Adding Cloudflare support to fail2ban

I use a few open source packages to help automate defensive responses to attacks on my server. One is fail2ban, which can be configured to monitor pretty much any system daemon that produces a log file.

I also use CloudFlare, a CDN and DNS service which, amongst its many features, provides automatic protection against malicious traffic (DDoS, SQL injection, comment spam, etc.). In addition, if IPs slip through their detection, you can add them manually to your CloudFlare blacklist. Automatically detecting those additional IPs and adding them to CloudFlare is where fail2ban comes in.

So on to my scenario: I noticed some very specific, recurring HTTP requests to my server that served no purpose other than to probe for a vulnerability or to attack it, a perfect case for creating a fail2ban “jail.” A fail2ban jail is a combination of a fail2ban filter and an action. Typically a jail is configured to block an IP at the iptables level, but I wanted the IP blocked at the CloudFlare level as well.

Setting up a fail2ban jail is pretty straightforward. The jail contains all the information that fail2ban needs to detect and act upon a matched condition. In a typical fail2ban install, you’ll find the jail.conf file, where all the jails are defined, at /etc/fail2ban/jail.conf.

Creating a new fail2ban jail

Creating a new jail is as simple as adding something like so to jail.conf:

[some-jail-name]
enabled  = true
filter   = my-filter-name
action   = iptables-allports[name=some-jail-name, protocol=tcp]
           cloudflare-blacklist
           sendmail-whois[name=some-jail-name, dest=me@example.com]
logpath  = /var/log/some/log
maxretry = 0
bantime  = 604800

This creates a fail2ban jail called “some-jail-name” that scans the log /var/log/some/log (set by “logpath”), applies the filter “my-filter-name” (set by “filter”) to that log, and acts on a match with the action(s) listed under “action”: 1) block the IP in iptables, 2) block the IP at CloudFlare, and 3) send me a notification email. (Consult the fail2ban manual on jail options to see what they all mean.)

Creating the fail2ban filter

The filter “my-filter-name” would then be defined at /etc/fail2ban/filter.d/my-filter-name.conf. Make sure to modify the failregex regex string to match what you are looking for in the log file. Be sure to consult the section on testing your filters in the fail2ban manual to confirm your filter works correctly.

[Definition]

# Option:  failregex
# Notes.:  regex to match the suspicious attempts in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = ^<HOST> -.*POST /tmp.*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
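A quick way to check a failregex offline before wiring it into a jail, as an added example (not from the post or from fail2ban itself): the code below expands the <HOST> alias exactly as the filter comments above describe and runs the filter's regex over a few constructed Apache log lines.

```python
import re

# The alias fail2ban substitutes for the <HOST> tag (quoted from the filter comments above).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex from my-filter-name.conf above, with an empty ignoreregex as in that file.
FAILREGEX = r"^<HOST> -.*POST /tmp.*$"
IGNOREREGEX = ""

def compile_rule(rule):
    """Expand <HOST> into the named group and compile the pattern."""
    return re.compile(rule.replace("<HOST>", HOST_TAG))

def matching_hosts(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Return the host captured from each line that matches failregex and is
    not excluded by ignoreregex (an empty ignoreregex excludes nothing)."""
    fail = compile_rule(failregex)
    ignore = compile_rule(ignoreregex) if ignoreregex else None
    hosts = []
    for line in lines:
        if ignore is not None and ignore.search(line):
            continue
        m = fail.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts

# Constructed Apache combined-format lines (not from the author's server); the third
# uses the IPv4-mapped IPv6 form that the (?:::f{4,6}:)? prefix is there to strip.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2011:13:05:01 -0700] "POST /tmp/x.php HTTP/1.1" 404 209 "-" "curl/7.21"',
    '198.51.100.9 - - [05/Oct/2011:13:05:02 -0700] "GET /blog/feed/ HTTP/1.0" 200 5120 "-" "Mozilla/5.0"',
    '::ffff:203.0.113.8 - - [05/Oct/2011:13:05:03 -0700] "POST /tmp/ HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.9 - - [05/Oct/2011:13:05:04 -0700] "POST /tmp/y HTTP/1.1" 404 209 "-" "-"',
]

if __name__ == "__main__":
    print(matching_hosts(SAMPLE_LOG))  # ['203.0.113.7', '203.0.113.8', '198.51.100.9']
    # An ignoreregex can carve out a host you never want banned, e.g. a monitoring box:
    print(matching_hosts(SAMPLE_LOG, ignoreregex=r"^198\.51\.100\.9 "))  # ['203.0.113.7', '203.0.113.8']
```

fail2ban ships its own checker for this, fail2ban-regex, which you can point at the real log and the filter file: fail2ban-regex /var/log/some/log /etc/fail2ban/filter.d/my-filter-name.conf.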

Creating the fail2ban action

And finally, the action “cloudflare-blacklist” is defined at /etc/fail2ban/action.d/cloudflare-blacklist.conf. It calls CloudFlare’s client API to add or remove an IP from your blacklist.

In order to configure your action properly:

  1. Go to your CloudFlare account settings page to get your API key (it should be near the bottom of the page)
  2. In the actionban and actionunban sections, replace CLOUDFLARE_API_TOKEN with your API key
  3. In the actionban and actionunban sections, replace CLOUDFLARE_LOGIN with your CloudFlare login email

# Fail2Ban configuration file
#
# Author: Norman Yee
#
# $Revision$
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = curl -s "https://www.cloudflare.com/api.html?a=ban&key=<ip>&u=CLOUDFLARE_LOGIN&tkn=CLOUDFLARE_API_TOKEN"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = curl -s "https://www.cloudflare.com/api.html?a=nul&key=<ip>&u=CLOUDFLARE_LOGIN&tkn=CLOUDFLARE_API_TOKEN"

Once you have the jail, filter, and action set up and configured in fail2ban, you should be all set, with an additional layer of security courtesy of CloudFlare!

Xcode freezing up or hanging, using 100% CPU for no apparent reason?

If you have an iOS 5 device configured to use iOS 5's new WiFi sync feature, and you’re experiencing high CPU usage when using Xcode or Xcode becomes non-responsive (e.g. Xcode gets pegged at 100% or higher for no apparent reason on an otherwise idle machine), disable WiFi sync. Once I disabled WiFi sync, the high CPU usage went away. I’m guessing that perhaps my older version of Xcode (3.2.6) is trying to sync with the device over WiFi but doesn’t quite know how to do that.

CloudFlare, Apache, WordPress and IP address logging

If, like me, you use the very useful CloudFlare service to speed up and protect your site(s), you may have noticed that since switching to CloudFlare your access logs seem to show a ton of visits from a very narrow range of IP addresses. This is because CloudFlare acts as a reverse proxy, and the IPs you are seeing belong to CloudFlare’s network.

This is a bit sucky for analytics, since those IPs are not those of the actual visitors to your site(s). The original IP is still present in the HTTP request headers when CloudFlare is enabled, though, and a request looks something like this sample request header:

GET /blog/feed/ HTTP/1.0
Host: www.normyee.net
Accept-Encoding: gzip
CF-Connecting-IP: 66.249.71.111
CF-IPCountry: US
X-Forwarded-For: 66.249.71.111
Connection: close
Set-Keepalive: 0
Accept: */*
From: googlebot(at)googlebot.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

CloudFlare inserts a CF-Connecting-IP header containing the original requester’s IP. In this case, the IP 66.249.71.111 is Google’s web crawler paying me a visit, although the request was logged as coming from 199.27.128.71 — one of CloudFlare’s IPs. We of course want the original IP logged, not CloudFlare’s. Fortunately there are quick solutions for both Apache and WordPress.

For Apache, CloudFlare provides an Apache module, mod_cloudflare, which you’ll need to compile from source for your system. You can get more info and instructions here and view the source on GitHub here (it’s linked from the previous link as well). It’s pretty straightforward, assuming you have shell access and the ability to run apxs (the APache eXtenSion tool).

For WordPress, you can simply download the CloudFlare WordPress plugin from wordpress.org to get the correct IPs back in WordPress. CloudFlare has a wiki page for the plugin as well, but the WordPress.org plugin page has all the info you need.
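The catch with CF-Connecting-IP is that it is just a request header: it only means something when the TCP peer really is a CloudFlare proxy, and the same applies to the fail2ban jail above, since a ban keyed on the raw peer address would land on CloudFlare's own IP. The following is an added example, not the author's code or mod_cloudflare, showing the trusted-proxy check with a constructed proxy range standing in for CloudFlare's published list.

```python
import ipaddress

# Constructed stand-in for the proxy IP list; the /21 covers the 199.27.128.71 address
# quoted in the post. In production, load CloudFlare's published ranges instead.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("199.27.128.0/21", "2400:cb00::/32")]

def real_client_ip(peer_ip, headers, proxy_ranges=PROXY_RANGES):
    """Return the address to log (and to hand to fail2ban): CF-Connecting-IP when the
    TCP peer is a known proxy, otherwise the peer itself. A request that reaches the
    origin directly can carry any header value, so that value is never trusted."""
    peer = ipaddress.ip_address(peer_ip)
    forwarded = headers.get("CF-Connecting-IP", "").strip()
    if forwarded and any(peer in net for net in proxy_ranges):
        try:
            return str(ipaddress.ip_address(forwarded))
        except ValueError:
            pass  # malformed header value: fall back to the peer address
    return str(peer)

def parse_request_head(raw):
    """Split a raw request head into (request line, {header: value})."""
    request_line, *header_lines = raw.strip().splitlines()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return request_line, headers

def log_prefix(peer_ip, raw):
    """Start of a combined-format log line using the restored address, which is the
    field a fail2ban failregex of the form '^<HOST> -' captures."""
    request_line, headers = parse_request_head(raw)
    return f'{real_client_ip(peer_ip, headers)} - - "{request_line}"'

# The request head quoted in the post (abridged), used here as sample input.
SAMPLE_REQUEST = """GET /blog/feed/ HTTP/1.0
Host: www.normyee.net
CF-Connecting-IP: 66.249.71.111
CF-IPCountry: US
X-Forwarded-For: 66.249.71.111
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
"""

if __name__ == "__main__":
    print(log_prefix("199.27.128.71", SAMPLE_REQUEST))  # via the proxy: 66.249.71.111 - - "GET ..."
    print(log_prefix("203.0.113.5", SAMPLE_REQUEST))    # direct hit: header ignored, 203.0.113.5 - - ...
```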

Xcode 3.2.5 Organizer hangs while importing iOS 5 debug symbols

I installed the iOS 5 GM seed onto my iPhone 4 and, as usual, fired up Xcode and went to the Organizer window so that it could download the debug symbols for the newest iOS from my device onto my Mac. This usually takes 15 minutes or so, but this time Xcode just hung, with the Organizer indicating that it was waiting for another symbol copy process to complete first.


After some investigating, I got the symbols downloaded and all was good again. Following is a summary of the issues I ran into and their solutions:

1) The “waiting on other symbol copying…” message in the Xcode Organizer.

I’m not sure what happened for me to have more than one symbol import going on, but I believe the message was triggered by the existence of a “.copying_lock” file in the directory of the iOS version that Xcode was importing symbols for.

The symbols are all stored under /Developer/Platforms/iPhoneOS.platform/DeviceSupport, and that directory looks something like this:

total 24
drwxrwxr-x  5 root  admin  170 Mar 14  2011 3.0
lrwxr-xr-x  1 root  admin    3 Mar 14  2011 3.0.1 -> 3.0
drwxrwxr-x  5 root  admin  170 Mar 14  2011 3.1
lrwxr-xr-x  1 root  admin    3 Mar 14  2011 3.1.1 -> 3.1
drwxrwxr-x  5 root  admin  170 Mar 14  2011 3.1.2
drwxrwxr-x  5 root  admin  170 Mar 14  2011 3.1.3
drwxrwxr-x  5 root  admin  170 Mar 14  2011 3.2
drwxrwxr-x  5 root  admin  170 Mar 14  2011 3.2.1
drwxrwxr-x  5 root  admin  170 Mar 14  2011 3.2.2
drwxrwxr-x  5 root  admin  170 Mar 14  2011 4.0
drwxrwxr-x  5 root  admin  170 Mar 14  2011 4.0.1
drwxrwxr-x  5 root  admin  170 Mar 14  2011 4.0.2
drwxrwxr-x  5 root  admin  170 Mar 14  2011 4.1
drwxrwxr-x  5 root  admin  170 Mar 14  2011 4.2 (8C134)
drwxr-xr-x  3 root  admin  102 Aug 15 11:16 4.2.1 (8C148)
drwxr-xr-x  4 root  admin  136 Mar 14  2011 4.3 (8F190)
drwxr-xr-x  3 root  admin  102 Mar 28  2011 4.3.1 (8G4)
drwxr-xr-x  3 root  admin  102 Apr 20 15:24 4.3.2 (8H7)
drwxr-xr-x  3 root  admin  102 Jul 25 13:55 4.3.4 (8K2)
drwxr-xr-x  3 root  admin  102 Aug  8 11:14 4.3.5 (8L1)
drwxr-xr-x  3 root  admin  102 Oct  5 13:05 5.0 (9A334)
lrwxr-xr-x  1 root  admin   11 Mar 14  2011 Latest -> 4.2 (8C134)

In my case, I was trying to import iOS 5 symbols, and the contents of the 5.0 (9A334) directory were:

$ ls -la 5.0\ \(9A334\)/
total 0
drwxr-xr-x   3 root  admin  102 Oct  5 11:14 .
drwxrwxr-x  24 root  admin  816 Oct  5 11:14 ..
-rw-r--r--   1 root  admin    0 Oct  5 11:14 .copying_lock

Solution

  1. Quit Xcode.
  2. Delete the /Developer/Platforms/iPhoneOS.platform/DeviceSupport/5.0 (9A334) directory.
  3. Restart Xcode to start the symbol import again. The “Waiting” message should no longer appear when you import the symbols.

2) The symbol import progress bar in the Xcode Organizer sits at 0% progress

After fixing #1, I tried the symbol import again and no longer got the “waiting” message, but the progress bar in the Organizer stayed stuck at 0% for several minutes, which is not normal. Looking at my running processes, I found two copies of DTDKSymbolHelper running, one idle and one consuming 90% CPU. I ended up killing both, quitting Xcode and trying once again, and the symbols finally imported correctly.

Note that when you try to quit Xcode during the symbol import process, you’ll get a warning along the lines of leaving your iPhone in some busted intermediate state (or something along those lines). I just ignored it and things progressed fine — if you are experiencing the same symptoms that I did, you should be able to quit without issues.

More robust Postfix anti-spam configuration

My last post included an updated Postfix main.cf that was better at blocking spam while minimizing false positives through the use of DNS whitelists (DNSWLs), but after a few days it was still letting in more spam than I wanted. I did some additional tweaking, and the following seems to work better while still preventing false positives.

The main changes included specifying the following additional Postfix restrictions:

  • smtpd_sender_restrictions
  • smtpd_helo_restrictions
  • smtpd_data_restrictions

smtpd_helo_restrictions =
	reject_unknown_helo_hostname

smtpd_data_restrictions =
	reject_unauth_pipelining

smtpd_client_restrictions =
	permit_dnswl_client list.dnswl.org,
	reject_rbl_client b.barracudacentral.org,
	reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,

smtpd_sender_restrictions =
	reject_unknown_sender_domain,
	reject_unknown_address,
	reject_rhsbl_sender dsn.rfc-ignorant.org,
	reject_rhsbl_reverse_client dbl.spamhaus.org,
	reject_rbl_client b.barracudacentral.org,

smtpd_recipient_restrictions =
	permit_mynetworks,
	reject_invalid_hostname,
	reject_non_fqdn_sender,
	reject_non_fqdn_recipient,
	reject_unknown_sender_domain,
	reject_unknown_recipient_domain,
	reject_unauth_destination,
	permit_dnswl_client list.dnswl.org,

	reject_rhsbl_reverse_client dbl.spamhaus.org,
	reject_rhsbl_sender dbl.spamhaus.org,
	reject_rhsbl_client dbl.spamhaus.org,
	reject_rhsbl_sender fresh15.spameatingmonkey.net,
	reject_rhsbl_client fresh15.spameatingmonkey.net,
	reject_rhsbl_sender uribl.spameatingmonkey.net,
	reject_rhsbl_client uribl.spameatingmonkey.net,
	reject_rhsbl_sender urired.spameatingmonkey.net,
	reject_rhsbl_client urired.spameatingmonkey.net,
	reject_rhsbl_client hostkarma.junkemailfilter.com=127.0.0.2,

	reject_rbl_client b.barracudacentral.org,
	reject_rbl_client zen.spamhaus.org,
	reject_rbl_client bl.spameatingmonkey.net,
	reject_rbl_client bl.spamcop.net,
	reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
	reject_rbl_client dnsbl.njabl.org,
	reject_rbl_client bl.tiopan.com,
	reject_rbl_client spamsources.fabel.dk,
	reject_rbl_client truncate.gbudb.net,
	reject_rbl_client ubl.unsubscore.com,
	reject_rbl_client aspews.ext.sorbs.net,
	reject_rbl_client dnsbl.sorbs.net,
	reject_rbl_client backscatter.spameatingmonkey.net,
	reject_rbl_client bl.spameatingmonkey.net,

	permit
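Restriction lists are evaluated top to bottom and the first entry that returns a verdict wins, which is why permit_dnswl_client sits above the reject_rbl_client lines in the configuration above and why the =127.0.0.2 suffix restricts the hostkarma entries to one specific return code. The following is an added example, not part of the post, that models that evaluation in Python over a constructed set of DNSBL answers instead of live DNS.

```python
import ipaddress

# Constructed DNS answers standing in for live DNSBL/DNSWL lookups: zone -> {query name: A record}.
FAKE_DNS = {
    "list.dnswl.org": {"9.100.51.198.list.dnswl.org": "127.0.10.2"},
    "b.barracudacentral.org": {"7.113.0.203.b.barracudacentral.org": "127.0.0.2",
                               "9.100.51.198.b.barracudacentral.org": "127.0.0.2"},
    "hostkarma.junkemailfilter.com": {"9.100.51.198.hostkarma.junkemailfilter.com": "127.0.0.1",
                                      "8.113.0.203.hostkarma.junkemailfilter.com": "127.0.0.2"},
}

def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone, as Postfix does for reject_rbl_client."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def lookup(ip, zone):
    return FAKE_DNS.get(zone, {}).get(dnsbl_name(ip, zone))

def evaluate(client_ip, restrictions, mynetworks=("127.0.0.0/8",)):
    """Walk a restriction list as written in main.cf; the first entry that yields a verdict
    decides. Returns (verdict, entry), or ("DUNNO", None) when the list runs out."""
    addr = ipaddress.ip_address(client_ip)
    for entry in restrictions:
        if entry == "permit":
            return "PERMIT", entry
        if entry == "permit_mynetworks":
            if any(addr in ipaddress.ip_network(n) for n in mynetworks):
                return "PERMIT", entry
        elif entry.startswith(("permit_dnswl_client ", "reject_rbl_client ")):
            verb, target = entry.split(None, 1)
            zone, _, wanted = target.partition("=")  # "zone=127.0.0.2": only that code counts
            answer = lookup(client_ip, zone)
            if answer and (not wanted or answer == wanted):
                return ("PERMIT" if verb.startswith("permit") else "REJECT"), entry
        # reject_unauth_destination and friends need envelope data and are outside this model
    return "DUNNO", None

# The client-based entries from the smtpd_recipient_restrictions above, in the post's order.
RECIPIENT_RESTRICTIONS = [
    "permit_mynetworks",
    "permit_dnswl_client list.dnswl.org",
    "reject_rbl_client b.barracudacentral.org",
    "reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2",
    "permit",
]

if __name__ == "__main__":
    print(evaluate("198.51.100.9", RECIPIENT_RESTRICTIONS))  # whitelisted before the RBLs run
    print(evaluate("198.51.100.9", RECIPIENT_RESTRICTIONS[2:3] + RECIPIENT_RESTRICTIONS[1:2]))  # RBL first: rejected
```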