Description: Since we can’t protect docker advertised ports on docker using a normal firewall like UFW against attacks from Internet, a script has been written to do just that. Reading the comments in the script does gives an idea of how it works. The only thing to do is to fill in the variables in …
Category: Security
Deleting UFW Rules backwards.
Intro: Sometimes one has a lot of ‘V6’ rules that need to be deleted. UFW does allow to delete the rules but only one by one, which can be time consuming. Here is a short bash script that does the trick of deleting them. IMPORTANT NOTE: In order for this script to work as desired …
Using UFW as IP Blacklist
Introduction: There are instances where a service provider is taking care of the Firewall which is working between Internet and the rented server. In this case only certain standard ports will be made available to access the rented server. But what if you need a general use ‘blacklist’ firewall that will filter out abusive traffic …
Resetting MySQL/MariaDB root password in Ubuntu 16.04/18.04
Introduction: In case you have forgotten the ‘root’ password in MySQL/MariaDB(10.0.x) you can reset the password as follows: Ref: https://kofler.info/root-login-problem-mit-mariadb/ STEPS: Stop the currently running MySQL/MariaDB service mysql stop Start MySQL/MariaDB in non-protected mode: mysqld_safe –skip-grant-tables –skip-networking & Login as root in MySQL/MariaDB mysql -u root Set the new root password: For MySQL Previous to …
Install CERTBOT in Ubuntu-16-04-xenial and Debian Stretch
Intro: Here is a 1-to-1 copy of the article on how to install certbot in Ubuntu 16.04 and Debian Stretch Ubuntu 16.04 HOWTO: Install On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you’ll need to do is apt-get the following packages. $ sudo apt-get …
Configuring Letsencrypt in ISPConfig 3.1
Intro: Since a while now the wonderful idea of creating the service Letsencrypt has made lots of admins happy. Here is how we can also use Letsencrypt with ISPConfig 3.1. Ref: https://www.howtoforge.com/community/threads/ssl-how-to-for-ispconfig-3-with-letsencrypt.74738/ STEPS: Define ISPconfig to use the new SSL certificate with symbolic links. (If you don’t know how to use symbolic links this how-to …
Blocking hosts blacklist and iptables
Intro: I happen to have sone attacks coming from specific hosts which I decided to block access to the server. Here is how I did it using a script which deletes and reload a full iptables CHAIN based on a file containing a list of IPs/Ranges. STEPS: Create a file called blacklist.txt with one IP/Range …
OpenDKIM doesn’t start after Upgrade from Jessie to Stretch
Introduction: After having done a dist-upgrade fo Jessie to Stretch OpenDKIM didn’t start any more. After research I found the answer which worked for me in this site: https://serverfault.com/questions/847435/cant-change-opendkim-socket-in-debian-stretch-in-etc-default-opendkim INFO: I’m using the ‘inet’ socket for the communication between Postfix and OpenDKIM at port 12345. eg. My config in of OpenDKIM in Postfix: milter_default_action = …
Disabling the admin security password confirmation in Jira and Confluence
Introduction: Although in Jira and Confluence the WebSudo, requesting the confirmation of the administrator’s password, are neat security features if you are working in a company where the chances of someone fiddling around with your computer are high. BUT in a very small company, where this risk is almost none, this feature has proven very …
Hardening the SSL security in Apache, Dovecot and Postfix
Introduction: After having gotten a report from OpenVAS that my SSL security level of the mail server were medium, I looked for ways to improve this. I found very good sites which helps me making these improvements: https://weakdh.org/sysadmin.html https://wiki.dovecot.org/SSL/DovecotConfiguration Click to access applied-crypto-hardening.pdf Based on this site and extending to cover dovecot mail service here …
Mounting a remote directory using SSHFS in Debian Jessie
Introduction: If you want to mount a directory on a remote server via Internet NFS can be quite a challenge to protect. A good solution would then be to use SSHFS. Here is a shot Howto for Debian Jessie. Note: In Wheezy and in Jessie before I did an upgrade to the kernel 3.16.0-4-amd64, the …
Installing TeamPass in Debian Jessie
Introduction: TeamPass is a very good Web application which can store securely Passwords for single person or teams. Here are the steps I used to install it in Debian Jessie. These instructions can also be used with no or minimal changes to install TeamPass in other Debian or Ubuntu systems. These instruction are partly based …
SSH doesn’t accept my key since upgrade Mac OS X to Sierra
