月度归档： 2021 年 2 月

系统使用一段时间后，莫名其妙出现卡顿现象。发现硬盘灯闪个不停。

经查，是snapd进程持续不停的往硬盘写入数据，同时也会占用CPU。

写入量不大，但是磁盘占用率出奇的高。

导致系统出现卡顿，这个问题从ubuntu18.04到20.04实测都有，更老的版本没有实测不妄加批评。

解决办法网上找了N圈也没有找到解决办法。所以，只好……

干掉它！

$ sudo apt purge snapd

卸载后系统丝般顺滑。。

因为我暂时snap用的不多，加上也没别的办法，毕竟已经影响到系统的正常使用了，只好选择卸载。

有人说不能卸载，可以试试下面的命令：

$ sudo apt autoremove --purge snapd

卸载之后，继续重装一下，貌似也不再出现问题。

参考链接

---

• snapd进程持续写盘导致系统卡顿
• snapd持续运行，引起jbd2/sda2-8持续访问硬盘，占用大量io

• 安装配置为数据同步进行准备

$ sudo apt-get install rsync

# ubuntu 16.04/18.04默认源中都存在rssh ,但是 ubuntu 20.04开始，已经没办法从系统源中安装了。
# 原因在于 rssh 存在安全漏洞，并且长时间没有修复，并且已经没人维护了，我们使用rrsync替代 

$ export RSH_RSYNC_USER=rsh_backup

$ export RSH_RSYNC_USER_PASSWORD=rsh_password

# 如果需要备份/var/log 目录，建议把用户组设置成 adm 用户组，否则很多日志没办法读取
# sudo useradd -s "" $RSH_RSYNC_USER -g users -G adm
# 后期也可以通过 sudo usermod -g users -G adm $RSH_RSYNC_USER 更改用户组

# 不配置任何登陆默认shell，以便于 rrsync 接管
$ sudo useradd -s "" $RSH_RSYNC_USER

$ echo $RSH_RSYNC_USER:$RSH_RSYNC_USER_PASSWORD | sudo chpasswd

# 创建配置文件目录，增加配置信息
$ sudo mkdir /home/$RSH_RSYNC_USER

$ sudo chown -R $RSH_RSYNC_USER /home/$RSH_RSYNC_USER

$ sudo mkdir /home/$RSH_RSYNC_USER/.ssh

$ sudo chown -R $RSH_RSYNC_USER /home/$RSH_RSYNC_USER/.ssh

$ sudo touch /home/$RSH_RSYNC_USER/.ssh/authorized_keys

$ sudo chown -R $RSH_RSYNC_USER /home/$RSH_RSYNC_USER/.ssh/authorized_keys

# 配置许可访问的目录
$ echo 'command="/usr/bin/rrsync -ro /var/www /data/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding' | sudo tee /home/$RSH_RSYNC_USER/.ssh/authorized_keys

• 客户端同步,测试是否正常工作

$ export RSH_RSYNC_USER=rsh_backup 

$ export RSH_RSYNC_USER_PASSWORD=rsh_password

$ export RSH_RSYNC_PORT=22

$ export REMOTE_SERVER=www.mobibrw.com

$ export SYNC_DIR=/var/www

# 测试是否可以正常工作，另一个方面是许可ssh的登录key否则我们后续没办法使用sshpass
# 可以使用 --exclude 参数忽略指定的目录,相对路径，不是绝对路径
$ sudo rsync -avzP --delete -e 'ssh -p $RSH_RSYNC_PORT' $RSH_RSYNC_USER@$REMOTE_SERVER:$SYNC_DIR $SYNC_DIR

• 转化为定时任务，自动同步

# 安装密码自动填写软件
$ sudo apt-get install sshpass

$ cd ~

$ touch backup_rsync.sh

$ chmod +x backup_rsync.sh

$ echo -e '#!'"/bin/bash\n" >> backup_rsync.sh

$ sed -i '$a\export RSH_RSYNC_USER=rsh_backup' backup_rsync.sh

$ sed -i '$a\export RSH_RSYNC_USER_PASSWORD=rsh_password' backup_rsync.sh

$ sed -i '$a\export RSH_RSYNC_PORT=22' backup_rsync.sh

$ sed -i '$a\export REMOTE_SERVER=www.mobibrw.com' backup_rsync.sh

# 此处注意最后的分隔符/如果没有这个分隔符，会导致目标目录多一个名为www的父目录
$ sed -i '$a\export SYNC_DIR=/var/www/' backup_rsync.sh

# 可以使用 --exclude 参数忽略指定的目录，相对路径，不是绝对路径
$ sed -i '$a\sshpass -p $RSH_RSYNC_USER_PASSWORD rsync -avzP --delete -e \"ssh -p $RSH_RSYNC_PORT\" $RSH_RSYNC_USER@$REMOTE_SERVER:$SYNC_DIR $SYNC_DIR' backup_rsync.sh

