I have multiple chickens around the world, Germany (DE), Netherland (NL), Atlanta (US), Japan (JP).

Install Wireguard

I want to make all of them connected in a private network with software called Wireguard. First thing to do is, install wireguard on each VPS.

sudo apt update
sudo apt install wireguard -y

On each VPS, generate private key and public key and save it to the private network plan.

wg genkey | tee privatekey | wg pubkey > publickey

To check what's private key and public key code, you can try

cat /etc/wireguard/private.key
cat /etc/wireguard/public.key

Configure Wireguard

Start configure wireguard by create wg0.conf in /etc/wireguard

nano /etc/wireguard/wg0.conf

Take a look on this wg0.conf template. This is wg0.conf in VPS1.

The [Interface] part is configured on each VPS, and you can copy-paste the [Peer] part to VPS 2, VPS3, VPS4.

[Interface]
PrivateKey = <VPS1_PRIVATE_KEY>
Address = 192.168.1.1/24
ListenPort = 51820

[Peer]
PublicKey = <VPS2_PUBLIC_KEY>
Endpoint = <VPS2_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.2/32
PersistentKeepalive = 25

[Peer]
PublicKey = <VPS3_PUBLIC_KEY>
Endpoint = <VPS3_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.3/32
PersistentKeepalive = 25

[Peer]
PublicKey = <VPS4_PUBLIC_KEY>
Endpoint = <VPS4_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.4/32
PersistentKeepalive = 25

In VPS2 /etc/wireguard/wg0.conf, the [Interface] part is VPS2's private key while the [Peer] rest is VPS1, VPS3, VPS4 Endpoint and Public Key.

[Interface]
PrivateKey = <VPS2_PRIVATE_KEY>
Address = 192.168.1.2/24
ListenPort = 51820

[Peer]
PublicKey = <VPS1_PUBLIC_KEY>
Endpoint = <VPS1_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.1/32
PersistentKeepalive = 25

[Peer]
PublicKey = <VPS3_PUBLIC_KEY>
Endpoint = <VPS3_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.3/32
PersistentKeepalive = 25

[Peer]
PublicKey = <VPS4_PUBLIC_KEY>
Endpoint = <VPS4_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.4/32
PersistentKeepalive = 25

In VPS3 /etc/wireguard/wg0.conf, the [Interface] part is VPS3's private key while the [Peer] rest is VPS1, VPS2, VPS4 Endpoint and Public Key.

[Interface]
PrivateKey = <VPS3_PRIVATE_KEY>
Address = 192.168.1.3/24
ListenPort = 51820

[Peer]
PublicKey = <VPS1_PUBLIC_KEY>
Endpoint = <VPS1_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.1/32
PersistentKeepalive = 25

[Peer]
PublicKey = <VPS2_PUBLIC_KEY>
Endpoint = <VPS2_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.2/32
PersistentKeepalive = 25

[Peer]
PublicKey = <VPS4_PUBLIC_KEY>
Endpoint = <VPS4_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.4/32
PersistentKeepalive = 25

In VPS4 /etc/wireguard/wg0.conf, the [Interface] part is VPS3's private key while the [Peer] rest is VPS1, VPS2, VPS3 Endpoint and Public Key.

[Interface]
PrivateKey = <VPS4_PRIVATE_KEY>
Address = 192.168.1.4/24
ListenPort = 51820

[Peer]
PublicKey = <VPS1_PUBLIC_KEY>
Endpoint = <VPS1_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.1/32
PersistentKeepalive = 25

[Peer]
PublicKey = <VPS2_PUBLIC_KEY>
Endpoint = <VPS2_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.2/32
PersistentKeepalive = 25

[Peer]
PublicKey = <VPS3_PUBLIC_KEY>
Endpoint = <VPS3_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.3/32
PersistentKeepalive = 25

Enable IP Forwarding

IP forwarding is needed in WireGuard for routing network traffic between different networks. Each VPS needed to enable IP forwarding to make sure Wireguard can forward packet from one network interface to another.

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Start, Enable and Verify

On each VPS, you can start wireguard and enable it

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Ping each peer in VPS1-4

ping 192.168.1.1
ping 192.168.1.2
ping 192.168.1.3
ping 192.168.1.4

Verify connection with wg command:

root@dev1:~# wg
interface: wg0
  public key: XhKt0cj8i08RH6(hidden)1RlanzvPpLUbF2tEuGi42Y=
  private key: (hidden)
  listening port: 51820

peer: b8Z4BW7(hidden)mewbixy9BBUiFCfXT5bAOJOGegCk=
  endpoint: <VPS2_PUBLIC_KEY>:51820
  allowed ips: 192.168.1.2/32
  latest handshake: 32 seconds ago
  transfer: 771.45 KiB received, 511.61 KiB sent
  persistent keepalive: every 25 seconds

peer: rxrjgABUZL5Run(hidden)3DOwYk28L0jeoNyWFc=
  endpoint: <VPS4_PUBLIC_KEY>:51820
  allowed ips: 192.168.1.4/32
  latest handshake: 1 minute, 47 seconds ago
  transfer: 1.25 MiB received, 452.12 KiB sent
  persistent keepalive: every 25 seconds

peer: w8leUHPQwxt6u(hidden)2eNVqBZSledcCwzTZ+g7VU=
  endpoint: <VPS3_PUBLIC_KEY>:51820
  allowed ips: 192.168.1.3/32
  latest handshake: 2 minutes, 2 seconds ago
  transfer: 2.10 MiB received, 1.28 MiB sent
  persistent keepalive: every 25 seconds

Congrats, now you have full mesh private network connectivity with Wireguard.

You can also setup this quickly by add each VPS in Private Network connectivity with Tailscale, its free~

Several months have passed since my last post on March 2023: 100DaystoOffload, and now I'm going to write this September 2023 before I forget.

