Profile Details

Recent updates
  • Nick Howitt
    Nick Howitt's reply was accepted as an answer

    Re: Fresh install, can not connect to web interface, but I can ping the ClearOS system.

    Please can you confirm you are using https and not http - https://your_server_ip:81. You will get a browser warning in Firefox and you will have to accept the default certificate. I believe Brave won't work as it will not allow a self-signed certificate.

    Be wary of manipulating the firewall manually. At some point ClearOS will overwrite anything you do. I suggest you restart it with a "systemctl restart firewall". This will reset it and, by default, it should be open on ports 22 and 81.

  • Ugh. Your second message had not been approved before I replied. You have already found the solution. Enjoy!

  • Nick Howitt
    Nick Howitt replied to a discussion, Attack Detector and httpd

    F2b comes with a whole stack of pre-defined jails. Have a look in /etc/fail2ban/jail.conf. If you want to enable any, it is best to either do it in /etc/fail2ban/jail.local or in a file in /etc/fail2ban/jail.d. Any values specified in those files would override anything in /etc/fail2ban/jail.conf. At a minimum you just need to override the `enabled = false` for the jail. F2b can be hard to understand as it is massively hierarchical, so in this case it is a global setting (false) but it can also be set at the individual jail level. Values in .local files override values in .conf files and good luck to you trying to work out some of the log paths!

    I have very few home-made jails. I have one for banning entire /24 subnets for qq.com, dynamic.163.data.com and mari-el.ru.com as I was getting a huge amount of spam from dynamic IP's belonging to these ISPs. I think it has stopped or quietened down but I keep the jail going.

    I have one which immediately bans any IP trying to use me as a mail relay as all my valid relaying is authenticated on port 587.

    I have two which use the same filters picking up people who continually connect to the mail server then disappear leaving "lost connection from ...." messages in the logs. One is for slow chipping away and one is for faster bursts of data but they massively overlap.

    I have a home made one for apache which picks up on 400/404/405 responses which are people probing for invalid paths, but it is aggressive and kills you if you make a typo in the path.

    Otherwise I use the built-in jails.

    There is no way I've seen of protecting the webconfig as it is. This is because there is no webconfig logging of authentication failures which shows the IP of the host.
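The override hierarchy described in the post above is easy to get wrong, so here is an added example (not code from the post, ClearOS or fail2ban) that resolves a jail's effective settings the way fail2ban's config reader does: jail.conf first, then jail.d/*.conf, then jail.local, then jail.d/*.local, with later files winning key by key. The jail names, paths and values are constructed for the demo; only the [DEFAULT] `enabled = false` mirrors the stock jail.conf.

```python
"""Resolve the effective settings of a fail2ban jail across jail.conf,
jail.d/*.conf, jail.local and jail.d/*.local.

Constructed example (not ClearOS or fail2ban code): it writes a miniature
config tree to a temporary directory and shows how a `.local` override
turns on a jail that jail.conf leaves disabled under [DEFAULT].
"""
import configparser
import glob
import os
import tempfile

# Constructed stand-in for the stock /etc/fail2ban/jail.conf: the global
# "enabled = false" lives in [DEFAULT], and every jail inherits it unless
# it sets its own value.
JAIL_CONF = """\
[DEFAULT]
enabled = false
bantime = 600
maxretry = 5

[sshd]
port = ssh
logpath = /var/log/secure

[apache-auth]
port = http,https
logpath = /var/log/httpd/error_log
"""

# Constructed jail.local: the minimal override the post describes - just
# flip "enabled" for the jail you actually want, plus one global tweak.
JAIL_LOCAL = """\
[DEFAULT]
bantime = 3600

[sshd]
enabled = true
"""

# Constructed jail.d/10-sshd.local: read after jail.local, so it wins.
JAIL_D_LOCAL = """\
[sshd]
maxretry = 3
"""


def fail2ban_read_order(basedir, basename="jail"):
    """Return the files in the order fail2ban's config reader applies them:
    <name>.conf, <name>.d/*.conf, <name>.local, <name>.d/*.local.
    Later files override earlier ones key by key."""
    base = os.path.join(basedir, basename)
    files = [base + ".conf"]
    files += sorted(glob.glob(os.path.join(base + ".d", "*.conf")))
    files.append(base + ".local")
    files += sorted(glob.glob(os.path.join(base + ".d", "*.local")))
    return [f for f in files if os.path.isfile(f)]


def effective_jail(basedir, jail):
    """Merge the config tree and return the resolved settings for one jail.

    interpolation=None because fail2ban's %(__name__)s-style substitutions
    are not plain configparser syntax; this demo does not need them."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(fail2ban_read_order(basedir))
    if not parser.has_section(jail):
        raise KeyError(f"jail {jail!r} is not defined")
    section = parser[jail]  # falls back to [DEFAULT] for missing keys
    return {
        "enabled": section.getboolean("enabled"),
        "bantime": section.getint("bantime"),
        "maxretry": section.getint("maxretry"),
        "logpath": section.get("logpath"),
    }


def build_demo_tree():
    """Write the constructed files into a temp dir and return its path."""
    basedir = tempfile.mkdtemp(prefix="f2b-demo-")
    os.makedirs(os.path.join(basedir, "jail.d"))
    with open(os.path.join(basedir, "jail.conf"), "w") as fh:
        fh.write(JAIL_CONF)
    with open(os.path.join(basedir, "jail.local"), "w") as fh:
        fh.write(JAIL_LOCAL)
    with open(os.path.join(basedir, "jail.d", "10-sshd.local"), "w") as fh:
        fh.write(JAIL_D_LOCAL)
    return basedir


def demo():
    """Resolve both jails: sshd ends up enabled, apache-auth stays off."""
    basedir = build_demo_tree()
    return {jail: effective_jail(basedir, jail) for jail in ("sshd", "apache-auth")}


if __name__ == "__main__":
    for name, settings in demo().items():
        print(name, settings)
```

Running it shows the three layers at once: `apache-auth` keeps the global `enabled = false`, `sshd` is switched on by jail.local, and `sshd`'s `maxretry` comes from the jail.d `.local` file because it is read last. Pointing `fail2ban_read_order` at a real /etc/fail2ban is a quick way to see which file is actually supplying a value before blaming a jail for not banning.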

  • Nick Howitt
    Nick Howitt replied to a discussion, Attack Detector and httpd

    I suspect we have the same source for our openvpn filters, but I've tweaked mine differently:

    /etc/fail2ban/jail.d/clearos-openvpn.conf:


    /etc/fail2ban/filter.d/openvpn.local:

  • I have been told not to expect updates for the "main part of the summer" as there are some issues to be resolved with our supplier. I have queried this but not had a response, unfortunately.

  • Nick Howitt

    RDP is TCP:3389. SMB is all over the place but mainly TCP. We don't touch the MTU in OpenVPN, but it could also be affected by your ISP's MTU. You may find better expertise on the OpenVPN forums.

    NATing inbound packets in openVPN is in the Webconfig and can be useful - see the app documentation.

  • Nick Howitt

    I really don't see why SMB or MySQL would mess up. Are you NAT'ing the inbound packets in the OpenVPN Webconfig?

    My data connection is normally much faster than the first test. It was fine in my second test.

  • Nick Howitt

    Repeating the test again on my laptop with OpenVPN 2.5.7 was fine but I somehow doubt it was the OpenVPN upgrade which did the trick. Confused.

  • Nick Howitt

    The last OpenVPN server update was in March, but you say your Linux client still works. I am testing with Win11, OpenVPN (Community) 2.5.5 and using a laptop connection via my phone and it sucks. It took a while to connect. Having connected, it took the laptop a long time (5 min+) before it would route to my LAN. The shared folder listing was OK, but the subsequent download is stuck. I have no idea if this is a Windows issue or a Server issue or a poor data connection (but my phone gives me 3 bars on a 4G connection). This is pants.

    Then my mother connects to my LAN by OpenVPN through her cable connection. Taking control of her PC with VNC and browsing a share on my LAN and downloading from my LAN was very fast so I don't know what to say. Her PC is old, Win10 with OpenVPN 2.4.8.

    There are too many variables to know why my laptop > cell phone > me was slow. My mother's desktop to me was totally acceptable.