Skip to main content

Posts

Showing posts from 2020

How To Install and Secure Memcached on Ubuntu 16/18.04 ?

Memcached is an open-source memory caching system that you can use to speed up web applications and dynamic websites. Memcached works by storing frequently accessed data in RAM hence reducing the time an application reads data from databases, files or API interfaces. If your website, web application or API server has high read calls and infrequent writes, Memcached can be a great tool for you.  Install Memcached and Client Library  # sudo apt install memcached libmemcached-tools # sudo systemctl status memcached Securing Memcached Configuration Settings # vi /etc/memcached.conf -d -vv -m 256 -p 11211 -u memcache -l 127.0.0.1 add the following option to the bottom of this file: -U 0 Restart your Memcached service to apply your changes: # sudo systemctl restart memcached Verify that Memcached is currently bound to the local interface and listening only for TCP connections by typing: # sudo netstat -plunt To check that Memcached is up and running, type the following: # memcstat --servers

How to Install Redis on Ubuntu 16/18/20 LTS ?

With the new transactional file locking in place, we felt it was time to get rid of APCu and replace our cache with Redis instead. APCu is kind of old, and from our understanding, it doesn’t work well with the new Laravel locking system. Redis cache is the preferred way to go. Update APT and Install Development Tools First:   # apt update && apt upgrade # sudo apt install build-essential -y # apt-get install autoconf automake gdb git libffi-dev zlib1g-dev libssl-dev Install and Enable Redis Server # sudo apt install redis-server # sudo systemctl enable redis-server Change Redis configuration in file /etc/redis/redis.conf # vi /etc/redis/redis.conf bind 127.0.0.1 ::1 maxmemory 500mb maxmemory-policy volatile-lru port 6379 and after change the system configuration: (for redis use) # echo 1 > /proc/sys/vm/overcommit_memory add at file /etc/sysctl.conf (for redis use) vm.overcommit_memory = 1 [at end of the line] and update the system configuration: # sysctl -p Restart Red

How to remove exim mail server from VestaCP on Ubuntu ?

Of all MTAs we’re reviewing, Postfix has the strongest emphasis on security. The likely reason is that it was created by Wietse Zweitze Venema , a prolific freeware security specialist. Sendmail cannot be considered a secure MTA. Moreover, Postfix was originally designed to mitigate the vulnerabilities associated with Sendmail. Exim is quite secure for most cases but loses to Postfix. A proper configuration of your Postfix MTA provides improved defenses against spam, abuse, and leakage of sensitive data. So i don't want to use EXIM as a MTA with VestaCP on Ubuntu. I want to remove exim  completely from my VestaCP control panel. I want to use Postfix/Dovecot RSPAMD as a AntiSPAM solutions . I will publish details in next tutorials  Check Exim Status # systemctl status exim # systemctl status exim4 Remove Frozen mail # exim -bp # exim -bpc # exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash Remove Completely  # sudo apt remove --auto-remove exim4 #

How to Install Maldet Malware Detect and clean malware with clamav on Debian / Ubuntu ?

Linux Malware Detect (LMD), popularly known as Maldet is an open-source malware scanner for Linux released under the GNU GPLv2 license. It is designed around the threats faced in shared hosted environments. Install, configure and run this free software to detect and clean malware on your system.  Install Maldet # cd /usr/local/src/ # curl -O http://www.rfxn.com/downloads/maldetect-current.tar.gz # tar -zxvf maldetect-current.tar.gz # cd maldetect-1.6.2/ # bash install.sh ( best for Ubuntu 16.04 ) # sudo ./install.sh ( for Ubuntu 20.04 ) Configuration:  For configuring maldet, the configuration file at /usr/local/maldetect/conf.maldet has to be edited. # vi /usr/local/maldetect/conf.maldet Line no 16 # Enable Email Alerting email_alert="1" Line no 21 # Email Address in which you want to receive scan reports email_addr="you@domain.com" Line no 141 # Use with ClamAV scan_clamscan="1" Line no 173 # Enable scanning for root-owned files. Set 1 to disable.

How to use Malware Patrol along with ClamAv in Ubuntu 16.04/20.04 LTS?

