In this article we demonstrate how to forward the root users Inbox to an external email address. An email heading to the root users local inbox will not be delivered to root but instead forwarded to the specified email addresses. Yes, we can forward to multiple addresses. Edit the “/root/.forward”
Read more
The cyber security threats are increasing and the solution either isn’t known or very poorly communicated to those who can actually make a difference. The later is my assumption and the topic of this article. No matter how many resources the authorities have, no matter how technologically advanced they are,
Read more
This article demonstrates how to rate limit Search Bots with NginX. Our objective is to allow all visitors high speeds while trying to slow down search bots. We’ll limit both kinds of traffic but our priority is to ensure real people have a nicer experience. We’ll be limiting search bots
Read more
This is a short example article showing how you can add an existing use to an existing group. Read the other Ansible articles on this blog site for more information about how YML files are formatted. — – hosts: all sudo: yes tasks: – user: name: myusername shell: /bin/bash groups:
Read more
We’ve got a virtual server that’s low on disk space. The system administrator responsible for the virtual machine has expanded the disk. Now we need to expand the filesystem to include the additional disk space. TIP: There are two ways we can do this. 1) Don’t expand the disk but
Read more
This article shows how to copy role permissions from one server to another. In other words, if you’re moving a database from one server to another and you want permissions to come across too, you’ll be interested in this article. if you have trouble wit this, make sure you run
Read more
The architecture that you decide to use for your Magento site will directly impact the performance of the online store. This article discusses a few alternative ways you can put the puzzle together. There are more and you can be creative with where you place your caching (Varnish) server but
Read more
This article shows how to check if your SSL key and certificate match. Why would you do this? Suppose you’ve just purchased a certificate and in the process mixed up your files OR perhaps the files aren’t named in the way the documentation suggests they are. Let’s first see what
Read more
This is how to change your Windows (Active Directory) password from a Linux system. First make sure you have “smbpasswd” installed. If not, install the “samba-common” package via YUM. The command to change your password is: smbpasswd -r dc.example.com The above specifies the domain controller that you want to change
Read more
Assuming you have used LetsEncrypt to generate (create) your SSL certificates, you can then run the following command to update those certificates. certbot renew Note that this was done with version: [root@server]# certbot –version certbot 0.14.1 You may have to restart the web server having run the above command.
Read more
It’s an hour (give or take) but an excellent watch. The sound isn’t great so lift the volume or use headphones. https://www.youtube.com/watch?v=LWwaVe1RF0c&t=2s
Read more
There is talk of weakening Cybersecurity in an attempt to make it easier for authorities to listen in on criminal communications. The two obvious arguments against this are a) weakening security hurts everyone, and b) criminals will simply shift to other methods of communication. I will discuss both of those
Read more
https://www.schneier.com/blog/archives/2017/07/australia_consi.html#comments I’ll be writing more on this in the coming days. I honestly hope this is not how it plays out.
Read more
This article demonstrates how easy it is to limit users SSH’ing into your system to just Rsync and/or SCP. We’re using CentOS 6 for this demo. For example, suppose you want to allow users (or a script on a remote system) to SCP or Rsycn files to and from a
Read more
In this article, I am arguing that a regulated Information Technology industry will result in higher quality systems and software and a new focus on security. Australia is about to create a new cyber warfare division within the Australian Defence Force. Whilst the details are still secret, the objectives will
Read more
This article covers server backups and guides you through the process of designing a backup plan. The process will result in a data backup plan that the business is comfortable with. How much data and time can your business lose without damaging your reputation and income? When a disaster hits,
Read more
If you are trying to enable PIN or Fingerprint login options and you find that these options are disabled (with the message “Some settings are managed by your organization”), this is because it is done by Microsoft design. To resolve this you need to enable the “Turn on convenience PIN
Read more
This article explains how to add new maps to Minecraft. We’re working with a Linux server and we’re going to download maps from public download sites. We’re starting with a working Linux Mincraft server. See how to start from scratch with Minecraft on Linux here “https://www.agix.com.au/minecraft-server-linux-centos-7/”. So far i’m yet
Read more
