netstat: command not found, net-tools missing

The error -bash: netstat: command not found occurs when you try to run the “netstat” command in bash on Debian and Ubuntu Linux, because this command is no longer included by default. In this tutorial you will learn how to install the net-tools package on a Debian-based Linux, which includes, among other things, the netstat command.


netstat error message in bash

When running the netstat command, the following error message occurs:

-bash: netstat: command not found

This simply means that the net-tools package, which contains the netstat executable, is not installed. The package may not be installed on the system by default and must then be installed manually.

Install the net-tools package

To make netstat available on the system, simply install the net-tools package with the following command:

$ sudo apt update
$ sudo apt install net-tools -y

Besides netstat, the net-tools package includes utilities such as arp, ifconfig, rarp, and route.

Detect package net-tools and netstat

Check whether the net-tools package is installed by querying it by package name.

$ apt list net-tools
Listing... Done
net-tools/oldstable,now 1.60+git20181103.0eebece-1 amd64 [installed]

net-tools is a collection of basic network programs. If the net-tools package is installed, the netstat commands are available on the host.

$ apt show net-tools

Examples with netstat

With net-tools installed on the system, we can now use some of the following netstat commands.

First, let’s look at the processes waiting for connections. To do this we enter the following netstat command.

$ sudo netstat -tulpen

Now let’s take a look at all the current network connections. To do this, we enter the following netstat command, which is similar to the previous one, except that we use -a to show all sockets and not -l to show only the listening sockets.

$ sudo netstat -atupen

If you only want to see the ESTABLISHED connections, pipe the output of netstat to grep.

$ sudo netstat -atupen | grep ESTABLISHED
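To turn the listening-socket listing into a quick exposure check, the following Python code parses netstat -tulpen output and keeps the sockets bound to a wildcard address. It is an added example, not part of the original tutorial; the sample output is constructed (column spacing condensed) and the names parse_listeners and exposed are hypothetical.

```python
# Constructed sample in the column layout printed by `netstat -tulpen` as root.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State   User Inode PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN  0    18093 812/sshd
tcp        0      0 127.0.0.1:3306  0.0.0.0:*       LISTEN  112  21001 1033/mysqld
tcp6       0      0 :::80           :::*            LISTEN  0    20111 950/apache2
udp        0      0 127.0.0.53:53   0.0.0.0:*               101  16500 640/systemd-resolve
udp        0      0 0.0.0.0:68      0.0.0.0:*               0    17000 700/dhclient
"""

WILDCARDS = {"0.0.0.0", "::", "*"}   # bound to every interface

def parse_listeners(text):
    """Parse `netstat -tulpen` output into one dict per listening socket."""
    rows = []
    for line in text.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue                  # banner and column header
        fields = line.split()
        if fields[0].startswith("tcp"):
            del fields[5]             # State is only filled in for TCP rows
        proto, local, user = fields[0], fields[3], fields[5]
        address, port = local.rsplit(":", 1)   # ":::80" -> ("::", "80")
        rows.append({
            "proto": proto, "address": address, "port": int(port),
            "uid": user, "program": " ".join(fields[7:]) or "-",
        })
    return rows

def exposed(rows):
    """Listeners bound to a wildcard address, reachable on every interface."""
    return [r for r in rows if r["address"] in WILDCARDS]

if __name__ == "__main__":
    for r in exposed(parse_listeners(SAMPLE)):
        print(f'{r["proto"]:5} {r["port"]:>5} uid={r["uid"]} {r["program"]}')
```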

ss command replaces the deprecated netstat command

Installing net-tools restores the obsolete Linux network commands. The following table shows the obsolete commands, including netstat, and their new replacements, including ss:

Outdated command    New command
arp                 ip n (ip neighbor)
ifconfig            ip a (ip addr), ip link
iptunnel            ip tunnel
iwconfig            iw
nameif              ip link
netstat             ss -t (for netstat -t), ss -u (for netstat -u)
                    ip route (for netstat -r)
                    ip -s link (for netstat -i)
                    ip maddr (for netstat -g)
route               ip r (ip route)

ss is the new utility for checking sockets. It dumps socket statistics and shows information similar to netstat.

Example of using ss instead of netstat (net-tools):

$ ss -atulpen4

Conclusion

In this tutorial, we have seen how to install the missing netstat command on a Debian-based Linux or Ubuntu using the net-tools package. We also learned some basic ways to use the netstat command to get started using it. Attention is also drawn to the ss command, which replaces netstat but has a different syntax.

Protect WordPress from Brute-Force-Attacks with Fail2ban

How To Protect WordPress against Brute-Force-Attacks using Fail2ban

WordPress itself does not offer any protection against brute force attacks. There are several methods of protection, however. Besides lock-down plugins that block IP addresses after failed login attempts, another option is the kernel firewall controlled by Fail2ban, which locks the suspicious host out for a certain time.

To protect your WordPress from brute force attacks with Fail2ban, follow this installation tutorial.

To install fail2ban on RHEL, the EPEL repository must be added first. Debian already provides fail2ban in its default repository.

$ yum install epel-release

The installation, run here as root, is as follows. A standard configuration is provided and does not require any further adjustments:

$ yum install fail2ban -y

On Debian and Ubuntu Linux, fail2ban is installed as follows.

$ apt install fail2ban -y

After fail2ban is installed on the server, the Apache access_log can be scanned for login attempts.

10.241.83.170 - - [02/Jul/2017:21:23:17 +0200] "POST /xmlrpc.php HTTP/1.1" 200 406
10.241.83.170 - - [02/Jul/2017:21:23:19 +0200] "GET /wp-login.php HTTP/1.1" 200 6387
10.241.83.170 - - [02/Jul/2017:21:23:19 +0200] "POST /wp-login.php HTTP/1.1" 200 6561
10.120.13.157 - - [02/Jul/2017:21:27:55 +0200] "POST /xmlrpc.php HTTP/1.1" 200 406
10.120.13.157 - - [02/Jul/2017:21:27:56 +0200] "GET /wp-login.php HTTP/1.1" 200 6440
10.120.13.157 - - [02/Jul/2017:21:27:56 +0200] "POST /wp-login.php HTTP/1.1" 200 6614

So that fail2ban knows which patterns to search for in the log file, a filter is created with vim or another preferred editor. We create the filter file with the command vi /etc/fail2ban/filter.d/wp-auth.conf

# WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf:
#
# Block IPs trying to auth wp wordpress
#
[Definition]
failregex = ^<HOST> .*"POST \/wp-login\.php HTTP\/.*$
            ^<HOST> .*"POST \/\/wp-login\.php HTTP\/.*$
            ^<HOST> .*"POST \/xmlrpc\.php HTTP\/.*$
            ^<HOST> .*"POST \/\/xmlrpc\.php HTTP\/.*$
ignoreregex =

The main configuration of fail2ban is located in the file /etc/fail2ban/jail.conf, which is copied to jail.local. Alternatively, add only the jail for the filter by editing the configuration with vi /etc/fail2ban/jail.local

[wp-auth]
enabled = true
filter = wp-auth
action = iptables-multiport[name=AuthFailures, port="http,https"]
logpath = %(apache_access_log)s
bantime = 1800
maxretry = 5

After 5 login attempts (maxretry), the host is blocked for 30 minutes (bantime).
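To see what the filter and the maxretry threshold do together, the following Python code applies the page's failregex lines to sample log entries and reports which hosts would reach the threshold. It is an added example, not fail2ban's own code: the log lines are constructed, the <HOST> replacement is a simplified stand-in, FINDTIME is an assumed window, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex lines copied from the page's wp-auth.conf. fail2ban expands <HOST>
# to its own host pattern; (?P<host>\S+) is a simplified stand-in for it.
FAILREGEX = [
    r'^<HOST> .*"POST \/wp-login\.php HTTP\/.*$',
    r'^<HOST> .*"POST \/\/wp-login\.php HTTP\/.*$',
    r'^<HOST> .*"POST \/xmlrpc\.php HTTP\/.*$',
    r'^<HOST> .*"POST \/\/xmlrpc\.php HTTP\/.*$',
]
PATTERNS = [re.compile(r.replace("<HOST>", r"(?P<host>\S+)")) for r in FAILREGEX]
MAXRETRY = 5     # maxretry from the page's [wp-auth] jail
FINDTIME = 600   # seconds; assumed, the page's jail does not set findtime

# Constructed sample lines in the access_log format shown on the page.
# The last line is answered with 302; the filter ignores the status code.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jul/2017:21:23:17 +0200] "POST /xmlrpc.php HTTP/1.1" 200 406
192.0.2.10 - - [02/Jul/2017:21:23:18 +0200] "GET /wp-login.php HTTP/1.1" 200 6387
192.0.2.10 - - [02/Jul/2017:21:23:19 +0200] "POST /wp-login.php HTTP/1.1" 200 6561
192.0.2.10 - - [02/Jul/2017:21:23:20 +0200] "POST //wp-login.php HTTP/1.1" 200 6561
192.0.2.10 - - [02/Jul/2017:21:23:21 +0200] "POST /wp-login.php HTTP/1.1" 200 6561
192.0.2.10 - - [02/Jul/2017:21:23:22 +0200] "POST //xmlrpc.php HTTP/1.1" 200 406
198.51.100.7 - - [02/Jul/2017:21:30:09 +0200] "POST /wp-login.php HTTP/1.1" 302 -
"""

def matches(log_text):
    """Yield (host, timestamp) for each line that one of the failregex matches."""
    for line in log_text.splitlines():
        hit = next((m for m in (p.match(line) for p in PATTERNS) if m), None)
        if hit:
            stamp = re.search(r"\[([^\]]+)\]", line).group(1)
            yield hit.group("host"), datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")

def hosts_to_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return hosts with at least maxretry matches inside one findtime window."""
    seen, banned = defaultdict(list), set()
    for host, ts in matches(log_text):
        # Keep only this host's matches that are still inside the window.
        seen[host] = [t for t in seen[host] if (ts - t).total_seconds() <= findtime]
        seen[host].append(ts)
        if len(seen[host]) >= maxretry:
            banned.add(host)
    return sorted(banned)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

Because the filter matches every POST to wp-login.php or xmlrpc.php, a POST answered with a 302 redirect (as WordPress sends after a successful login) counts toward maxretry as well. On a live system, fail2ban-regex <logfile> /etc/fail2ban/filter.d/wp-auth.conf runs the real filter against a real log.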

Before using fail2ban, take a look at /etc/fail2ban/jail.conf. In the [INCLUDES] section, the line before = paths-distro.conf defines the paths for the Linux distribution currently in use. Here we use CentOS 7 and the appropriate file /etc/fail2ban/paths-fedora.conf

[INCLUDES]
before = paths-centos.conf

We copy the file paths-fedora.conf to paths-centos.conf. All logs under /var/www/*/logs should be read, so adjust the paths to the Apache logs if necessary.

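# apache server log
apache_error_log = /var/log/httpd/*error_log
apache_access_log = /var/log/httpd/*access_log

# apache virtual hosts
# (set each option only once: keep this pair instead of the one above
#  when the logs live under /var/www/*/logs)
apache_error_log = /var/www/*/logs/*error_log
apache_access_log = /var/www/*/logs/*access_log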

Under Debian the following content is defined in /etc/fail2ban/jail.conf

[INCLUDES]
before = paths-debian.conf

Now restart fail2ban to activate the filter.

$ systemctl restart fail2ban

Check fail2ban status as follows.

$ fail2ban-client status wp-auth

Show the iptables status of the filter chain.

$ iptables -vnL | grep AuthFailures

The iptables output for the AuthFailures filter chain looks roughly as follows.

Chain f2b-AuthFailures (1 references)
 pkts bytes target prot opt in out source destination
 252K 32M RETURN all -- * * 10.241.83.170/0 0.0.0.0/0
 232K 29M RETURN all -- * * 10.120.13.157/0 0.0.0.0/0

If you have locked yourself out through too many failed attempts and tests, you can unlock yourself again with the following command.

$ fail2ban-client set wp-auth unbanip 10.110.51.25

The advantage of this method is that fail2ban blocks the suspicious host for all services. Many bots will usually move on to the next website to continue their attacks; ssh and ftp requests also go nowhere, while ICMP requests remain unanswered for the investigated IP address.
