I encountered a peculiar issue where my WordPress instance was unable to reach wordpress.org, and DokuWiki could not access its plugin repository. All standard network checks (wget, curl, DNS) worked fine, and no drops were registered by the standard firewall rules.
However, logging revealed a problem deep within the Intrusion Prevention System (IPS) layer.
The Diagnostic: Stream Errors
I noticed an unusually high number of dropped packets related to stream errors in the stats.log:
ips.drop_reason.flow_drop | Total | 837
ips.drop_reason.rules | Total | 3398
ips.drop_reason.stream_error | Total | 19347
This confirmed that Suricata’s TCP Stream Engine was classifying legitimate traffic as invalid, causing the connection to stall before the application layer could proceed. The volume of stream_error drops was alarmingly high.
Further investigation into Suricata’s internal statistics revealed details about the nature of the errors:
stream.fin_but_no_session | Total | 12508
stream.rst_but_no_session | Total | 2577
stream.pkt_spurious_retransmission | Total | 14735
These specific counters (FINs/RSTs without an active session, spurious retransmissions) point to common issues in asymmetric routing or session tracking in complex bridged/virtualized environments.
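To watch these counters without waiting for the full periodic stats dump, the running totals can be pulled straight out of the stats log (the path below is the Debian default and an assumption for other setups):

```shell
# Show the most recent values of the stream counters discussed above
grep -E "stream\.(fin_but_no_session|rst_but_no_session|pkt_spurious_retransmission)" \
    /var/log/suricata/stats.log | tail -n 3
```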
The Workaround: Disabling Strict Stream Enforcement
Based on community discussions regarding unexpected drops in IPS mode, I tested a key stream-configuration variable.
The default setting drop-invalid: yes instructs Suricata to immediately drop packets it deems invalid according to its internal state machine (often due to out-of-sync sequence numbers or timing issues).
The Fix: I set this directive to no.
stream:
  memcap: 64mb
  memcap-policy: ignore
  drop-invalid: no  # Set to 'no' to fix legitimate traffic drops
  checksum-validation: yes
  midstream-policy: ignore
  inline: auto
  reassembly:
As soon as I applied this change, the traffic to wordpress.org and the DokuWiki repository resumed functioning normally.
Conclusion: The Security Trade-off
While this workaround immediately solved the connectivity problem, I am consciously accepting a security trade-off. Disabling drop-invalid instructs the IPS to allow potentially ambiguous or invalid packets to pass.
Risk: This allows a low-volume attacker to potentially use malformed packets to bypass the stream state-tracking.
Benefit: It ensures Service Availability for crucial application updates and connections that the IPS was incorrectly flagging due to virtualization or network environment subtleties.
My next step will be to investigate the root cause of the high stream_error count to see if the error is caused by a kernel-level configuration or a misaligned network path.
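Since NIC offloading (TSO/GSO/GRO/LRO) is a frequent culprit for exactly this kind of stream error, checking and temporarily disabling it is a cheap first test. A sketch, assuming the capture interface is named eth0:

```shell
# Inspect the offload features currently enabled on the capture NIC
ethtool -k eth0 | grep -E "segmentation-offload|receive-offload"

# Temporarily disable them (not persistent across reboots)
ethtool -K eth0 tso off gso off gro off lro off
```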
Sources / See Also
Suricata Documentation. Stream Configuration and Settings (Specifically drop-invalid). https://docs.suricata.io/en/latest/configuration/stream.html
Suricata Documentation. Understanding and Analyzing the Stats Log. https://docs.suricata.io/en/latest/output/stats/stats-log.html
Suricata Documentation. IPS Mode and Traffic Drop Reasons. https://docs.suricata.io/en/latest/performance/ips-mode.html
OISF Community Forum. Discussions on high stream errors/spurious retransmissions and network offloading. (Discussions of this kind are the primary place to find such workarounds.)
Linux Manpage: ethtool. Documentation on Network Offloading (TSO, GSO, LRO) which often causes Suricata Stream issues.
When I read about paperless-ngx, I was immediately drawn to the idea of having all my documents indexed (via OCR) and centrally stored. With a proper tagging system, exporting my documents for my annual tax declaration should only take seconds.
The installation procedure is straightforward but contains several critical security pitfalls that must be addressed, especially when integrating a reverse proxy. Here are my notes on setting up Paperless-NGX in Debian 12 Bookworm.
Part I: Installation and Secure User Setup
1. Install Docker Engine
Please consult the official Docker documentation for the installation of the Docker Engine.
2. Add a Dedicated, Unprivileged User
The safest approach is to use a dedicated system user. This ensures the application does not run with root privileges, even if the installation script or containers were ever compromised.
# 1. Create dedicated system user 'paperless'
adduser paperless --system --home /opt/paperless --group
# 2. Grant the user permissions to use Docker
usermod -aG docker paperless
3. Run the Install Script Securely
Execute the official install script as the newly created, unprivileged paperless user by leveraging sudo -Hu paperless. The script walks through several setup questions; the first prompts concern the instance URL, which is necessary for the reverse-proxy and SSL configuration. My remaining answers:
Database backend: postgres. Recommended for production and better performance compared to SQLite.
Enable Apache Tika?: yes. Required for indexing complex document types (Word, Excel, PowerPoint).
OCR language: deu+eng+fra+ara. Caution: each language increases resource usage; choose only what is necessary.
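For reference, the invocation looks like this. The script URL is taken from the paperless-ngx documentation at the time of writing; verify it (and ideally read the script) before piping it to bash:

```shell
sudo -Hu paperless bash -c "$(curl -fsSL https://raw.githubusercontent.com/paperless-ngx/paperless-ngx/main/install-paperless-ngx.sh)"
```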
Part II: Configuration and Container Management (Beginner Guide)
1. Modifying Configuration (docker-compose.env)
The environment variables are managed via the docker-compose.env file located in the installation directory (/opt/paperless/paperless-ngx/).
I recommend immediately setting the following variables, which are essential for security and functionality:
PAPERLESS_URL=https://documents.example.com
PAPERLESS_SECRET_KEY=------------USE-A-LONG-CRYPTIC-RANDOM-KEY----------------
PAPERLESS_OCR_LANGUAGE=ara+deu+eng+fra
PAPERLESS_OCR_LANGUAGES=ara deu eng fra # Note: space vs. plus sign syntax
PAPERLESS_CONSUMER_RECURSIVE=true
PAPERLESS_PORT=8000
OCR Note: Be sure to set both variables (_LANGUAGE and _LANGUAGES) as the syntax requirements for the Tesseract engine and the Docker Compose files differ.
CONSUMER_RECURSIVE: Set to true to allow dropping folders into the consume directory.
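For the secret key, any sufficiently long random string will do; one convenient way to generate it (assuming openssl is installed) is:

```shell
# 48 random bytes, base64-encoded: yields a 64-character value
# suitable for PAPERLESS_SECRET_KEY
openssl rand -base64 48
```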
2. Container Management: Start, Stop, and Update
For users new to Docker, knowing the exact commands for managing the environment after configuration changes is essential.
First, navigate to the directory containing the configuration files:
# cd /opt/paperless/paperless-ngx/
Stop and Restart (After configuration change):
root@paperless:/opt/paperless/paperless-ngx# sudo -Hu paperless docker compose down
[+] Running 6/6
✔ Container paperless-webserver-1 Removed 6.9s
...
root@paperless:/opt/paperless/paperless-ngx# sudo -Hu paperless docker compose up -d
[+] Running 6/6
✔ Network paperless_default Created 0.1s
...
✔ Container paperless-webserver-1 Started 0.0s
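The update path, which the heading promises but the transcript above does not show, follows the same pattern: pull the newer images, then recreate the containers from them:

```shell
cd /opt/paperless/paperless-ngx/
sudo -Hu paperless docker compose pull   # fetch newer images
sudo -Hu paperless docker compose up -d  # recreate containers from them
```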
Part III: Critical Security Fix and NGINX Integration
1. CRITICAL SECURITY FLAW: Port Exposure Fix
The default installation (as of writing this article: December 17, 2023) does not bind the Paperless-NGX webserver (port 8000) to localhost (127.0.0.1). This means that unless you have a strict host firewall, the Paperless login page is reachable from the internet on port 8000.
Proof of Exposure: A netstat check shows global listening:
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN
The Fix: You must edit the ports directive in the docker-compose.yml to explicitly set the binding to 127.0.0.1.
# /opt/paperless/paperless-ngx/docker-compose.yml (webserver section)
ports:
# CRITICAL: Only the localhost can reach Port 8000 on the host.
- "127.0.0.1:8000:8000"
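After restarting the containers, repeating the earlier socket check should now show the loopback binding:

```shell
ss -tlnp | grep ':8000'
# The listener should now read 127.0.0.1:8000 rather than 0.0.0.0:8000
```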
2. NGINX SSL/TLS Basic Hardening
Since Paperless-NGX handles sensitive personal documents, a strong TLS configuration is mandatory. I suggest using the Mozilla SSL Configuration Generator as a reference for modern best practices.
Recommendations:
ECDSA Certificates: Use ECDSA certificates (e.g., secp384r1) over legacy RSA keys for better performance and security.
HSTS: Implement Strict-Transport-Security (HSTS) to force browsers to always use HTTPS.
TLS Protocol: Use ssl_protocols TLSv1.3; to ensure only the most current and secure protocol is allowed.
3. Header Management and Inheritance Logic
A common pitfall with NGINX is the add_header directive. If you use even one add_header directive within a location {} block, it overrides/disables all header inheritance from the parent server {} block.
This means if you add the Referrer-Policy header in your location / {} block, you must re-declare all other global headers (like HSTS and other security headers) there as well.
4. Essential Security Headers
To ensure defense against common web attacks, I use a separate headers.conf file:
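The exact contents of that file depend on the application; as a minimal sketch (the header values below are my assumptions, not Paperless-NGX requirements):

```nginx
# /etc/nginx/snippets/headers.conf -- include from the server {} block.
# 'always' makes NGINX emit the headers on error responses too.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
```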
5. Content Security Policy (CSP)
CSP is the most crucial defense against Cross-Site Scripting (XSS). Paperless-NGX’s UI uses inline scripts and styles, which complicate the policy.
The following CSP is a working compromise, allowing essential inline elements while blocking common injection points. I strongly suggest using the developer console to check for any blocked resources after implementation.
Note: Using 'unsafe-inline' is often necessary for applications that have not fully adopted modern CSP practices.
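As a starting point, a policy of roughly this shape can work (an assumption to be tuned against the browser console, not the definitive policy for Paperless-NGX):

```nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'" always;
```

Remember the inheritance rule from the previous section: if this line ends up inside a location {} block, all other add_header directives must be re-declared there.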
6. Blocking Search Engine Indexers (robots.txt)
Since this is a system for private documents, we must prevent all search engines and indexing services from crawling or indexing the instance, regardless of the login protection.
This is easily achieved in NGINX without creating a file on the disk:
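A location block with an inline return is enough; a sketch:

```nginx
# Serve a deny-all robots.txt without a file on disk.
# default_type (rather than add_header) avoids the header-inheritance
# pitfall described above.
location = /robots.txt {
    default_type text/plain;
    return 200 "User-agent: *\nDisallow: /\n";
}
```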
The final NGINX site configuration combines all security requirements (HSTS, Headers, robots.txt) and correctly proxies to the secure loopback address.
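The proxying itself points at the loopback binding from the port-exposure fix; a sketch of the relevant location block (the websocket settings are an assumption based on the Paperless-NGX reverse-proxy documentation):

```nginx
location / {
    proxy_pass http://127.0.0.1:8000;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # The Paperless-NGX UI keeps a websocket open for status updates
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
```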
To move beyond the basic secure setup, I suggest investigating these advanced hardening techniques:
Authentication. Suggestion: implement a proxy layer like Authelia or Keycloak to enforce Multi-Factor Authentication (MFA) before the Paperless-NGX login page. Goal: Zero Trust; stop brute-force attacks before they reach the application.
Rate Limiting. Suggestion: configure Fail2ban to monitor NGINX access logs for login failures and automatically block the source IP. Goal: brute-force defense at the network/IP layer.
Protocol Security. Suggestions: if all client devices are modern, disable TLSv1.2 completely to enforce TLSv1.3 only; and implement strict CORS (Cross-Origin Resource Sharing) headers to prevent the Paperless instance from serving resources to unauthorized external domains.
Mozilla SSL Configuration Generator. A reference tool for modern TLS configurations. https://ssl-config.mozilla.org/
Scott Helme. Hardening Your HTTP Response Headers (X-Frame-Options, X-Content-Type-Options). https://scotthelme.co.uk/hardening-your-http-response-headers/
Scott Helme. Content Security Policy – An Introduction. https://scotthelme.co.uk/content-security-policy-an-introduction/
NGINX Documentation. Understanding the NGINX add_header Directive. http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
Bogon networks are IP address ranges that should never appear on the public internet, as they are either reserved or unassigned. Blocking these ranges is a fundamental and highly effective security measure. While this can be done with simple firewall rules, integrating the blocklist directly into the Suricata IP Reputation system is far more performant.
I rely on the lists provided by Team Cymru for both IPv4 and IPv6 bogons.
1. IPv6 Whitelisting: The Link-Local Caveat
When running an IPS/Firewall, one must be careful not to block essential local network traffic. The global IPv6 bogon list often includes the Link-Local and Multicast ranges (fe80::/10 and ff02::/16) because they fall under the wider 8000::/1 block.
Since blocking these addresses is incorrect and breaks internal IPv6 communication, a specific pass rule for ICMPv6 is required.
Suricata Pass Rule and RFC Reference
The rule uses ip_proto:58 (ICMPv6) and is carefully scoped. I use the Suricata reference system to document the source of the decision (RFC 4890).
pass ip [fe80::/10,ff02::/16] any -> any any (msg:"Pass essential ICMPv6 Link-Local traffic"; ip_proto:58; reference:rfc,rfc4890; sid:10; rev:1;)
2. Implementing the IP Reputation System
Suricata’s IP Reputation system is a performant alternative to sequential firewall checks. It loads external IP lists into an internal hashmap, allowing for a single, fast lookup per packet.
Configuration Setup
Enable IP Reputation: Uncomment the relevant sections in suricata.yaml and define the list files:
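In suricata.yaml the relevant keys are the category file, the reputation path, and the list files themselves (the list file names below are my choices, not defaults):

```yaml
# suricata.yaml -- IP reputation section
reputation-categories-file: /etc/suricata/iprep/categories.txt
default-reputation-path: /etc/suricata/iprep
reputation-files:
  - fullbogons-ipv4.list
  - fullbogons-ipv6.list
```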
Define the Category: Define a specific category for bogons in the categories.txt file. The number 1 is the category ID used in the final rule.
# /etc/suricata/iprep/categories.txt
1,Bogons,fullbogons list
The Bash Automation Script (IPv4 Example)
A robust Bash script is needed to fetch the lists and format the output into the Suricata-specific IP Reputation format (IP,categoryID,score).
#!/bin/bash
# ... (Source URL and File paths defined) ...
# 1. Fetch the list and check for changes
wget -q -O "$TMPIPREPFILE" "$SRCURL"
# ... (Diff check to prevent unnecessary updates) ...
# 2. Format and load the list
if [ -s "$TMPIPREPFILE" ]; then
    # Remove the current list for an atomic update
    if [ -f "$IPREPFILE" ]; then
        rm "$IPREPFILE"
    fi
    # Add each CIDR block with the category ID (1) and a score (10)
    while read -r NETWORK; do
        # Note: a score > 1 is needed to trigger the alert/drop rule
        echo "$NETWORK,1,10" >> "$IPREPFILE"
    done < <(grep -v "^#" "$TMPIPREPFILE")
fi
Note: I assign a score of 10; the rules below fire for any source whose Bogons reputation score is greater than 1.
3. The Final Detection and Prevention Rules
The final rule leverages the iprep keyword to check the source IP against the newly loaded Bogon list.
Detection Rule (Testing Phase)
The detection rule is used first to verify the configuration and observe traffic without blocking. The rule is triggered if the source IP’s reputation is in the Bogons category (category ID 1) and the score is greater than 1.
# Use this first to see what it would drop.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DROP FullBogons listed."; iprep:src,Bogons,>,1; sid:11; rev:1;)
Prevention Rule (Active Defense)
Once testing is complete, the rule is switched to drop for active prevention.
# Use this for active IPS defense.
drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DROP FullBogons listed."; iprep:src,Bogons,>,1; sid:11; rev:1;)
4. Verification
Verification confirms the lists are loaded and the counts are correct. The vast number of IPv6 bogons (142054) highlights the importance of this protection layer.
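A quick way to verify is to count the entries in the generated list files and trigger a live reload over the unix socket (paths match the configuration above; suricatasc ships with Suricata):

```shell
wc -l /etc/suricata/iprep/*.list      # entry counts per list
suricatasc -c "iprep-reload"          # reload reputation data without a restart
```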
This article documents a two-part process: successfully upgrading Suricata to version 7 on Debian Bookworm and solving a critical stability issue required to run the AF-Packet IPS mode with high-performance VirtIO NICs in a virtual machine. Without this specific configuration, the IPS failed to function.
Part I: Suricata 7 Upgrade and Policy Changes
A much newer Suricata version can be installed by utilizing Debian’s bookworm-backports repository, which is essential for access to the latest security features and performance enhancements.
The Backports Installation
Ensure the backports repository is configured in your /etc/apt/sources.list:
deb https://ftp.debian.org/debian/ bookworm-backports contrib main non-free non-free-firmware
Install Suricata using the specific target:
apt-get install -t bookworm-backports suricata
Post-Upgrade Security Alert (Critical)
After upgrading to Suricata 7, you may experience immediate traffic blocking. This is not a bug, but a deliberate change in the application’s default security posture.
Reason: Suricata 7 introduced new policy rules that are often set to drop by default.
Action: You must review your new suricata.yaml configuration. The recommended approach is to install the new configuration files, compare them with your old setup, and set unwanted policies to ignore.
Reference: This new behavior is explicitly documented in the official Suricata 7 Changelog. Consult the Suricata FAQ for troubleshooting details on blocking issues.
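The settings involved in that review look roughly like this (a sketch; compare the key names against the suricata.yaml shipped with your package before adopting them):

```yaml
# Suricata 7: relax the new default-drop exception policies
exception-policy: ignore      # master switch for exception policies
stream:
  memcap-policy: ignore
  midstream-policy: ignore
```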
Part II: The VirtIO and AF-Packet Critical Failure Fix
When using Suricata in IPS mode with the high-performance AF-Packet acquisition method, using VirtIO NICs is preferred. However, without a specific Libvirt configuration, the IPS fails entirely to process bridged traffic.
The Problematic Default VirtIO Config
If the VirtIO NIC is defined simply with <model type='virtio'/> in the Libvirt XML, AF-Packet fails to initialize or correctly process traffic.
The Solution: Disabling Guest Checksum Offload
The fix requires overriding the default driver settings by introducing the <driver> block and explicitly setting checksum (csum) offloading to off for the guest system.
This solution was found while troubleshooting similar packet loss issues in a thread related to XDP drivers in RHEL environments, suggesting a common kernel/driver interaction problem with aggressive offloading features.
The minimal required working Libvirt XML configuration looks like this:
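Reconstructed from the description below, the interface definition has this shape (the bridge name is a placeholder for your environment):

```xml
<!-- Libvirt domain XML, network interface section -->
<interface type='bridge'>
  <source bridge='br0'/>
  <model type='virtio'/>
  <driver name='vhost'>
    <!-- The essential part: disable guest checksum offload -->
    <guest csum='off'/>
  </driver>
</interface>
```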
Crucial Insight: The key fix is the parameter csum='off' within the <guest/> tag. If checksum offloading is left enabled (csum='on'), the system fails to bridge traffic completely.
Part III: The Deep Dive: Why Checksum Offload Causes Complete Failure
Here is the rationale for why Checksum Offload (CSUM) leads to complete non-functionality:
1. The CSUM Optimization Paradigm (CSUM=’on’)
When you set csum='on', you are performing a performance optimization aimed at saving CPU cycles:
The Host/Hypervisor receives packets and passes them to the VirtIO Driver (Vhost).
The Vhost Driver passes the packets into the VirtIO Ring in the Guest System, but marks them with a special flag (e.g., in the skb—Socket Buffer—metadata) signaling to the Guest Kernel: “Attention, the L3/L4 checksum is invalid/missing and must be corrected or calculated before further processing up the stack.”
This is a performance trick: the CPU-intensive checksum calculation is delegated to the Guest Kernel, but only when it is truly necessary.
2. The Collision Point: AF-Packet Bypass
Suricata using AF-Packet now bypasses precisely this process:
AF-Packet is a very low-level packet capture method. It operates directly above the driver (or in the kernel) and fetches the raw L2 frames directly from the VirtIO Ring.
Suricata receives the packet at a point before the standard kernel stack has performed the checksum finalization.
Suricata’s Deep Packet Inspection (DPI) engine relies on the integrity of the Layer 3/Layer 4 headers (e.g., to check the TCP segment length, track the TCP state machine, or evaluate the validity of IP headers).
The Non-Functionality: Since Suricata receives a packet with the “Checksum missing/invalid” flag, it interprets this not as an optimization instruction, but as a critical error in the packet itself (Corrupted Packet).
3. The Resolution (CSUM=’off’)
By explicitly setting <guest csum='off'>, we force the Host/Vhost Driver to deliver the packets to the Guest as if they were ‘normal’ Ethernet frames that already contain all checksums. Suricata therefore only sees complete, consistent packets and can apply the DPI logic without error.
Sources / See Also
Suricata Documentation. Suricata 7 Changelog (Note new policy behavior). https://suricata.io/changelog/
Suricata Documentation. FAQ: Traffic gets blocked after upgrading to Suricata 7. https://suricata-update.readthedocs.io/en/latest/faq.html#my-traffic-gets-blocked-after-upgrading-to-suricata-7
Suricata Documentation. Working with AF-Packet. https://docs.suricata.io/en/latest/install/af-packet.html
In my last posts, I established a central syslog hub feeding Fail2ban and demonstrated Suricata as an intrusion prevention system (IPS). This final piece connects the two: feeding Suricata with the ban results from Fail2ban by creating a dynamic, external rule file.
This process is highly automated, but requires robust Bash scripting and careful handling of security context.
1. Fail2ban Action and Scripting Logic
The core idea is to replace Fail2ban’s default firewall action with a custom script that modifies a public rule file.
Custom Action Definition
The actionban and actionunban directives in /etc/fail2ban/action.d/firewall.conf point to simple Bash wrappers.
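In Fail2ban's action syntax this boils down to two lines; the script paths are my placement, while &lt;ip&gt; is Fail2ban's built-in tag for the offending address:

```ini
# /etc/fail2ban/action.d/firewall.conf (sketch)
[Definition]
actionban   = /usr/local/bin/ban.sh <ip>
actionunban = /usr/local/bin/unban.sh <ip>
```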
The ban script must: (1) validate the input, (2) generate a unique Signature ID (SID), (3) append the rule, and (4) atomically update the ruleset’s MD5 checksum for Suricata-Update to fetch the change.
#!/bin/bash
#
# ban.sh: Adds a banned IP to the Fail2ban Suricata ruleset.
IP="$1"
RULESFILE="/var/www/f2b/htdocs/fail2ban.rules"
MSG="BRUTE-FORCE detected by fail2ban"
# INPUT VALIDATION: Ensure the input is a valid IPv4/IPv6 address.
if ! [[ $IP =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ || $IP =~ ^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$ ]]; then
echo "ERROR: Invalid IP address received: $IP" >&2
exit 1
fi
# 1. Generate a unique SID (timestamp + line count)
TSTAMP=$(date +%s)
CNT=$(wc -l < "$RULESFILE")
# Generate a SID in a high range to avoid conflicts with commercial rules (e.g., 90000000+)
SID=$((CNT + TSTAMP + 90000000))
if ! grep -qF "$IP" "$RULESFILE"; then
    # Rule: Drop all traffic from the banned IP to any home-network port.
    # Using 'drop ip' is robust; adjust ports if required (e.g., $SSH_PORTS).
    RULE="drop ip $IP any -> \$HOME_NET any (msg:\"$MSG - $IP\"; sid:$SID; rev:1;)"
    echo "$RULE" >> "$RULESFILE"
    # Set correct permissions (critical step for web delivery)
    chown www-data:www-data "$RULESFILE"
    # 2. Atomically update the MD5 checksum file
    SUM=$(md5sum "$RULESFILE" | cut -d' ' -f1)
    echo "$SUM" > "$RULESFILE.md5"
fi
The Unban Script (unban.sh)
The unban script removes the line and performs the critical MD5 update.
#!/bin/bash
#
# unban.sh: Removes a banned IP from the Suricata ruleset.
IP="$1"
RULESFILE="/var/www/f2b/htdocs/fail2ban.rules"
if grep -qF "$IP" "$RULESFILE"; then
    # Escape the dots so sed matches the IP literally, then delete its line
    ESCAPED=$(printf '%s' "$IP" | sed 's/[.[\*^$]/\\&/g')
    sed -i "/$ESCAPED/d" "$RULESFILE"
    # Atomically update the MD5 checksum
    SUM=$(md5sum "$RULESFILE" | cut -d' ' -f1)
    echo "$SUM" > "$RULESFILE.md5"
fi
2. Integration and Verification
The final step is to make the ruleset publicly available (via HTTPS/SSL) and configure Suricata to fetch it.
Suricata-Update Configuration
The rule file (fail2ban.rules) must be made available via a web server (e.g., NGINX) with a specific URL (e.g., https://f2b.example.com/fail2ban.rules). I add this URL as a new source to Suricata-Update.
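Registering the source and pulling the rules is then (the source name is arbitrary):

```shell
suricata-update add-source fail2ban-drops https://f2b.example.com/fail2ban.rules
suricata-update                 # fetch and merge into the active ruleset
suricatasc -c "reload-rules"    # make Suricata pick up the new rules live
```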
Verification confirms that the new rules are loaded and actively dropping traffic. The log analysis command must be adapted to track these specific fail2ban drops.
# Awk command to filter and count dropped packets (Excerpt showing drop sources)
# awk '/Drop/{...}' fast.log | sort | uniq -c | sort -hr
6505 IP dropped due to fail2ban detection
638 ET DROP Dshield Block Listed Source
...
This ensures a comprehensive, self-healing Incident Response Chain.
Sources / See Also
Suricata Documentation. High-performance AF_PACKET IPS mode configuration and usage. https://docs.suricata.io/en/latest/install/af-packet.html
Suricata Documentation. Working with Suricata-Update (Ruleset Management). https://suricata-update.readthedocs.io/en/latest/update.html
Suricata Documentation. EVE JSON Output for Structured Logging. https://docs.suricata.io/en/latest/output/eve/eve-json-format.html
Google. gperftools (TCMalloc) documentation. https://github.com/google/gperftools
Emerging Threats (Proofpoint). Information on the Emerging Threats Open Ruleset. https://www.proofpoint.com/us/security-awareness/blog/emerging-threats
Elastic Stack (ELK) Documentation for Log Analysis. https://www.elastic.co/what-is/elk-stack
Linux Manpage: ethtool (Network Offload Configuration). https://man7.org/linux/man-pages/man8/ethtool.8.html
Suricata functions as a powerful engine for Network Intrusion Detection and Prevention (IDS/IPS). This guide demonstrates how to set up Suricata as a transparent Intrusion Prevention System (IPS) within a KVM environment by replacing the kernel bridge with the high-performance AF-Packet mechanism.
A very light-weight and efficient approach for consolidating logs centrally is by using rsyslog. My virtual machines all use rsyslog to forward their logs to a dedicated internal virtual machine, which acts as the central log hub. A fail2ban instance on this hub checks all incoming logs and sends a block command to an external firewall—a process helpful for automated security.
Improving your web security and performance starts with a solid foundation. I regularly use external online generators and verification tools to ensure my NGINX configuration meets the highest standards. This guide details my steps to achieve an A+ security rating and optimal performance settings.