Basic squid authentication

Standard

squid.conf

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

# Choose the port you want. Below we set it to default 3128.
http_port 3128

Then on the command line add your user:
htpasswd -c /etc/squid3/passwords username_you_like

and restart squid
service squid3 restart
service squid3 restart

Procmail recipe – smart recipes

Standard

Smart recipes

I use the following handy recipe to forward puzzles that any friend sends to me, while I keep a copy of it myself. That is, I have to perform two tasks at the same time. Here’s how you can go about it:

# forward puzzles to a friend
#and also keep a copy
:0
* ^Subject:.*(puzzle)
{
  :0 c
  ! myfriend@buddy.com

  :0
  puzzle
}

Here we use a nested block (enclosed in braces) instead of an action line. This block allows us to put multiple recipes within it, which are used only if the parent recipe is true.

In both the recipes in the block, we don’t have any condition statements. In the first action, the c flag is used to copy the message. Typically, a message will only run through the first recipe that is true. That is, if we don’t use the c flag, we can’t run the mail through the second recipe. The bang (!) before the email address indicates we want to forward the mail. The second recipe in the block delivers the mail to the puzzle directory.

SOPHOS UTM 9 (Sophos SG Firewall) update firmware

Standard

NOTE: This description is NOT for Sophos XG firewall. That is a completely different product.

Easiest way to manually update / upgrade the firmware in Sophos UTM (aka ASTARO aka Sophos SG firewall) is via the ssh command line interface.

  1. Log into the SSH with Putty or from another ssh server and become root / su.
  2. cd /var/up2date/sys
  3. wget all the needed updates from http://download.astaro.com/UTM/v9/up2date/ :
    wget http://download.astaro.com/UTM/v9/up2date/u2d-sys-9.601005-602003.tgz.gpg
    etc….
  4. Make updates visible and available in the GUI with:
    auisys.plx -showdesc --verbose
  5. Run updates from the GUI or run this command to execute the updates / upgrades in the CLI:
    auisys.plx --verbose
  6. The system will automatically reboot when the updates / upgrades are done.

Continue reading

Setup Sophos XG firewall on Vultr.com virtual server

Standard

There are some tricks required to overcome Sophos’ install idiosyncrasies when trying to install Sophos XG firewall from ISO on a Vultr virtual server.

Sophos UTM (the predecessor) used to be easy to install, but with XG Firewall Sophos have gone back to inflexibility with some basics, that, in my opinion, are unnecessary (SOPHOS, these are things you should fix):

  • 2 network interfaces needed
  • Pre initialisation command line does not allow setting default gateway of any interfaces
  • Pre initialisation command line does not allow setting static IP of all interfaces (only on interface 1)
  • Changing network settings in web admin during initialisation causes loss of access (in this setup case)

So these problems require certain things from Vultr:

  • 2 instances (1 for the XG and another – Linux or Windows – to initially manage the XG)
  • 2 IP addresses in the same subnet (necessary because the XG will only see IPs in the same subnet)
  • Console access to the running instances, which is provided freely by Vultr.
  • Download link to Sophos’ XG ISO

Step by step what I did:

  1. Started 10 (yes ten) servers of the cheapest kind in the hope to get 2 IP addresses in the same subnet, which I did.
  2. Shutdown the other 8 servers as soon as possible, as they cost money.
  3. “Converted” those 2 IP addresses to “reserved IP addresses” – this way you keep them to assign them to the 2 instances you need for this setup process.
  4. Shutdown the 2 instances whose IP addresses you have taken.
  5. Download the Sophos XG ISO to Vultr
  6. Start an instance to install from that ISO and assign one of those 2 reserved IP addresses
  7. Go through the off ISO setup process for Sophos XG. Follow those instructions
  8. Remove ISO from instance. This will reboot the instance and setup will continue.
  9. Login and set the port 1 IP address to the IP address you have allocated above. Then the web interface becomes visible to this network subnet only.
  10. Start another instance of choice with the other reserved IP address in the same subnet. I used a Linux instance, which I ssh’d into and made a tunnel to the XG web interface https://<IP>:4444, but there is no reason (other than cost) why you could not use a Windows instance to access the same web interface from there.
  11. In the Sophos web interface setup enter new password, disable install new firmware and agree to license
  12. select “Continue offline” and confirm you want to continue
  13. Give your machine a name and select your timezone (although you can also change that later)
  14. Continue after basic setup complete.
  15. The next step is critical to get right put only the IP address and the subnet mask exactly like in the command interface in the “LAN Address and Internal Client Network Size” fields. Otherwise you will loose access to the instance and have to start from scratch.
    And disable DHCP
  16. Continue without ticks on network protection (can be changed later)
  17. put your email addresses in the next step  (can be changed later)
  18. Finish. The XG will reboot
  19. Once setup is complete go back into the web interface and login with your new password. You will get the normal XG web interface and you can then make the adjustments in your network settings to get internet access on your XG and register and update etc.
  20. IMPORTANT: make sure you give yourself access to the admin interface from the WAN link otherwise you are locking yourself out and you can start again. See System/Administration/Device Access

