days (since Mon May 16 14:27:15 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=207 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT ADDRESS
1 3.73 ms 192.168.10.1

NSE: Script Post-scanning.
Initiating NSE at 12:04
Completed NSE at 12:04, 0.00s elapsed
Initiating NSE at 12:04
Completed NSE at 12:04, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.89 seconds

I was expecting to see an entry for the samba service which was running on Ubuntu with a connection established from my MacBook Pro. What am I missing?

Ole

 

[sfx2000]

Going to 192.168.10.1, and looking at the results - you scanned your router/ap/gateway device (Zyxel) - interesting to note that it's running quite a few services that you may or may not be running..

PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain dnsmasq 2.49
| dns-nsid:
| id.server: dns2-no-srv1.lysetele.net
|_ bind.version: dnsmasq-2.49
80/tcp filtered http
443/tcp filtered https
10000/tcp filtered snet-sensor-mgmt
10001/tcp filtered scp-config

 

[oletuv]

Going to 192.168.10.1, and looking at the results - you scanned your router/ap/gateway device (Zyxel) - interesting to note that it's running quite a few services that you may or may not be running..

PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain dnsmasq 2.49
| dns-nsid:
| id.server: dns2-no-srv1.lysetele.net
|_ bind.version: dnsmasq-2.49
80/tcp filtered http
443/tcp filtered https
10000/tcp filtered snet-sensor-mgmt
10001/tcp filtered scp-config

Yes, I scanned the router installed by my ISP who has configured the router.

I understand now, when I scan my Ubuntu Desktop IP address (which is what I should have done in the first place) I get the expected result:

NSE: Script scanning 192.168.10.15.
Initiating NSE at 15:22
Completed NSE at 15:22, 0.74s elapsed
Initiating NSE at 15:22
Completed NSE at 15:22, 0.00s elapsed
Nmap scan report for 192.168.10.15
Host is up (0.000043s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ce:fd:35:94:c2:8a:fc:42:8b:e7:15:f0:22:8e:48:81 (RSA)
|_ 256 fe:84:a6:40:70:54:c7:60:0a:6f:89:2e:79:2e:64:d0 (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: Parallels-Ubuntu.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: HOMEGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: HOMEGROUP)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3.19 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.19, Linux 3.8 - 4.4
Uptime guess: 0.153 days (since Tue May 31 11:41:55 2016)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: Parallels-Ubuntu.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: MACBOOKPRO-2C5D, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| MACBOOKPRO-2C5D<00> Flags: <unique><active>
| MACBOOKPRO-2C5D<03> Flags: <unique><active>
| MACBOOKPRO-2C5D<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| HOMEGROUP<00> Flags: <group><active>
| HOMEGROUP<1d> Flags: <unique><active>
|_ HOMEGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: parallels-ubuntu
| NetBIOS computer name: MACBOOKPRO-2C5D
| Domain name:
| FQDN: parallels-ubuntu
|_ System time: 2016-05-31T15:22:03+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

NSE: Script Post-scanning.
Initiating NSE at 15:22
Completed NSE at 15:22, 0.00s elapsed
Initiating NSE at 15:22
Completed NSE at 15:22, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.98 seconds

There is a lot to learn, but I enjoy it so much.

Ole

 

[sfx2000]

Once you have your small server up and running - might want to review this series of articles on the main site... this is something better for dedicated HW vs. running on a VM.

http://www.smallnetbuilder.com/wire...p-freeradius-for-wpa-a-wpa2-enterprise-part-1

 

[sfx2000]

Did a small tweak to the UFW section.... adding the insert 1 to the rule pops it to the top of the list - this is helpful if you have a really persistent IP that is constantly trying to connect...

**Block an IP Address**

To block all network connections that originate from a specific IP address, 15.15.15.51 for example, run this command :- and this will pop that IP to the top of the list and block all traffic from it
 
    sudo ufw insert 1 deny from 15.15.15.51
 
In this example, from 15.15.15.51 specifies a source IP address of "15.15.15.51". If you wish, a subnet, such as 15.15.15.0/24, may be specified here instead. The source IP address can be specified in any firewall rule, including an allow rule.

