Hestia 1.2.0 RC - WE NEED YOU!

arktex54 · June 23, 2020, 11:27pm

It’s a symlink I use for keyboarding. Typing /usr/local/vesta/bin/ for years is natural. putty_2020-06-23_18-26-19

kpv · June 23, 2020, 11:27pm

Btw the “ipset” pkg should probably be added to the installer (as should the user-space “apparmor” pkg).

I find the combination of ipsets and certain iptables modules (e.g. hashlimit) to be invaluable in production Internet servers for taking “preventive” measures (since 60-80% of malicious traffic comes from specific countries).

eris · June 23, 2020, 11:32pm

Ipset and apparmor are allready in the new installer…

github.com

hestiacp/hestiacp/blob/master/install/hst-install-ubuntu.sh

#!/bin/bash

# Hestia Ubuntu installer v1.0

#----------------------------------------------------------#
#                  Variables&Functions                     #
#----------------------------------------------------------#
export PATH=$PATH:/sbin
export DEBIAN_FRONTEND=noninteractive
RHOST='apt.hestiacp.com'
GPG='gpg.hestiacp.com'
VERSION='ubuntu'
HESTIA='/usr/local/hestia'
LOG="/root/hst_install_backups/hst_install-$(date +%d%m%Y%H%M).log"
memory=$(grep 'MemTotal' /proc/meminfo |tr ' ' '\n' |grep [0-9])
hst_backups="/root/hst_install_backups/$(date +%d%m%Y%H%M)"
arch=$(uname -i)
spinner="/-\|"
os='ubuntu'
release="$(lsb_release -s -r)"

This file has been truncated. show original

arktex54 · June 23, 2020, 11:33pm

Here’s the primary and production server:
vivaldi_2020-06-23_18-33-07

arktex54 · June 23, 2020, 11:36pm

I installed that script today. It either didn’t install or something happened when the GUI wrote the conf files.

putty_2020-06-23_18-35-55

kpv · June 23, 2020, 11:38pm

@Lupu what would be the recommended method to use my own firewall rules on a Hestia server?

I usually install iptables-persistent with a custom iptables rule-set. Typically, I filter inbound traffic with geoIP ipsets, then use either hashlimit or recent modules block offenders. One could even add offender IPs to an ipset, see https://volkan.xyz/insane-iptables-examples-that-make-nearly-everything-possible/

PS: I haven’t used fail2ban since 2010 … It used to block offender IPs using a separate iptables rule for each IP, which resulted in huge rules.

Lupu · June 23, 2020, 11:44pm

@arktex54 It’s getting very difficult to follow your problem, please describe the steps one would have to do to reproduce your issue starting from a clean Debian10.

@kpv I would prefer to keep this thread focused on problems found when upgrading to Hestia v1.2.0 (which has support for ipset, blacklist and country wide lists)

kpv · June 23, 2020, 11:51pm

@eris I’m using Debian (9 & 10).

Installing HestiaCP v1.1.1 and upgrading to 1.2.0 produced a server with neither ipset nor apparmor (user-space) pkgs.

Looking at git master, the ipset pkg will be installed on a fresh 1.2.0 installation, but not apparmor pkg.

Lupu · June 23, 2020, 11:55pm

Should be installed automatically only if it is used:

github.com

hestiacp/hestiacp/blob/b96c78004df191c939110d0e628c5913c2158701/bin/v-add-firewall-ipset#L63-L70


# Install ipset package if missing
if [ -z "$IPSET_BIN" ]; then
    apt-get --quiet --yes install ipset > /dev/null
    check_result $? "Installing ipset package"

    IPSET_BIN="$(which ipset)"
    check_result $? "ipset binary not found"
fi

arktex54 · June 24, 2020, 12:01am

Debian 10

wget https://raw.githubusercontent.com/hestiacp/hestiacp/release/install/hst-install.sh
bash hst-install.sh

reboot

setup as needed…
upgrade

wget https://apt.hestiacp.com/beta/hestia_1.2.0_amd64.deb
wget https://apt.hestiacp.com/beta/hst-debian-10/hestia-nginx_1.17.10.deb
wget https://apt.hestiacp.com/beta/hst-debian-10/hestia-php_7.4.6.deb
dpkg -i hestia-nginx_1.17.10.deb
dpkg -i hestia-php_7.4.6.deb
apt update
apt install -f
dpkg -i hestia_1.2.0_amd64.deb
rm hestia_1.2.0_amd64.deb hestia-nginx_1.17.10.deb hestia-php_7.4.6.deb

Go to admin panel
Server → Firewall → IPset → Add Ipset … Save → Error

kpv · June 24, 2020, 12:18am

@Lupu regarding ipset, the installer won’t install ipset if either iptables or fail2ban are un-selected. I would suggest that you do it only in case of the former. So:

if [ "$iptables" = 'no' ] || [ "$fail2ban" = 'no' ]; then
    software=$(echo "$software" | sed -e "s/fail2ban//")
    software=$(echo "$software" | sed -e "s/ipset//")
fi

becomes:

if [ "$fail2ban" = 'no' ]; then
    software=$(echo "$software" | sed -e "s/fail2ban//")
fi
if [ "$iptables" = 'no' ]; then
    software=$(echo "$software" | sed -e "s/ipset//")
fi

kpv · June 24, 2020, 12:25am

@arktex54 I’ve just tried defining an ipset on a Debian 10 with HestiaCP 1.2.0

root@vm05:~# dpkg -l|fgrep hestia
ii  hestia                            1.2.0                                                          amd64        hestia
ii  hestia-nginx                      1.17.10                                                        amd64        hestia Nginx
ii  hestia-php                        7.4.6                                                          amd64        hestia php-fpm
root@vm05:~# cat /etc/os-release |fgrep VERSION
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
root@vm05:~#

