Installing a home server - any advice?

Sorry for the confusion…

Ubuntu 22.04 is less restrictive - by default - it allows 5 attempts before banning, on Stretch it’s 3 - and once I got it working on Bookworm - also 3…

Of my steps - to get it working on Bookworm :

Copied the default conf (exactly the same as what @Rosika did). My only jail is called “sshd”.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then I had to run fail2ban-client to get it to work.
sudo fail2ban-client -vv start

Then I restarted fail2ban (systemd daemon) and it worked.
sudo systemctl start fail2ban

I tested banning my IP address on both the Pi4 running bunty 22, and Pi5 running bookworm… allows 5 failed attempts on bunty, and 3 failed attempts on bookworm, before banning… easy enough to unban :
sudo fail2ban-client set sshd unbanip x.x.x.x

4 Likes

Hi Dan,
Thank you very much for your reply.
I’m going to try again to install fail2ban, because I literally fell asleep on the keyboard when I was writing posts here on the forum.

To all users: I hope you understand my posts from last night. I have to revise what I wrote…

Thank you all

Jorge

3 Likes

Hi László, :wave:

thanks a lot for your reply. :heart:

Yes, you´re right, of course:

filter   = sshd

Thanks for pointing it out, László.
You really took advantage of the fact you´re able to name it anything you like. :laughing:

I appreciate your providing the config. Thanks a lot.

It makes me wonder.
The settings which I took over from jail.conf came this way as per default:

# [sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
# mode   = normal
# port    = ssh
# logpath = %(sshd_log)s
# backend = %(sshd_backend)s

O.K., I have to uncomment the entries to make them work, but there was no filter = provided.

Can/should I add it manually :question:
Will it work this way?

Thanks again and many greetings from Rosika :slightly_smiling_face:

4 Likes

I think the name of the section is used as default for the filter, so no need to do that.
In other words, if you name a jail [abcde] and there’s a filter named the same, you don’t need to specify it. If you name the jail that way, but use a differently named filter, then do specify it.
My configs are historically based :slight_smile:
I mean, once I got something to work the way I like it, I like to keep that config, and upon updating, I better look for the needed modification to keep my original config, than start over from scratch.
Probably this is why I have a jail named [ssh] rather than [sshd], but I cannot really remember…

See maxretry = magic_number
:wink:

Anyway, I did not have to fiddle with fail2ban-client to start it, it just started.
I tried it on 2 different (desktop like) computers which never had fail2ban installed before.
It’s true, I did try both times on amd64 computers, the need to do that magical first time startup maybe something specific with the RPi port.

3 Likes

Hi László, :wave:

thanks for your feedback.

I see. Well, that´s good to know.

That´s a great approach, László, and it makes a lot of sense. :+1:

Now that I´ve got fail2ban running the way I like in my Archlinux vm I think I can move on to installing it on my main system Linux Lite.
After all, this is the one I´d like to harden to a certain extent. :wink:

Thanks a lot for your kind help.

Many greetings from Rosika :slightly_smiling_face:

2 Likes

Hi again, :wave:

I was just in the middle of collecting some information regarding the installation of fail2ban on my Linux Lite system.

Until now fail2ban is running fine on my Archlinux vm, but the scenario is different there.
On Archlinux there´s no firewall installed and running, at least not with me.
But iptables is present, and that´s a good thing.

Before installing and configuring fail2ban on Linux Lite (which has firewalld up and running), I checked for any possible compatibility issues.

I found something here, which seems a bit disheartening: :neutral_face:

Fail2ban works with iptables by default.
[…]
You can configure your fail2ban instance to specify which banning action it would use, thereby native net-filters are recommended (so firewalld is not advisable).
[…]
there is little to no information on using firewalld with fail2ban and related configuration issues.

(bold by me)

I´m a bit confused now.
It seems fail2ban and firewalld should NOT be used together on the same system :question:

Hmm, I wonder what to do… :thinking: .

Cheers from Rosika :slightly_smiling_face:

2 Likes

Hi again, :wave:

doing some more research on the matter seems to get me even more confused. :confused:

Here I saw the topic “How to Install Fail2ban with Firewalld on Rocky Linux 8” is discussed.

Apparently running fail2ban and systemd isn´t mutually exclusive after all. :thinking:

Fail2Ban will automatically block the IP address using the iptables of Firewalld

and…
(tutorial):

  • First, rename the Firewalld configuration file for Fail2Ban using the following command:
    mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
  • Next, edit the jail.local file:

Here comes the crucial part:

Find the following lines:

banaction = iptables-multiport
banaction_allports = iptables-allports

And replace them with the following lines:

banaction = firewallcmd-rich-rules[actiontype=]
banaction_allports = firewallcmd-rich-rules[actiontype=]

Save and close the file, then restart the Fail2Ban to apply the changes:
systemctl restart fail2ban

The rest should be clear, I think:

Find the [sshd] section and enable it by adding the following lines:

[sshd]

enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
bantime = 10m
findtime = 10m
maxretry = 5

systemctl restart fail2ban

O.K, according to this tutorial fail2ban should work well together with a running firewall, firewalld in my case.

What should I believe now :question:
Issue or no issue?

@kovacslt:

How´s the situation with your machine, if I may ask?
Do you have a firewall running along with fail2ban :question:

Many thanks in advance …
… and cheers from Rosika :slightly_smiling_face:

P.S.:

Hi all, :wave:

Update:

In the meantime I discussed the “problem” with ChatGPT.
Seems running fail2ban together with firewalld should be no issue at all.

Atlantic Tutorial:

  • This tutorial provides instructions for configuring Fail2ban to work with firewalld on Rocky Linux 8. It suggests renaming the Fail2ban configuration file for firewalld and modifying the banaction settings in the Fail2ban configuration to use firewallcmd-rich-rules.
  • The tutorial demonstrates that it’s possible to use Fail2ban alongside firewalld by making the appropriate configuration changes.

In summary, while there might be some ambiguity or lack of documentation regarding using Fail2ban with firewalld, it is indeed possible to configure them to work together effectively. The Atlantic tutorial demonstrates one approach to achieve this on Rocky Linux 8.

You can proceed with configuring Fail2ban to work alongside firewalld on your Linux Lite 6.2 system. Follow the steps provided in the tutorial, adapt them as necessary for your distribution, and test to ensure that Fail2ban is effectively banning malicious IP addresses while working alongside firewalld.

These were the relevant steps:

1a.)

sudo apt update
sudo apt install fail2ban

1b.)

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

2.)

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

3.)

sudo nano /etc/fail2ban/jail.local

Here:

4.)

Find the [sshd] section and ensure that it is enabled and configured as follows:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
bantime = 10m
findtime = 10m
maxretry = 5

5.)

Find the following lines:

banaction = iptables-multiport
banaction_allports = iptables-all

and replace them with the following lines:

banaction = firewallcmd-ipset
banaction_allports = firewallcmd-ipset

6.)

sudo systemctl restart fail2ban
sudo systemctl restart firewalld

O.K., everything appears to be working alright:

rosika@rosika-Lenovo-H520e ~> systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor pres>
     Active: active (running) since Wed 2024-04-24 15:37:26 CEST; 20s ago
       Docs: man:fail2ban(1)
   Main PID: 29361 (fail2ban-server)
      Tasks: 5 (limit: 4431)
     Memory: 12.2M
        CPU: 197ms
     CGroup: /system.slice/fail2ban.service
             └─29361 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Apr 24 15:37:26 rosika-Lenovo-H520e systemd[1]: Started Fail2Ban Service.
Apr 24 15:37:26 rosika-Lenovo-H520e fail2ban-server[29361]: Server ready
rosika@rosika-Lenovo-H520e ~> sudo fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd
rosika@rosika-Lenovo-H520e ~> sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:

Many greetings to all of you.
Rosika :slightly_smiling_face:

4 Likes

Well, the Mini PC arrived last week, but it’s much better than my wife’s old PC and I decided she should have the Mini PC.
It wasn’t fair to have a PC just to “play” with as a server, better than one that is used daily.

Last week I installed everything necessary for my wife to use on a day-to-day basis, with Windows 11, but she agreed to test Thunderbird and OnlyOffice instead of Microsoft Office and Outlook, which is what she has always used.
I hope that in the next installation she’ll agree to try Linux Mint… But, quite frankly, I no longer have the patience to install and configure Windows (it was already installed), but during the updates, it gave an error and from then on it was like a black desktop all the time. I couldn’t even get it to work properly in recovery mode and had to reinstall it again.

It’s been running test after test without any problems or slowdowns, and now I can touch her old PC to run tests.
I’m going to test this old PC to see if it consumes less power than the old PC I was using to test the server, but this time I’m going to test it with Debian.
I took two steps back again, but it was for a good cause.

I’ll keep you posted on the server installation

Jorge

6 Likes

Great decision.

4 Likes

I was quite a bit busy recently, but looking at your solution which you found yourself, looks the right one. Namely, instruct (configure) fail2ban to use firewalld instead of iptables.

3 Likes

It’s time to place another order for a mini PC that’s going to be your server :wink:

An energy-wasting old PC cannot be your server! :smiley:

4 Likes

Hi László, :wave:

thanks a lot for your feedback and evaluation. :heart:
It´s highly appreciated.

Have a nice day and many greetings from Rosika :slightly_smiling_face:

3 Likes

Hi László,
Once again, you’re right.
At the moment, I’ll have to use the old PC as a server. When it’s possible again, I’ll order one for myself :wink:

Jorge

5 Likes

PIECE OF SHIT!

I can’t get it to work this time around! Doh!

And I really can’t be arsed trying to figure it - WHY would you make something that used to work well, “out of the box” now completely broken “out of the box”?

I’ve disabled SSH (to the Pi5 running bookworm) from outside now because of this… I don’t need it…


Found the answer here :

/etc/fail2ban/jail.local :

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
# backend = %(sshd_backend)s
backend=systemd
enabled=true

Commented “backend = %(sshd_backend)s” and uncommented “enabled=true” and then :

╭─x@frambo ~  
╰─➤ sudo fail2ban-client -vv start

╭─x@frambo ~  
╰─➤ sudo systemctl restart fail2ban

╭─x@frambo ~  
╰─➤  sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Wed 2024-09-11 12:22:33 AWST; 7min ago
       Docs: man:fail2ban(1)
   Main PID: 1401 (fail2ban-server)
      Tasks: 0 (limit: 9259)
        CPU: 81ms
     CGroup: /system.slice/fail2ban.service
             ‣ 1401 /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.>

Sep 11 12:22:33 frambo systemd[1]: Started fail2ban.service - Fail2Ban Service.
Sep 11 12:22:33 frambo fail2ban-server[1415]: 2024-09-11 12:22:33,666 fail2ban                [1415]: ERROR   Server already running
Sep 11 12:22:33 frambo fail2ban-server[1415]: 2024-09-11 12:22:33,666 fail2ban                [1415]: ERROR   Async configuration of serve

So enabling my NAT rule (doesn’t listen on port 22!).

2 Likes
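
Added example, not part of any post in this thread: a small Python audit of a jail.local that applies three points raised above (the jail name doubles as the default filter name, an iptables banaction needs replacing when firewalld is running, and a jail that reads a log file which does not exist needs `backend = systemd`). The function name, its parameters and the sample config are constructed for illustration.

```python
import configparser

# Constructed sample: [ssh] needs an explicit filter and reads a log file.
SAMPLE = """
[DEFAULT]
banaction = iptables-multiport
maxretry = 5

[sshd]
enabled = true
backend = systemd

[ssh]
enabled = true
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[nginx-http-auth]
port = http,https
"""

def audit_jails(text, firewalld_active, existing_logs=()):
    """Return {jail: effective settings and warnings} for each enabled jail."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %(...)s literal
    cp.read_string(text)
    report = {}
    for name in cp.sections():  # [DEFAULT] is inherited, not listed
        jail = cp[name]
        if not jail.getboolean("enabled", fallback=False):
            continue  # skip jails that are not enabled
        backend = jail.get("backend", "auto").strip()
        logpath = jail.get("logpath", "").strip()
        banaction = jail.get("banaction", "").strip()
        warnings = []
        if firewalld_active and banaction.startswith("iptables"):
            warnings.append("firewalld is active: use a firewallcmd-* banaction")
        if (backend != "systemd" and logpath.startswith("/")
                and logpath not in existing_logs):
            warnings.append(f"{logpath} is missing: try backend = systemd")
        report[name] = {
            "filter": jail.get("filter", name).strip(),  # defaults to jail name
            "backend": backend,
            "maxretry": jail.get("maxretry"),  # falls back to [DEFAULT]
            "banaction": banaction,
            "warnings": warnings,
        }
    return report

if __name__ == "__main__":
    print(audit_jails(SAMPLE, firewalld_active=True))
```

On a real host, pass the log paths that actually exist as `existing_logs`; values such as `%(sshd_log)s` are left unexpanded and are not checked.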

My goal in setting up a server was simply to get it working. I took the minimalist approach. You don’t need to install Ubuntu Server, ordinary Ubuntu works fine. Install OpenSSH, configure it to use public key/private key authentication, and you will have it working.
https://ubuntu.com/server/docs/openssh-server

For many years I left the SSH port as 22, the default. I was getting login attempts at a rate of about one per minute, around the clock, for 10 years. Literally millions of tries. Not one ever got into my system. I changed to a non-standard port and the attempts dropped to two or three per day. None of them got in either.

The only firewall I use is the default one in the router. No fail2ban, no tar-pits.

Yes, a mini computer that draws just a few watts is a great idea. I finally switched to one in June.

4 Likes

I just noticed - fail2ban hasn’t logged a SINGLE attempt on the Pi5 in 3-4 days…

I’m forwarding two different 4 digit TCP ports to either the Pi4 or Pi5 on my LAN (it’s port number dependent).

The Pi4 had lots of fail2ban log entries from even this morning…

I’ve changed the NAT rule for the Pi4 to a different port…

I also have root account disabled on BOTH - so they can dictionary attack as much as they like but will never get in as “root”…

4 Likes

Hi Don Karon,
Thank you for your information.
My Mini PC has arrived and this time I’ve installed Debian instead of Ubuntu Server, but I haven’t had time to do more yet.
I haven’t done any consumption tests yet, but I’ll let you know here on the forum how the PC consumes.

Hi Daniel,
I also deactivated the root account. From everything I’ve read, they always advise you to deactivate the account.
I still have to install fail2ban and change the ssh port, which I think should be the next steps.

Jorge

4 Likes

By “disable root account” - I never do this… and I usually go in and set a root password… The default on Ubuntu servers is that you don’t know or ever set, the root password - you have to do it manually…

Why? What happens if somehow sudo breaks? I can no longer run “sudo -i”? If I know root’s password - I can always use “su -”… And - I only recently had to resort to this last week!

This was on a testbed / sandpit server - got SSSD (AD authentication working) then setup which AD users are allowed to SSH (AllowGroups in /etc/ssh/sshd_config) - but didn’t get around to setting up which AD users allowed to run sudo. And in the process of enabling AD users via SSH - it stopped allowing a local user account (default user on one of the big cloud companies linux systems) - so I could run “su -” because I knew the root password and I could then set AD groups up in sudoers!

Enabling users to run “su -” is maybe a bit lax, I guess - but it’s not the same as allowing them to directly SSH to a Linux server…

3 Likes