In this month, September 2023, I watched the legendary series: Breaking Bad. I watch this series season 1 to eps Felina (end of season 5) from the beginning of September, till the end of September this month.

Congratulations if you already have watched this series too! Yes, it should be called the Legendary series because it's 2010-2013. Oh man, it's A decade ago!

It all makes sense to me now, why the short videos and the memes of Breaking Bad are everywhere. Very popular and long last forever exists on the Internet.

via GIPHY

The story plot is good ⭐⭐⭐⭐⭐ (five-star for me), never makes me bored at all.

I loved the way the main character transforms way over the seasons, which is Walter White a.k.a Heisenberg from a lame bullyable chemist teacher to a Heisenberg, a man with a full ego, and arrogance; like he wants to be better than everyone else.

Despite his criminal mastermind, the reason he did it for the family, until on Season 5 last episode, he said that all of it, it was for him. He is being alive "alive" with the name of Heisenberg, because on his cancer that he have and he liked it very much.

and the other main character Jesse Pinkman with his well-known quote

• This ain't chemistry, this is art, cooking is an art and the s*** I cook is the bomb
• YESSSS, HELL YEAH
• “You don’t need a criminal lawyer. You need a criminal lawyer.”

and so on, you can check his line on other site.

Well, I can find other interesting characters too, like Hank, Saul Goodman, Gus Fring, Mike, Hector Salamanca, and Salamanca siblings. All actor has their own strong character. No wonder it's rated 9.5/10 in IMDB.

My favorite character is Gus Fring. A professional chicken man "Colonel Sanders" in the Breaking Bad series has side job (a big side job) which he always monitors and instructs the employees, including main characters to make baby-blue with his superlab.

See the way Gus Fring instruct and smiling to hide plain sight via GIPHY

I can describe a few words for him:

• a gentleman
• a professional businessman
• a good customer services, always serve with his smile "what can i do for you :) "
• a philanthrope
• an iconic actor
• wise choice of words
• even if he chose to not talk at all, his eyes said it all
• always maintain eye contact to overcome to everyone
• always 10 steps ahead of main character (until being trapped with hector salamanca)
• a good negotiator

um, maybe I guess I should continue watching Better Call Saul series to see his appearance again.

Update:

You should watch this series man, it's on Netflix!

JESSE : WE NEED TO COOK

this is my first attempt to create an english blog.

And I made it! I posted 100 posts in english on this blog about my hobbies, my work, and my journey. Let's wrap this up.

2 Reason

Around 2021, I read flaviocopes medium about "Every developer should have a blog. Here’s why, and how to stick with it."

Every developer should have a blog. Here’s why, and how to stick with it.

Interested in learning JavaScript? Get my JavaScript Handbook

We’ve moved to freeCodeCamp.org/newsFlavio Copes

He said that a developer's blog can "learn much faster and Kick start your career", and I believe it.

Giri Kuncoro (a CNCF ambassador) said on the webinar that contributing to Open Source can be a way to improve existing skills, meet people with similar interests, grow our reputation. [my blog post about it]

Perhaps it's similar to the path I choose, I tried to make a little contribution to the Internet with my blog post 🤩

and in December 2021 I found this 100 Days To Offload challenge, so I decided to begin to write starting 2022.

Tell us about your dog, your cat, your fish tank, or whatever hobbies you have. Someone will find it interesting. [100DaysToOffload]

Just. Write.

So, there are 2 reasons: Flaviocopes and 100DaysToOffload.

Popular Posts

Since I talk a lot about my hobbies and my work. I made my several posts into number one on specific keyword ranking on Google, such as:

• OR-CBAT-15 [Solving OR-CBAT-15 GCP free trial problem]
• Install RF Online on Windows Server [Install RF Online Private Server on Windows Server]

Some people trying to contact me on Instagram and Twitter directly about the post.

and my post [NFS and Tailscale] was featured in April 2022 Tailscale newsletter. Alhamdulillah (All praises due to Allah )

It's not through our own efforts alone but due to the abilities and talents given to us by Allah. ¹

Backlink never hurts

As time goes by, I run out of ideas as to what should I post. So I check nearby neighbors on the Internet to make me inspired to write again.

To appreciate them, I will put their link on my blog post (Yes it's a dofollow link, not nofollow) maybe can boost their SEO a bit.

To be continued

Anyway, I am confident enough to post about my hobbies or my work in english on this blog. (because with the help of Grammarly of course 🤣)

And Insya Allah, I will try to post again especially How To: Series but I don't know if it will be #100DaysToOffload part 2 like lazybear did.

Last but not least, thank you Kev for this challenge, and thank you guys on the Internet for reading my blog!

Notification is an essential part of setting up Fail2ban and setting up email notifications in Fail2ban requires a mail server to send emails.

I've tried to configure sendmail (following this tutorial) to send an email with smtp port but it requires many steps to be performed to start using it. And then I found out about sSMTP, it works but Archwiki said:

sSMTP is unmaintained. Consider using something like msmtp or OpenSMTPD instead. [Archwiki/ssmtp]

So I decided to use msmtp to make my ubuntu server send email easily.

Step 1: Installation of msmtp

I use Ubuntu (a Debian-based system), install msmtp with the following command:

sudo apt-get install msmtp msmtp-mta

The configuration file is as follows:

sudo nano /etc/msmtprc

and then use the following settings for smtp account:

defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        ~/.msmtp.log
account        myprofile
host           changeme.hostname.com
port           587
from           email@mydomain.com
user           email@mydomain.com
password       password
account default : myprofile
domain mydomain.com

Save the file, and change permission with chmod 600 /etc/msmtprc because the file contains the user and password in plain text.