# 打开计划任务的日志，默认不开
$ sudo sed -i -r "s/#cron\.\*[ \t]*\/var\/log\/cron.log/cron.*                         \/var\/log\/cron.log/g" /etc/rsyslog.d/50-default.conf

#write out current crontab
$ sudo crontab -l > addcron

#echo new cron into cron file ,每隔30分钟我们调度一次任务,前面是文件锁，防止并发冲突
#如果需要每小时执行一次，则修改为 "* */1 * * * flock ...."
#如果需要凌晨2点执行，则修改为 "* 2 * * * flock ...."
$ echo "30 * * * * flock -x -w 10 /dev/shm/backup_rsync_corn.lock -c \"bash `echo ~`/backup_rsync.sh\"" >> addcron

#install new cron file
$ sudo crontab addcron

$ rm addcron

$ sudo service cron restart

目前我的阿里云，腾讯云服务器之间的同步脚本如下：

#!/bin/bash

export RSH_RSYNC_USER=user
export RSH_RSYNC_USER_PASSWORD=password
export RSH_RSYNC_PORT=22
export REMOTE_SERVER=121.199.27.227

export SYNC_WWW_DIR=/var/www/

sshpass -p $RSH_RSYNC_USER_PASSWORD rsync -avzP --delete -e "ssh -p $RSH_RSYNC_PORT" $RSH_RSYNC_USER@$REMOTE_SERVER:$SYNC_WWW_DIR $SYNC_WWW_DIR --exclude "wordpress/wp-content/cache/" --exclude "wordpress/wp-content/plugins/crayon-syntax-highlighter/log.txt"

export SYNC_DATA_DIR=/data/
 
# 此处注意，如果使用 --exclude "/root/" 则忽略最顶部的root目录
# 如果使用 --exclude "root/" 则忽略所有路径中包含 root 的目录
# 主要 rsync 的 top-directroty 部分的规则
sshpass -p $RSH_RSYNC_USER_PASSWORD rsync -avzP --delete -e "ssh -p $RSH_RSYNC_PORT" $RSH_RSYNC_USER@$REMOTE_SERVER:$SYNC_DATA_DIR $RSYNC_DATA_DIR --exclude "/root/"

参考链接

---

• 只允许rsync同步的中心机器
• ubuntu 16.04使用rssh配置rsync服务通过ssh同步

I have a Ubuntu 18.04/20.04 server running ufw (Uncomplicated Firewall) and Docker. Docker relies on iptables-persistent, which is an interface to a much more powerful and complicated firewall that many people would rather avoid.

The problem here is that ufw and iptables-persistent are both ways for creating the same firewall. On my server, only one service would ever run at startup negating the other.

After a reboot ufw would always be disabled.

$ sudo ufw status

Status: inactive

Even though the ufw service is enabled, if you look closely, the active service has exited.

$ sudo systemctl status ufw 

● ufw.service - Uncomplicated firewall
    Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
    Active: active (exited)

If I check the server services, both ufw and netfilter-persistent are enabled. netfilter-persistent is a means for managing iptables on Debian and Ubuntu systems.

$ sudo service --status-all

 [ + ]  netfilter-persistent
 [ + ]  ufw

The fix is simple; we need to tell the operating system to load ufw after the netfilter-persistent.

Find and backup the ufw service.

$ ls -l /lib/systemd/system/ufw.service

-rw-r--r-- 1 root root  266 Aug 15  2017  ufw.service

$ cd /lib/systemd/system/

$ sudo cp ufw.service ufw.service.original

$ cat /lib/systemd/system/ufw.service

 [Unit]
 Description=Uncomplicated firewall
 Documentation=man:ufw(8)
 DefaultDependencies=no
 Before=network.target

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/lib/ufw/ufw-init start quiet
 ExecStop=/lib/ufw/ufw-init stop

 [Install]
 WantedBy=multi-user.target

Update and save the modified service by appending `After=netfilter-persistent.service` to the `[Unit]` block.

$ sudo nano /lib/systemd/system/ufw.service

 [Unit]
 Description=Uncomplicated firewall
 Documentation=man:ufw(8)
 DefaultDependencies=no
 Before=network.target
 After=netfilter-persistent.service

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/lib/ufw/ufw-init start quiet
 ExecStop=/lib/ufw/ufw-init stop

 [Install]
 WantedBy=multi-user.target

Reboot and test.

