Friday, December 25, 2015

Fail2ban BAN-Forever!

OK, enough is enough. As per my previous blog about setting up fail2ban, there was this one persistent idiot who kept trying to break in my network. Due to fail2ban default setting, which un-bans previously banned IP, he could keep trying and trying and trying...

So, I came across this blog and set my systems as per following:

Modify fail2ban config:

vi /etc/fail2ban/fail2ban.conf
Make sure

log level = 3
logtarget = /var/log/fail2ban.log
Modify Logrotate config:

vi /etc/logrotate.d/fail2ban
Make sure

rotate 13
fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
# If fail2ban runs as non-root it still needs to have write access
# to logfiles.
# create 640 fail2ban adm
create 640 root adm
Add Repeat Offender rule:

vi /etc/fail2ban/jail.local
Add the following to the bottom of the line. This sets any IP that has been failing 10 times for a period of 365 days will be banned forever

# Repeated Offender to be banned forever
# if has been baned 10 times for 1 year

enabled  = true
filter   = repeatoffender
action   = repeatoffender[name=repeatoffender]
logpath  = /var/log/fail2ban*
maxretry = 10
findtime = 31536000
bantime  = -1
Create fail2ban Filter:

vi /etc/fail2ban/filter.d/repeatoffender.conf
Add the following to the file:

# Fail2ban configuration file
# this filter monitors the fail2ban log file and permanently bans the IP
# only works with iptables

_jailname = repeatoffender
failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+
ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]+Ban\s+
Create fail2ban Action:

vi /etc/fail2ban/action.d/repeatoffender.conf
Add the following to the file:

# Fail2Ban configuration File


before = iptables-blocktype.conf


# Option: actionstart
# Notes.: command executed once at the start of fail2ban
# Values: CMD

actionstart = iptables -N fail2ban-
              iptables -A fail2ban- -j RETURN
              iptables -I  -p  -j fail2ban-
              # Establish chain and blocks for saved IPs
              iptables -N fail2ban-ip-blocklist
              iptables -A fail2ban-ip-blocklist -j RETURN
              iptables -I  -p  -j fail2ban-ip-blocklist 
              cat /etc/fail2ban/ip.blocklist. |grep -v ^\s*#|awk '{print $1}' | while read IP; do iptables -I fail2ban-ip-blocklist 1 -s $IP -j REJECT --reject-with icmp-port-unreachable; done

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
actionstop = iptables -D  -p  -j fail2ban-
             iptables -F fail2ban-
             iptables -X fail2ban-
             # Remove chain and blocks for saved IPs to prevent duplicates on service restart
             iptables -D  -p  -j fail2ban-ip-blocklist
             iptables -F fail2ban-ip-blocklist
             iptables -X fail2ban-ip-blocklist

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
actioncheck = iptables -n -L  | grep -q 'fail2ban-[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
actionban = VERIFY="*"
            ADD="        # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): Perma-Banned"
            grep -q "$VERIFY" "$FILE" || iptables -I fail2ban-  1 -s  -j DROP
            grep -q "$VERIFY" "$FILE" || echo "$ADD" >> "$FILE"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
actionunban = # Do nothing becasuse their IP is in the blocklist file

# To manually unban from the ip blocklist file run this command:
# Be warned that if the ip is in log rotated files it must be whitelisted
# sed -i '/^/d' /etc/fail2ban/ip.blocklist.repeatoffender


# Default name of the chain
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT
that's it. to check the iptables, to show which IP is blocked there, just run:

iptables -L -n

Sunday, November 22, 2015

Bigpond SMTP Fails

That's right! my Bigpond Internet service fails to deliver!

Fail 1
It does not allow outbound SMTP from my network to anywhere else except their own SMTP server

Fail 2
It has got limited number email relay allowed per day or month

I understand this to block their customers become spammer. However, their solution is stereotyping every single one of their customers as spammers.