Malware Patrol provides signatures that are compatible with Clam AV software. You can follow these simple steps to configure your Clam AV instance and protect your internal network, computers and users from getting infected by malware.  1) Make sure your Clam AV instance is installed and working properly. There are a few resources on the internet that can help you configure Clam AV in your platform.  If you are experiencing trouble installing and configuring Clam AV, start at the following URL:  How to install ClamAv antivirus with rspamd on Ubuntu 16.04/20.04 LTS? If you followed the above instructions, skip to step 14. 2. Install curl. For example: apt-get install curl 3. Install rsync. For example: apt-get install rsync 4. Install unzip. For example: apt-get install unzip 5. cd /tmp 6. wget -O clamav-unofficial-sigs.zip ‘https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip’ 7. unzip /tmp/clamav-unofficial-sigs.zip 8. cp /tmp/clamav-unofficial-sigs-master/clama

How to install ClamAv antivirus with rspamd on Ubuntu 16.04/20.04 LTS?

As usual I prefer to use open-source components. So the obvious choice is the famous ClamAV virus scanner. But its detection rate is ridiculously low with its default signatures. I heard of a study telling that in their tests ClamAV showed a 100% detection rate.  I myself have been scanning multiple infected emails with it (that have been found by another software) and it did not even find one infection.  So I started researching the alternatives – like a free-beer virus scanner from Sophos that worked well with the amavis-milter in the past. Its detection rate is pretty good. But no matter what I tried – I couldn’t get the two to work together. And to be honest… the documentation of rspamd’s antivirus module is incomplete to put say the least.  Then suddenly a friendly nerd pointed me to the SaneSecurity project that adds anti-virus signatures to ClamAV to make it actually useful. And this finally became the recommended solution for me. In a commercial setup where your customers

How to Install Memcached Server (Caching) on CentOS 7(CWP7)

It is important to secure your Memcached servers, Because systems like Memcached can contribute to denial of service attacks if improperly configured. We will explain how to install and secure your Memcached server on CentOS 7 Linux distribution. These given instructions also work on RHEL and Fedora Linux. First, update the system: # yum update -y Next, install the official Memcached package memcached; as well as libmemcached, which provides several utilities to work with Memcached: # yum install memcached libmemcached Note: libmemcached – a client library that offers a couple of tools to manage your Memcached server. Securing Memcached Configuration Settings for Local Access Only:   To make assure that installed Memcached service is listening on the 127.0.0.1 local interface, We will also disable the UDP listener. Both of these actions will protect our server from denial of service To do this, we will add the -U 0 parameter to our OPTIONS variable. The file in full should look l

How to Produce Postfix MTA logfile summary using Pflogsumm on CWP?

Pflogsumm is a log analyzer/summarizer for the Postfix MTA. It is designed to provide an over-view of Postfix activity, with just enough detail to give the administrator a "heads up" for potential trouble spots. Pflogsumm generates summaries and, in some cases, detailed reports of mail server traffic volumes, rejected and bounced email, and server warnings, errors and panics. CentOS 7: # yum -y install postfix-perl-scripts Generate Log Summary # perl /usr/sbin/pflogsumm -d yesterday /var/log/maillog # perl /usr/sbin/pflogsumm -d today /var/log/maillog Generate Log Once a Day and Received via Mail # crontab -e 0 0 * * * perl /usr/sbin/pflogsumm -e -d yesterday /var/log/mail.log | mail -s 'Logwatch for Postfix' admin@awsmonster.com

How to Configure Postfix SMTP Relay on CWP CentOS 7 with Relay Provider ?

You can configure your Postfix  to send email via relay using SASL authentication. Simple Authentication and Security Layer (SASL) is a standard authentication framework supported by many services including Postfix. Make sure the SASL authentication framework, and mailx are all installed. # yum -y install cyrus-sasl-plain mailx In /etc/postfix/main.cf , Add the following lines #Relay smtp_sasl_security_options = noanonymous smtp_sender_dependent_authentication = yes sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd header_size_limit = 4096000 In /etc/postfix/sender_relay , add domain that must go through a relay. @glorency.com smtp-relay.rubel.com:587 In /etc/postfix/sasl_passwd , provide credentials that listed in /etc/postfix/sender_relay. smtp-relay.rubel.com:587 admin@glorency.com:3Ba4password0nrTg Don't forget the following commands. # postmap sas

How to Remove Sensitive Data from Postfix Headers ?