Chmod 600 means that
(U)ser / owner can read, can write and can't execute.
(G)roup can't read, can't write and can't execute.
(O)thers can't read, can't write and can't execute.

next step is to configure Fail2ban

Step 2: Configure Fail2ban

Create a new action.d with the name msmtp-whois.conf

nano /etc/fail2ban/action.d/msmtp-whois.conf

and add the following code below:

# Fail2Ban configuration file
#
# MSMTP

[Definition]

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#

actionban =   printf %%b "Subject: [Fail2Ban] <name>: BANNED IP <ip>!
              Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
              From: <sendername> <<sender>>
              To: <destination>\n
              Hi,\n
              The jail <name> has banned ip <ip> after <failures> attempts against <name>.\n
              Here is some info about the IP: https://db-ip.com/<ip> \n
              Regards,\n
              Fail2Ban" | <mailcmd> <destination>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = printf %%b "Subject: [Fail2Ban] <name>: UNBANNED IP <ip>
              Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
              From: <sendername> <<sender>>
              To: <destination>\n
              Hi,\n
              Fail2ban has unbanned ip https://db-ip.com/<ip> successfully. \n
              Regards,\n
              Fail2Ban" | <mailcmd> <destination>

[Init]

# Your system mail command
#
mailcmd = /usr/bin/msmtp -a default

This fail2ban action will send an email notification whenever IPs get banned or unbanned.

Open your /etc/fail2ban/jail.local

nano /etc/fail2ban/jail.local

add the following in the [DEFAULT] section, if you want to send email notifications to all jails:

[DEFAULT]
...
mta = msmtp
action = %(action_mw)s[from=noreply@mydomain.com, sender=noreply@mydomain.com, destination=myother@otherdomain.com, sendername=Fail2Ban]

But if you want to send email notifications in only one specific jail, add action to the [jail] section.

Step 3: Let's try it out

I use this cf-wplogin jail from Fail2ban with Cloudflare tutorial to test.

Email result

Fail2ban successfully sends email notifications, and the email result will look like this:

problem:
- At this time I posted (20/03/2023) Gmail not receiving any my msmtp email, I am still this figuring out
- Resolved. Domain dkim, spf txt must been validated before sent mail.

Reference:

• technicalramblings.com
• sylvaindurand.org
• wiki.archlinux.org/title/msmtp

If you guys are interested more about configuring fail2ban notifications, you may read fail2ban notifications to pushover, telegram, or even to discord!

Thank you for reading!

And I found Pocket (getpocket.com) and realize it's already integrated with Firefox all this time (the web browser that I use).

To start saving links, just click the "Save to Pocket" button on the right of the current URL.

There are some open-source versions of "read it later" apps like wallabag and omnivore, maybe I'll try to deploy it in my spare time.

Thanks for reading!

In this case, I want to protect an app in Docker container with Fail2ban which uses Cloudflare CDN.

Prerequisites

This tutorial was adapted from my other fail2ban guide (Protect Wordpress Login in Docker container with Fail2Ban) and enables Cloudflare CDN "the orange cloud" on the subdomain. So, in order to follow these steps (Step 1, Step 2 and so on), you may adapt your jail config or deploy the same WP container first:

• Install Docker Engine (docs)
• A docker-compose wordpress-mysql (gists)
• Nginx proxy, if you deployed WP on a different port
• Install curl package with apt install curl

Protect Wordpress Login in Docker container with Fail2Ban

Protect Wordpress Login in Docker container with Fail2Ban - compose.yaml

Gist262588213843476

Step 1: Add a New Fail2ban Jail

Edit jail.local file:

sudo nano /etc/fail2ban/jail.local

Add a new jail named "cf-wplogin":

[cf-wplogin]

enabled = true
port = http,https
filter = wplogin
chain = DOCKER-USER
logpath = /var/lib/docker/containers/*/*-json.log
banaction = cloudflare-apiv4
            iptables-allports

Step 2: Create a Custom Fail2ban Filter

Create a new filter file : nano /etc/fail2ban/filter.d/wplogin.conf

[Definition]
failregex = {"log":"<HOST> -.*POST.*wp-login.php.*
ignoreregex =

Step 3: Create a Fail2ban action

Create a new action file: nano /etc/fail2ban/action.d/cloudflare-apiv4.conf

#
# Author: Gilbn from https://technicalramblings.com
# Adapted Source: https://github.com/fail2ban/fail2ban/blob/master/config/action.d/cloudflare.conf and https://guides.wp-bullet.com/integrate-fail2ban-cloudflare-api-v4-guide/
#
# To get your Cloudflare API key: https://dash.cloudflare.com/profile use the Global API Key
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:      IP address
#            number of failures
#            unix timestamp of the ban time
# Values:  CMD

actionban = curl -s -X POST "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules" \
            -H "X-Auth-Email: <cfuser>" \
            -H "X-Auth-Key: <cftoken>" \
            -H "Content-Type: application/json" \
            --data '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"Fail2ban <name>"}'

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:      IP address
#            number of failures
#            unix timestamp of the ban time
# Values:  CMD
#

actionunban = curl -s -X DELETE "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules/$( \
              curl -s -X GET "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules?mode=block&configuration_target=ip&configuration_value=<ip>&page=1&per_page=1&match=all" \
             -H "X-Auth-Email: <cfuser>" \
             -H "X-Auth-Key: <cftoken>" \
             -H "Content-Type: application/json" | awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/){print $(i+1);}}}' | tr -d '"' | sed -e 's/^[ \t]*//' | head -n 1)" \
             -H "X-Auth-Email: <cfuser>" \
             -H "X-Auth-Key: <cftoken>" \
             -H "Content-Type: application/json"

[Init]

# Name of the jail in your jail.local file. default = [jail name]
name = default

# Option: cfuser
# Notes.: Replaces <cfuser> in actionban and actionunban with cfuser value below
# Values: Your CloudFlare user account

cfuser = [email protected]

# Option: cftoken (Global API Key)
# Notes.: Replaces <cftoken> in actionban and actionunban with cftoken value below
# Values: Your CloudFlare API key 
cftoken = YOUR-API-KEY

As you can notice, the actionban and actionunban is curl command to cloudflare restapi.

