Hardening my linux server

Install mod-security for apache2

apt-get install libxml2 libxml2-dev libxml2-utils libaprutil1 libaprutil1-dev
sudo apt-get install libapache2-mod-security2
emacs /etc/modsecurity/modsecurity.conf

and set the SecRuleEngine directive to On. grep should then show:

grep -i SecRuleEngine  /etc/modsecurity/modsecurity.conf
SecRuleEngine On

Restart apache2:

service apache2 restart
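The security-relevant detail of the edit above is the value itself: the Debian package ships its template as /etc/modsecurity/modsecurity.conf-recommended (copy it to modsecurity.conf before editing) with SecRuleEngine DetectionOnly, so until the directive is changed the module only logs matching requests and blocks nothing. The script below is an added example, not part of the original post or the ModSecurity project: it reports the effective mode of a config file (last uncommented directive wins) and switches it to On. Function names and the sample config are assumptions, and it works on a temporary copy so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example: inspect and set SecRuleEngine in a modsecurity.conf.
# Function names and the sample file below are assumptions, not part of the post.

# Print the effective SecRuleEngine value: the last uncommented directive wins,
# "unset" if the file has none.
modsec_engine_mode() {
    mode=$(grep -i '^[[:space:]]*SecRuleEngine[[:space:]]' "$1" | tail -n 1 | awk '{print $2}')
    printf '%s\n' "${mode:-unset}"
}

# Switch every active SecRuleEngine directive to On (blocking mode) in place,
# appending one if the file has none.
modsec_enable() {
    if grep -qi '^[[:space:]]*SecRuleEngine[[:space:]]' "$1"; then
        sed -i.bak -E 's/^([[:space:]]*SecRuleEngine)[[:space:]]+.*/\1 On/' "$1" && rm -f "$1.bak"
    else
        printf 'SecRuleEngine On\n' >> "$1"
    fi
}

# Constructed sample in the shape of the Debian-shipped file: the engine only
# logs (DetectionOnly) and a commented-out directive must be ignored.
make_sample_modsec_conf() {
    cat > "$1" <<'EOF'
# -- Rule engine initialization (constructed sample) --------------------------
#SecRuleEngine On
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
EOF
}

# Demo on a throwaway copy so the real /etc/modsecurity is never modified.
tmp=$(mktemp -d)
make_sample_modsec_conf "$tmp/modsecurity.conf"
echo "before: $(modsec_engine_mode "$tmp/modsecurity.conf")"   # DetectionOnly
modsec_enable "$tmp/modsecurity.conf"
echo "after:  $(modsec_engine_mode "$tmp/modsecurity.conf")"   # On
rm -rf "$tmp"
```

Run modsec_engine_mode against the real file after the edit and before the apache2 restart; anything other than On means requests are still only being logged.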

You are reading this post on Joel G Mathew’s tech blog. Joel's personal blog is the Eyrie, hosted here.

Fix seafile server for folder names containing spaces

This is an apache bug.

Use a newer apache version:

Generic steps to install a newer version of a package with apt than provided in the stable stream:

In /etc/apt/apt.conf.d add the following file

99defaultrelease:

APT::Default-Release "stable";

In /etc/apt/sources.list.d, add files with the URLs for the stable and testing / unstable sources:

stable.list:

deb     http://ftp.de.debian.org/debian/    stable main contrib non-free
deb-src http://ftp.de.debian.org/debian/    stable main contrib non-free

deb     http://security.debian.org/         stable/updates  main contrib non-free

testing.list:

deb     http://ftp.de.debian.org/debian/    testing main contrib non-free
deb-src http://ftp.de.debian.org/debian/    testing main contrib non-free

deb     http://security.debian.org/         testing/updates  main contrib non-free
Run:
apt-get update

and then install what you need with

apt-get -t testing install something

So for our purpose:

apt-get update
apt-get -t testing install apache2
service apache2 restart

Choose to keep all your default config files with no changes.

Credits:
Serverfault
https://wiki.debian.org/AptPreferences



Solve wordpress error: exceeds the maximum upload size for this site.

If you tried to upload a big file in WordPress and came across this error “exceeds the maximum upload size for this site”, this is for you.

This has nothing to do with WordPress and is a php.ini resource limit set by the server. If you are in a shared hosting environment with no access to editing php.ini, woe on you. There’s nothing you can do. Get a VPS or dedicated server!

On a VPS or dedicated server, the first step in fixing the issue is determining which php.ini is the cause, as there may be several. For this, create a file with the following content:

<?php
phpinfo();
?>

Name it phpinfo.php and open it on your site. It will show you the resource limits and which php.ini file set them. Once you locate the correct php.ini, edit it and change the values of these two variables: upload_max_filesize and post_max_size. Yes, both of them need to be increased.
Save php.ini and you'll notice the changes right away. If not, restart the apache (or nginx) server with:

service apache2 restart

Note that on Webmin, each Virtualmin virtual server has a separate php.ini file. You can edit it at Virtualmin > Services > php5 configuration > Resource limits.
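The reason both variables must be raised is that PHP enforces them in layers: the file has to fit inside the whole POST body (post_max_size), and the body has to fit inside memory_limit. The script below is an added example, not code from the original post: it reads those limits from a php.ini the way PHP does (comments skipped, last assignment wins, shorthand such as 64M converted to bytes) and reports which one is still too small. It goes beyond the post by also checking memory_limit; the function names and the sample php.ini are assumptions, and the defaults used for missing keys are PHP's own. Remove phpinfo.php once you are done with it, since it publishes the server's configuration to anyone who requests it.

```shell
#!/bin/sh
# Added example: check that php.ini upload limits are consistent with each other.
# Function names and the constructed sample file are assumptions, not part of the post.

# Convert PHP shorthand (2M, 512K, 1G, plain bytes, -1 for unlimited) to bytes.
php_to_bytes() {
    v=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    num=${v%[kmg]}
    case "$v" in
        *k) echo $((num * 1024)) ;;
        *m) echo $((num * 1024 * 1024)) ;;
        *g) echo $((num * 1024 * 1024 * 1024)) ;;
        *)  echo $((num + 0)) ;;
    esac
}

# Print the value of KEY from FILE ($1=file, $2=key, $3=default when absent).
# Comment lines (; or #) are skipped and the last active assignment wins, as in PHP.
php_ini_get() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*[;#]/ { next }
        {
            line = $0; sub(/;.*/, "", line)
            if (match(line, "^[[:space:]]*" key "[[:space:]]*=")) {
                val = substr(line, RLENGTH + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$|"/, "", val)
                found = val
            }
        }
        END { print (found == "" ? def : found) }' "$1"
}

# Return 0 when uploads up to upload_max_filesize can actually succeed, else print
# what is wrong and return 1. PHP needs post_max_size >= upload_max_filesize and
# memory_limit >= post_max_size (memory_limit -1 means unlimited).
check_upload_limits() {
    up=$(php_to_bytes "$(php_ini_get "$1" upload_max_filesize 2M)")
    post=$(php_to_bytes "$(php_ini_get "$1" post_max_size 8M)")
    mem=$(php_to_bytes "$(php_ini_get "$1" memory_limit 128M)")
    rc=0
    if [ "$post" -lt "$up" ]; then
        echo "post_max_size ($post B) is below upload_max_filesize ($up B)"; rc=1
    fi
    if [ "$mem" -ne -1 ] && [ "$mem" -lt "$post" ]; then
        echo "memory_limit ($mem B) is below post_max_size ($post B)"; rc=1
    fi
    return $rc
}

# Constructed sample php.ini ($1=path, $2=upload_max_filesize, $3=post_max_size).
make_sample_php_ini() {
    cat > "$1" <<EOF
; constructed sample, not a real server file
memory_limit = 128M
upload_max_filesize = $2
post_max_size = $3
;upload_max_filesize = 1G   (commented out: must be ignored)
EOF
}

tmp=$(mktemp -d)
make_sample_php_ini "$tmp/php.ini" 64M 8M      # only upload_max_filesize was raised
check_upload_limits "$tmp/php.ini" || echo "-> raise post_max_size as well"
make_sample_php_ini "$tmp/php.ini" 64M 64M     # both raised, as the post says
check_upload_limits "$tmp/php.ini" && echo "limits are consistent"
rm -rf "$tmp"
```

Point check_upload_limits at the php.ini that phpinfo() named as "Loaded Configuration File"; with Virtualmin that is the per-virtual-server copy, not the system-wide one.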



Error restarting apache2 after server upgrade

Error:

AH00526: Syntax error on line 2 of /etc/apache2/sites-enabled/cp2.joel.co.in.conf:
Invalid command 'SuexecUserGroup', perhaps misspelled or defined by a module not included in the server configuration

Fix:

a2enmod suexec

Error:

Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration

Fix:

a2enmod rewrite

Error:

AH00526: Syntax error on line 89 of /etc/apache2/apache2.conf:
Invalid command 'LockFile', perhaps misspelled or defined by a module not included in the server configuration

Fix:
Replace the line in /etc/apache2/apache2.conf:

LockFile ${APACHE_LOCK_DIR}/accept.lock

By:

Mutex file:${APACHE_LOCK_DIR} default

Error:

[....] Restarting web server: apache2AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using ks4.droidzone.in. Set the 'ServerName' directive globally to suppress this message

Fix:
Add the following line to the end of /etc/apache2/apache2.conf:

ServerName localhost

Restart apache after the fixes.



Installing Davical on Debian server

apt-get install libpq-dev postgresql php5 php5-pgsql php5-imap php5-curl php5-cgi libyaml-perl libdbi-perl davical
emacs /etc/postgresql/9.4/main/pg_hba.conf

Add at the very top of the file:

local   davical    davical_app   trust
local   davical    davical_dba   trust

Reload postgresql:

/etc/init.d/postgresql restart

Now:

cd /usr/share/davical/dba
su postgres -c /usr/share/davical/dba/create-database.sh

It gives message:

Supported locales updated.
Updated view: dav_principal.sql applied.
CalDAV functions updated.
RRULE functions updated.
Database permissions updated.
NOTE
====
*  The password for the 'admin' user has been set to 'something'
Thanks for trying DAViCal!  Check in /usr/share/doc/davical/examples/ for
some configuration examples.  For help, visit #davical on irc.oftc.net.

Create a virtual server and edit its config:

emacs /etc/apache2/sites-available/davical.joel.co.in.conf

The DAViCal wiki recommends the following:

<VirtualHost x.y.z.a>
	DocumentRoot /usr/share/davical/htdocs
	DirectoryIndex index.php index.html
	ServerName davical.yoursite.com
	ServerAlias calendar.yoursite.com
	Alias /images/ /usr/share/davical/htdocs/images/
	ErrorLog /var/log/virtualmin/davical.yoursite.com_error_log
	CustomLog /var/log/virtualmin/davical.yoursite.com_access_log combined
	<Directory /usr/share/davical/htdocs/>
		  AllowOverride None
		  Order allow,deny
		  Allow from all
	</Directory>
	AcceptPathInfo On
</VirtualHost>

But only the following worked:

<VirtualHost *:80>
ServerName davical.yoursite.com
ServerAlias calendar.yoursite.com
DocumentRoot /usr/share/davical/htdocs
DirectoryIndex index.php index.html
Alias /images/ /usr/share/davical/htdocs/images/
ErrorLog /var/log/virtualmin/davical.yoursite.com_error_log
CustomLog /var/log/virtualmin/davical.yoursite.com_access_log combined
<Directory /usr/share/davical/htdocs/>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    AddType application/x-httpd-php .php
    AddHandler fcgid-script .php
    AddHandler fcgid-script .php5
    FCGIWrapper /home/joel/domains/davical.yoursite.com/fcgi-bin/php5.fcgi .php
    FCGIWrapper /home/joel/domains/davical.yoursite.com/fcgi-bin/php5.fcgi .php5
</Directory>
AcceptPathInfo On
</VirtualHost>

Now reload apache and the webpage.
Configure the DAViCal config file, adding the following:

$c->admin_email = '[email protected]';
$c->system_name = "DAViCal CalDAV Server";
$c->enable_row_linking = true;
$c->default_locale = 'en_US.UTF-8';
$c->pg_connect[] = 'dbname=davical port=5432 user=davical_app';

Now reload the page and it should show login screen. Use the password that was earlier generated.
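The pg_hba.conf lines added at the start of this install use the trust method: PostgreSQL accepts any connection over the local Unix socket that claims to be davical_app or davical_dba, with no password, which is why the pg_connect string above carries none. On a box that hosts other users or other web applications that is worth knowing about, since every local account can then read and write the calendar database. The script below is an added example, not part of the original post or DAViCal: it lists every active pg_hba.conf entry that relies on trust, handling both local entries and host entries with CIDR or separate-netmask addresses. Function names and the sample file are assumptions. Tighter alternatives PostgreSQL offers are peer (the OS user must match, optionally through a pg_ident map) or md5 with a password added to pg_connect.

```shell
#!/bin/sh
# Added example: audit a pg_hba.conf for entries authenticated by "trust".
# Function names and the constructed sample file are assumptions, not part of the post.

# Print "type database user [address]" for every active entry whose method is trust.
# local entries: TYPE DATABASE USER METHOD
# host entries:  TYPE DATABASE USER ADDRESS[/CIDR] METHOD  or  ... ADDRESS NETMASK METHOD
pg_hba_trust_entries() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            if ($1 == "local")                        { method = $4; addr = "" }
            else if (NF >= 6 && $5 ~ /^[0-9.:]+$/)    { method = $6; addr = $4 "/" $5 }  # separate netmask
            else                                      { method = $5; addr = $4 }
            if (method == "trust") {
                line = $1 " " $2 " " $3
                if (addr != "") line = line " " addr
                print line
            }
        }' "$1"
}

# Number of trust entries (0 is the answer you want on a shared host).
pg_hba_trust_count() {
    pg_hba_trust_entries "$1" | wc -l | tr -d ' '
}

# Constructed sample: the two DAViCal lines on top of Debian-style stock entries,
# plus one host entry written with a separate netmask.
make_sample_pg_hba() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server file
local   davical    davical_app   trust
local   davical    davical_dba   trust
local   all        postgres      peer
local   all        all           peer
host    all        all           127.0.0.1/32         md5
host    all        all           ::1/128              md5
host    reports    reporter      10.0.0.0 255.0.0.0   trust
EOF
}

tmp=$(mktemp -d)
make_sample_pg_hba "$tmp/pg_hba.conf"
echo "trust entries: $(pg_hba_trust_count "$tmp/pg_hba.conf")"   # 3
pg_hba_trust_entries "$tmp/pg_hba.conf"
rm -rf "$tmp"
```

Run it against /etc/postgresql/9.4/main/pg_hba.conf after the edit; the two DAViCal lines should be the only trust entries it reports.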



Installing AgenDAV, a self hosted calendar

Create a virtual server.
In the public web directory:

wget https://github.com/adobo/agendav/releases/download/2.0.0/agendav-2.0.0.tar.gz
tar xf agendav-2.0.0.tar.gz
cd agendav-2.0.0/web
curl -s https://getcomposer.org/installer | php
php composer.phar install --prefer-dist --no-dev

Edit /etc/apache2/sites-available/cal.joel.co.in.conf:
Add at the end:

<Location />
   RewriteEngine On
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteRule ^ index.php [QSA,L]
</Location>

Modify DocumentRoot:

DocumentRoot /home/joel/domains/cal.joel.co.in/public_html/web/public

Create a mysql db and assign a user and password for it.
Set permissions (replace www-data with the virtual host's user):

chown -R www-data:www-data web/
chmod -R 750 web/var/

Edit file settings.php:

cd web/config/
cp default.settings.php settings.php
emacs settings.php

Now migrate databases:

cd /home/joel/domains/cal.joel.co.in/public_html
php agendavcli migrations:migrate

Now try going to the dav url.
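The DocumentRoot change is the step that keeps this install safe: the tarball was unpacked inside public_html, so until DocumentRoot is moved down to web/public, web/config/settings.php (which holds the database password) and web/var are inside the served tree. The script below is an added example, not code from the original post or AgenDAV: given a DocumentRoot, it reports any sensitive file that resolves to a path inside it (symlinks followed) and checks that var/ is not world-readable, matching the chmod 750 above. Function names and the constructed directory tree are assumptions. One further caveat on the install steps: "curl ... | php" runs the Composer installer without checking it; Composer publishes a checksum for that installer that can be verified before it is executed.

```shell
#!/bin/sh
# Added example: verify that secrets sit outside DocumentRoot and var/ is private.
# Function names and the constructed tree are assumptions, not part of the post.

# Return 0 when file $1 lies inside directory $2, after resolving symlinks.
path_is_under() {
    child=$(cd "$(dirname "$1")" && pwd -P)/$(basename "$1")
    parent=$(cd "$2" && pwd -P)
    case "$child" in
        "$parent"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 when "other" has read permission on $1 (symlinks followed).
world_readable() {
    [ "$(ls -ldL "$1" | cut -c8)" = "r" ]
}

# $1 = DocumentRoot, $2 = the app's var/ directory, remaining args = files that
# must never be reachable through the web server. Prints findings, returns 1 on any.
check_webroot_layout() {
    docroot=$1; vardir=$2; shift 2; rc=0
    for f in "$@"; do
        if path_is_under "$f" "$docroot"; then
            echo "EXPOSED: $f is inside DocumentRoot $docroot"; rc=1
        fi
    done
    if world_readable "$vardir"; then
        echo "LOOSE: $vardir is world-readable (expected 750)"; rc=1
    fi
    return $rc
}

# Constructed tree mirroring the post's layout:
#   public_html/web/public              what DocumentRoot must point at
#   public_html/web/config/settings.php DB credentials; must stay outside
#   public_html/web/var                 runtime data; chmod 750
make_sample_tree() {
    mkdir -p "$1/public_html/web/public" "$1/public_html/web/config" "$1/public_html/web/var"
    echo "<?php \$app['db.options'] = array(); // constructed placeholder" > "$1/public_html/web/config/settings.php"
    chmod 750 "$1/public_html/web/var"
}

tmp=$(mktemp -d)
make_sample_tree "$tmp"
site=$tmp/public_html
# As unpacked, with DocumentRoot still at public_html: the config is servable.
check_webroot_layout "$site" "$site/web/var" "$site/web/config/settings.php" || echo "-> move DocumentRoot to web/public"
# After the post's DocumentRoot change: nothing exposed.
check_webroot_layout "$site/web/public" "$site/web/var" "$site/web/config/settings.php" && echo "layout ok"
rm -rf "$tmp"
```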

Ref:
http://docs.agendav.org/en/stable/admin/installation/



Tutorial-How to use letsencrypt public beta to get a new SSL certificate

New information:
Requesting a certificate for your domains on an apache webserver running on Debian server is extremely easy.
Install certbot, a utility to help request letsencrypt certificates:

apt-get install python-certbot-apache -t jessie-backports

Now run it:

certbot --apache

This will start a curses interface to select sites whose certificates you want to renew.
This works very well, and it worked when the certificate module of Webmin was botched up.

Older post:
This tutorial describes how to create a new SSL certificate using Let’s Encrypt (Public beta as of 06/12/2015).

Let’s Encrypt documentation is at: http://letsencrypt.readthedocs.org/en/latest/using.html#installation

Let’s create a new droplet at Digitalocean to test Let’s Encrypt.
Now log in via ssh to the server.

Install git, an editor (I prefer emacs) and letsencrypt:

apt-get install git emacs
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

To install and run the client you just need to type:

./letsencrypt-auto certonly --webroot -w /var/www/virtual/maindomain.com/mydomain.in/htdocs/ -d www.mydomain.in -d mydomain.in

IMPORTANT NOTES:
– If you lose your account credentials, you can recover through
e-mails sent to [email protected]
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.mydomain.in/fullchain.pem. Your cert will
expire on 2016-03-05. To obtain a new version of the certificate in
the future, simply run Let’s Encrypt again.
– Your account credentials have been saved in your Let’s Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let’s
Encrypt so making regular backups of this folder is ideal.
– If you like Let’s Encrypt, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Automatically installing letsencrypt certificates for a server running i-mscp control panel:
Once you’ve generated certificates as mentioned above, login to i-mscp,
Go to https://yourcpsite.com:2087/client/domains_manage.php
Next to your domain, click on “Add/Edit SSL Certificate”

Use the contents of the following file for each text box:

Private key -> /etc/letsencrypt/live/www.elephant.in/privkey.pem
Certificate -> /etc/letsencrypt/live/www.elephant.in/cert.pem
Intermediate certificate(s) -> /etc/letsencrypt/live/www.elephant.in/chain.pem

Manually installing letsencrypt certificates for a server running i-mscp control panel:
The following additional information pertains to manually installing these certificates for a server running i-mscp:

So, you’ve generated a certificate for the site www.elephant.in. The files created are at /etc/letsencrypt/live/www.elephant.in/ and are as follows:

lrwxrwxrwx 1 root root   36 Dec  6 09:12 cert.pem -> ../../archive/www.elephant.in/cert1.pem
lrwxrwxrwx 1 root root   37 Dec  6 09:12 chain.pem -> ../../archive/www.elephant.in/chain1.pem
lrwxrwxrwx 1 root root   41 Dec  6 09:12 fullchain.pem -> ../../archive/www.elephant.in/fullchain1.pem
lrwxrwxrwx 1 root root   39 Dec  6 09:12 privkey.pem -> ../../archive/www.elephant.in/privkey1.pem

Copy these as follows:

cp /etc/letsencrypt/live/www.elephant.in/privkey.pem /var/www/imscp/gui/data/certs/elephant.in.privkey.pem
cp /etc/letsencrypt/live/www.elephant.in/cert.pem /var/www/imscp/gui/data/certs/elephant.in.cert.pem
cp /etc/letsencrypt/live/www.elephant.in/chain.pem /var/www/imscp/gui/data/certs/elephant.in.chain.pem

Now edit the file /etc/apache2/sites-enabled/elephant.in_ssl.conf:

Add/Edit the following directives:

SSLEngine On
SSLCertificateFile /var/www/imscp/gui/data/certs/elephant.in.cert.pem
SSLCertificateChainFile /var/www/imscp/gui/data/certs/elephant.in.chain.pem
SSLCertificateKeyFile /var/www/imscp/gui/data/certs/elephant.in.privkey.pem

Restart apache2:

service apache2 restart

Now reload your website and check the certificate information your browser shows for it.

If your site shows invalid issuer information, you haven’t done these steps correctly.
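Two things decide whether the manual i-mscp install above works: the chain file must really carry the intermediate (an empty or wrong SSLCertificateChainFile is what produces the invalid-issuer warning), and the private key that was just copied under /var/www/imscp/gui/data/certs/ must not be readable by other users. The script below is an added example, not code from the original post, certbot or i-mscp: it counts the certificates in each PEM file (cert.pem should hold one, chain.pem at least one, fullchain.pem the sum of both), confirms the key file is a PEM private key, and checks its permissions before Apache is restarted. Function names are assumptions, and the PEM files it builds are filler, not real certificates or keys.

```shell
#!/bin/sh
# Added example: sanity-check a certificate set before pointing Apache at it.
# Function names and the constructed PEM files are assumptions, not part of the post.

# Number of certificates in a PEM file.
pem_cert_count() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# $1 = cert, $2 = chain, $3 = private key, optional $4 = fullchain.
# Prints each problem found and returns 1 on any.
check_cert_set() {
    rc=0
    c=$(pem_cert_count "$1"); ch=$(pem_cert_count "$2")
    [ "$c" -eq 1 ] || { echo "$1: expected 1 certificate, found $c"; rc=1; }
    [ "$ch" -ge 1 ] || { echo "$2: no intermediate certificate, browsers will report an unknown issuer"; rc=1; }
    if [ -n "${4:-}" ]; then
        fc=$(pem_cert_count "$4")
        [ "$fc" -eq $((c + ch)) ] || { echo "$4: holds $fc certificates, expected cert + chain = $((c + ch))"; rc=1; }
    fi
    grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$3" || { echo "$3: not a PEM private key"; rc=1; }
    other=$(ls -ldL "$3" | cut -c8-10)   # permission bits for "other", symlinks followed
    [ "$other" = "---" ] || { echo "$3: readable by other users (mode ...$other), use chmod 600"; rc=1; }
    return $rc
}

# Constructed stand-ins with the layout certbot writes: cert, chain, fullchain, privkey.
# The PEM bodies are filler; nothing here is a real key or certificate.
make_sample_cert_set() {
    leaf='-----BEGIN CERTIFICATE-----
MIIBconstructedLeafFillerNotARealCertificate
-----END CERTIFICATE-----'
    inter='-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateFillerNotARealCertificate
-----END CERTIFICATE-----'
    printf '%s\n' "$leaf" > "$1/cert.pem"
    printf '%s\n' "$inter" > "$1/chain.pem"
    printf '%s\n%s\n' "$leaf" "$inter" > "$1/fullchain.pem"
    printf '%s\n%s\n%s\n' '-----BEGIN PRIVATE KEY-----' 'constructedKeyFillerNotARealKey' '-----END PRIVATE KEY-----' > "$1/privkey.pem"
    chmod 600 "$1/privkey.pem"
}

tmp=$(mktemp -d)
make_sample_cert_set "$tmp"
check_cert_set "$tmp/cert.pem" "$tmp/chain.pem" "$tmp/privkey.pem" "$tmp/fullchain.pem" && echo "certificate set looks consistent"
# An empty chain file is the usual cause of the invalid-issuer warning.
: > "$tmp/empty-chain.pem"
check_cert_set "$tmp/cert.pem" "$tmp/empty-chain.pem" "$tmp/privkey.pem" || echo "-> fix the chain before restarting apache2"
rm -rf "$tmp"
```

For the i-mscp layout, call it as check_cert_set elephant.in.cert.pem elephant.in.chain.pem elephant.in.privkey.pem from /var/www/imscp/gui/data/certs/; the same call against /etc/letsencrypt/live/www.elephant.in/ with fullchain.pem as the fourth argument checks the source files.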

Renewing certificates

Let’s Encrypt CA issues short lived certificates (90 days). Make sure you renew the certificates at least once in 3 months.

For renewing, use the same command as you did when you generated the certificates. For automating renewal use --renew-by-default.

E.g.:

./letsencrypt-auto certonly --webroot -w /var/www/virtual/joel.co.in/elephant.in/htdocs/ -d www.elephant.in -d elephant.in --renew-by-default


Apache listing: List directories before files

Add the following to .htaccess:

IndexOptions IgnoreCase FancyIndexing FoldersFirst NameWidth=* DescriptionWidth=* SuppressHTMLPreamble

Then in the site's .conf file inside /etc/apache2/sites.., you should have the following under the <Directory> block for that path:

AllowOverride All

For more customization, see the mod_autoindex documentation for IndexOptions.



List directories first in apache2 directory listing

Add the following to .htaccess:

# SET INDEX OPTIONS
Options +Indexes
IndexOptions IgnoreCase FancyIndexing FoldersFirst NameWidth=* DescriptionWidth=* SuppressHTMLPreamble
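In both of these posts, IndexOptions only changes how a listing is rendered; it is Options +Indexes that makes Apache generate a listing at all, and with AllowOverride All any .htaccess under the site can switch that on for its directory. Since a listing discloses every file name in a directory, it pays to know where it is enabled. The script below is an added example, not from either post: it walks a web root, evaluates the Options lines of each .htaccess the way Apache does (the absolute form without +/- resets every option, so "Options FollowSymLinks" disables Indexes just as "-Indexes" does), and prints the directories that end up with listing on. Function names and the constructed sample site are assumptions. If only specific options should be overridable, the narrower form AllowOverride Options=Indexes,... seen in the DAViCal vhost earlier on this page limits what .htaccess can change.

```shell
#!/bin/sh
# Added example: find directories whose .htaccess turns directory listing on.
# Function names and the constructed sample site are assumptions, not from the posts.

# Print on / off / inherit for one .htaccess file. Options lines are applied in
# order; a line with no +/- prefixes is absolute and resets every option.
htaccess_indexes_state() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "options" {
            absolute = 0; has = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i); c = substr(t, 1, 1)
                if (c != "+" && c != "-") absolute = 1
                if (t == "indexes" || t == "+indexes") has = 1
                if (t == "-indexes") has = -1
            }
            if (absolute)       state = (has == 1) ? "on" : "off"
            else if (has == 1)  state = "on"
            else if (has == -1) state = "off"
        }
        END { print (state == "" ? "inherit" : state) }' "$1"
}

# Sorted list of every directory below $1 whose .htaccess enables listing.
listing_enabled_dirs() {
    find "$1" -type f -name .htaccess | while read -r f; do
        if [ "$(htaccess_indexes_state "$f")" = "on" ]; then dirname "$f"; fi
    done | sort
}

# Constructed sample site with the four cases that matter.
make_sample_site() {
    mkdir -p "$1/downloads" "$1/private" "$1/assets" "$1/legacy"
    printf 'Options +Indexes\nIndexOptions IgnoreCase FancyIndexing FoldersFirst\n' > "$1/downloads/.htaccess"
    printf 'Options -Indexes\n' > "$1/private/.htaccess"
    printf '# absolute form: resets everything, Indexes included\nOptions FollowSymLinks\n' > "$1/assets/.htaccess"
    printf 'Options Indexes FollowSymLinks\n' > "$1/legacy/.htaccess"
}

tmp=$(mktemp -d)
make_sample_site "$tmp"
echo "directories with listing enabled:"
listing_enabled_dirs "$tmp"      # downloads and legacy
rm -rf "$tmp"
```

Directories reported as inherit take whatever the enclosing <Directory> block or parent .htaccess sets, so check those explicitly.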