This article shows how to run a Minecraft server on CentOS or Redhat 7. We’re going to download Minecraft, put it in the right place, open the right firewall ports, start Minecraft with sensible settings and run it in a state that we can change things later without having to
Read more
Hi all, If you are getting a Reset Node Error when you are opening your WSUS console on Windows Server 2012 R2, first attempt to restart all associated Windows services (Update Services, WID / SQL, etc.). If that has not fixed it, open a command prompt with elevated privileges and
Read more
This article walks you through adding a volume to a CentOS 7 / Redhat 7 EC2 while it’s running. In this example we’re going to replace the “/var/log” directory with a larger one to prevent the system from running out of disk space due to large logs. Log into AWS
Read more
If you are using Windows backup and want to back up to multiple USB drives, you may receive the above error when configuring the second additional USB drive. If you do, execute the following steps to add it manually. Run Command Prompt under an administrator elevation. Run the following command
Read more
This article is a template for you to copy and modify to fit your business needs. The security baseline described here is for a business. Scope This document described the baseline security posture of business servers. The server may be in the cloud or local infrastructure. The operating system is
Read more
A great article worth your time to read taking into account recent Edwin Snowden comments. The article compares the popular VPN types in use today. The best one? OpenVPN followed closely by IKEv2 (+IPSec). Personally i’d go for IKEv2 if i had a mixed environment (Windows and Macs) and if
Read more
This article is a template for you to copy and modify to fit your business needs. The security baseline described here is for a business. Scope This document described the baseline security posture of business workstations. A workstation is either a desktop computer or laptop or similar. A workstation is
Read more
Think SSL protects websites? Think again. Check out this article and proof-of-concept “https://www.xudongz.com/blog/2017/idn-phishing/”. Try it yourself. Check out this article.
Read more
For those of you who follow my articles, you’d know that i’m a fan of the cloud. But more than that i’m a fan of using the right tool for the job. The decision on whether or not to use the cloud in your business should be an informed one.
Read more
It’s pretty simple to hide what you’re doing online. You’ve basically got two options, a) use a VPN, and b) use TOR. I’ll discuss both here. I’m simply sharing this information to answer questions. I’m not suggesting you use this for any dark reasons. Be good! The simplest way to
Read more
This article shows how you can backup all of your running EC2 instances using a Bash script. In this example we’re ensuring the machines are not rebooted at any time in the process. Also, these images are AMI file that we’d eventually delete because they will simply grow in numbers
Read more
It’s completely silly to compare web browser power usage over anything short of hours of usage by people doing the same thing. In this short article i simply leave the browser windows open for a short period of time, idle, and using websites that i use daily. So yes, this
Read more
For times when standard broadband isn’t available, 4G may be a viable short term solution. This article notes what you need in order to get your service working. In this article we’ve used the TP-Link TL-MR6400 4G router. It has no ADSL capability. It has 4 ethernet ports, supports 802.11n
Read more
So you have a MySQL database and it’s running like a dog. A slow dog, not one of those fast ones. This article is for you. Actually, this article is more of a story about a recent problem a client had with a large Magento database that had become too
Read more
This HowTo shows how to install ClamAV and schedule scans using Ansible. There are Ansible modules for this but it’s so simple that you might as well just do it yourself. Create your playbook. Put the following into a file called “ansible-play-install-clamav.yml”. — – hosts: all sudo: yes tasks: –
Read more
I dare you to find just one other article explaining how to expire a user account using Ansible. You didn’t and that’s why you’re here. An amazingly undocumented (well, there is doco but it’s rubbish) facility that’s more important than creating the user account in the first place. Note that
Read more
I’ve written about wordpress plenty of times and this time is on how to secure a wordpress installation. Specifically, i have been responsible for a few sites that’ve recently been hacked. Essentially the “bad guys” found a way to upload some files onto the sites and then execute php scripts
Read more
Tripwire is a great tool to monitor your server for changes. Skip past my rant to get into the guts of it. Otherwise, enjoy! We all use wordpress because it’s easy to install, there’s plenty of people out there to create themes and it’s so easy to work with. The
Read more
All sysadmins need to know the state of the servers they look after. CloudWatch lets sysadmins monitor their Amazon AWS resources and be alerted when things go wrong. And by wrong, i mean “out of the norm”. For example, if the CPU goes above a percentage, we should be notified
Read more
OpenShift doesn’t allow remote access to MySQL gear. You have to use IPTables to work around this limitation. The good news is that it’s a simple process. This article is a walk-through showing how i’ve done it. First we need to get the application ID of the OpenShift application we’re
Read more
Some commands take longer to complete than your willing to wait. In times like this you can have the results emailed to you with this very simple trick. Here’s a basic example: echo “apples” | mail -s “test” me@example.com – The above would send the email right away with the
Read more
Ansible supports “variables” just like any scripting language. Actually, Ansible uses the YAML format and YAML supports variables. Confused, don’t be. It’s simple. You don’t need to know YAML to use Ansible and i bet you’ve already got things working with Ansible enough that you’re ready to start expanding your
Read more
We recently had a client who couldn’t sudo to become root. They received an error indicating that the “/etc/sudoers” file was corrupt. Being security minded people, they’d prevented the root user from logging in via SSH – which is a good idea by the way. Their only options were to restore
Read more
Apache has plenty of access control features that can help prevent unauthorised access to key parts of your site. This article is about giving a 404 (access denied) response when someone tries to access specific files on your site. In the examples below, we’ll be restricting access to two PHP
Read more
Amazon doesn’t allow you to list or export your EC2 details using their web interface, at least not yet. Until then you have to use the “aws” command. Otherwise known as the “aws cli”. But it’s easier than you think. Get the “aws” cli tool from here: Windows: http://docs.aws.amazon.com/cli/latest/userguide/installing.html#install-msi-on-windows Mac
Read more
Developers love by Git (or any repo, really) but we sysadmins generally don’t care. If the web-server is running and the modules are available, we’re happy! But there are times when a developer asks that a web-server be provisioned with the necessary php modules and also a place for them
Read more
There’s a million things you need to do to get one-to-one NAT working. This is my checklist – a list that’s saved my bacon many-a-time. Let’s suppose the situation is that you have a single host with multiple virtual machine running in it. The host has a network connection to
Read more
Sometimes we want to run a single command at a later time. We could use Cron but that’s more for running commands every day, week, month, etc. Instead we can use the “at” command. The “at” command works in 24 hour time. So to run something at “12:15” means running
Read more
Varnish makes a great load balancer with a very simple configuration process, tolerance features and exceptional caching performance. Things have changed between version 3 and 4 so this article gives an example of how to build a load balancer with Varnish 4. vcl 4.0; import std; import directors; #Specify the
Read more
I can’t say enough good about pfSense. Having said that, i’m not against Cisco devices, Linux and BSD and other proprietary firewall devices and systems. But the PF does stand out as a great option. Like always, it’s about the right tool for the job and in this is what
Read more
To have a website secured with SSL, the administrator needs to generate some files, send them off to an authority, get more file back and put them on the server where they are used to provide the security of SSL. Obvious. But the questions is, “what are these files?”. First
Read more
Which is better for your small business router/firewall? We’re comparing pfSense, Cisco and Linux / BSD. I realise pfSense is based on BSD. I realise there are millions of ways to configure a Linux or BSD server. And i realise there are hundreds of Cisco router/firewall models. That’s not the
Read moreYou can easily see how hard (or not) a Redhat or CentOS system was running on any given day within the past month. For example, if you want to know how hard a system was working three days ago, you can. Here’s how. The “sar” command shows “todays” performance. It
Read moreGoogle puts offline settings all over the place. It would be nice if there was a button in the G-Doc interface somewhere that said “Enable offline more for my documents” but sadly there isn’t. But it’s not hard to enable. Here’s how: In this example, i’ve used “example.com” as my
Read moreThis is how to resolve the CORS issue on an Apache server. The short of it is that a web page may require the browser to make Jquery calls to another server which rightfully rings alarm bells. Add the following to the Apache vhost on the target server – where
Read moreThis article demonstrates how to install VirtualBox on CentOS 7 and RHEL systems. cd /etc/yum.repos.d/ wget http://download.virtualbox.org/virtualbox/rpm/rhel/virtualbox.repo rpm -Uvh http://epel.mirror.net.in/epel/7/x86_64/e/epel-release-7-8.noarch.rpm Install required packages: yum install gcc make patch dkms qt libgomp yum install kernel-headers kernel-devel fontforge binutils glibc-headers glibc-devel Check where the kernel headers went. We need that for a
Read moreThis article demonstrates how to install Vagrant on CentOS 7 and RHEL. Note that as of recently, Vagrant is installed differently. Download it for your OS here “https://www.vagrantup.com/downloads.html”. The following is only if you want to do it the old way. sudo yum install ruby sudo gem install vagrant Find
Read moreThis article explains how to set the inode limit on a tmpfs on a CentOS or RHEL server. The default inode limit may be too small if you intend to store many small files on it. The following will set the tmpfs resource to 2GB with a default inode limit
Read more
This article explains how to send SSH commands (SSH, SCP, SFTP) to a remote server using php. In this example we have a working php56w installation with Apache. We’re using CentOS 7. SELinux is enabled. Download the libraries: https://sourceforge.net/projects/phpseclib/files/phpseclib1.0.5.zip/download Unzip the files into a new library directory: # Go to
Read moreThe OpenSSL team have released an advisory to upgrade to version 1.1.0c. Read the notice here: “https://www.openssl.org/news/secadv/20161110.txt”. Redhat’s article can be found here: “https://access.redhat.com/security/cve/cve-2016-7054”. Severity: High TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue
Read moreThis article explains how to migrate your Moodle to Enterprise LMS. My objective here is to migrate the entire Moodle including theme, plugins, users and course data from my Moodle to eLMS. I need SSH (command line) access to my Moodle for this to work because i need to backup
Read moreThis article is a walk-through of how to use Siege to load (or performance) test a website. In this example the target is the Magento application. The question is “how many visitors can the target site handle while keeping page maximum load times below 10 seconds”? There are add-on tools
Read moreHonestly, the next time i am on the receiving end of an IT audit and am asked if the workstations have antivirus installed, i’ll go crazy! It’s like all auditors who aren’t “real auditors” simply go through the same old questions and fail to ask the questions that matter. I
Read moreThis is a list of things i do every time i log into a Linux server. It’s habit now and something you might consider doing too. Essentially we want to know who’s on the server, what the server state is and how different it is to normal. Check who’s on
Read moreIf you try to rsync a subset of many files from a single directory, you might get the error “Argument list too long”. Actually, you can get this error with many bash commands. This article explains how to work around it. rsync -avz /images/* cdn.example.com:/images/ -bash: /usr/bin/rsync: Argument list too
Read moreSpam starts and ends with us technicians. It’s our servers that get compromised and it’s our servers that receive it at the other end. With this in mind, we need to ensure only “good” email is going out to the Internet and only “good” email coming in from the Internet.
Read moreThis article explains how Varnish, Apache and NginX fit together and/or differ. Varnish is an excellent cache and speeds up web-sites significantly. Terminate the HTTP connection at Varnish on port 80 and point Varnish internally to an NginX server listening for HTTP on port 81 (they can’t both be on
Read moreAGIX is proud to be part of a very exciting project to build the Rolls-Royce or Moodle hosting services. The business is called Enterprise LMS (www.enterpriselms.com) and AGIX has been working with the eLMS team to get the new platform up and running and ready for use. Right now the
Read moreIn this article we’re adding a Samba 3 server to a Workgroup and configuring the Samba server to serve a printer. This article includes CUPS but not Printer Drivers. I’ve made some comments at the end of this article which are worth your time to read if you need direction
Read moreIf you’re a system administrator and you’ve been asked to create a WordPress Multisite, you’re in the right place. You simply need to add the following line to the “wp-cofig.php” file right above the “/* That’s all, stop editing! Happy blogging. */” line. define(‘MULTISITE’, true); define(‘SUBDOMAIN_INSTALL’, true); define(‘DOMAIN_CURRENT_SITE’, ‘blog.example.com’); define(‘PATH_CURRENT_SITE’,
Read moreAs part of your IT Security policy, you should consider that modern scanners (possibly part of a multi function device) have hard disks which store scanned documents. These hard disks would allow others who acquire your discarded scanner to view your scanned documents. My suggestion is to remove the hard
Read moreThis article shows how to set and change the speed and duplexing of an Ethernet device. You can see more examples at “http://www.cyberciti.biz/faq/linux-change-the-speed-and-duplex-settings-of-an-ethernet-card/”. View the current settings: mii-tool The output will be something similar to the following. Notice only physical network devices are listed. eth0: negotiated 1000baseT-FD flow-control, link ok
Read moreThis article shows an example configuration for NginX with php-fpm on CentOS 7. This is not a HowTo but rather something for you to copy/paste to help you on your way. The website domain is “www.example.com” and we’re serving SSL as well. You can ignore that part if you like.
Read moreThis article demonstrates how to upgrade php-fpm to 7.0. This information is based on “https://webtatic.com/packages/php70/”. Get the repositories ready: rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm Do the upgrade: yum install yum-plugin-replace yum replace php-common –replace-with=php70w-common Confirm your work: php -v
Read moreThis article shows how to expand a filesystem on a CentOS 7 or Redhat Enterprise Linux 7 system by adding a second disk/filesystem. The disk in this example is “/dev/sda” and it has two filesystems on it “/dev/sda1” and “/dev/sda2”. There is plenty of unused disk space available no “/dev/sda”.
Read moreThis article walks you through the process of building a very simple program in assembly language in 5 minutes. Tutorial programs usually go by the name “Hello World” because that’s all they print out to the screen. Plenty of this information came from: http://www.tutorialspoint.com/assembly_programming/assembly_environment_setup.htm. Install the tools. yum install nasm
Read moreThis article demonstrates how to configure a Squid transparent proxy. We’re using CentOS or Redhat here but the configuration its self will work on any distribution. Note that Debian related distributions call it “squid3” while Redhat related distributions just call it “squid”. A few extra notes. We’re going to be
Read moreThis is a short howto to hide the Apache version information on a CentOS or similar server. Open the file “/etc/httpd/conf/httpd.conf” and change the following options to be as detailed below: ServerTokens ProductOnly ServerSignature Off Now restart Apache and the version should be hidden.
Read moreThis howto describes how to keep an Apache server up to date with SSL security. Test your own server at: https://www.ssllabs.com/ssltest/analyze.html Run the above SSL scan first and then, if you score less than an “A”, continue on to make these changes. Edit the following in your “/etc/httpd/conf.d/ssl.conf”: SSLProtocol +TLSv1.2
Read moreThis article explains step by step how to create (spin up) an EC2 instance within AWS using Ansible and a few extras. Unlike 100% of other articles out there, this one actually demonstrates how to do it. Pay attention to the date of this article because things DO change over
Read moreAmazon has a head-start with AWS IaaS services. We use AWS at AGIX by default because we know what they have to offer and we know what to expect with pricing and performance. We also have automation tools that work well with their stack. We’re often asked for alternatives for comparison
Read moreWhen logged into the Varnish server, you can see which requests are most common using the commands below. These will help determine popular content and also assist with troubleshooting during high-load times. The following command shows the requests from the Internet to Varnish: varnishtop -i TxURL The following command shows
Read moreJust a simple script thrown together to record the time and date of an outage on a server using ping from a Windows machine. You can view the data in Excel from this script if you set excel to separate the file using carriage returns. @ECHO OFF echo Monitoring Server
Read moreThis article explains how to get around the problem of remote access to a non-public RDS database within Amazon’s AWS. The problem is that RDS databases can be set to public or private when being created but are not easy to change later due to DNS issues. There are ways
Read moreThis article is an example of a “/etc/ssh/sshd_config” file that forces the use of SSH keys. Password logins are disabled. Root logins are disable too. Tip for testing: You can login as root, apply these settings and then test it with a second session – this won’t kick you off
Read moreJust lately I reinstalled my Gentoo server and when it came to putting Handbrake back on the system Portage began complaining that it was failing to emerge automake version 1.11.6. After checking the system I could see that I already had version 1.15 but that should not be causing the
Read moreThis article demonstrates how to add Letsencrypt SSL certificates to a CentOS 7 apache server. Some information for this article was obtained (and simplified) from here: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7 This is the minimum you’d do to get Letsencrypt working on your CentOS 7 or RHEL 7 server. We’re keeping SELinux on and
Read moreThis article demonstrates how to disable logging for the bind / named service. Why? Because you may not like DNS errors filling up your logs. Unlike most of our articles, this is not focused on CentOS or Redhat. Add the following to the end of you “/etc/named.conf”. This file sometimes
Read moreI’ve previously documented how to configure Rsyslog to store logs in MySQL which gives a good tutorial on setting up MySQL as the Rsyslog backend and also remote logging to that Rsyslog server. To extend on that, you can easily view and filter the logs using the php web-app below.