Optional extras:

  • I did not register or install licenses or even started a trial and only updated the XG after setup and then I made a snapshot of the XG, because I wanted to release the reserved IP address, as it costs extra unnecessarily. When you create an instance from the snapshot it will have a new dynamic IP address, which is different and you will need to set this in the console interface, which works perfectly for setting the default gateway after setup (Sophos, why not during setup?). Then you can access your new XG via the new IP address. (Yes you can start multiple, because each can get their own IP, serial number and license).
  • Shutdown all unneeded instances and delete the reserved IPs

 

 

Upgrade PHP and MySQL Centos 6.x

Standard

The method I found most simple is:

wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -ivh remi-release-6.rpm
vim /etc/yum.repos.d/remi.repo     (you need to enable the parts you want in this file)
yum -y upgrade php*
yum -y update
reboot

done.

Sentora virtual domains SSL setup – Let’s Encrypt Certificates

Standard

I won’t discuss here why you would want to use Let’s Encrypt Certificates, but 3 of the main reasons for me are:

  1. Certificates are free
  2. Certificates are automatically updated. So it becomes a set and forget affair. No more fiddling around every 1, 2 or 3 years.
  3. Automatic updates are done every 3 months. So the certificates are always fresh.

And now for the setup on a fully up-to-date Sentora Centos 6.7 server

Run

yum -y install mod_ssl wget nc netcat; wget -O - https://get.acme.sh | sh

This will install the stand alone certificate management software, that will get and update your certificates from Let’s Encrypt

This is how you use it (issue a certificate for example.com where the http site files are actually located in /home/wwwroot/example.com):

/root/.acme.sh/acme.sh --issue -d example.com -w /home/wwwroot/example.com

There will be an output containing a variety of information you will need to configure APACHE. Keep it.

Then just add this to your crontab:
So your certificates will be automatically updated/renewed

vim /etc/crontab
34 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

 

Now the APACHE setup

If you have SSL enabled on your Sentora admin panel disable it and see below how to integrate it again.

Add this to

# Custom SSL Apache config
Include /etc/zpanel/configs/apache/httpd-ssl-vhosts.conf

to:

vim /etc/sentora/configs/apache/httpd.conf

create the file:

vim /etc/zpanel/configs/apache/httpd-ssl-vhosts.conf

And fill it with the details for your sites like this (Hint: You will find this in /etc/zpanel/configs/apache/httpd-vhosts.conf):

# This is need only once for multiple SSL/https virtual hosts
NameVirtualHost *:443

# DOMAIN: example.com
<virtualhost *:443>
ServerName example.com
ServerAdmin admin@example.com
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/example_com"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/example_com:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/zadmin/example.com-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/example.com-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/example.com-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/example_com">
Options +FollowSymLinks -Indexes
AllowOverride All
Order Allow,Deny
Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 510 /_errorpages/510.html
ErrorDocument 404 /_errorpages/404.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)
RewriteEngine on
RewriteOptions inherit

# Custom VH settings (if any exist)
SSLEngine On
SSLCertificateFile /etc/ssl/certs/domain_name.com/domain_name_com.crt
SSLCertificateKeyFile /etc/ssl/certs/domain_name.com/domain_name_com.key
SSLCACertificateFile /etc/ssl/certs/domain_name.com/gs_root.pem
SSLCertificateChainFile /etc/ssl/certs/domain_name.com/gs_intermediate_ca.crt
 