I just tried adding an ipset for e.g. China: Server -> Firewall -> IPset -> Add IPset … Save -> Error) due to using _ (valid char btw) geoip_china, so I changed the ipset’s name to geoip-china and it worked:

# ipset -L -n
geoip-china
# ipset -L |more
Name: geoip-china
Type: hash:net
Revision: 6
Header: family inet hashsize 2048 maxelem 1048576
Size in memory: 21848
References: 0
Number of entries: 5334
Members:
43.226.32.0/19
203.8.184.0/24
103.248.64.0/22

Lupu · June 24, 2020, 12:26am

Makes sens, will take a look. Doing a debian install now to reproduce @arktex54 issue

Lupu · June 24, 2020, 12:55am

@arktex54 Done testing debian10 exactly as you described, but could not reproduce your issue. ipset func worked as expected after upgrade to 1.2.0

kpv · June 24, 2020, 1:20am

@Lupu I’ve noticed your very nice work with building a “meta-ipset” of blacklists with /usr/local/hestia/install/deb/firewall/ipset/blacklist.sh

May I suggest adding in blacklist.sh the SpamHaus EDROP list (EDROP is an extension of the DROP list that includes suballocated netblocks controlled by spammers or cyber criminals. EDROP is meant to be used in addition to the direct allocations on the DROP list) to the regular DROP list – see https://www.spamhaus.org/drop/

Also a question: is it possible to create a “complex” ipset rules ? E.g. I often use rules like “match-set blacklist_net src ! match-set whitelist_net src” so I wouldn’t get locked out of my server if my IP were to be added accidentally.

# diff /tmp/blacklist.sh-new /usr/local/hestia/install/deb/firewall/ipset/blacklist.sh
12,13c12
<     "https://www.spamhaus.org/drop/drop.txt" # Spamhaus Don't Route Or Peer List (DROP)
<     "https://www.spamhaus.org/drop/edrop.txt" # Spamhaus Extended Don't Route Or Peer List (EDROP)
---
>     "https://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
#

Lupu · June 24, 2020, 2:01am

Will take a look, but the way I implemented the ipset was to be pretty generic and easy to create other custom lists. I don’t plan to update that blacklist script very regulary as there is no perfect solution, different sysadmins have different preferences/requirements.

v-add-firewall-ipset accepts 3 types of data sources: url, script, file (PR)
-one ip prefix per line, empty lines or starting with ‘#’ are ignored
-the script: datasource can be used on-demand to cleanup and compile different sources and print the result to stdout.
-the file: data source is to be used when you have a external system that compiles the lists and pushes it to the server or when it gets updated continuously by a different app like fail2ban or a bgp stream etc.

kpv · June 24, 2020, 6:01pm

Wrt minor improvements before release of 1.2.0, what do you think about this change in sshd_config ?

Instead of inline editing of /etc/ssh/sshd_config with sed, replace the section “Match User sftp_dummy99,…” with “Match Group hestia-users” (see sshd_config snippet below)

root@vm05:~# tail -15 /etc/ssh/sshd_config
 
# Hestia SFTP Chroot for admin
Match User admin
ChrootDirectory %h
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp

# Hestia SFTP Chroot for users
Match Group hestia-users
ChrootDirectory %h
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp

root@vm05:~#

arktex54 · June 24, 2020, 7:24pm

arktex54:

Setting up apache2 (2.4.43-1+0~20200511.11+debian10~1.gbpdc0c89) ...
ERROR: Config file status.conf not properly enabled: /etc/apache2/mods-enabled/status.conf is a real file, not touching it
dpkg: error processing package apache2 (--configure):
 installed apache2 package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 apache2
E: Sub-process /usr/bin/dpkg returned an error code (1)

Finally have apache2 fixed with

mv /etc/apache2/mods-available/status.conf /etc/apache2/mods-available/status.conf.bak
dpkg --purge javascript-common && apt install javascript-common -y
reboot

Raphael · June 24, 2020, 7:44pm

Hi @arktex54

Thanks, I’ll have a look and will implement a fix. Can you share your apache2 and os version?

arktex54 · June 25, 2020, 3:29am

root@hestia:~# apache2 -v
Server version: Apache/2.4.43 (Debian)
Server built:   2020-05-11T11:55:17

root@hestia:~# cat /etc/debian_version
10.4

root@hestia:~# nginx -v
nginx version: nginx/1.19.0

root@hestia:~# php -v
PHP 7.3.19-1+0~20200612.60+debian10~1.gbp6c8fe1 (cli) (built: Jun 12 2020 07:48:33) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.19, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.19-1+0~20200612.60+debian10~1.gbp6c8fe1, Copyright (c) 1999-2018, by Zend Technologies

uname ->  4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux