Fail2Ban – China attacks my Sendy Server
fail2ban to the rescue once again. This one utility along with iptables is an absolute must on any Linux server. A doddle to set up – it just works and a quick read of the config file in /etc makes it easy – to begin with.
I’ve been toying with the idea of changing over from Aweber to a self hosted solution for a few years. I’ve used them for years since about 2005 – but I’m not really using it to capacity so it’s quite an expense over a year. Email is now a lot cheaper because every one and his dog in the cloud now has a high capacity email service – MailGun, Mandrill, SES and a half-dozen others.
I’d looked at phplist and found it too clunky and not really up to the task – especially for auto-responders.
Well guess what I found one: Sendy. It uses Amazon SES for bulk mail delivery – which as I’ve already got S3 buckets and what-not means I’m good to go. Actually getting my domains verified for SES is another post for another day but was a royal PITA. Even so Sendy at $59 was an absolute steal – It would take me a good few hours to roll my own and the time lost is worth more to me.
Dave Kiss even details how to set up a dedicated small Droplet server with Digital Ocean to install Sendy and get it running. It took about an hour to get the machine set up but my current hosting provider took 12 hours to get a new domain registered before I could change the CNAME to point at the Droplet. $5 a month is peanuts… literally.
Cost so far – Nothing because I got a couple of months free via an affiliate link (just like the one above). I’ll break even completely two months after I cancel my Aweber account and then the outgoing will be $5-6 a month instead of $20 or so.
Even so setup was painless, the software is clean and simple to use – and best of all its mostly native PHP except for a couple of encrypted licensing files. This means its easy to customise and its easy to see what’s going on under the covers. It doesn’t come with any email templates but there are dozens around on github and you can create nice ones using stamplia’s new email building tool online too
However the instructions neglected to say anything about security. Being a bit lazy (a cut and paste lazy – duh) when I set up the droplet I didn’t use my public ssh key, but set it up with a password. And lo and behold ten minutes after the machine had booted, some bliddy Shenzhen IP address started a brute force password attack. Of course I was busy doing other things and it took a couple of days to notice the auth.log was filling up. But as soon as I found out a quick
apt-get install fail2ban
Fail2ban basically locks out IP addresses for a configurable time after a set number of failed login attempts. So after 5 attempts you are locked out (blocked at the firewall level) from the machine. You can’t even connect to port 22 it’s dropped immediately. You’ve failed and now you’re banned – fail2ban – simples.
A bit of quick config so I don’t get flooded with emails and it was adios to the monkey. Note to self – must drop the Digital Ocean peeps a note that says add fail2ban to base lamp droplets.
The one thing that Sendy is lacking is specialist automation like you get with infusionsoft or with Aweber Pro Tools. BUT given that its fairly straightfoward to see how Sendy works – I’ve started developing a separate app to handle it – which I’ll host on the same box. More on that in another post – lots of fun with zf2, doctrine, hoa-rules and slmqueues.