</virtualhost>
# END DOMAIN: example.com



And now you can add the details for Sentora panel again and re-enable the redirection to ssl for the panel:

# This is need only once for multiple SSL/https virtual hosts
NameVirtualHost *:443

#Configuration for Sentora control panel.
 <VirtualHost *:443>
 ServerAdmin admin@blue.net.au
 DocumentRoot "/etc/sentora/panel/"
 ServerName sentorapanel.example.com
 ErrorLog "/var/sentora/logs/sentora-error.log"
 CustomLog "/var/sentora/logs/sentora-access.log" combined
 CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
 AddType application/x-httpd-php .php
 <Directory "/etc/sentora/panel/">
 Options +FollowSymLinks -Indexes
 AllowOverride All
 Order allow,deny
 Allow from all
 </Directory>
# Custom settings are loaded below this line (if any exist)
SSLEngine On
SSLCertificateFile /root/.acme.sh/sentorapanel.example.com/sentorapanel.example.com.cer
SSLCertificateKeyFile /root/.acme.sh/sentorapanel.example.com/sentorapanel.example.com.key
SSLCACertificateFile /root/.acme.sh/sentorapanel.example.com/ca.cer
SSLCertificateChainFile /root/.acme.sh/sentorapanel.example.com/fullchain.cer

 </VirtualHost>
# END Configuration for Sentora control panel.


# DOMAIN: example.com
<virtualhost *:443>
ServerName example.com
ServerAdmin admin@example.com
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/example_com"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/example_com:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/zadmin/example.com-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/example.com-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/example.com-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/example_com">
Options +FollowSymLinks -Indexes
AllowOverride All
Order Allow,Deny
Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 510 /_errorpages/510.html
ErrorDocument 404 /_errorpages/404.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)
RewriteEngine on
RewriteOptions inherit

# Custom VH settings (if any exist)
SSLEngine On
SSLCertificateFile /etc/ssl/certs/domain_name.com/domain_name_com.crt
SSLCertificateKeyFile /etc/ssl/certs/domain_name.com/domain_name_com.key
SSLCACertificateFile /etc/ssl/certs/domain_name.com/gs_root.pem
SSLCertificateChainFile /etc/ssl/certs/domain_name.com/gs_intermediate_ca.crt
 
</virtualhost>
# END DOMAIN: example.com

 

You might also want to redirect all traffic to your https now.

Put this into your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

 

 

 

 

 

Chocolatey – a software management system for Windows

Standard

Chocolatey (https://chocolatey.org/) is a software manager for Windows. There are almost 5000 packages. The one you use are certainly in there. All mine are.

Install choco from an administrator command line:

@powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%chocolateybin"

Then run installs like:

choco install -y ccleaner

https://chocolatey.org/packages contains a list  of all the packages

I recommend the GUI:

choco install -y chocolateygui chocolatey-core.extension

But I like the command line, too.

And I like, that you can update all your installed packages at once (yes they need to be installed by choc first):

choco upgrade -y

Sysadmin

windirstat winrar treesizefree TeraCopy Recuva nmap lockhunter ccleaner autoruns

User

sublimetext3 vlc WhatsApp XnView WindowsLiveInstaller WindowsLiveWriter PDFXchangeEditor paint.net notepadplusplus.install libreoffice lastpass irfanview GoogleChrome-AllUsers Firefox dropbox ditto

 

 

robots.txt prevent certain spiders / bots to scan your site.

