MAC OS X, Linux, Windows and other IT Tips and Tricks

02 Jan 18 Install CERTBOT in Ubuntu-16-04-xenial and Debian Stretch

Intro: Here is a copy of the certbot site's instructions for installing certbot on Ubuntu 16.04 (xenial) and Debian Stretch.

Ubuntu 16.04 HOWTO:

Install
On Ubuntu systems the Certbot team maintains a PPA. Once you add it to your list of repositories, all you need to do is apt-get the following packages. Keep in mind that adding the PPA means apt will trust that PPA's signing key for every package it publishes.
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot

Advanced Get Started
Certbot supports a number of different “plugins” that can be used to obtain and/or install certificates.
Since certbot has no installer plugin for this setup (no automatic installation into the web server configuration), you have to use the certonly command to obtain your certificate:
$ sudo certbot certonly
This lets you interactively select the plugin and options used to obtain your certificate. If you already have a web server running, choose the “webroot” plugin.
Alternatively, you can specify more information on the command line.
To obtain a cert using the “webroot” plugin, which can work with the webroot directory of any web server software:
$ sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is
This command obtains a single cert for example.com, www.example.com, thing.is and m.thing.is; it places files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.
Note:
To use the webroot plugin, your server must be configured to serve files from hidden directories. If /.well-known is treated specially by your web server configuration (denied, rewritten or redirected), you may need to modify the configuration so that files inside /.well-known/acme-challenge are served over plain HTTP on port 80, because that is where Let's Encrypt fetches the challenge from.
To obtain a cert using the built-in “standalone” web server (you may need to temporarily stop your existing web server, if any, since standalone has to bind the port the challenge is served on) for example.com and www.example.com:
$ sudo certbot certonly --standalone -d example.com -d www.example.com
Automating renewal
The Certbot packages on your system come with a cron job that renews your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it is highly advisable to rely on this feature. Check that automatic renewal works, without requesting real certificates, by running:
$ sudo certbot renew --dry-run
The same command without --dry-run is what the cron job runs; it renews every certificate that is within 30 days of expiry and does nothing for the others:
$ sudo certbot renew

Debian Stretch (9.0) HOWTO:

Install
Since Certbot is packaged for your system, all you need to do is apt-get the following packages.
First enable the stretch-backports repository, if you have not already done so. Note that a plain "sudo echo ... >> /etc/apt/sources.list" does not work, because the redirection is performed by your unprivileged shell and not by sudo; pipe into tee instead:
$ echo "deb http://ftp.debian.org/debian stretch-backports main" | sudo tee -a /etc/apt/sources.list
$ sudo apt-get update
$ sudo apt-get install certbot -t stretch-backports

Advanced Get Started / Automating renewal: identical to the Ubuntu section above (certonly with the webroot or standalone plugin, then certbot renew).

02 Jan 18 Configuring ISPConfig 3.1 with Letsencrypt

Intro:
For a while now the wonderful idea of the Letsencrypt service has made lots of admins happy.
Here is how to use Letsencrypt certificates with ISPConfig 3.1 as well.

Ref: https://www.howtoforge.com/community/threads/ssl-how-to-for-ispconfig-3-with-letsencrypt.74738/

STEPS:
Point ISPConfig at the new SSL certificate with symbolic links.
(If you don't know how to create symbolic links this how-to is not for you)
/usr/local/ispconfig/interface/ssl/
ispserver.crt -> /etc/letsencrypt/live/mydomain.com/fullchain.pem
ispserver.key -> /etc/letsencrypt/live/mydomain.com/privkey.pem

Point Postfix at the new SSL certificate in /etc/postfix/main.cf.
(If you don't know how to add these entries this how-to is not for you)
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.com/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.com/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mydomain.com/fullchain.pem

Point Dovecot at the new SSL certificate in /etc/dovecot/dovecot.conf (on Debian the ssl settings live in /etc/dovecot/conf.d/10-ssl.conf).
(If you don't know how to add these entries this how-to is not for you)
ssl_cert = </etc/letsencrypt/live/mydomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem

# Restart/reload the services involved
sudo service postfix reload
sudo service dovecot reload
sudo service apache2 restart

Note: the files under /etc/letsencrypt/live/ are themselves symlinks that certbot repoints at every renewal, so the links and paths above keep working. The daemons, however, keep the old certificate in memory until they are reloaded, so the three commands above have to be repeated after every renewal (for example from a certbot deploy hook); otherwise clients will be shown an expired certificate once the 90 days are over.
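The certbot cron job from the post above renews the files under /etc/letsencrypt/live/, but none of the three daemons notices until it is reloaded. Here is an added example (not from the original page, and not ISPConfig or certbot code) of a certbot deploy hook that performs exactly the reloads above, only for the lineage the daemons use, and only after checking that the renewed private key belongs to the renewed certificate. It assumes certbot 0.17 or newer, which exports RENEWED_LINEAGE and RENEWED_DOMAINS and runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal; the lineage name mydomain.com from the steps above; and an installed openssl.

```shell
#!/bin/sh
# Added example: /etc/letsencrypt/renewal-hooks/deploy/reload-services.sh (chmod 755)
# certbot >= 0.17 (assumption) runs this after a renewal with RENEWED_LINEAGE
# (e.g. /etc/letsencrypt/live/mydomain.com) and RENEWED_DOMAINS exported.
set -eu

# The lineage that ISPConfig, Postfix and Dovecot are pointed at (from the how-to).
WATCHED_LINEAGE="/etc/letsencrypt/live/mydomain.com"

# services_for_lineage <lineage dir>: print the services to reload, one per line,
# or nothing when the renewed lineage is not the one the daemons use.
services_for_lineage() {
    case "${1%/}" in
        "$WATCHED_LINEAGE") printf '%s\n' postfix dovecot apache2 ;;
        *) ;;
    esac
}

# key_matches_cert <cert.pem> <privkey.pem>: succeed only when the public key in
# the certificate is the one derived from the private key. Both are compared as
# digests of the DER SubjectPublicKeyInfo, so RSA and EC keys are handled alike.
key_matches_cert() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# reload_services <lineage dir>: the same reloads as in the how-to, restart as fallback.
reload_services() {
    for svc in $(services_for_lineage "$1"); do
        service "$svc" reload || service "$svc" restart
    done
}

main() {
    lineage=$RENEWED_LINEAGE
    # Never push a broken key/cert pair into the daemons.
    if ! key_matches_cert "$lineage/cert.pem" "$lineage/privkey.pem"; then
        echo "deploy hook: key/cert mismatch in $lineage, not reloading" >&2
        exit 1
    fi
    reload_services "$lineage"
    logger -t certbot-deploy "reloaded services for ${RENEWED_DOMAINS:-?} ($lineage)"
}

# Only act when certbot invokes the hook; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

A renewal dry run (certbot renew --dry-run) executes pre and post hooks but not deploy hooks, so test this one by hand: RENEWED_LINEAGE=/etc/letsencrypt/live/mydomain.com RENEWED_DOMAINS=mydomain.com sh reload-services.sh, then check that mail and web clients are shown the fresh certificate.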

23 Dec 17 Rectify mailman URLs after a hostname change

Intro:
I had to change the server name of my mailman server. I changed it in /etc/mailman/mm_cfg.py as follows:
# Default domain for email addresses of newly created MLs
DEFAULT_EMAIL_HOST = 'mailman.myserver.com'
#-------------------------------------------------------------
# Default host for web interface of newly created MLs
DEFAULT_URL_HOST = 'mailman.myserver.com'

BUT! Some links in the mailman site were OK (new host name) and others were not (old host name).

SOLUTION:
To remedy this, every mailing list has to be modified internally so that its web URLs and email addresses reflect the new host name.
Ref: https://mail.python.org/pipermail/mailman-users/2006-February/049052.html
Simply run the following 2 commands:
cd /usr/lib/mailman/bin/
./withlist -l -a -r fix_url -- -v

This runs withlist and tells it to lock the lists (-l), process all lists (-a) and process each one by calling fix_url in the module fix_url.py with the list instance and -v as arguments; -v makes fix_url report what it is doing. The -- separates the -v option for fix_url from the withlist options, since there is no list name to do that in this case.

For lists whose URL differs from the site default, the referenced post suggests the following:
———————————–
If you have more than one virtual host, you have to process the lists
one at a time with

bin/withlist -l -r fix_url listname -u url_host

but you could wrap that in a shell script to run the command repeatedly
for all the listname/url_host pairs.
———————————–
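The shell wrapper the quoted post suggests, as an added example (not from the page or from Mailman): it reads "listname url_host" pairs from a file, rejects anything that is not a plain list name or host name before the values reach the withlist command line, and can print the commands instead of running them. The file format and the sample pairs are constructed for this example; /usr/lib/mailman/bin is the path used above.

```shell
#!/bin/sh
# Added example: run fix_url for every list that has its own url_host.
# Usage: fix-urls.sh pairs.txt        run withlist for each pair
#        fix-urls.sh pairs.txt dry    only print the commands
# pairs.txt (constructed format): one "listname url_host" per line;
# blank lines and lines starting with # are ignored.
set -eu

MAILMAN_BIN=/usr/lib/mailman/bin     # path used in the post above

# fix_url_cmd <listname> <url_host>: the exact withlist invocation for one pair.
fix_url_cmd() {
    printf '%s/withlist -l -r fix_url %s -u %s\n' "$MAILMAN_BIN" "$1" "$2"
}

# valid_pair <listname> <url_host>: only characters that can appear in a list
# name or host name, and no leading dash, so a bad line cannot smuggle options
# or shell syntax into the withlist call.
valid_pair() {
    case $1 in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case $2 in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    return 0
}

# fix_all <pairs-file> [dry]: run (or, with a second argument, print) the command
# for each valid pair; malformed lines are reported on stderr and skipped.
fix_all() {
    pairs=$1; dry=${2:-}
    while read -r list host _rest; do
        case $list in ''|\#*) continue ;; esac
        if ! valid_pair "$list" "$host"; then
            printf 'skipping malformed line: "%s %s"\n' "$list" "$host" >&2
            continue
        fi
        if [ -n "$dry" ]; then
            fix_url_cmd "$list" "$host"
        else
            # -l locks the list while fix_url rewrites its web_page_url and host_name
            "$MAILMAN_BIN/withlist" -l -r fix_url "$list" -u "$host"
        fi
    done < "$pairs"
}

if [ -n "${1:-}" ]; then
    fix_all "$1" "${2:-}"
fi
```

Run it first with the dry argument and compare the printed commands against the list of virtual hosts before letting it touch the lists.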

21 Dec 17 Blocking hosts blacklist and iptables

Intro:
I had some attacks coming from specific hosts and decided to block their access to the server. Here is how I did it, using a script that deletes and reloads a full iptables chain from a file containing a list of IPs/ranges.

STEPS:
Create a file called blacklist.txt with one IP/Range per line in the same directory as the script.
eg.
14.141.107.206
23.180.0.0/14
37.59.34.120
46.140.157.157
46.218.35.59
47.74.0.40
51.15.56.170
59.62.0.0/15
59.63.188.3
61.177.172.60

Script to run at boot time
#!/bin/bash
# Rebuild the BLACKLIST chain from blacklist.txt (same directory as this script).
# Run at boot, and again whenever the list changes.
scriptdir=$(dirname "$(readlink -f "$0")")
blacklist="$scriptdir/blacklist.txt"
# Load the blacklist, ignoring blank lines and comment lines
HOSTS="$(grep -Ev '^[[:space:]]*(#|$)' "$blacklist")"
# Unhook and delete the existing custom chain. The jump from INPUT has to go
# first: iptables refuses to delete (-X) a chain that is still referenced.
/sbin/iptables -t filter -D INPUT -j BLACKLIST 2>/dev/null
/sbin/iptables --flush BLACKLIST 2>/dev/null
/sbin/iptables -X BLACKLIST 2>/dev/null
# Create the BLACKLIST chain and jump to it from the top of INPUT
/sbin/iptables -N BLACKLIST
/sbin/iptables -t filter -I INPUT -j BLACKLIST
# Fill the BLACKLIST chain. No "-p tcp": a blocked host should be dropped for
# every protocol (UDP and ICMP included), not only for TCP.
for host in $HOSTS ; do
/sbin/iptables -A BLACKLIST -s "$host" -j DROP
done
# Return from BLACKLIST to the rest of INPUT for everybody else
/sbin/iptables -A BLACKLIST -j RETURN
#eof

Note: on the very first run the three teardown commands fail because the chain does not exist yet; their error output is silenced. With the teardown in the original order (-X before the INPUT jump was removed) iptables complained with "Too many links." and then "Chain already exists." on every run; it still did the job, because the flush succeeded and the jump was re-added, but the order above avoids the errors altogether.
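An added example (not from the original page) of a different way to load the same blacklist.txt: it validates each entry, builds an iptables-restore fragment and commits it in one transaction, so the BLACKLIST chain is never empty between flush and refill and one mistyped line does not abort the whole load. It handles IPv4 addresses and CIDR prefixes only (IPv6 would need ip6tables), accepts inline # comments, and assumes iptables 1.4.11 or newer for the -C check. The list used in the usage comment and in the checks is constructed.

```shell
#!/bin/sh
# Added example: rebuild the BLACKLIST chain atomically with iptables-restore.
# Usage: blacklist-load.sh /path/to/blacklist.txt
set -eu

# valid_entry <ip|ip/prefix>: IPv4 only; four octets in 0-255, prefix in 0-32,
# nothing else (so a stray shell metacharacter can never reach iptables).
valid_entry() {
    ip=${1%%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0; oldifs=$IFS; IFS=.
    for octet in $ip; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# build_ruleset <blacklist-file>: print an iptables-restore fragment. Blank lines
# and # comments are ignored; invalid entries are reported on stderr and skipped
# so that one typo does not leave the host without its blacklist.
build_ruleset() {
    printf '%s\n' '*filter' ':BLACKLIST - [0:0]'
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        if valid_entry "$entry"; then
            # no "-p tcp": drop every protocol coming from the blacklisted source
            printf '%s\n' "-A BLACKLIST -s $entry -j DROP"
        else
            printf 'blacklist: skipping invalid entry "%s"\n' "$entry" >&2
        fi
    done < "$1"
    printf '%s\n' '-A BLACKLIST -j RETURN' 'COMMIT'
}

# apply_ruleset <blacklist-file>: -n (--noflush) leaves every other chain alone;
# the ":BLACKLIST - [0:0]" line creates the chain or empties the existing one,
# and the whole fragment is committed to the kernel as a single update.
apply_ruleset() {
    build_ruleset "$1" | /sbin/iptables-restore -n
    # Hook the chain into INPUT exactly once (-C reports whether the jump exists).
    /sbin/iptables -C INPUT -j BLACKLIST 2>/dev/null || /sbin/iptables -I INPUT -j BLACKLIST
}

# With no argument only the functions are defined (handy for testing build_ruleset).
if [ -n "${1:-}" ]; then
    apply_ruleset "$1"
fi
```

Run build_ruleset alone to review what would be loaded; the fragment is plain text and can be diffed against the previous run before apply_ruleset commits it.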

21 Dec 17 Blocking reception of full TLDs

Intro:
Lately I was receiving a lot of spam from sources in the ‘.date’ TLD and wanted to block all these emails using Postfix.
Here is a solution found at: https://serverfault.com/questions/728641/blacklisting-tld-in-postfix/728658

Steps:
Install the Postfix PCRE dictionary
apt-get install postfix-pcre
Configure Postfix to check the envelope sender (MAIL FROM) against the table
postconf -e 'smtpd_sender_restrictions = check_sender_access pcre:/etc/postfix/rejected_domains'
(The original second line, "postconf -e reject_unauth_destinations=pcre:...", sets a parameter that Postfix does not have: reject_unauth_destination is a restriction, not a parameter, and it belongs in smtpd_relay_restrictions or smtpd_recipient_restrictions, where it normally already is. Leave that line out.)

Create the new file /etc/postfix/rejected_domains with the following content (pcre tables are read directly, no postmap build step is needed, and patterns are case-insensitive by default):
/\.date$/ REJECT All .date domains are blocked
The pattern is matched against the whole sender address, so the escaped dot and the trailing $ are what keep it from matching addresses such as user@update.example.com; the same table can hold one line per unwanted TLD. Before reloading, query the table with postmap's -q option for a sample address from a .date domain and for a legitimate one, then reload Postfix:
service postfix reload

11 Dec 17 OpenDKIM doesn’t start after Upgrade from Jessie to Stretch

Introduction:
After a dist-upgrade from Jessie to Stretch, OpenDKIM did not start any more.
After some research I found the answer that worked for me on this site:
https://serverfault.com/questions/847435/cant-change-opendkim-socket-in-debian-stretch-in-etc-default-opendkim

INFO:
I use an ‘inet’ socket on port 12345 for the communication between Postfix and OpenDKIM. In Stretch the systemd unit no longer reads the SOCKET line from /etc/default/opendkim by itself; the setting only takes effect once opendkim.service.generate has turned it into a systemd override, which is what the fix below does.
e.g. my OpenDKIM milter settings in Postfix's main.cf:
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345

Solution found on the above site: regenerate the systemd override from /etc/default/opendkim, reload systemd and restart the milter:
/lib/opendkim/opendkim.service.generate
systemctl daemon-reload
service opendkim restart

Note: the same site has other solutions for setups that use a different kind of socket (e.g. a local Unix socket inside the Postfix chroot) for the communication between Postfix and OpenDKIM.

Solution: Regenerate the proper

29 Nov 17 Verifying PHP syntax.

After an upgrade from PHP 5.6 to 7.0/7.1 many PHP scripts gave me trouble, so I looked for a way to check the PHP syntax before errors show up once the sites are live. I found this one, which is quite helpful; it lints every .php file below the current directory and prints only the files that fail, because php -l reports "No syntax errors detected" for good files:
find . -name '*.php' -exec php -l {} \; 2>&1 | grep -v 'No syntax errors detected'
Caveat: php -l only catches parse errors. Calls to functions removed in PHP 7 (the mysql_* extension, ereg, split) parse fine and only fail at run time, so a clean lint pass is no substitute for exercising the sites.

20 Nov 17 Some Zabbix tools

Introduction:
In order to debug some Zabbix problems here are some tools I gathered to help.

Requirements:
Installation of the package zabbix-get in the monitoring server
apt-get install zabbix-get
Installation of the package zabbix-agent in the monitored hosts.
apt-get install zabbix-agent

TIP: To write scripts (in bash, for example) that monitor anything on remote hosts programmatically:
– Install the package zabbix-agent on the watched hosts
– Configure /etc/zabbix/zabbix_agentd.conf to accept requests from the monitoring host only (directive ‘Server=myscripts.server.com’; the agent answers passive checks solely to the addresses listed there)
– Restart the zabbix agent (service zabbix-agent restart)
– Open their firewall on port 10050 (the agent's listening port) for the monitoring host
– Install the package zabbix-get on the monitoring host (apt-get install zabbix-get)
– Use the same commands below inside your scripts to get the required information from the monitored hosts (quote the item keys in scripts, so the shell does not treat the [...] part as a glob).

The following commands are run on the Zabbix server; the monitored host is e.g. ‘example1.myzabbix.com’.

Commands:

Verify the availability of the zabbix agent on the monitored host (returns 1):
zabbix_get -s example1.myzabbix.com -k agent.ping
Show the number of running processes on the monitored host:
zabbix_get -s example1.myzabbix.com -k proc.num[,,,]
Show the number of running processes whose command line contains ‘apache2’:
zabbix_get -s example1.myzabbix.com -k proc.num[,,,apache2]
Show the free disk space (in bytes) of the file system mounted on ‘/’:
zabbix_get -s example1.myzabbix.com -k vfs.fs.size[/,free]
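The monitoring script the TIP above talks about, as an added example (not from the page and not Zabbix code): it polls each host given on the command line with the three items above and reports whether the agent answers, whether at least one apache2 process is running and whether / still has 1 GiB free. The thresholds, the host names and the split into a small zget wrapper (so the threshold logic can be checked without a running agent) are assumptions of this example.

```shell
#!/bin/sh
# Added example: poll hosts with zabbix_get and report threshold violations.
# Usage: zbxcheck.sh example1.myzabbix.com example2.myzabbix.com
set -eu

MIN_APACHE=1                 # at least this many apache2 processes (assumed)
MIN_FREE_ROOT=1073741824     # at least 1 GiB free on / (assumed)

# zget <host> <key>: one passive check; prints the value, nothing on failure.
# The caller quotes the key so the shell never globs the [..] part.
zget() {
    zabbix_get -s "$1" -p 10050 -k "$2" 2>/dev/null || true
}

# evaluate <ping> <apache_count> <free_bytes>: pure threshold logic, no network.
# Prints "OK" or a comma-separated list of problems; returns 1 when there are any.
evaluate() {
    ping=$1 procs=$2 free=$3 problems=''
    if [ "$ping" != "1" ]; then
        printf '%s\n' 'agent unreachable'
        return 1
    fi
    case $procs in
        ''|*[!0-9]*) problems='apache2 count unknown' ;;
        *) [ "$procs" -ge "$MIN_APACHE" ] || problems="apache2 down ($procs running)" ;;
    esac
    case $free in
        ''|*[!0-9]*) problems="${problems:+$problems, }free space unknown" ;;
        *) [ "$free" -ge "$MIN_FREE_ROOT" ] || problems="${problems:+$problems, }/ low ($free bytes free)" ;;
    esac
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    printf 'OK\n'
}

# check_host <host>: fetch the three items used above and print one report line.
check_host() {
    status=$(evaluate "$(zget "$1" agent.ping)" \
                      "$(zget "$1" 'proc.num[,,,apache2]')" \
                      "$(zget "$1" 'vfs.fs.size[/,free]')") || true
    printf '%s: %s\n' "$1" "$status"
}

# Hosts come from the command line; with no arguments only the functions are defined.
# Only problem lines are printed, so cron mails the report only when something is wrong.
for host in ${1+"$@"}; do
    check_host "$host" | grep -v ': OK$' || true
done
```

A host that is unreachable is reported as such rather than as "0 apache2 processes", which keeps a firewall or agent problem distinguishable from a real service outage.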

09 Nov 17 piwik: Could not open input file: ./console

Introduction:
In order to attribute the visits your website received before you enabled GeoIP in Piwik to a location, you need to run a command.
The reference to this command is at: https://piwik.org/faq/how-to/faq_167/

Problem:
Unfortunately, after logging in as root on the server, this command gave me the following error:
Could not open input file: ./console
After some research and with my own Linux experience, here is a (the?) solution:
Ref: https://stackoverflow.com/questions/10637230/could-not-open-input-file-app-console

Solution:
# Make a www-data login possible temporarily
usermod -s /bin/bash www-data
# Login as www-data
sudo su - www-data
# Change to the htdocs directory of the installed Piwik (the relative ./console path only resolves from there)
cd /var/www/piwik.myserver.com/
# Run the command
php ./console usercountry:attribute 2012-01-01,2013-01-01
Result:
Re-attribution for date range: 2012-01-01 to 2013-01-01. 0 visits to process with provider "ip2location".
Completed. Time elapsed: 0.819s

# Get out of the www-data login and back to root
exit
# Prevent logins as www-data again (as it was originally)
usermod -s /usr/sbin/nologin www-data
Important Note:
In the command given you need to give the exact date range (eg. 2012-01-01,2017-11-01) that should be re-evaluated in your Piwik reports.
The error message itself only means that ./console is not in the current directory; running the command as www-data is still the right thing to do, because it avoids leaving root-owned files in Piwik's tmp/ directory. The login-shell change is only needed for su: sudo with its -u option executes a single command as www-data without touching that account's shell, which avoids opening (and having to remember to close) an interactive login for the web server user.

08 Sep 17 Prepare Debian Stretch for Installing GlusterFS 3.12

In order to install this version of GlusterFS we need to add the project's repository and its signing key:
Ref: https://download.gluster.org/pub/gluster/glusterfs/LATEST/Debian/
echo 'deb [arch=amd64] https://download.gluster.org/pub/gluster/glusterfs/3.12/LATEST/Debian/stretch/apt stretch main' > /etc/apt/sources.list.d/gluster.list
wget -O - https://download.gluster.org/pub/gluster/glusterfs/3.12/rsa.pub | apt-key add -
apt-get update
apt-get install glusterfs-server xfsprogs
Fetch the key over HTTPS (the original used plain http): apt-key add makes that key trusted for every repository on the system, so a key swapped in transit would let an attacker sign packages for all of them, not just for Gluster.

Format the dedicated partition for the GlusterFS-synchronised data (the brick), e.g. /dev/xvda3. Note that -f overwrites any existing file system on the device, and -i size=512 is the inode size the Gluster docs recommend for bricks:
mkfs.xfs -f -i size=512 /dev/xvda3
Example of result:
meta-data=/dev/xvda3             isize=512    agcount=4, agsize=655360 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=1, sparse=0, rmapbt=0, reflink=0
data     =                       bsize=4096   blocks=2621440, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0

Regarding the configuration steps see:
https://wp.me/pKZRY-Kk
OR better:
https://gluster.readthedocs.io/en/latest/Install-Guide/Configure/