You can get your cloudflare api key from your profile page. Use the "Global Api Key"

After adding a new jail, filter, and action, Fail2ban should be restarted. Restart fail2ban with:

sudo systemctl stop fail2ban
sudo systemctl start fail2ban

Step 4: Nginx

As I mentioned earlier, these steps adapted from (Protect Wordpress Login in Docker container with Fail2Ban) which a wordpress container running on 127.0.0.1 port 8080 and proxied to 80 with NGINX.

Next step is configuring nginx so that it won't just ban the Cloudflare CDN IP but the actual IP of the visitor. Create a file named cf-realip.conf in /etc/nginx/conf.d directory and add the following:

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

These IPs are Cloudflare's IPs, you can get the list at https://www.cloudflare.com/ips

And edit your main nginx.conf:

nano /etc/nginx/nginx.conf

Add the following code:

##
# CF Real IP
##
include /etc/nginx/conf.d/cf-realip.conf;
real_ip_header X-Forwarded-For;

restart your nginx with:

service nginx restart

Step 5: Let's try it out!

Check the jail status with the following command:

fail2ban-client status cf-wplogin

Output:
root@server:~# fail2ban-client status cf-wplogin
Status for the jail: cf-wplogin
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/lib/docker/containers/599f2f26530ec5b26cbd5d542a3034ef6f54fdd78b32587ef7e33f8518e2493d/599f2f26530ec5b26cbd5d542a3034ef6f54fdd78b32587ef7e33f8518e2493d-json.log
 /var/lib/docker/containers/d1dbe55aed91c1f2e4095eb05a5a14dd0750e13b88e49b9786623e5903c22dc6/d1dbe55aed91c1f2e4095eb05a5a14dd0750e13b88e49b9786623e5903c22dc6-json.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

And the last step, let's try creating an error to trigger fail2ban jail with open your wordpress login in your web browser:

If you are trying to access other subdomain, cloudflare will display this error 1006 Access Denied, because your IP has been banned entirely.

List Blocked IP

To get a list of blocked IPs in your server, run the following command:

fail2ban-client status cf-wplogin

Output:
root@server:~# fail2ban-client status cf-wplogin
Status for the jail: cf-wplogin
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     3
|  `- File list:        /var/lib/docker/containers/599f2f26530ec5b26cbd5d542a3034ef6f54fdd78b32587ef7e33f8518e2493d/599f2f26530ec5b26cbd5d542a3034ef6f54fdd78b32587ef7e33f8518e2493d-json.log
 /var/lib/docker/containers/d1dbe55aed91c1f2e4095eb05a5a14dd0750e13b88e49b9786623e5903c22dc6/d1dbe55aed91c1f2e4095eb05a5a14dd0750e13b88e49b9786623e5903c22dc6-json.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list: 192.168.0.6

You can also check the list of banned IP on Cloudflare dashboard -> Your domain -> Security -> WAF (Web Application Firewall) -> Tools

Unblock IP

To unblock banned IPs, run the following command:

fail2ban-client set cf-wplogin unbanip 192.168.0.6

Reference:

• technicalramblings.com

Thank you for reading!

Step 1: Add a New Fail2ban Jail

Edit jail.local file:

sudo nano /etc/fail2ban/jail.local

Add a new jail "wplogin" if it doesn't exist:

[wplogin]

enabled = true
port = http,https
filter = wplogin
chain = DOCKER-USER
logpath = /var/lib/docker/containers/*/*-json.log
banaction = docker-action

Step 2: Create a Custom Fail2ban Filter

Create a new filter file on /etc/fail2ban/filter.d/wplogin.conf

[Definition]
failregex = {"log":"<HOST> -.*POST.*wp-login.php.*
ignoreregex =

Step 3: Create a Fail2ban action

Create a new action file: nano /etc/fail2ban/action.d/docker-action.conf

[Definition]

actionstart = iptables -N f2b-wplogin
              iptables -A f2b-wplogin -j RETURN
              iptables -I INPUT -p tcp -m multiport --dports 80,443 -j f2b-wplogin

actionstop = iptables -D INPUT -p tcp -m multiport --dports 80,443 -j f2b-wplogin
             iptables -F f2b-wplogin
             iptables -X f2b-wplogin

actioncheck = iptables -n -L INPUT | grep -q 'f2b-wplogin[ \t]'

actionban = iptables -I f2b-wplogin 1 -s <ip> -j DROP

actionunban = iptables -D f2b-wplogin -s <ip> -j DROP

After adding a new jail, filter, and action, Fail2ban should be restarted. Restart fail2ban with:

sudo systemctl stop fail2ban
sudo systemctl start fail2ban

Step 4: Let's try it out!

Like the other tutorials [nginx-auth, and mysql-auth], we need to test Fail2ban policies to ensure they block traffic as expected.

