Category Archives: administration

Why is useful documentation hard to find?

I just finished reading The Linux Journal’s “Geek’s Guide to Enterprise Monitoring Success“. It was good, talking about how to leverage the monitoring to work for the IT department in an organization. This also talked about some business problems you can face, which I’ve seen first hand. I’ve been in the “metrics from another group’s monitoring tools” meeting before. Trust me, you need to be sure of yourself and what you’re doing for the company before that happens. I’ve also seen monitoring systems destroyed because the wrong people had too much access and trying to  tune the system for their needs only.

For what it was, this was a good guide. From the title though, I expected something different.

Continue reading

Yet more with Fail2Ban

So yesterday, I thought I was all good on Fail2Ban today’s logcheck emails show there were still problems with Dovecot.

Continue reading

More Fail2Ban fun with Debian Stretch

Yesterday, going through email yesterday, mostly logcheck emails, I found that Apache wasn’t blocking the attackers. It was seeing them, but not adding the ip address to iptables block list.

The fix was setting up the maxretry it was set rather high, I moved it down to 1 like I had it in the past. I also adjusted the search time to 1 hour and the ban time to 7 days. I thought I was good, and didn’t give it a second thought.

Today, looking at the logcheck emails (really it’s a great IDS for system admins to get a view into their box), there are a lot of automated attacks on the mail server NOT BEING BLOCKED!!! It worked yesterday, there were even banned ip addresses in the chain.

After lots of digging, and several changes that didn’t work, I decided to go for the bad option.

Really the real reason was that Fail2Ban had been around for a while. Things changed, and I had a weird mishmash of configuration files. After the install I removed the files in the package that were not debian related, not sure why bsd; osx; or fedora are in the Debian package to start with.

Followed the local customization file directions creating jail.d/server-defaults.conf with apache-auth and dovecot in them. ssh is handled by defaults-debian.conf. Why the new file, in case the Debian one gets over-written by new stuff later.

Restart the service and…

Still not working for dovecot.!? (tailing the log and watching iptables).

Turns out, it’s where Fail2Ban was set for default to watch for login errors for Dovecot (also noted through the logs). It’s looking in /var/log/mail.warn. I don’t know if I changed it, or it’s legacy left over, or what, but my box it’s /var/log/auth.log where Dovecot login failures go. So I added the logpath to jail.d/server-defaults.conf, restarted Fail2Ban and it worked.

Fail2Ban problems with Debian Stretch

This week The Debian project released “Jessie” (Debian 8.0) as stable. I like to keep my servers a little more ahead of the curve than that, so I upgraded to the new testing branch “Stretch”.

While going through my logs from yesterday and this morning, log checker is awesome, I saw someone hitting my mail server. Normally you only get 1 chance to log in as a non-existent account before Fail2ban kicks in and adds the ip address to my Netfilter iptables jail. This address kept showing up, hour after hour in the logs, and multiple user names.

Looking, I found out that while running, it wasn’t catching all the rules for Fail2ban. I checked the configuration files, and things checked out OK. So I fell back on the old restart the service and see what errors pop.

Continue reading

Home Lab – Changes

I’ve made changes to the layout of my home lab. This is the current plan, because I can’t afford the Cisco switch I want right now. I also don’t think it’s worth getting a second line to the house, since I plan on moving by October.

The new design is to have my home network and the lab network mixed. I do have one more wireless router I could put in place to isolate the lab, but not going to for right now. If I need to limit things for something, I can always change. It’s also split between 2 floors, which is why there are 2 switches.

Lab Design v2

 

 

 

 

 

 

 

The Single Board Farm is 6 Raspberry Pi B, 4 Raspberry Pi B+, 2 Raspberry Pi 2, and once I can get them, Odroid C1 (probably 2).

apt-get upgrade spamassassin error

I’m sure I’ll forget about this again. Trying to upgrade spamassassin, I kept getting the following error. I fixed this a couple of months ago, but forgot what the

dpkg: error processing package spamassassin (–configure):
subprocess installed post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of sa-compile:
sa-compile depends on spamassassin (>= 3.3.2-8); however:
Package spamassassin is not configured yet.

dpkg: error processing package sa-compile (–configure):
dependency problems – leaving unconfigured
Errors were encountered while processing:
spamassassin
sa-compile
E: Sub-process /usr/bin/dpkg returned an error code (1)

The cause has to do with the hardening I’ve done on my linux box. If the entry in /etc/password is a service account, the shell gets set to /bin/false. To fix the errors above, I need to change it to /bin/bash, and then change it again after the upgrade.

However I’m sure I’ll forget about this again, and forget that I wrote a blog entry for it.

vmware problem trying to share bridged interface

I’ve spent the last 2 days trying to get Vmware Player on a Windows 7 host, to provide internet to any of the guests  using bridged mode.  I have 2 firewalls installed. Windows firewall, and Avast’s Firewall (part of the Internet Security Suite). I had both installed previously before I rebuilt my laptop in September, and didn’t have a problem or had to do anything.

If I turned off one of the firewalls it worked fine, for bridged interfaces. But with both on, it didn’t work. Even though there are rules in place for avast to allow vmware.

After digging I finally found a thread dealing with the same issue on VirtualBox. The fix is to turn on Internet Connection Sharing in Avast. This doesn’t turn it on for Windows but just Avast from what I can tell.

Designing a new home lab

I used to have a home lab of 3 cisco routers, and 3 cisco switches. That was for my CCNA training. Problem was, they were so old, they were not worth it. The lab also had 2 Intel 32-bit PC towers and a Sun Ultra 10. The Sun box was to get the Sun certification, but never got around to it. That isn’t to say that the lab wasn’t used. Just not used for the reasons I originally bought the components for.

Now, since I graduated and I have money to spend on building a new lab, I’m looking at getting something new set up. After watching Johnny X(m4s) and Eve Adams recorded talk from Derbycon. I decided on the following design.

Lab Design v1

So this will be on a separate internet connection from my home network. That means getting a second line to the house, but it doesn’t have to be the fastest line in the world.

The hope is to have the PFSense box, the Security Onion Box, and the Vmware ESXi box all running on Micorservers. The price for the Lenovo ones are decent.

I want a Cisco 3560g switch for Gig out all the ports, plus the layer 2 / 3 routing. Again the price isn’t too bad, about the same as the Microsevers. Lastly if I decide to go for the CCNA again, it should be useful.

The wireless access point was chosen from the Offensive Security WiFu class hardware list. I could use my old Linksys WRT54GL with dd-rwt on it. But it cant’ do N. Granted it looks like the Off-Sec recommended ones are only half N.

Lastly, it would be nice to have a peg board with all my Raspberry Pi devices attached to it. Requires being easy to remove them, but not a big issue. This would give me a place to have them while working and store them when not in use. If I can get POE on the 3560g, that means I can get a POE splitter and adapter for each Raspberry Pi, and don’t have to worry about power there either.

The laptop would be as needed device. I could use my current one or buy one to dedicate to the lab. Mainly it’s there for user interface purposes than anything else.

The only downside, even though I’m not paying for college classes out of pocket any more, is that it will take a while to build this lab. I’m going to have to piece it together a little at a time.