Read moreThis article explains how to use TCPWrappers to control which hosts can connect to a server using SSH. The two files we’ll be using are “/etc/hosts.allow” and “/etc/hosts.deny”. As the names imply, we’re controlling which “hosts” can access the server, not which users. Find out more here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-tcpwrappers-access.html Why not
Read moreThis article explains how to create an Rsyslog server that logs to MySQL (MariaDB). We’ve used CentOS 7 for this article. A few tips to save you time: 1. If you’re logging from a remote node to this server, make sure you have proper host names because that’s what ends up
Read moreThis article explains how to install and configure periodic scans with ClamAV on CentOS7 or Redhat (RHEL) 7 servers. Much of this came from “https://ismailyenigul.wordpress.com/2015/01/05/install-clamav-on-centos-7/”. I’ve updated this article with a work-around for the (seemingly common) cron issue. Clamscan doesn’t seem to run from “/etc/cron.d/whatever” but does from “crontab -e”. Install
Read moreThe .htaccess file can restrict access to web browsers to specific things. I’ve written about this (on this blog) previously. However, here i talk about file types. The snippets below are (or can be) the entire contents of the .htaccess file. Prevent access to bash files that shouldn’t be in
Read moreRecently i wrote about the importance of a sensible IT setup for small businesses. See it here http://www.agix.com.au/?p=5422. I discussed security but skipped a-lot to keep it simple. This document goes further into depth. A well thought and simple computer network goes a long way to good security but the
Read moreI update this article periodically to keep it current. The principles never change though. Who should read this? Those who are responsible for small business IT systems. Do things the right way. When staff ask why things aren’t as simple or easy as they’d like, you know their expectations of business
Read moreA distributed denial of service attack (or DDoS) will either bring your server down or significantly degrade its performance. This article explains a quick way to tackle the problem. The IPTables firewall rules that follow ensure packets are limited to a set number per period of time. This rule will
Read moreJust a quick reference for setting up your Gentoo server to get its time from an NTP server either local or on the Internet. Get NTP onto the machine emerge –ask -jv ntp Edit the NTP config vi /etc/ntp.conf Comment out the servers that you do not need and add
Read moreCreate the key and set a passphrase: openssl genrsa -des3 -out server.key 2048 Create the csr file making sure the CN (common name) matches whatever domain name it represents such as “www.agix.local”. This requires the passphrase from the step above: openssl req -new -key server.key -out server.csr Remove the passphrase:
Read moreTest the remote servers HTTPS certificate: openssl s_client -showcerts -connect www.agix.local:443 Test the remote servers SMTP STARTTLS certificate: openssl s_client -connect mail.agix.local:25 -starttls smtp
Read moreThis playbook will add the script “myscript.sh” to the target machine(s) “/etc/cron.monthly” directory thereby having it run each month by cron. You can simply change the location to have it go into one of the other cron.x locations. I’ve used ansible version “ansible 1.9.4”. — – hosts: all sudo: yes
Read moreYou’ve dumped a DB from MySQL and didn’t use the “–no-triggers” option. Now you’re trying to import your data into RDS MySQL which complains that: ERROR 1227 (42000) at line xxx: Access denied; you need (at least one of) the SUPER privilege(s) for this operation You can solve this by
Read moreMinor cause of frustration when you are installing Apache on a server that some one else has configured, is that if they have not setup the hosts file correctly apache will refuse to start. The error is in /var/log/apache2/error_log and looks like below: Name or service not known: mod_unique_id: unable
Read more