To avoid this I use gmail to relay my email, bypassing bigpond all together.
So what I did:

Create a new gmail account - specifically used for relaying only, which a very strong password


Install required software

sudo apt-get install mailutils libsasl2-2 ca-certificates libsasl2-modules
Create Gmail credential file

vi /etc/postfix/sasl_passwd
add the following content

Modify the credential file permissions

sudo chmod 400 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd
Copy the CA certificate

cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem
Modify main.conf and add the following line

relayhost = []:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes

sudo /etc/init.d/postfix reload
Now my outbound SMTP relay is going through Gmail SMTP server authenticated.

Sunday, October 25, 2015

OpenVPN + VPN Gate + Squid

OK, so I need a VPN tunnel for my Internet connection at home. I don't want client-to-site VPN as it will isolate all my traffic (e.g. not only HTTP/S) to the Internet. I want only my HTTP/S traffic to go to the VPN tunnel.

So I setup Ubuntu server with OpenVPN client and Squid Proxy. This server has got 2 vNICs. One is facing the Internet and the other want is facing the internal network. The goal is to have this server establishes OpenVPN connection to VPN Gate from its primary interface and listen to the proxy connection on the secondary interface.

This way, I can use my browser to use Squid proxy and my Internet traffic is going through the VPN tunnel

Install OpenVPN client
Install OpenVPN with the following command

#> sudo apt-get install openvpn curl unzip dnsmasq-base wget

Download VPN Gate .ovpn file
Go to and download OpenVPN Config File. This can be TCP or UDP. Save this file to /etc/openvpn/ and change its extension from .ovpn to be .conf

Install Squid
Install Squid3 with the following command

#> sudo apt-get install squid3

Modify Squid.Conf
This modification is to set Squid to use google DNS servers for its resolution instead of using OpenVPN Client auto configuration

#> sudo vi /etc/squid3/squid.conf

find dns_nameservers and change it to:

Restart Squid
Restart Squid daemon to make the change

#> sudo service squid3 restart

Launch OpenVPN Client
Start VPN client connection to VPN Gate using the file downloaded earlier

#> sudo openvpn /etc/openvpn/vpngate.conf

The reason changing the .ovpn to .conf, is because by default if you put any file in the /etc/openvpn/ folder with .conf, it will be treated as configuration file by OpenVPN and it will launch itself every time the server is restarted

Browser Proxy
Now you can set your browser proxy to us the internal IP address of this server and port number 3128 as the proxy server and the traffic will be tunnelled to the VPN tunnel


Saturday, September 26, 2015

XenDesktop 7.6 Multiple Screen with Desktop Viewer

By default when Desktop Viewer is enabled, it does not span on multiple screen. When it is maximizes, it only maximizes on one screen. To have it utilizes multiple screen, do:

Enable Desktop Viewer
Login to your StoreFront Server
Navigate to C:\inetpub\wwwroot\Citrix\<your store or receiver web>\
Edit web.config
Find showDesktopViewer="true" and make sure the value is true, not false

Enable Force Full Screen
Login to your StoreFront Server
Navigate to C:\inetpub\wwwroot\Citrix\<your store>\App_Data\
Edit default.ica
Find [Application] 
Add DesktopViewer-ForceFullScreenStartup=true under that tag

Propagate your change across your  Server Group

Tuesday, September 15, 2015

NetScaler 10.1 Custom Theme

Custom theme for NetScaler is a quick win to maximum appearance on the Access Gateway login page. With custom theme, the changes you made will persist on NetScaler reboot.

To edit/create a new theme, using winscp or filezilla connect to NetScaler and take a backup of:


on your local backup copy, start making changes:

put your pictures in /media
put your css changes in /css
put you html adjustment in index.html
put localised string in /resource/en.xml

Once the adjustment is done, upload the files back to /netscaler/ns_gui

To record the changes as a custom theme do the following:

mkdir /var/ns_gui_custom
cd /netscaler
tar -zcvf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*

this creates customtheme.tar.gz in the /var/ns_gui_custom folder

Now you can login to NetScaler, navigate to Global Settings and change the theme to custom
all done!

