https://www.debian.org/

https://www.debian.org/distrib/

https://www.debian.org/doc/


A great deal has already been written and drawn on this subject. What follows is my personal view of, and approach to, setting up a web server: installing the WordPress CMS on a Debian Linux server, with Webmin for server administration. I am not a computer professional myself, so I believe there are thousands of better ways to do this; this is one example, in case you want to set up a great presentation site (a WordPress blog) for your company or for personal use. We convert an old laptop or desktop computer into a server; if you prefer, you can do the same directly on Windows with the XAMPP application for Windows (Apache, SQL, FTP, ... servers) as a local setup. In this case we have installed one of the Linux server distributions (Ubuntu, Debian, CentOS, ...) of our choice; the example here starts from a Debian installation.

Personally, for SSH connections on Windows I use PuTTY and, most of all, SmartFTP (SSH/SFTP connection). It is a matter of habit; for example, for as long as I have known computing I have used Total Commander on Windows, before that it was Windows Commander, and before that Norton Commander... a long time ago...

Suppose you have created the account admin@debianlinux for yourself on your server, so the hostname is debianlinux. Now connect with PuTTY, SmartFTP or your favourite program to SSH, i.e. port 22.

Installing the WordPress CMS on Debian Linux Buster 10 – Apache server, local IP 192.168.0.100, debianlinux

sudo nano /etc/hostname
debianlinux

sudo visudo

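# COPY THE LINES BELOW TO THE END OF THE FILE
# (sudoers uses the last matching entry, so the NOPASSWD line makes sudo passwordless for admin)
admin    ALL=(ALL) ALL
admin    ALL = NOPASSWD: ALL

# RUN THE COMMAND BELOW IN THE TERMINAL
# (-a appends these groups to the ones the user already has; -m is only valid together with -d)
sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,www-data admin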

sudo nano /etc/ssh/sshd_config
# Add the directive below at the end AND SAVE
AllowUsers  admin

# YOU CAN ALSO PROTECT ACCESS WITH YOUR OWN SSH KEY, WHICH IS MORE SECURE
sudo apt-get install openssh-server
ssh-keygen
sudo systemctl restart ssh
sudo service ssh reload

PREPARING THE INSTALLATION OF PROGRAMS FOR THE WEB SERVER

sudo apt-get update
sudo apt-get upgrade
sudo apt-get full-upgrade
sudo apt-get -y dist-upgrade

The first step is to configure the Linux firewall, iptables (if you do not want to run your own mail, comment out with # all the mail port rules, but not COMMIT!):

sudo iptables -L
sudo ip6tables -L

sudo nano /tmp/v4
# Copy everything below, up to and including COMMIT, and save
*filter
# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# MAIL: if you do not want mail on this server, comment out the rules below (#-A INPUT ...).
# They are placed before the final REJECT so that they can match.
#SMTP
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
#IMAP(S)
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
#POP(S)
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
# Reject all other inbound.
-A INPUT -j REJECT
# Log any traffic which was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
# Reject all traffic forwarding.
-A FORWARD -j REJECT
#-A FORWARD -i eth0 -o usbnet0 -m state --state RELATED,ESTABLISHED -m limit --limit 10/sec -j ACCEPT
COMMIT
sudo nano /tmp/v6
# Copy everything below and save
*filter
# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s ::1/128 -j REJECT
# Allow ICMP
-A INPUT -p icmpv6 -m state --state NEW -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Allow inbound traffic from established connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables_INPUT_denied: " --log-level 7
# Reject all other inbound.
-A INPUT -j REJECT
# Log any traffic which was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables_FORWARD_denied: " --log-level 7
# Reject all traffic forwarding.
-A FORWARD -j REJECT
COMMIT
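
Rules pasted from a web page often arrive with typographic dashes or quotes, and in an iptables-restore file any rule appended after an unconditional REJECT in the same chain never matches. The check below is an added example, not part of the original post; the function names lint_rules and write_sample and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# lint_rules FILE
# Prints "LINE: problem" for each finding in an iptables-restore rules file
# and prints nothing when the file looks clean. Two checks:
#   1. a rule line contains a non-ASCII byte (en dash, smart quote, ...)
#   2. a rule is appended to a chain after that chain's unconditional
#      REJECT/DROP/ACCEPT, so it can never match
lint_rules() {
    LC_ALL=C awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    /^\*/ { split("", closed); next }      # new table: forget closed chains
    /[^\t -~]/ {
        printf "%d: non-ASCII byte in rule (typographic dash or quote?): %s\n", NR, $0
    }
    $1 == "-A" {
        chain = $2
        if (chain in closed)
            printf "%d: unreachable, %s already ends at line %d: %s\n", NR, chain, closed[chain], $0
        else if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP" || $4 == "ACCEPT"))
            closed[chain] = NR             # no match options before -j
    }
    ' "$1"
}

# write_sample FILE
# Constructed sample: line 3 carries an en dash (UTF-8 bytes \342\200\223)
# in front of "-dport", and line 6 opens SMTP after the final REJECT.
write_sample() {
    {
        printf '%s\n' '*filter' '-A INPUT -i lo -j ACCEPT'
        printf '%s \342\200\223-dport 22 -m state --state NEW -j ACCEPT\n' '-A INPUT -p tcp'
        printf '%s\n' \
            '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
            '-A INPUT -j REJECT' \
            '-A INPUT -p tcp --dport 25 -j ACCEPT' \
            '-A FORWARD -j REJECT' \
            'COMMIT'
    } > "$1"
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
lint_rules "$sample"
rm -f "$sample"
```

On the server, run lint_rules /tmp/v4 and lint_rules /tmp/v6 before loading the files; sudo iptables-restore --test < /tmp/v4 additionally lets iptables parse the file without applying it.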

We have now created the rules for our web server; they need to be loaded by running the commands below. When you install the package, answer Yes to everything that "install iptables-persistent" asks:

sudo iptables-restore < /tmp/v4

sudo ip6tables-restore < /tmp/v6

sudo apt-get install iptables-persistent

sudo reboot

# Check that it works
sudo iptables -vL
sudo ip6tables -vL
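
With the rules loaded, the LOG rules write denied packets to the kernel log with the prefix iptables_INPUT_denied: in front of each entry. This added example (not part of the original post) summarizes such lines by source address, protocol and destination port; the function names and the sample log lines are constructed, and /var/log/kern.log as the log location is an assumption about a default Debian rsyslog setup.

```shell
#!/bin/sh
# top_denied LOGFILE [PREFIX]
# Counts logged denials per "source protocol/destination-port" for lines that
# carry the LOG prefix from the rules file, most frequent first.
# LOGFILE may be "-" to read standard input.
top_denied() {
    prefix=${2:-iptables_INPUT_denied: }
    awk -v p="$prefix" '
    index($0, p) {
        src = dpt = proto = "-"            # "-" when a field is absent (e.g. ICMP has no DPT)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        n[src " " proto "/" dpt]++
    }
    END { for (k in n) print n[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# sample_log
# Constructed kernel log lines in the format written by the iptables LOG
# target (documentation addresses 203.0.113.0/24 and 198.51.100.0/24).
sample_log() {
    h='Mar  3 10:15:01 debianlinux kernel: [  101.000001]'
    pre='iptables_INPUT_denied: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00'
    fwd='iptables_FORWARD_denied: IN=eth0 OUT=eth1'
    printf '%s\n' \
        "$h $pre SRC=203.0.113.5 DST=192.168.0.100 LEN=60 TOS=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=23 SYN URGP=0" \
        "$h $pre SRC=203.0.113.5 DST=192.168.0.100 LEN=60 TOS=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=23 SYN URGP=0" \
        "$h $pre SRC=198.51.100.7 DST=192.168.0.100 LEN=60 TOS=0x00 TTL=49 ID=3 DF PROTO=TCP SPT=51000 DPT=3306 SYN URGP=0" \
        "Mar  3 10:15:02 debianlinux sshd[812]: Accepted publickey for admin from 192.168.0.10 port 50122 ssh2" \
        "$h $fwd SRC=198.51.100.7 DST=192.168.0.50 LEN=60 TOS=0x00 TTL=49 ID=4 PROTO=TCP SPT=51001 DPT=80 SYN URGP=0" \
        "$h $pre SRC=203.0.113.5 DST=192.168.0.100 LEN=60 TOS=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=40003 DPT=23 SYN URGP=0" \
        "$h $pre SRC=198.51.100.9 DST=192.168.0.100 LEN=40 TOS=0x00 TTL=50 ID=6 PROTO=ICMP TYPE=13 CODE=0 ID=1 SEQ=1"
}

# Demo on the constructed sample.
sample_log | top_denied -
```

On the server: top_denied /var/log/kern.log. Because the LOG rule is limited to 5/min, the counts are a sample of the denied traffic, not a total.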

Now let us configure our server locally – router:

ifconfig
<server IP>

sudo nano /etc/dhcpcd.conf

# At the end, copy in your own settings, i.e. the server's IP address reserved on your router for your Linux machine. For example, static routers and static domain_name_servers are the router's IP, while static ip_address is the address of your Debian server:

#static IP configuration
interface eth0
static ip_address=192.168.0.110/24
static routers=192.168.0.1
static domain_name_servers=192.168.0.1 8.8.8.8

SAVE AND RESTART THE COMPUTER: SUDO REBOOT

APACHE – INSTALLATION

sudo apt-get update && sudo apt-get upgrade -y

sudo apt-get install apache2 -y

sudo nano /etc/apache2/apache2.conf
# CHANGE ONLY THE DIRECTIVE FOR THE HTML PATH AS SHOWN BELOW; FIND IT IN THE FILE
<Directory /var/www/html/> (the directory path) and the directive:
"AllowOverride None" – change to "AllowOverride All"

Save

sudo nano /etc/apache2/apache2.conf
# Add the directive below at the end of the file and save
ServerName localhost

sudo service apache2 restart
sudo /etc/init.d/apache2 restart

# INSTALLING PHP
sudo apt-get install php libapache2-mod-php php-ssh2 php-apcu php-smbclient php-imagick libmagickcore-dev -y

sudo nano /etc/php/7.3/apache2/php.ini
# CHANGE THE DIRECTIVES BELOW TO SUIT YOUR NEEDS
max_execution_time = 120
memory_limit = 256M 
post_max_size = 256M
upload_max_filesize = 512M
log_errors = On
error_log = /var/log/php/error.log

# SAVE AND RUN THE COMMANDS BELOW FOR THE ERROR LOG
sudo mkdir -p /var/log/php
sudo chown www-data /var/log/php

# SQL DATABASE SERVER
sudo apt-get install mariadb-client mariadb-server php-mysql php-mbstring -y

# phpMyAdmin DATABASE MANAGEMENT
sudo apt-get install phpmyadmin
# THE LOGIN CREDENTIALS ARE the phpmyadmin user and the password you chose; for your security I recommend making it as long as possible, and never admin or 1234...

sudo phpenmod mysqli
sudo a2enmod rewrite
sudo service apache2 restart

Now let us also install the noip.com DDNS client for the domain we registered for our IP address, whether static or dynamic.

# become root with sudo su and run the commands below:

cd /usr/local/src/

sudo wget http://www.no-ip.com/client/linux/noip-duc-linux.tar.gz

tar xf noip-duc-linux.tar.gz

sudo rm noip-duc-linux.tar.gz

cd noip-2.1.9-1/

sudo make install
# Enter your noip.com e-mail address and password to log in

cd /etc/

sudo nano rc.local
# Copy the command below into the file
sudo noip2

sudo shutdown -r now
sudo noip2 -S

UFW firewall and Fail2ban

sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

sudo nano /etc/fail2ban/jail.local
# See the post on fail2ban settings for WordPress
# (the settings belong under the jail's section header)
[apache-badbots]
enabled = true
filter = apache-badbots

ls /etc/fail2ban/filter.d/

sudo apt install ufw
# Allow ports 80 and 443 right away, and the mail ports if you installed mail
sudo ufw allow 80
sudo ufw allow 443
sudo ufw limit ssh/tcp
# E.G. ALLOW THE COMPUTER FROM WHICH YOU USE SSH
# ("to any port 22" matches the destination port; "from <ip> port 22" would match the source port)
sudo ufw allow from 192.168.0.10 to any port 22
sudo ufw enable

cd /etc/
sudo nano rc.local
#!/bin/sh -e
#
# rc.local
sudo noip2
sudo ufw enable
#
# Copy the directive below somewhere in rc.local, e.g. next to noip...

sudo ufw enable

E-mail:

sudo apt-get install ssmtp -y && sudo apt-get install mailutils -y && sudo apt-get install mpack -y

sudo apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql -y

# See the post on how to set up web mail for your Linux server (postfix and dovecot settings). You will find it easier to do all of this with Webmin (webmin.com) for the Debian server

Settings for Google Mail – mailutils:
sudo apt-get install ssmtp && sudo apt-get install mailutils && sudo apt-get install mpack -y

sudo nano /etc/ssmtp/ssmtp.conf
# At the end, copy in your own settings, i.e. your Google Mail address and password
AuthUser=moj.mail@gmail.com
AuthPass=geslogooglemail
FromLineOverride=YES
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES

Save

sudo nano /etc/ssmtp/revaliases
# At the end, copy in the lines below with your own Google Mail address
root:moj.mail@gmail.com:smtp.gmail.com:587
mainuser:moj.mail@gmail.com:smtp.gmail.com:587

Save

Certbot SSL certificate – https://certbot.eff.org/

# Run the commands below as ROOT; this also applies to certificate renewal
sudo apt-get install certbot python-certbot-apache
sudo certbot --apache

# When the process starts, make sure you have already forwarded the ports for
# your server on the local network in your router, i.e. the Linux server's
# internal ports 80 and 443 are forwarded to external ports 80 and 443.
# For example: my server is at internal IP 192.168.0.100 and, for this
# DHCP-reserved IP, I forward internal port 80 to external port 80 in the
# router settings, and so on: internal port 443 for IP 192.168.0.100 to
# external port 443... e-mail...


sudo certbot --apache certonly

# Certificate renewal – test
sudo certbot renew --dry-run

In your router or switch, be sure to forward ports 80 and 443 to your server so that the SSL certificate can be issued – certbot, sslforfree, namecheap, etc.

Since we pointed this Apache server at the path /var/www/html, we download WordPress into that directory

cd /var/www/html/
sudo rm *
sudo wget https://wordpress.org/latest.tar.gz
sudo tar xzf latest.tar.gz
sudo mv wordpress/* .
sudo rm -rf wordpress latest.tar.gz
sudo chown -R www-data: .

Creating the database for the WordPress CMS

sudo mysql_secure_installation
 The first answer is NO (changing the password); all the others are YES!

sudo mysql --user=root --password=vašegesloadmin

create user 'wordpress'@'localhost' identified by 'DAJTETUDOLGOKODOZAVAŠOAPLIKACIJO';
create database bazapodatkov;
grant all privileges on bazapodatkov.* to 'wordpress'@'localhost';
flush privileges;
exit

WordPress installation

For example, open your noip.com URL – http://mojadomena.ddns.net. If you use a certbot certificate you can also use https; first check that everything works correctly in Apache. When you install certbot, for example, be sure to choose the redirect to https!

Database Name: bazapodatkov
User Name: wordpress
Password: DAJTETUDOLGOKODOZAVAŠOAPLIKACIJO
Database Host: localhost
Table Prefix: mojblog_

For Debian Linux there is a fantastic application, namely Webmin: http://www.webmin.com/

WEBMin = http://www.webmin.com/

sudo apt-get update && sudo apt-get upgrade

sudo apt install apt-transport-https -y

sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.960_all.deb

sudo dpkg --install webmin_1.960_all.deb

hostname -I

https://192.168.0.100:10000
https://localhostdebian:10000

Use Webmin, the web-based server administration tool, to help with regular backups of your SQL databases and to manage and configure your server easily according to your needs.

As for using your server, I recommend installing an FTP server through Webmin as well, if you have not done so already. You can configure Webmin so that the entire operation of your server is fully automated, with daily backups of the system or of the databases, which is the most important thing!

Installing the newer PHP 7.4 on a Debian server

To disable your older PHP 7.3 and enable PHP 7.4 once you have installed the newer version, run these commands:

# Disable the PHP 7.3 module
sudo a2dismod php7.3

# Enable the PHP 7.4 module (do not forget to remove all older versions)
sudo a2enmod php7.4

Set up the package source for the newest PHP – run in the terminal:

sudo apt-get -y install apt-transport-https lsb-release ca-certificates

sudo wget -O /etc/apt/trusted.gpg.d/apache2.gpg https://packages.sury.org/apache2/apt.gpg

sudo sh -c 'echo "deb https://packages.sury.org/apache2/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/apache2.list'

sudo apt update

sudo nano /etc/apt/sources.list
# Copy the line below to the end of the file
deb http://deb.debian.org/debian stretch-backports main

# You can install the modules you need individually or several at once:
sudo su
sudo apt update && apt install php7.4-gd php7.4-mysql php7.4-curl php7.4-xml php7.4-zip php7.4-intl php7.4-mbstring php7.4-json php7.4-bz2 php7.4-ldap php-apcu php-smbclient ldap-utils php7.4-fpm -y

# Or install PHP 7.4 and then the modules as needed, which is the best option:
sudo apt update
sudo apt -y install php7.4
sudo apt-get install php7.4-{bcmath,bz2,intl,gd,mbstring,mysql,zip}
# Put all the PHP modules you need inside the braces, separated by commas, e.g. {zip,curl}


# PHP settings for Apache:

sudo nano /etc/php/7.4/apache2/php.ini
# CHANGE THE DIRECTIVES BELOW TO SUIT YOUR NEEDS
max_execution_time = 120
memory_limit = 256M 
post_max_size = 256M
upload_max_filesize = 512M
log_errors = On
error_log = /var/log/php/error.log

# Create the directory for error.log and set its ownership; this is required:
sudo mkdir -p /var/log/php
sudo chown www-data /var/log/php

####################################################################
# For nginx users, the php7.4-fpm module in the virtual host settings:

server {

# other codes

  location ~* \.php$ {
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    include         fastcgi_params;
    fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
    fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
  }
}

# For a Debian nginx server, settings for the PHP 7.4-fpm module
sudo nano /etc/php/7.4/fpm/conf.d/90-custom.ini

cgi.fix_pathinfo=0

upload_max_filesize=128m
post_max_size=128m
max_execution_time=600


sudo service php7.4-fpm reload

Useful commands for iptables – ufw – fail2ban / blocking and unblocking

iptables, the Linux firewall:

iptables -L -n
iptables -L -n -v
iptables -L chain-name -n -v
iptables -L spamips -n -v
iptables -L INPUT -n --line-numbers
iptables -L OUTPUT -n --line-numbers
iptables -L OUTPUT -n --line-numbers | less
iptables -L spamips -n -v --line-numbers
iptables -L spamips -n -v --line-numbers | grep 202.54.1.2
Chain droplist (3 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        0    --  *      *       116.199.128.0/19     0.0.0.0/0           LOG flags 0 level 4 prefix `LASSO DROP Block' 
2        0     0 DROP       0    --  *      *       116.199.128.0/19     0.0.0.0/0           
3        0     0 LOG        0    --  *      *       116.50.8.0/21        0.0.0.0/0           LOG flags 0 level 4 prefix `LASSO DROP Block' 
4        0     0 DROP       0    --  *      *       116.50.8.0/21        0.0.0.0/0           
5        0     0 LOG        0    --  *      *       128.199.0.0/16       0.0.0.0/0           LOG flags 0 level 4 prefix `LASSO DROP Block' 
6        0     0 DROP       0    --  *      *       128.199.0.0/16       0.0.0.0/0           
7        0     0 LOG        0    --  *      *       132.232.0.0/16       0.0.0.0/0           LOG flags 0 level 4 prefix `LASSO DROP Block' 
8        0     0 DROP       0    --  *      *       132.232.0.0/16       0.0.0.0/0           
9      342 23317 LOG        0    --  *      *       134.175.0.0/16       0.0.0.0/0           LOG flags 0 level 4 prefix `LASSO DROP Block' 
10     342 23317 DROP       0    --  *      *       134.175.0.0/16       0.0.0.0/0           
11       0     0 LOG        0    --  *      *       134.33.0.0/16        0.0.0.0/0           LOG flags 0 level 4 prefix `LASSO DR
iptables -D INPUT 10
iptables -D INPUT -s xx.xxx.xx.xx -j DROP
iptables -D INPUT -s xx.xxx.xx.xx/yy -j DROP
iptables -D spamlist -s 202.54.1.2 -d 0/0 -j DROP
iptables -D spamlist -s 202.54.1.2/29 -d 0/0 -j DROP
# On Debian with iptables-persistent, save the running rules with:
sudo netfilter-persistent save

Ban:

iptables -I INPUT -s 25.55.55.55 -j DROP

Unban:

iptables -D INPUT -s 25.55.55.55 -j DROP

Fail2ban – firewall

iptables -L -n
fail2ban-client set <JAIL> unbanip <IP>

From fail2ban-client version 0.10.0, unban all:

sudo fail2ban-client unban --all
sudo fail2ban-client unban <IP> ... <IP>

sudo fail2ban-client set apache-myadmin unbanip 46.101.89.227
sudo fail2ban-client set webmin-auth unbanip 104.236.233.182
sudo fail2ban-client get f2b-wordpress-hard actionunban 198.16.70.52
sudo /etc/init.d/fail2ban restart

UFW (Uncomplicated Firewall)

sudo ufw status
sudo ufw status numbered
sudo ufw reject from 202.54.5.7 to any
sudo ufw deny from 192.168.1.5 to any
ufw deny from {ip-address-here} to any port {port-number-here}


sudo ufw status numbered
[ 1] 192.168.1.10 80/tcp        ALLOW       Anywhere
[ 2] 192.168.1.10 22/tcp        ALLOW       Anywhere
[ 3] Anywhere                   DENY        192.168.1.5
[ 4] 80                         DENY IN     202.54.1.5
sudo ufw deny proto tcp from 202.54.1.1 to any port 22
sudo ufw deny proto tcp from 202.54.1.0/24 to any port 22

sudo ufw status numbered
sudo ufw delete NUM
sudo ufw delete 4

sudo ufw reload

sudo ufw insert 1 deny from {BADIPAddress-HERE}
sudo ufw insert 1 deny from 178.137.80.191 comment 'block spammer'
sudo ufw insert 1 deny from 202.54.1.0/24 comment 'Block DoS attack subnet'

LISTING OF BLOCKS (LOG):

> sudo iptables -L -n --line