$ sudo reboot

$ sudo ufw status

Status: active
 To                         Action      From
 --                         ------      ----
 OpenSSH                    ALLOW       Anywhere
 Nginx Full                 ALLOW       Anywhere

参考链接

---

• • Fix ufw service not loading after a reboot
  • Ubuntu - ufw status shows inactive after reboot

Any service that is exposed to the Internet is at risk of malware attacks. For example, if you are running a service on a publicly available network, attackers can use brute-force attempts to sign in to your account.

Fail2ban is a tool that helps protect your Linux machine from brute-force and other automated attacks by monitoring the services logs for malicious activity. It uses regular expressions to scan log files. All entries matching the patterns are counted, and when their number reaches a certain predefined threshold, Fail2ban bans the offending IP using the system firewall for a specific length of time. When the ban period expires, the IP address is removed from the ban list.

This article describes how to install and configure Fail2ban on Ubuntu 20.04. 

低于 ubuntu 20.04 的系统，可以参考 ubuntu 16.04防止SSH暴力登录攻击 。

Installing Fail2ban on Ubuntu

The Fail2ban package is included in the default Ubuntu 20.04 repositories. To install it, enter the following command as root or user with sudo privileges :

$ sudo apt update

$ sudo apt install fail2ban

Once the installation is completed, the Fail2ban service will start automatically. You can verify it by checking the status of the service:

$ sudo systemctl status fail2ban

The output will look like this:

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-08-19 06:16:29 UTC; 27s ago
       Docs: man:fail2ban(1)
   Main PID: 1251 (f2b/server)
      Tasks: 5 (limit: 1079)
     Memory: 13.8M
     CGroup: /system.slice/fail2ban.service
             └─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

That’s it. At this point, you have Fail2Ban running on your Ubuntu server.

Fail2ban Configuration

The default Fail2ban installation comes with two configuration files, `/etc/fail2ban/jail.conf` and `/etc/fail2ban/jail.d/defaults-debian.conf`. It is not recommended to modify these files as they may be overwritten when the package is updated.

Fail2ban reads the configuration files in the following order. Each `.local` file overrides the settings from the `.conf` file:

• `/etc/fail2ban/jail.conf`
• `/etc/fail2ban/jail.d/*.conf`
• `/etc/fail2ban/jail.local`
• `/etc/fail2ban/jail.d/*.local`

For most users, the easiest way to configure Fail2ban is to copy the `jail.conf` to `jail.local` and modify the `.local` file. More advanced users can build a `.local`configuration file from scratch. The `.local` file doesn’t have to include all settings from the corresponding `.conf` file, only those you want to override.

Create a `.local` configuration file from the default `jail.conf` file:

$ sudo cp /etc/fail2ban/jail.{conf,local}

To start configuring the Fail2ban server open, the `jail.local` file with your text editor :

$ sudo nano /etc/fail2ban/jail.local

The file includes comments describing what each configuration option does. In this example, we’ll change the basic settings.

Whitelist IP Addresses

IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the `ignoreip` directive. Here you should add your local PC IP address and all other machines that you want to whitelist.

Uncomment the line starting with `ignoreip` and add your IP addresses separated by space:

/etc/fail2ban/jail.local

ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24

Ban Settings

The values of `bantime`, `findtime`, and `maxretry` options define the ban time and ban conditions.

`bantime` is the duration for which the IP is banned. When no suffix is specified, it defaults to seconds. By default, the `bantime` value is set to 10 minutes. Generally, most users will want to set a longer ban time. Change the value to your liking:

/etc/fail2ban/jail.local

bantime = 1d

To permanently ban the IP use a negative number.

`findtime` is the duration between the number of failures before a ban is set. For example, if Fail2ban is set to ban an IP after five failures (`maxretry`, see below), those failures must occur within the `findtime` duration.

/etc/fail2ban/jail.local

# 这个时间段内超过规定次数会被ban掉
findtime = 10m

`maxretry` is the number of failures before an IP is banned. The default value is set to five, which should be fine for most users.

/etc/fail2ban/jail.local

maxretry = 5

Email Notifications

Fail2ban can send email alerts when an IP has been banned. To receive emails, you need to have an SMTP installed on your server and change the default action, which only bans the IP to `%(action_mw)s`, as shown below:

/etc/fail2ban/jail.local

action = %(action_mw)s

`%(action_mw)s` bans the offending IP and sends an email with a whois report. If you want to include the relevant logs in the email, set the action to `%(action_mwl)s`.

You can also adjust the sending and receiving email addresses:

/etc/fail2ban/jail.local

destemail = admin@linuxize.com 
sender = root@linuxize.com

Fail2ban Jails

Fail2ban uses a concept of jails. A jail describes a service and includes filters and actions. Log entries matching the search pattern are counted, and when a predefined condition is met, the corresponding actions are executed.

