Install MariaDB 10.4 on Ubuntu 19.04 (disco)

In recent years MariaDB has become one of the most popular database servers. The MariaDB server is available under the terms of the GNU General Public License, version 2. It was created by the original developers of MySQL and is promised to stay open source.

Install MariaDB 10.4 on Ubuntu 19.04 Disco

To install MariaDB 10.4 on Ubuntu, you first need to add the repository to the system. Ubuntu uses apt for package management. Apt stores a list of repositories or software packages in the file /etc/apt/sources.list or any other file with a .list extension in the /etc/apt/sources.list.d directory. Go to the downloads page of the MariaDB Foundation website in order to set up the repository mirror you need. From the menu choose the distro, release, version and mirror.

The menu will generate the commands that add the repository and import its PGP key. Please notice that in my case I picked the Lund University repository. You might want a repository that is closer to you geographically.

sudo apt-get install software-properties-common
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
sudo add-apt-repository 'deb [arch=amd64] http://ftp.ddg.lth.se/mariadb/repo/10.4/ubuntu disco main'

After the key is imported and repository set, you can start with the installation:

sudo apt update
sudo apt install mariadb-server mariadb-common mariadb-client

You are all set. After the installation MariaDB server starts automatically. You can check its status with the command:

systemctl status mariadb

Next step will be to secure the server.

NGINX Reverse Proxy Apache on DirectAdmin

The following article deals with the most common problems you can come across if you decide to switch from an Apache-only LAMP server to an Apache+NGINX driven one.

Nginx (pronounced engine x) has been around for more than a decade. NGINX is an HTTP and reverse proxy server. It has proved its advantages over Apache in many setups:

  • Nginx works faster when serving a high volume of requests.
  • Nginx doesn’t spawn a new process or thread for each request. Hence it consumes less memory and works much better with a high volume of requests.
  • Nginx is efficient at serving static content. It has low memory usage, but consumes more processor time compared to Apache.
  • It is a great solution for dedicated and virtual private servers, where you don’t need Apache .htaccess ability.

In order to get the best of both servers, we have NGINX serve static assets while Apache processes the dynamic content.

CustomBuild2.X Prerequisite

The new CustomBuild 2.x versions allow for an easy and quick installation of Apache + NGINX as a reverse proxy server. The only prerequisite for this to work is CustomBuild 2.x. As the 2.x version was released in 2006, the chances are that your installation has it by the year 2019.
In case you want to check the CustomBuild version:

cd /usr/local/directadmin/custombuild
./build version

The command above should produce a result similar to the one below:
[root@myserver custombuild]# ./build version
2.0.0 (rev: 2084)

Also check the version of Directadmin. It should be 1.45.2 or later:

/usr/local/directadmin/directadmin v
Version: DirectAdmin v.1.56.4

If you need to update software in DirectAdmin you can follow the steps provided in one of my previous posts. If you have made any changes to Apache or any other software which is installed/updated with custombuild, they will be overwritten. As you don’t want the changes to be lost, use the official way for customization: create a custom directory in /usr/local/directadmin/custombuild

Make sure you are in the right directory:
cd /usr/local/directadmin/custombuild
mkdir -p custom
cp -Rp configure custom

After that you can edit your configs as needed.

Once you are ready with all the customizations, the following commands will help you switch to apache+nginx (nginx in front of apache as a reverse proxy):

cd /usr/local/directadmin/custombuild
./build update
./build set webserver nginx_apache
./build nginx_apache
./build rewrite_confs

The last command will rewrite all configuration files, if they are not in the custom directory.

Also, after installing the proxy, it is possible that the nginx reverse proxy will not show the images. NGINX serves all the static assets of the website, while the user nginx doesn’t have read and execute rights on the website webroot directory. This is easily fixed if you give the user nginx rights to enter (+x) and read (+r) the files in the public_html directory:
chmod 755 -R public_html
Have fun with your new installation.

How To Install Configure Config Server Firewall on Centos7

Config Server Firewall Security Application For Linux Servers

Config Server Firewall is a free security application tested on almost all mainstream Red Hat and Debian derivative Linux distributions. It also works with the most popular virtual servers. It is a firewall configuration script that provides better security for your server, with an advanced interface for managing your firewall settings. It offers UI integration for cPanel, DirectAdmin and Webmin. CSF relies upon iptables to lock down public access to services. It only allows certain connections, such as FTP, HTTP etc.
A comprehensive list of all the features this suite of scripts provides is available at the author’s website.

Basic Information About Config Server Firewall

There is a Login Failure Daemon (lfd) to complement the ConfigServer Firewall (csf). The lfd process runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against the server.
The daemon checks for login authentication failures in the logs of:

  • IMAP Servers (Dovecot, Kerio)
  • Exim SMTP AUTH
  • Suhosin failures
  • Mod_security failures (v1 and v2)
  • HTTP password protection
  • Custom login failures
  • cPanel servers

csf itself has many features:

  • Auto-configures the SSH port if it’s running on a non-standard port.
  • Blocks traffic on unused server IP addresses – you set up which ports to open in csf.conf, the main configuration file.
  • Alerts when end-user scripts send excessive emails per hour – for identifying spamming scripts

Installing ConfigServer Firewall csf

Installing the firewall is easy and straightforward.

wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

The script install.sh will create a directory for the firewall in /usr/local/csf/.
After the installation csf starts with TESTING mode enabled (“TESTING” = 1), which means that lfd will not be started while this flag is set.
In /etc/csf you can find the configuration files of the firewall.

/etc/csf/csf.allow
/etc/csf/csf.blocklists
/etc/csf/csf.cloudflare
/etc/csf/csf.deny
/etc/csf/csf.dirwatch
/etc/csf/csf.dyndns
/etc/csf/csf.ignore

The first step to consider after installing the script is adding your IP address to csf.ignore and csf.allow. This will prevent you from getting locked out of your server. Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl
After you are ready with the installation and setup, set the flag “TESTING” = 0 to start the firewall and the daemon. Don’t forget to restart them so that all the changes can come into effect. csf can be restarted with the command:

csf -r

while lfd is restarted with:

service lfd restart

The fastest way to uninstall the firewall is to run the script.

Adding ConfigServer Firewall Blocks To Cloudflare

Why Adding ConfigServer Firewall Blocks To Cloudflare

Ideally, after installing mod_cloudflare on Apache, we should be able to get the real IP of the visitors. This is true for any application that is in operation after Apache. Unfortunately, the firewall runs before mod_cloudflare comes into effect. This means csf doesn’t see the correct remote IP address for requests via CloudFlare. It sees it as a part of a Cloudflare IP block.
As a consequence, the IP cannot be blocked because the firewall is seeing the whitelisted CloudFlare IP addresses.

BLOCK_REPORT = "" Option in /etc/csf/csf.conf

The BLOCK_REPORT = "" option in /etc/csf/csf.conf gives you a workaround for this problem. Here you can add the name of a script that is run whenever LFD (Login Failure Daemon) adds a new IP to the firewall deny list.
On the other hand, CloudFlare has a simple API which can be used to add IP address blocks. Here you can find a simple script, utilizing Cloudflare’s API, that you can manually add to your server installation, adding its path to /etc/csf/csf.conf
Alternatively there is a script on Github which installs the script and adds the line in /etc/csf/csf.conf. During the installation you will be prompted to enter your Cloudflare account API and email address.
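A BLOCK_REPORT handler along these lines, as an added example that is neither the script linked above nor part of CSF. It assumes lfd passes the blocked IPv4 address as the first argument (the argument list is documented in the csf readme.txt), that Cloudflare's v4 IP Access Rules endpoint is used with the account email and API key, and that both are read from a hypothetical root-only file /root/.cf_csf defining CF_EMAIL and CF_KEY.

```shell
#!/bin/sh
# Added example, not the script the article links to.
CF_API=https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules
CF_CRED_FILE=${CF_CRED_FILE:-/root/.cf_csf}   # hypothetical path; mode 600, root only

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with octets 0..255
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1;; esac
    old=$IFS; IFS=.; set -- $1; IFS=$old
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# cf_block_payload IP NOTE -> JSON body for an IP Access Rule in "block" mode.
# The address is derived from log data, so it is validated before it is
# embedded, and the note is reduced to a safe character set (IPv4 only;
# anything else is refused).
cf_block_payload() {
    valid_ipv4 "$1" || return 1
    note=$(printf '%s' "$2" | tr -cd 'A-Za-z0-9 ._:-')
    printf '{"mode":"block","configuration":{"target":"ip","value":"%s"},"notes":"%s"}' \
        "$1" "$note"
}

# cf_block IP NOTE -> send the rule. The credentials reach curl on stdin
# (-K -), so the API key never shows up in the process list.
cf_block() {
    body=$(cf_block_payload "$1" "$2") || { echo "refusing '$1'" >&2; return 1; }
    [ -r "$CF_CRED_FILE" ] || { echo "no credentials file" >&2; return 1; }
    . "$CF_CRED_FILE"                          # must define CF_EMAIL and CF_KEY
    printf 'header = "X-Auth-Email: %s"\nheader = "X-Auth-Key: %s"\n' \
        "$CF_EMAIL" "$CF_KEY" |
        curl -sS --fail -K - -X POST -H 'Content-Type: application/json' \
             --data "$body" "$CF_API"
}

# Entry point when lfd calls the script: $1 is the blocked address.
if [ $# -gt 0 ]; then
    cf_block "$1" "lfd block $(date -u +%Y-%m-%dT%H:%MZ)"
fi
```

Point BLOCK_REPORT at the full path of the script and make it executable by root only.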

RESTRICT_SYSLOG Security Option In ConfigServer Firewall CSF

lfd relies on syslog/auth.log and messages/secure

As you can read in the CSF readme.txt file, any end-user on the server can maliciously trigger applications that monitor the logs of syslog/rsyslog.
Red Hat family distributions (CentOS and Fedora) use /var/log/messages and /var/log/secure, whereas Debian-family distributions use /var/log/syslog and /var/log/auth.log.

The option RESTRICT_SYSLOG disables all the features that rely on the affected logs. These features are:
LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
PORTKNOCKING_ALERT

The Possible RESTRICT_SYSLOG Values

Here are the possible values of RESTRICT_SYSLOG in csf.conf

    • RESTRICT_SYSLOG = "0": Allow features listed above to be used
    • RESTRICT_SYSLOG = "1": Disable all the features above
    • RESTRICT_SYSLOG = "2": Disable only alerts about this feature and do nothing else
    • RESTRICT_SYSLOG = "3": Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP

As you can see, the only recommendable options are 0 and 3. The default installation option is 0. If you want to use the features above, choose option 3. It restricts write access to the syslog/rsyslog unix socket(s) to the local group you set up with the RESTRICT_SYSLOG_GROUP option.

RESTRICT_SYSLOG_GROUP Value

For this to work, choose a RESTRICT_SYSLOG_GROUP that doesn’t exist in your /etc/group yet.
For example:
RESTRICT_SYSLOG_GROUP = "syslog"
You can add users to this group by changing /etc/csf/csf.syslogusers and then restarting lfd. This will create the system group and add the users from csf.syslogusers to that group, if they exist. This list will include all the system, ControlPanel, or DirectAdmin users. It will include root, daemon, sshd, etc. For a complete list of all users on a Linux system use the command:
cut -d: -f1 /etc/passwd

How To Install mod_cloudflare for Apache httpd

mod_cloudflare for Apache for Logging Real Visitor IP Addresses

Cloudflare acts as a proxy and can help you speed up your website, whether static or dynamic. After switching to Cloudflare, you will notice that all your website visitors’ IP addresses appear to be coming from Cloudflare IP addresses. Here mod_cloudflare for Apache httpd comes in handy. Read more about the reasons for this at their website.

If you want Apache to log the real IP addresses of the websites’ visitors, you need to install the Apache httpd module mod_cloudflare. If you are not using cPanel or DirectAdmin on your server, the knowledge resource at the Cloudflare website will suffice: Technical Support mod_cloudflare

There are detailed instructions for the main Linux distributions used for servers (RedHat, CentOS, CloudLinux, Debian, and Ubuntu) together with the corresponding downloads.

You can find help with installing mod_cloudflare on cPanel servers on the same page. cPanel uses EasyApache to rebuild Apache httpd during updates.

mod_cloudflare for Apache on DirectAdmin Servers

On DirectAdmin servers, httpd is modified and updated by CustomBuild. Hence we use the httpd-includes.conf file, as it’s not modified by CustomBuild. Instead of using package managers, we install mod_cloudflare.c manually using apxs. apxs is a tool for building and installing extension modules for Apache. More info on the DirectAdmin website.

How To Update Software Directadmin

Software Directadmin vs Yum Software Manager Apt-Get

Generally we update Linux software using the yum command in CentOS and RedHat or apt-get in Debian and Ubuntu. YUM is a command line package manager for RPM program packages. Apt is a command line front end for the dpkg packaging system. Apt-get also takes care of dependency handling.

Update Software in Directadmin

Updating the software in DirectAdmin is done through the custombuild script. First navigate to the DirectAdmin custombuild directory.

cd /usr/local/directadmin/custombuild
This is the location of the custombuild script.

./build update
If you want to check if there are new updates available, you can execute the above command.

./build versions
This command will provide a list of packages that are installed or need an update.

./build update_versions
With the above command you can update the software to the available new versions.

How to change ssh port

Advantages of Changing SSH Port

First, I want to explain the reasons behind changing the ssh port of a server.
Why change the ssh port when you have a strong password and/or a certificate? Additionally, it is always good advice to use iptables rules to limit brute-force attacks. For example, you can limit login attempts per IP address/minute.
The main reason to change the port is that malicious internet users usually probe each IP address on well-known ports such as port 22. After collecting a list of IPs, they start password brute-forcing to guess usernames/passwords.
Although changing the ssh server port sounds like the right solution, it is very important to make sure the new port is not blocked by the firewall rules and doesn’t pose a conflict.

Strict User Policy Vs ssh port change

As I already mentioned, hiding the SSH port is not the right solution to the problems it purports to solve. There is a need for more than just some uncommon port to use. If you look around, you will easily find port scanning tools. These programs are used to find all open ports of a server. It may take some time to find the new port of the ssh server, but that will not prevent malicious users from brute-forcing the SSH server afterwards. As I already mentioned, here are the three points to consider when hardening the SSH server.
1. Imposing strong SSH passwords policy
2. Limiting the maximum amount of incoming SSH connections from a single IP
3. Limiting the connection attempts from a single IP on a time basis.
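
Points 2 and 3 can be expressed with the iptables connlimit and recent matches. The following is an added example, not part of the original post; the chain name SSH_LIMIT, the list name ssh, the function name and the default thresholds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: per-source limits for new SSH connections (points 2 and 3).
# IPT can be overridden, e.g. IPT="echo iptables" for a dry run.
IPT=${IPT:-iptables}

# ssh_limits PORT [MAXCONN] [HITS] [SECONDS]
#   MAXCONN  simultaneous connections allowed per source IP   (default 3)
#   HITS     new connections allowed per source IP in SECONDS (default 4 in 60)
ssh_limits() {
    port=$1 maxconn=${2:-3} hits=${3:-4} secs=${4:-60}
    for n in "$port" "$maxconn" "$hits" "$secs"; do
        case $n in ''|*[!0-9]*) echo "not a number: '$n'" >&2; return 2;; esac
    done
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 2; }
    # xt_recent's ip_pkt_list_tot parameter (documented default 20) bounds hitcount.
    [ "$hits" -ge 1 ] && [ "$hits" -le 20 ] || { echo "HITS must be 1..20" >&2; return 2; }

    $IPT -N SSH_LIMIT || return 1
    # Only NEW connections are counted; established sessions are untouched.
    # Inserted first so the limits run before any existing accept rule.
    $IPT -I INPUT 1 -p tcp --dport "$port" -m conntrack --ctstate NEW -j SSH_LIMIT
    # Point 2: cap simultaneous connections from one source address.
    $IPT -A SSH_LIMIT -p tcp -m connlimit --connlimit-above "$maxconn" \
         -j REJECT --reject-with tcp-reset
    # Point 3: drop a source that already made HITS new connections in SECONDS.
    $IPT -A SSH_LIMIT -m recent --name ssh --update --seconds "$secs" \
         --hitcount "$hits" -j DROP
    # Otherwise record the attempt and hand it back to the rest of INPUT.
    $IPT -A SSH_LIMIT -m recent --name ssh --set -j RETURN
}
```

Run it as root with the port sshd actually listens on, for example `ssh_limits 333`; the rest of the INPUT chain still has to accept that port.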

Actual Steps In Changing SSH Port

1. You will need an ssh connection to the server.
2. Use your favorite text editor. I am using nano.
nano /etc/ssh/sshd_config
3. Find the line # Port 22
Remove the # and change the port number to your desired one.
4. Restart the ssh server
service sshd restart
5. If you are logging in to your server with a public key instead of a password, you should look at the home directory of your local user (Unixes). Find the config file inside the .ssh directory, find the line
Port 22
and change the port number to the one of the server.

SSH Hardening Techniques

These are the top practices to harden ssh. In this article I am going to list the best and most important OpenSSH server security practices.
The SSH protocol is the best option when it comes to remote login, making backups, remote file transfer and so on. It is a must-have on any commercial server. It comes bundled with the installation of a CentOS, Debian Linux, Fedora Linux, FreeBSD, Gentoo Linux or Ubuntu Linux server.

1. Ssh is so powerful that it can pose a real breach of security.

If you don’t need it, remove its installation. If you are not sure whether sshd is installed on the server or not, use the chkconfig utility. chkconfig is a powerful utility. It can help you list all services or specify in which runlevel to start a selected service.
# chkconfig --list service_name
This command will list the service’s status (on or off) for each of the seven numbered runlevels.
# chkconfig sshd off
This command will switch off sshd in all seven runlevels.

2. Use only SSH version 2-compatible servers and clients whenever possible

In most Linux distributions the server suite comes with version 2 enabled by default. As a system administrator you should make sure that this is the case on your server. Make sure that the following line exists in the sshd_config file:
Protocol 2

3. Limit maximum authentication attempts.

It is advisable to limit the number of authentication attempts.
MaxAuthTries 3

4. Automatically log out unattended ssh sessions

You can set an idle timeout to force a logout after a period of inactivity. Open the sshd_config file, then uncomment and set the following values:

ClientAliveInterval XXX
ClientAliveCountMax 3

where XXX is an idle timeout interval in seconds. After this interval has passed, the idle user will be logged out.

5. Public key authentication

Using public key authentication is probably one of the most important steps in hardening ssh. Password authentication belongs to the past. Every server administrator should set up key-based authentication and use public keys instead of passwords.
Force users to use public key authentication by adding the following line in the /etc/ssh/sshd_config file:
PasswordAuthentication no

6. Change SSH Port

This approach gives security through obscurity. Although this is not considered the best approach to hardening ssh, it can help a lot. Here is the line you can add in /etc/ssh/sshd_config:
Port 333
The line above tells the server to listen for connections on port 333 only.
You can also specify the addresses sshd listens on:
ListenAddress 192.168.1.7
ListenAddress 192.168.1.14

If you change the port sshd to listen to another port, don’t forget to find the line that reads the port number to

7. Disable root login

It is best practice not to log in as the root user. Use a normal user account to initiate your connection instead, together with sudo. Direct root logins may result in bad accountability of the actions performed by this user account.
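
The checks from this list can be automated. The script below is an added example, not part of the original article; it audits an sshd_config file for the settings recommended above, and the function names and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config file against the settings listed above.

# effective_value FILE KEYWORD
# sshd keywords are case-insensitive and the FIRST occurrence wins, so print
# the first uncommented value from the global section (nothing if unset).
effective_value() {
    awk -v key="$2" -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }                   # strip indentation
        /^#/ || /^$/            { next }         # comments and blank lines
        tolower($1) == "match"  { exit }         # global section ends here
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: prints findings, returns the number of FAIL lines.
audit_sshd() {
    f=$1; fails=0
    pw=$(effective_value "$f" PasswordAuthentication)
    root=$(effective_value "$f" PermitRootLogin)
    tries=$(effective_value "$f" MaxAuthTries)
    proto=$(effective_value "$f" Protocol)
    alive=$(effective_value "$f" ClientAliveInterval)
    count=$(effective_value "$f" ClientAliveCountMax)
    fail() { echo "FAIL $1"; fails=$((fails + 1)); }

    [ "$pw" = no ]          || fail "PasswordAuthentication=${pw:-unset}"
    [ "$root" = no ]        || fail "PermitRootLogin=${root:-unset}"
    [ "${tries:-6}" -le 3 ] || fail "MaxAuthTries=${tries:-unset (default 6)}"
    # Current OpenSSH speaks only protocol 2, so a missing Protocol line is fine.
    [ "${proto:-2}" = 2 ]   || fail "Protocol=$proto"
    if [ "${alive:-0}" -gt 0 ]; then
        # sshd disconnects after Interval * CountMax seconds without a client reply
        echo "INFO unresponsive clients dropped after $(( $alive * ${count:-3} ))s"
    else
        fail "ClientAliveInterval=${alive:-unset}"
    fi
    return "$fails"
}

# Constructed samples. In the weak one the later "no" is ignored by sshd.
sample_weak() {
    printf '%s\n' '#Port 22' 'PermitRootLogin yes' \
        'passwordauthentication yes' 'PasswordAuthentication no'
}
sample_hardened() {
    printf '%s\n' 'Port 333' 'Protocol 2' 'MaxAuthTries 3' 'PermitRootLogin no' \
        'ClientAliveInterval 300' 'ClientAliveCountMax 3' 'PasswordAuthentication no'
}

tmp=$(mktemp) && sample_weak > "$tmp"
audit_sshd "$tmp" || echo "$? finding(s) in the weak sample"
rm -f "$tmp"
```

On a live server, `sshd -T` prints the effective configuration, including Match blocks and Include files that this parser does not follow.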

How To Use Public Key Authentication Instead Of Password

Password Login Belongs To The Past

Public key authentication is easier and more reliable compared to the old-fashioned password-based login. Keys are basically less prone to brute-force attacks.
If you want to force users to use keys, add the following line in /etc/ssh/sshd_config:
PasswordAuthentication no