In order to test it, you need to:

• Install Docker Engine (docs)
• A docker-compose wordpress-mysql (gists)
• Nginx proxy, if you deployed WP on a different port

Protect Wordpress Login in Docker container with Fail2Ban

Protect Wordpress Login in Docker container with Fail2Ban - compose.yaml

Gist262588213843476

After the container was deployed, we can check the list of docker containers using:

root@server:~/wp# docker ps -a
CONTAINER ID   IMAGE                  COMMAND                  CREATED          STATUS          PORTS                                   NAMES
9c269ebb7a16   wordpress:latest       "docker-entrypoint.s…"   12 minutes ago   Up 12 minutes   0.0.0.0:8080->80/tcp, :::8080->80/tcp   wp-wordpress-1
5ece75d940d0   mariadb:10.6.4-focal   "docker-entrypoint.s…"   12 minutes ago   Up 12 minutes   3306/tcp, 33060/tcp                     wp-db-1

You can see my WP container ID is 9c269ebb7a16

Now, check the jail status with the following command:

root@server:~/wp#  fail2ban-client status wplogin
Status for the jail: wplogin
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/lib/docker/containers/9c269ebb7a16e891383c388b7eeb21f6cdb01e803c33508ba39d6153991e9a5f/9c269ebb7a16e891383c388b7eeb21f6cdb01e803c33508ba39d6153991e9a5f-json.log
 /var/lib/docker/containers/5ece75d940d06a39b0e7de6b65548080735982b1276bca19f802bbbea9851b2c/5ece75d940d06a39b0e7de6b65548080735982b1276bca19f802bbbea9851b2c-json.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

My Fail2ban log path/file list matches with my wp and mysql container.

Now open your wordpress site, and install wordpress as usual (like http://yourdomain.com/wp-admin/install.php) until you can log in on wp-login.php.

And the last step, let's try creating an error to trigger fail2ban jail.

List Blocked IP

To get a list of blocked IPs in your server, run the following command:

fail2ban-client status wplogin

Output
root@server:~/wp# fail2ban-client status wplogin
Status for the jail: wplogin
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     6
|  `- File list:        /var/lib/docker/containers/6390d681392a6a38830f51e8fb5ea7e9c8c3a2fedc57383de3fe816f2d8838d6/6390d681392a6a38830f51e8fb5ea7e9c8c3a2fedc57383de3fe816f2d8838d6-json.log /var/lib/docker/containers/b344eed0327b7645da323249b8d44c5d19e403f87a441840d8da9301734dab13/b344eed0327b7645da323249b8d44c5d19e403f87a441840d8da9301734dab13-json.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.0.6

Unblock IP

To unblock banned IPs, run the following command

fail2ban-client set wplogin unbanip 192.168.0.6

Thanks for reading!

Reference:

• https://www.the-lazy-dev.com/en/install-fail2ban-with-docker/ (a bit inaccurate, fixed by fail2ban wiki)

NGINX does not provide a compiled brotli module for their open-source version. This means that you will need to compile the NGINX brotli module from the source. But on this article, you can easily install nginx with brotli without compiling from source.

Install NGINX with Brotli

To install NGINX with Brotli easily without compiling as an advanced user does, I recommend installing it with ppa: sury.

add-apt-repository ppa:ondrej/nginx
apt update

Install nginx as usual with:

apt install nginx

Your ubuntu machine should be installed nginx with latest stable version, check it with:

nginx -V

Output:

nginx -V
nginx version: nginx/1.26.2
built with OpenSSL 3.0.13 30 Jan 2024
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/build/nginx-do1QBJ/nginx-1.26.2=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/build/nginx-do1QBJ/nginx-1.26.2=/usr/src/nginx-1.26.2-1+ubuntu24.04.1+deb.sury.org+1 -fPIC -Wdate-time -D_FORTIFY_SOURCE=3' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_v3_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-http_geoip_module=dynamic --with-http_image_filter_module=dynamic --with-http_perl_module=dynamic --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --with-stream_geoip_module=dynamic

Install libnginx-mod-brotli

apt install libnginx-mod-brotli

If you found an error E: Package 'libnginx-mod-brotli' has no installation candidate, you can try to install

apt install libnginx-mod-http-brotli-filter libnginx-mod-http-brotli-static

on main configuration file nginx.conf http block { ... } , copy and paste the following contents into the editor:

nano /etc/nginx/nginx.conf

# Enable brotli
brotli on;
brotli_static on;
brotli_comp_level 6;

# File types to compress
brotli_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;

Test nginx with:

nginx -t

Output:
root@server:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart nginx with

service nginx restart

Testing

I need to test this nginx to confirm that brotli compressing is working as i expected. So, on this testing section, i will create a new simple nginx host, issue Let's encrypt SSL on it, and check with curl if brotli enabled or not.

Create a new nginx host conf in /etc/nginx/conf.d

nano /etc/nginx/conf.d/newhost.conf

server {
    listen 80;
    server_name brotli.ns2.my.id;

root /var/www/html;
index index.nginx-debian.html;
location / {
                try_files $uri $uri/ =404;
        }
}

• Replace my server_name brotli.ns2.my.id to your domain name.

After added a new simple nginx host with listen port 80 (http port), install certbot-nginx to easy issue SSL with Let's encrypt SSL and rewrite it to https enabled nginx host config.

sudo apt-add-repository -r ppa:certbot/certbot
sudo apt install -y certbot python3-certbot-nginx

Issue SSL with:

certbot --nginx -d brotli.ns2.my.id

• Replace brotli.ns2.my.id to your domain name

Output
root@server:# certbot --nginx -d brotli.ns2.my.id
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for brotli.ns2.my.id

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/brotli.ns2.my.id/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/brotli.ns2.my.id/privkey.pem
This certificate expires on 2025-04-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in t                        he background.

