This is a list of tips I’m using while running Fedora on my Raspberry Pi 2.
Modoboa for Fedora
I’ve recently discovered modoboa, a mail hosting and management platform which looks very promising. It uses Django and can be a frontend for postfix, amavisd-new, radicale, etc.
I’ve submitted some RPM packages based on the previous work of Didier, and will begin to do some tests in a couple of days to see how everything plays together.
Any help/suggestion is welcome.
Restore EFI boot entry
After clearing the CMOS in a computer, the EFI boot entry of my Fedora installation disappeared. To restore it, I booted a Live CD and registered it again:
# efibootmgr -c -w -d /dev/sda -l '\EFI\fedora\shim.efi' -L "Fedora"
fail2ban 0.9
With the recent release of fail2ban 0.9, there are very important improvements to the journal and firewalld integration. With these simple configurations, I get fail2ban working in Fedora 20 without a syslog daemon and avoid being DoSed by a local user.
/etc/fail2ban/fail2ban.local
[Definition]
loglevel = INFO
logtarget = SYSLOG
In /etc/fail2ban/jail.local we set the backend to systemd, so the journal is monitored directly. We also choose firewallcmd-ipset as the default action, so the rules are inserted with firewall-cmd and use the ipset facility. Finally, all the needed jails are enabled.
[DEFAULT]
backend = systemd
banaction = firewallcmd-ipset
bantime = 3600
[sshd]
enabled = true
[postfix]
enabled = true
[dovecot]
enabled = true
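One way a journal backend can resist log lines injected by a local user, shown as an added example (not code from the original post or from fail2ban): records are first filtered on the journald-set `_SYSTEMD_UNIT` field, then a failure pattern is applied. The sample records, the regex, `TRUSTED_MATCH` and `MAXRETRY` are assumptions made for illustration.

```python
import re
from collections import Counter

FAILREGEX = re.compile(r"Failed password for .* from (?P<host>\S+) port \d+")
# Assumed journal match for the sshd jail; a jail's real match lives in its filter file.
TRUSTED_MATCH = {"_SYSTEMD_UNIT": "sshd.service"}
MAXRETRY = 3  # assumed threshold, not a value from the post

def entry(message, comm, unit, uid):
    """Build one constructed journal record (shape of `journalctl -o json`)."""
    return {"MESSAGE": message, "SYSLOG_IDENTIFIER": "sshd",
            "_COMM": comm, "_SYSTEMD_UNIT": unit, "_UID": uid}

# Constructed sample: three real sshd failures, three lines written by a local
# user process that tags itself "sshd", and one successful login.
JOURNAL = (
    [entry("Failed password for root from 203.0.113.7 port 4711 ssh2",
           "sshd", "sshd.service", "0")] * 3
    + [entry("Failed password for root from 198.51.100.20 port 22 ssh2",
             "logger", "session-3.scope", "1000")] * 3
    + [entry("Accepted publickey for admin from 192.0.2.10 port 50022 ssh2",
             "sshd", "sshd.service", "0")]
)

def failures(records, trusted_only):
    """Count failed logins per source address.

    trusted_only=False judges the message text alone, like tailing a log file;
    trusted_only=True first requires the journald-set fields to match.
    """
    counts = Counter()
    for rec in records:
        if trusted_only and any(rec.get(k) != v for k, v in TRUSTED_MATCH.items()):
            continue
        m = FAILREGEX.search(rec["MESSAGE"])
        if m:
            counts[m.group("host")] += 1
    return counts

def to_ban(records, trusted_only):
    """Addresses that reached MAXRETRY failures, sorted."""
    return sorted(h for h, n in failures(records, trusted_only).items() if n >= MAXRETRY)

if __name__ == "__main__":
    print("text only:     ", to_ban(JOURNAL, trusted_only=False))
    print("trusted fields:", to_ban(JOURNAL, trusted_only=True))
```

Fields whose names start with an underscore are filled in by journald itself, so the injected lines keep the unit of the session that wrote them and never reach the pattern match.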
Configure fail2ban in Fedora 20 to use firewall-cmd and ipset
Note (October 20 2014): This post is outdated; please refer to the post fail2ban 0.9 for more up-to-date information.
fail2ban is a handy daemon that monitors the log files to identify connection attempts and other kinds of attacks and bans those IPs for a certain period of time.
Currently, fail2ban upstream is adding support for firewalld and the use of ipset, so some modifications to the stock config are needed.
First of all, install the needed packages. I add rsyslog because it’s not included in the default Fedora 20 installation and it’s needed to generate /var/log/secure. I hope fail2ban will support some day querying the journal directly.
dnssec-tools and bind authoritative name server in Fedora
Some time ago, I wrote a post about using dnssec-tools for managing an authoritative name server in CentOS; now I’m going to extend it to cover their usage in a Fedora system.
First of all, I’m going to use the latest version, which is currently not in the repositories. Download the source rpm, recompile and install the rpms:
$ mock -r fedora-19-x86_64 dnssec-tools-2.0-1.fc18.src.rpm
# yum install /var/lib/mock/fedora-19-x86_64/result/*rpm
The configuration of bind as authoritative name server /etc/named.conf:
Enabling ECC in Fedora and CentOS
Because of the recent revelations about PRISM, it feels like everybody is revisiting their security infrastructure.
After testing the available ciphers in the Apache web server for many hours, I realized that it’s impossible to get Perfect Forward Secrecy with Red Hat and its derivatives. See bug #319901.
I have decided to recompile openssl and apache for the servers I manage. I have uploaded the scripts I use to this repository: https://github.com/jorti/fedora-compile-with-ecc