brent

In this tip we will see how to use the terminal to check and change the current speed of your network card under Ubuntu or any Debian-based system. This tip will be useful for those having incorrect network card speed that is running for example at 100Mb/s rather than 1000Mb/s. To check the current network card speed, we will use the "ethtool" command line utility. To install it under Ubuntu/Debian, run the following command: sudo apt-get install ethtool Replace "eth0" with your own network interface (eth1, eth2, etc.). Here are the outputs returned for my system (speed is displayed under the "Advertised auto-negotiation (...) line): ~$ sudo ethtool eth0 Settings for eth0: Supported ports: [ TP ] Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full Supports auto-negotiation: Yes Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full Advertised pause frame use: No Advertised auto-negotiation: Yes Speed: 100Mb/s Duplex: Full Port: Twisted Pair PHYAD: 0 Transceiver: internal Auto-negotiation: on MDI-X: Unknown Supports Wake-on: umbg Wake-on: d Current message level: 0x00000007 (7) drv probe link Link detected: yes To change for example the speed of your network card from 100Mb/s to 1000M/s, run this command: sudo ethtool -s eth0 speed 1000 duplex full autoneg off

PhpMyAdmin is a great easy to use web admin interface for your mysql databases. The one down side is it can be a security threat. Seems like many bots on the internet just go looking for phpmyadmin installed on web servers. Then run automated attacks. If you have logwatch installed you may often see many failed attempts To add an extra layer of security you can prevent any one from accessing phpMyAdmin except by defined IP address. We will be setting this up on an Ubuntu 12.04 Server. Before we begin we will need to know the IP Address that you will be using to connect to phpmyadmin. If the server you are going to be accessing is hosted or on another network you can use http://whatismyip.com to find your external address. Login to your server at the console or using SSH to connect to it remotely. The file we will be editing is /etc/apache2/conf.d/phpmyadmin.conf. In this example I am going to use command line text editor nano to keep things simple. If you preffer to use another text editor like vim or emacs feel free to do so. sudo nano /etc/apache2/conf.d/phpmyadmin.conf Add the following code. Note: Remove the "#" from the from of the thrid line and replace ENTER.YOUR.IP.ADDRESS with the IP address you wish to allow. Also If you are behind a router you may want to use your router IP eg: 192.168.2.1 Order Allow,Deny Allow from 127.0.0.1 #Allow from 192.168.2.106 Now lets restart apache. sudo /etc/init.d/apache2 restart

Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), TLS and running in a chroot environment. Postfix is Wietse Venema's mailer that started life as an alternative to the widely-used Sendmail program. Postfix attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different. This software was formerly known as VMailer. It was released by the end of 1998 as the IBM Secure Mailer. From then on it has lived on as Postfix. This rpm supports LDAP, SMTP AUTH (trough cyrus-sasl) and TLS. Lets get started. First of all we need to install postfix sudo apt-get install postfix sudo /usr/lib/ssl/misc/CA.sh -newca CA certificate filename (or enter to create) (press Enter here) Making CA certificate ... Generating a 1024 bit RSA private key ..........++++++ .........++++++ writing new private key to './demoCA/private/./cakey.pem' Enter PEM pass phrase: <type a password here> Verifying - Enter PEM pass phrase: <retype the password> ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: <enter> State or Province Name (full name) [Some-State]: <enter> Locality Name (eg, city) []: <enter> Organization Name (eg, company) [Internet Widgits Pty Ltd]: <enter> Organizational Unit Name (eg, section) []: <enter> Common Name (eg, YOUR name) []: <your name> Email Address []: <your email> Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: <enter> An optional company name []: <enter> Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/./cakey.pem: <same password as before> Check that the request matches the signature Signature ok $ openssl genrsa -out NAS.key 1024 Generating RSA private key, 1024 bit long modulus $ openssl req -new -key NAS.key -out NAS.csr -days 3650 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: <enter> State or Province Name (full name) [Some-State]: <enter> Locality Name (eg, city) []: <enter> Organization Name (eg, company) [Internet Widgits Pty Ltd]: <enter> Organizational Unit Name (eg, section) []: <type something here, this must be different from above> Common Name (eg, YOUR name) []: <your name> Email Address []: <your email> Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: <enter> An optional company name []: <enter> $ openssl ca -days 3650 -crldays 3650 -out NAS.pem -infiles NAS.csr Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: <same password as before> Check that the request matches the signature Signature ok Certificate is to be certified until Oct 18 11:08:58 2021 GMT (365 days) Sign the certificate? [y/n]: <type y> 1 out of 1 certificate requests certified, commit? [y/n] <type y> Write out database with 1 new entries Data Base Updated sudo mkdir /etc/postfix/certs sudo cp NAS.key NAS.pem /etc/postfix/certs sudo cp /etc/ssl/certs/Equifax_Secure_CA.pem /etc/postfix/certs/cacert.pem sudo nano /etc/postfix/sasl/sasl_passwd and enter your email account and password. You can create a new gmail account if you are not happy to leave your password in the file. Also in case you sometimes change your own gmail password, you dont have remember to change it here. The file should look like this: gmail-smtp.l.google.com [email protected]:mypassword smtp.gmail.com [email protected]:mypassword Change the permissions of the sasl_passwd file with: sudo chmod 400 /etc/postfix/sasl/sasl_passwd We want to make a backup of postfix main.cf file: sudo cp /etc/postfix/main.cf /etc/postfix/main.cf.orig sudo nano/etc/postfix/main.cf This is how the main.cf will look. # See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = no # auth smtp_sasl_auth_enable=yes smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd # TLS client side certificate smtp_use_tls = yes smtp_sasl_security_options = noanonymous smtp_sasl_tls_security_options = noanonymous smtp_tls_note_starttls_offer = yes tls_random_source = dev:/dev/urandom smtp_tls_scert_verifydepth = 5 smtp_tls_CAfile = /etc/postfix/certs/cacert.pem smtp_tls_key_file=/etc/postfix/certs/NAS.key smtp_tls_cert_file=/etc/postfix/certs/NAS.pem smtp_tls_enforce_peername = no # TLS parameters smtpd_tls_ask_ccert = yes smtpd_tls_req_ccert =no smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. myhostname = NAS alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases mydestination = NAS, localhost.localdomain, , localhost #relayhost = relayhost = [smtp.gmail.com]:587 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all sudo postmap /etc/postfix/sasl/sasl_passwd sudo /etc/init.d/postfix reload from the box you will send emails from, login with your browser to: http://www.google.co...ayUnlockCaptcha and unlock your IP to allow you to send email from postfix Open two terminals: In one type tail -f /var/log/mail.log and in the other do your test to send out an email: lets send a test email telnet 127.0.0.1 25 EHLO test MAIL FROM: <from-email> RCPT TO: <recipient-email> DATA Type message here. <Enter>.<Enter> (press enter, type a dot, press enter) QUIT

If you are running a headless server and would like to see what the processor you are using then here is the steps. cat /proc/cpuinfo and to see the cores grep -c processor /proc/cpuinfo

If you go into /boot and do a ls chances are you are going to have a very long list of images sitting in there. all these images are taking up memory. In order to remove them completely. take in mind it is always good to keep an older kernel after an upgrade in case an issue arises. but if you have the latest kernel and everything is working fine and you want to free up some space then here is the script that you will want to use to remove all of the bloat.. dpkg -l 'linux-*' | sed '/^ii/!d;/'"$(uname -r | sed "s/\(.*\)-\([^0-9]\+\)/\1/")"'/d;s/^[^ ]* [^ ]* \([^ ]*\).*/\1/;/[0-9]/!d' | xargs sudo apt-get -y purge

Using sub-domains is a good way to organize your website. example.com is what we will call the parent domain. You could have many different parts to your website. For example you could have forums, books, music, really anything. so instead of having all your components to your website lay in the same directory /var/www you could go a step further and organize it. Here is an example of how you could structure /var/www using sub-domains /var/www/example.com/html { Main domain } /var/www/example.com/logs {apache logs for site} /var/www/music.example.com {subdomain} /var/www/media.example.com {subdomain} By using this type of structure to set up sub-domains all your website components eg: forums, music, books wont have to all be in the root directory of the website. Do you like www.example.com/forums? or would you rather see forums.example.com? Here is how we accomplish this. We need to navigate to cd /etc/apache2/sites-available/ Now we are going to create our sub-domain file. sudo nano forums.example.com We will use a virtual host here is what it will look like. <VirtualHost *:80> ServerName forums.example.com ServerAlias www.forums.example.com DocumentRoot /var/www/forums/ </VirtualHost> <Directory /var/www/forums/> Options -Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all </Directory> If you want your individual site logs to reside in /var/www/subdomain.example.com/logs you need to create the logs/ directory in the root of your sub-domain directory. Once directory is created you need to modify your host file to look like the below. <VirtualHost *:80> ServerName forums.example.com ServerAlias www.forums.example.com DocumentRoot /var/www/forums.example.com </VirtualHost> LogLevel warn ErrorLog /var/www/subdomain.example.com/logs/error-mysubdomainname.com.log CustomLog /var/www/subdomain.example.com/logs/access-mysubdomainname.com.log combined <Directory /var/www/forums/> Options -Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all </Directory> Next we will need to enable the site with apache2. sudo a2ensite subdomain.example.com Now we need to reload apache for the changes to take place. sudo /etc/init.d/apache2 reload Now all you need to do is create a folder in /var/www called forums eg; /var/www/forums In order for you to be able to access the forums.example.com you will need to modify DNS and add an A record. You Can go to the registar where you got the domain and register the sub-domain and point it to your server, you could use a third party dns such as zoneedit to handle all your dns needs for your domain