To make adjustment to this custom theme, you do:

edit /var/ns_gui_custom/ns_gui
rm /var/ns_gui_custom/customtheme.tar.gz
cd /var/ns_gui_custom
tar -zcvf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*

that's it

Wednesday, August 26, 2015

Google Authenticator for Ubuntu

I am running SSH on Ubuntu and publish this service on my firewall so that I can remotely login. I used fail2ban to block IP address that is trying to brute-force his way in to my SSH server. I also setup notification so that I get email notification whenever someone is either successful login or not.

I think I need more than that, so today decided to dual-factor my SSH entrance :)

Running Ubuntu, I just need to run:

sudo apt-get install libpam-google-authenticator

This will install the lib for google authenticator
Then login to to system as the user who I want to be dual-factor authenticated, I run:


this will prompt me a lot of question and I answered accordingly.
this also give me a QR code that I can add to my Google Authenticator apps.

Next is to edit /etc/pam.d/sshd and add the following line:

auth required

Next is to edit /etc/ssh/sshd_config, and find the following line and change it:

ChallengeResponseAuthentication yes

Next is to restart the SSH service:

sudo service ssh restart

Then test it!!

Thursday, July 30, 2015

Hello Windows 10!

Today, I installed Windows 10 Enterprise x64 Edition, and it looks great!!

Look at that, how slick does it look? I like it! 
More to come on this blog about Windows 10.. stay tune.

Saturday, June 27, 2015

SCCM 2007 R2 Software Updates Diagram

My SCCM 2007 R2 Software Update relationship diagram.

Search Folder
This contains all the updates metadata that meets the criteria, e.g. superseded: no, expired:no, etc

Update List
This is the list of updates that are selected from search folder. I use this update list per month basis, e.g. Jan 2015, Feb 2015. This way, a compliance report can be run agains a specific update list. 

Deployment Packages
This is the deployment package that gets deploy to the Distribution Point. I use the same deployment package for a specific product, for example I have "Windows Server 2012 R2" deployment package for all updates of Windows Server 2012 R2, respectively of their month.

Deployment Management
This is the deployment task that is created for a specific collection.

A collection of computers that is targeted for software updates

What to do every month to patch machines?
  • Go to the search folder, select all the updates for this month for a specific product 
  • Right click and select Download Software Updates, target the deployment packages for that product. Don't forget to update Distribution Point
  • Right click and select Update List, create a new Update list for this month.
  • From the newly created Update List, select all the updates and click-and-drag them to the Deployment Task for a specific collection that you want to install the updates on
  • Check the software available and installation deadline for that Deployment task

Tuesday, May 12, 2015

PowerShell List Volumes

Just a quick PowerShell to get the list of volumes on your server

Get-wmiobject Win32_volume | Select Name, @{n="Capacity (GB)";e={$_.Capacity/1GB}},@{n="Freespace (GB)";e={$_.Freespace/1GB}}

Sunday, April 26, 2015


OK, So I have a requirement to host one of my domains internally. The reason for this is because I would like to be able to learn more about BIND9 as well as having flexibility to do Dynamic DNS.

I spawned a VM and install Ubuntu on it. During the installation, I selected DNS server as part of the feature to be installed.

Here are the steps I took to set it up:

Step #1 - Edit /etc/bind/named.conf.local

key "" {
        algorithm hmac-md5;
        secret "w81WcwhateverhereGnCQ==";

zone "" {
        type master;
        allow-update { key ""; };
        journal "/var/cache/bind/";
        file "/etc/bind/master/";


The key section is used for the automatic update using nsupdate tool which is part of BIND installation package. the secret value is generated by using the following:

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST

This tool generates 2 files = .key and .private
open the .key file and copy the key, e.g. w81WcwhateverhereGnCQ==, and put it in the key section above. 

