In part 1 of this tutorial we looked at installing fail2ban and configuring some of the default jails. In this second part we shall look at some further jails, and configure filters and jails for applications not covered by the default installation.
Category: Security
Using a Yubikey for 2-factor authentication
For those of you who have not yet encountered a Yubikey, it is a physically small security key that enables passwordless or 2-factor authentication in a number of different scenarios. They now support a huge number of protocols including One Time Passwords, NFC, FIDO2, U2F, Smart card, and OpenPGP.
Mine has been living on my keyring for several years now, and has proved invaluable for me accessing both my physical and electronic world.
Configuring fail2ban on Debian – Part 1
If you are administering a Linux server on a publicly accessible IP address then you have no doubt already noticed your log files filling up with repeated failed login attempts against all common protocols. While it may be possible to protect services to some extent with firewalls, nothing is going to protect you from weak password policies and software vulnerabilities.
There is, however, a great Open Source product that can do away with some of the noise and frustrate the spammers; fail2ban.
UFW Cheat Sheet
Since the introduction by Ubuntu of UFW (Uncomplicated FireWall) back in 2008 it has been my tool of choice for simple firewall configuration. Whilst it may lack the depth and sophistication of an enterprise level product, its simplicity makes it straight-forward and quick to secure servers in simple use-cases.
Securing nginx with Letsencrypt
For several years now users have been taught to look for the green padlock in the address bar to ensure the site they are using is secure. But certificates are expensive due to the efforts that go into proving your identity.
Letsencrypt are trying to help secure the web by issuing short term (90 day) certificates to users who can demonstrate through a simple challenge and response that they are in control of a host.
Postfix and DKIM
openDKIM and Postfix on Ubuntu Server 12.04LTS
You probably found this post because you already know what DKIM is and want to implement it, but for those of you who need more information Wikipedia has a good entry on the subject;
This little walkthrough has been based upon an Ubuntu 12.04LTS server with Postfix; your mileage may vary depending on your setup. At a minimum you will need:
- Root access to your mail server
- Access to update the dns records for your domain
Firstly, install opendkim from the repositories. There is some good information available there too.
sudo apt-get install opendkim
You must decide on what “selector” you wish to use. The selector is essentially a word to describe the key you wish to use. Here I am going to use the selector 201204 as the key became valid in April 2012 (cunning eh?). Obviously, my domain will be brabeum.com.
Setup
So onward. Generate the keys in your home directory, using your chosen selector and domain.
opendkim-genkey -s 201204 -d brabeum.com
This will create two files, 201204.txt and 201204.private containing the public and private keys respectively. You must publish the content of the public key to your authoritative DNS server. Three things to note;
- openDKIM 2.5.2 on Ubuntu omits the k= after v=DKIM1;
- you should add the t=y flag to indicate to receiving servers that you are testing DKIM but not actively using it yet.
- You should use a short TTL (time to live) so that you can change the key without waiting ages for it to propagate through DNS.
DNS implementations vary, but you should end up with an entry something like this (I’ve shortened the key because of line breaks);
201204._domainkey IN TXT "v=DKIM1; k=rsa; t=y; p=MIGfM..[snip]..QIDAQAB"
Remember to reload your DNS configuration after addition.
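As an added example (not part of the original walkthrough), the POSIX shell functions below lint a DKIM TXT value for the k= and t=y points from the list above, and also flag an empty p=, which verifiers treat as a revoked key. The function names dkim_tag and dkim_lint and the sample record are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the TXT value published at <selector>._domainkey.<domain>.
# dkim_tag and dkim_lint are illustrative names, not part of openDKIM.

# dkim_tag RECORD TAG -> print the value of TAG, or nothing if it is absent
dkim_tag() {
    printf '%s\n' "$1" | tr ';' '\n' | while IFS= read -r pair; do
        # Drop spaces, tabs and zone-file quotes; whitespace is allowed
        # around tags and inside the base64 p= value.
        pair=$(printf '%s' "$pair" | tr -d ' \t"')
        case "$pair" in
            "$2="*) printf '%s\n' "${pair#*=}"; break ;;
        esac
    done
}

# dkim_lint RECORD -> print one finding per line; no output means clean
dkim_lint() {
    v=$(dkim_tag "$1" v); k=$(dkim_tag "$1" k)
    t=$(dkim_tag "$1" t); p=$(dkim_tag "$1" p)

    # v= is optional, but if present it must be DKIM1
    [ -z "$v" ] || [ "$v" = "DKIM1" ] || echo "bad-version: v=$v"

    # k= omitted (as in the openDKIM 2.5.2 output): verifiers assume rsa
    [ -n "$k" ] || echo "k-omitted: add k=rsa to be explicit"

    # t= holds colon-separated flags; y marks the domain as testing DKIM
    case ":$t:" in
        *:y:*) echo "testing-flag: t=y still set, remove once signing works" ;;
    esac

    # A missing or empty p= leaves verifiers with no usable public key
    [ -n "$p" ] || echo "no-key: p= is missing or empty (empty means revoked)"
}

# Constructed sample: a testing-phase record with a placeholder key
SAMPLE='v=DKIM1; k=rsa; t=y; p=MIGfPLACEHOLDERKEYQIDAQAB'
dkim_lint "$SAMPLE"
```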
Now, test the key…
opendkim-testkey -d brabeum.com -s 201204 -k 201204.private -vvv
And you should get output similar to below.
opendkim-testkey: key loaded from 201204.private
opendkim-testkey: checking key '201204._domainkey.brabeum.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK
Note that opendkim is reporting that the key is not secure. This relates to the fact that DNSSEC is not implemented on my DNS server and theoretically somebody could intercept the DNS lookup and replace it with their own key.
Once we are happy with the key test, move the private key to /etc/mail
cd /etc/mail
sudo mv /home/basil/201204.private .
Set up openDKIM by editing /etc/default/opendkim with your favourite editor and add the following line to the end.
SOCKET="inet:8891@localhost"
Then edit /etc/opendkim.conf and add the following lines
Domain brabeum.com
KeyFile /etc/mail/201204.private
Selector 201204
And restart opendkim
sudo service opendkim restart
Lastly we configure postfix. Edit /etc/postfix/main.cf and add the lines to the end
smtpd_milters=inet:localhost:8891
non_smtpd_milters=inet:localhost:8891
And restart
sudo service postfix restart
Testing
So now you need to send some test messages through your newly configured postfix server. At the receiving end you should see some new headers, one of which will show similar to below (note that Google recognize it as test mode as we still have the t=y flag applied).
Once you are happy that all is well, you can remove the testing flag and increase TTL.
Done!
Securing Apache for free with SSL and StartSSL
So you have a web-server and you want to serve content by SSL? If you have found your way here, you have probably discovered that browsers such as Firefox do not make it easy to use self-signed certificates; large scary error messages do not inspire confidence in most users. But there is an easy answer – StartSSL.