If someone can authenticate on the FTP (could even be anonymous ftp, but I’d recommend using a special username you want to specifically grant access) then fail2ban triggers an ALLOW command for their IP on some port (or all ports), for example SSH (22) or apache https (443) with a private site on it that you want to keep private and totally hidden from the internet at large. This concept could really apply to anything. Any command IPTables can run can be triggered through something fail2ban sees in a log file basically, the possibilities are endless. In my example I’ll use https, port 443, but in real life I’m using an obscure port number and the program running on it that is not very secure by default.

So here are my slightly modified configuration files for setting up a custom fail2ban service that does the opposite of what fail2ban typically does.

In /etc/fail2bain/jail.conf I added:

 [vsftpd2allow443]
 
 enabled  = true
 port     = 443
 filter   = vsftpd-2-https
 banaction = iptables-accept-https
 logpath  = /var/log/vsftpd.log
 maxretry = 1
 bantime  = -1

filter has to match the name of the corresponding file in the /etc/fail2ban/filter.d folder. banaction has to match the corresponding file in the /etc/fail2ban/action.d folder. Max retry is 1 so the person doesn’t need to successfully login to the FTP more than once to get access to our secret port back door. Bantime -1 should add the person for ever. For added security try bantime = 86400 for 1 days access (bantime uses seconds).

Next make a copy of a default action for a template:

 cp -vip /etc/fail2ban/action.d/iptables.conf /etc/fail2ban/action.d/iptables-accept-https.conf

Then modify all the DENYs to ACCEPT and change the port:

 actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Becomes
 actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ACCEPT
 
 actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
 # Becomes
 actionunban = iptables -D fail2ban-<name> -s <ip> -j ACCEPT
 
 port = ssh
 # Becomes
 port = 443

And lastly you need your fail2ban filter that watches vsftpd for successful authenticions of our special user who gets special ports opened up for them. Since I’m using vsftpd as my FTP I just copied it’s current filter and modified it to look for good auths instead of bad auths.

 cp -vip /etc/fail2ban/filter.d/vsftpd.conf /etc/fail2ban/filter.d/vsftpd-2-accept-https.conf

Change ‘specialuser‘ to whatever FTP user you want to gain special access to your server.

 failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
     \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
 # Becomes
 failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
     \[specialuser\] OK LOGIN: Client "<HOST>"\s*$

If you’re not using VFTPd then fail2ban has many other popular linux FTP client’s setup in the filter.d folder. You should also look in your log file (ls /var/log/*ftp* should find it) to find out what syntax it uses to denote a successful FTP login because it will most likely be different than what VSFTPd uses.

Now you just need to remember the password for your specialuser and you just FTP to your server with that login from any computer in the world to open your hidden port to access your secret content. This idea is mostly for personal use and I recommend against trying to have any beginner users use this as a mechanism for accessing content or even using it in a serious This slight modification isn’t revolutionary or anything and I may not be the first to come up with it but it definitely isn’t a well search indexed idea so I thought I’d throw this out there for others.

There are plenty of tutorials out there which cover configuring a normal SAB installation so I won’t cover that here. What I am going to do is make my SAB available through a web accessible passworded page, this can be accomplished with default SAB features by putting a web username/password in the general configuration section. However I find it annoying to have to enter the password when I’m on my internal 192.168 home network just to make it protected from the outside, and I don’t like the way it presents the username/password prompt in a website form rather than an generic apache pop-up. I’m sure open accessibility could be fixed in the SABnzbd+ code but I’m not a pro python hacker yet so I’ll just stick to what I know.

Basically I want a generic pop-up password that is only for people outside my network so I’m not bothered with SAB passwords while at home (And I can’t get nzbdStatus to work with a pass enabled). The htpasswd also acts as a bit of camouflage and additional security. There are some concepts which aren’t covered here which are required, you need to know how to configure your own SAB servers, Portforwarding or Firewall/iptables.

If you’re using a router, you’re going to want to make sure you’re not port forwarding the default SAB port of 8080 (which would make it wide open) and only are forwarding the apache2 port you setup for the SAB proxy. If you’re not on an internal IP subnet and have a static IP assigned directly to the linux machine you’re doing this on then I expect you have enough knowledge of IPTables to block the SAB port and allow the proxy port.

SABnzbd Daemon (optional)

Download the latest SABnzbd version from http://www.sabnzbd.org/download/ to your favorite place to install python apps and optionally install a deamon to auto start SAB: http://artur.hefczyc.net/node/10. Mine is modified to include a restart command:

#!/bin/sh
# Source: http://sabnzbd.wikidot.com/install-as-a-unix-daemon
case "$1" in
start)
echo "Starting SABnzbd."
/usr/bin/sudo -u sabuser -H /usr/local/src/SABnzbd/SABnzbd.py -d -f /home/sabuser/.sabnzbd/sabnzbd.ini
;;
stop)
echo "Shutting down SABnzbd."
/usr/bin/wget -q --delete-after "http://localhost:8080/sabnzbd/api?mode=shutdown"
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

At this point I’ll assume you have a working sabnzbd installation and have tested to confirm it’s working.

vi /home/sabuser/.sabnzbd/sabnzbd.ini

Change

host = localhost

to

host = 192.168.0.53

to make it accessible from elsewhere besides the box running SAB.
That’s all you need to do with SAB other than configure servers and preferences.

Apache Proxy Setup

apt-get install apache2
htpasswd -c /usr/local/src/SABnzbd/.htpasswd username # Enter your password when prompted
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_html

Ubuntu mod_proxy Denies all but default so you’ll need to make a similar modification to what follows – see your Apache error files for something like if your proxy isn’t working. You can either change

Deny from all

to

Allow from all

if you expect to be using it from any external IP address or individual IPs you’ll expect needing access (work IP). In my case 192.168.0.1 port forwards so that’s the only one I need but I put in my entire internal subnet for testing purposes.

vi /etc/apache2/mods-enabled/proxy.conf

<Proxy *>
  AddDefaultCharset off
  Order deny,allow
  Deny from all
  Allow from 192.168.0.0/24
<Proxy>

Add something like this to your apache2 vhost config (logs are optional)

vi /etc/apache2/conf.d/vhosts.conf

Listen 8001 # Use whatever port you want, I usually use obscure ports that aren't regularly scanned.
NameVirtualHost 192.168.0.53:8001  # Change 192.168.0.53 to whatever your SAB server's IP is (make sure it's static too).

<VirtualHost 192.168.0.53:8001>
ServerName sabuser.dyndns.org # Enter your hostname or <strong>static</strong> IP address here.  I use dyndns.org since I have a dynamic IP
ProxyPass /sabnzbd http://192.168.0.53:8080/sabnzbd/
ProxyPassReverse /sabnzbd http://192.168.0.53:8080/sabnzbd/
ProxyPreserveHost On
# Password Protect the external proxy only.
<Location /sabnzbd>
AuthUserFile /usr/local/src/SABnzbd/.htpasswd
AuthName "Authenticate Yourself."
AuthType Basic
Require valid-user
</Location>
# Alternate method, requires rewrite mod:
#RewriteEngine   on
#RewriteRule     (.*) http://192.168.0.53:8080/sabnzbd/$1 [P]
</VirtualHost>

References

# Apache Proxy
http://snippets.dzone.com/posts/show/1318
http://mail-archives.apache.org/mod_mbox/httpd-users/200307.mbox/%3C20030723191854.43885.qmail@web40903.mail.yahoo.com%3E
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html