If you’ll open SSH on a server to the open internet, you’ll notice a lot of bots trying to login. You certainly should setup certificate based login, but banning offending IPs is also an important security measure.
I’ve installed fail2ban on my Raspbian installations and want to explain the installation and configuration. Its quite easy and the benefits are huge!
sudo apt-get install fail2ban
Create a copy of the original configuration file so that it won’t be overwritten by any updates:
> msmtp --version
msmtp version 1.6.6
TLS/SSL library: GnuTLS
Authentication library: GNU SASL
Supported authentication methods:
plain scram-sha-1 external gssapi cram-md5 digest-md5 login ntlm
IDN support: enabled
NLS: enabled, LOCALEDIR is /usr/share/locale
Keyring support: none
System configuration file name: /etc/msmtprc
User configuration file name: /home/pi/.msmtprc
Copyright (C) 2016 Martin Lambers and others.
This is free software. You may redistribute copies of it under the terms of
the GNU General Public License <http://www.gnu.org/licenses/gpl.html>.
There is NO WARRANTY, to the extent permitted by law.
Configure the system configuration:
sudo vi /etc/msmtprc
The content of my configuration file (note the necessary changes for servers and email addresses):
# Set default values for all following accounts.
# Use the mail submission port 587 instead of the SMTP port 25.
# Always use TLS.
# Set a list of trusted CAs for TLS. The default is to use system settings, but
# you can select your own file.
# If you select your own file, you should also use the tls_crl_file command to
# check for revoked certificates, but unfortunately getting revocation lists and
# keeping them up to date is not straightforward.
# Mail account
# TODO: Use your own mail address
# Host name of the SMTP server
# TODO: Use the host of your own mail account
host <your Username provided by KAS>.kasserver.com
# As an alternative to tls_trust_file/tls_crl_file, you can use tls_fingerprint
# to pin a single certificate. You have to update the fingerprint when the
# server certificate changes, but an attacker cannot trick you into accepting
# a fraudulent certificate. Get the fingerprint with
# $ msmtp --serverinfo --tls --tls-certcheck=off --host=smtp.freemail.example
# Envelope-from address
# TODO: Use your own mail address
# Authentication. The password is given using one of five methods, see below.
# TODO: Use your own user name fpr the mail account
user <The username of the email account you use for sending emails>
# Password method 1: Add the password to the system keyring, and let msmtp get
# it automatically. To set the keyring password using Gnome's libsecret:
# $ secret-tool store --label=msmtp \
# host smtp.freemail.example \
# service smtp \
# user joe.smith
# Password method 2: Store the password in an encrypted file, and tell msmtp
# which command to use to decrypt it. This is usually used with GnuPG, as in
# this example. Usually gpg-agent will ask once for the decryption password.
#passwordeval gpg2 --no-tty -q -d ~/.msmtp-password.gpg
# Password method 3: Store the password directly in this file. Usually it is not
# a good idea to store passwords in plain text files. If you do it anyway, at
# least make sure that this file can only be read by yourself.
# TODO: Use the password of your own mail account
password <The password of the email account you use for sending emails>
# Password method 4: Store the password in ~/.netrc. This method is probably not
# relevant anymore.
# Password method 5: Do not specify a password. Msmtp will then prompt you for
# it. This means you need to be able to type into a terminal when msmtp runs.
# Set a default account
# TODO: Use your own mail address
account default: firstname.lastname@example.org
# Map local users to mail addresses (for crontab)
This file contains a username and password. Therefore limit its access to only root:
sudo chmod 600 /etc/msmtprc
Duplicate the config file to ~/.msmtprc if you want to provide email configuration for your user as well.
Now configure the recipients for your systems users by setting the recipients in /etc/aliases. Make sure, that you don’t have trailing spaces behind the email addresses:
Let your computer now that msmtp should be used as replacement for sendmail by adding this content to /etc/mail.rc
set sendmail="/usr/bin/msmtp -t"
Test your configuration by sending an email from the terminal:
echo "Content of your mail" | mail -s "Subject" email@example.com
I’ve recently stumbled over an article in the german magazine C’T about visualisations of your Fritz!Box’s connection. The solution looked quite boring and outdated, since it used MRTG for the graph creation.
I’ve started searching for a better solution using Grafana, InfluxDB and my Raspberry Pi and found this great blog post. I’ve already explained how to install Grafana and InfluxDB in this post, so I’ll concentrate on the Fritz!Box related parts:
Start with the installation of fritzcollectd. It is a plugin for collectd.
Now create a user account in the Fritz!Box for collectd. Go to System, Fritz!Box-user and create a new user with password, who has access from internet disabled. The important part is to enable “Fritz!Box settings”.
Additionally make sure that your Fritz!Box is configured to support connection queries using UPnP. You can configure this under “Home Network > Network > Networksettings”. Select “Allow access for applications” as well as “Statusinformation using UPnP”.
Next part is the installation and configuration of collectd:
Login to your grafana installation and configure a new datasource. Make sure to set the collectd database. If you’re using credentials for the InfluxDB, you can add them now. If you’re not using authentication you can disable the “With credentials” checkbox.
Check if your configuration is working by clicking on “Save & Test”.
If everything worked, you can proceed to importing the Fritz!Box Dashboard from the Grafana.com dashboard. The ID is 713. Make sure to select the right InfluxDB during the import setup.
After clicking on import, you’ll should be able to see your new Dashboard. It might take a few minutes/hours until you’ve gathered enough data to properly display graphs.
Be aware though that if you start gathering this much data you’ll might end up with “insufficient memory” errors. You’ll might want to tweak your InfluxDB settings accordingly.
I’m using influxdb on my Raspberry Pi in combination with a NFS mount. The NFS mount is on my Synology NAS and should store the database data of influxdb. Reason for this setup is that I fear that the SD card won’t survive the many write/read cycles caused by a database writing to it.
The shared folder on my Synology is configured to be accessible by various IPs in my network:
Unmount the existing NFS share. Remove/comment out the line for the nfs mount in your /etc/fstab so that it doesn’t conflict with autofs. Restart autofs with
sudo service autofs restart
Now check the content of your mount point with e.g.
Autofs should now automatically mount the NFS share. This might take a while, which is a good sign that the mount is loaded. You can also verify with
that your NFS share is mounted to e.g. /mnt/databases. If you’ll restart now, influxdb should be happy on restart. When it tries to start, autofs will see the access to the mounted folder and will mount the NFS share before influxdb can start up properly.
Inspired by a friend I’ve decided to install InfluxDB and Grafana on my Raspberry Pi 3. InfluxDB is a database optimized for storing time related data like measurements of my recently installed particle sensor. Grafana is used to create beautiful graphs to display the stored data.
The InfluxDB installation can be done in a few simple steps:
This will install the InfluxDB without a user and any rights. You can read up further on that topic. Ideally you should setup an user for authentication but since some IoT devices do not support this I’m not going to explain it here.
The Grafana installation is similar simple:
Please make sure that you’ll get the most current version from github and replace it in the wget command:
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.