MAC OS X, Linux, Windows and other IT Tips and Tricks

03 Apr 18 Installing the missing mcrypt module for PHP 7.2

Introduction:
Because the mcrypt extension for PHP has not been maintained for about ten years, the PHP team removed it from the core distribution as of PHP 7.2 (it lives on only as a PECL package).
For PHP applications that still need this module, here are the instructions to compile and install it for PHP 7.2. Treat this as a stop-gap: libmcrypt itself is unmaintained, and such applications should be migrated to the OpenSSL or Sodium extensions.
Reference:
https://lukasmestan.com/install-mcrypt-extension-in-php7-2/

STEPS:
We need to install the build tools required for PECL mcrypt 1.0.1 and then build the extension.

Install the mcrypt extension:
sudo apt-get -y install gcc make autoconf libc-dev pkg-config
sudo apt-get -y install libmcrypt-dev
sudo pecl install mcrypt-1.0.1

When you are shown the prompt
libmcrypt prefix? [autodetect] :
Press [Enter] to autodetect.

After mcrypt has been installed successfully through PECL, you have to register the mcrypt.so extension in php.ini.
The output of the pecl command will look like this:

Build process completed successfully
Installing '/usr/lib/php/20170718/mcrypt.so'   ----> this is the path to the mcrypt extension library
install ok: channel://pecl.php.net/mcrypt-1.0.1
configuration option "php_ini" is not set to php.ini location
You should add "extension=mcrypt.so" to php.ini

Take the installation path from that output and register the extension for both the CLI and the Apache2 PHP configuration (a drop-in file in conf.d is preferable to editing php.ini directly):
sudo bash -c "echo extension=/usr/lib/php/20170718/mcrypt.so > /etc/php/7.2/cli/conf.d/mcrypt.ini"
sudo bash -c "echo extension=/usr/lib/php/20170718/mcrypt.so > /etc/php/7.2/apache2/conf.d/mcrypt.ini"

Verify that the extension was installed by running:
php -i | grep "mcrypt"
The output will look like this:

/etc/php/7.2/cli/conf.d/mcrypt.ini
Registered Stream Filters => zlib.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, convert.iconv.*, mcrypt.*, mdecrypt.*
mcrypt
mcrypt support => enabled
mcrypt_filter support => enabled
mcrypt.algorithms_dir => no value => no value
mcrypt.modes_dir => no value => no value

02 Jan 18 Install CERTBOT in Ubuntu-16-04-xenial and Debian Stretch

Intro: Here is a 1-to-1 copy of the article on how to install certbot on Ubuntu 16.04 and Debian Stretch.

Ubuntu 16.04 HOWTO:

Install
On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you’ll need to do is apt-get the following packages.
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot

Advanced Get Started
Certbot supports a number of different “plugins” that can be used to obtain and/or install certificates.
Since your server architecture doesn’t yet support automatic installation you’ll have to use the certonly command to obtain your certificate.
$ sudo certbot certonly
This will allow you to interactively select the plugin and options used to obtain your certificate. If you already have a webserver running, we recommend choosing the “webroot” plugin.
Alternatively, you can specify more information on the command line.
To obtain a cert using the “webroot” plugin, which can work with the webroot directory of any webserver software:
$ sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is
This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.
Note:
To use the webroot plugin, your server must be configured to serve files from hidden directories. If /.well-known is treated specially by your webserver configuration, you might need to modify the configuration to ensure that files inside /.well-known/acme-challenge are served by the webserver.
To obtain a cert using a built-in “standalone” webserver (you may need to temporarily stop your existing webserver, if any) for example.com and www.example.com:
$ sudo certbot certonly --standalone -d example.com -d www.example.com
Automating renewal
The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let’s Encrypt certificates last for 90 days, it’s highly advisable to take advantage of this feature. You can do automatic renewal for your certificates by running this command:
$ sudo certbot renew

Debian Stretch(9.0) HOWTO:

Install
Since Certbot is packaged for your system, all you’ll need to do is apt-get the following packages.
First you’ll have to enable the Stretch backports repository, if you have not already done so.
For this run (the redirection has to happen as root, which "sudo echo ... >>" does not achieve because the shell opens the file as the unprivileged user; piping through tee -a does):
$ echo "deb http://ftp.debian.org/debian stretch-backports main" | sudo tee -a /etc/apt/sources.list
$ sudo apt-get update
$ sudo apt-get install certbot -t stretch-backports

Advanced Get Started / Automating renewal
The certonly, webroot and standalone examples and the renew command are identical to those in the Ubuntu 16.04 section above and are not repeated here.

02 Jan 18 Configuring Letsencrypt in ISPConfig 3.1

Intro:
For a while now the wonderful idea of the Let's Encrypt service has made lots of admins happy.
Here is how we can also use Let's Encrypt with ISPConfig 3.1.

Ref: https://www.howtoforge.com/community/threads/ssl-how-to-for-ispconfig-3-with-letsencrypt.74738/

STEPS:
Point ISPConfig at the new SSL certificate with symbolic links.
(If you don’t know how to use symbolic links this how-to is not for you)
/usr/local/ispconfig/interface/ssl/
ispserver.crt -> /etc/letsencrypt/live/mydomain.com/fullchain.pem
ispserver.key -> /etc/letsencrypt/live/mydomain.com/privkey.pem

Define Postfix to use the new SSL certificate in /etc/postfix/main.cf.
(If you don’t know how to add these entries this how-to is not for you)
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.com/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.com/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mydomain.com/fullchain.pem

Define Dovecot to use the new SSL certificate in /etc/dovecot/dovecot.conf.
(If you don’t know how to add these entries this how-to is not for you)
ssl_cert = </etc/letsencrypt/live/mydomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem

# Restart/reload the services involved
sudo service postfix reload
sudo service dovecot reload
sudo service apache2 restart

29 Nov 17 Verifying PHP syntax.

After an upgrade from PHP 5.6 to 7.0/7.1 many PHP scripts gave me trouble. So I looked for a way to test the PHP syntax before errors showed up later once the sites were live. I found this one, which is quite helpful:
find . -name "*.php" -exec php -l {} \; 1>/dev/null
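A more robust variant of that one-liner, added here as an example and not part of the original post: it handles file names containing spaces, prints php -l's own message only for the files that fail (the "No syntax errors detected" noise is dropped), and returns a non-zero status so the check can gate a deployment. PHP_BIN is an assumed, optional environment variable for selecting a specific interpreter such as php7.1; by default plain php is used.

```shell
#!/bin/sh
# lint_php_tree DIR
# Runs `php -l` on every *.php file below DIR. Good files print nothing;
# for a failing file php's own "Parse error" output is shown. The function
# returns non-zero if any file failed, so it can be used as a deploy gate.
# PHP_BIN (assumed, optional) selects the interpreter, e.g. PHP_BIN=php7.1.
lint_php_tree() {
    dir=${1:-.}
    php_bin=${PHP_BIN:-php}
    # -exec ... {} + passes the files as arguments, so names with spaces or
    # other odd characters are safe; find itself returns non-zero when any
    # batch run by the inner shell returned non-zero.
    find "$dir" -type f -name '*.php' -exec sh -c '
        php_bin=$1
        shift
        rc=0
        for f in "$@"; do
            # Capture both streams: php -l reports on stdout or stderr
            # depending on the display_errors / log_errors settings.
            if ! out=$("$php_bin" -l "$f" 2>&1); then
                printf "%s\n" "$out"
                rc=1
            fi
        done
        exit $rc
    ' sh "$php_bin" {} +
}
```

Run it as `lint_php_tree /var/www/mysite` before switching a site to the new PHP version; a zero exit status means every file parsed.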

09 Nov 17 piwik: Could not open input file: ./console

Introduction:
To know the locations of the visits your website received before you started using Piwik with GeoIP, you need to run a console command.
This command is documented at: https://piwik.org/faq/how-to/faq_167/

Problem:
Unfortunately, after logging in as root on the server, this command gave me the following error:
Could not open input file: ./console
After doing research and using my own Linux experience here is a(the?) solution:
Ref: https://stackoverflow.com/questions/10637230/could-not-open-input-file-app-console

Solution:
# Temporarily give the www-data user a login shell
usermod -s /bin/bash www-data
# Log in as www-data
sudo su - www-data
# Change to the htdocs directory of the installed Piwik
cd /var/www/piwik.myserver.com/
# Run the command
php ./console usercountry:attribute 2012-01-01,2013-01-01
Result:
Re-attribution for date range: 2012-01-01 to 2013-01-01. 0 visits to process with provider "ip2location".
Completed. Time elapsed: 0.819s

# Leave the www-data login and return to root
exit
# Disable login for www-data again (as it was originally)
usermod -s /usr/sbin/nologin www-data
Important Notes:
In the command above you need to give the exact date range (e.g. 2012-01-01,2017-11-01) that has to be re-evaluated in your Piwik reports.
The shell change for www-data can be avoided altogether: running the console command as www-data through sudo with its -u option (or through su with -s to name a shell explicitly) leaves the account's nologin shell untouched, which is the safer habit on a server.

16 May 17 Hardening the SSL security in Apache, Dovecot and Postfix

Introduction:

After getting a report from OpenVAS that the SSL security level of my mail server was medium, I looked for ways to improve it.
I found very good sites which helped me make these improvements:
https://weakdh.org/sysadmin.html
https://wiki.dovecot.org/SSL/DovecotConfiguration
https://bettercrypto.org/static/applied-crypto-hardening.pdf
Based on these sites, and extending them to cover the Dovecot mail service, here is the result:

Hardening Apache:

In /etc/apache2/mods-available/ssl.conf
Change the following parameters as follows (and check that the SSLProtocol directive in the same file excludes SSLv2 and SSLv3 as well; a cipher list alone does not disable old protocol versions):
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DH+3DES:!RSA+3DES
SSLHonorCipherOrder on

Hardening Dovecot:

Note: OpenSSL >= 1.0.0 and Dovecot >= 2.1.x are required; Dovecot >= 2.2.x is better because of its ECDHE support. Dovecot tries to use PFS by default, so besides enabling SSL almost no action is required. To see the negotiated cipher in the logs, grep the Dovecot configs for login_log_format_elements and add %k to it,
e.g.:
login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
Configure the allowed ciphers. Server-side enforcement of the cipher preference works only for Dovecot >= 2.2.6.
In /etc/dovecot/conf.d/ssl.conf
Change some parameters as follows:
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
#only for dovecot >=2.2.6, enforce the server cipher preference
ssl_prefer_server_ciphers = yes
#disable SSLv2 and SSLv3
ssl_protocols = !SSLv2 !SSLv3

Add the following parameter (Dovecot 2.2 syntax; Dovecot 2.3 replaced it with ssl_dh pointing to a DH parameter file):
ssl_dh_parameters_length = 2048
Delete the file /var/lib/dovecot/ssl-parameters.dat
and restart the Dovecot service:
service dovecot restart
Dovecot, seeing that the Diffie-Hellman parameters are configured to be 2048 bits long and that its parameter file has just been deleted, regenerates a new one in the background.

Hardening Postfix

In /etc/postfix/main.cf
Change or add the following configuration parameters (smtpd_tls_mandatory_protocols only governs connections on which TLS is mandatory, e.g. the submission port; opportunistic TLS on port 25 is governed by the separate smtpd_tls_protocols parameter, which deserves the same exclusions):
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_dh1024_param_file=/etc/ssl/dh2048.pem

Generate a new Diffie-Hellman parameter file as follows (the parameter name smtpd_tls_dh1024_param_file is historical; Postfix accepts, and recommends, a 2048-bit group there):
openssl dhparam -out /etc/ssl/dh2048.pem 2048
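To check that a cipher string like the Apache, Dovecot or Postfix lists above really leaves nothing weak behind, the following function (an added example, not from the original post or the referenced guides) expands a string with openssl ciphers -v, the same way the server's TLS library does, and flags suites without forward secrecy (static RSA key exchange) as well as RC4, DES/3DES, MD5, NULL and export-grade entries. It needs only the openssl binary; which suites are listed depends on the installed OpenSSL version and its security level, so a suite your OpenSSL no longer ships simply does not appear.

```shell
#!/bin/sh
# audit_cipherlist 'CIPHER:STRING'
# Expands an OpenSSL cipher string the same way Apache, Dovecot and Postfix
# will and lists every suite that hardening guides reject:
#   Kx=RSA                     -> static RSA key exchange, no forward secrecy
#   Enc=RC4 / DES / 3DES       -> broken or deprecated ciphers
#   Enc=None, Au=None, Mac=MD5 -> NULL encryption/authentication, MD5 MAC
#   EXP*                       -> export-grade suites
# Returns 0 if nothing weak survives, 1 if weak suites are still enabled,
# 2 if the string does not expand at all (typo, or no matching ciphers).
audit_cipherlist() {
    list=$1
    expanded=$(openssl ciphers -v "$list" 2>/dev/null) || return 2
    [ -n "$expanded" ] || return 2
    # Column layout of `openssl ciphers -v`:
    # NAME  PROTO  Kx=...  Au=...  Enc=...  Mac=...
    weak=$(printf '%s\n' "$expanded" | awk '
        /Kx=RSA / || /Enc=RC4/ || /Enc=3?DES/ || /Enc=None/ ||
        /Au=None/ || /Mac=MD5/ || /^EXP/ { print $1 }')
    if [ -n "$weak" ]; then
        printf 'weak or non-PFS suites still enabled:\n%s\n' "$weak"
        return 1
    fi
    printf 'ok: %s suites, all PFS and no weak algorithms\n' \
        "$(printf '%s\n' "$expanded" | wc -l | tr -d ' ')"
    return 0
}
```

Paste the value of SSLCipherSuite, ssl_cipher_list or tls_high_cipherlist as the argument. The Apache list above, for instance, still admits the plain AES128-SHA/AES256-SHA family (RSA key exchange, no forward secrecy) for old clients, and this check makes that trade-off visible instead of leaving it buried in a long string.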

19 Jan 17 Installing TeamPass in Debian Jessie

Introduction:
TeamPass is a very good web application which can store passwords securely for a single person or for teams. Here are the steps I used to install it on Debian Jessie. These instructions can also be used with no or minimal changes to install TeamPass on other Debian or Ubuntu systems.
These instructions are partly based on this site:
http://teampass.net/2013-12-31-installation-on-linux-server
and these:
http://bourntech.com/blog/install-teampass-on-ubuntu-14-6lts/
https://github.com/nilsteampassnet/TeamPass/

Steps:
Create the user that will own the TeamPass htdocs and run the Apache (FastCGI) processes that handle TeamPass requests:
useradd -d /opt/teampass/ -s /bin/false passwords
Prepare the teampass home directories
mkdir -p /var/www/teampass/fcgi/tmp
mkdir /var/www/teampass/logs
mkdir /var/www/teampass/auth
cd /var/www/teampass/
#Get the current master branch of the software (for a pinned version, fetch a tagged release archive instead). Do not disable certificate verification here: a download over an unverified TLS connection can be swapped for a backdoored copy.
wget https://github.com/nilsteampassnet/TeamPass/archive/master.zip
unzip master.zip

Install the required packages:
apt-get install php5-mcrypt php5-mysqlnd php5-gd openssl apache2-suexec-custom apache2-mpm-prefork libapache2-mod-fcgid libapache2-mod-php5 php5-cgi mariadb-server
To let Apache modify files inside the TeamPass htdocs as that dedicated user rather than as www-data, we use the FCGI and suexec modules:
a2enmod fcgid
a2enmod suexec
a2enmod ssl

Create the fcgi_wrapper script:
touch /var/www/teampass/fcgi/php-fcgi-starter
mcedit /var/www/teampass/fcgi/php-fcgi-starter

Content:
#!/bin/sh
export PHPRC=/var/www/teampass/fcgi/
export PHP_FCGI_CHILDREN=2
export PHP_FCGI_MAX_REQUESTS=500
exec /usr/bin/php5-cgi

Make it executable for the owner and group but not for others:
chmod 750 /var/www/teampass/fcgi/php-fcgi-starter
Copy the php.ini from the system to /var/www/teampass/fcgi/:
cp /etc/php5/apache2/php.ini /var/www/teampass/fcgi/
Adapt the php.ini to the site:
mcedit /var/www/teampass/fcgi/php.ini
Add the following 2 lines at the end:
upload_tmp_dir = /var/www/teampass/fcgi/tmp
session.save_path = /var/www/teampass/fcgi/tmp

And look for the configuration: max_execution_time and change its value from 30 to 60. Eg.
max_execution_time = 60
Create the Apache2 configuration:
Content of the config file /etc/apache2/sites-available/teampass.mydomain.com.conf. Note the Apache 2.4 semantics: several Require lines in one section are combined with OR (an implicit <RequireAny>), so the IP restriction and the Basic authentication have to be wrapped in <RequireAll> to make both mandatory; the 2.2-era "Satisfy all" does not achieve that with Require.
# ============ https://teampass.mydomain.com ==================
<VirtualHost *:443>
ServerName teampass.mydomain.com
DocumentRoot /var/www/teampass/TeamPass-master
SuexecUserGroup passwords passwords
<Directory /var/www/teampass/TeamPass-master>
Options -Indexes +FollowSymLinks +ExecCGI
FCGIWrapper /var/www/teampass/fcgi/php-fcgi-starter .php
AddHandler fcgid-script .php
DirectoryIndex index.php
AuthType Basic
AuthName "Private area"
AuthUserFile /var/www/teampass/auth/web.auth
# Both conditions must hold: client in 192.168.0.0/16 AND a valid Basic-auth user
<RequireAll>
Require ip 192.168.0.0/16
Require valid-user
</RequireAll>
</Directory>
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/teampass.mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/teampass.mydomain.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/teampass.mydomain.com/chain.pem
ErrorLog /var/www/teampass/logs/error_log
CustomLog /var/www/teampass/logs/access_log combined
</VirtualHost>

Create the first-layer (Basic) authentication credentials for the first user:
htpasswd -c /var/www/teampass/auth/web.auth username
Give ownership of the whole directory to the ‘passwords’ user:
chown -R passwords: /var/www/teampass/
NOTE: Before you restart your Apache2 service, make sure the certificate has been issued and installed in the directory /etc/letsencrypt/live/teampass.mydomain.com/
You can use the instructions at this link to install the Let's Encrypt software:
https://tipstricks.itmatrix.eu/?s=letsencrypt&x=0&y=0

Enable Apache’s new configuration:
a2ensite teampass.mydomain.com
Restart Apache to activate its new configuration:
service apache2 restart
Prepare the suexec permission files:
echo "/var/www/teampass" >> /etc/apache2/suexec/www-data
echo "/var/www/teampass" > /etc/apache2/suexec/passwords
echo "TeamPass-master" >> /etc/apache2/suexec/passwords

IMPORTANT: The CGI script called by suexec must reside under the server's DocumentRoot (/var/www/ by default), not the VirtualHost's DocumentRoot, for suexec to be allowed to run it. That is why the site was installed under /var/www/teampass. A symlink is allowed here.

Preparing the MySQL database:

Create the new Database in MySQL:
Follow these instructions:
1) Connect to mysql as root:
mysql -p -u root
PW: ******

2) Create the DB, the user and the user's access rights (replace 'password' with a strong, unique password; the grant is deliberately limited to the pwdb database):
CREATE DATABASE pwdb CHARACTER SET utf8 COLLATE utf8_bin;
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,INDEX on pwdb.* TO 'pwuser'@'localhost' IDENTIFIED BY 'password';
flush privileges;

Quit Mysql:
quit;
3) Tip: To confirm that the permissions were granted successfully, log into the DB server as the pwdb DB user (pwuser) and run the command below:
SHOW GRANTS FOR 'pwuser'@'localhost';
4) Quit Mysql:
quit;
Installing TeamPass via the web interface:
In the browser:
https://teampass.mydomain.com/install/install.php
Fill-in the appropriate, paths, MySQL credentials and extra settings and save this configuration.
You are then ready to use TeamPass

20 Dec 16 Upgrading Apache2 from Debian Wheezy to Jessie

Introduction:
As I tried to do a full distribution upgrade from Wheezy to Jessie, the upgrade of Apache2 didn’t go well at all: dpkg kept coming up with dependency errors and post-install script errors. Unfortunately I don’t have a sample of these errors here. Since I had to dist-upgrade over 30 servers of the same nature, I decided to find a solution, and here is what I found:

STEPS:
Remove the packages(but not the configurations) that will create problems during the dist-upgrade.
apt-get remove apache2 apache2-mpm-prefork apache2-suexec apache2-utils apache2.2-bin apache2.2-common libapache-mod-security libapache2-mod-fcgid libapache2-mod-php5 libapache2-modsecurity
Add the following default repositories of Jessie in /etc/apt/sources.list
# Debian Jessie
deb http://security.debian.org/ jessie/updates main
deb-src http://security.debian.org/ jessie/updates main
deb http://ftp.at.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.at.debian.org/debian/ jessie main contrib non-free

apt-get update && apt-get dist-upgrade
apt-get install apache2 apache2-bin apache2-data apache2-mpm-worker apache2-suexec apache2-suexec-pristine apache2-utils libapache2-mod-fcgid libapache2-mod-security2

NOTE: During this upgrade the version of Apache goes from 2.2 to 2.4. Some directives of version 2.2 are no longer valid for version 2.4: the old access-control directives only keep working through the mod_access_compat module and must not be mixed with the new Require directives in the same section. For example:
Deprecated:
Order deny,allow
Should change:
Allow from All >> Require all granted
Deny from All >> Require all denied

etc.
See the Apache upgrade guide for more information on upgrading Apache 2.2 to 2.4:
https://httpd.apache.org/docs/2.4/upgrading.html
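Before running the dist-upgrade it helps to know how many virtual hosts and .htaccess files still carry 2.2-style access control. The following function is an added example, not part of the original post: it scans a configuration tree for Order, Allow from, Deny from and Satisfy directives (ignoring commented-out lines and the unrelated AllowOverride), prints each hit as file:line:text and returns 1 if anything was found. The default directory /etc/apache2 is the Debian layout; pass another path to scan a web root for .htaccess files.

```shell
#!/bin/sh
# find_apache22_access_directives [CONFDIR]
# Reports every Apache 2.2 access-control directive (Order, Allow from,
# Deny from, Satisfy) in *.conf and .htaccess files below CONFDIR
# (default /etc/apache2). On 2.4 these only work through mod_access_compat
# and must not be mixed with Require in the same section, so they should be
# converted before the dist-upgrade. Prints file:line:text for each hit and
# returns 1 if anything was found, 0 if the tree is clean.
find_apache22_access_directives() {
    confdir=${1:-/etc/apache2}
    # Anchor at line start (after optional indent) so commented-out
    # directives are not reported; AllowOverride is not matched because
    # "Allow" must be followed by whitespace and "from". Directives are
    # case-insensitive in Apache, hence grep -i.
    hits=$(find "$confdir" -type f \( -name '*.conf' -o -name '.htaccess' \) -exec \
        grep -HnEi '^[[:space:]]*(Order|Allow[[:space:]]+from|Deny[[:space:]]+from|Satisfy)[[:space:]]' {} + 2>/dev/null) || true
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}
```

A clean run before the upgrade means the configurations already use Require and will not depend on mod_access_compat afterwards.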

24 Oct 16 Upgrading php from 5.4 to 5.6 in Debian Wheezy

In order to upgrade PHP from 5.4 to 5.6 we need to use the DOTDEB repositories by which many other packages will also be upgraded. Here are the steps.
References:
https://www.dotdeb.org/instructions/

STEPS:
Edit the file /etc/apt/sources.list and add the following lines:
deb http://packages.dotdeb.org wheezy all
deb-src http://packages.dotdeb.org wheezy all
deb http://packages.dotdeb.org wheezy-php56-zts all
deb-src http://packages.dotdeb.org wheezy-php56-zts all

Then run the following commands:
Note: Because of a bug in these packages' post-install scripts I added some extra commands that take care of it:
mkdir -p /etc/apache2/conf-available/
touch /etc/apache2/conf-available/php5-cgi.conf
gpg --keyserver pgpkeys.mit.edu --recv-key E9C74FEEA2098A6E
gpg -a --export E9C74FEEA2098A6E | apt-key add -
apt-get update
apt-get upgrade
apt-get install php5

26 Apr 16 Activating SPDY in Apache 2.4 (Ubuntu 14.04)

SPDY is a protocol created by Google, and later donated to the Apache Software Foundation, which allows faster web traffic over SSL. Apache 2.4 is SPDY capable but the module is not included in Ubuntu 14.04 LTS Server. Here are instructions to get, install and enable the SPDY feature for Apache 2.4 under Ubuntu 14.04. Note that SPDY has since been superseded by HTTP/2: browsers dropped SPDY support during 2016, and Apache 2.4.17 and later ship mod_http2, which is the better choice on a current system.

Get the third-party Apache 2.4 module, extract and install it. Be aware that this replaces the distribution's mod_ssl.so with the one from the tarball, which apt will no longer keep security-patched, so back up the original module first and plan to revert to the packaged mod_ssl when SPDY is retired:
cd /usr/local/
wget https://www.rivy.org/static/mod_spdy.tar.gz
tar zxf mod_spdy.tar.gz
cd /usr/lib/apache2/modules
mv /usr/local/mod-spdy/mod-spdy/src/mod_ssl.so .
mv /usr/local/mod-spdy/mod-spdy/src/out/Release/libmod_spdy.so mod_spdy.so
echo "LoadModule spdy_module /usr/lib/apache2/modules/mod_spdy.so" | sudo tee /etc/apache2/mods-available/spdy.load
echo "SpdyEnabled on" | sudo tee /etc/apache2/mods-available/spdy.conf
a2enmod spdy
service apache2 restart

If you get an error message like the following in the log file:
...... [core:notice] [pid 7842:tid 140724740487067] AH00052: child pid 8025 exit signal Segmentation fault (11)
then you are using an MPM that is not compatible with the SPDY module. Switch to the non-threaded mpm_prefork as follows:
a2dismod mpm_event
a2enmod mpm_prefork
service apache2 restart

Test your sites for SPDY protocol:
https://spdycheck.org/