How to send fail2ban notification with Telegram (telegram-cli)

This is a a guide to integrate Telegram messaging service Fail2Ban. With this integration, Fail2Ban notification will be sent through Telegram services.

t_logo

Requirements

  1. You need to have Fail2ban installed in your systems.
  2. Install or compile “telegram-cli”, refer to this guide to compile telegram-cli or install it from *.deb (Ubuntu LTS) AMD64

Setting Up Fail2Ban with Telegram

After installing ‘telegram-cli’ and its requirements, you should proceed to add ‘telegram.conf’ config in /etc/fail2ban/action.d

The content of telegram.conf is as follows.

#
# /etc/fail2ban/action.d/telegram.conf
#
# Author: Toon Ketels
# Modified by: Mohammad Hafiz bin Ismail [mypapit @gmail.com]
#
# $Revision$
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = /usr/share/fail2ban/fail2ban-telegram.sh start

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = /usr/share/fail2ban/fail2ban-telegram.sh stop

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    [ip]  IP address
#          [failures]  number of failures
#          [time]  unix timestamp of the ban time
# Values:  CMD
#
actionban = /usr/share/fail2ban/fail2ban-telegram.sh ban [ip]

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    [ip]  IP address
#          [failures]  number of failures
#          [time]  unix timestamp of the ban time
# Values:  CMD
#
actionunban = /usr/share/fail2ban/fail2ban-telegram.sh unban [ip]

[Init]

init = 'Fail2Ban Telegram plugins activated"


Then, you need to create a script file in /usr/share/fail2ban/fail2ban-telegram.sh.

#!/bin/bash
# /usr/share/fail2ban/fail2ban-telegram.sh
#
# Sends text messages using telegram api
# to alert server administrator of ip banning.
#
# Requires one argument, one of the following:
#  start
#  stop
#  ban
#  unban
#
# Optional second argument: IP for ban/unban




#replace this with your own telegram contact

to=Telegram_peer_replace_this

# Display usage information
function show_usage {
  echo "Usage: $0 action [ip]"
  echo "Where action is start, stop, ban, unban"
  echo "and ip is optional passed to ban, unban"
  exit
}



# Actually send telegram messages
# Expects the telegram content (body) to be passed
# as argument.
function send_telegram {

  msg="[`date -Iminutes`] - `hostname`:  Notice: $1 "
  echo "$msg" >> /var/log/fail2ban-telegram.log
 (echo "contact_list";sleep 30;echo "msg $to $msg"; echo "safe_quit") | telegram-cli
  exit
}



# Check for script arguments
if [ $# -lt 1 ]
then
  show_usage
fi



# Take action depending on argument
if [ "$1" = 'start' ]
then
  message="Fail2ban just started."
  send_telegram "$message"
elif [ "$1" = 'stop' ]
then
  message="Fail2ban just stopped."
  send_telegram "$message"
elif [ "$1" = 'ban' ]
then
  message=$([ "$2" != '' ] && echo "Fail2ban just banned $2" || echo 'Fail2ban just banned an ip.' )
  send_telegram "$message"
elif [ "$1" = 'unban' ]
then
  message=$([ "$2" != '' ] && echo "Fail2ban just unbanned $2" || echo "Fail2ban just unbanned an ip." )
  send_telegram "$message"
else
  show_usage
fi

After that, you need to ensure that the script is executable, by running.

sudo chmod a+rwx /usr/share/fail2ban/fail2ban-telegram.sh

Then, you need to edit “/etc/fail2ban/jail.conf” file to hook the action plugin with events. In this case, I choose the ssh and sshd events.

sudo nano -c /etc/fail2ban/jail.conf

Then proceed to find the [ssh] and [ssh-ddos] part. Add ‘telegram’ config in the file. Replace the “webmaster@example.com” email address with your email address.

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
action = mail-whois[name=SSH, dest=webmaster@example.com]
         telegram

Now go to the “ssh-ddos” section, repeat the same step.