vsftpd is a secure ftp daemon vsftpd - FTP Server Installation vsftpd is an FTP daemon available in Ubuntu. It is easy to install, set up, and maintain. To install vsftpd you can run the following command: sudo apt-get install vsftpd We need to set the passive ports I then insert two lines into /etc/vsftpd/vsftpd.conf as the following: pasv_min_port=5000 pasv_max_port=5025 If you are using a fire wall make sure that you allow these ports through, I use UFW sudo ufw allow 5000:5025/tcp Anonymous FTP Configuration By default vsftpd is configured to only allow anonymous download. During installation a ftp user is created with a home directory of /home/ftp. This is the default FTP directory. If you wish to change this location, to /srv/ftp for example, simply create a directory in another location and change the ftp user's home directory: sudo mkdir /srv/ftp sudo usermod -d /srv/ftp ftp After making the change restart vsftpd: sudo /etc/init.d/vsftpd restart Finally, copy any files and directories you would like to make available through anonymous FTP to /srv/ftp. User Authenticated FTP Configuration To configure vsftpd to authenticate system users and allow them to upload files edit /etc/vsftpd.conf: local_enable=YES write_enable=YES Now restart vsftpd: sudo /etc/init.d/vsftpd restart Now when system users login to FTP they will start in their home directories where they can download, upload, create directories, etc. Similarly, by default, the anonymous users are not allowed to upload files to FTP server. To change this setting, you should uncomment the following line, and restart vsftpd: anon_upload_enable=YES Enabling anonymous FTP upload can be an extreme security risk. It is best to not enable anonymous upload on servers accessed directly from the Internet. The configuration file consists of many configuration parameters. The information about each parameter is available in the configuration file. Alternatively, you can refer to the man page, man 5 vsftpd.conf for details of each parameter. Securing FTP There are options in /etc/vsftpd.conf to help make vsftpd more secure. For example users can be limited to their home directories by uncommenting: chroot_local_user=YES You can also limit a specific list of users to just their home directories: chroot_list_enable=YES chroot_list_file=/etc/vsftpd.chroot_list After uncommenting the above options, create a /etc/vsftpd.chroot_list containing a list of users one per line. Then restart vsftpd: sudo /etc/init.d/vsftpd restart Also, the /etc/ftpusers file is a list of users that are disallowed FTP access. The default list includes root, daemon, nobody, etc. To disable FTP access for additional users simply add them to the list. FTP can also be encrypted using FTPS. Different from SFTP, FTPS is FTP over Secure Socket Layer (SSL). SFTP is a FTP like session over an encrypted SSH connection. A major difference is that users of SFTP need to have a shell account on the system, instead of a nologin shell. Providing all users with a shell may not be ideal for some environments, such as a shared web host. To configure FTPS, edit /etc/vsftpd.conf and at the bottom add: ssl_enable=Yes Also, notice the certificate and key related options: rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key By default these options are set the certificate and key provided by the ssl-cert package. In a production environment these should be replaced with a certificate and key generated for the specific host. For more information on certificates see the section called “Certificates”. Now restart vsftpd, and non-anonymous users will be forced to use FTPS: sudo /etc/init.d/vsftpd restart To allow users with a shell of /usr/sbin/nologin access to FTP, but have no shell access, edit /etc/shells adding the nologin shell: # /etc/shells: valid login shells /bin/csh /bin/sh /usr/bin/es /usr/bin/ksh /bin/ksh /usr/bin/rc /usr/bin/tcsh /bin/tcsh /usr/bin/esh /bin/dash /bin/bash /bin/rbash /usr/bin/screen /usr/sbin/nologin This is necessary because, by default vsftpd uses PAM for authentication, and the /etc/pam.d/vsftpd configuration file contains: auth required pam_shells.so The shells PAM module restricts access to shells listed in the /etc/shells file. Most popular FTP clients can be configured connect using FTPS. The lftp command line FTP client has the ability to use FTPS as well.

