I often need to compress archives in Linux. Is there a simpler way instead of always building such complicated commands?
tar zcvf /tmp/mybackup.tar.gz /home/important
I have not found any reference to this in the RFCs and hope to find a reliable answer here.
Domain mail.example.com runs a mail server. I want to set the MX record for the domain awesomeexample.com pointing to mail.example.com. Can I use the FQDN or do I have to use the static IP address?
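Added illustration for this question, written here and not part of the post: a small Python validator that applies the two rules that decide it. The exchange field of an MX record is a domain name (RFC 1035 section 3.3.9), so an IP literal is not a valid MX target, and RFC 2181 section 10.3 forbids the exchange from being a CNAME. The zone data below is constructed; check_mx returns a list of problems, and an empty list means the record is fine.

```python
import ipaddress
import re

# Constructed zone data: owner name -> list of (type, rdata). Names are FQDNs.
ZONE = {
    "awesomeexample.com.": [("MX", (10, "mail.example.com."))],
    "mail.example.com.":   [("A", "192.0.2.25"), ("AAAA", "2001:db8::25")],
    "alias.example.com.":  [("CNAME", "mail.example.com.")],
}

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip_literal(name):
    """True if the MX target is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False


def is_fqdn(name):
    """RFC 1123 host-name syntax; the trailing dot marks an absolute name."""
    return name.endswith(".") and all(LABEL.match(l) for l in name[:-1].split("."))


def check_mx(zone, owner):
    """Problems with the MX records at owner; an empty list means they are fine."""
    problems = []
    mx = [rdata for rtype, rdata in zone.get(owner, []) if rtype == "MX"]
    if not mx:
        return [f"{owner}: no MX record"]
    for _pref, exchange in mx:
        if is_ip_literal(exchange):
            problems.append(f"{owner}: exchange {exchange!r} is an IP literal, not a domain name")
        elif not is_fqdn(exchange):
            problems.append(f"{owner}: exchange {exchange!r} is not a valid FQDN")
        else:
            target = zone.get(exchange, [])
            if any(rtype == "CNAME" for rtype, _ in target):
                problems.append(f"{owner}: exchange {exchange} is a CNAME (RFC 2181 section 10.3)")
            elif not any(rtype in ("A", "AAAA") for rtype, _ in target):
                problems.append(f"{owner}: exchange {exchange} has no A/AAAA record")
    return problems
```

The exchange name must itself resolve to an address record; that is where the mail server's static IP belongs, not in the MX record.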
I want to configure Postfix to work with SpamAssassin. I have the issue that the mail bounces internally between Postfix and SpamAssassin until I receive the error "Too many hops".
Postfix Version:
postconf -d | grep mail_version
mail_version = 3.5.6
milter_macro_v = $mail_name $mail_version
SpamAssassin Version:
spamassassin -V
SpamAssassin version 3.4.6
running on Perl version 5.32.1
That's my X-Spam-Status Header:
X-Spam-Status: No, score=0.6 required=2.0 tests=HTML_MESSAGE,
RCVD_IN_ZEN_BLOCKED_OPENDNS,SPF_HELO_NONE,TVD_SPACE_RATIO,
TVD_SPACE_RATIO_MINFP,T_SCC_BODY_TEXT_LINE autolearn=no
autolearn_force=no version=3.4.6
Received: by example.com (Postfix, from userid 109)
id EA88EA716D; Mon, 28 Feb 2022 12:38:12 +0100 (CET)
Received: by example.com (Postfix, from userid 109)
id 04220A716E; Mon, 28 Feb 2022 12:37:59 +0100 (CET)
Received: by example.com (Postfix, from userid 109)
id B583DA716D; Mon, 28 Feb 2022 12:37:58 +0100 (CET)
...
main.cf
myorigin = localhost
mydestination = $myhostname localhost.$mydomain localhost
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
message_size_limit = 15000000
broken_sasl_auth_clients = yes
smtp_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtp_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_loglevel = 1
smtpd_banner = $myhostname ESMTP $mail_name
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_tls_loglevel = 1
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/letsencrypt/live/mail2.brocksieper.de-0001/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail2.brocksieper.de-0001/privkey.pem
smtpd_client_connection_count_limit = 25
smtpd_tls_received_header = yes
smtpd_tls_eecdh_grade = strong
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = LOW, EXP, aNULL, RC4, DSS, SEED, IDEA, MD5, PSK, DES, SRP, CAMELLIA, SHA1, SHA256, SHA384
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unauth_pipelining,reject_rhsbl_sender dsn.rfc-ignorant.org, reject_rbl_client bl.spamcop.net,reject_rbl_client dul.dnsbl.sorbs.net,check_policy_service inet:127.0.0.1:10023
tls_preempt_cipherlist = yes
tls_ssl_options = NO_RENEGOTIATION
compatibility_level = 2
content_filter=spamassassin:[127.0.0.1]:783
mailbox_command = /usr/sbin/sendmail
Please note the line content_filter=spamassassin:[127.0.0.1]:783. If I comment out this line, Postfix works fine, but the mails do not go through the filter.
And finally my master.cf:
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=spamassassin
spamassassin unix - n n - - pipe
  user=debian-spamd argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
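A content_filter set in main.cf applies to every service that feeds the Postfix queue, including pickup(8), which is the path taken by mail that a filter re-injects with /usr/sbin/sendmail; Postfix's FILTER_README therefore attaches the filter to the receiving smtpd services in master.cf (or clears it on pickup with "-o content_filter=") so that re-injected mail is not filtered a second time. The Python below is an added example, not part of the question: it parses a master.cf (continuation lines begin with whitespace) and a main.cf into per-service effective settings and reports services through which filtered mail would be handed back to the filter. The configs are constructed after the ones in the post, and -o values are assumed to contain no whitespace.

```python
import re
from collections import OrderedDict

# Constructed after the post: content_filter set globally in main.cf.
MAIN_CF = """\
myorigin = localhost
content_filter=spamassassin:[127.0.0.1]:783
"""

# Constructed master.cf; continuation lines start with whitespace.
MASTER_CF = """\
smtp         inet  n  -  n  -   -  smtpd
submission   inet  n  -  n  -   -  smtpd
  -o syslog_name=postfix/submission
  -o content_filter=spamassassin
pickup       unix  n  -  n  60  1  pickup
cleanup      unix  n  -  n  -   0  cleanup
spamassassin unix  -  n  n  -   -  pipe
  user=debian-spamd argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
"""

OVERRIDE = re.compile(r"-o\s+([^\s=]+)=(\S*)")


def parse_main_cf(text):
    """main.cf is 'name = value' per line; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {'type', 'command', 'overrides'}} from master.cf.
    Assumes -o name=value overrides contain no whitespace."""
    services = OrderedDict()
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                       # continuation of previous service
            if current is None:
                raise ValueError("continuation line before any service entry")
            tail = raw
        else:
            fields = raw.split()
            if len(fields) < 8:
                raise ValueError(f"malformed master.cf entry: {raw!r}")
            current = fields[0]
            services[current] = {"type": fields[1], "command": fields[7], "overrides": {}}
            tail = " ".join(fields[8:])            # options may also sit on the first line
        for m in OVERRIDE.finditer(tail):
            services[current]["overrides"][m.group(1)] = m.group(2)
    return services


def effective(services, main_params, param):
    """Per-service value: a master.cf -o override beats the main.cf value."""
    return {name: svc["overrides"].get(param, main_params.get(param, ""))
            for name, svc in services.items()}


def loop_risks(master_text, main_text):
    """Names of services through which filtered mail re-enters the filter.
    Mail re-injected with /usr/sbin/sendmail arrives via pickup(8), so a
    non-empty content_filter on pickup sends it round again."""
    services = parse_master_cf(master_text)
    main_params = parse_main_cf(main_text)
    filters = effective(services, main_params, "content_filter")
    return sorted(name for name, value in filters.items()
                  if value and services[name]["command"] == "pickup")


if __name__ == "__main__":
    print("loop via:", loop_risks(MASTER_CF, MAIN_CF))               # ['pickup']
    fixed = MASTER_CF.replace("1  pickup\n", "1  pickup\n  -o content_filter=\n")
    print("after override:", loop_risks(fixed, MAIN_CF))             # []
```

The same check run against a master.cf where the filter is set only on smtp/submission and main.cf has no content_filter reports nothing, which is the layout FILTER_README describes.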
I want to use Snort 2.x as IPS. I have understood that I need two NICs to capture the traffic (DAQ mode).
eth0 = my network card to the WAN
eth1 = my internal (virtual) NIC for Snort.
My current run command:
snort -u snort -g snort -c /etc/snort/snort.conf --daq afpacket -i eth0:eth1 -l /var/log/snort -Q
How I enable the PROMISC-Mode:
tee /etc/rc.local <<EOF
#!/bin/sh -e
ifconfig eth0 promisc
ifconfig eth1 promisc
exit 0
EOF
chmod +x /etc/rc.local
systemctl start rc-local
Which of the two cards do I need to put in promiscuous mode? eth0, eth1 or even both?
Do I have to enter the public IP of eth0 as HOME_NET in the suricata.yaml?
vars:
# more specific is better for alert accuracy and performance
address-groups:
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
My understanding is that only private addresses belong in the variable HOME_NET.
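Added example, not part of the question: a minimal evaluator for a Suricata-style address group such as the HOME_NET string above, so one can check which addresses a rule written with $HOME_NET would treat as "home". It handles the flat [a,b,!c] form with CIDR entries, the any keyword and ! negation; nested groups and $VAR references are out of scope (an assumption about the subset of the grammar needed here). The addresses are constructed from documentation ranges.

```python
import ipaddress

# The HOME_NET group from the suricata.yaml excerpt above.
HOME_NET = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def parse_address_group(spec):
    """Split a flat Suricata address group into (include, exclude) network lists.
    Supports 'any', bare CIDRs/addresses and '!' negation (assumed subset of the
    full grammar; nested groups and $VAR references are not handled)."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    include, exclude = [], []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        if item == "any":
            include.extend(ANY)
            continue
        negate = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        (exclude if negate else include).append(net)
    return include, exclude


def in_group(addr, spec):
    """True if addr falls in an included network and in no excluded one."""
    ip = ipaddress.ip_address(addr)
    include, exclude = parse_address_group(spec)
    hit = any(ip.version == n.version and ip in n for n in include)
    blocked = any(ip.version == n.version and ip in n for n in exclude)
    return hit and not blocked


def classify_flow(src, dst, home_net=HOME_NET):
    """How a rule written as $HOME_NET -> $EXTERNAL_NET (or the reverse)
    would see a flow. A flow where neither end is in HOME_NET, for example
    traffic to the sensor's own public address when only RFC 1918 space is
    listed, matches neither direction."""
    s, d = in_group(src, home_net), in_group(dst, home_net)
    return {"src_home": s, "dst_home": d,
            "outbound": s and not d, "inbound": d and not s,
            "internal": s and d, "unclassified": not s and not d}
```

With the default EXTERNAL_NET of "!$HOME_NET", a packet from the Internet to a public address that is not in HOME_NET is "unclassified" here, so rules keyed on $EXTERNAL_NET -> $HOME_NET never see it.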
Nginx can be configured via various configuration files:
*.conf files inside /etc/nginx/conf.d
*.conf files inside /etc/nginx/sites-available
/etc/nginx/sites-available/default
Can anyone shed some light on when to use which file correctly for which application scenario? The documentation only says how config files should look, but not where to store them.
For security reasons I have to restrict/disable file transfer via RDP (port 3389) from and to Remote Machines (Windows 10). Is the file transfer tunneled through port 3389, or can I safely prevent a file transfer by blocking port 139/445 SMB? A GPO would be too uncertain for me at this point.
I want to configure open ports for a firewall (3rd Party Product) to allow communication between a Domain Controller (DC) and a client (and vice versa). OS: Windows 2016/2019. The documentation from Microsoft describes which ports are required for basic services:
Unfortunately, it is silent about the direction in which port sharing must be done. The firewall is stateful. If I configure the port sharing unidirectional, only the client should initiate the connection and answer the DC. But not the other way around.
I use Postfix in combination with Let's Encrypt to transmit TLS-encrypted e-mails. The following parameters in /etc/postfix/main.cf are relevant:
smtp_tls_key_file = /etc/letsencrypt/live/foo.bar/privkey.pem
smtp_tls_cert_file = /etc/letsencrypt/live/foo.bar/fullchain.pem
smtp_tls_CAfile = /etc/letsencrypt/live/foo.bar/fullchain.pem
I can send e-mails without problems, but I get the warning message that Postfix cannot verify the certificate of the receiving site:
postfix/smtp[10736]: Untrusted TLS connection established to example.com[xxx.xxx.xxx.xxx]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
I suspect this is because Postfix is not able to access its certificate store with this parameter:
smtp_tls_CAfile = /etc/letsencrypt/live/foo.bar/fullchain.pem
A change to smtp_tls_CAfile = /etc/ssl/certs will break my entire TLS configuration.
What do I have to configure so that Postfix is able to send encrypted messages via Lets Encrypt and to check the certificate on the recipient side?
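Added example, not taken from the question: Postfix logs every TLS handshake with one of four trust levels, Anonymous (no certificate), Untrusted (certificate not verifiable against smtp_tls_CAfile/smtp_tls_CApath), Trusted (chain verified against a configured CA) and Verified (chain verified and name matched, which only the verify, secure or dane security levels can produce). With "encrypt" the mail is delivered whatever the level says, so the log line is the only place the outcome shows up. The parser below pulls trust level, peer, protocol and cipher out of smtp and smtpd log lines so the outcome can be counted and alerted on; the sample lines are constructed after the one quoted above.

```python
import re
from collections import Counter

# Postfix smtp(8)/smtpd(8) TLS connection lines; trailing key-exchange details
# that newer releases append are tolerated because the pattern is not anchored.
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:to|from) (?P<peer>\S+?)\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?: "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)

WEAK_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# Constructed sample, modelled on the line quoted in the question.
SAMPLE_LOG = """\
Mar  1 10:00:01 mx postfix/smtp[10736]: Untrusted TLS connection established to example.com[203.0.113.25]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  1 10:00:05 mx postfix/smtp[10740]: Verified TLS connection established to mail.example.net[203.0.113.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  1 10:00:09 mx postfix/smtp[10741]: Anonymous TLS connection established to relay.example.org[203.0.113.27]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Mar  1 10:00:12 mx postfix/smtpd[10750]: Untrusted TLS connection established from client.example[203.0.113.50]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  1 10:00:15 mx postfix/smtp[10742]: connect to other.example[203.0.113.28]:25: Connection refused
"""


def parse_tls_events(log_text):
    """One dict per TLS handshake line; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["bits"] = int(ev["bits"])
        ev["direction"] = "outbound" if ev["daemon"] == "smtp" else "inbound"
        events.append(ev)
    return events


def summarize(events):
    """Counts per trust level plus the peers worth looking at: outbound
    sessions whose certificate chain did not verify, and weak protocols."""
    return {
        "by_trust": Counter(e["trust"] for e in events),
        "unverified_outbound": sorted(e["peer"] for e in events
                                      if e["direction"] == "outbound"
                                      and e["trust"] in ("Anonymous", "Untrusted")),
        "weak_protocol": sorted(e["peer"] for e in events if e["proto"] in WEAK_PROTOCOLS),
    }
```

A chain only verifies against a CA that actually issued it, so pointing smtp_tls_CAfile at one's own fullchain.pem verifies nobody else's certificate; the system bundle (smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt, or smtp_tls_CApath = /etc/ssl/certs) is what turns "Untrusted" into "Trusted" for peers with publicly issued certificates.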
Any ideas how to get Pritunl listening on IPv4 and IPv6?
systemctl status pritunl.service
● pritunl.service - Pritunl Daemon
Loaded: loaded (/etc/systemd/system/pritunl.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2020-09-29 12:47:03 UTC; 4min 2s ago
Main PID: 2409 (pritunl)
Tasks: 19 (limit: 544)
Memory: 109.3M
CGroup: /system.slice/pritunl.service
├─2409 /usr/lib/pritunl/bin/python /usr/lib/pritunl/bin/pritunl start
└─2430 pritunl-web
sudo netstat -tulpn | grep pritunl
tcp6 0 0 :::443 :::* LISTEN 1055/pritunl-web
cat /etc/pritunl.conf
{
"debug": true,
"bind_addr": "0.0.0.0",
"port": 443,
"log_path": "/var/log/pritunl.log",
"temp_path": "/tmp/pritunl_%r",
"local_address_interface": "auto",
"mongodb_uri": ""
}
cat /var/log/pritunl.log
[undefined][2020-09-29 12:47:07,431][INFO] Starting setup server
[undefined][2020-09-29 12:47:07,432][INFO] Generating setup server ssl cert
This error drives me crazy: Running nginx on Debian Buster. IPv4 works fine, but testing with IPv6 throws:
Unable to connect to the server
The AAAA record is available and valid. Connection with http://ipv6-test.com and with PowerShell (Test-NetConnection) from a dual-stack host was not successful.
Version check with nginx -V:
nginx version: nginx/1.14.2
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-Cjs4TR/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-echo --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-subs-filter
/etc/nginx/sites-available/default looks like:
server {
listen 80 default_server;
listen [::]:80 default_server;
}
netstat -tulpn says:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 656/nginx: master p
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 656/nginx: master p
tcp6 0 0 :::80 :::* LISTEN 656/nginx: master p
tcp6 0 0 :::443 :::* LISTEN 656/nginx: master p
Firewall is open, ufw status:
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
Assistance very much appreciated!
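Added example for the two IPv6 posts above (Pritunl and nginx), not part of either: on Linux a socket bound to the IPv6 wildcard [::] also accepts IPv4 connections unless IPV6_V6ONLY is set on it (the net.ipv6.bindv6only sysctl, 0 by default on Debian, supplies the default). That is why a lone "tcp6 :::443" line in netstat can still serve IPv4 clients, whereas nginx binds separate tcp and tcp6 sockets because its "listen [::]:80" defaults to ipv6only=on. The Python below opens a [::] listener both ways and tries an IPv4 loopback connection to it; it returns the peer address the listener saw (an IPv4-mapped ::ffff:127.0.0.1 when dual-stack works), 'refused', or 'no-ipv6' when the host cannot create IPv6 sockets. Port 0 is used so the kernel picks a free port.

```python
import socket
import threading


def probe(v6only):
    """Bind an IPv6 wildcard listener with IPV6_V6ONLY as given and attempt an
    IPv4 loopback connection to it. Returns the peer address the listener saw
    (an IPv4-mapped IPv6 address when dual-stack works), 'refused' when the
    IPv4 connect was rejected, or 'no-ipv6' if IPv6 sockets are unavailable."""
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        srv.bind(("::", 0))            # port 0: let the kernel pick a free port
        srv.listen(1)
    except (OSError, AttributeError):
        return "no-ipv6"
    port = srv.getsockname()[1]
    seen = {}

    def accept_one():
        srv.settimeout(2)
        try:
            conn, peer = srv.accept()
            conn.close()
            seen["peer"] = peer[0]
        except OSError:                # timeout: nobody connected
            seen["peer"] = None

    worker = threading.Thread(target=accept_one)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=2):
            pass
        outcome = "connected"
    except OSError:
        outcome = "refused"
    worker.join()
    srv.close()
    return seen["peer"] if outcome == "connected" else "refused"


def dual_stack_report():
    """Both variants side by side: ipv6only=off (one socket serves v4 and v6)
    versus ipv6only=on (nginx's default, which needs a separate 0.0.0.0 listener)."""
    return {"ipv6only=off": probe(v6only=False), "ipv6only=on": probe(v6only=True)}


if __name__ == "__main__":
    print(dual_stack_report())
```

The netstat output in the nginx post shows both sockets present and the ufw rules open, so the listener side is not where that connection is failing; the probe above is the quick way to confirm what a single "tcp6 :::port" entry, as in the Pritunl post, actually accepts.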
I want to enable SASL authentication under Debian Buster. For this I follow these instructions: https://wiki.debian.org/PostfixAndSASL
This all works fine, but after each restart Debian "forgets" the symlink...
ln -s /var/spool/postfix/var/run/saslauthd /run/saslauthd
which leads to an error message.
Sep 6 15:51:31 postfix/smtpd[1519]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Sep 6 15:51:31 postfix/smtpd[1519]: warning: SASL authentication failure: Password verification failed
Sep 6 15:51:31 postfix/smtpd[1519]: warning: unknown[xxx]: SASL PLAIN authentication failed: generic failure
Sep 6 15:51:31 postfix/smtpd[1519]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
I use the .htaccess file on my Apache to display custom error documents. This all works fine too.
But I still see lots of this error in the log:
[Thu Aug 13 10:38:31 2020] [notice] [client AH00113: /home/www/.htaccess:6 cannot use a full URL in a 401 ErrorDocument directive --- ignoring!
Line 6 of my .htaccess looks straightforward:
ErrorDocument 401 http://error.foo.bar/401.html
Why can't a full URL in a 401 ErrorDocument directive be used? Bug or Feature?
Since fail2ban version 0.10, IPv6 is supported. I use fail2ban in conjunction with ufw. I found that only IPv4 addresses are blocked. This is unfavorable.
Failed to execute ban jail 'nginx-noscript' action 'ufw' info 'ActionInfo({'ip': '2400:xx:xx:xx::xx', 'family': 'inet6', 'fid': <function Actions.ActionInfo.<lambda> at 0x7fbe026ee820>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7fbe026eeee0>})': Error banning '2400:xx:xx:xx::xx'
The fail2ban changelog says that not all banactions have been extended to IPv6 yet. Does anyone know a reliable way to get fail2ban to block IPv4 and IPv6?
I have successfully installed WireGuard on Debian Buster. Now I wanted to configure IPv6 afterwards. I have done that. But the settings inside the [Peer] section of wg0.conf do not seem to be persistent.
systemctl stop wg-quick@wg0.service
nano /etc/wireguard/wg0.conf
Result:
[Peer]
PublicKey = xxxxx
AllowedIPs = 10.200.200.2/32, xxx:xxxx:xx:xxx:100::2/72
After saving and restarting the service with systemctl start wg-quick@wg0.service, the wg0.conf looks fine.
When I restart the VM or the Service again, all my additional settings are lost.
[Peer]
PublicKey = xxxxx
AllowedIPs = 10.200.200.2/32
Any idea?
That's how my wg0.conf should look:
[Interface]
Address = 10.200.200.1/24
Address = xxxx:xxx:xx:xxx::1/72
DNS = 10.200.200.1
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROU$
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTR$
ListenPort = 51820
PrivateKey = xxx
[Peer]
PublicKey = xxx
AllowedIPs = 10.200.200.2/32, xxx:xxxx:xx:xxx:100::2/72
[Peer]
PublicKey = xxx
AllowedIPs = 10.200.200.3/32, xxx:xxxx:xx:xxx:100::3/72
[Peer]
PublicKey = xxx
AllowedIPs = 10.200.200.4/32, xxx:xxxx:xx:xxx:100::4/72
My VPS provider supports IPv6, so I want to use it with Debian Buster.
I cannot ping the VM from outside. IPv4 works fine, but IPv6 fails.
My /etc/network/interfaces looks like this:
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet dhcp
# dns-nameservers 0.0.0.0
iface eth0 inet6 auto
# dns-nameservers ::1
The result of ifconfig looks like this:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 5.xxx.xx.xx netmask 255.255.252.0 broadcast 5.xxx.xx.xxx
inet6 fe80::xxx:9ff:xxxx:xxx prefixlen 64 scopeid 0x20<link>
inet6 2a03:xxxx:3f:28e:xxx:9ff:fe35:b164 prefixlen 64 scopeid 0x0<global>
ether 66:90:09:35:b1:64 txqueuelen 1000 (Ethernet)
RX packets 15477 bytes 945788 (923.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 258 bytes 39387 (38.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 80 bytes 6480 (6.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 80 bytes 6480 (6.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Outbound Pinging works fine:
ping6 ipv6.google.com
Result:
PING ipv6.google.com(fra15s46-in-x0e.1e100.net (2a00:1450:4001:808::200e)) 56 data bytes
64 bytes from fra15s46-in-x0e.1e100.net (2a00:1450:4001:808::200e): icmp_seq=1 ttl=57 time=3.70 ms
I cannot reach the VM from Outside when I use their static IPv6 Address. Any ideas?
ip6tables -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
105 24367 ufw6-before-logging-input all * * ::/0 ::/0
105 24367 ufw6-before-input all * * ::/0 ::/0
0 0 ufw6-after-input all * * ::/0 ::/0
0 0 ufw6-after-logging-input all * * ::/0 ::/0
0 0 ufw6-reject-input all * * ::/0 ::/0
0 0 ufw6-track-input all * * ::/0 ::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw6-before-logging-forward all * * ::/0 ::/0
0 0 ufw6-before-forward all * * ::/0 ::/0
0 0 ufw6-after-forward all * * ::/0 ::/0
0 0 ufw6-after-logging-forward all * * ::/0 ::/0
0 0 ufw6-reject-forward all * * ::/0 ::/0
0 0 ufw6-track-forward all * * ::/0 ::/0
Chain OUTPUT (policy ACCEPT 5 packets, 440 bytes)
pkts bytes target prot opt in out source destination
120 19258 ufw6-before-logging-output all * * ::/0 ::/0
120 19258 ufw6-before-output all * * ::/0 ::/0
17 1610 ufw6-after-output all * * ::/0 ::/0
17 1610 ufw6-after-logging-output all * * ::/0 ::/0
17 1610 ufw6-reject-output all * * ::/0 ::/0
17 1610 ufw6-track-output all * * ::/0 ::/0
Chain ufw6-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-before-input (1 references)
pkts bytes target prot opt in out source destination
25 2470 ACCEPT all lo * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0 rt type:0
66 20913 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129
2 120 ufw6-logging-deny all * * ::/0 ::/0 ctstate INVALID
2 120 DROP all * * ::/0 ::/0 ctstate INVALID
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 133 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 134 HL match HL == 255
2 144 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 HL match HL == 255
6 400 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 141 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 142 HL match HL == 255
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 130
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 131
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 132
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 143
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 148 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 149 HL match HL == 255
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 151 HL match HL == 1
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 152 HL match HL == 1
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 153 HL match HL == 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 144
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 145
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 146
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 147
0 0 ACCEPT udp * * fe80::/10 fe80::/10 udp spt:547 dpt:546
0 0 ACCEPT udp * * ::/0 ff02::fb udp dpt:5353
0 0 ACCEPT udp * * ::/0 ff02::f udp dpt:1900
4 320 ufw6-user-input all * * ::/0 ::/0
Chain ufw6-before-output (1 references)
pkts bytes target prot opt in out source destination
25 2470 ACCEPT all * lo ::/0 ::/0
0 0 DROP all * * ::/0 ::/0 rt type:0
54 13450 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
1 104 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129
4 224 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 133 HL match HL == 255
2 128 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 HL match HL == 255
15 1080 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 134 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 141 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 142 HL match HL == 255
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 130
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 131
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 132
2 192 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 143
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 148 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 149 HL match HL == 255
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 151 HL match HL == 1
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 152 HL match HL == 1
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 153 HL match HL == 1
17 1610 ufw6-user-output all * * ::/0 ::/0
Chain ufw6-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0 rt type:0
0 0 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129
0 0 ufw6-user-forward all * * ::/0 ::/0
Chain ufw6-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:137
0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:138
0 0 ufw6-skip-to-policy-input tcp * * ::/0 ::/0 tcp dpt:139
0 0 ufw6-skip-to-policy-input tcp * * ::/0 ::/0 tcp dpt:445
0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:546
0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:547
Chain ufw6-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-track-output (1 references)
pkts bytes target prot opt in out source destination
1 80 ACCEPT tcp * * ::/0 ::/0 ctstate NEW
11 1090 ACCEPT udp * * ::/0 ::/0 ctstate NEW
Chain ufw6-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-logging-deny (1 references)
pkts bytes target prot opt in out source destination
2 120 RETURN all * * ::/0 ::/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw6-skip-to-policy-input (6 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0
Chain ufw6-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all * * ::/0 ::/0
Chain ufw6-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0
Chain ufw6-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:22
4 320 ACCEPT tcp * * ::/0 ::/0 tcp dpt:80
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:443
0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:500
0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:4500
0 0 ACCEPT tcp * * 2a02:908:f84:9f60::/59 ::/0 tcp dpt:53
0 0 ACCEPT udp * * 2a02:908:f84:9f60::/59 ::/0 udp dpt:53
Chain ufw6-user-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw6-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all * * ::/0 ::/0 reject-with icmp6-port-unreachable
Chain ufw6-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all * * ::/0 ::/0
On a Debian machine Squid and Apache are running. HTTPS is enabled with Certbot (Let's Encrypt).
I have several domains (vhosts) and I am using one IP address for all domains.
Apache is listening on port 81 (HTTP) and 444 (HTTPS).
My squid.conf looks like this:
# Incoming Connections
http_port 80 accel
cache_peer localhost parent 81 0 no-query originserver
https_port 443 accel defaultsite=yourwebserver vhost
cache_peer localhost parent 444 0 no-query originserver
# ACL
http_access allow all
# Allowed Ports
acl SSL_ports port 443 # https
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
My Problem: Squid asks for Certificates to enable HTTPS when I start the service with the config above.
But for every Domain I use different Certificates. How can I force Squid just to redirect 443 to 444 localhost?
Fail2ban can be configured in so many places.
$ fail2ban-client -i
Fail2Ban v0.10.2 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.
On Debian Buster I can edit my settings in several config files:
/etc/fail2ban/jail.d/defaults-debian.conf
/etc/fail2ban/fail2ban.conf
/etc/fail2ban/jail.conf
/etc/fail2ban/action.d/
And - last but not least - some tutorials recommend:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
The Documentation of fail2ban says:
Modifications should take place in the .local and not in the .conf. This avoids merging problem when upgrading. These files are well documented and detailed information should be available there.
Does that mean, that every .conf File I want to edit should exist as a .local file?
I am confused! Can someone shed some light on this please?
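Added example, not from the question: fail2ban reads the jail files in the order documented in the header of jail.conf (jail.conf, then jail.d/*.conf alphabetically, then jail.local, then jail.d/*.local alphabetically), and each later file overrides only the keys it names, section by section, so a .local file holds just the settings you change. fail2ban.conf configures the daemon itself (log level, socket, pid file) and carries no jails; action.d and filter.d hold action and filter definitions, each again with an optional .local override. The Python below reproduces that layering with configparser on constructed jail.conf, jail.d/defaults-debian.conf and jail.local contents and shows the unchanged keys falling through.

```python
import configparser
import fnmatch

# Constructed contents standing in for files under /etc/fail2ban.
FILES = {
    "jail.conf": """\
[DEFAULT]
bantime   = 10m
findtime  = 10m
maxretry  = 5
banaction = iptables-multiport

[sshd]
port    = ssh
logpath = /var/log/auth.log
enabled = false
""",
    "jail.d/defaults-debian.conf": """\
[sshd]
enabled = true
""",
    "jail.local": """\
[DEFAULT]
bantime   = 1h
banaction = ufw

[nginx-noscript]
port    = http,https
logpath = /var/log/nginx/access.log
enabled = true
""",
}

# Read order documented in the jail.conf header; later files win per key.
LOAD_ORDER = ("jail.conf", "jail.d/*.conf", "jail.local", "jail.d/*.local")


def layered_config(files):
    """Merge the files the way fail2ban does: each later file overrides only the
    keys it names, everything else falls through to the earlier ones."""
    cp = configparser.ConfigParser(interpolation=None)
    for pattern in LOAD_ORDER:
        for name in sorted(n for n in files if fnmatch.fnmatch(n, pattern)):
            cp.read_string(files[name], source=name)
    return cp


def effective_jail(cp, jail):
    """Jail settings with [DEFAULT] inheritance applied."""
    return {key: cp.get(jail, key) for key in cp.options(jail)}


if __name__ == "__main__":
    cp = layered_config(FILES)
    for jail in ("sshd", "nginx-noscript"):
        print(jail, effective_jail(cp, jail))
```

So the answer to "must every .conf have a .local" is no: a .local is only needed for the file whose keys you change, and copying jail.conf wholesale into jail.local merely makes the next package upgrade harder to follow. The real files are read by fail2ban's own config loader, which additionally expands %(name)s references; that expansion is left out here.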