
Stuff I Wanna Remember

  • Apache SSL Configuration Snippets

    Wed 01 March 2015
    By alex

    Certificates, Protocols and Options

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/cert.pem
    SSLCACertificateFile /etc/apache2/ssl/ca-certs.pem
    SSLProtocol all -SSLv2 -SSLv3
    # Ciphers specified by the server take precedence
    SSLHonorCipherOrder on
    # Optional, defaults to off
    # Mitigates CVE-2009-3555
    SSLInsecureRenegotiation off
    # Mitigates CRIME and ...
    SSLCompression off
  • Sending Everything to Syslog

    Fri 29 January 2016
    By alex

    This is a running collection of syslog settings for various applications

    Apache

    Apache natively has the ability to send error logs to syslog, but if that method is used then the severity of each message is not uniform and searching is slightly more involved. By piping error logs to logger ...

  • Get proxied client IP with apache

    Tue 10 February 2015
    By alex

    Using mod_remoteip and modifying Apache's log format, real client IP addresses can easily be captured.

    Enable and configure mod_remoteip

    LoadModule remoteip_module modules/mod_remoteip.so
    <IfModule mod_remoteip.c>
        # YMMV for different load balancers
        RemoteIPHeader          X-Forwarded-For
        RemoteIPInternalProxy   127.0.0.1
    </IfModule>
    

    Modify log variables

    Replace the remote hostname variable, %h ...

  • Apache enable SNI

    Thu 01 January 2015
    By alex

    Problem:

    The proper versions of Apache and OpenSSL are installed to support SNI, but when multiple SSL certificates are configured, Apache fails to start and logs the following errors in error.log.

    [ssl:emerg] [pid 48715] AH02242: Init: Multiple RSA server certificates not allowed
    [ssl:emerg ...
  • Oneliners every sysadmin should know

    Wed 24 December 2014
    By alex

    Apache

    Dump virtualhosts

    apachectl -S
    

    Dump enabled modules

    apachectl -M
    

    Show version and current MPM (and compile options)

    apachectl -V
    

    Test config file

    apachectl -t
    

    PHP

    Test config file

    php -t
    

    Show phpinfo()

    php -i
    

    Dump configured modules

    php -m
    

    Show loaded ini files

    php --ini
    

    Mysql

    Test config file ...

  • Mysql Cheatsheet

    Mon 15 December 2014
    By alex

    Secure Operations

    Configure securely

    sudo mysql_secure_installation
    

    Running securely

    sudo mysqld_safe
    

    Managing Users

    List users

    SELECT user FROM mysql.user;
    

    Create a user and assign permissions for a database

    GRANT ALL PRIVILEGES ON <database>.* TO <newuser>@<hostname> IDENTIFIED BY '<password>';
    

    Reset a user's password

    SET PASSWORD FOR '<user>'@'<hostname>'=PASSWORD ...
  • Enable passive mode FTP

    Thu 11 December 2014
    By alex

    I've found that getting passive FTP transfers to work has often been the most frustrating part of setting up a server. Because of that, here are instructions for configuring passive mode for the most popular FTP servers.

    proFTPD

    vi /etc/proftpd.conf
    PassivePorts 30000 50000
    

    vsftpd

    vi /etc/vsftpd ...
  • Find wordpress versions

    Thu 11 December 2014
    By alex
    find . -iname 'version.php' -exec grep '$wp_version' '{}' \;
    
  • Custom Rsyslog filters

    Mon 08 December 2014
    By alex

    Rsyslog has the ability to filter messages by pattern matching properties within a message.

    :[property], [!][compare type], "[string]"
    

    So to match all proftpd logs and send them to a specific file, we can search the app-name property for proftpd

    :app-name, isequal, "proftpd"   /var/log/proftpd/proftpd.log
    ~
    

    That would be ...

  • Using htpasswd files with cPanel

    Fri 28 November 2014
    By alex

    When specifying the location to an htpasswd file, the path must be relative to the webserver's ServerRoot. Shared hosting often doesn't provide access to the ServerRoot nor do they tell their account holders what it is. Well, chances are it's /usr/local/apache/. Now that we know ...

  • Setup an email server with exim courier and spamassassin

    Sat 15 November 2014
    By alex


    1. Install exim
    2. Install spamassassin
    3. Install courier

    Exim

    1) Install exim

    sudo apt-get install exim4-daemon-heavy
    

    2) Configure

    sudo dpkg-reconfigure exim4-configure
    

    3) Harden

    Reduce banner information

    vi /etc/exim4/exim4.conf.template
        # Add
        smtp_banner = $smtp_active_hostname ESMTP    
    

    If not required, disable ipv6

    vi /etc/exim4/exim4.conf.template
        # Add
        disable_ipv6 ...
  • Shellinabox Web Shell

    Wed 29 October 2014
    By alex

    Shellinabox is a browser-based login shell built using CSS, HTML and JavaScript, and it runs entirely over HTTP. At a high level, shellinabox is very similar to an SSH shell session. They both utilize the /etc/passwd user database, they both make use of PAM, and they both execute ...

  • Manage websites and FTP permissions with Webmin

    Tue 28 October 2014
    By alex

    So the question at hand is, how can we set up Webmin to create websites and have an FTP user that can manage the sites with minimal overhead? This can be done in 3 steps:

    1) Create an ftp user, make their home directory the toplevel directory of the default DocumentRoot ...

  • Add an SSL Cert to Zpanel

    Sat 25 October 2014
    By alex

    Zpanel keeps its control panel and client configurations in the same file, /etc/zpanel/configs/apache/httpd-vhosts.conf. When changes are made to any of the panel's domains, this file is automatically updated. This overwrites any changes to the panel's vhost config as well.

    To avoid having ...

  • Git Cheatsheet

    Sat 25 October 2014
    By alex

    How to commit properly

    Commit all files in the working tree that have been modified

    git commit -am 'commit message'
    

    Commit a file individually

    git commit -m 'commit message' <file>
    

    How not to commit

    Only commit changes staged in the index, not all modified files

    git commit -m 'commit message'
    

    Remove ...

  • Backing Up With Rsync and Tar

    Fri 24 October 2014
    By alex

    rsync is used to copy files and tar is used for compression

  • Send HTML email from the command line

    Fri 24 October 2014
    By alex

    Sometimes there's nothing better than receiving an email from some long forgotten cronjob and having it formatted in nice readable HTML. Well, it's a lot tougher than it should be to make that happen.

    The only way I've found to accomplish this is to inject 'Content-Type' headers into ...

  • Creating certificates with openssl

    Tue 21 October 2014
    By alex

    Self Signed Cert

    Create a single .pem file containing both the private (key) and public (cert) keys.

    openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout site.pem -out site.pem
    

    CSR

    Create a certificate signing request

    openssl req -new -newkey rsa:2048 -nodes -keyout site.key -out site ...
  • Setup logstash (ELK stack)

    Fri 17 October 2014
    By alex

    Logstash is a log processing supertool written in Ruby and packaged using the Java implementation of Ruby, JRuby. In other words, it's a Ruby app that runs on Java. Logstash accepts just about any type of data you can throw at it (Apache log files, syslog data, Windows logs ...

  • Get HTTP Headers Using PHP

    Fri 03 October 2014
    By alex

    The getenv() function is used to parse environment variables created by the webserver executing the PHP code, including HTTP headers.

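    <?php
    $client_ip = getenv('REMOTE_ADDR');
    // User-Agent is client-controlled, so escape it before writing it into HTML
    $user_agent = htmlspecialchars((string) getenv('HTTP_USER_AGENT'), ENT_QUOTES, 'UTF-8');
    
    echo "Client IP: $client_ip<br>";
    echo "User Agent: $user_agent<br>";
    ?>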
    

    Using conditional statements, the headers can be parsed and then actions taken based ...

  • Apache add www to domain

    Thu 02 October 2014
    By alex
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^domain\.com$ [NC]
    RewriteRule (.*) http://www.domain.com$1 [R=301,L]
    
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^domain\.com$ [NC]
    RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
    
  • Bash Oneliners

    Thu 02 October 2014
    By alex

    Infinite while loops

    while true; do echo "It Never Ends"; done
    

    The key is the placement of the semicolons.

    while true; do ((x++)); echo $x `date +%T`; done
    while true; do echo "Can you feel it?" | mail -s 'SMTP Test' user@example.com; done
    
  • Configure Linux as a Router

    Thu 02 October 2014
    By alex

    This guide is for a dual-NIC machine. The machine will use iptables' NAT feature to act as a router/gateway. This guide does not require editing the system's routing table.

    1) Enable routing in the kernel

    sudo vi /etc/sysctl.conf
    net.ipv4.ip_forward = 1     # Uncomment ...
  • Fix Locale Errors

    Thu 02 October 2014
    By alex

    In an effort to minimize a system's footprint, providers will sometimes rip out the language files. This will cause irritating locale errors such as:

    perl: warning: Setting locale failed. 
    perl: warning: Please check that your locale settings:
    LANGUAGE = "",
    LC_ALL = (unset),
    LANG = "",
    are supported and installed on your system. 
    perl ...
  • Nagios Tutorial

    Thu 02 October 2014
    By alex

    "Nagios is an open source computer system monitoring, network monitoring and infrastructure monitoring software application. Nagios offers monitoring and alerting services for servers, switches, applications, and services. It alerts the users when things go wrong and alerts them when the problem has been resolved." -- wikipedia

    Nagios is relatively easy to ...

  • Ncat Cheatsheet

    Thu 02 October 2014
    By alex

    Ncat is a modernized implementation of the classic Netcat (nc) networking tool. The current version of nc, which is 1.10, was initially released in 1996 by "The Hobbit". A lot's changed since '96. Thankfully, the wonderful people at The Nmap Project decided that to solve modern problems you ...

  • Netcat Cheatsheet

    Thu 02 October 2014
    By alex

    Open a socket

    nc -vlp port
    

    Send file to client

    Server side, opens a socket and closes it once file is transferred

    nc -vlp port -q 0 < file.send
    

    Client side

    nc -v server port > file.receive
    

    Send file to server

    Server side, opens a socket and waits to receive ...

  • Port Forwarding with iptables

    Thu 02 October 2014
    By alex

    Configuring a port forward with iptables takes 2 rules, a PREROUTING rule and a FORWARD rule. The heavy lifting is accomplished by the PREROUTING rule on the nat table. The FORWARD rule simply allows traffic across the FORWARD chain on the filter table.

    iptables -A PREROUTING -t nat -i [external_iface ...
  • Sed Tutorial

    Thu 02 October 2014
    By alex

    Sed's primary function is to search for and replace text; we call this process "substitution". Additionally, sed can easily append, insert and delete text. The syntax can be somewhat intimidating to the new user.

    sed 'command/pattern/replacement/flags' file.txt
    sed '\pattern\|line_number command/input_text/' file.txt
    

    The ...

  • SSH Cheatsheet

    Thu 02 October 2014
    By alex

    Forward a local port through an intermediary host to a remote host

    Opens a shell on intermediary host and forwards a port to remote host through SSH's secure channel. The forwarded port is accessible on the local machine via localhost:port

    ssh -L localport:remotehost:remoteport user@intermediary_host
    

    Execute ...