[ssh-ddos]

enabled  = true
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 4
action = mail-whois[name=SSH, dest=webmaster@example.com]
         telegram

Finishing up: Restart Fail2Ban

Finish up by restarting fail2ban server, and if you done it correctly you will be receiving both telegram messages and email notification regarding fail2ban startup!

sudo service fail2ban restart

Sample Screenshot

telegram-fail2ban

Congratulations!!

How to build and use telegram-cli client for Linux

You can actually send Telegram message from command-line interface / bash in Linux using an unofficial telegram-cli client by Vitali Valtman (vysheng)

Obtaining and Compiling telegram-cli

But first, before sending telegram messages, you need to build the client. You may start by installing its dependencies

 sudo git apt-get install libreadline-dev libconfig-dev libssl-dev lua5.2 liblua5.2-dev libevent-dev libjansson-dev libpython-dev make 

Then, you can get the latest telegram-cli client from vysheng GitHub

 git clone --recursive https://github.com/vysheng/tg.git && cd tg

Afterwards, you may configure ‘telegram-cli’ and compile it

./configure
make

Alternative Download
Alternatively, you can download Telegram source code from my server:

  1. https://mypapit.net/pub/telegram-cli/tg.tar.bz2
  2. https://mypapit.net/pub/telegram-cli/tg.tar.xz

 

Running telegram-cli

After finished compiling telegram-cli, you may try and start using telegram.

bin/telegram-cli -k tg-server.pub

For first time use, you may need to key in the authorization code, the code will be sent to your mobile device to allow ‘telegram-cli’ to log as your username.

bin/telegram-cli -u  -k tg-server.pub

In my experience you may need to replace the +[country_code] phone-number with ’00’. so if your phone number includes country code is +60123456789, then you must replace it with 0060123456789 (however, your mileage may vary.

bin/telegram-cli -u 00123456789 -k tg-server.pub

Once the authorization CODE has been entered, you are free to use telegram. Telegram use the concept of ‘peer’ (contact) to send messages instead of phone number. So in order to get a list of your peer, you need to run “contact_list” command.

telegram-cli-contact-list

> contact_list
John_T_Doe
Jane_doe_2
Warrick_Brown
Mark_Nelson

To send message to a peer/contact (for example to Warrick Brown), just type

> msg Warrick_Brown "wassup, dude? want to hang out today?"

To quit, you can type

#telegram-client
> safe_quit

NOTE: IF YOU FAIL TO COMPILE TELEGRAM FROM GITHUB
If you find it difficult or failed to compile telegram-cli from GitHub, then you can download this telegram-cli source code from my server which is tested to compile under Raspbian Jessie, Debian Jessie, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.

Alternative Telegram source code:

  1. https://mypapit.net/pub/telegram-cli/tg.tar.bz2
  2. https://mypapit.net/pub/telegram-cli/tg.tar.xz

How to quickly become firewall expert with UFW !

Uncomplicated Firewall (UFW) is a helper tool which allows you to quickly setup iptables firewall in any Ubuntu server. It is installed by default and it allows you to secure your server at no time!

Basic UFW

Basic UFW: Check Status
You can check UFW by running this command. The verbose argument prints additional information such as UFW profiles, logging settings.

The ‘numbered’ argument prints the list of rules with line number. I’ll explain later on the use of this feature.

sudo ufw status
sudo ufw status verbose
sudo ufw status  numbered

Basic UFW: Enable and Disable Firewall
You can easily enable and disable firewall by specifying ‘disable’ and ‘enable’ argument.

Warning : Please do not enable UFW if you’re connecting using SSH connection to your Ubuntu box, you might be disconnected.

sudo ufw disable
sudo ufw enable

Basic UFW: Setting up default rule and Enabling SSH
A lot of you might be connecting to Ubuntu box using SSH connections, so the first step is to setup a default rule and enabling SSH connection.

