Category: Security

Docker, Linux, Security

Docker Firewall script for DOCKER-USER iptables Chain

Description: Since we can’t protect docker advertised ports on docker using a normal firewall like UFW against attacks from Internet, a script has been written to do just that. Reading the comments in the script does gives an idea of how it works. The only thing to do is to fill in the variables in …

Linux, Security

Using UFW as IP Blacklist

Introduction: There are instances where a service provider is taking care of the Firewall which is working between Internet and the rented server. In this case only certain standard ports will be made available to access the rented server. But what if you need a general use ‘blacklist’ firewall that will filter out abusive traffic …

Linux, MySQL, Security

Resetting MySQL/MariaDB root password in Ubuntu 16.04

Introduction: In case you have forgotten the ‘root’ password in MySQL/MariaDB(10.0.x) you can reset the password as follows: Ref: https://kofler.info/root-login-problem-mit-mariadb/ STEPS: Stop the currently running MySQL/MariaDB service mysql stop Start MySQL/MariaDB in non-protected mode: mysqld_safe –skip-grant-tables –skip-networking & Login as root in MySQL/MariaDB mysql -u root Set the new root password: update mysql.user set password=password(‘new-root-password-here’) …

Apache, Linux, NGinX, Postfix, Security

Install CERTBOT in Ubuntu-16-04-xenial and Debian Stretch

Intro: Here is a 1-to-1 copy of the article on how to install certbot in Ubuntu 16.04 and Debian Stretch Ubuntu 16.04 HOWTO: Install On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you’ll need to do is apt-get the following packages. $ sudo apt-get …

Apache, Linux, Security

Configuring Letsencrypt in ISPConfig 3.1

Intro: Since a while now the wonderful idea of creating the service Letsencrypt has made lots of admins happy. Here is how we can also use Letsencrypt with ISPConfig 3.1. Ref: https://www.howtoforge.com/community/threads/ssl-how-to-for-ispconfig-3-with-letsencrypt.74738/ STEPS: Define ISPconfig to use the new SSL certificate with symbolic links. (If you don’t know how to use symbolic links this how-to …

Linux, Security

Blocking hosts blacklist and iptables

Intro: I happen to have sone attacks coming from specific hosts which I decided to block access to the server. Here is how I did it using a script which deletes and reload a full iptables CHAIN based on a file containing a list of IPs/Ranges. STEPS: Create a file called blacklist.txt with one IP/Range …

Email, Linux, Postfix, Security, Systemd

OpenDKIM doesn’t start after Upgrade from Jessie to Stretch

Introduction: After having done a dist-upgrade fo Jessie to Stretch OpenDKIM didn’t start any more. After research I found the answer which worked for me in this site: https://serverfault.com/questions/847435/cant-change-opendkim-socket-in-debian-stretch-in-etc-default-opendkim INFO: I’m using the ‘inet’ socket for the communication between Postfix and OpenDKIM at port 12345. eg. My config in of OpenDKIM in Postfix: milter_default_action = …

Atlassian, Linux, Security

Disabling the admin security password confirmation in Jira and Confluence

Introduction: Although in Jira and Confluence the WebSudo, requesting the confirmation of the administrator’s password, are neat security features if you are working in a company where the chances of someone fiddling around with your computer are high. BUT in a very small company, where this risk is almost none, this feature has proven very …

Apache, Email, Linux, Postfix, Security

Hardening the SSL security in Apache, Dovecot and Postfix

Introduction: After having gotten a report from OpenVAS that my SSL security level of the mail server were medium, I looked for ways to improve this. I found very good sites which helps me making these improvements: https://weakdh.org/sysadmin.html https://wiki.dovecot.org/SSL/DovecotConfiguration Click to access applied-crypto-hardening.pdf Based on this site and extending to cover dovecot mail service here …

Linux, Security, Systemd

Mounting a remote directory using SSHFS in Debian Jessie

Introduction: If you want to mount a directory on a remote server via Internet NFS can be quite a challenge to protect. A good solution would then be to use SSHFS. Here is a shot Howto for Debian Jessie. Note: In Wheezy and in Jessie before I did an upgrade to the kernel 3.16.0-4-amd64, the …

Apache, Linux, Security

Installing TeamPass in Debian Jessie

Introduction: TeamPass is a very good Web application which can store securely Passwords for single person or teams. Here are the steps I used to install it in Debian Jessie. These instructions can also be used with no or minimal changes to install TeamPass in other Debian or Ubuntu systems. These instruction are partly based …

Linux, MAC OS X, Security

SSH doesn’t accept my key since upgrade Mac OS X to Sierra

Introduction: I have two MacBooks. One that still has Mavericks OS X and one that I just upgrade to Sierra OS X. Since the upgrade I can’t connect via SSH to one of my Linux servers using the RSA/DSA Keys any more. It always asks for a password. After adding the ‘-v’ option to the …

Linux, Security

Changing Linux system password in bash script

Introduction: I created a script that creates a full email account for a new user including setting the password. I was looking for a way to change/set the password programmatically in the script using clear text passwords provided in variables. I took this information for the man page of chpasswd Some solution examples: Changing/setting the …

Linux, Security

Discover live hosts on a network under Linux

There are lost of tools available to scan a network and list the IPs of the hosts that are live. Here is one that I find quite cool using nmap with the following command(for example for the LAN network 192.168.100.0/24): Reference: http://security.stackexchange.com/questions/36198/how-to-find-live-hosts-on-my-network nmap 192.168.100.0/24 -n -sP | grep report | awk ‘{print $5}’ the result …

Bash, Linux, Security

Forcing pam users to use only FTPS and block SFTP/SSH

Introduction: I needed to force certain PAM users(configured in /etc/passwd) to use FTPS and block them from using SSH or SFTP. Here is a solution I found in: http://askubuntu.com/questions/93411/simple-easy-way-to-jail-users Solution: Add to /etc/shells a new shell: vim /etc/shells Add one line: /bin/false Save. For each user you want to deny ssh/sftp, change the user’s shell: …

Linux, MySQL, Security, Systemd, Wordpress

Resolving Mysql error: Too many open files

Introduction: As I upgraded from Mysql 5.5 to 5.6 suddenly some sites were showing the following error: …… Too many open files The issue has to do with the present limitations given to the system and PAM system to open max 1024 files. After doing some research I found this site below here which is …

Linux, Security

Blocking all traffic from individual countries using IPSet and IPTables

Introduction: As I looked at the syslog I found too often that SSH login attacks are coming either from China or from Russia. Having enough of that, and anyway not expecting any traffic from any of these countries, although I use fail2ban still I decided to block any traffic coming from these 2 countries. Fail2ban …

Apache, Linux, Security

Activating SPDY in Apache 2.4 (Ubuntu 14.04)

SPDY is a new protocol created by Google and given to the Apache Foundation which allows faster Web traffic under SSL. Apache 2.4 is SPDY capable but its module is not included in Ubuntu 14.04 LTS Server. Here are some instructions that allow to get, install and enable SPDY feature foe Apache 2.4 under Ubuntu …

Linux, Monitoring, Security

Installing Webmin in Debian 8(Jessie)

These instructions are a ‘Plagiat’ of the site: http://www.christophe-casalegno.com/2015/07/14/how-to-install-webmin-on-debian-8/ To install webmin on Debian 8 just follow this instructions : cd /root wget http://www.webmin.com/jcameron-key.asc apt-key add jcameron-key.asc echo “deb http://download.webmin.com/download/repository sarge contrib” >> /etc/apt/sources.list echo “deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib” >> /etc/apt/sources.list apt-get update apt-get -y install webmin If it’s too long for you, you can …