Postfix: Automatic UFW Firewall Updates

If you run a mail server with Postfix, you get daily spam attacks from scripts.

How to fix it?

  • Install the ufw firewall
  • Run a scanner script as a cron job

On Debian/Ubuntu:

Install ufw:


sudo apt-get update && sudo apt-get install ufw && sudo ufw enable && sudo ufw logging off

Scan script (create it with sudo nano /home/user/firewall-update.sh):


#!/bin/bash
# Scan for "rejected": the address is the third "["-delimited field of the log line
cat /var/log/mail.log | grep rejected | cut -d"[" -f3 | cut -d"]" -f1 | grep -v '^$' | sort -u > /tmp/firewall.txt
# Insert a deny rule at the top of the firewall rules for every address found
while read -r line; do sudo ufw insert 1 deny from "$line" to any; done < /tmp/firewall.txt
# Scan for "denied"
cat /var/log/mail.log | grep denied | cut -d"[" -f3 | cut -d"]" -f1 | grep -v '^$' | sort -u > /tmp/firewall2.txt
# Insert into the firewall
while read -r line; do sudo ufw insert 1 deny from "$line" to any; done < /tmp/firewall2.txt
# Restart ufw so the new rules are active
service ufw restart
exit 0

Remark:

  • Add the script to root’s crontab and run it hourly
  • To catch other failures (failed logins etc.), add another pair of cat.. and while.. lines and replace "rejected" with the keyword of those log lines
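The extraction above takes the third bracket of every line containing "rejected" or "denied", which also matches lines written by Postfix's outbound smtp client when a remote server rejects a message; there that field is the remote relay's address, so legitimate mail servers end up banned. The following added example (not the original script; the log lines are constructed, and candidate_ips with its hit threshold and allowlist arguments is an assumption of this example) counts only validated postfix/smtpd client addresses:

```shell
#!/bin/bash
# Added example. Log lines are constructed; all addresses are RFC 5737
# documentation ranges. 192.0.2.10 stands for a host you never want banned.
sample_log() {
cat <<'EOF'
Jan 10 03:12:01 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <a@example.org>: Relay access denied; from=<x@example.net> to=<a@example.org> proto=ESMTP helo=<mail>
Jan 10 03:12:09 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <b@example.org>: Relay access denied; from=<x@example.net> to=<b@example.org> proto=ESMTP helo=<mail>
Jan 10 03:13:30 mx postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.9]; from=<y@example.net> to=<a@example.org> proto=ESMTP helo=<pc>
Jan 10 03:14:02 mx postfix/smtpd[2251]: NOQUEUE: reject: RCPT from mon.example.org[192.0.2.10]: 554 5.7.1 <t@example.com>: Relay access denied; from=<m@example.org> to=<t@example.com> proto=ESMTP helo=<mon>
Jan 10 03:14:05 mx postfix/smtpd[2251]: NOQUEUE: reject: RCPT from mon.example.org[192.0.2.10]: 554 5.7.1 <t@example.com>: Relay access denied; from=<m@example.org> to=<t@example.com> proto=ESMTP helo=<mon>
Jan 10 03:15:40 mx postfix/smtp[2290]: 4F1A2C0: to=<u@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=1.2, status=bounced (host mx.example.net[192.0.2.25] said: 550 5.7.1 Message rejected (in reply to end of DATA command))
EOF
}

# The page's extraction, kept for comparison: third "["-delimited field.
naive_ips() {
  grep -E 'rejected|denied' | cut -d"[" -f3 | cut -d"]" -f1 | grep -v '^$' | LC_ALL=C sort -u
}

# Usage: candidate_ips MIN_HITS [ALLOWED_IP ...] < mail.log
# Prints IPv4 clients that smtpd rejected at least MIN_HITS times.
candidate_ips() {
  local min_hits=$1; shift
  awk -v min="$min_hits" -v allow=" $* " '
    index($0, "postfix/smtpd[") && /rejected|denied/ {
      # The leftmost "from host[ip]:" is the connecting client.
      if (!match($0, / from [^ ]*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]:/)) next
      ip = substr($0, RSTART, RLENGTH)
      sub(/^.*\[/, "", ip); sub(/\]:$/, "", ip)
      split(ip, o, "."); valid = 1
      for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) valid = 0
      if (valid && !index(allow, " " ip " ")) hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print ip }
  ' | LC_ALL=C sort
}

# Dry run on the sample: print the ufw commands instead of executing them.
sample_log | candidate_ips 2 192.0.2.10 | sed 's/.*/ufw insert 1 deny from & to any/'
```

On the sample, the page's pipeline also returns 192.0.2.25, the relay from the outbound bounce line, while candidate_ips returns only 203.0.113.7.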

Test:


sudo ufw status numbered

This should list the banned IPs. After only one day the list already held more than 150 DENY entries.


Raspberry Pi: Raspbian, disadvantages of an embedded OS

The last 12 months have been a „golden“ time for the upcoming embedded Linux devices, but their custom OSes come with some problems you should know about before starting a project:

  • embedded PCs like the ARM-based Pi 2 / Pi 3 use their own compiled OS
  • not every familiar Debian package is available
  • not all build scripts needed to rebuild packages are available on git
  • slow performance can lead to problems that make the device unusable (heat, load, I/O); correctly written scripts can freeze through no fault of your own!
  • take the time for a closer look before buying one
  • calculate the costs of non-x86 systems; you often can't upgrade later, because embedded systems are not made for that
  • dealers charge too much money for too little performance!
  • embedded devices can’t be expanded with extras such as chip-based compression!
  • embedded devices need less energy, but can hang at loads above 65% because they have no cooling
  • they are made for learning and small control jobs
  • for NAS / server jobs use x86 m-ATX / micro-ATX, because you get easy access to the full set of Debian packages
  • not all Python packages and libs needed to run projects are available (example: acd_cli Amazon cloud NAS backup)
  • the current lifetime of an embedded PC in multimedia use may be 24 months, because things change too much and too fast

The ARM OS package trees may grow, and then we can talk again, but currently x86 is the cheapest way to build systems without stress! And you always have the reserve to build in new hardware.

Security: Webserver HTTPS with Self Signed Certificate Do it yourself in 5 Minutes!!

Today, security and encrypted web server communication affect every user who hosts their own websites on the Internet. In past decades HTTPS was only used by online login pages such as shops and banks to verify the communication between a user's PC and the website. But after January 2015 most search engines, like Google, decided to push the indexing of websites served over HTTPS. The background is that with a TLS-encrypted connection it isn’t easy to track visitors or to force „drive-by download“ viruses onto them.

Self Signed Certificate Sample

But a lot of webmasters in the open source community were angry about this. It is not a real problem if you don’t want to buy an SSL/TLS certificate. Every webmaster can create a self-signed certificate on their web server if they are able to log in via ssh and configure a web server like Apache. Web browsers warn about self-signed certificates only on the first visit; if the user chooses to install the certificate, the browser doesn’t warn on later visits!

Search engines like Google don’t have their robots check the trust of certificates, so your site will be placed in the index as well as in past decades. The ONLY thing is that you MUST move all files, images, internal links and bookmarks to „https://“ so that the „LOCK“ in the browser dialog is „CLOSED“ and „GREEN“ as in the picture.

Of course, if you want, you can buy and install „domain name trusted“ certificates, but if you only host private websites/blogs you won’t really want to pay over 100$ per year for the certificates.

Advantages:

  • Secure Login to your Site/Blog
  • Encrypted Transfer of Data
  • Security for your Visitors
  • No Drive-BY-Loads
  • Less Content Stealing

You will notice over the next years that the Internet moves to HTTPS!

To create a certificate, use OpenSSL with this command and answer the script's questions; afterwards put the .crt and .key files in /etc/ssl/.. and tell Apache to load them from there!

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt
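A non-interactive variant of the command above, as an added example that is not part of the original post: it writes the key with owner-only permissions, adds a subjectAltName, and checks that certificate and key belong together. The host name www.example.test, the function names and the temporary directory are assumptions of this example; -addext and -ext need OpenSSL 1.1.1 or later.

```shell
#!/bin/bash
# Added example: self-signed certificate without prompts, plus sanity checks.
# www.example.test and all function names are placeholders of this example.

# make_selfsigned HOST DIR -> DIR/HOST.key (owner-only) and DIR/HOST.crt
make_selfsigned() (
  umask 077   # subshell body: the private key is never group/world-readable
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null &&
  chmod 644 "$2/$1.crt"
)

# cert_matches_key CRT KEY -> exit 0 only if both carry the same public key
cert_matches_key() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_san CRT -> subjectAltName DNS entries, one per line
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*'
}

# key_mode FILE -> permission string such as -rw-------
key_mode() { ls -l "$1" | cut -c1-10; }

# Demo in a throwaway directory (for real use, pick a directory under /etc/ssl).
demo=$(mktemp -d)
make_selfsigned www.example.test "$demo" &&
  cert_matches_key "$demo/www.example.test.crt" "$demo/www.example.test.key" &&
  echo "SAN=$(cert_san "$demo/www.example.test.crt") key=$(key_mode "$demo/www.example.test.key")"
rm -rf "$demo"
```

In Apache the two files are then referenced with the mod_ssl directives SSLCertificateFile and SSLCertificateKeyFile.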

Hardware Tip: „Zero Euro“ decoupled hard drive („Zero Dollar“ hard drive acoustic decoupling)

Problem:

  • Hard drives hum inside the PC case; their vibrations are transmitted.
  • Hard drive rotations are transmitted by the case parts and acoustically amplified
  • Professional decoupling products cost up to 30 euros.
  • Professional parts cost up to 40 dollars per drive

Solution: „Zero Euro“ solution – „Zero Dollar“ solution

  • Hang the hard drives in the 5.25 inch drive bay on rubber rings from preserving jars
  • Hard drives mounted on the rubber rings of old preserving jars
archive raid harddrives

Linux FreeBSD: Protect your Disc Data against power loss

Problem: If you use IDE or SATA disk drives in your workstation or server without an additional uninterruptible power supply, then after a power loss your disk drives can lose data, fail to boot cleanly again, or end up with damaged drive headers and sectors.

Background: SATA or IDE drives use „disk cached controllers“; the size of this disk cache ranges from 8 to 64 megabytes. When data is written to disk, the disk controllers cache some data that is used often. A RAID 1 disk mirror is affected by this problem too. SCSI or SAS drives do not use a cache by default.

Solution:

Install the software tool hdparm to set the cache parameter to disabled, because most operating systems enable it by default.

  1. On Debian/Ubuntu: sudo aptitude install hdparm
  2. On CentOS/Red Hat: sudo yum install hdparm

Now list the installed disks:

  1. On Debian/Ubuntu: sudo fdisk -l
  2. On CentOS/Red Hat: sudo /sbin/sfdisk -l
  3. On FreeBSD: fdisk -l

Next, add the settings that disable the cache on every boot:

  1. On all Linux systems: sudo nano /etc/rc.local
  2. Insert for every drive:
    hdparm -W 0 /dev/sdX
    (X is for a to …)
  3. On FreeBSD: vi /etc/loader.conf
  4. Insert once for all drives:
    hw.ata.wc="0"

Remarks:

  1. If you have two drives of the same physical size in your PC, additionally configure an mdadm software RAID 1 on your system.
  2. Set the PC BIOS to boot automatically after a power failure, pull the power plug on your test system and check the results. A disk check with fsck should not be needed after the test, but it's better to run one.
  3. Hardware RAID controllers often have a RAM cache too, 128 MB up to 2 GB in size; at power loss this data is lost. This can only be prevented by an additional RAM cache backup battery connected to the hardware RAID controller.

 

Security Bug smeserver-phpmyadmin-multiuser-2.11.3-3.el4.sme.noarch.rpm

If you use:
smeserver-phpmyadmin-multiuser-2.11.3-3.el4.sme.noarch.rpm
and run db configuration setprop access private,
the login interface is public!!!
Please use the newer version:
smeserver-phpmyadmin-multiuser-2.11.9-XX.el4.sme.noarch.rpm

Sun Cobalt Linux „Bluequartz“ renamed to „Blueonyx“ (old Nuonce)

http://www.blueonyx.it

As the site above shows, the well-known old Sun Cobalt Linux (Bluequartz web interface + Sun Cobalt Linux) was redesigned over the last years by Nuonce, Strongbolt.uk and Solarspeed.net and is now built with:

  1. CentOS 5.2
  2. Blueonyx for new servers, x86 and AMD64

For the classic view, the nice old Sun theme is still available and easy to switch to in the user settings.

To CHANGE the Blueonyx login pictures to your beloved old view of the Sun Cobalt themes, download the theme pictures of the old Sun Cobalt here and copy them into the folder sausalito; see info.txt.

http://www.blueonyx.it Free Distribution for your Webservers