 

[sfx2000]

fail2ban - i do run openssh facing the WAN, so I do get quite a few pokes at my instance - to see fail2ban in action, you can tail -f /var/log/fail2ban.log and see it working... real world example below;

2016-05-30 18:16:13,774 fail2ban.jail           [1146]: INFO    Creating new jail 'sshd'
2016-05-30 18:16:13,808 fail2ban.jail           [1146]: INFO    Jail 'sshd' uses pyinotify
2016-05-30 18:16:13,837 fail2ban.filter         [1146]: INFO    Set jail log file encoding to UTF-8
2016-05-30 18:16:13,844 fail2ban.jail           [1146]: INFO    Initiated 'pyinotify' backend
2016-05-30 18:16:13,904 fail2ban.filter         [1146]: INFO    Set maxRetry = 3
2016-05-30 18:16:13,965 fail2ban.filter         [1146]: INFO    Added logfile = /var/log/auth.log
2016-05-30 18:16:14,021 fail2ban.filter         [1146]: INFO    Set findtime = 600
2016-05-30 18:16:14,022 fail2ban.actions        [1146]: INFO    Set banTime = 43200
2016-05-30 18:16:14,022 fail2ban.filter         [1146]: INFO    Set jail log file encoding to UTF-8
2016-05-30 18:16:14,023 fail2ban.filter         [1146]: INFO    Set maxlines = 10
2016-05-30 18:16:14,168 fail2ban.server         [1146]: INFO    Jail sshd is not a JournalFilter instance
2016-05-30 18:16:14,175 fail2ban.jail           [1146]: INFO    Jail 'sshd' started
2016-05-30 18:16:15,175 fail2ban.actions        [1146]: NOTICE  [sshd] Ban 221.232.129.51
2016-05-31 01:04:39,303 fail2ban.filter         [1146]: INFO    [sshd] Found 121.156.122.97
2016-05-31 01:04:39,318 fail2ban.filter         [1146]: INFO    [sshd] Found 121.156.122.97
2016-05-31 01:04:42,086 fail2ban.filter         [1146]: INFO    [sshd] Found 121.156.122.97
2016-05-31 01:04:42,433 fail2ban.actions        [1146]: NOTICE  [sshd] Ban 121.156.122.97
2016-05-31 04:51:33,958 fail2ban.filter         [1146]: INFO    [sshd] Found 208.39.114.154
2016-05-31 04:51:33,984 fail2ban.filter         [1146]: INFO    [sshd] Found 208.39.114.154
2016-05-31 04:51:35,722 fail2ban.filter         [1146]: INFO    [sshd] Found 208.39.114.154
2016-05-31 04:51:35,971 fail2ban.actions        [1146]: NOTICE  [sshd] Ban 208.39.114.154
2016-05-31 04:56:57,896 fail2ban.filter         [1146]: INFO    [sshd] Found 124.224.177.182
2016-05-31 04:56:57,907 fail2ban.filter         [1146]: INFO    [sshd] Found 124.224.177.182
2016-05-31 04:56:59,784 fail2ban.filter         [1146]: INFO    [sshd] Found 124.224.177.182
2016-05-31 04:57:00,827 fail2ban.actions        [1146]: NOTICE  [sshd] Ban 124.224.177.182
2016-05-31 06:16:15,255 fail2ban.actions        [1146]: NOTICE  [sshd] Unban 221.232.129.51

 

[sfx2000]

Here's the Postfix SMTP Agent Section....

It's optional, but if you are running items that send alerts, it's strongly recommended - Logwatch, Apticron. and some of the other items can alert you when the server needs some attention

This will eventually go into the SNB Basics - Postfix SMTP Agent chapter/section

====== postfix SMTP Agent ======

**Postfix** - notification scripts need to send mail for alerts/reports/etc...

Note - this is not an exhaustive discussion on postfix, and it's very much focused on gmail - there are many ways to configure a SMTP agent, depending on the use case, environment, and needs/requirements.

//GMAIL note - there are sections where email is needed - GMAIL works well, it's tested, and the instructions in this series will be focused on that service - you may use a primary GMail account if you wish, or my recommendation is to set up a dedicated GMAIL account specific to monitor your SNB Basics Server.//

**Install Postfix**

  sudo apt install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules

We want postfix in this case to be a "smarthost" as it will be sending mail to another SMTP host
<code>
  ┌────────────────────────┤ Postfix Configuration ├────────────────────────┐
  │                                                                         │ 
  │ Please select the mail server configuration type that best meets your    
  │ needs.                                                                    
  │                                                                          
  │  No configuration:                                                        
  │   Should be chosen to leave the current configuration unchanged.          
  │  Internet site:                                                          
  │   Mail is sent and received directly using SMTP.                          
  │  Internet with smarthost:                                                
  │   Mail is received directly using SMTP or by running a utility such      
  │   as fetchmail. Outgoing mail is sent using a smarthost.                  
  │  Satellite system:                                                        
  │   All mail is sent to another machine, called a 'smarthost', for          
  │ delivery.                                                                
  │  Local only:                                                              
  │                                                                          
  │                                 <Ok>                                      
  │                                                                         │ 
  └─────────────────────────────────────────────────────────────────────────┘ 
</code>