E-mail header contain some sensitive information. I’ll show you how to remove that information from the Postfix headers. note: some email clients will mark your email as spam if your header doesn’t contain an IP address. It is also very important to keep header details for your analysis. If any user started to spamming or compromised , then we must need header for analysis. So we will remove only our client private network details. We are assuming that postfix is already up and running and will make below changes. Step:1 Edit ‘/etc/postfix/main.cf’ file header_checks = regexp:/etc/postfix/header_checks Step:2 Append the below line in ‘/etc/postfix/header_checks’ [at the bottom] /^Received:/ IGNORE Step:3 Run postmap to apply the new configuration in /etc/postfix/header_checks [root@server1 ~]# postmap /etc/postfix/header_checks Step:4 Restart or Reload the postfix server [root@server1 ~]# systemctl restart postfix [root@server1 ~]# postfix reload Details: htt

How to Block (Virus) Extensions on Postfix Mail Server ?

It's very important to block virus extension on Postfix mail server. Using  mime_header_checks directive on Postfix , we can block some specific extension to protection our mail server from spamming. So we are going to block some dangerous extension for Postfix users . Login as the root, enter: # vi /etc/postfix/main.cf Use mime_header_checks postfix config directive, enter: mime_header_checks = regexp:/etc/postfix/block_attachments Save and close the file. Open /etc/postfix/block_attachments file and append code as follows: /name=[^>]*\.(bat|com|dll|vbs|exe|pdf|zip)/ REJECT Save and close the file. You must restart or reload postfix: # /etc/init.d/postfix reload Watch log file:  You should see rejected mail log in /var/log/maillog file: # tail -f /var/log/maillog

MaxIOPS Block Storage VPS : Start Your Free Trial for 5 Months, Promo Code: AQX767

Today I’ll introduce with you a VPS server provider which is the best at its price and performance wise also. They are providing World's fastest cloud server as well as Private Cloud with MaxIOPS block storage services. Start Your Free Trial for 5 Months, Use Promo Code: AQX767 Sign Up Link All cloud servers are deployed on enterprise-grade hardware. Together with Upcloud in-house developed software and proprietary MaxIOPS storage technology, you will get industry-leading performance at all times. Cloud servers are deployed in less than 45 seconds . With incredibly fast boot times, you will get up and running within minutes. Yes  Upcloud  , as the VPS provider it includes DDOS protection, Pure SSD and obviously Fair Usage i.e. no issue in the peak time (safe from noisy neighbors). I am using two VMs on Upcloud and Migrated from AWS & Azure . Azure Linux instance is very slow to rebbot . Also Linode took more time to reboot the VMs . I was very frustrated th

How to Configure Browser Caching for Nginx?

The first time you visit a domain, these files are downloaded and stored in the browser’s cache. On subsequent visits, the browser can serve the local versions instead of downloading the files again. This enables the web page to load much faster as it only needs to retrieve the data that has changed since the last visit. It offers a much better experience for users and is the reason Google’s PageSpeed Insights recommends that it be implemented. You will add a small piece of code that will tell browsers to store CSS, JavaScript, images, and PDF files in their cache for a period of seven days or max. Insert the following snippet inside the server block directly after the previous code for Gzip compression: # vi /home/admin/conf/web/mail.datahead.biz.nginx.ssl.conf location ~* ^.+\.(3gp|gif|bmp|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh)$ { expires max; ad

How to enable GZIP compression to increase PageSpeed Score for Nginx?

Gzip is a popular compression algorithm and format on the web. Gzip requires browser support, but you don’t have to worry because most popular browsers have support for it. Although Instructions to enable Gzip varies with different web servers, they are still very similar.  Here’s how Gzip works with Nginx: Now add the following Code to your Nginx Configuration file or you can add it to your vhost domain # Compression gzip gzip on; gzip_vary on; gzip_comp_level 6; gzip_min_length 512; gzip_buffers 8 64k; gzip_types application/atom+xml application/javascript application/x-javascript application/json application/ld+json application/manifest+json application/xml+rss application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/png image/svg+xml image/x-icon image/gif image/jpeg text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc

How to Install Vesta Plugin "Tools" ?

A found a plugin for VestaCP named "Tools" . This tool currently lets you view all the users, mail domains, cron jobs, databases, and more in one global view without having to login to each individual user. # wget https://raw.githubusercontent.com/SS88UK/VestaCP-Tools-Plugin/master/Install_Tools.sh -O ./Install_Tools.sh # chmod 777 ./Install_Tools.sh # sudo ./Install_Tools.sh Open the Configuration file and Add the Following Code that mentioned snapshot # vi /usr/local/vesta/web/templates/admin/panel.html Source Details: https://forum.vestacp.com/viewtopic.php?t=12819

How to Strengthening Nginx Security and Website Security Headers with SSL?