Introduction: I have two MacBooks. One that still has Mavericks OS X and one that I just upgrade to Sierra OS X. Since the upgrade I can’t connect via SSH to one of my Linux servers using the RSA/DSA Keys any more. It always asks for a password. After adding the ‘-v’ option to the …
Changing Linux system password in bash script
Introduction: I created a script that creates a full email account for a new user including setting the password. I was looking for a way to change/set the password programmatically in the script using clear text passwords provided in variables. I took this information for the man page of chpasswd Some solution examples: Changing/setting the …
Discover live hosts on a network under Linux
There are lost of tools available to scan a network and list the IPs of the hosts that are live. Here is one that I find quite cool using nmap with the following command(for example for the LAN network 192.168.100.0/24): Reference: http://security.stackexchange.com/questions/36198/how-to-find-live-hosts-on-my-network nmap 192.168.100.0/24 -n -sP | grep report | awk ‘{print $5}’ the result …
Forcing pam users to use only FTPS and block SFTP/SSH
Introduction: I needed to force certain PAM users(configured in /etc/passwd) to use FTPS and block them from using SSH or SFTP. Here is a solution I found in: http://askubuntu.com/questions/93411/simple-easy-way-to-jail-users Solution: Add to /etc/shells a new shell: vim /etc/shells Add one line: /bin/false Save. For each user you want to deny ssh/sftp, change the user’s shell: …
Resolving Mysql error: Too many open files
Introduction: As I upgraded from Mysql 5.5 to 5.6 suddenly some sites were showing the following error: …… Too many open files The issue has to do with the present limitations given to the system and PAM system to open max 1024 files. After doing some research I found this site below here which is …
Blocking all traffic from individual countries using IPSet and IPTables
Introduction: As I looked at the syslog I found too often that SSH login attacks are coming either from China or from Russia. Having enough of that, and anyway not expecting any traffic from any of these countries, although I use fail2ban still I decided to block any traffic coming from these 2 countries. Fail2ban …
Activating SPDY in Apache 2.4 (Ubuntu 14.04)
SPDY is a new protocol created by Google and given to the Apache Foundation which allows faster Web traffic under SSL. Apache 2.4 is SPDY capable but its module is not included in Ubuntu 14.04 LTS Server. Here are some instructions that allow to get, install and enable SPDY feature foe Apache 2.4 under Ubuntu …
Installing Webmin in Debian 8(Jessie)
These instructions are a ‘Plagiat’ of the site: http://www.christophe-casalegno.com/2015/07/14/how-to-install-webmin-on-debian-8/ To install webmin on Debian 8 just follow this instructions : cd /root wget http://www.webmin.com/jcameron-key.asc apt-key add jcameron-key.asc echo “deb http://download.webmin.com/download/repository sarge contrib” >> /etc/apt/sources.list echo “deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib” >> /etc/apt/sources.list apt-get update apt-get -y install webmin If it’s too long for you, you can …
Fixing Spamassassin in Debian Jessie(8)
Introduction: For a long time under Debian Wheezy Spamassassin was running quite well until I upgraded the system to Jessie. That is when Spamassassin(spamd) started to crash every now and then without giving much reasons why. Cause of error message: Looking in the system logs(/var/log/syslog) I found the following error: spamd[7490]: util: refusing to untaint …
Using HTTPS as proxy backend in Apache 2.4
Introduction: In Apache 2.4 in a Vhost in order to be able to proxy to a backend with HTTPS using either a self-signed or expired certificate on the backend we need to include the following directives: SSLProxyEngine on SSLProxyVerify none SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLProxyCheckPeerExpire off You also need to enable the required Apache2 modules …
Redirecting HTTP to HTTPS in NginX
Here is a working method of redirecting any requested HTTP URL to HTTPS in NginX VirtualHosts that handles both HTTP and HTTPS. For example, to have a single vhost support both HTTP and HTTPS you have normally the following directives: # Support for HTTP and HTTPS listen 80; listen 443 ssl; ssl_certificate /etc/letsencrypt/live/www.myserver.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.myserver.com/privkey.pem; …
Testing SSL Connections with SSLyze, Nmap or OpenSSL
Introduction: OpenSSL is a great tool to check SSL connections to servers. The difficulty here is when one want a full scan of all possible SSL Cyphers and protocols used by a server. That is where SSLyze comes in handy. This tool is a Python script which will scan the target host/port for SSL handshake …
