Description: Since we can’t protect docker advertised ports on docker using a normal firewall like UFW against attacks from Internet, a script has been written to do just that. Reading the comments in the script does gives an idea of how it works. The only thing to do is to fill in the variables in …
Category: Security
Deleting UFW Rules backwards.
Intro: Sometimes one has a lot of ‘V6’ rules that need to be deleted. UFW does allow to delete the rules but only one by one, which can be time consuming. Here is a short bash script that does the trick of deleting them. IMPORTANT NOTE: In order for this script to work as desired …
Using UFW as IP Blacklist
Introduction: There are instances where a service provider is taking care of the Firewall which is working between Internet and the rented server. In this case only certain standard ports will be made available to access the rented server. But what if you need a general use ‘blacklist’ firewall that will filter out abusive traffic …
Resetting MySQL/MariaDB root password in Ubuntu 16.04/18.04
Introduction: In case you have forgotten the ‘root’ password in MySQL/MariaDB(10.0.x) you can reset the password as follows: Ref: https://kofler.info/root-login-problem-mit-mariadb/ STEPS: Stop the currently running MySQL/MariaDB service mysql stop Start MySQL/MariaDB in non-protected mode: mysqld_safe –skip-grant-tables –skip-networking & Login as root in MySQL/MariaDB mysql -u root Set the new root password: For MySQL Previous to …
Install CERTBOT in Ubuntu-16-04-xenial and Debian Stretch
Intro: Here is a 1-to-1 copy of the article on how to install certbot in Ubuntu 16.04 and Debian Stretch Ubuntu 16.04 HOWTO: Install On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you’ll need to do is apt-get the following packages. $ sudo apt-get …
Configuring Letsencrypt in ISPConfig 3.1
Intro: Since a while now the wonderful idea of creating the service Letsencrypt has made lots of admins happy. Here is how we can also use Letsencrypt with ISPConfig 3.1. Ref: https://www.howtoforge.com/community/threads/ssl-how-to-for-ispconfig-3-with-letsencrypt.74738/ STEPS: Define ISPconfig to use the new SSL certificate with symbolic links. (If you don’t know how to use symbolic links this how-to …
Blocking hosts blacklist and iptables
Intro: I happen to have sone attacks coming from specific hosts which I decided to block access to the server. Here is how I did it using a script which deletes and reload a full iptables CHAIN based on a file containing a list of IPs/Ranges. STEPS: Create a file called blacklist.txt with one IP/Range …
OpenDKIM doesn’t start after Upgrade from Jessie to Stretch
Introduction: After having done a dist-upgrade fo Jessie to Stretch OpenDKIM didn’t start any more. After research I found the answer which worked for me in this site: https://serverfault.com/questions/847435/cant-change-opendkim-socket-in-debian-stretch-in-etc-default-opendkim INFO: I’m using the ‘inet’ socket for the communication between Postfix and OpenDKIM at port 12345. eg. My config in of OpenDKIM in Postfix: milter_default_action = …
Disabling the admin security password confirmation in Jira and Confluence
Introduction: Although in Jira and Confluence the WebSudo, requesting the confirmation of the administrator’s password, are neat security features if you are working in a company where the chances of someone fiddling around with your computer are high. BUT in a very small company, where this risk is almost none, this feature has proven very …
Hardening the SSL security in Apache, Dovecot and Postfix
Introduction: After having gotten a report from OpenVAS that my SSL security level of the mail server were medium, I looked for ways to improve this. I found very good sites which helps me making these improvements: https://weakdh.org/sysadmin.html https://wiki.dovecot.org/SSL/DovecotConfiguration Click to access applied-crypto-hardening.pdf Based on this site and extending to cover dovecot mail service here …
Mounting a remote directory using SSHFS in Debian Jessie
Introduction: If you want to mount a directory on a remote server via Internet NFS can be quite a challenge to protect. A good solution would then be to use SSHFS. Here is a shot Howto for Debian Jessie. Note: In Wheezy and in Jessie before I did an upgrade to the kernel 3.16.0-4-amd64, the …
Installing TeamPass in Debian Jessie
Introduction: TeamPass is a very good Web application which can store securely Passwords for single person or teams. Here are the steps I used to install it in Debian Jessie. These instructions can also be used with no or minimal changes to install TeamPass in other Debian or Ubuntu systems. These instruction are partly based …
SSH doesn’t accept my key since upgrade Mac OS X to Sierra
Introduction: I have two MacBooks. One that still has Mavericks OS X and one that I just upgrade to Sierra OS X. Since the upgrade I can’t connect via SSH to one of my Linux servers using the RSA/DSA Keys any more. It always asks for a password. After adding the ‘-v’ option to the …
Changing Linux system password in bash script
Introduction: I created a script that creates a full email account for a new user including setting the password. I was looking for a way to change/set the password programmatically in the script using clear text passwords provided in variables. I took this information for the man page of chpasswd Some solution examples: Changing/setting the …
Discover live hosts on a network under Linux
There are lost of tools available to scan a network and list the IPs of the hosts that are live. Here is one that I find quite cool using nmap with the following command(for example for the LAN network 192.168.100.0/24): Reference: http://security.stackexchange.com/questions/36198/how-to-find-live-hosts-on-my-network nmap 192.168.100.0/24 -n -sP | grep report | awk ‘{print $5}’ the result …
Forcing pam users to use only FTPS and block SFTP/SSH
Introduction: I needed to force certain PAM users(configured in /etc/passwd) to use FTPS and block them from using SSH or SFTP. Here is a solution I found in: http://askubuntu.com/questions/93411/simple-easy-way-to-jail-users Solution: Add to /etc/shells a new shell: vim /etc/shells Add one line: /bin/false Save. For each user you want to deny ssh/sftp, change the user’s shell: …
Resolving Mysql error: Too many open files
Introduction: As I upgraded from Mysql 5.5 to 5.6 suddenly some sites were showing the following error: …… Too many open files The issue has to do with the present limitations given to the system and PAM system to open max 1024 files. After doing some research I found this site below here which is …
Blocking all traffic from individual countries using IPSet and IPTables
Introduction: As I looked at the syslog I found too often that SSH login attacks are coming either from China or from Russia. Having enough of that, and anyway not expecting any traffic from any of these countries, although I use fail2ban still I decided to block any traffic coming from these 2 countries. Fail2ban …
Activating SPDY in Apache 2.4 (Ubuntu 14.04)
SPDY is a new protocol created by Google and given to the Apache Foundation which allows faster Web traffic under SSL. Apache 2.4 is SPDY capable but its module is not included in Ubuntu 14.04 LTS Server. Here are some instructions that allow to get, install and enable SPDY feature foe Apache 2.4 under Ubuntu …
Installing Webmin in Debian 8(Jessie)
These instructions are a ‘Plagiat’ of the site: http://www.christophe-casalegno.com/2015/07/14/how-to-install-webmin-on-debian-8/ To install webmin on Debian 8 just follow this instructions : cd /root wget http://www.webmin.com/jcameron-key.asc apt-key add jcameron-key.asc echo “deb http://download.webmin.com/download/repository sarge contrib” >> /etc/apt/sources.list echo “deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib” >> /etc/apt/sources.list apt-get update apt-get -y install webmin If it’s too long for you, you can …