Deploying certificate
Successfully deployed certificate for brotli.ns2.my.id to /etc/nginx/conf.d/newhost.conf
Congratulations! You have successfully enabled HTTPS on https://brotli.ns2.my.id

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

SSL has been deployed by certbot, and the previous nginx host config has been rewrited to redirect HTTP to HTTPS, and only use HTTPS.

root@server:# cat brotli.conf
server {
    server_name brotli.ns2.my.id;

root /var/www/html;
index index.nginx-debian.html;
location / {
                try_files $uri $uri/ =404;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/brotli.ns2.my.id/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/brotli.ns2.my.id/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = brotli.ns2.my.id) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name brotli.ns2.my.id;
    return 404; # managed by Certbot

We'll use curl to make tell the server that we want brotli compression -H 'Accept-Encoding: br' and then to only print the connection headers -I of the server’s response:

root@server:# curl -H 'Accept-Encoding: br' -I https://brotli.ns2.my.id
HTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Mon, 20 Jan 2025 08:15:57 GMT
Content-Type: text/html
Last-Modified: Tue, 17 Dec 2024 06:17:12 GMT
Connection: keep-alive
ETag: W/"67611768-267"
Content-Encoding: br

If Content-Encoding: br printed, your nginx has successfully enabled brotli compression. That's it!

Thank you for reading!

Example yabs result:

root@us:~# curl -sL yabs.sh | bash
## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##
Yet-Another-Bench-Script
v2023-02-27
https://github.com/masonr/yet-another-bench-script
## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##

Fri Mar 10 04:30:37 UTC 2023
Basic System Information:

Uptime : 0 days, 15 hours, 30 minutes
Processor : AMD EPYC 7551P 32-Core Processor
CPU cores : 1 @ 1999.999 MHz
AES-NI : ✔ Enabled
VM-x/AMD-V : ❌ Disabled
RAM : 969.5 MiB
Swap : 0.0 KiB
Disk : 902.3 GiB
Distro : Ubuntu 22.04.1 LTS
Kernel : 5.15.0-46-generic
VM Type : KVM
Basic Network Information:

Protocol : IPv6
ISP : HostHatch
ASN : AS63473 HostHatch, LLC
Host : HostHatch LLC
Location : Los Angeles, California (CA)
Country : United States
fio Disk Speed Tests (Mixed R/W 50/50):
Block Size 	4k (IOPS) 	64k (IOPS)
Read 	6.88 MB/s (1.7k) 	68.66 MB/s (1.0k)
Write 	6.90 MB/s (1.7k) 	69.07 MB/s (1.0k)
Total 	13.79 MB/s (3.4k) 	137.74 MB/s (2.1k)
		
Block Size 	512k (IOPS) 	1m (IOPS)
------ 	--- ---- 	---- ----
Read 	192.32 MB/s (375) 	181.73 MB/s (177)
Write 	202.54 MB/s (395) 	193.83 MB/s (189)
Total 	394.86 MB/s (770) 	375.56 MB/s (366)
iperf3 Network Speed Tests (IPv4):
Provider 	Location (Link) 	Send Speed 	Recv Speed 	Ping
Clouvider 	London, UK (10G) 	1.26 Gbits/sec 	1.40 Gbits/sec 	
Scaleway 	Paris, FR (10G) 	1.19 Gbits/sec 	busy 	145 ms
NovoServe 	North Holland, NL (40G) 	1.31 Gbits/sec 	busy 	148 ms
Uztelecom 	Tashkent, UZ (10G) 	845 Mbits/sec 	675 Mbits/sec 	240 ms
Clouvider 	NYC, NY, US (10G) 	1.94 Gbits/sec 	busy 	59.5 ms
Clouvider 	Dallas, TX, US (10G) 	3.19 Gbits/sec 	4.62 Gbits/sec 	29.2 ms
Clouvider 	Los Angeles, CA, US (10G) 	3.66 Gbits/sec 	4.84 Gbits/sec 	0.791 ms
iperf3 Network Speed Tests (IPv6):
Provider 	Location (Link) 	Send Speed 	Recv Speed 	Ping
^PClouvider 	London, UK (10G) 	busy 	busy 	
Scaleway 	Paris, FR (10G) 	1.43 Gbits/sec 	1.16 Gbits/sec 	152 ms
NovoServe 	North Holland, NL (40G) 	1.17 Gbits/sec 	1.20 Gbits/sec 	151 ms
Uztelecom 	Tashkent, UZ (10G) 	782 Mbits/sec 	669 Mbits/sec 	238 ms
Clouvider 	NYC, NY, US (10G) 	2.38 Gbits/sec 	2.90 Gbits/sec 	59.0 ms
Clouvider 	Dallas, TX, US (10G) 	3.97 Gbits/sec 	3.79 Gbits/sec 	29.0 ms
Clouvider 	Los Angeles, CA, US (10G) 	6.62 Gbits/sec 	4.78 Gbits/sec 	0.531 ms

Geekbench test failed and low memory was detected. Add at least 1GB of SWAP or use GB4 instead (higher compatibility with low memory systems).

YABS completed in 11 min 29 sec
root@usbackup:~# curl -sL yabs.sh | bash

How to fix

As we can see on my benchmark result, my ubuntu template didn't come with a swap (0.0 KiB). So to fix this error, add at least 1 GB of swap. Add swap with this method:

First, create a file that will be used as a swap:

sudo fallocate -l 2G /swapfile

Set the file permissions to 600 to prevent regular users to write and read the file:

sudo chmod 600 /swapfile

Create a Linux swap area on the file:

sudo mkswap /swapfile

Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)
no label, UUID=fde7d2c8-06ea-400a-9027-fd731d8ab4c8

Activate the swap file by running the following command:

sudo swapon /swapfile

Verify that the swap is active by using either the swapon or the freecommand, as shown below:

sudo swapon --show

Output
root@us:~# sudo swapon --show
NAME      TYPE SIZE USED PRIO
/swapfile file   2G  44M   -2

As we can see, I added a 2GB Swap while my ram is 1GB.

However, if we reboot, the server will not retain the swap settings automatically. To make it permanent, add the swap file to our /etc/fstab file.

