Fail2ban configuration for ProFTPd with Plesk on RHEL CentOS Fedora Redhat-based Linux

~ tadmin ~ 2 Comments

I am using the following fail2ban configuration for ProFTPd with Plesk on RHEL CentOS Fedora Redhat-based Linux (because default one is not working for me properly).

File /etc/fail2ban/jail.local or /etc/fail2ban/jail.conf if you have not installed fail2ban using yum package manager which will overwrite your custom configuration files each time you update the package.

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=serveradmin@shkodenko.com]
logpath  = /var/log/secure
maxretry = 7

Filter configuration file: /etc/fail2ban/filter.d/proftpd.conf

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
#             \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
#             \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
#             \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
#
# default failregex does not work @see http://www.howtoforge.com/forums/showthread.php?t=35089
#

failregex = ^(.)+proftpd(.)+\[<HOST>\](.)*no such user found from (.)* to (.)*$
            ^(.)+proftpd(.)+\[<HOST>\](.)*USER(.)*Login failed(.)*Incorrect password(.)*$
            ^(.)+proftpd(.)+\[<HOST>\](.)*SECURITY VIOLATION:(.)*login attempted(.)*$
            ^(.)+proftpd(.)+\[<HOST>\](.)*Maximum login attempts(.)*exceeded(.)*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

To check new ban regex use command:

# /usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/proftpd.conf

Restarted fail2ban using command:

# /sbin/service fail2ban restart

Reconfigure vhost in Plesk 10.4.4 add custom web server configuration file

~ tadmin

Plesk Control Panel version 10.4.4 does not allow to create aliases for subdomains.

To fix it I have created two custom configuration files:

[root@shkodenko ~]# more /var/www/vhosts/dev.shkodenko.com/conf/vhost*conf
::::::::::::::
/var/www/vhosts/dev.shkodenko.com/conf/vhost.conf
::::::::::::::
ServerAlias dev.shkodenko1.com
ServerAlias dev.shkodenko2.com
::::::::::::::
/var/www/vhosts/dev.shkodenko.com/conf/vhost_ssl.conf
::::::::::::::
ServerAlias dev.shkodenko1.com
ServerAlias dev.shkodenko2.com
[root@shkodenko ~]#

and reconfigured subdomain using command:

[root@shkodenko ~]# /usr/local/psa/admin/sbin/httpdmng --reconfigure-domain dev.shkodenko.com

I have checked web server Apache configuration

[root@shkodenko ~]# /sbin/service httpd configtest

and restarted it:

[root@shkodenko ~]# /sbin/service httpd graceful

PHP Warning: Unknown: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0

~ tadmin

To fix error message:

PHP Warning: Unknown: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0

Change/add PHP ini configuration directive max_input_vars default value in main configuration file /etc/php.ini and restart web server Apache using command:

# /sbin/service httpd graceful

Shell script to remove Plesk health monitor package for RPM-based Linux RHEL CentOS Fedora etc

~ tadmin

Because I have tired from annoying e-mail messages with subject alarm level changed which are killing me.

I can`t find how to disable them in Plesk control panel.

I have developed simple script to remove Plesk health monitor package for RPM-based Linux: RHEL, CentOS, Fedora etc.

#!/bin/sh

RPM_NAME="`rpm -qa |grep -i psa-health-monitor`"

if [ -z "$RPM_NAME" ];
then
        echo "Plesk health monitor package has not found"
else
        echo "Found Plesk health monitor package: $RPM_NAME"
        rpm -e $RPM_NAME
fi

ERROR 2003 (HY000): Can’t connect to MySQL server on ‘server IP’ (10061)

~ tadmin

If you see error messages below:

  • Can’t connect to MySQL server on ‘Server IP’ (10061):
  • ERROR 2003 (HY000): Can’t connect to MySQL server on ‘Server IP’ (110)
    Server did not respond within the specified timeout interval

And checking port using telnet utility
$ telnet ‘Server IP’ 3306

Gives error message:
Trying ‘Server IP’…
telnet: connect to address ‘Server IP’: Connection timed out

It is possible because MySQL server TCP port 3306 is closed on server in firewall.

Courier imap connections limit error

~ tadmin

To fix courier-imap connections limit errors like shown below:

e-mail client imap connection error

Thunderbird
Unable to connect to your IMAP server. You may have exceeded the maximum number of connections to this server. If so, use the Advanced IMAP Server Settings dialog to reduce the number of cached connections.

Edit configuration file /etc/courier-imap/imapd parameters:

  • MAXDAEMONS=40
  • MAXPERIP=4

Restart courier-imap service.

Use fail2ban to protect your server with plesk panel from zero day exploit

~ tadmin ~ 4 Comments

To protect your server with Plesk control panel from zero day exploit the following fail2ban configuration can be added:

1. Added custom config with the following regex:
# more /etc/fail2ban/filter.d/apache-plesk-vulnerability.conf
# Fail2Ban configuration file
#
# Author: Taras Shkodenko
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named “host”. The tag “” can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P[\w\-.^_]+)
# Values: TEXT
#
failregex = ^ -.*”POST /%%70%%68%%70%%70%%61%%74%%68/%%70%%68%%70?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
#

2. Added these lines to fail2ban configuration file: /etc/fail2ban/jail.conf
#
#
# Ban attackers that try to use Plesk zero day vulnerability
#

[apache-plesk-vulnerability]
enabled = true
filter = apache-plesk-vulnerability
action = iptables-multiport[name=apachePleskVulner, port=”http,https”, protocol=tcp]
sendmail-whois[name=apachePleskVulner, dest=serveradmin@shkodenko.com]
logpath = /var/log/httpd/access_log
maxretry = 1
#

3. To check new ban regex use command:
# /usr/bin/fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-plesk-vulnerability.conf

4. Restarted fail2ban using command:
# /sbin/service fail2ban restart

Find files and fix permissions bash script example

~ tadmin ~ 2 Comments

To find files and fix permissions example bash script below can be used:

$ ./find_fix_permissions.sh

#!/bin/bash

CORRECT_PERMISSIONS=644
SEARCH_FOLDER="./images/"

if [ "$(find $SEARCH_FOLDER -type f ! -perm $CORRECT_PERMISSIONS -print)" ]; then
    find $SEARCH_FOLDER -type f ! -perm $CORRECT_PERMISSIONS -print0 |xargs -0 chmod -fv $CORRECT_PERMISSIONS
fi

$

It searches all files in folder SEARCH_FOLDER including sub-folders and if these files found correct permissions set in variable CORRECT_PERMISSIONS