Note: That is NOT my KEY -

Then you need to save the .private file and keep is safe to be used later with nsupdate

The zone section is where my DNS zone is configured

Step #2 - Create Zone File

Create a master folder within /etc/bind
Copy /etc/bind/db.local to /etc/bind/master/
Change permission on the folder

chown -R bind:bind /etc/bind/master
chmod 775 -R /etc/bind/master

Step #3 - Edit /etc/bind/master/

Edit the file and adjust the content to suit your need
Restart the BIND process:

sudo /etc/init.d/bind9 restart

Have a look the syslog file to make sure everything is OK

tail -f /var/log/syslog

Step #4 - Create Dynamic DNS Script File

Create file with the following content:

# This script fetches the current external IP Address, writes out an nsupdate file
# Then performs an nsupdate to our remote server of choice
# This script should be placed on a 10 minute crontab

WGET=$(which wget)
ECHO=$(which echo)
NSUPDATE=$(which nsupdate)

IP=$($WGET -q -O -|sed -e 's/.*Current IP Address: //' -e 's/<.*$//')


if [ -f $IP_FILE ]
        #Get file content
        $ECHO "File IP exists with the content: $IP_OLD"
        $ECHO "Old IP: $IP_OLD"

        if [ "$IP_OLD" == "$IP" ]
                $ECHO "IP is not changing: $IP"
                $ECHO "IP changes. OLD IP: $IP_OLD, NEW IP: $IP"
                $ECHO "$IP" > $IP_FILE
        $ECHO "File IP does not exist, creating one..."
        $ECHO "$IP" > $IP_FILE

$ECHO "server" > /tmp/nsupdate
$ECHO "debug yes" >> /tmp/nsupdate
$ECHO "zone" >> /tmp/nsupdate
$ECHO "update delete A" >> /tmp/nsupdate
$ECHO "update add 600 A $IP" >> /tmp/nsupdate
$ECHO "update delete A" >> /tmp/nsupdate
$ECHO "update add 600 A $IP" >> /tmp/nsupdate
$ECHO "send" >> /tmp/nsupdate

$ECHO "Is Update: $IS_UPDATE"

if [ "$IS_UPDATE" == "yes" ]
        $NSUPDATE -k /home/ddns/ -v /tmp/nsupdate 2>&1
        $ECHO "Updating..."

The script does the following:
  • Get the Public IP address from
  • Check whether or not the IP has changed from the previous pooling. This is done by storing the IP to a file and compare it on the next query
  • If the IP has changed, run nsupdate
Notice the .private key is used here.

Then you can do cronjob to run regularly

Wednesday, March 25, 2015

VMware VCAP5-DCA Passed

Today I sat on the exam for VCAP5-DCA. Before the exam, I was googling the Internet for the experience and everyone says time management is the main issue. You know what? They all are right! It was 23 questions for 180 minutes.

I was struggling to answer the questions to the last seconds!

I was skipping the questions that I thought was going to take a while and marked the question number on the plastic paper provided and went back to them later. I did the easy one first until the end and got back to the question numbers I marked on the paper.

The blueprint spots on, I was asked about:

  • Distributed vSwitch, Static vSwitch
  • vCO
  • PowerCLI
  • HA
  • DRS
  • SNMP
  • SATP
  • SSL Certificate
  • Traffic Blocking
  • SSO
  • Users, Groups and Roles
  • Performance Graphs
  • vSphere Replication
  • and much more :)
To be honest, it was stressing exam. You were given scenario and you need to follow the instruction. The stress bit for me is that after you do it, you are not sure whether or not you did it correctly. 

I finished the test at 4PM and was told that it is going to take 15 business days to get the result. I got the email result at 4:30PM! and I PASSED!!! with the score 403

Sunday, February 01, 2015

VCAP5-DCA Study Guide

I have been studying for this VMware VCAP5-DCA exam for the last 2 months. This exam is for vSphere 5.5.

One of the best study guides is to watch Jason Nash's VMware vSphere Optimize & Scale

Then I read the VCAP5-DCA Official Cert Guide:

The last one is to do the VMware Hands On Lab which is the best for you to use it for lab and try some of practice concepts.

Thursday, January 29, 2015

VMware vCenter Operations Manager

Just been trained on VMware vCOPS recently and below is the "OO" style of objects relationship

Wednesday, January 07, 2015

QNAP Reset Permissions

To reset QNAP file share permissions

SSH login to it

[#] set_volume_mode <Share Name>

For example

[#] set_volume_mode Public
Volume: news
Path: /share/MD0_DATA/news

this will Set directory mode to 0777 and file mode to 0666(keep execute permission)