You are in a maze of twisty little passages, all alike...
A Month of Bans: A Cybersecurity Review
November 7, 2024 Reading time: 33 minutes
If you've ever maintained a public internet server, either as a hobby or as a job, you're no stranger to random probes and port-scans from evildoers looking for trouble. You've seen brute force attempts to log in to servers or email accounts, probes for vulnerable web services, SYN floods, spammers checking for open relays, and many other attacks. If your server is on the internet, it's a target. Many hobbyist and small business systems administrators use Fail2Ban to respond to these threats. Fail2Ban is an always-vigilant process that monitors system logs and responds to perceived attacks by temporarily blocking the attacker's IP address at the firewall level.
Fail2Ban has served me well, but I wanted to gain some additional insight into the origins and behaviors of the villains behind the attacks. During the month of October, I used a custom Fail2Ban script to collect geolocation and other data about each IP address that Fail2Ban identified as malicious on three hosts, including 2 web servers and a mail server. Here are the results.
Read more
A 3-2-1(-1-0) Backup Plan for Your Synology NAS
November 3, 2024 Reading time: 43 minutes
It’s late at night and Raul is frantic. He’s desperately searching for an important electronic document he needs for work. He knows it’s on his NAS somewhere, but he can’t remember where he saved it. His frown deepens as he opens folder after folder, not finding what he needs. Then his blood runs cold as he remembers deleting a swath of “unneeded” files last week as part of his annual Spring cleaning. And he has no recent backup. He’d been meaning to back up his NAS, but he kept telling himself he’d do it later.
Raul wakes in a cold sweat. It was all a bad dream. Whew! To reassure himself, and vowing to back up his data right now, Raul gets up and boots his computer. But he realizes all is not well as the computer finishes booting:
Read more
I Won 9.8 Million Dollars from PCH?
October 15, 2024 Reading time: 17 minutes
I don't live in the US, but I do have a US-based phone number for business. The number gets a never-ending stream of spam SMS (text messages) from area codes far and wide warning me about cash due on packages I never ordered, inviting me to "spicy parties," and alerting me that members of my HOTLIST (whatever that is) are active now. Occasionally I'll get a call from a number I don't recognize and I just let it go to voice mail. Recently, I learned just how lucky I am when I got this message:
"Hello. My name is "David Green" and I'm calling from the Publishers Clearing House in regards to you being the second place lucky winner. Of 9.8 million dollars. Please give me a call back at 810-204-8927. Thank you."
Read more
Updating nftables with DDNS
October 9, 2024 Reading time: 18 minutes
Hobbyist admins and home-labbers sometimes want to make services on a remote host available to machines on a home network. Unfortunately, many residential ISP customers are stuck with dynamic IP addresses, even when they're not behind a CGNAT. This makes securing the remote host difficult. You'd like to configure the remote firewall to allow traffic only from friendly IP addresses, but if one or more of your addresses might change at any time, what can you do? One option is to buy a fixed IP address from your ISP, but that can be costly.
This article describes how you can configure a remote server using nftables to automatically update its firewall rules so that dynamic IP traffic is allowed with minimal downtime when the IP address changes. The solution requires making a small change to your nftables configuration and a short script that runs periodically as a cron job.
Read more
Fail2Ban Demystified: Custom Fail2Ban Actions
October 1, 2024 Reading time: 33 minutes
Fail2Ban is a powerful security tool that bridges your public-facing network services (ssh, mail server, web server, etc.) and your firewall. The Fail2Ban daemon constantly monitors your server logs, looking for troublemakers. When an intruder or suspicious activity is detected, it takes action! By default, Fail2Ban writes a temporary firewall rule that blocks the offender’s IP address on selected ports for a short period of time.
The real power in Fail2Ban, though, lies in its customizability. Using custom action scripts, admins can configure how Fail2Ban responds to threats, extending its abilities far beyond simply interfacing with the firewall. For example, you can define actions that will send an email or notification, write to a log file or database, invoke a web API, react differently in different contexts, and so on. The possibilities are unlimited!
This article explains how actions in Fail2Ban are defined and customized so that you can get the most out of Fail2Ban.
Read morePostfix Demystified: Incoming Mail Restrictions
September 24, 2024 Reading time: 40 minutes
There was a time in the early days of the internet when spam, phishing, CEO impersonation, email trojans, and other forms of email abuse were not a thing. Mail servers would happily accept mail from any domain and forward it along to any other domain with no worry of being an unwitting accomplice in evildoing. Alas, those blissful days are long gone and, today, a mail server’s incoming mail policy is a critical early line of defense against these threats.
In this article, you will learn how to configure Postfix to enforce a simple mail acceptance policy for your domain(s). Your policy is determined by the role(s) your server will play (relay, destination, send-only, etc.), where your users typically connect from, and your tolerance for spam and misbehaving mail clients, among other considerations.
Read more
The door opens, and nineteen demons, each a cross between a carrot and a sledge hammer, march out from behind it, knock you senseless, and return, the last closing the door behind it.