Deny incoming connection

sudo ufw default deny incoming

Allow incoming SSH connection

sudo ufw allow ssh

Alternatively you can write:

sudo ufw allow 22/tcp

Finally, enable firewall

sudo ufw enable

You can check the firewall rules by running

sudo ufw status

Basic UFW: Enabling other service: HTTP, HTTPS

Enabling web server port and https is as easy as running

sudo ufw allow http
sudo ufw allow https

Basic UFW: Deleting rule
You can delete UFW rule by running

sudo ufw delete allow https

or by specifying its port and protocol

sudo ufw delete allow 443/tcp

Additionally you could also delete rule using its number by running “ufw status numbered” first

sudo ufw status numbered
ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)

Then pick a firewall rule based on its number to delete, I picked number 3 and 6, because I want to delete https rule

sudo ufw delete 3
sudo ufw delete 6

UFW will print a confirmation prompt and you can continue deleting the firewall rules

/home/mypapit# ufw delete 6
Deleting:
 allow 443
Proceed with operation (y|n)? y   
Rule deleted (v6)

/home/mypapit# ufw delete 3
Deleting:
 allow 443
Proceed with operation (y|n)? y
Rule deleted

Intermediate UFW

Intermediate UFW: Deny access from ip address or ip block
You can prevent certain ip address or ip blocks / subnets from reaching your server by running:

sudo ufw deny from 172.18.44.12

Deny an ip address subnet

sudo ufw deny from 172.18.44.0/24

Deny an ip address subnet, example #2

sudo ufw deny from 172.16.0.0/16

Intermediate UFW: Allow services to be connected from certain ip address or subnet
In this case, I will only allow certain ip address to connect to my SSH port.

First we delete the old – “allow all” SSH rule

sudo ufw disable
sudo ufw delete allow ssh

Then we add ip address to be allowed to connect to SSH port

sudo ufw allow from 192.168.20.40 to any port ssh

Alternatively, you could also specify port number and protocol

sudo ufw allow from 192.168.20.40 to any port 22 proto tcp

Only allow SSH connections from certain subnets

sudo ufw allow from 192.168.20.0/24 to any port 22 proto tcp

Note: Adding firewall rules to only allow SSH connection from certain subnets would increase the server security, further reducing brute-force attack.

Further Reading: Ubuntu Server Administrator Reference

Python code: List most popular URL from Apache/NGINX ‘access.log’ file

Found a great Python code snippet for listing the most popular URL from Apache / NGINX ‘access.log’ file. Very practical!

import collections

logfile = open("access.log", "r")

clean_log=[]

for line in logfile:
    try:
        # copy the URLS to an empty list.
        # We get the part between GET and HTTP
        clean_log.append(line[line.index("GET")+4:line.index("HTTP")])
    except:
        pass

counter = collections.Counter(clean_log)

# get the Top 50 most popular URLs
for count in counter.most_common(50):
    print(str(count[1]) + "\t" + str(count[0]))

logfile.close()

The code is very handy if you want to find out the most popular URL or pages in your website, crucial information for optimization, IMHO.

How to install NGINX with PageSpeed module in Ubuntu LTS / Debian

UPDATE: You can now install NGINX with PageSpeed in Ubuntu LTS with deb package: https://blog.mypapit.net/2015/08/install-nginx-with-pagespeed-using-deb-for-ubuntu-lts-amd64.html

INSTALLING NGINX USING UBUNTU APT-GET SOURCE
PageSpeed modules are open source modules developed by Google Inc that can perform website optimization to ensure faster site delivery, automatically.

PageSpeed module is not included in NGINX installation in Ubuntu or Debian. So you need to recompile NGINX together with PageSpeed module, to enable its functionality.

You can install NGINX 1.8.0 with PageSpeed for Ubuntu 14.04 LTS here, using dpkg:
or you can compile it from source code using apt-get.

