From c2d66c927cbf13998147e4abce873c46d45550f2 Mon Sep 17 00:00:00 2001 From: Robert Date: Sun, 5 May 2024 10:28:51 -0700 Subject: [PATCH 1/3] docs: Leave a note about fail2ban reading from the journal and not syslog. --- doc/install-prod.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/doc/install-prod.md b/doc/install-prod.md index 32c44c118..a990d04b9 100644 --- a/doc/install-prod.md +++ b/doc/install-prod.md @@ -95,6 +95,8 @@ server { ## Additional Configuration +### Fail2ban + Default fail2ban bantime is very short. Make it longer: ``` @@ -102,6 +104,20 @@ fail2ban-client start sshd fail2ban-client set sshd bantime 86400 ``` +Make sure that fail2ban is reading logs. Run `fail2ban-client status +sshd`. If it's not failing any IPs, that's a sign it's not working. +The default backend of `auto` normally works, but may get confused if +`/var/log/auth.log` exists. If deleting `/var/log/auth.log` doesn't +work, or you want to force it to always read the journal... in +`/etc/fail2ban/jail.conf`: + +``` +[DEFAULT] +backend = systemd +``` + +### Package upgrades + Automatic security upgrades are a good idea, and probably outweigh the risks. From aa0fc9c7098e570d69b679733227000b612a9e58 Mon Sep 17 00:00:00 2001 From: Robert Date: Sun, 5 May 2024 10:41:24 -0700 Subject: [PATCH 2/3] docs: make notes about aditional node-exporter modules we probably want to enable --- doc/install-prod.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/doc/install-prod.md b/doc/install-prod.md index a990d04b9..12e4874dc 100644 --- a/doc/install-prod.md +++ b/doc/install-prod.md @@ -66,6 +66,17 @@ Install node exporter. apt -y install prometheus-node-exporter ``` +### General + +You probably want to enable some non-default collectors. In +`/etc/default/prometheus-node-exporter`: + +``` +ARGS="--collector.systemd" +``` + +### nginx + Consider [nginx-prometheus-exporter](https://github.com/nginxinc/nginx-prometheus-exporter). 
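Review bot: the `backend = systemd` override in the second fail2ban hunk is placed in `/etc/fail2ban/jail.conf`, which is the package-shipped file and gets replaced on upgrade; point readers at `/etc/fail2ban/jail.local` (or a drop-in under `/etc/fail2ban/jail.d/`) instead, since that is where fail2ban expects local overrides. The inline command is also wrapped across two lines inside backticks (`fail2ban-client status` / `sshd`), which renders as a broken code span in Markdown; keep it on one line. Minor wording: "If it's not failing any IPs" is ambiguous, and the status output reports "Currently failed" / "Total failed" and "Currently banned" / "Total banned" counters, so saying the failed and banned counters stay at zero would be clearer.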
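Review bot: `ARGS="--collector.systemd"` in the node-exporter hunk overrides any flags already set in `ARGS` in `/etc/default/prometheus-node-exporter` rather than adding to them, so the note should say to append the flag to the existing value (or state explicitly that it replaces the existing `ARGS`). The new `### General` heading directly follows the `apt -y install prometheus-node-exporter` block but only introduces the collector flag, so a more specific heading such as `### Extra collectors` would read better; the commit subject also has a typo ("aditional").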
From 0a4ec44973225e6bfbf0d5a8b93b2bf45026550c Mon Sep 17 00:00:00 2001 From: Robert Date: Sun, 5 May 2024 11:26:30 -0700 Subject: [PATCH 3/3] bootstrap: sort @required_debs --- bootstrap/selfconfig-root | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bootstrap/selfconfig-root b/bootstrap/selfconfig-root index 8f511728d..a9bde1fdd 100755 --- a/bootstrap/selfconfig-root +++ b/bootstrap/selfconfig-root @@ -68,13 +68,13 @@ my @required_debs = qw( libexpat1-dev libgetopt-long-descriptive-perl libpath-tiny-perl + libsasl2-modules libssl-dev nginx python3-certbot-nginx + ufw unzip zlib1g-dev - libsasl2-modules - ufw ); run_cmd(qw(apt-get -o DPkg::Lock::Timeout=60 install -y), @required_debs);