Suricata IPS for running server

Make sure that Suricata is started with the “-q 0” parameter so that it runs in NFQUEUE mode (queue 0)!

In /etc/suricata/suricata.yaml change to:

nfq:
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1

In /etc/ufw/before.rules and /etc/ufw/before6.rules insert this section:

### SURICATA ###
-I INPUT 1 -p tcp --dport 22 -j NFQUEUE --queue-bypass
-I OUTPUT 1 -p tcp --sport 22 -j NFQUEUE --queue-bypass
-I FORWARD 1 -m mark ! --mark 1/1 -j NFQUEUE
-I INPUT 2 -m mark ! --mark 1/1 -j NFQUEUE
-I OUTPUT 2 -m mark ! --mark 1/1 -j NFQUEUE
### END SURICATA ###

In case you are on RHEL or alike:

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p tcp --dport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 1 -j NFQUEUE

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -j NFQUEUE

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --sport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -p tcp --sport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -j NFQUEUE
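The ufw rules above guard each catch-all NFQUEUE rule with "-m mark ! --mark 1/1": in repeat mode Suricata reinjects every packet carrying that mark, and the guard is what keeps the reinjected copy from being queued a second time. The shell functions below are an added example, not part of this page, of ufw, firewalld or Suricata; they read an "iptables -S" (or "ip6tables -S") listing and report NFQUEUE rules that carry neither "--queue-bypass" nor a negated mark match. The listing embedded in the block is constructed for illustration and the function names are my own. The firewalld direct rules in the RHEL section are written without the mark match, so the check is worth running on such a host as well.

```shell
#!/bin/sh
# Added example: audit an `iptables -S` listing for NFQUEUE rules that are
# neither --queue-bypass nor guarded by the repeat-mode mark test.
# The listing below is constructed for illustration, not captured from a host.
SAMPLE_IPTABLES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j NFQUEUE --queue-num 0 --queue-bypass
-A INPUT -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
-A FORWARD -j NFQUEUE --queue-num 0
-A OUTPUT -p tcp -m tcp --sport 22 -j NFQUEUE --queue-num 0 --queue-bypass
-A OUTPUT -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0'

# Read a ruleset on stdin; print every rule that jumps to NFQUEUE without
# --queue-bypass and without a negated mark match ("-m mark ! --mark ...").
# `|| true` keeps the function's status 0 when nothing is found.
unguarded_nfqueue_rules() {
    grep -- '-j NFQUEUE' | grep -v -- '--queue-bypass' | grep -v -- '-m mark ! --mark' || true
}

# Number of such rules on stdin; 0 means every queued path is guarded.
count_unguarded_nfqueue_rules() {
    unguarded_nfqueue_rules | wc -l | tr -d ' '
}

# Stand-alone run against the constructed listing (hypothetical host output).
printf '%s\n' "$SAMPLE_IPTABLES" | unguarded_nfqueue_rules
```

On a live host, pipe the real listing in: "iptables -S | unguarded_nfqueue_rules" and the same for ip6tables. Against the constructed listing, only the FORWARD rule is reported, because it is the one that would queue a packet Suricata has already seen and marked.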

Enable EXT4 quotas on root partition

Enabling native EXT4 quota on the root partition is not straightforward: tune2fs needs the device unmounted, so normally you can only do it when booted from a live disk or similar… Yeah, whoever made that decision needs to be punished. I found a script that tunes the filesystem from the initramfs, before root is mounted at boot time. Here is the script:

#!/bin/bash

# init-premount script: runs inside the initramfs before the root filesystem
# is mounted, which is the only point at which tune2fs may change root.
cat > /etc/initramfs-tools/scripts/init-premount/ext4_quota <<"EOF"
#!/bin/sh

PREREQ=""

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

# ${ROOT} is set by the initramfs from the kernel command line.
# Bail out if tune2fs cannot read an ext superblock on it. The braces matter:
# an "exit" inside a ( ... ) subshell would only leave the subshell and the
# script would still run tune2fs -O quota on a non-ext device.
/sbin/tune2fs -l "${ROOT}" | grep -q features || { echo "no ext4 found in ${ROOT}"; exit 0; }
echo "Enabling ext4 quota on ${ROOT} "
/sbin/tune2fs -O quota "$ROOT" || echo "tune2fs: $?"
EOF

chmod 0755 /etc/initramfs-tools/scripts/init-premount/ext4_quota

cat >/etc/initramfs-tools/hooks/tune2fs <<"EOF"
#!/bin/sh

PREREQ=""

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. /usr/share/initramfs-tools/hook-functions
copy_exec /sbin/tune2fs /sbin
EOF

chmod 0755 /etc/initramfs-tools/hooks/tune2fs

update-initramfs -k all -u
rm -v /etc/initramfs-tools/scripts/init-premount/ext4_quota /etc/initramfs-tools/hooks/tune2fs

I found the script over here:

https://anton.dollmaier.name/2024/10/enable-native-filesystem-quotas-in-ext4

Thank you a ton dear Anton!
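After the reboot you want to confirm the script actually set the feature. The helper functions below are an added example, not part of this page or of Anton's script: they parse the "Filesystem features:" line of "tune2fs -l" output read on stdin and check for a named feature such as "quota". The tune2fs excerpt embedded in the block is constructed for illustration and the function names are my own.

```shell
#!/bin/sh
# Added example: check the feature list reported by `tune2fs -l`.
# Constructed excerpt of tune2fs -l output; not captured from a real host.
SAMPLE_TUNE2FS='tune2fs 1.47.0 (5-Feb-2023)
Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype extent flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum quota
Default mount options:    user_xattr acl'

# Print the space-separated feature list from tune2fs -l output on stdin.
ext4_features() {
    sed -n 's/^Filesystem features:[[:space:]]*//p'
}

# Exit 0 when the feature named in $1 (e.g. "quota") is present in the
# tune2fs -l output on stdin; exit 1 otherwise.
has_ext4_feature() {
    ext4_features | tr ' ' '\n' | grep -qx -- "$1"
}

# Stand-alone run against the constructed excerpt (hypothetical host output).
if printf '%s\n' "$SAMPLE_TUNE2FS" | has_ext4_feature quota; then
    echo "quota feature is enabled"
else
    echo "quota feature is NOT enabled"
fi
```

On a live host: "tune2fs -l /dev/sdXN | has_ext4_feature quota" (substitute the real root device). Matching whole words with "grep -x" avoids a false positive from feature names that merely contain the string, which a plain "grep quota" over the whole output would also get from the quota inode lines tune2fs prints.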