How to Protect a LAMP Server Against nf_conntrack Flood Attacks

An AWS hosted website went offline at 02:00 this morning. It was running on a t2.nano Debian 9 instance. I was unable to log into the affected server, and a reboot was the only available course of action. Logging in and checking the logs afterwards revealed thousands of errors like this in the kernel log file, from 2:00 AM onward:

nf_conntrack: nf_conntrack: table full, dropping packet

The cause was a denial of service attack, coming from a couple of IP addresses seemingly in Iran. However, it was a little unusual for a couple of reasons. This article explains more about the attack vector and presents a solution to guard against future attacks. (In summary: block IP addresses, tune the kernel).

Continue reading

Automatic Nextcloud Installation on Raspberry Pi

Nextcloud is an open source software package providing remote file sharing services. It is similar to Dropbox. But with Nextcloud, you retain ownership, security and control of the shared data. This procedure describes how to build a working Nextcloud service using just 3 commands.  It has been tested on Raspbian Stretch and on the Raspberry Pi 4 / Raspbian Buster (this article updated 9/8/19)

Note: If you would rather do the installation manually, step-by-step, without the help of a script, please see my previous article Simple Nextcloud Installation on Raspberry Pi. It explains how to do the installation in detail, and provides more background information on Nextcloud. Both procedures achieve the same overall result, however.

Note: If you are running Raspbian Buster, then Nextcloud 16 will be installed.  For Stretch, it’s Nextcloud 15.

Continue reading

Using Address Ranges and Port Ranges with Iptables

Iptables is the name of the firewall built into the Linux kernel. It is also the tool used for firewall configuration. This post explains how to use iptables with a range of IP addresses and/or ports. It could be used, for example, to allow SSH traffic from a number of systems. Or to open up a range of ports with a single firewall rule.

Note: This article is not about blacklisting. If you are looking to set up a blacklist, perhaps to protect your server from a number of unrelated IP addresses, my related procedure on how to protect your webserver with IPset might be more appropriate.

The Linux firewall (part of the Netfilter project) is important on Internet facing systems, “edge” servers and “jump” boxes. Particularly when they do not sit behind another protective network element such as a load balancer or discrete firewall. For example, standaline cloud instances that are not part of a protected VPC infrastructure. Continue reading

Simple Nextcloud Installation on Raspberry Pi

This article explains how to install Nextcloud on the Raspberry Pi. It has been tested with the latest version of Nextcloud (16.0.3 at the time of writing), but should work for future versions too.  It has also been successfully tested on the latest Pi hardware, the Raspberry Pi 4, and on earlier Pi versions, and on the latest Pi OS, Raspbian 10 “Buster”.

Nextcloud is an open source software package providing remote file sharing services, similar to Dropbox. But with Nextcloud, you retain ownership, security and control of the shared data. Nextcloud works well on a Pi 2, Pi 3 and especially a Pi 4 but will run very slowly on a Pi 1.

Note: This is a manual, step-by-step procedure. If you would rather do the installation automatically, please see my recent article Automatic Nextcloud Installation on Raspberry Pi, which explains how to install Nextcloud with 3 commands. It is the quickest and easiest way to get Nextcloud running. Both procedures achieve the same overall result, however.
Continue reading

Simple Owncloud Installation on Raspberry Pi 2

The Raspberry Pi’s low power consumption makes it well suited to the role of always-on server. This post describes how to install Owncloud onto the Pi. Owncloud is an open source software package providing remote file sharing services, similar to Dropbox. But with Owncloud, you retain ownership, security and control of the shared data. Owncloud works well on a Pi 2 and Pi 3 but will run very slowly on a Pi 1.

Update 20th November 2016 – There is a newer version of this article. Please see Simple Nextcloud Installation on Raspberry Pi. Nextcloud was forked from ownCloud in June 2016. It now seems to have become the natural successor to Owncloud. I recommend using Nextcloud rather than Owncloud. This article remains on line because it might be helpful to existing Owncloud users, particularly the parts about upgrading and using external USB media.

UPDATE 16th July 2016 – Nextcloud was forked from Owncloud in June 2016. The procedure below can be used both for Owncloud and the initial release of Nextcloud (version 9.0.52). Thanks to Dan for this information.

My Raspberry Pi 2 was purchased from RS Components in the UK. It was installed with Raspbian “Jessie” (Debian 8) by applying the image “2016-02-09-raspbian-jessie.img” downloaded from the raspberrypi.org downloads page. The following procedure was then performed without any further pre-work (other than enabling ssh in the basic setup). Continue reading