Back up the /etc/fstab file in case anything goes wrong:

sudo cp /etc/fstab /etc/fstab.bak

Add the swap file information to the end of your /etc/fstab file by typing:

/swapfile swap swap defaults 0 0

Re-run yabs script

Ran yabs script to benchmark again with:

curl -sL yabs.sh | bash

root@usbackup:~# curl -sL yabs.sh | bash
# ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## #
#              Yet-Another-Bench-Script              #
#                     v2023-02-27                    #
# https://github.com/masonr/yet-another-bench-script #
# ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## #

Sat Mar 11 12:52:04 UTC 2023

Basic System Information:
---------------------------------
Uptime     : 1 days, 5 hours, 24 minutes
Processor  : AMD EPYC 7551P 32-Core Processor
CPU cores  : 1 @ 1999.999 MHz
AES-NI     : ✔ Enabled
VM-x/AMD-V : ❌ Disabled
RAM        : 981.2 MiB
Swap       : 2.0 GiB
Disk       : 902.3 GiB
Distro     : Ubuntu 20.04.3 LTS
Kernel     : 5.4.0-91-generic
VM Type    : KVM

Basic Network Information:
---------------------------------
Protocol   : IPv6
ISP        : HostHatch
ASN        : AS63473 HostHatch, LLC
Host       : HostHatch LLC
Location   : Los Angeles, California (CA)
Country    : United States

fio Disk Speed Tests (Mixed R/W 50/50):
---------------------------------
Block Size | 4k            (IOPS) | 64k           (IOPS)
  ------   | ---            ----  | ----           ----
Read       | 6.35 MB/s     (1.5k) | 55.53 MB/s     (867)
Write      | 6.35 MB/s     (1.5k) | 56.09 MB/s     (876)
Total      | 12.71 MB/s    (3.1k) | 111.62 MB/s   (1.7k)
           |                      |
Block Size | 512k          (IOPS) | 1m            (IOPS)
  ------   | ---            ----  | ----           ----
Read       | 173.30 MB/s    (338) | 230.71 MB/s    (225)
Write      | 182.50 MB/s    (356) | 246.07 MB/s    (240)
Total      | 355.81 MB/s    (694) | 476.78 MB/s    (465)

iperf3 Network Speed Tests (IPv4):
---------------------------------
Provider        | Location (Link)           | Send Speed      | Recv Speed      | Ping
-----           | -----                     | ----            | ----            | ----
Clouvider       | London, UK (10G)          | 1.00 Gbits/sec  | 1.41 Gbits/sec  |
Scaleway        | Paris, FR (10G)           | 1.52 Gbits/sec  | busy            | 144 ms
NovoServe       | North Holland, NL (40G)   | 1.33 Gbits/sec  | 1.10 Gbits/sec  | 148 ms
Uztelecom       | Tashkent, UZ (10G)        | 638 Mbits/sec   | 468 Mbits/sec   | 243 ms
Clouvider       | NYC, NY, US (10G)         | busy            | busy            | 58.2 ms
Clouvider       | Dallas, TX, US (10G)      | 3.25 Gbits/sec  | 4.79 Gbits/sec  | 29.2 ms
Clouvider       | Los Angeles, CA, US (10G) | 3.54 Gbits/sec  | busy            | 0.994 ms

iperf3 Network Speed Tests (IPv6):
---------------------------------
Provider        | Location (Link)           | Send Speed      | Recv Speed      | Ping
-----           | -----                     | ----            | ----            | ----
Clouvider       | London, UK (10G)          | busy            | busy            |
Scaleway        | Paris, FR (10G)           | busy            | busy            | 152 ms
NovoServe       | North Holland, NL (40G)   | 1.17 Gbits/sec  | 1.12 Gbits/sec  | 148 ms
Uztelecom       | Tashkent, UZ (10G)        | busy            | 589 Mbits/sec   | 243 ms
Clouvider       | NYC, NY, US (10G)         | busy            | busy            | 58.1 ms
Clouvider       | Dallas, TX, US (10G)      | 3.42 Gbits/sec  | 3.52 Gbits/sec  | 28.8 ms
Clouvider       | Los Angeles, CA, US (10G) | 7.18 Gbits/sec  | 6.23 Gbits/sec  | 0.686 ms

Geekbench 6 Benchmark Test:
---------------------------------
Test            | Value
                |
Single Core     | 486
Multi Core      | 276
Full Test       | https://browser.geekbench.com/v6/cpu/495970

Thanks for reading!

Step 1: Add a New Fail2ban Jail

Edit jail.local file:

sudo nano /etc/fail2ban/jail.local

Add a new jail "nginx-http-auth" if it doesn't exist:

[nginx-http-auth]

enabled  = true
port     = http,https
logpath = %(nginx_error_log)s

After saving jail.local file, restart fail2ban with:

sudo systemctl restart fail2ban

Step 2: Create a htpasswd

To start out with nginx authentication, you need to install apache2-utils package which serves the htpasswd utility.

Install the apache2-utils package on your server by typing:

sudo apt update
sudo apt install apache2-utils

Now, you have access to the htpasswd command. Specify a username at the end of the command to create a new entry within the file:

sudo htpasswd -c /etc/nginx/.htpasswd ariq

You will be asked to supply and confirm a password for the user.

To add additional users on the same .htpasswd file, leave out the -c :

sudo htpasswd /etc/nginx/.htpasswd admin

Let's see the contents of the file with cat:

cat /etc/nginx/.htpasswd

Output:

root@server:~# cat /etc/nginx/.htpasswd
ariq:$apr1$x98Xk7n4$3wl.6fw6zpdHUUSfzYdv7/
admin:$apr1$mdVddE52$v5H7E9GEENz0NgWxEAjah1

To begin setting up nginx authentication, add auth_basic and auth_basic_user_file on your active nginx virtual host. For example, I added on /etc/nginx/conf.d/default.conf :

server {
  server_name pma.ns2.my.id;
  root /var/www/html/;
  index index.php index.html;

  auth_basic "Restricted Content";
   auth_basic_user_file /etc/nginx/.htpasswd;

  location / {
    try_files $uri $uri/ /index.php;
  }

Step 3: Let's try it out!

