Protect your Nginx-powered ClassicPress / WordPress login page against brute-force password attacks using fail2ban on Debian-based Linux

Heyo!

So I looked into my blog stats and noticed something interesting…

There are some very curious people out there… Some of them visited my page thousands of times. I wonder what they were looking at…

Oh…? Why would my He-bro friend be looking at my wp-login.php page? Interesting…

The fact is that there are bots / malicious actors out there trying to brute-force your login and password. Why? Because they can. Because they want to. Because reasons.

Anyway. I use strong passwords but I don’t want to tempt fate so… HOW do I stop those password brute-forcing attempts? What to do? How to live?!

There’s this piece of code called fail2ban and it will do exactly what it says. It will ban anyone that fails to log into your system.

So how do I get it and how to set it up?

Well here is how.

You open a terminal window on your https server and you gain root.

su -

Then you install fail2ban (and midnight commander):

apt install -y fail2ban mc

Next thing is to configure this bugger…

Let’s start with the jail.local file:

mcedit /etc/fail2ban/jail.local

And paste this into the file (Shift + Insert) and edit the file accordingly:


[DEFAULT]
ignoreip = 127.0.0.1/8
mta = mail
# Replace YourGmailRelay@gmail.com with Your Gmail Relay Email
sender = YourGmailRelay@gmail.com
sendername = Fail2ban
banaction = iptables-allports
# Replace YourGmailRelay@gmail.com with Your Gmail Relay Email
# Set up 2FA and APP Password on your Gmail relay and replace
# YourGmailRelayAppPassword with your APP Password for GMail
# Replace the TheEmailYouWantToReceiveInfoTo@YourDomain.You with your Email address
# where you want your fail2ban reports to be delivered
action = %(action_mw)s[from=YourGmailRelay@gmail.com, password=YourGmailRelayAppPassword, destination=TheEmailYouWantToReceiveInfoTo@YourDomain.You, sendername=Fail2Ban]
# IF I catch this mofo 3 times
maxretry = 3
# During 36000 seconds (10 hours)
findtime = 36000
# I'll ban his ass for 36000 seconds (10 hours)
bantime = 36000

[sshd]
# Change this to true if you want to protect your ssh logins with fail2ban too
enabled = false


[wordpress-wplogin]
enabled = true
filter = wordpress-wplogin
# IF you're not using nginx or the log is located somewhere else - edit the line below
logpath = /var/log/nginx/*_access.log
port = http,https


Save the file (F2) close the file (F10).

Next edit wordpress-wplogin.conf file:

mcedit /etc/fail2ban/filter.d/wordpress-wplogin.conf

Paste this into the file (Shift + Insert):

[Definition]
failregex = ^<HOST> .* "(GET|POST) /+wp-login.php
            ^<HOST> .* "(GET|POST) /+xmlrpc.php

Save the file (F2) close the file (F10).

Next run these two commands:

Replace the TheEmailYouWantToReceiveInfoTo@YourDomain.You with your Email address where you want your fail2ban reports to be delivered

sed -i 's/root@localhost/TheEmailYouWantToReceiveInfoTo@YourDomain.You/g' /etc/fail2ban/jail.conf

Replace YourGmailRelay@gmail.com with Your Gmail Relay Email

sed -i 's/root@<fq-hostname>/YourGmailRelay@gmail.com/g' /etc/fail2ban/jail.conf

Next enable and restart fail2ban

systemctl enable fail2ban && systemctl restart fail2ban

and now check if it’s running:

systemctl status fail2ban

Active: active (running) since Sat 2022-10-29 22:12:35 IST; 1s ago

How to check which jails fail2ban is running?

fail2ban-client status

Status
|- Number of jail: 1
`- Jail list: wordpress-wplogin

How to check status of a specific jail?

fail2ban-client status wordpress-wplogin

Status for the jail: wordpress-wplogin
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/nginx/some_ssl_access.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

How to unban specific IP from a specific jail?

fail2ban-client set JAILNAME unbanip IPADDRESS

fail2ban-client set wordpress-wplogin unbanip 356.567.789.890
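
To see which addresses the wordpress-wplogin filter and the maxretry / findtime values above would ban, here is an added example (not part of the original post, and not fail2ban's own code) that replays constructed nginx log lines through the same two failregex lines in Python, the language fail2ban evaluates its filters in. The IPv4-only stand-in for <HOST>, the sample addresses and the simplified counting are assumptions. It shows that the site owner's own visits to wp-login.php count as failures unless that address is listed in ignoreip.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two failregex lines from wordpress-wplogin.conf. fail2ban expands <HOST>
# itself; the IPv4-only group below is a simplified stand-in (assumption).
FAILREGEX = ['^<HOST> .* "(GET|POST) /+wp-login.php',
             '^<HOST> .* "(GET|POST) /+xmlrpc.php']
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [re.compile(r.replace("<HOST>", HOST)) for r in FAILREGEX]
STAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed sample lines in nginx "combined" format (documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.20 - - [29/Oct/2022:09:00:00 +0100] "GET /wp-login.php HTTP/1.1" 200 2841 "-" "Firefox"
198.51.100.20 - - [29/Oct/2022:09:00:05 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Firefox"
192.0.2.44 - - [29/Oct/2022:12:00:00 +0100] "GET /2022/10/some-post/ HTTP/1.1" 200 9000 "-" "Chrome"
198.51.100.20 - - [29/Oct/2022:18:30:00 +0100] "GET /wp-login.php?action=logout HTTP/1.1" 302 0 "-" "Firefox"
203.0.113.7 - - [29/Oct/2022:22:10:01 +0100] "POST /wp-login.php HTTP/1.1" 200 2841 "-" "bot"
203.0.113.7 - - [29/Oct/2022:22:10:02 +0100] "POST //xmlrpc.php HTTP/1.1" 200 370 "-" "bot"
203.0.113.7 - - [29/Oct/2022:22:10:03 +0100] "POST /wp-login.php HTTP/1.1" 200 2841 "-" "bot"
""".splitlines()

def failure(line):
    """Return (ip, time) if either failregex matches the line, else None."""
    stamp = STAMP.search(line)
    for pattern in PATTERNS:
        hit = pattern.search(line)
        if hit and stamp:
            when = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S %z")
            return hit.group("host"), when
    return None

def simulate(lines, maxretry=3, findtime=36000, ignoreip=()):
    """Simplified jail model: ban an IP on its maxretry-th match inside findtime.
    ignoreip takes exact addresses only here (no CIDR ranges)."""
    recent, banned = defaultdict(list), {}
    for line in lines:
        found = failure(line)
        if not found or found[0] in ignoreip or found[0] in banned:
            continue
        ip, when = found
        # Keep only earlier matches that are still inside the findtime window.
        recent[ip] = [t for t in recent[ip] if (when - t).total_seconds() <= findtime] + [when]
        if len(recent[ip]) >= maxretry:
            banned[ip] = when.strftime("%H:%M:%S")
    return banned

if __name__ == "__main__":
    print(simulate(SAMPLE_LOG), simulate(SAMPLE_LOG, ignoreip=("198.51.100.20",)))
```

On the server itself, fail2ban-regex /var/log/nginx/some_ssl_access.log /etc/fail2ban/filter.d/wordpress-wplogin.conf runs the real filter against the real log and reports how many lines matched.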

That’s all folks…

Cheers.

Andrzej

Edit: I have asked SloniuPL if he is using or will be using Fail2Ban. He said “No and No” and when asked why he said “I am using wordfence and jetpack, free versions”. If you don’t want to use fail2ban, there’s an alternative; however, fail2ban in my opinion gives you more options, as it will protect more than just your ClassicPress / WordPress.

Set up GMail SMTP relay script

Hi, this script will install and configure a mail server on your Debian based Linux using GMail SMTP as a relay server.

Steps:

– Create a GMail account.
– Set up 2 factor authentication on GMail account
– Set up and write down an App Password for GMail account
– Download the script:

wget -c https://andrzejl.eu/files/gmail_relay.sh

– Use GMail details to replace some data in the script below in your fav text editor
– Use GMail App Password to replace some data in the script below in your fav text editor
– Use the e-mail that’s supposed to receive the e-mails to replace some data in the script below in your fav text editor

mcedit ./gmail_relay.sh

OR

nano ./gmail_relay.sh

OR

vi ./gmail_relay.sh

– Save the script
– Make sure gmail_relay.sh is executable

chmod +x ./gmail_relay.sh

– Run the script as root twice

sudo ./gmail_relay.sh
sudo ./gmail_relay.sh

Here’s the code you’re downloading:


# Script written by AndrzejL and downloaded from https://andrzejl.eu/files/gmail_relay.sh
# Please do not remove or edit the first three lines. https://blog.andrzejl.eu/2022/10/25/set-up-gmail-smtp-relay-script/
# Please do not use this script for anything illegal. I cannot stop you but I hope you will respect my request.
# Replace all instances of e-mail_address_of_the_relay@gmail.com with actual gmail relay email address
# Make sure you have 2 factor authentication enabled on gmail
# Make sure you have an app password set up on gmail
# Replace all instances of YOURGMAILAPPPASSWORD with gmail app password
# Replace all instances of YourDifferent@Email.address with your recipient e-mail address
# Run this script twice and you're golden.
# IF asked - choose NO CONFIGURATION during the setup
# Check your recipient e-mail after the script has run
apt-get --reinstall -y install libsasl2-modules postfix bsd-mailx dialog &&
cp /usr/share/postfix/main.cf.debian /etc/postfix/main.cf &&
date > /etc/postfix/main.cf &&
echo 'alias_maps = hash:/etc/aliases' > /etc/postfix/main.cf &&
echo 'alias_database = hash:/etc/aliases' >> /etc/postfix/main.cf &&
echo 'mynetworks = 127.0.0.0/8' >> /etc/postfix/main.cf &&
echo 'inet_interfaces = loopback-only' >> /etc/postfix/main.cf &&
echo 'inet_protocols = ipv4' >> /etc/postfix/main.cf &&
echo 'recipient_delimiter = +' >> /etc/postfix/main.cf &&
echo 'compatibility_level = 2' >> /etc/postfix/main.cf &&
echo 'relayhost = [smtp.gmail.com]:587' >> /etc/postfix/main.cf &&
echo 'smtp_use_tls = yes' >> /etc/postfix/main.cf &&
echo 'smtp_sasl_auth_enable = yes' >> /etc/postfix/main.cf &&
echo 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' >> /etc/postfix/main.cf &&
echo 'smtp_tls_CApath = /etc/ssl/certs' >> /etc/postfix/main.cf &&
echo 'smtp_sasl_security_options = noanonymous, noplaintext' >> /etc/postfix/main.cf &&
echo 'smtp_sasl_tls_security_options = noanonymous' >> /etc/postfix/main.cf &&
echo 'sender_canonical_classes = envelope_sender,header_sender' >> /etc/postfix/main.cf &&
echo 'sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps' >> /etc/postfix/main.cf &&
echo 'smtp_header_checks = regexp:/etc/postfix/header_check' >> /etc/postfix/main.cf &&
echo '[smtp.gmail.com]:587 e-mail_address_of_the_relay@gmail.com:YOURGMAILAPPPASSWORD' > /etc/postfix/sasl_passwd &&
echo '/.+/ e-mail_address_of_the_relay@gmail.com' > /etc/postfix/sender_canonical_maps &&
echo '/From:.*/ REPLACE From: e-mail_address_of_the_relay@gmail.com' > /etc/postfix/header_check &&
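/usr/sbin/postmap /etc/postfix/sasl_passwd &&
# sasl_passwd and its .db copy hold the app password: make them readable by root only
chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db &&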
/usr/sbin/postmap /etc/postfix/sender_canonical_maps &&
/usr/sbin/postmap /etc/postfix/header_check &&
/usr/sbin/postalias /etc/aliases &&
postfix reload &&
systemctl restart postfix &&
echo $HOSTNAME | mail -s "test email" YourDifferent@Email.address -a "FROM:e-mail_address_of_the_relay@gmail.com" &&
echo "Test message" | mail -s "test email" YourDifferent@Email.address -a "FROM:e-mail_address_of_the_relay@gmail.com" &&
echo MAILTO="YourDifferent@Email.address" &&
echo $HOSTNAME


Cheers.

Andrzej

Piwigo photo gallery + VideoJS = Error: File too large

I’ve installed and configured VideoJS plugin on my self-hosted Piwigo gallery and when I tried to upload a video I got an error:

Error: File too large

To fix this issue I’ve edited the file

[your_piwigo_install]/admin/themes/default/template/photos_add_direct.tpl

and changed the line:

max_file_size : '1000mb',

by adding a few extra zeros

max_file_size : '10000000mb',

That fixed my issue. YMMV depending on your php.ini file config etc.

Kind regards.

Andrzej

Installation of Google Chrome on any apt / *.deb based distro.

Task is very simple:

Open terminal and type in commands:

wget -c https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb

This will download the latest Google Chrome deb file, which you then install using this command:

sudo apt install -y ./google-chrome-stable_current_amd64.deb

From now on you can update your system the way you normally would. Chrome adds a repository to your apt sources.list which will keep your browser updated.

Cheers.

Andrzej

Valheim BepinEX InSlimVML BuildShare Mods Installation 11.07.2022

Hello

I am not great at making videos but I was annoyed by the fact that I could not find a video that would give me a 100% working solution. Also the mods config file location was a PITA to find. Necessity forced me to create this monstrosity you’re watching / about to watch ;-).

Links below. Including a link to the “Open Source Bug” video explaining how to open a RAR file in 7z File Manager. He did a great job, no need for me to reinvent the wheel.

If you found this video useful consider buying me a cup of java?

https://www.paypal.com/paypalme/AndrzejLski

Once you have installed everything as instructed in the video, these will be the paths to your main folders:

In Steam Library, right click on Valheim and choose Manage – Browse local files

Once inside the Valheim main game folder you will have:

BepinEX mods folder located in:

\BepInEx\plugins

BepinEX mods configs folder located in:

\BepInEx\config

InSlim mods folder located in:

\InSlimVML\Mods

Vbuild storage folder located in:

\BuildShare\Builds

Cheers.

AndrzejL

Links:

7z download link:
https://www.7-zip.org/
Use 7zip to open RAR file | DOWNLOAD LINK
https://youtu.be/G5MVjaaPXuU?t=63
BepinEX:
https://valheim.thunderstore.io/package/denikson/BepInExPack_Valheim/
InSlimVML:
https://www.nexusmods.com/valheim/mods/21
Buildshare Mod Download:
https://www.nexusmods.com/valheim/mods/5/
Community Builds Library:
https://www.nexusmods.com/valheim/mods/categories/10/

SOLVED! The frustration is real… Acer One 10 S1002 64 bit Atom CPU but 32 EFI bootloader plus ElementaryOS Linux 6.x equals EFI shell after installation.

I own an Acer S1002 “laptop”. It’s one of those 2 in 1 tableto-laptop devices running on an Atom CPU. It will only install Windows in the 32 bit version because it has a dumb**s 32 bit EFI bootloader.

When installing ElementaryOS 5.1 everything (almost) is peachy. It installs, it boots – a few minor issues.

When installing ElementaryOS 6 it installs but after a reboot I get an EFI shell.

Upon closer look, the EFI partition on ElementaryOS 5 contains:

BOOTIA32.EFI

ubuntu (folder)

grub.efi

grubia32.efi

While ElementaryOS 6 only shows 64 bit files.

I tried copying files listed above to the EFI partition of the ElementaryOS 6 installation – that did not fix anything.

The machine’s BIOS does not allow disabling UEFI / enabling legacy boot.

Chrooting into installation and installing refind does not help…

Tell me Gandalf, what I must do now?

Please do not leave me with Windows 10 32 bits as my only option 🙂

Kind regards.

Andrzej

Updated 18 June 2022

Solution below. Warning, beyond here there be dragons.

Ok I am sorted… I will show you how but do so at your own risk. You need to know at least basics and I am not taking any responsibility if you fubar…

The first thing I did was install ElementaryOS 6, BUT I chose a custom partition setup:

1st 512 mb partition ext4 /boot
2nd 512 mb partition efi /boot/efi
3rd 4 gb swap
4th rest of space ext4 /

I chose not to encrypt the drive. After install I rebooted.

I rebooted into ElementaryOS 6 LiveUSB.

Next I’ve connected to wifi and then followed a prompt and went into the “Demo” mode. You can connect to wifi after going into Demo mode too.

Then I’ve opened a terminal and ran:

sudo su

mount /dev/mmcblk2p4 /mnt

(mmcblk2p4 is my / this could be mmcblk1p4 – check fdisk -l)

mount -t proc none /mnt/proc/

mount -o bind /dev /mnt/dev/

mount -o bind /sys /mnt/sys/

mount -o bind /run /mnt/run/

mount /dev/mmcblk2p1 /mnt/boot/

(mmcblk2p1 is my /boot this could be mmcblk1p1 – check fdisk -l)

mount /dev/mmcblk2p2 /mnt/boot/efi/

(mmcblk2p2 is my /boot/efi this could be mmcblk1p2 – check fdisk -l)

chroot /mnt

apt update && apt upgrade && apt dist-upgrade && apt full-upgrade && apt autoremove --purge

(ignore messages about not being able to write the log)

apt install efibootmgr grub-common grub-efi-ia32 grub-efi-ia32-bin grub-pc-bin grub2-common mokutil secureboot-db && apt autoremove --purge

(You will be asked to type in a phrase to continue the installation)

Type it in exactly as you see it and confirm with enter.

grub-install /dev/mmcblk2

(this could be mmcblk1 – check it with fdisk -l)

update-grub

exit

reboot

After reboot I was finally able to boot 🙂

Kind regards.

Andrzej

Disable “Early Access Build” message in ElementaryOS 6 Beta

So I’ve installed Elementary 6 Beta for testing purposes. Cool.

On every single boot I was greeted with this…

I wanted to get rid of it so I’ve decided to track what application was starting this pop-up.

To figure it out I’ve installed xdotool


sudo apt install xdotool

and then ran this command and clicked on the “Welcome message” box to focus it:


sleep 5 && cat "/proc/$(xdotool getwindowpid "$(xdotool getwindowfocus)")/comm"

Turns out that the culprit was:

So I started killing off all the io.elementary.* processes that were running with my user permissions and the window was gone after I’ve killed:

io.elementary.onboarding

So I ran:


sudo apt purge io.elementary.onboarding

And after a reboot the message was no longer appearing.

Have a great day.

Andrzej