Block unauthorized OpenVPN logins using fail2ban

Monitoring a server can be a lot of work, but thankfully handy tools like fail2ban or logwatch make the task a lot easier. Fail2ban, for example, monitors the log files of services running on your system and blocks the source address of incoming connections when it detects a break-in attempt (using iptables or hosts.deny). Detection rules need to be defined as regex filters, and while a great number of templates are already available for the most-used services (Apache, SSH, etc.), OpenVPN thus far has not been included. Setting this up isn’t too difficult, though.

Create a file openvpn.conf in /etc/fail2ban/filter.d/ with the following content:

[Definition]
failregex = [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*
     [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*
     [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*

Set up a local configuration file for fail2ban by running cp -ivra /etc/fail2ban/jail.conf /etc/fail2ban/jail.local, then open /etc/fail2ban/jail.local and add the following at the end of the file:

[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
logpath = /var/log/syslog
maxretry = 3

Finally, run /etc/init.d/fail2ban restart to restart fail2ban and make the changes take effect. Note that this set-up assumes that your OpenVPN server logs go to syslog. Also note that, in case you want to modify the filter rules, each failregex line must contain the <HOST> tag, otherwise even valid regex rules will not work, since fail2ban won’t know which address to block (use the fail2ban-regex tool to check if your detection rules are working: fail2ban-regex logfile.log /etc/fail2ban/filter.d/openvpn.conf).
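As an added example (not part of the original post), here is a small Python script that does for the filter above what fail2ban-regex does: it substitutes <HOST> with a capture group (IPv4 only, a simplification of fail2ban's real <HOST> pattern), rejects any rule that lacks <HOST>, runs the three rules over a few constructed syslog lines and reports which addresses have reached maxretry = 3. The log lines and addresses are sample values, not from a real server.

```python
import re
from collections import Counter

# The three failregex lines from openvpn.conf above. fail2ban replaces <HOST>
# with a pattern for IPv4/IPv6/hostnames; this example simplifies to IPv4.
FAILREGEX = [
    r"[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*",
    r"[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*",
    r"[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*",
]
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_filter(patterns):
    """Compile the rules; a rule without <HOST> is rejected, as in fail2ban."""
    compiled = []
    for pattern in patterns:
        if "<HOST>" not in pattern:
            raise ValueError("failregex lacks <HOST>: " + pattern)
        compiled.append(re.compile(pattern.replace("<HOST>", HOST_GROUP)))
    return compiled

def failed_hosts(lines, patterns=FAILREGEX):
    """Map each source address to the number of syslog lines matching a rule."""
    rules = compile_filter(patterns)
    counts = Counter()
    for line in lines:
        for rule in rules:
            match = rule.search(line)
            if match:
                counts[match.group("host")] += 1
                break  # one hit per line, like fail2ban
    return counts

def hosts_to_ban(lines, maxretry=3):
    """Addresses that reached maxretry (jail.local above uses maxretry = 3)."""
    return sorted(h for h, n in failed_hosts(lines).items() if n >= maxretry)

# Constructed syslog lines (sample addresses, not from a real server).
SAMPLE_LOG = """\
Apr 14 10:01:02 vpn ovpn-server[1234]: 198.51.100.7:51234 TLS Auth Error: TLS object -> incoming plaintext read error
Apr 14 10:01:09 vpn ovpn-server[1234]: 198.51.100.7:51235 VERIFY ERROR: depth=0, error=certificate has expired
Apr 14 10:01:15 vpn ovpn-server[1234]: 198.51.100.7:51236 TLS Error: TLS handshake failed
Apr 14 10:02:00 vpn ovpn-server[1234]: 203.0.113.9:40001 TLS Error: TLS handshake failed
Apr 14 10:02:30 vpn ovpn-server[1234]: 203.0.113.9:40002 Peer Connection Initiated
""".splitlines()

if __name__ == "__main__":
    print(dict(failed_hosts(SAMPLE_LOG)), hosts_to_ban(SAMPLE_LOG))
```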

You can set up fail2ban to email you each time there has been a break-in attempt by further editing the parameters in jail.local. Personally, however, I prefer a less intrusive solution based on logwatch. Logwatch is another programme that monitors log files on your system, but its job is to email you daily (or weekly, monthly, etc.) summaries of them. A simple way to make this set-up both convenient and secure is by setting up logwatch to monitor fail2ban logs, deliver summaries to a local inbox and run a little batch script via a cron-job to fetch these messages, encrypt them and send them to your actual email address.

Links

You may also want to check out refiddle to help you with those regular expressions.

LyX CJK set-up based on XeTeX and xeCJK

I have recently been playing around with LyX and XeTeX, a Unicode extension for TeX, to find a set-up that allows me to switch easily between various East Asian languages without entering LaTeX code. With the help of a few friends, the xeCJK manual and Richard Heck over at the LyX Mailing List, I was able to define LyX Text Styles for Chinese (Simplified and Traditional text), Japanese and Korean that can be selected via the context menu right from within LyX itself, allowing me to focus on the content of my writing and leaving the worrying about Unihan issues to someone else :-)

I decided to leave the file as it is and not go through the settings step-by-step, since this would make a rather lengthy post. Interested users can study the file depending on their familiarity with LyX and LaTeX, e.g. novice users may use it as a template for their own documents, whereas more experienced users may find it useful to study CJK set-ups for LaTeX or LyX Local Layouts. In any case, here are the files:

Note that this document uses the Microsoft default serif CJK fonts (SimSun and PMingLiU, MS Mincho and Batang), so make sure you have them installed before compiling. Depending on your needs, you may prefer a free alternative (e.g. AR PL UMing CN and AR PL UMing TW, Kochi Mincho, Unbatang), or the more modern-looking sans-serif Windows 7/Vista default fonts: Microsoft YaHei, Microsoft JhengHei, Meiryo, Malgun Gothic. Fonts are defined in the Document Preamble (Document -> Settings -> Preamble).

Open XMPP Alternatives to Google Talk

After Google’s much-publicised decision to replace Google Talk with Hangouts and drop XMPP support in the process, many people have been looking for alternative XMPP servers that allow connecting through standards-based clients and support federation with other servers. Here are a few servers I recommend:

  • Jabber.org – Jabber.org is the first XMPP server and has been in continuous operation since 1999. It originally hosted much of the community and development of the XMPP protocol. I’ve used this server on and off over the last couple of years, but have found it somewhat prone to errors. But in the ever-changing world of XMPP services, Jabber.org has remained a constant, which deserves credit.
  • DuckGo.com – Released only a few days ago by the folks at DuckDuckGo, this public XMPP server is relatively new, so there is not much that can be said about their quality of service yet. Given DuckDuckGo’s active community of developers and commitment to the principles of free software, they have the potential to become one of the most popular servers out there.
  • Jabber.ccc.de – Hosted by the German hackers association Chaos Computer Club, this is one of the most popular XMPP servers in Germany. The server is well-maintained and uptime is excellent, so there are generally very few issues. Although their website is available in German only, account registration works the same as on any other XMPP server, so there shouldn’t be any problems for international users. Highly recommended.
  • Jabber.fsfe.org – Of course, I’d be negligent not to point out our own XMPP server, which is available to all Fellows of the FSFE. Next to an @fsfe.org email alias, an OpenPGP smart card and access to the FSFE blogging platform, this is one of the goodies you get as a fellow of the FSFE.
  • Gultsch.de server compliance ranking – (added 2017-04-14) A great overview of different XMPP servers and their features.
  • Conversations.im – (added 2017-04-14) The people behind the great Android XMPP messenger app Conversations.

Now, just to be clear, this is only a small subset of XMPP servers. There is a large number of public XMPP servers with different features (see this list for example), some even allow you to connect to your ICQ or Yahoo Messenger accounts, or to send SMS or email. Which server is best for you pretty much depends on what you want and what you need — as usual :-)

GnuPG-encrypted mail forwarding for remote systems

Ever since I started using Fail2ban and Logwatch to monitor unauthorized login attempts and system logs on my server, I have been looking for an easy way to regularly receive encrypted status reports from both programmes by email. After playing around with gpg-mailgate for some time (useful tutorial here), I decided to opt for a simpler solution and told both programmes to send their reports to a specific user on my system. These messages are then retrieved by a simple cron script and emailed to me at regular intervals. Here is how I did it:

Import your gpg public key on the remote system via gpg --import <your key file>, and create a directory /var/mailbackup for backups. Then create a script /etc/cron.hourly/00mailencrypt with the following content (don’t forget to replace the placeholders with the correct values for your set-up) and mark it executable.

#!/bin/bash
# Only act when the local mailbox actually contains data
if [ -s /var/mail/<user name> ]
then
  # keep a timestamped plaintext copy of the mailbox on the server
  cp /var/mail/<user name> /var/mailbackup/mailbackup`date +%y%m%d-%H%M`
  # encrypt the mailbox to your public key and send it as an ASCII-armoured message
  gpg -ea -r <email address> -o - /var/mail/<user name> | mail -s "mail report" <email address>
  # empty the mailbox so the next run only sees new messages
  echo -n "" > /var/mail/<user name>
fi

Cron will now regularly check /var/mail/<user name> for new messages, encrypt and send them to you.

Clamassassin Wrapper script for Evolution and Sylpheed

While viruses on Linux are rare, I have always found it a sensible precaution to scan incoming messages for malware. It helps me weed out the occasional Windows virus that gets sent my way and keeps me from forwarding malicious attachments to friends. A common feature of most antivirus software for Windows, email scanning can be easily set up for most email clients on Linux. Plugins for ClamAV are available for Thunderbird and Claws Mail, so set-up is fairly straightforward there, but the same functionality can be added to Evolution and Sylpheed with a simple shell script. Note that you will need to have the necessary packages installed (sudo apt-get install clamtk clamassassin clamav-daemon clamav-testfiles clamav-docs) in all cases. Experts may also want to configure the ClamAV daemon (sudo dpkg-reconfigure clamav-base) for faster access to ClamAV, but this is beyond the scope of this post. Note that you can test the filter by sending yourself a ClamAV test file, which can be found in /usr/share/clamav-testfiles.

Evolution

Create a file clamassassin-wrapper.sh with the following content in your home directory and make it executable:

#!/bin/sh
# Evolution pipes the message to this script on stdin; clamassassin adds an
# X-Virus-Status header to the message, which is extracted from its output
RESULT=$(clamassassin - | grep "X-Virus-Status")
if [ "$RESULT" = "X-Virus-Status: Yes" ]
then
  zenity --warning --title="Threat detected" --text="Threat detected:\n$RESULT"
  exit 1 # non-zero return tells the filter the message is infected
fi
exit 0 # clean message

Open Evolution and set up the filter: Edit -> Message Filters -> Incoming: Add

Name: clamassassin-wrapper
If all conditions are met: Pipe to programme: ~/clamassassin-wrapper.sh, does not return: 0
Then: <define what you want to do with an infected message here, e.g. move it to the Trash>

Sylpheed

Things work pretty much the same with Sylpheed. Create a file clamassassin-wrapper.sh in your home directory with the following content and make it executable:

#!/bin/sh
# Sylpheed passes the path of the message file as the first argument
if [ $# -eq 1 ]
then
  RESULT=$(clamassassin < "$1" | grep "X-Virus-Status")
  if [ "$RESULT" = "X-Virus-Status: Yes" ]
  then
    zenity --warning --title="Threat detected" --text="Threat detected:\n$RESULT"
    exit 1 # infected
  fi
fi
exit 0 # clean (or no message file given)

Open Sylpheed and set up a new filter: Configuration -> Filters, choose to add a new filter with the following parameters:

Name: clamassassin-wrapper
If all of the following conditions match: Result of command: /home/<your user name>/clamassassin-wrapper.sh
Perform the following actions: <define what you want to do with an infected message>