Select Internet with smarthost

<code>
                    ┌──────┤ Postfix Configuration ├───────┐
                    │ General type of mail configuration:  │ 
                    │                                      │ 
                    │       No configuration               │ 
                    │       Internet Site                  │ 
                    │       Internet with smarthost        │ 
                    │       Satellite system               │ 
                    │       Local only                     │ 
                    │                                      │ 
                    │                                      │ 
                    │       <Ok>           <Cancel>        │ 
                    │                                      │ 
                    └──────────────────────────────────────┘ 
</code>

Put in the system name - **testbox**

<code>
 ┌─────────────────────────┤ Postfix Configuration ├─────────────────────────┐
 │ The "mail name" is the domain name used to "qualify" _ALL_ mail           │ 
 │ addresses without a domain name. This includes mail to and from <root>:   │ 
 │ please do not make your machine send out mail from root@example.org       │ 
 │ unless root@example.org has told you to.                                  │ 
 │                                                                           │ 
 │ This name will also be used by other programs. It should be the single,   │ 
 │ fully qualified domain name (FQDN).                                       │ 
 │                                                                           │ 
 │ Thus, if a mail address on the local host is foo@example.org, the         │ 
 │ correct value for this option would be example.org.                       │ 
 │                                                                           │ 
 │ System mail name:                                                         │ 
 │                                                                           │ 
 │ testbox__________________________________________________________________ │ 
 │                                                                           │ 
 │                    <Ok>                        <Cancel>                   │ 
 │                                                                           │ 
 └───────────────────────────────────────────────────────────────────────────┘ 
</code>

specify the relay host - **smtp.gmail.com**

<code>
 ┌─────────────────────────┤ Postfix Configuration ├─────────────────────────┐
 │ Please specify a domain, host, host:port, [address] or [address]:port.    │ 
 │ Use the form [destination] to turn off MX lookups. Leave this blank for   │ 
 │ no relay host.                                                            │ 
 │                                                                           │ 
 │ Do not specify more than one host.                                        │ 
 │                                                                           │ 
 │ The relayhost parameter specifies the default host to send mail to when   │ 
 │ no entry is matched in the optional transport(5) table. When no relay     │ 
 │ host is given, mail is routed directly to the destination.                │ 
 │                                                                           │ 
 │ SMTP relay host (blank for none):                                         │ 
 │                                                                           │ 
 │ smtp.gmail.com___________________________________________________________ │ 
 │                                                                           │ 
 │                    <Ok>                        <Cancel>                   │ 
 │                                                                           │ 
 └───────────────────────────────────────────────────────────────────────────┘ 
</code>

**Finish the configuration of Postfix**

Now we go an manually edit the main config file for postfix... make a backup of the original first...

  sudo cp /etc/postfix/main.cf /etc/postfix/main.cf.bak

Now here's what's needed inside that file for gmail as a relay

  sudo nano /etc/postfix/main.cf

only these items need to be changed/verified - add/edit/modify as needed...
<code>
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# TLS parameters
smtp_use_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

myhostname = testbox
relayhost = [smtp.gmail.com]:587

# SASL Parameters
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
</code>

Again, we're using Gmail, so note that the username/pass aren't in main.cf, they'll be in another file...

  sudo nano /etc/postfix/sasl_passwd

add the following line

  [smtp.gmail.com]:587    gmailuser@gmail.com:gmailpassword 

gmailuser/gmailpassword is the userid/pass for the gmail account that we're using

Now we fix perms and update the postfix config to use the sasl_passwd file

  sudo chmod 400 /etc/postfix/sasl_passwd
  sudo postmap /etc/postfix/sasl_passwd

And we then reload postfix

  sudo service postfix reload

To test - the following should generate an email from your server to your gmail inbox - yes, this <line> is deliberately <broken> for a <reason> - if you don't remove the <brackets> - you'll get an error

  echo "Test mail from postfix" | mail -s "Test Postfix" <gmailuser>@gmail.com

**Debug** - fire up another terminal session and tail the mail.log

  tail -f /var/log/mail.log

It'll normally suggest where things might have gone wrong...

Debug hints - couple of things that generally go wrong...

1. No TLS

  status=bounced (host smtp.gmail.com[74.125.65.109] said: 530 5.7.0 Must issue a STARTTLS command first. s9sm727762ybm.8 (in reply to MAIL FROM command))

You’re missing smtp_use_tls=yes in main.cf

2. Unknown CA

  certificate verification failed for smtp.gmail.com[74.125.47.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

You’re missing smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt in main.cf

 

[sfx2000]

Here's one that'll get you into trouble, lol... but a good walk-thru on how to obtain code, build, and install software that isn't in the repo's for the linux platform.

If you decide to build up NMAP, there's been an update to that guide - small change to include extra dependencies if you want to use the Zenmap GUI - you don't need to redo everything, but adding the three packages below should allow Zenmap to work

sudo apt install build-essential subversion libssl-dev autoconf pwgen python-gtk2 python2.7-dev gksu