Fail2ban ships with a number of jail for different services. You can also create your own jail configurations.

By default, only the ssh jail is enabled. To enable a jail, you need to add `enabled = true` after the jail title. The following example shows how to enable the proftpd jail:

/etc/fail2ban/jail.local

[proftpd]

port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(proftpd_log)s
backend  = %(proftpd_backend)s

The settings we discussed in the previous section, can be set per jail. Here is an example:

/etc/fail2ban/jail.local

[sshd]
enabled   = true
maxretry  = 3
findtime  = 1d
bantime   = 4w
ignoreip  = 127.0.0.1/8 23.34.45.56

The filters are located in the `/etc/fail2ban/filter.d` directory, stored in a file with same name as the jail. If you have custom setup and experience with regular expressions you can fine tune the filters.

Each time you edit a configuration file, you need to restart the Fail2ban service for changes to take effect:

$ sudo systemctl restart fail2ban

Fail2ban Client

Fail2ban ships with a command-line tool named `fail2ban-client` that you can use to interact with the Fail2ban service.

To view all available options, invoke the command with the `-h` option:

$ fail2ban-client -h

This tool can be used to ban/unban IP addresses, change settings, restart the service, and more. Here are a few examples:

• Check the jail status:

  $ sudo fail2ban-client status sshd

• Unban an IP:

  $ sudo fail2ban-client set sshd unbanip 23.34.45.56

• Ban an IP:

  $ sudo fail2ban-client set sshd banip 23.34.45.56

Conclusion

We’ve shown you how to install and configure Fail2ban on Ubuntu 20.04.

For more information on this topic, visit the Fail2ban documentation .

If you have questions, feel free to leave a comment below.

注意：如果服务器上启用了 UFW 防火墙，则几乎必然出现 Fail2ban 无法阻止攻击者 IP 的情况。

尽管 Fail2ban 已经提示阻止用户访问。但是由于 iptables 的顺序问题，根本不起作用，依旧在 /var/log/auth.log 中观察到不断的访问尝试。

解决方法如下：

$ sudo vim /etc/fail2ban/jail.local

将

banaction = iptables-multiport
banaction_allports = iptables-allports

更改为

banaction = ufw
banaction_allports = ufw

防火墙规则要求通过 UFW 进行设置。

重新载修改后的配置信息

$ sudo fail2ban-client reload

默认情况下，执行如下命令后：

$ sudo systemctl enable ufw

$ sudo ufw enable

UFW 服务器应该随着服务器重启自动启动，但是却经常没有启动，尤其是 ubuntu 20.04 。

参考 Fix ufw service not loading after a reboot 调整。

默认情况下，`Fail2ban`的配置是没办法阻止用户名尝试的，因此，我们需要新增如下配置才能解决问题。

First, define the filter for invalid users in `/etc/fail2ban/filter.d/sshd-invaliduser.conf`:

[INCLUDES]
before = common.conf

[Definition]
_daemon = sshd

failregex = ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$
ignoreregex = 

[Init]
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

Then enable it in `/etc/fail2ban/jail.local`:

[sshd-invaliduser]
enabled = true
maxretry = 1
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

默认情况下，`Fail2ban`的配置是没办法阻止root登陆尝试的，因此，我们需要新增如下配置才能解决问题。

[INCLUDES]
 
before = common.conf
 
[Definition]
 
_daemon = sshd
 
failregex = ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\S*\s*user=(root|admin)\s.*$
 
ignoreregex =
 
[Init]
 
maxlines = 10
 
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

Then enable it in `/etc/fail2ban/jail.local`:

[sshd-ban-root]
enabled = true
maxretry = 1
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

移除被禁止访问的IP

我们自己操作的时候，可能会把自己给禁止访问，此时需要手工从禁止列表中移除某些特定的IP

$ sudo fail2ban-client unban xx.xx.xx.xx

参考链接

---

• How to Install and Configure Fail2ban on Ubuntu 20.04
• ubuntu 16.04防止SSH暴力登录攻击
• Ubuntu:使用Fail2ban防止暴力破解SSH等服务
• UFW与fail2ban结合使用时的设置以及fail2ban的过滤器设置
• lightdm通过systemd控制开机自启动
• Fix ufw service not loading after a reboot
• Fix ufw service not loading after a reboot
• Fail2ban MANUAL 0 8
• Fail2Ban or DenyHosts to block invalid username SSH login attempts
• Fail2Ban: ban every root login attempt
• How to Unban an IP properly with Fail2Ban