Protect public Linux servers with fail2ban

Do you have public facing Linux servers?

Of course you do. Who doesn’t? Why else would you be here?

I’m not a big fan of security through obscurity, so I need, or we all need, a way to protect our known public ports.

I know, iptables or any of its derivatives are always there, but what about that one port that must stay open and accessible? After all, if you didn’t need a public-facing service, you wouldn’t need to make it public, would you?

fail2ban to the rescue

fail2ban is a very useful utility that creates rules on your firewall to block failed authentication attempts. It can be used with any service that generates log files. As an example I will use SSH.

How To

Installation

Installation of fail2ban is as easy as it gets. Just make sure your repositories are up to date and do a yum install fail2ban or apt-get install fail2ban.

Configuration

The first step to configure fail2ban is to copy its config file to a .local file.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

fail2ban configuration should be done only on the new .local file, so that a package upgrade replacing jail.conf does not wipe out your changes.

In the jail.local file, let’s search for the [ssh] or [ssh-iptables] section, depending on whether you use a Debian-based or Red Hat-based distro.

Make sure that it is enabled and the log file is pointing to the right location.

We can also set the ban duration and the number of tries before banning. I like to ban for 1 hour (value in seconds) and after 5 retries.

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
banaction = iptables-allports ; ban the offending IP on every port, not just ssh
bantime = 3600 ; IP address is banned for 1 hour (value in seconds)
maxretry = 5 ; allow the IP address a maximum of 5 failed attempts

After the configuration is done, let’s start the service and see it in action.

Seeing it all come together

If you have anyone testing your defences you should see fail2ban in action very fast. Just do a word count of the number of lines in auth.log with failed attempts, like so:
grep 'sshd.*Failed' /var/log/auth.log | wc -l
Then follow up with a listing of your iptables rules with iptables -L.
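To make the maxretry logic above tangible, here is an added example (not from the original post) that does by hand what the sshd filter does for you: count failed logins per source IP over a few constructed auth.log lines and report which addresses reached the maxretry threshold of the jail above. The sample log lines, the hostname and the IPs are made up, and the script ignores fail2ban's findtime window, so it counts all failures regardless of how far apart they are.

```shell
#!/bin/sh
# Added example: per-IP failed-login counting in the spirit of fail2ban's sshd filter.
# The log content below is constructed for the demo, not a real capture.

SAMPLE_LOG='Mar  1 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  1 10:00:03 host sshd[1001]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  1 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  1 10:00:07 host sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 51241 ssh2
Mar  1 10:00:09 host sshd[1004]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  1 10:00:11 host sshd[1005]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  1 10:00:15 host sshd[1006]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
Mar  1 10:00:20 host sshd[1007]: Failed password for bob from 192.0.2.33 port 22222 ssh2
Mar  1 10:00:25 host CRON[1008]: pam_unix(cron:session): session opened for user root by (uid=0)'

# Total number of failed sshd attempts read from stdin (the post's grep | wc -l as a function).
# tr strips the padding some wc implementations print.
count_failed() {
    grep 'sshd.*Failed' | wc -l | tr -d ' '
}

# Failures per source IP, read from stdin; prints "count ip" lines, highest first.
# The sed expression pulls the address between " from " and " port ".
failures_per_ip() {
    grep 'sshd.*Failed' | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' | sort | uniq -c | sort -rn
}

# IPs that hit the maxretry threshold (argument, default 5 like the jail) and would be banned.
would_ban() {
    maxretry="${1:-5}"
    failures_per_ip | awk -v max="$maxretry" '$1 >= max { print $2 }'
}

# Stand-alone run: show the counts, then the address that crossed the threshold.
printf '%s\n' "$SAMPLE_LOG" | failures_per_ip
printf '%s\n' "$SAMPLE_LOG" | would_ban 5
```

In real use you would feed the functions /var/log/auth.log instead of the sample; the single failure from 198.51.100.20 followed by a successful key login shows why a threshold matters, since one typo from a legitimate user must not get them banned.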

Wrap up

fail2ban is a very useful tool. There are many more configuration options possible: for other services, for e-mail notifications, for different actions, etc.

This is just a very basic starting point.
Now go explore and stay safe.

Move hidden Window

Dear reader,
Recent events made me dig this tip up from my old days, when I was young and Windows 3.1 was the most amazing thing I had ever seen.
Ahh, the good old days!
Anyway, have you ever struggled with a window that opens outside the visible screen? Or one that sits just ever so slightly off, so that your mouse pointer just can’t grab it?
Mostly the cause is simple: different screen resolutions, removing an additional screen, going from a remote session in Full HD to a lame laptop screen… who cares.
It just happens.
Well at least now you’ll know what to do, with a few simple steps, and a working keyboard:
1. Alt-Tab to the misbehaving window;
2. Press Alt+Space;
3. Press M;
4. Press any arrow key to bring the window back to full visibility, or press one just once and then move the mouse. The window position should now follow the mouse cursor.
There you go.
No more plugging screens and rebooting or any other time wasting trickery.
Enjoy.
Bonus tip: Since Windows 7, you can do it even faster, by using the snap window function. Just select the window with Alt + tab and use Windows Key + Arrow key to snap to one of the sides.

Duplicate folder tree in Linux

Quick tip.

This can be very handy when you need to frequently create a folder structure without files (e.g. project folders or multiple versions of a development area).


Just run:

find <directory> -maxdepth n -type d -exec mkdir -p /where/you/want/{} \;


This is a quick way of doing it and can even be automated.
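As an added example (not from the original post), here is the same idea wrapped in a function you can reuse, plus a check that only directories made it across. It changes into the source directory first so that {} expands to relative paths (app/src rather than /path/to/src/app/src), uses mkdir -p so parents and re-runs are harmless, and builds a throwaway tree with mktemp to prove it; the directory names in the demo are made up.

```shell
#!/bin/sh
# Added example: clone a directory skeleton (no files) with find + mkdir -p.

# clone_tree SRC DEST [DEPTH]: recreate SRC's directories under DEST, down to DEPTH levels
# (default 10). -maxdepth comes before -type so GNU find does not warn about option order.
clone_tree() {
    src="$1"; dest="$2"; depth="${3:-10}"
    mkdir -p "$dest"
    dest="$(cd "$dest" && pwd)"   # absolute, because we cd into src below
    # {} is relative to src here ("./app/src"), so the copy mirrors src's layout exactly.
    (cd "$src" && find . -maxdepth "$depth" -type d -exec mkdir -p "$dest/{}" \;)
}

# verify_clone SRC DEST: succeed only if DEST has exactly SRC's directories and no regular files.
verify_clone() {
    src="$1"; dest="$2"
    [ -z "$(find "$dest" -type f)" ] || return 1
    expected="$(cd "$src" && find . -type d | sort)"
    actual="$(cd "$dest" && find . -type d | sort)"
    [ "$expected" = "$actual" ]
}

# demo: build a small constructed tree in a temp dir, clone it twice (full depth and depth 1),
# check both results, clean up. Returns 0 on success.
demo() {
    work="$(mktemp -d)" || return 1
    mkdir -p "$work/src/app/src/main" "$work/src/app/tests" "$work/src/docs"
    : > "$work/src/app/src/main/main.c"       # a file that must NOT end up in the copy

    clone_tree "$work/src" "$work/copy"         # full skeleton
    clone_tree "$work/src" "$work/shallow" 1    # only the first level

    rc=0
    verify_clone "$work/src" "$work/copy" || rc=1
    [ -d "$work/shallow/app" ] && [ ! -d "$work/shallow/app/src" ] || rc=1
    rm -rf "$work"
    return $rc
}

demo && echo "directory skeleton cloned and verified"
```

For day-to-day use call clone_tree with your real project directory and the target; the verify step is handy when the skeleton is part of a script that later drops files into it and you want to be sure nothing stale was carried over.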


Software installation asks for reboot even after reboot

Sometimes you’re installing software and you get an error stating that you need to reboot before installing.

So far, so good, but, occasionally you get that error again after the reboot. In that case, follow this procedure:

  1. Open Regedit
  2. Find the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
  3. Rename the "PendingFileRenameOperations" value to "PendingFileRenameOperations2"
  4. Try again.

Change last logon user

Sometimes, as a sysadmin, you need to access a workstation to do some maintenance, and you don’t want the user asking you why he has to type his username again the next day.
Well, here’s a solution.
Before shutting down the workstation, just open the registry editor and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
Edit the LastLoggedOnUser value and type the username you want to see on the next reboot.

Ctrl + Alt + Del in RDP

I’m sure this has happened before to many people. And I’m sure it will happen again.

For some reason, Explorer hangs in your RDP session and you want to open Task Manager, but you can’t press Ctrl + Alt + Del because it will open the local computer’s menu and not the RDP session’s. So how do you get there? Simple. Microsoft has another keyboard shortcut for that. Just press Ctrl + Alt + End and that’s it.

Quickly open a program in administrator mode in Windows 7

We all need to use the “Run As Administrator” option in Windows 7, Vista or Server 2008, at some point.

The obvious way is to right click and select the “Run As Administrator” option, but, there’s another way.

Use the shortcut Ctrl + Shift + Click to open any software in administrator mode.

Cleanup Windows devices

Hello reader.

We all know that Windows stores a lot of information about devices we plug in. That might lead to performance problems and even device connectivity issues.

But how do we get rid of that friend’s USB drive that we plugged in once to copy some pictures?

How about a server recently virtualized, showing you network warnings when setting up the static IP address?

Reinstall the system? No.

Here’s how:

Open a command line (use Administrator mode in Vista/7/Server 2008) and type:

set devmgr_show_nonpresent_devices=1

and then type:

devmgmt.msc

After that, just select the option “Show Hidden Devices” under the View menu.

And you can see all the devices that are no longer present on your computer.

You just have to select the device, one by one, and uninstall it.

Note: The command line should stay open during the whole process, because the variable is only set for that session and for the Device Manager you launched from it.

How to Identify missing Devices in Windows

Nowadays, Windows identifies the majority of devices, but there are always some that are harder to identify. When that happens you don’t need to get your tools out and start unscrewing.

Just open Device Manager and identify the unknown devices.

Then open the device, select the Details tab and look for the Hardware Ids property.

There you can get the Device ID and the Vendor ID, which you can look up on the PCIDatabase website (http://www.pcidatabase.com/).

The result should be something like this:

Now you can look for the device driver knowing what you’re looking for.