Setup Sophos XG firewall on Vultr.com virtual server

There are a few tricks needed to get Sophos XG Firewall installed from ISO on a Vultr virtual server, because the XG installer is fussier than it needs to be.

Sophos UTM (the predecessor) was easy to install, but with XG Firewall Sophos has gone back to being inflexible about some basics that, in my opinion, are unnecessary (Sophos, these are things you should fix):

  • 2 network interfaces are required
  • The pre-initialisation command line does not allow setting a default gateway on any interface
  • The pre-initialisation command line only allows a static IP address on interface 1 (Port 1), not on the others
  • Changing network settings in the web admin during initialisation causes loss of access (in this setup, at least)

So these problems require certain things from Vultr:

  • 2 instances (1 for the XG and another, Linux or Windows, to manage the XG initially)
  • 2 IP addresses in the same subnet (necessary because the XG has no default gateway at this stage and can only talk to IPs on its own subnet)
  • Console access to the running instances, which Vultr provides for free
  • A download link to Sophos’ XG ISO

Step by step what I did:

  1. Started 10 (yes, ten) servers of the cheapest kind in the hope of getting 2 IP addresses in the same subnet, which I did.
  2. Shut down the other 8 servers as soon as possible, as they cost money.
  3. “Converted” those 2 IP addresses to “reserved IP addresses”. This way you keep them and can assign them to the 2 instances you need for this setup process.
  4. Shut down the 2 instances whose IP addresses you have taken.
  5. Uploaded the Sophos XG ISO to Vultr from its download link.
  6. Started an instance to install from that ISO and assigned one of the 2 reserved IP addresses to it.
  7. Went through the Sophos XG setup from the ISO, following its instructions.
  8. Removed the ISO from the instance. This reboots the instance and setup continues.
  9. Logged in on the console and set the Port 1 IP address to the reserved IP address allocated above. The web interface is then reachable from that subnet only, because no default gateway can be set yet.
  10. Started another instance of choice with the other reserved IP address in the same subnet. I used a Linux instance, ssh’d into it and made an ssh local port forward (ssh -L) to the XG web interface at https://<IP>:4444; there is no reason (other than cost) why you could not use a Windows instance and open the same web interface from there.
  11. In the Sophos web setup: entered a new password, disabled “install new firmware” and accepted the licence.
  12. Selected “Continue offline” and confirmed.
  13. Gave the machine a name and selected the timezone (this can be changed later).
  14. Continued after “basic setup complete”.
  15. This step is critical to get right: in the “LAN Address and Internal Client Network Size” fields enter only the IP address and the subnet mask, exactly as set on the console. Otherwise you lose access to the instance and have to start from scratch. Also disable DHCP here.
  16. Continued without ticking any of the network protection options (they can be changed later).
  17. Entered the email addresses on the next step (can be changed later).
  18. Finished. The XG reboots.
  19. Once setup is complete, went back into the web interface and logged in with the new password. You get the normal XG web interface and can now adjust the network settings (default gateway, DNS) so the XG has internet access, then register, update and so on.
  20. IMPORTANT: before the instance leaves this subnet, allow access to the admin interface from the WAN zone under System > Administration > Device Access, otherwise you lock yourself out and can start again. Restrict that access to your own source address rather than the whole internet; an admin port open to everyone is the first thing scanners find on a cloud VM.

Optional extras:

  • I did not register, install licences or even start a trial; I only updated the XG after setup and then took a snapshot of it, because I wanted to release the reserved IP address, which costs extra unnecessarily. When you create an instance from the snapshot it gets a new dynamic IP address, which you need to set on the console interface; the console works perfectly for setting the default gateway after setup (Sophos, why not during setup?). Then you can access the new XG via the new IP address. (Yes, you can start multiple instances from the snapshot, because each gets its own IP address, serial number and licence.)
  • Shut down all unneeded instances and delete the reserved IPs.

Upgrade PHP and MySQL Centos 6.x

The method I found simplest is to add Remi’s repository and let yum do the rest:

wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -ivh remi-release-6.rpm
vim /etc/yum.repos.d/remi.repo     (set enabled=1 on the sections you want: [remi] plus one PHP version section, and only one)
yum -y upgrade php*
yum -y update
reboot

done.

Two notes. The release package imports Remi’s GPG key and the repo sections it writes keep gpgcheck=1; leave that alone, it is what protects you against a tampered mirror. And yum -y update does not stop at PHP: it pulls in everything the enabled sections provide (MySQL included, if it is in one of them), so check your applications before the box goes back into service.

Sentora virtual domains SSL setup – Let’s Encrypt Certificates

I won’t discuss here why you would want to use Let’s Encrypt certificates, but the 3 main reasons for me are:

  1. Certificates are free
  2. Renewal is automatic. It becomes a set-and-forget affair; no more fiddling around every 1, 2 or 3 years.
  3. Certificates are valid for 90 days and acme.sh renews them automatically (by default after 60 days), so the certificates are always fresh.

And now for the setup on a fully up-to-date Sentora CentOS 6.7 server.

Run

yum -y install mod_ssl wget nc; wget -O - https://get.acme.sh | sh

This installs mod_ssl for Apache and acme.sh, the stand-alone certificate management script that will get and renew your certificates from Let’s Encrypt. Piping a downloaded script straight into sh means trusting get.acme.sh completely; if that bothers you, download it first, read it, then run it. nc is only used by acme.sh’s standalone mode and is not needed for the webroot mode used below.

This is how you use it (issue a certificate for example.com, where the site’s files are actually located in /home/wwwroot/example.com; the -w path must be the DocumentRoot of that domain’s port-80 vhost, which on Sentora is /var/sentora/hostdata/<user>/public_html/<domain_with_underscores>):

/root/.acme.sh/acme.sh --issue --server letsencrypt -d example.com -w /home/wwwroot/example.com

The webroot mode needs the site to be reachable over plain HTTP on port 80, because Let’s Encrypt validates the domain by fetching /.well-known/acme-challenge/<token> from it. Newer acme.sh versions default to ZeroSSL rather than Let’s Encrypt; --server letsencrypt keeps the original intent. The output lists where the certificate, key and CA chain were written; keep it, you need those paths to configure Apache.

acme.sh’s installer also adds a renewal job to root’s crontab, so check with crontab -l before adding your own. If you prefer /etc/crontab, remember that it has a user column between the time fields and the command:

vim /etc/crontab
34 0 * * * root "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null


Now the Apache setup

If you have SSL enabled on your Sentora admin panel, disable it first; see below how to integrate it again.

Add these two lines to /etc/sentora/configs/apache/httpd.conf:

# Custom SSL Apache config
Include /etc/zpanel/configs/apache/httpd-ssl-vhosts.conf

Then create the included file:

vim /etc/zpanel/configs/apache/httpd-ssl-vhosts.conf

and fill it with the details for your sites like this (hint: you will find the plain-HTTP version of each block in /etc/zpanel/configs/apache/httpd-vhosts.conf; copy it, change *:80 to *:443 and add the SSL lines at the end). Sentora regenerates httpd-vhosts.conf from its database, which is why the https hosts live in a separate file. Sentora keeps /etc/zpanel as a compatibility alias for /etc/sentora; if /etc/zpanel does not exist on your install, use /etc/sentora throughout.

# This is needed only once for multiple SSL/https virtual hosts
NameVirtualHost *:443

# DOMAIN: example.com
<VirtualHost *:443>
ServerName example.com
ServerAdmin admin@example.com
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/example_com"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/example_com:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/zadmin/example.com-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/example.com-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/example.com-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/example_com">
Options +FollowSymLinks -Indexes
AllowOverride All
Order Allow,Deny
Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 510 /_errorpages/510.html
ErrorDocument 404 /_errorpages/404.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)
RewriteEngine on
RewriteOptions inherit

# Custom VH settings (if any exist)
# Paths as written by the acme.sh --issue command above. Apache 2.2 (CentOS 6) takes
# the leaf certificate, the key and the intermediate chain (ca.cer) as three files;
# SSLCACertificateFile is for client-certificate authentication only and is not needed.
SSLEngine On
SSLCertificateFile /root/.acme.sh/example.com/example.com.cer
SSLCertificateKeyFile /root/.acme.sh/example.com/example.com.key
SSLCertificateChainFile /root/.acme.sh/example.com/ca.cer
</VirtualHost>
# END DOMAIN: example.com

(Newer acme.sh versions issue ECC keys by default and store them in /root/.acme.sh/example.com_ecc/; either adjust the paths to what the --issue output printed, or issue with --keylength 2048 for an RSA key. acme.sh also offers --install-cert to copy the files to a stable location of your choosing and run a reload command after each renewal, which avoids pointing Apache into its working directory at all.)



Now add the Sentora panel itself back in, at the top of the same file before the domain blocks, and re-enable the redirection to SSL for the panel. Issue a certificate for the panel name first (the same --issue command, with the panel name and the panel’s DocumentRoot as webroot) so the paths below exist. The complete httpd-ssl-vhosts.conf then looks like this:

# This is needed only once for multiple SSL/https virtual hosts
NameVirtualHost *:443

#Configuration for Sentora control panel.
<VirtualHost *:443>
ServerAdmin admin@example.com
DocumentRoot "/etc/sentora/panel/"
ServerName sentorapanel.example.com
ErrorLog "/var/sentora/logs/sentora-error.log"
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# Custom settings are loaded below this line (if any exist)
# ca.cer (intermediates only) is the right file for SSLCertificateChainFile;
# fullchain.cer also contains the leaf certificate and would be sent twice.
SSLEngine On
SSLCertificateFile /root/.acme.sh/sentorapanel.example.com/sentorapanel.example.com.cer
SSLCertificateKeyFile /root/.acme.sh/sentorapanel.example.com/sentorapanel.example.com.key
SSLCertificateChainFile /root/.acme.sh/sentorapanel.example.com/ca.cer
</VirtualHost>
# END Configuration for Sentora control panel.

# DOMAIN: example.com
# ... the per-domain <VirtualHost *:443> block shown above, unchanged, one per site ...
# END DOMAIN: example.com

Check the file with apachectl -t, then restart Apache (service httpd restart). Two things to watch: every ServerName needs a certificate that actually covers that name, and the .key files must stay readable by root only (ls -l to confirm), since anyone who can read them can impersonate the site until the certificate is revoked.
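The per-domain blocks are copied by hand for every site, which is exactly how mismatched certificate paths creep in. As an added example (not Sentora’s or acme.sh’s own code), the Python script below generates the https vhost for each hosted domain and builds the matching acme.sh --install-cert command, so the paths Apache reads and the paths acme.sh writes come from one place. It assumes certificates are copied to /etc/pki/tls/sentora/<domain>/ (a location chosen for this example), the Sentora DocumentRoot layout shown above, and Apache 2.2 syntax as on CentOS 6.

```python
import os
import stat

CERT_ROOT = "/etc/pki/tls/sentora"   # assumed target directory for acme.sh --install-cert
ACME = "/root/.acme.sh/acme.sh"

VHOST_TEMPLATE = """# DOMAIN: {domain}
<VirtualHost *:443>
ServerName {domain}
ServerAdmin admin@{domain}
DocumentRoot "{docroot}"
php_admin_value open_basedir "{docroot}:/var/sentora/temp/"
ErrorLog "/var/sentora/logs/domains/{owner}/{domain}-error.log"
CustomLog "/var/sentora/logs/domains/{owner}/{domain}-access.log" combined
<Directory "{docroot}">
Options +FollowSymLinks -Indexes
AllowOverride All
Order Allow,Deny
Allow from all
</Directory>
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile {certdir}/{domain}.cer
SSLCertificateKeyFile {certdir}/{domain}.key
SSLCertificateChainFile {certdir}/ca.cer
</VirtualHost>
# END DOMAIN: {domain}
"""


def sentora_docroot(domain, owner="zadmin"):
    """Sentora names the document root after the domain with dots replaced by underscores."""
    return f"/var/sentora/hostdata/{owner}/public_html/{domain.replace('.', '_')}"


def ssl_vhost(domain, owner="zadmin", cert_root=CERT_ROOT):
    """One <VirtualHost *:443> block for a hosted domain, Apache 2.2 style (CentOS 6)."""
    return VHOST_TEMPLATE.format(
        domain=domain,
        owner=owner,
        docroot=sentora_docroot(domain, owner),
        certdir=f"{cert_root}/{domain}",
    )


def ssl_vhosts_conf(domains, owner="zadmin", cert_root=CERT_ROOT):
    """Whole httpd-ssl-vhosts.conf: NameVirtualHost exactly once, then one block per domain."""
    blocks = [ssl_vhost(d, owner, cert_root) for d in domains]
    return "NameVirtualHost *:443\n\n" + "\n".join(blocks)


def install_cert_argv(domain, cert_root=CERT_ROOT, acme=ACME):
    """Argument vector for acme.sh --install-cert: copies the files to the paths the
    vhost expects and reloads Apache after every renewal (acme.sh re-runs this itself)."""
    certdir = f"{cert_root}/{domain}"
    return [
        acme, "--install-cert", "-d", domain,
        "--cert-file", f"{certdir}/{domain}.cer",
        "--key-file", f"{certdir}/{domain}.key",
        "--ca-file", f"{certdir}/ca.cer",
        "--reloadcmd", "service httpd reload",
    ]


def mode_is_private(mode):
    """True when a file mode has no group or other permission bits (e.g. 0600)."""
    return (mode & 0o077) == 0


def key_is_private(path):
    """Check an installed private key: a regular file readable by root only."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and mode_is_private(st.st_mode)


if __name__ == "__main__":
    print(ssl_vhosts_conf(["example.com", "example.org"]))
    print(" ".join(install_cert_argv("example.com")))
```

Run it once per change, write the output to httpd-ssl-vhosts.conf, run the printed --install-cert command for each domain, then apachectl -t and reload. key_is_private() is the check to run on every .key after installation; acme.sh creates the directory for you but the permissions of anything you copy around yourself are your responsibility.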

 

You might also want to redirect all traffic to https now. Put this at the top of the .htaccess file in the site’s DocumentRoot (AllowOverride All in the vhost is what makes .htaccess rules take effect), but only after you have confirmed the https site works, otherwise you redirect visitors straight into an error:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Renewals still work with this in place: acme.sh puts the challenge file under /.well-known/acme-challenge/ in the same DocumentRoot, and Let’s Encrypt follows the redirect to https when it fetches it.


Chocolatey – a software management system for Windows

Chocolatey (https://chocolatey.org/) is a software manager for Windows. There are almost 5000 packages; the ones you use are almost certainly in there. All mine are.

Install choco from an administrator command prompt (cmd.exe; the line below is the one from the Chocolatey install page, with the bin path written out properly):

@powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"

Like any installer that downloads and executes a script, this trusts chocolatey.org and your machine’s TLS trust store completely; if that is a concern, download install.ps1, read it and run it by hand.

Then run installs like:

choco install -y ccleaner

https://chocolatey.org/packages contains a list  of all the packages

I recommend the GUI:

choco install -y chocolateygui chocolatey-core.extension

But I like the command line, too.

And I like that you can update all your installed packages at once (yes, they need to have been installed by choco first):

choco upgrade all -y

Bear in mind that community packages are maintained by volunteers and their install scripts run with the administrator rights you gave choco, so have a look at a package’s page before putting it on a machine that matters. These are the sets I install:

Sysadmin

choco install -y windirstat winrar treesizefree TeraCopy Recuva nmap lockhunter ccleaner autoruns

User

choco install -y sublimetext3 vlc WhatsApp XnView WindowsLiveInstaller WindowsLiveWriter PDFXchangeEditor paint.net notepadplusplus.install libreoffice lastpass irfanview GoogleChrome-AllUsers Firefox dropbox ditto


robots.txt: stop certain spiders / bots from scanning your site

Put this into robots.txt in the root of your site. Keep in mind what it is: a request, not a control. Well-behaved crawlers (search engines, SEO bots such as AhrefsBot and MJ12bot) read it and stay away; site rippers, e-mail harvesters and anyone who sets their own User-Agent string ignore it or simply identify as a browser. For anything that actually has to be kept out, enforce it in the web server (deny by User-Agent, rate limit, require authentication) and treat robots.txt as a courtesy list only. It is also public, so never use it to “hide” admin paths; it advertises them.

User-agent: Rogerbot
User-agent: Exabot
User-agent: MJ12bot
User-agent: Dotbot
User-agent: Gigabot
User-agent: AhrefsBot
User-agent: BlackWidow
User-agent: Bot mailto:craftbot@yahoo.com
User-agent: ChinaClaw
User-agent: Custo
User-agent: DISCo
User-agent: Download Demon
User-agent: eCatch
User-agent: EirGrabber
User-agent: EmailSiphon
User-agent: EmailWolf
User-agent: Express WebPictures
User-agent: ExtractorPro
User-agent: EyeNetIE
User-agent: FlashGet
User-agent: GetRight
User-agent: GetWeb!
User-agent: Go!Zilla
User-agent: Go-Ahead-Got-It
User-agent: GrabNet
User-agent: Grafula
User-agent: HMView
User-agent: HTTrack
User-agent: Image Stripper
User-agent: Image Sucker
User-agent: Indy Library
User-agent: InterGET
User-agent: Internet Ninja
User-agent: JetCar
User-agent: JOC Web Spider
User-agent: larbin
User-agent: LeechFTP
User-agent: Mass Downloader
User-agent: MIDown tool
User-agent: Mister PiX
User-agent: Navroad
User-agent: NearSite
User-agent: NetAnts
User-agent: NetSpider
User-agent: Net Vampire
User-agent: NetZIP
User-agent: Octopus
User-agent: Offline Explorer
User-agent: Offline Navigator
User-agent: PageGrabber
User-agent: Papa Foto
User-agent: pavuk
User-agent: pcBrowser
User-agent: RealDownload
User-agent: ReGet
User-agent: SiteSnagger
User-agent: SmartDownload
User-agent: SuperBot
User-agent: SuperHTTP
User-agent: Surfbot
User-agent: tAkeOut
User-agent: Teleport Pro
User-agent: VoidEYE
User-agent: Web Image Collector
User-agent: Web Sucker
User-agent: WebAuto
User-agent: WebCopier
User-agent: WebFetch
User-agent: WebGo IS
User-agent: WebLeacher
User-agent: WebReaper
User-agent: WebSauger
User-agent: Website eXtractor
User-agent: Website Quester
User-agent: WebStripper
User-agent: WebWhacker
User-agent: WebZIP
User-agent: Wget
User-agent: Widow
User-agent: WWWOFFLE
User-agent: Xaldon WebSpider
User-agent: Zeus
Disallow: /
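To see what the list above does and does not do, here is an added example (not part of the original post) that feeds a short excerpt of it through Python’s standard robots.txt parser, checks a few constructed User-Agent strings against it, and then emits the Apache 2.2 rules that enforce the same list on the server side. The robots.txt text and the client strings are constructed for the example; the stdlib parser matches a listed name as a case-insensitive substring of the client’s product token, which is close to what cooperating crawlers do.

```python
import re
import urllib.robotparser

# Constructed robots.txt: an excerpt of the list above, same record layout
ROBOTS_TXT = """\
User-agent: AhrefsBot
User-agent: MJ12bot
User-agent: HTTrack
User-agent: Teleport Pro
User-agent: Wget
User-agent: Zeus
Disallow: /
"""

# Constructed User-Agent strings as clients would send them
CLIENTS = {
    "ahrefs": "AhrefsBot",                   # honours robots.txt
    "wget": "Wget/1.21.3",                   # honours it in recursive mode
    "httrack": "HTTrack 3.0x",
    "googlebot": "Googlebot",                # not listed, so still allowed
    "scraper-as-browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",  # same tool, fake UA
}


def parse_robots(text):
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def fetch_allowed(robots_text, user_agent, path="/"):
    """What a *cooperating* client concludes from robots.txt. Nothing stops a
    non-cooperating one; the last CLIENTS entry shows the usual dodge."""
    return parse_robots(robots_text).can_fetch(user_agent, path)


def report(robots_text=ROBOTS_TXT, clients=CLIENTS):
    return {name: fetch_allowed(robots_text, ua) for name, ua in clients.items()}


def listed_agents(robots_text):
    """The User-agent tokens named in a robots.txt, in file order."""
    return [line.split(":", 1)[1].strip()
            for line in robots_text.splitlines()
            if line.lower().startswith("user-agent:")]


def apache_deny_rules(agents):
    """Server-side enforcement of the same list (Apache 2.2 syntax, as on CentOS 6):
    flag any request whose User-Agent contains a listed token and deny it. Goes in
    the <Directory> block of the vhost or in .htaccess. Still bypassed by a spoofed
    UA, which is why rate limiting and authentication matter more than this list."""
    lines = [f'SetEnvIfNoCase User-Agent "{re.escape(a)}" bad_bot' for a in agents]
    lines += ["Order Allow,Deny", "Allow from all", "Deny from env=bad_bot"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, allowed in report().items():
        print(f"{name:20s} {'allowed' if allowed else 'blocked'}")
    print(apache_deny_rules(listed_agents(ROBOTS_TXT)))
```

The report shows the point of the caveat: the bots that honour the file are blocked, Googlebot is unaffected, and the same download tool with a browser User-Agent sails through. The Apache rules close that gap only for clients that keep their real token; they are a cheap first layer, not a control.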

Passwords – Longer is better

The choice of passwords is often a source of plenty of deliberation. Make it too simple and you will get hacked; make it too complicated and you cannot remember it and have to write it down. (Sites such as https://howsecureismypassword.net/ estimate how long a brute-force search would take. Only ever type a password into such a page that you are not going to use, because you are handing it to somebody else’s web server, and remember that the estimate measures the size of the search space, not how guessable a phrase or pattern is.)

There are some basic NO NO rules:

  1. NEVER write your passwords down
  2. NEVER use the same password for different things
  3. NEVER simply use your name, date of birth or any other easy-to-guess password (https://nakedsecurity.sophos.com/2010/12/15/the-top-50-passwords-you-should-never-use/)

When you follow these 3 simple rules you are starting to get into the safer zone for online security.

So how do you get a secure AND easy to remember password?

Here are some ways to do this:

  • Pick a sentence you can remember (just make sure it is not a common phrase or a quotation from existing literature, because that would make it insecure again) and use only the first 2 characters of each word:

    The chicken is riding on the roof of the bus = Thchisrionthroofthbu

You could also replace o with 0 (zero), e with 3, b with 8 or & and i with 1:

Thch1sr10nthr00fth8u

This looks like a very secure password, and adding some special characters from !@#$%^&*()_-+= makes it stronger still. Be aware, though, that these substitutions are fixed rules, and password crackers apply exactly the same rules to their word lists; the strength comes from the sentence being long and unpredictable, not from the 0s and 1s.

Some short generated examples as printed in the original post (pronounceable, 8 to 10 characters, letters and digits only). At that length they are fine for throwaway accounts and nothing else:

cugobuco90
xocivazu85
tudovike47
Xepnym82
etc

  • Password card (http://www.passwordcard.org/en) is a card with random characters. You can read passwords off it in any combination: forwards, backwards, diagonally, every second character, start 3 characters in on the 5th row then diagonally up and right, or any other way you can think up and remember.

This way you don’t need to remember your passwords, only which way your password is read from the card, and it is secure because nobody knows how you are using that card, as long as you do NOT simply use the lines as they are printed on the card. That would be too easy and is the only real danger with this method, SO AVOID IT. The card itself is not a secret; anyone who gets hold of it and guesses your reading pattern has the password, so the pattern must not be one of the obvious ones.

  • Password manager. I personally use and recommend https://www.lastpass.com/ . I generate very long random passwords with LastPass and save them in there, kept safe by the one master password I need to remember to access the password manager. That master password is the one that deserves the sentence method above, and the manager should be protected with a second factor where it offers one.

All these are good ways to make you safer online. Good luck.
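The recipes above are easy to put side by side in code. The Python below is an added example, not part of the original post: it implements the sentence recipe and the digit substitutions exactly as described, and next to them the two things a password manager does instead, a uniformly random password and a random word passphrase, with the entropy of the random forms computed from the alphabet and length. The word list is constructed and far too short for real use (a real list such as the EFF one has 7776 words); the sentence is the post’s own.

```python
import math
import secrets
import string

# The post's substitutions: o->0, e->3, b->8, i->1 (the alternative b->& is left out)
LEET = str.maketrans({"o": "0", "e": "3", "b": "8", "i": "1"})
SPECIALS = "!@#$%^&*()_-+="
ALPHABET = string.ascii_letters + string.digits + SPECIALS   # 76 symbols

# Constructed word list; a real Diceware-style list has thousands of entries
WORDS = ["chicken", "roof", "bus", "riding", "harbour", "lantern", "quartz", "velvet",
         "meadow", "saddle", "copper", "fossil", "orbit", "pepper", "tundra", "walrus"]


def acronym(sentence, n=2):
    """The post's recipe: keep the first n characters of every word."""
    return "".join(word[:n] for word in sentence.split())


def leet(text):
    """The post's digit substitutions. Deterministic, so a cracker's rule set undoes
    it for free: it changes the password's look, not the number of guesses needed."""
    return text.translate(LEET)


def keyspace_bits(length, alphabet_size):
    """Entropy of a password drawn uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def random_password(length=20, alphabet=ALPHABET):
    """What a password manager generates: every character from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words=6, words=WORDS):
    """Diceware-style passphrase: random words, memorable but not derived from anything."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def compare(sentence):
    """Side by side: the derived password and a random one of the same length.
    The derived one has no computable entropy figure; its unpredictability is
    whatever the sentence had, which is why the sentence must not be a known phrase."""
    derived = leet(acronym(sentence))
    return {
        "derived": derived,
        "random_same_length": random_password(len(derived)),
        "random_bits": round(keyspace_bits(len(derived), len(ALPHABET))),
        "passphrase_bits_real_list": round(keyspace_bits(6, 7776)),
    }


if __name__ == "__main__":
    for key, value in compare("The chicken is riding on the roof of the bus").items():
        print(f"{key:26s} {value}")
    print("passphrase (toy list)     ", passphrase())
```

A 20-character random string from this alphabet is about 125 bits; six words from a real 7776-word list are about 77 bits, and still comfortably beyond any online or offline guessing. The derived string looks just as long but is only as good as the sentence behind it, which is the point the post makes about not using a phrase from literature.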

 

Amazon web services AWS Cloudwatch – difference between Maximum and Average metrics in cloudwatch.

I asked myself why my CloudWatch monitoring shows such a big difference between Maximum and Average.

Let’s look at some facts first:

CloudWatch basic monitoring collects a data point every 5 minutes (the default); with detailed monitoring it is every 1 minute.

For the sake of this explanation we assume 5-minute monitoring and we are graphing 1 hour, so each point on the graph aggregates 12 data points. Say the 12 five-minute values are 2, 3, 5, 7, 4, 6, 3, 8, 9, 4, 10 and 1.

So Average would be:

( 2 + 3 + 5 + 7 + 4 + 6 + 3 + 8 + 9 + 4 + 10 + 1 ) / 12 = 5.1666

So 5.1666 would be shown on the graph.

Maximum shows the highest of the 12 numbers: 10.

And SUM of course would be

2 + 3 + 5 + 7 + 4 + 6 + 3 + 8 + 9 + 4 + 10 + 1 = 62

The same thing already happened inside each 5-minute data point: Maximum is the largest sample seen in that period and Average is the period’s Sum divided by its SampleCount. A short CPU spike therefore shows up in full under Maximum and is diluted under Average, and the longer the graph period, the bigger the gap. When you set an alarm, decide which of the two you actually mean: Average for sustained load, Maximum for anything you must not miss.


Get rid of / cancel / delete / don’t show recommended posts from your Tumblr dashboard

I am unbelievably annoyed about the recommended posts in my own tumblr dashboard.

Here is how to get rid of / cancel / delete / not show the recommended posts in the Tumblr dashboard.

  1. Install Adblock Plus (available for Firefox and Google Chrome)
  2. Click Options
  3. Click Add your own filters
  4. Add the following filter (an element-hiding rule; use plain straight quotes, not the curly ones a word processor produces):
    tumblr.com##[data-is_recommended="1"]

That’s it.

Change WordPress admin password without email access

There is a multitude of ways to change the admin password for a WordPress installation. Do a Google search if you don’t like this one.

I find it easiest to change it directly in the database. The database name, user and password are in wp-config.php, which you can read if you have FTP access; the same file holds $table_prefix, which decides whether the table is called wp_users or something else.

  1. Log in to your database: Home > Database Management > phpMyAdmin
  2. Credentials can be found on Home > Database Management > MySQL User
  3. Once logged in, find the wp_users table in your database
  4. Select the user you want to change by clicking on the pencil icon
  5. In the user_pass field either type the new password in plain text and select MD5 in the Function column, or paste an MD5 hash you computed yourself and leave the Function column empty. Do not do both, or phpMyAdmin hashes your hash and the password will not work.
  6. Save.

Then you can log in again. WordPress accepts a plain MD5 in user_pass for backwards compatibility and replaces it with its own salted phpass hash the first time that user logs in, so log in straight away; until then the value in the database is a fast, unsalted hash of your new admin password. If you compute the MD5 yourself, do it locally (md5sum, or php -r) rather than with an online generator such as the http://www.miraclesalad.com/webtools/md5.php page the original post used; a web form that turns your admin password into a hash also gets to keep the password.
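The step that computes the hash can be done locally and, better, in the form WordPress actually stores, so there is no window with an unsalted MD5 in the database at all. The Python below is an added example and not WordPress’s own code: it re-implements the portable phpass hash WordPress uses ($P$ prefix, 2^13 rounds of MD5 over an 8-character salt), a checker that mirrors wp_check_password() including the legacy MD5 case, and the UPDATE statement to paste into phpMyAdmin’s SQL tab. The known-answer pair test12345 / $P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0 comes from the phpass test suite; the table prefix wp_ is an assumption you must check against wp-config.php.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data, count):
    """phpass's own base-64 variant (not RFC 4648): little-endian, 3 bytes -> 4 chars."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_crypt(password, setting):
    """Portable phpass hash. `setting` is the first 12 chars of a hash:
    '$P$' + one char encoding log2(rounds) + 8-char salt."""
    if setting[:3] not in ("$P$", "$H$"):
        return "*0"
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return "*0"
    salt = setting[4:12]
    if len(salt) != 8:
        return "*0"
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def wp_hash_password(password):
    """A new hash as WordPress creates it: PasswordHash(8, true) -> '$P$B' + fresh salt."""
    salt = _encode64(secrets.token_bytes(6), 6)
    return phpass_crypt(password, "$P$" + ITOA64[8 + 5] + salt)


def md5_hex(password):
    """The legacy form the steps above put into user_pass: unsalted and fast.
    WordPress accepts it for compatibility and re-hashes it on the next login."""
    return hashlib.md5(password.encode()).hexdigest()


def wp_check_password(password, stored):
    """Mirror of wp_check_password(): plain MD5 if the stored value is 32 chars or less."""
    if len(stored) <= 32:
        return hmac.compare_digest(md5_hex(password), stored)
    return hmac.compare_digest(phpass_crypt(password, stored[:12]), stored)


def update_sql(user_login, new_hash, table_prefix="wp_"):
    """UPDATE statement for phpMyAdmin's SQL tab. The hash only contains [./0-9A-Za-z$];
    the login is single-quote escaped. Read $table_prefix from wp-config.php first."""
    login = user_login.replace("'", "''")
    return (f"UPDATE {table_prefix}users SET user_pass = '{new_hash}' "
            f"WHERE user_login = '{login}';")


if __name__ == "__main__":
    new_password = secrets.token_urlsafe(18)   # a fresh random password, shown once
    print("new password:", new_password)
    print(update_sql("admin", wp_hash_password(new_password)))
```

Run it on your own machine, paste the printed UPDATE into phpMyAdmin with the Function column left empty, and log in with the printed password; the stored value is already in WordPress’s native format, so nothing is rewritten on login and the plain MD5 never touches the database.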