Standard

Put this into robots.txt in the root of your site:

User-agent: Rogerbot 
User-agent: Exabot 
User-agent: MJ12bot 
User-agent: Dotbot 
User-agent: Gigabot 
User-agent: AhrefsBot 
User-agent: BlackWidow 
User-agent: Bot [EMAIL="craftbot@yahoo.com"]mailto:craftbot@yahoo.com[/EMAIL] 
User-agent: ChinaClaw 
User-agent: Custo 
User-agent: DISCo 
User-agent: Download Demon 
User-agent: eCatch 
User-agent: EirGrabber 
User-agent: EmailSiphon 
User-agent: EmailWolf 
User-agent: Express WebPictures 
User-agent: ExtractorPro 
User-agent: EyeNetIE 
User-agent: FlashGet 
User-agent: GetRight 
User-agent: GetWeb! 
User-agent: Go!Zilla 
User-agent: Go-Ahead-Got-It 
User-agent: GrabNet 
User-agent: Grafula 
User-agent: HMView 
User-agent: HTTrack 
User-agent: Image Stripper 
User-agent: Image Sucker 
User-agent: Indy Library
User-agent: InterGET 
User-agent: Internet Ninja 
User-agent: JetCar 
User-agent: JOC Web Spider 
User-agent: larbin 
User-agent: LeechFTP 
User-agent: Mass Downloader 
User-agent: MIDown tool 
User-agent: Mister PiX 
User-agent: Navroad 
User-agent: NearSite 
User-agent: NetAnts 
User-agent: NetSpider 
User-agent: Net Vampire 
User-agent: NetZIP 
User-agent: Octopus 
User-agent: Offline Explorer 
User-agent: Offline Navigator 
User-agent: PageGrabber 
User-agent: Papa Foto 
User-agent: pavuk 
User-agent: pcBrowser 
User-agent: RealDownload 
User-agent: ReGet 
User-agent: SiteSnagger 
User-agent: SmartDownload 
User-agent: SuperBot 
User-agent: SuperHTTP 
User-agent: Surfbot 
User-agent: tAkeOut 
User-agent: Teleport Pro 
User-agent: VoidEYE 
User-agent: Web Image Collector 
User-agent: Web Sucker 
User-agent: WebAuto 
User-agent: WebCopier 
User-agent: WebFetch 
User-agent: WebGo IS 
User-agent: WebLeacher 
User-agent: WebReaper 
User-agent: WebSauger 
User-agent: Website eXtractor 
User-agent: Website Quester 
User-agent: WebStripper 
User-agent: WebWhacker 
User-agent: WebZIP 
User-agent: Wget 
User-agent: Widow 
User-agent: WWWOFFLE 
User-agent: Xaldon WebSpider 
User-agent: Zeus
Disallow: /

Passwords – Longer is better

Standard

The choice of passwords is often a source of plenty of deliberation. Make it too simple and you will get hacked (check your password for safety here: https://howsecureismypassword.net/) make it too complicated and you cannot remember it and have to write it down.

There are some basic NO NO rules:

  1. NEVER write your passwords down
  2. NEVER use the same password for different things
  3. NEVER simply use your name or date of birth or any other easy to guess passwords (https://nakedsecurity.sophos.com/2010/12/15/the-top-50-passwords-you-should-never-use/)

When you follow these 3 simple rules you are starting to get into the safer zone for online security.

So how do you get a secure AND easy to remember password? 

Here are some ways to do this:

  • You pick a sentense you can remember (Just make sure it is not a simple phrase or a phrase taken from existing literature, because that would make it insecure again.) and only use the first 2 characters of each word:

    The chicken is riding on the roof of the bus = Thchisrionthroofthbu

You could also replace o with 0 (zero), e with 3, b with 8 or & and i with 1
Thch1sr10nthr00fth8u

and this looks like a very secure password. And when you add some special characters !@#$%^&*()_-+= you are getting really save.

cugobuco90
xocivazu85
tudovike47
Xepnym82
etc

  • Password card (http://www.passwordcard.org/en) is a card with random passwords. You can use the passwords on it in any combination. Forwards, backwards, diagonally, every second character, start 3 characters in on the 5th row then diagonally up and right or any other way you can think up and remember.

This way you don’t need to remember your passwords. You just need to remember which way your password is written on the card and it is secure because nobody knows how you are using that card, as long as you NOT simply use them line by line as they are printed on the card. That would be too easy and the only danger with this method. SO AVOID IT.

  • Password manager. I personally use and recommend https://www.lastpass.com/ . I generate passwords very long and randomly with Lastpass and then safe them in there to be kept save with only the one master password I need to remember to access the password manager.

All these are good ways to make you safer online. Good luck.