Let's try creating an error to trigger fail2ban jail.

Open phpmyadmin url on a web browser, and then fill wrong input on username and password twice.

List Blocked IP

To get a list of blocked IPs in your server, run the following command:

fail2ban-client status nginx-http-auth

Unblock IP

To unblock banned IPs, run the following command

fail2ban-client set nginx-http-auth unbanip 111.222.333.444

Thanks for reading!

I used Unsplash as a cover on a post a long time ago, and sometimes scroll to see the best work of experts.

So I decided to upload some photos with my device, but I didn't know the photos I uploaded should be reviewed first by the Unsplash team.

The recently uploaded photos are tagged as "In Review". It takes around 24 hours to review, as stated by their community staff:

Photos are usually assessed for curation and discoverability by the Editorial Team within 24 hours, however this time may be slightly longer if there’s a higher than average number of submissions. https://medium.com/unsplash/unsplash-submissions-101-b06b59a640d

Most of my photos were accepted while 2 of them were flagged and can't be published in Unsplash.

Your recent photo submission

Hey Ariq,

Thanks for submitting to Unsplash!

We wanted to let you know that unfortunately our system flagged your recent submission since it didn’t meet the guidelines - specifically the image quality and/or editing.

Due to the high volume of submissions, we are unable to give specific critique or feedback on individual photos, however here's a list of the most common reasons that may apply in this case:

    Unclear photos
    Photos containing excess pixelation or spotting
    Selfies
    Extreme angles
    Excessive sun glare, ‘Blown out’ sky
    Under or overexposed images
    Heavy vignetting
    Excessive grain
    Excessive use of filters
    Over-sharpened
    Over-saturated
    Picking single colors out on black and white photos
    Noise from over-editing
    Over-smoothing

You can read all submission guidelines here.

Discover handy resources.

Thanks for your understanding,

— The Unsplash Team 

Check out my Unsplash page here:

Ariq Naufal (@naufdotal) | Unsplash Photo Community

See 6 of the best free to download photos, images, and wallpapers by Ariq Naufal on Unsplash.

UnsplashUnsplash

Thank you for reading.

Since I have a remote mysql server that the public (Internet) can connect to, I've been wondering how to protect mysql auth with Fail2ban.

We have discussed Protect SSH with Fail2Ban in the previous post.

I have crawled google about this too and found this one [Setup mysqld-auth jail di fail2ban], but it's not relevant to my latest mariadb (mariadb 10.6), the default log still on /var/log/syslog.  

So, I am writing this one, maybe it could help someone (and for a note to myself):

Add a New Fail2ban Jail

Edit jail.local file:

sudo nano /etc/fail2ban/jail.local

Add a new jail if it doesn't exist:

[mysqld-auth]
enabled = true
port     = 3306
log-error = /var/log/syslog
logpath = /var/log/syslog
backend  = %(mysql_backend)s

I found out why my mariadb 10.6 is still using var/log/syslog to log rather than /var/log/mysql/error.log on /etc/mysql/mariadb.conf.d file, there is a comment:

# When running under systemd, error logging goes via stdout/stderr to journald
# and when running legacy init error logging goes to syslog due to
# /etc/mysql/conf.d/mariadb.conf.d/50-mysqld_safe.cnf
# Enable this if you want to have error logging into a separate file
#log_error = /var/log/mysql/error.log

After save jail.local, restart fail2ban with:

sudo systemctl restart fail2ban

It is important to test your Fail2ban policies to ensure they block traffic as expected. So I tested it.

root@sql2:~# fail2ban-client status mysqld-auth
Status for the jail: mysqld-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     3
|  `- File list:        /var/log/syslog
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.0.6

The banned IP list can't connect the remote database server with port 3306 but still can connect to other normal ports like ssh, or http/https ports.

Unblock IP

To unblock banned IPs, run the following command

fail2ban-client set mysqld-auth unbanip 192.168.0.6

Thanks for reading!

And this guide will help you to enable remote access MySQL, so in case you want to build a dedicated database server and make it another server (for example web server) to connect your database server.

Step 1: Create a Remote MySQL User

We need to create a remote mysql user to allow connect it to our database server, open mysql root session with:

mysql -u root

and execute the following query:

CREATE USER 'newremoteuser'@'%' IDENTIFIED BY 'remote_password';

Step 2: Remote Access MariaDB

After we installed the latest MariaDB server (I've posted this tutorial here), open the configuration of your mariadb (my version MariaDB 10.6) with your favorite editor:

nano /etc/mysql/mariadb.conf.d/50-server.cnf

Scroll until you find bind-address, replace it with:

bind-address            = 0.0.0.0

save it with CTRL+X and Y.

Restart your mysql / mariadb server with the following command:

service mysql restart

Step 3: Check Remote Access

To start to check remote access of your database server is successfully configured or not, first log in to another server (for example web server). Install mariadb-client if you don't install it before, use the following command in the ssh session:

mysql -u newremoteuser -p -h 47.44.44.44 -P 3306

Optional: Check Firewall

If you are using default firewall Uncomplicated Firewall (UFW), use the following command to allow IP to connect remote mysql your database server:

sudo ufw allow from 192.168.0.6 to any port 3306

If you are using Config Server Firewall (CSF), make sure to add port 3306 on an incoming connection (TCP_IN)  (UDP_IN) to allow everyone on the Internet to connect remotely mysql your database server.

Or, you can add whitelisted IP on /etc/csf/csf.allow file:

tcp|in|d=3306|s=192.168.0.6
udp|in|d=3306|s=192.168.0.6

Restart CSF with csf -r command to apply the configuration.

Thanks for reading!