First we have to install the samba server: (**Ubuntu 12.04**) sudo apt-get install samba smbfs (**Ubuntu 14.06**) sudo apt-get install samba cifs-utils To mount a smb share to a ubuntu server run click here Here is the steps to mount a drive to your ubuntu desktop click here or if you want to mount the drives using CIFS click here Now you need to configure samba. Lets open up smb.conf. sudo nano /etc/samba/smb.conf Here is a copy of my Samba conf file. *****NOTE***** I don't have home directory sharing enabled by default. I manually add them. #======================= Share Definitions ======================= # Un-comment the following (and tweak the other settings below to suit) # to enable the default home directory shares. This will share each # user's home directory as \\server\username #[homes] #comment = Home Directories #browseable = yes # By default, \\server\username shares can be connected to by anyone # with access to the samba server. Un-comment the following parameter # to make sure that only "username" can connect to \\server\username valid users = %S # By default, the home directories are exported read-only. Change next # parameter to 'yes' if you want to be able to write to them. writable = yes [global] server string = %h server (Samba, Ubuntu) map to guest = Bad User obey pam restrictions = Yes pam password change = Yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . unix password sync = Yes syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 dns proxy = No usershare allow guests = Yes panic action = /usr/share/samba/panic-action %d valid users = brent, brian, linda admin users = brent, linda write list = brent, brian, linda [printers] comment = All Printers path = /var/spool/samba create mask = 0700 printable = Yes browseable = No [print$] comment = Printer Drivers path = /var/lib/samba/printers [www] path = /var/www valid users = brent write list = brent [Brent] path = /home/brent valid users = brent write list = brent [Linda] path = /home/linda valid users = brent, linda write list = brent, linda [movies] path = /home/shares/movies valid users = brent, linda write list = brent, linda [Data] path = /home/shares/data valid users = brent write list = brent [subtitles] path = /home/shares/subtitles valid users = brent write list = brent [music] path = /home/shares/music valid users = brent, linda write list = brent, linda [pictures] path = /home/shares/pictures valid users = brent write list = brent [scans] path = /home/scans valid users = brent, linda write list = brent, linda [Work] path = /home/shares/work valid users = brent write list = brent Now you should be able to map a drive on windows using the following share format: \\ubuntumachine\username For example, if the Ubuntu machine is named ubuntuserv, and the username is unixmen, your share path would be \\ubuntuserv\unixmen Here is a copy of what my samba.conf file looks like To create the users you will need to run this command sudo smbpasswd -a your-user-name If your unix account has been disabled you will want to run the -e command sudo smbpasswd -e your-user-name Then restart the samba server with: sudo restart smbd

The CentOS 7 official software repositories have PHP 5.4 which has reached the end of life and no longer actively maintained by the developers. To keep up with the latest features and security updates, you need a newer (probably the latest) version of PHP on your CentOS 7 system. Installing PHP 7 on CentOS 7 1. To install PHP 7, you have to install and enable EPEL and Remi repository to your CentOS 7 system with the commands below. # yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm # yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm 2. Next, you need to install yum-utils, a collection of useful programs for managing yum repositories and packages. It has tools that basically extend yum’s default features. It can be used for managing (enabling or disabling) yum repositories as well as packages without any manual configuration and so much more. # yum install yum-utils 3. One of the programs provided by yum-utils is yum-config-manager, which you can use to enable Remirepository as the default repository for installing different PHP versions as shown. # yum-config-manager --enable remi-php70 [Install PHP 7.0] If you want to install PHP 7.1 or PHP 7.2 on CentOS 7, just enable it as shown. # yum-config-manager --enable remi-php71 [Install PHP 7.1] # yum-config-manager --enable remi-php72 [Install PHP 7.2] 4. Now install PHP 7 with all necessary modules with the command below. # yum install php php-mcrypt php-cli php-gd php-curl php-mysql php-ldap php-zip php-fileinfo Afterwards, double check the installed version of PHP on your system. # php -v You now have php7.0 installed