Recursively delete files securely: shredding
Description: Every administrator should know that when we delete a file on the hard disk, almost nothing is really deleted. The space used by the files is simply put back on the list of ‘free to use‘ space in the filesystem and will no more appear in the directory listing. This means forensic tools can …
Reporting SMART status of RAID disks
Reference site: http://www.cyberciti.biz/faq/linux-checking-sas-sata-disks-behind-adaptec-raid-controllers/ Note: Although Hardware RAID controllers made by other hardware manufacturers here I use Adaptec as an example: Install the software: apt- get install smartmontools Curious which company the RAID controller is from? Find out which RAID controller you have: lspci | grep ‘RAID’ Result: 01:00.0 RAID bus controller: Adaptec Device 028b (rev …
Preventing a bash script from running concurrently
Introduction: In order to prevent a bash script instance from running more than once concurrently, here is a small tip on how to write the script. Script template: #!/bin/bash # Prevents that an instance of the script starts while another instance of it is still running scriptname=$(basename $0) lockfile=”/tmp/${scriptname}.lock” if [ -e $lockfile ]; then …
Creating a web certificate CSR file.
The process of buying an SSL certificate for a web site is usually as follows: – You create a secret key and CSR files using the method showm in this post. – You cut and paste the content of the CSR file into a field in a SSL Vendor web site – The SSL vendor …
Scanning for viruses on a Debian/Ubuntu server
Situation: Although most viruses would be mostly harmless in a Linux environment if the viruses are just files laying around, BUT since a server is meant to SERVE it is one of the best place to spread the viruses to other systems where it could do damages. Solution: Scan the system or certain vulnerable directories …
Example of using UFW firewall in Debian/Ubuntu
Introduction: I just started to use the firewall UFW which is a terminal commands based firewall. The tool seemed a bit difficult to understand at first but with a bit of trying and errors I finally got something working. So here is what I did. I install the UFW firewall: apt-get install ufw Assumption: I …
Installing pure-ftpd in Debian/Ubuntu
Difficulty with FTP servers and firewall: If you configure a firewall for a host which runs an FTP server you normally need to leave the ports 1024-65365 range open, since you never know which port the FTP server will use to send data to the FTP client. This situation is quite critical if you have …
Limiting the number of connected clients on a VirtualHost in Apache
Problem: When a DDOS attack or a burst of requests are coming at the same time in my Apache2 Web server, the whole server can run out of RAM and crash. Possible solution: Limit the number of simultaneous connections to your Web server per VirtualHost Method: One simple and effective method done directly on the …
Verifying the integrity of files with md5sum
In order to transfer files and be sure that they were not compromised on their way to their destinations a method of ‘checksumming’ the file’s content can help. Under Linux the tool is called ‘md5sum’. Here is how to use it. For example to check the integrity of the downloaded Ubuntu Linux .iso file. md5sum …
Installing VSFTPD for FTP-SSL web sites upload on Ubuntu
In order to force an exclusive use of the SSL/TLS connectivity to users here is how to install it: Note: This tutorial was base from this site: https://www.digitalocean.com/community/tutorials/how-to-configure-vsftpd-to-use-ssl-tls-on-an-ubuntu-vps Install the vsftpd package sudo apt-get install vsftpd Edit the /etc/vsftpd.conf configuration file and add the following at the end of the file or alternatively adapt the …
Encrypt a password with different encryption methods
Situation: I happen to have configured a Linux system with MySQL database and wanted to enter a password in the password field in the DB. Here is a way I found. This will output in the terminal the encrypted string you can then enter directly in the password field via phpmyadmin or mysql client. Note: …
Using TLS for mail delivery from postfix to another TLS activated mail server
Introduction: The default encryption method for delivering email from Postfix to another mail server is ‘NONE’ In certain cases for enhanced security reasons emails for certain destinations should be encrypted all the way: Meaning: Client 1 ==(TLS)==> Postfix Server ==TLS==> Other email Server ==SSL/TLS==> Client 2 In this case we cannot influence the way the …