There are several steps to this method, first you need to get the latest nginx stable (or mainline) from PPA (optional)

#this step is optional, only if you want to get the latest Ubuntu version of nginx

sudo apt-get -y install software-properties-common

sudo -s

nginx=stable # use nginx=development for latest development version
add-apt-repository ppa:nginx/$nginx

apt-get update 

apt-get -y upgrade

Then, you’ve to install dpkg-dev, unzip utility and nginx source from apt repository

apt-get -y install dpkg-dev unzip

apt-get install nginx

apt-get source nginx

After that, you need to download PageSpeed module, this instruction is adapted from

https://developers.google.com/speed/pagespeed/module/build_ngx_pagespeed_from_source

**note replace ${NGINX_VERSION} with the version of NGINX available from apt-get, in my case – its “1.8.0”

cd
export NPS_VERSION=1.9.32.4
export NGINX_VERSION=1.8.0

wget -c https://github.com/pagespeed/ngx_pagespeed/archive/release-${NPS_VERSION}-beta.zip

unzip release-${NPS_VERSION}-beta.zip

cd ngx_pagespeed-release-${NPS_VERSION}-beta/

wget -c https://dl.google.com/dl/page-speed/psol/${NPS_VERSION}.tar.gz

tar -xzvf ${NPS_VERSION}.tar.gz

cd nginx-${NGINX_VERSION}

Install all build dependencies (your configuration may varies, but i keep it within default Ubuntu configuration.

apt-get -y install libpcre3-dev libssl-dev libxslt1-dev libgd-dev libgeoip-dev geoip-bin geoip-database libpam0g-dev zlib1g-dev memcached

Then configure nginx, remember to replace ${NGINX_VERSION} with your current version of NGINX. In my case, its “1.8.0”

cd nginx-${NGINX_VERSION}

./configure  --with-cc-opt='-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=debian/modules/nginx-auth-pam --add-module=debian/modules/nginx-dav-ext-module --add-module=debian/modules/nginx-echo --add-module=debian/modules/nginx-upstream-fair --add-module=debian/modules/ngx_http_substitutions_filter_module --sbin-path=/usr/local/sbin --add-module=$HOME/ngx_pagespeed-release-${NPS_VERSION}-beta

After that, run make and make install

make

make install

The newly compiled nginx will be installed in “/usr/local/bin” without overwriting the original binary file.

Create nginx-pagespeed /etc/init.d file

Optionally you may duplicate nginx in init.d, and rename it to nginx-pagespeed, and stop the original nginx server

cp /etc/init.d/nginx /etc/init.d/nginx-pagespeed

sed -i 's|/usr/sbin/nginx|/usr/local/sbin/nginx|g' /etc/init.d/nginx-pagespeed

service nginx stop

You may also enable basic PageSpeed config in /etc/nginx/conf.d/

nano /etc/nginx/conf.d/pagespeed.conf

And add these basic PageSpeed config

#file /etc/nginx/conf.d/pagespeed.conf
        pagespeed on;
        pagespeed FetchWithGzip on;

        pagespeed FileCachePath /run/shm/pagespeed_cache;
        pagespeed RewriteLevel CoreFilters;

Save the file, and test nginx config, after that, start nginx-pagespeed service.

/usr/local/sbin/nginx -t

service nginx-pagespeed start

**Note: This instruction has been tested under Ubuntu 14.04 LTS with nginx 1.8.0 from ppa:nginx/stable respository. The LTS is chosen because it has much longer support for server, and nginx 1.8.0 supports both spdy 3.1 and latest PageSpeed.

***Please share any thoughts or opinion or suggested correction if this guide didn’t work for you. Thanks!!

Recommended Reading

Check public IP address with checkip.mypapit.net

You can now check your public IP Address by visiting checkip.mypapit.net.

The website will display your public IP Address (or your anonymous proxy IP Address). As usual, this service is provided without any warranty.

Additionally, you can also check IP Address from bash command line using this curl/wget trick.

wget -qO - checkip.mypapit.net
curl -o - checkip.mypapit.net

Connecting blog with IFTTT !

I’ve managed to connect this blog with IFTTT! However due to certain security restriction that I’ve enforced on this blog to curb spammers and unauthorized access (aka crackers), I’ve decided against connecting my blog directly through XMLRPC endpoint. So I’ve use RSS/ATOM feeds instead.

IFTTT is a wonderful service which allows you to connect various services to perform automated task on another web service. Very convenient for busy people!

ifttt

*IFTTT stands for “If this, then that” which is a programming metaphor in basic automatic decision making or branching.