I've had some issues with getting attack detector to work, but today I made some changes that finally got the postfix-sasl jail going and banning problem IPs. I'm not sure whether the cyrus-imap and openvpn jails are working correctly, as they haven't blocked anything yet.
Getting this running properly leads me to doing something about the https messages in the daily logwatch email.
Every day I get "A total of "x" sites probed the server". Some days it is quite a list.
I am running two very basic brochure websites using the built-in webserver.
I'm trying to figure out how to set up the jails for this. The examples I've found don't look similar to our jail.conf or "clear" specific jails.
1) Where are these "https probed the server" messages found in the logs? Are they in httpd/error_log, httpd/site1_com_error_log, httpd/site2_com_error_log?
A couple of questions about the following example from the web.
2) The action below doesn't look like anything in our jails. Is "action = iptables-multiport[name=auth, port="http,https"]" valid?
3) If we have multiple sites and multiple error_logs to search, can they be added in the logpath line, or are separate jails required for each website?
4) When our logs rotate, are the fail2ban IPs automatically cleared?
Thanks in advance.
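An added example (not from the post, and not a ClearOS file) of how such jails could be written in a jail.local, assuming the error logs live under /var/log/httpd/ with the names given in the post and that fail2ban's stock apache-auth and apache-noscript filters are used; the iptables-multiport action syntax and the multi-line logpath are standard fail2ban features:

```ini
# Added example jail.local. Assumed paths under /var/log/httpd/ follow the
# error_log, site1_com_error_log and site2_com_error_log names from the post.
[DEFAULT]
# Bans are tracked by fail2ban itself and expire after bantime (seconds);
# rotating the log files does not clear them, the backend just follows
# the new file.
bantime  = 3600
findtime = 600
maxretry = 5
backend  = auto
ignoreip = 127.0.0.1/8

# One jail can watch several files: list them one per line (indented
# continuation lines) or use a glob such as /var/log/httpd/*error_log.
[apache-auth]
enabled  = true
filter   = apache-auth
action   = iptables-multiport[name=apache-auth, port="http,https"]
logpath  = /var/log/httpd/error_log
           /var/log/httpd/site1_com_error_log
           /var/log/httpd/site2_com_error_log

# Requests for scripts that do not exist are typical of probing; the
# stock apache-noscript filter matches those lines in the same error logs.
[apache-noscript]
enabled  = true
filter   = apache-noscript
action   = iptables-multiport[name=apache-noscript, port="http,https"]
logpath  = /var/log/httpd/*error_log
```

After a restart, `fail2ban-client status apache-auth` lists the files the jail is actually watching and the IPs it has banned, which is the quickest way to confirm the logpath entries were picked up.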
Nick Howitt wrote:
OK. "Windows Domain Logons" was renamed to "Force SMB1 Protocol". You have it enabled so you have to force SMB1 in the mount.cifs command but we can see virtually no good reason to have "Force SMB1 Protocol" enabled any more, but were too scared to remove it when we renamed it in case there was an edge case which was important. I suggest you remove it at which point it will disappear from the webconfig. It can be added back at the command line if necessary.
Nick Howitt wrote: If you have a space in your file path, try quoting the full path or try everything:
Another reference I bumped into said to change the " " to "\040".
I have tried all sorts of different combinations of options but no luck so far. I have to take a break today.
I've tried all the vers options and only vers=2.0 seems to do anything better. Together with sec=ntmlv2 I get
So I think I've made some progress. :-(
Oh frig. When I turned the nas log to debug, it said
I reset the password when I started this challenge because I couldn't remember the original password. Apparently the change didn't work because when I removed the password (ie. blank) it connected. Put back the original password and all is OK.
Now I'll try the automount.
@Nick, thanks for your patience on this. How incredibly stupid on my side. I should have tried to reset the password a few iterations earlier.
A couple of questions, if you don't mind.
Nick Howitt wrote:
Some time ago I had to update the command on my Pi to:
Note the addition of the domain and vers parameters. Vers is the smb protocol and you may now find smb1 is being rejected for security reasons, but please make sure you have disabled "Windows 10 Domain Logons" in the Windows Networking Webconfig as it is no longer needed but will stop you using protocols above SMB1. I also had to add the domain - in my case the workgroup.
I was trying to get the basic mount command to work before I started on the automount as it looks like it would be more challenging to debug as a first step.
I can't find that setting in Windows Networking.
I have following settings:
Server Name: myServerName
Home Directories: enabled
Force SMB1 Protocol: enabled
WINS Support: disabled
WINS Server: blank
Mode: Simple Server
WINDOWS domain: COS
I have only 1 windows PC and that is from work. I rarely connect to the server.
I enabled Windows Networking so I could connect using a bunch of Macs. They have no problem connecting to the NAS using SMB, CIFS or AFP. I run TimeMachine backups to the server and for that I've been using CIFS on the Macs.
I haven't enabled NFS on the NAS as I hear it was slower than SMB, AFP or CIFS.
Note I think you have an error in your command:
should be:
Thanks for the suggestion. I may have gotten it wrong, but there is a space between the two words "Media" and "Share", i.e. "//192.168.102.22/Media Share/Movies". The spaces always mess me up. Should it be or or ? I'm using BASH.
Thanks for your help.
So I ended up using the mount command in a script to mount the external NAS drives. Then removed Plex and removed mount commands.
With some time now to try to get Plex DLNA going again, I decided to pick up from where I left off.
I wanted to test using the mount command before finally getting the automount to work. But, now I can't mount any of the drives. The NAS hasn't been updated. The NAS is running Freebsd 18.104.22.168 - Sandstorm (revision 775). I have SMB 2.0 enabled on the NAS.
From the command line I've been trying to mount CIFS. I get
mount error(22): Invalid argument
The command I've been trying (multiple variants, ver=2.1, sec=ntlm, etc., etc.):
I can't tell from the man page what I'm doing wrong.
I've spent a few hours reading many posts and stackexchange but nothing is working.
Is there something that I'm missing?
Thank you Nick for this. I spent an hour trying to figure this out before I chanced upon this note. I completely forgot (or didn't realize) that the check mark on a completely other setup screen (WAN) had this Automatic DNS checkbox.
I think that there should be a note on the IP Settings > Network about the Temporary DNS vs Automatic and where to find it. Can I log an improvement suggestion somewhere?
As of two days ago, I started to get the following message via anacron.
I am running the Content Filter and Proxy in transparent mode on Community 7.x.
I have Reset the Cache on the Proxy and will see if that restarts/finds whatever is missing.
Am I missing something else?
Thank you all for your help.
I thought I should give you an update.
Given some of the posts here and found through Google, I decided to try to rule out the replacement Access Point. I exchanged the new with the old Access Point to see if that might fix things.
As of the past 4 days, I've only had 1 changed ethernet connection and 1 flip flop. So I'm leaning towards the Access Point being the culprit.
I've contacted the Access Point supplier to see if by chance the box is sending out DHCP connections even when it is supposed to be turned off.
Will report back as I learn more.
Thank you Nick. Appreciate your help as always!
Is there a way to find out which "your_LAN_interface" is being used by the command?
Before I mess with the command, I should know what "your_LAN_interface" is being executed in the default state.
As I have 2 network segments, perhaps I need to add the second segment using the -n option? Maybe the default is our wired segment but not the wifi segment?
In the man page for arpwatch, it says:
I would like to keep arpwatch sending info when it really should, and if I turn off the emails then I won't get something when I really should look at it. So I'd really like to continue to try to figure out why this is happening.
Over the past week, I've started getting a lot of emails from arpwatch. I'm not sure how to figure out what has changed that this is now happening.
Typically I'm getting the following messages but also a few "changed ethernet address". The "changed ethernet" are not very often though.
Interestingly enough, this is only happening with a replacement wifi router in access point mode, one Macbook, an iMac and 3 iPhones. They are all using the WIFI network segment to connect. But we have other devices (Android, Chromecast) using WIFI on our network and they aren't having this problem. There are no issues on the wired segment of the network.
The access point has the same settings as the one it replaced. It had no problems like this before. I'm not 100% sure if this started happening after the replacement router was installed or if it started when arpwatch was updated in the 7.5 upgrade. The earliest arpwatch emails are from May 15th.
I've done a bunch of Googling and can't find anything relevant to my network or situation that might cause this. I am wondering if the Access Point is running a DHCP server despite it being disabled but I don't know how to check.
I would appreciate any suggestions on how to debug as the 20+ emails per day from arpwatch are getting very tedious.
Thanks in advance.