Using a SSL certificate that doesn't mean you are secure, but there is a lot more to Strengthening Web Site Security. Whilst most people are happy with just having their site running under SSL after successfully figuring out how certbot and Let’s Encrypt works. Strengthening Web Site Security is very easy as it only requires you to set up what is called a Content Security Policy (CSP). What a Content Security Policy does is tell a browser what external resources can be loaded within your site without being regarded and Non-Secure Origins. It’s an essential part of good security especially when it comes to SSL. But Strengthening Web Site Security does not stop there as there are additional server headers that need to be implemented to prevent cross browser sniffing, people loading parts of your site with a frame in their site and what is called an XSS header which prevents cross scripting attacks from browsers and then also a strict transport security header call

How to Change Admin Port for Vesta Admin Control Panel?

I will show you  how to change the default Vesta port from port 8083 to port 2087. You could change your port number to any other number. I will use 2087 port because Cloudflare  supports that port in their free subscription. So I can protect my server from DDOS Attack using Cloudflare Free Subscription. In brief the steps to change your port are: Add the new port(2087) on VestaCP firewall Edit Nginx to Listen to the new port Restart vesta Delete the old port, 8083 . I am not using VestaCP firewall, I am using CSF firewall to my Vesta Control Panel. So I not showing you Step 1. 2.Edit Nginx to Listen to the new port # vi /usr/local/vesta/nginx/conf/nginx.conf

How to enable http2 and Secure Server FQDN for VestaCp in Ubuntu 16.04 L.T.S?

We have already secure nginx and vesta-nginx using Let's Encrypt SSL in our previous tutorial. Now it is very important to secure Server FQDN where my Server FQDN is mail.datahead.biz. At first I will enable http2   then i will redirect all http request to https . 1. At first Enable http2 in server block # vi /home/admin/conf/web/mail.datahead.biz.nginx.ssl.conf server { listen 192.146.82.3:443 ssl http2; server_name mail.datahead.biz ; server_tokens off; root /home/admin/web/mail.datahead.biz/public_html; index index.php index.html index.htm; access_log /var/log/nginx/domains/mail.datahead.biz.log combined; access_log /var/log/nginx/domains/mail.datahead.biz.bytes bytes; error_log /var/log/nginx/domains/mail.datahead.biz.error.log error; #ssl on; ssl_certificate /home/admin/conf/web/ssl.mail.datahead.biz.pem; ssl_certificate_key /home/admin/conf/web/ssl.mail.datahead.biz.key; 2. Redirect all ht

How to Harden Vesta Nginx with Let's Encrypt SSL Certificate ?

Nginx 1.17.10 working as a reverse proxy for Vesta Admin Control Panel where it is installed as nginx-vesta. You can check the vesta-nginx version: # /usr/local/vesta/nginx/sbin/vesta-nginx -v nginx version: nginx/1.12.2 Vesta Nginx Location # cd /usr/local/vesta/nginx Take Backup vesta-nginx configuration file # cd /usr/local/vesta/nginx/conf # cp -a nginx.conf nginx.conf-bak 1. Replace the below code  # vi /usr/local/vesta/nginx/conf/nginx.conf # SSL PCI Compliance ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_session_cache shared:SSL:10m; ssl_prefer_server_ciphers on; With # SSL Settings #ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2 ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096 #ssl_ciphers EECDH+AESGCM:EDH+AESGCM; ssl_ciphers ECDHE

How to Harden Nginx with Let's Encrypt SSL Certificate and get A+ Score from Qualys Lab ?

I have written those article previously for CentOS Web Panel for both Nginx + Varnish + Apache + PHP-FPM & Apache server only. Source Details: 1.  Install Letsencrypt SSL Certificate for your Server Hostname/FQDN, 100% Working 2.  Install Let'sEncrypt for Admin Panel & User Panel Again, 100% Working My Certificate Score after SSL hardening: There are some changes needed for both article that i mentioned above. I will do it later for CentOS Web Panel. Now I have started to like VestaCP which is very lightweight control panel and It has many templates based on nginx for many CMS. I am using Nginx+PHP-FPM on Ubuntu 16.04 L.T.S . I have added 4096 bits Let's Encrypt SSL for VestaCP Admin Panel which is working perfectly and no warning getting from any browser. Article :  How to Configure 4096 bits Let's Encrypt SSL for VestaCP Control (Admin) Panel? Using a SSL certificate that doesn't mean you are secure . You have to harden(secure) your SSL configurat