Security – TecAdmin
https://tecadmin.net
How-to guides for System Administrators and Developers
Fri, 06 Jan 2023 12:06:26 +0000

How to Open Port in Linux
https://tecadmin.net/how-to-open-port-in-linux/
Fri, 06 Jan 2023 12:06:26 +0000

The post How to Open Port in Linux appeared first on TecAdmin.

In a Linux operating system, a port is a communication endpoint for either sending or receiving data over a network. Network ports are identified by a number, and each port number is associated with a specific type of network service. For example, port 80 is used for HTTP traffic, port 21 is used for FTP, and port 25 is used for email.

In order to establish a network connection, you need to open a port on your Linux system. There are several methods for doing this, including using the built-in firewall programs FirewallD, UFW, and iptables. Each of these methods has its own set of advantages and disadvantages, and in this article, we will discuss how to open a port in Linux using each of these methods.

Check Listening Ports on Your System

You can use the `ss` or `netstat` command-line utility to list all the ports listening on your local system.

ss -tuln 

This command lists every listening socket on your machine together with the local address and port it is bound to. To show only sockets in the LISTEN state (UDP sockets are reported as UNCONN), filter the output with the following command:

ss -tuln | grep "LISTEN" 

You will see output like below:

Output
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:143 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:111 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 5 [::1]:631 [::]:*
tcp LISTEN 0 100 [::]:25 [::]:*
tcp LISTEN 0 511 *:443 *:*
tcp LISTEN 0 70 *:33060 *:*
tcp LISTEN 0 151 *:3306 *:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
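Before opening anything in the firewall it helps to know which of the listening ports above are already reachable from the network and which are bound to loopback only. The following Python is an added example, not part of the original article: it parses `ss -tuln` output (a constructed sample modelled on the lines above) and classifies each listener by the address it is bound to.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample modelled on the `ss -tuln | grep LISTEN` output above;
# not captured from a real host.
SAMPLE_SS_OUTPUT = """\
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 5 [::1]:631 [::]:*
tcp LISTEN 0 511 *:443 *:*
tcp LISTEN 0 151 *:3306 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
"""

# Bind addresses that accept connections on every interface.
WILDCARDS = {"0.0.0.0", "::", "*"}


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # bind address without brackets or scope id; "*" means any
    port: int

    def scope(self) -> str:
        """Who can reach the socket: 'any' (all interfaces), 'loopback' or 'local'."""
        if self.addr in WILDCARDS:
            return "any"
        if ipaddress.ip_address(self.addr).is_loopback:
            return "loopback"
        return "local"   # bound to one specific non-loopback interface address


def _split_local(field: str):
    """'[::1]:631' -> ('::1', 631); '127.0.0.53%lo:53' -> ('127.0.0.53', 53)."""
    addr, port = field.rsplit(":", 1)
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)


def parse_ss(text: str) -> list:
    """Parse `ss -tuln` (or `ss -tuln | grep LISTEN`) output into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Column layout: Netid State Recv-Q Send-Q Local:Port Peer:Port.
        # TCP listeners show LISTEN, UDP sockets show UNCONN; the header row
        # and anything else is skipped.
        if len(fields) < 5 or fields[1] not in ("LISTEN", "UNCONN"):
            continue
        addr, port = _split_local(fields[4])
        listeners.append(Listener(fields[0], addr, port))
    return listeners


def ports_by_scope(listeners) -> dict:
    """Group listening port numbers by who can reach them."""
    groups = {"any": set(), "loopback": set(), "local": set()}
    for listener in listeners:
        groups[listener.scope()].add(listener.port)
    return groups


if __name__ == "__main__":
    groups = ports_by_scope(parse_ss(SAMPLE_SS_OUTPUT))
    print("reachable from the network:", sorted(groups["any"]))
    print("loopback only:             ", sorted(groups["loopback"]))
```

On a real host, feed it the live output with `subprocess.run(["ss", "-tuln"], capture_output=True, text=True).stdout`; ports in the "any" group are the ones a firewall rule actually exposes.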

Opening a Port with FirewallD:

FirewallD is a firewall management tool that is included in many popular Linux distributions, including CentOS, Fedora, and Red Hat Enterprise Linux. It provides a simple and easy-to-use interface for configuring the firewall rules on your system.

  • List Services: To open a port with FirewallD, you first need to check if the service you want to allow is listed in the predefined service list. You can do this by running the following command:
    firewall-cmd --get-services 
    

    This will display a list of all the predefined services that are supported by FirewallD.

  • Open Port by Service Name: If the service you want to allow is listed, you can open the port by running the following command:

    # Syntax
    firewall-cmd --permanent --add-service=service_name

    Replace “service_name” with the name of the service you want to allow. For example, to open port 80 for HTTP traffic, you would run the following command:

    firewall-cmd --permanent --add-service=http 
    
  • Open Port by Number: If the service you want to allow is not listed in the predefined service list, you can open a specific port by running the following command:

    # Syntax
    firewall-cmd --permanent --add-port=port_number/protocol

    Replace “port_number” with the number of the port you want to open, and “protocol” with the protocol used by the service (either “tcp” or “udp”). For example, to open port 8080 for HTTP traffic using the TCP protocol, you would run the following command:

    firewall-cmd --permanent --add-port=8080/tcp 
    

Save the firewall rules: Once you have added the necessary firewall rule, you need to reload the firewall to apply the changes. You can do this by running the following command:

firewall-cmd --reload 

Opening a Port with UFW:

UFW (Uncomplicated Firewall) is a firewall management tool that is included in many popular Linux distributions, including Ubuntu and Linux Mint. It provides a simple and easy-to-use interface for configuring the firewall rules on your system.

  • List Services: To open a port with UFW, you first need to check if the service you want to allow is listed in the predefined service list. You can do this by running the following command:
    ufw app list 
    

    This will display a list of all the predefined services that are supported by UFW.

  • Open Port by Service name: If the service you want to allow is listed, you can open the port by running the following command:

    # Syntax
    ufw allow service_name

    Replace “service_name” with the name of the service you want to allow. For example, to open port 80 for HTTP traffic, you would run the following command:

    ufw allow http 
    
  • Open port by number: If the service you want to allow is not listed in the predefined service list, you can open a specific port by running the following command:

    # Syntax
    ufw allow port_number/protocol

    Replace “port_number” with the number of the port you want to open, and “protocol” with the protocol used by the service (either “tcp” or “udp”). For example, to open port 8080 for HTTP traffic using the TCP protocol, you would run the following command:

    ufw allow 8080/tcp 
    
  • Check firewall status: Once you have added the necessary firewall rule, you can check the status of the UFW firewall by running the following command:
    ufw status 
    

    This will display a list of all the active firewall rules, along with their status (either “enabled” or “disabled”).

You can also use the UFW command line interface to enable or disable specific rules, or to delete them altogether.

Opening a Port with Iptables:

Iptables is a powerful firewall management tool that is included in most Linux distributions. It provides a wide range of options for configuring the firewall rules on your system, but it can be more complex to use than FirewallD and UFW.

  • Open Port by Number: To open a port with iptables, you need to use the “iptables” command followed by the appropriate options and arguments. For example, to open port 80 for HTTP traffic using the TCP protocol, you would run the following command:
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT 
    

    This command adds a new firewall rule that allows incoming traffic on port 80 using the TCP protocol. The “-A” option appends the rule to the end of the INPUT chain, and the “-j” option specifies the action to take (in this case, ACCEPT). Because the rule is appended, it only takes effect if no earlier rule in the chain already drops or rejects that traffic; use “-I INPUT” instead of “-A INPUT” to insert it at the top of the chain.

  • Open Port Range: If you want to open several ports in one rule, use the “-m multiport” module; its --dports option accepts individual ports separated by commas or a range written as first:last. For example, to open ports 80 to 90 for HTTP traffic using the TCP protocol, you would run the following command:
    iptables -A INPUT -p tcp -m multiport --dports 80:90 -j ACCEPT 
    
  • Save firewall rules: Once you have added the necessary firewall rule, you can save the iptables configuration by running the following command:
    service iptables save 
    

    This will save the current firewall configuration to the appropriate configuration file so that the rules are applied every time the system is restarted.

Conclusion

In this article, we explored three different tools that can be used to open a port in Linux: FirewallD, UFW, and iptables. FirewallD is a firewall management tool that provides a front-end interface for iptables. It is a user-friendly tool that allows you to easily manage your firewall rules. UFW is another user-friendly firewall tool that allows you to easily open and close ports. Finally, we looked at iptables, which is a more advanced tool that gives you greater control over your firewall. All three of these tools can be used to open a port in Linux and allow network traffic to flow through to specific programs or services. In conclusion, the choice of which tool to use will depend on your level of familiarity with Linux firewalls and your personal preference.

How to Install and Configure Fail2ban on Debian 11
https://tecadmin.net/how-to-install-and-configure-fail2ban-on-debian-11/
Thu, 28 Oct 2021 05:08:14 +0000

Every server which is accessible from the Internet is at great risk of brute-force and malware attacks. Hackers try to use brute-force attempts to get access to applications that are accessible on public networks.

Fail2ban is a tool that protects Linux-based machines from automated attacks. It monitors log files for malicious activity and allows the administrator to temporarily or permanently block the remote IP addresses responsible.

This how-to guide will explain how to install, configure and set up Fail2ban on a Debian 11 based system.

How to install Fail2ban on Debian 11

Fail2ban is available in the default repository of Debian 11, so it can easily be installed by using the default package manager of Debian:

sudo apt install fail2ban -y  

After successful installation, the Fail2ban service should start automatically. You can verify this by running the command:

sudo systemctl status fail2ban 

If the service is not active on your system, you can use the following commands to start and enable it:

sudo systemctl start fail2ban 
sudo systemctl enable fail2ban 

How to configure Fail2ban on Debian 11

Fail2ban comes with two different configuration files, located in the /etc/fail2ban directory. These files hold the basic configuration and should not be modified directly, as they may be overwritten when a package update arrives.

We can use a separate .local file as a configuration file to avoid any future hassle. So we will make a local config file by copying the jail.conf file:

sudo cp /etc/fail2ban/jail.{conf,local} 

Now, open the newly created file in a text editor:

sudo nano /etc/fail2ban/jail.local 

Here you can update the settings according to your needs. The ignoreip directive lists IP addresses or networks that Fail2ban will never ban (a whitelist). Here I have listed two different IP addresses as examples. You can put any IP address that you want to whitelist:

ignoreip = 127.0.0.15/8  192.168.1.2/24

The bantime directive sets how long an IP address remains banned. A suffix such as m (minutes), h (hours) or d (days) specifies the unit; without a suffix the value is in seconds.

bantime = 120m

The findtime directive defines the time window in which failed attempts are counted. If Fail2ban is going to ban an IP after 4 failed attempts, those attempts must all occur within the findtime interval for the ban to be placed.

findtime = 2m

The maxretry directive defines the number of failed attempts within findtime before an IP gets blacklisted.

maxretry = 5

After making all the necessary changes, save and close the config file.

Now restart the service to let the changes take effect:

sudo systemctl restart fail2ban.service  
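To make the interplay of ignoreip, findtime, maxretry and bantime concrete, here is an added Python simulation of the ban decision. It is my own illustration, not Fail2ban's code, and its duration parser is a simplified assumption of how Fail2ban reads suffixes. It replays constructed failed-login timestamps against the values from the configuration above.

```python
import ipaddress
from collections import defaultdict, deque

# Simplified duration units (assumed subset of what fail2ban accepts).
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(value: str) -> int:
    """'120m' -> 7200 seconds, '2m' -> 120, a bare '600' -> 600 (seconds)."""
    value = value.strip()
    digits = value.rstrip("smhdw")
    return int(digits) * _UNITS[value[len(digits):]]


class JailSimulator:
    """Sliding-window ban logic for one jail, driven by the jail.local directives."""

    def __init__(self, ignoreip: str, bantime: str, findtime: str, maxretry: int):
        # ignoreip entries may have host bits set (e.g. 192.168.1.2/24), so the
        # network must be parsed non-strictly, as fail2ban does.
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
        self.bantime = parse_duration(bantime)
        self.findtime = parse_duration(findtime)
        self.maxretry = maxretry
        self.failures = defaultdict(deque)   # ip -> timestamps inside the findtime window
        self.banned_until = {}               # ip -> time the ban expires

    def is_ignored(self, ip: str) -> bool:
        """True if the source matches any ignoreip entry and must never be banned."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip: str, ts: int) -> bool:
        return ts < self.banned_until.get(ip, 0)

    def record_failure(self, ip: str, ts: int) -> bool:
        """Feed one failed login at time ts (seconds); return True if it triggers a ban."""
        if self.is_ignored(ip) or self.is_banned(ip, ts):
            return False
        window = self.failures[ip]
        window.append(ts)
        # Failures older than findtime no longer count towards maxretry.
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned_until[ip] = ts + self.bantime
            window.clear()
            return True
        return False


if __name__ == "__main__":
    # Values from the jail.local example above; timestamps are constructed.
    jail = JailSimulator("127.0.0.15/8  192.168.1.2/24", "120m", "2m", 5)
    for t in (0, 10, 20, 30, 40):
        if jail.record_failure("203.0.113.9", t):
            print(f"203.0.113.9 banned at t={t}s until t={jail.banned_until['203.0.113.9']}s")
```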

Conclusion

Fail2ban allows us to configure our system so that it becomes more secure against brute-force attacks as well as other malicious activities. It protects our system by checking the logs and blacklisting IP addresses that are suspicious. These security measures are essential, especially for systems that are accessible on public networks. In this article, we learned to install, configure and set up Fail2ban on Debian 11.

How To Secure SSH Server
https://tecadmin.net/how-to-secure-ssh-server/
Sat, 24 Jul 2021 01:50:44 +0000

When we talk about accessing servers remotely, the first thing that comes to mind is SSH. It is a network protocol that serves as a secure replacement for Telnet: it encrypts the connection so that others cannot read the information being transmitted.

With advancements in technology, attackers are becoming more sophisticated every day. Even your SSH connection is not secure if you are using the default installation settings. Therefore, it has become necessary to secure your SSH server against data breaches and malicious attacks by taking some crucial precautions.

In this article, we will introduce you to some important security practices which will help you in considerably increasing the level of SSH server security.

1. Use Strong Usernames and Passwords

If your SSH server is exposed to the outside world, you will face login attempts from attackers, who use various techniques to guess your SSH username and password. A strong username and password combination will help you secure your server.

You can use a password generator to create a strong and random password. Also, do not use any common password sequence like asdf, 12345678, etc.

2. Avoid Using Port 22

Port 22 is the default port for SSH connections, and every attacker probing your SSH server will try this port first. Changing the port therefore adds an extra security layer to your SSH connection and prevents automated attacks that only target port 22. Changing the port will also keep you off the radar of mass scanners.

How to change the SSH port?

Follow the below steps to change the default 22 port:

  1. Open your /etc/ssh/sshd_config file.
  2. Add the following line to your file, choosing any non-standard port:
    Port 20125
    
  3. Restart your SSHD service with the following command:
    sudo systemctl restart sshd 
    

Now the SSH server is listening on the new port. Keep your existing session open until you have confirmed that you can connect on the new port, and remember that the new port must also be allowed through your firewall.

3. Disable the Root Logins

Allowing direct root login through SSH is one of the most common and dangerous misconfigurations. An attacker who obtains your root password can damage your machine outright. Therefore it is recommended to disable root login and use a non-root user account instead. You can use the ‘su -’ command to gain root privileges after disabling root logins.

How to disable the root user login?

Again you need to edit the /etc/ssh/sshd_config file, as all of your SSH server settings are stored in that file.

  1. Login as a root and open the sshd_config file.
  2. Look for #PermitRootLogin or PermitRootLogin yes in that file and change it to:
    PermitRootLogin no
    
  3. Then add the user account that you will use to log in by writing ‘AllowUsers your_username’.
  4. Save the changes.
  5. Restart your SSHD without closing the current root session.
    sudo systemctl restart sshd 
    
  6. Then open a new terminal and check whether you can log in as the new user you added or not.
  7. After that, you can close the root session.
  8. You can now log in as the user you added and use the ‘su -’ command whenever you need root privileges.

4. Use SSH Keys Instead of Passwords

Even a strong password can in some cases be cracked or brute-forced. Therefore, using SSH key login adds an extra layer to your server security.

In SSH key login, you create two keys one public and one private. The private key is associated with your main machine and the public key is installed on the server that you want to access remotely. You can make a connection between the source and destination server with the SSH key pair without using passwords. Once the SSH key pair is configured, you can disable the password login.

See our separate tutorial on configuring key-based SSH on Linux.

How does SSH key login work?

Once you initiate a connection request, the server creates an encrypted message using the public key stored on it. This message is transmitted to your primary device, where the private key decrypts it. Once the message is decrypted, the primary device sends a confirmation message back to the remote server to establish the connection.

5. Disable Empty Passwords

Linux allows users to have empty passwords, and allowing empty-password logins to the server leaves it wide open to attack. So make sure you disable empty passwords.

How to disable Empty Passwords?

  1. Open the sshd_config file.
  2. Find PermitEmptyPasswords and set its value to ‘no’ (uncomment the line if it is commented out):
    PermitEmptyPasswords no
    
  3. Restart the sshd.

This will disable Empty Password login to your server.
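As an added check that is not part of the original article, the following Python audits an sshd_config against the settings sections 2, 3 and 5 above tell you to change. It resolves the file the way sshd does: the first occurrence of a directive wins, keywords are case-insensitive, and a Match block ends the global section. The config text is constructed for the example and the defaults are OpenSSH's.

```python
import re

# Directives covered by this article. "default" is what OpenSSH uses when the
# directive is absent; "bad" holds the values the article tells you to change.
CHECKS = {
    "port": {"default": "22", "bad": {"22"},
             "advice": "move SSH off the default port 22"},
    "permitrootlogin": {"default": "prohibit-password", "bad": {"yes"},
                        "advice": "set PermitRootLogin no"},
    "permitemptypasswords": {"default": "no", "bad": {"yes"},
                             "advice": "set PermitEmptyPasswords no"},
    "passwordauthentication": {"default": "yes", "bad": {"yes"},
                               "advice": "disable password login once key login works"},
}


def effective_values(config_text: str) -> dict:
    """Resolve the global section of an sshd_config as sshd does.

    Keywords are case-insensitive, both 'Key value' and 'Key=value' are
    accepted, the FIRST occurrence of a keyword wins (a second copy appended
    at the end of the file is silently ignored), and everything after the
    first 'Match' line is conditional, so it is not part of the global values.
    """
    values = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in values:
            values[key] = parts[1].strip().lower()
    return values


def audit_sshd_config(config_text: str) -> list:
    """Return one finding per directive whose effective value is unsafe."""
    values = effective_values(config_text)
    findings = []
    for key, check in CHECKS.items():
        value = values.get(key, check["default"])
        if value in check["bad"]:
            findings.append(f"{key} = {value}: {check['advice']}")
    return findings


if __name__ == "__main__":
    # Constructed example: the "PermitRootLogin no" appended later never takes
    # effect because the earlier "yes" is read first.
    sample = "Port 22\nPermitRootLogin yes\n# hardening added later\nPermitRootLogin no\n"
    for finding in audit_sshd_config(sample):
        print(finding)
```

On a live host, `sshd -T` prints the fully resolved configuration and is the authoritative source; this script is useful for reviewing a file before it is deployed.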

Conclusion

Cyber attacks are increasing at an alarming rate, and it is good security practice to add layers of protection to your IT environment, whether you are working on a virtual machine or building a server. Implementing the above practices will harden your environment and help you prevent potential cyber threats.

How to Secure GitLab Server with Let’s Encrypt SSL
https://tecadmin.net/secure-gitlab-with-lets-encrypt-ssl/
Sat, 26 Dec 2020 17:30:13 +0000

We always say: security first. Keeping your hard work safe from attackers should be the first priority. This tutorial takes only a few minutes to secure a Gitlab server using Let’s Encrypt SSL certificates. Let’s Encrypt provides free SSL certificates to secure your domains and an easy way to renew them automatically.

This tutorial will help you secure the Gitlab service with a Let’s Encrypt SSL certificate and enable the auto-renew feature. If you are starting from a fresh installation, have a look at our installation guides first.

Prerequisites

Login to your Gitlab system with a sudo privileged account.

Also make sure to create a DNS A record that points your domain/subdomain to the public IP address of your Gitlab server. This is required for Let’s Encrypt to validate the domain before issuing a new certificate. For example, if you want to reach your Gitlab server at https://gitlab.tecadmin.net, create an A record for gitlab.tecadmin.net pointing to the server's IP address.

Configure Let’s Encrypt SSL with Gitlab

Gitlab keeps the configuration files under /etc/gitlab directory. You can edit the main configuration file /etc/gitlab/gitlab.rb in a text editor of your choice.

sudo vim /etc/gitlab/gitlab.rb 

Make the following changes:

  • First, change the external_url setting so that the domain starts with https.

    external_url "https://gitlab.tecadmin.net"

  • Add or update the following entries in the configuration file. Setting letsencrypt[‘enable’] to true requests an SSL certificate and configures it for the Gitlab instance. You can also provide an optional contact email, which the Let’s Encrypt authority uses to send alerts about the SSL certificates.

    # Enable the Let's encrypt SSL
    letsencrypt['enable'] = true
    
    # This is optional to get SSL related alerts
    letsencrypt['contact_emails'] = ['email@your-domain.com']

  • Also configure Gitlab to renew SSL certificate automatically on a regular interval.

    # Enable the auto renew feature
    letsencrypt['auto_renew'] = true
    
    # This example renews every 7th day at 12:30
    letsencrypt['auto_renew_hour'] = "12"
    letsencrypt['auto_renew_minute'] = "30"
    letsencrypt['auto_renew_day_of_month'] = "*/7"

Save the configuration file and exit from editor.

Next, run the reconfigure command to apply changes to Gitlab server.

sudo gitlab-ctl reconfigure 

This will take some time to complete. At the end, you will see the message “gitlab Reconfigured!” on your screen.

[Screenshot: Reconfigure Gitlab on Linux]

Verify SSL

Access the Gitlab web interface in a web browser. You will automatically be redirected to the secure URL.

[Screenshot: Secure Gitlab with Let's Encrypt SSL]

That’s it. You have successfully configured let’s encrypt SSL on Gitlab.

Conclusion

In this tutorial, you have learned to configure a Let’s Encrypt SSL certificate on a Gitlab instance and to enable automatic renewal of the certificate at a regular interval.

X-XSS-Protection – Secure Apache from Cross-Site Scripting
https://tecadmin.net/xss-protection-secure-apache-from-cross-site-scripting/
Mon, 31 Aug 2020 07:15:14 +0000

Cross-Site Scripting (also known as XSS) is a client-side attack in which malicious scripts are injected into a web application. The application then carries those scripts to other users' browsers, which treat them as content served from a trusted source and execute them.

Secure Apache from Cross-Site Scripting

You can set the X-XSS-Protection settings on your Apache web server to prevent cross-site scripting attacks.

To enable X-XSS-Protection, edit the Apache configuration file (for example /etc/httpd/conf/httpd.conf or /etc/apache2/conf-enabled/security.conf) and add the configuration below. The Header directive requires the mod_headers module to be enabled.

Header always set X-XSS-Protection "1; mode=block"

Save file and close it.

The above setting enables the browser's XSS filter. If a cross-site scripting attack is detected, mode=block tells the browser to prevent rendering of the page entirely rather than only sanitizing it. Note that current Chrome, Edge and Firefox ignore this header (Chrome removed its XSS Auditor in version 78 and Firefox never implemented one), so it only protects users of older browsers and should be treated as a supplement to a Content-Security-Policy header, not a replacement for output encoding in the application.

Next, restart the Apache service to apply the changes.

Test XSS Protection Settings

Open your website in a web browser. Press F12 to open the browser's developer tools, then view the response headers for the request. You will find the header value as shown in the image below.

[Screenshot: Enable XSS Protection in Apache]

Conclusion

In this tutorial, you have learned the basics of Cross-Site Scripting attacks and how to configure the X-XSS-Protection header to help secure an Apache server against them.

How to Open Specific Port in FirewallD
https://tecadmin.net/open-specific-port-in-firewalld/
Fri, 24 Jul 2020 16:02:50 +0000

Firewalld is the firewall management solution used by most modern Linux distributions. In this tutorial you will learn how to open ports in firewalld: for everyone, for a specific IP, or for an IP range. See our previous article on installing and using Firewalld on a Linux system.

In this tutorial, all the commands are written for MySQL port 3306. You can use the same command for any other ports as per your requirements.

Allow Port for All Traffic

Use the following command to allow incoming traffic on port 3306 from any source in the public zone.

firewall-cmd --zone=public --add-port=3306/tcp

To make the rule permanent, add the --permanent option to the command.

firewall-cmd --permanent --zone=public --add-port=3306/tcp

Allow Port for Specific IP

You can also restrict access to a port based on the source address. Opening a port for specific sources requires a firewalld rich rule.

Run the command below to allow access to port 3306 from the 192.168.0.0/24 network.

firewall-cmd --permanent --zone=public --add-rich-rule='
  rule family="ipv4"
  source address="192.168.0.0/24"
  port protocol="tcp" port="3306" accept'

Reload the firewall rules to apply changes.

firewall-cmd --reload

Verify Rules

After adding the rules in firewalld, you can verify them by running the following command.

firewall-cmd --list-all

Output:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.0/24" port port="3306" protocol="tcp" accept

The last line of the output shows the rich rule added to firewalld.

Remove Rules from Firewalld

If you don’t need to keep the ports open, you can remove the above ports from firewalld using the --remove-port option:

firewall-cmd --permanent --zone=public --remove-port=3306/tcp

Next, run the following command to apply the changes:

firewall-cmd --reload

Conclusion

In this tutorial, you have learned to open port access to all traffic or specific IP address/network using firewalld on Linux operating systems.

How to Setup Let’s Encrypt SSL with Apache on CentOS 8
https://tecadmin.net/setup-letsencrypt-ssl-with-apache-on-centos-8/
Thu, 27 Feb 2020 06:50:33 +0000

Let’s Encrypt is a Certificate Authority (CA) that provides free SSL certificates for your domains to secure data on the transport layer. This tutorial will help you install Apache and secure it with a free SSL certificate issued by Let’s Encrypt.

Prerequisites

  • Running CentOS 8 machine with shell access
  • Follow the initial server setup steps for a newly installed machine
  • A domain/sub domain pointed to server IP address via public DNS server. For this tutorial, we use webhost.tecadmin.net.

Step 1 – Install Apache

First of all, install the Apache server on your CentOS 8 machine. The Apache packages are available in the default repositories.

sudo dnf install httpd httpd-tools mod_ssl

Step 2 – Create VirtualHost with Port 80

For this tutorial, I have created an index.html file under the default document root. Similarly, you can place your application under the document root of your domain.

# The redirection must run as root too, so pipe through sudo tee instead of "sudo echo ... >"
echo "<h2>Welcome to Secure TecAdmin.net</h2>" | sudo tee /var/www/html/index.html

After that, create a VirtualHost configuration file binding with port 80.

sudo vim /etc/httpd/conf.d/webhost.tecadmin.net.conf

<VirtualHost *:80>
    ServerAdmin admin@example.com
    ServerName webhost.tecadmin.net
    DocumentRoot /var/www/html
</VirtualHost>

Save and close the file. Restart Apache service to reload the configuration.

sudo systemctl restart httpd.service

Step 3 – Setup Let’s Encrypt (Certbot) Client

Certbot is the ACME client application recommended by Let’s Encrypt for systems with shell access. It provides hassle-free automation of certificate issuance, installation, and renewal.

You can download the certbot-auto script from the official download page and put it under the /usr/sbin directory with the following commands. Note that the EFF has since deprecated certbot-auto and no longer maintains it; on current systems, install certbot from your distribution's packages or from snap instead.

sudo wget https://dl.eff.org/certbot-auto -O /usr/sbin/certbot-auto
sudo chmod a+x /usr/sbin/certbot-auto

You also need to install all the dependencies certbot needs in order to work. The command below installs them on your system.

sudo certbot-auto --os-packages-only

Step 4 – Create Let’s Encrypt Certificate

Now you can request Let’s Encrypt to issue an SSL certificate for your domain. Run the certbot-auto command for the Apache server as follows:

sudo certbot-auto --apache

This will list all the virtual hosts configured in Apache on the current server. Select the appropriate numbers, separated by commas. See the screenshot below:

[Screenshot: Lets Encrypt Apache on CentOS 8]

Let’s Encrypt will then start the verification process for your domain. Make sure the domain you selected points to this server via public DNS.

On successful verification, the SSL certificate will be issued for your domain, and a separate SSL VirtualHost configuration file will be created for it.

Certbot then asks whether or not to redirect HTTP traffic to HTTPS:

  • 1: No redirect – Make no further changes to the webserver configuration.
  • 2: Redirect – Make all requests redirect to secure HTTPS access.

[Screenshot: Free Lets Encrypt ssl on CentOS 8]

Enter the number of your choice and press Enter. You can also change this later by directly editing the configuration files.

Once the SSL configuration has completed successfully, you will see a congratulations message on your screen.

[Screenshot: Lets Encrypt on CentOS 8]

Step 5 – Verify Certificate

The Let’s Encrypt SSL certificate has been successfully configured for your domain. This certificate is issued for 3 months only; you can renew it before it expires.

Let’s check the certificate by accessing your site in a web browser.

[Screenshot: Let's encrypt Apache]

Conclusion

You have successfully secured your website with a free Let’s Encrypt SSL certificate. Follow our next tutorial to set up automatic renewal of Let’s Encrypt certificates with crontab. CentOS 8 systems have TLS 1.2 and TLS 1.3 enabled by default.

How to Whitelist an IP in fail2ban on Ubuntu & Debian
https://tecadmin.net/whitelist-ip-fail2ban-fail2ban/
Thu, 19 Sep 2019 11:00:40 +0000

Fail2ban is a useful application for protecting servers against brute force attacks. It reads application logs and bans IP addresses that it detects as attackers. Fail2ban can be configured to ban an IP temporarily or permanently. You can also whitelist specific IP addresses so that fail2ban never blocks them. This tutorial will help you whitelist an IP in fail2ban on Ubuntu, Debian, and Linux Mint systems.

Whitelist IP in Fail2ban

First of all, make a local copy of jail.conf and edit that copy. On Debian-based systems, the fail2ban configuration files are stored under the /etc/fail2ban directory.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local

Now, add your IP address to the ignoreip option inside the DEFAULT section. Multiple IPs must be separated by whitespace. For example:

[DEFAULT]

ignoreip = 192.168.10.100 192.168.2.0/32

After adding your IP, save the file and restart the fail2ban service:

systemctl restart fail2ban

All done!
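As an added check that is not part of the tutorial or of fail2ban itself, the following Python script parses the ignoreip value from a jail.local text and reports whether a given address is actually covered. The sample configuration is constructed from the entry above; note that 192.168.2.0/32 matches only the single address 192.168.2.0, so a /24 would be needed to cover the whole 192.168.2.x range.

```python
import ipaddress

# Constructed sample of the [DEFAULT] section, mirroring the tutorial's entry
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
# Never ban these addresses (whitespace- or comma-separated)
ignoreip = 192.168.10.100 192.168.2.0/32
bantime = 600

[sshd]
enabled = true
"""


def parse_ignoreip(config_text):
    """Return the ignoreip entries of the [DEFAULT] section as ip_network objects.

    Hostnames, which fail2ban also accepts in ignoreip, are not handled here.
    """
    in_default = False
    networks = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_default = line == "[DEFAULT]"
            continue
        key, sep, value = line.partition("=")
        if in_default and sep and key.strip() == "ignoreip":
            for token in value.replace(",", " ").split():
                # A bare address becomes a /32 (or /128); strict=False tolerates host bits in a prefix
                networks.append(ipaddress.ip_network(token, strict=False))
    return networks


def is_whitelisted(ip, networks):
    """True if ip falls inside any ignoreip entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets = parse_ignoreip(SAMPLE_JAIL_LOCAL)
    print("ignoreip entries:", [str(n) for n in nets])
    for candidate in ("192.168.10.100", "192.168.2.0", "192.168.2.15"):
        status = "whitelisted" if is_whitelisted(candidate, nets) else "NOT whitelisted"
        print(f"{candidate}: {status}")
```

On a running system, `fail2ban-client get sshd ignoreip` shows the list the sshd jail actually loaded, which is the authoritative check after the restart.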

The post How to Whitelist an IP in fail2ban on Ubuntu & Debian appeared first on TecAdmin.

Auto Renew Let’s Encrypt Certificates using Certbot
Published Sat, 17 Aug 2019 04:17:52 +0000 at https://tecadmin.net/auto-renew-lets-encrypt-certificates/

By default, Let’s Encrypt SSL certificates are issued for 90 days only. After that, you need to renew them. Let’s Encrypt allows renewal within the 30 days before expiration. You can perform the renewal manually or configure auto-renewal using crontab.

This tutorial will help you auto-renew Let’s Encrypt SSL certificates. The certbot script takes care of renewing certificates before they expire.

How to Renew Let’s Encrypt SSL

The certbot command-line utility provides an option to renew SSL certificates before expiration.

Before running the actual renewal process, you can do a dry run to verify that certbot is working properly. Run the following command on the terminal to verify:

sudo certbot renew --dry-run 

If the dry run completes successfully, run the following command to renew all certificates:

sudo certbot renew 

The above command will renew all the SSL certificates pending renewal.

Configure Auto-Renew Let’s Encrypt Certificates

In the previous step, you verified that certbot is working properly.

Now configure the same command in crontab so that it runs periodically. Running it once a day is sufficient, since certbot only renews certificates that are due. Edit the crontab with the following command:

crontab -e 

Append the following line at the end of the file. Cron runs non-interactively, so either use the root crontab or make sure sudo can run certbot without prompting for a password:

# Auto-renew Let's Encrypt SSL certificates
# Runs at minute 0 of every hour as written; use "0 2 * * *" instead to run once a day at 02:00.
# Only certificates within 30 days of expiry are actually replaced.
0 * * * * sudo certbot renew

Save the file and close it.

All done.
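To see where a certificate stands against that 30-day window, and to check the certificate a site actually serves (as in the verification step of the CentOS 8 post above), here is an added Python script that is not part of the tutorial or of certbot: it computes the days left from a certificate's notAfter value and reports whether certbot renew would act on it. The sample notAfter date is constructed, and the optional hostname argument is this script's own assumption.

```python
import socket
import ssl
from datetime import datetime, timezone

# Renewal window as stated in the tutorial (certificates live 90 days)
RENEWAL_WINDOW_DAYS = 30

# Constructed sample: a certificate issued on 2023-01-06 12:00 UTC for 90 days
SAMPLE_NOT_AFTER = "Apr  6 12:00:00 2023 GMT"


def utc(year, month, day, hour=12):
    """Helper to build a timezone-aware UTC timestamp."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def days_until_expiry(not_after, now):
    """Days from now until notAfter (same string format ssl.getpeercert() returns)."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def should_renew(not_after, now):
    """True once the certificate is inside the window certbot renew acts on."""
    return days_until_expiry(not_after, now) <= RENEWAL_WINDOW_DAYS


def fetch_not_after(host, port=443):
    """Connect with full chain and hostname verification and return the served cert's notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    # Optional hostname argument (this script's assumption): check a live site instead of the sample
    not_after = fetch_not_after(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NOT_AFTER
    now = datetime.now(timezone.utc)
    left = days_until_expiry(not_after, now)
    print(f"notAfter: {not_after}  days left: {left:.1f}  renew now: {should_renew(not_after, now)}")
```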

Wrap Up

You have successfully scheduled certbot to auto-renew Let’s Encrypt SSL certificates before expiration. Remember that the renewal process performs domain validation again, so the domain must still point to this server and the validation challenge must still be able to complete.

The post Auto Renew Let’s Encrypt Certificates using Certbot appeared first on TecAdmin.

How to Secure Nginx with Let’s Encrypt on Ubuntu 18.04 & 16.04 LTS
Published Fri, 26 Jan 2018 04:25:30 +0000 at https://tecadmin.net/nginx-lets-encrypt-ssl-ubuntu/

This tutorial will help you install the Let’s Encrypt client on your Ubuntu system and issue an SSL certificate for a domain served by the Nginx web server.

Step 1 – Prerequisites

Before starting work on this task, I assume you already have:

  • A running Ubuntu system with shell access and sudo privileges.
  • A domain name registered and pointed to your server’s public IP address. For this tutorial, we use example.com and www.example.com, which point to our server.
  • A running Nginx web server with a VirtualHost configured for example.com and www.example.com on port 80.

Step 2 – Install Let’s Encrypt Client

You can download the certbot-auto Let’s Encrypt client and save it in the /usr/sbin directory with the following commands. Note that certbot-auto has since been deprecated by the EFF; on current systems, install certbot from your distribution’s packages or as a snap instead.

sudo wget https://dl.eff.org/certbot-auto -O /usr/sbin/certbot-auto
sudo chmod a+x /usr/sbin/certbot-auto

Step 3 – Issue SSL for Nginx

Let’s Encrypt performs Domain Validation (DV) automatically using one of several challenge types. Once the Certificate Authority (CA) has verified that you control the domain, the SSL certificate is issued.

You don’t need to create a VirtualHost for SSL/HTTPS; certbot will create it. You only need the VirtualHost for port 80.

sudo certbot-auto --nginx -d example.com -d www.example.com

The above command will prompt for an email address, which is used for sending alerts about SSL renewal and expiration, and will ask a few more questions. After completion, it issues the SSL certificate and also creates a new VirtualHost configuration file on your system.

Step 4 – Configure SSL Auto Renew

Finally, configure the following job in your server’s crontab to auto-renew the SSL certificate when required.

# Run a quiet renewal check every day at 02:00; certificates are only replaced when due
0 2 * * * sudo /usr/sbin/certbot-auto -q renew
