OpenCart 3 PDF not loading? Fix for Information pages

We had a strange bug in OC 3.x when adding a PDF link outside of the OC file structure on the same domain name.

mod_security: nothing in my logs.

.htaccess: no luck here either.

The fix:

Link your PDF file(s) with an http/https URL inside your image directory structure. Create the OC directory “/image/catalog/terms” (or any name) and use FileZilla to upload your PDF file there.

The bottom line is that you cannot link to a non-OC directory, e.g. public_html/yournamehere/download/

The file must be located inside the OC structure:

public_html/yournamehere/image/catalog/…

Enjoy!

Adding a hard drive in Centos 7

Whether installing a new physical hard drive to a server or adding an additional disk to your cloud server or VPS, you’ll need to configure CentOS to be able to use it.

We’re going to assume the drive is connected, so first of all we need to find it.

We need to know the naming convention your server is using for drives, and we can find this with the ‘df’ command.

[user@server ~] df
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/vda2       24733776 2521604  20942668  11% /
/dev/vda1        1007512  203260    751824  22% /boot

The two lines above show that this particular server is using the vd* notation, but sd* is also used.  Here the primary drive, vda, has two partitions – vda1 and vda2.

We can now use the following command to find other disks:

[user@server ~] ls -1 /dev/[sv]d[a-z]
/dev/vda
/dev/vdb

We can see both our original disk, vda, and the new disk vdb (‘lsblk -f’ shows the same, along with any filesystem already on it). Now we create a filesystem on the new disk with the ‘mkfs.ext4’ utility. This wipes whatever is on vdb, so double-check the device name and that it carries no data before running it.

[user@server ~] sudo mkfs.ext4 /dev/vdb

This will just take a few seconds.

To use the new disk we now need to mount it.  When you’ve decided where you want to mount the disk, first create that folder on your server.  We’re going to use ‘home2’ for our disk.

[user@server ~] sudo mkdir /home2

We can now mount the disk to that location:

[user@server ~] sudo mount /dev/vdb /home2

Revisiting the df command we can now see that the new disk is mounted.

[user@server ~] df
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/vda2       24733776 2521604  20942668  11% /
/dev/vda1        1007512  203260    751824  22% /boot
/dev/vdb        25000000     100  24999900   1% /home2

To ensure the disk is automatically mounted when the server is rebooted, we also need to add it to fstab. It is safer to reference the disk by UUID than by /dev/vdb, since vd*/sd* names can change when disks are added or removed; get the UUID with ‘sudo blkid /dev/vdb’. Adding ‘nofail’ to the options means a missing or broken data disk will not stop the server from booting. Our preferred editor is ‘nano’ so we type

[user@server ~] sudo nano /etc/fstab

We add, to the end of the file, the line (replace the UUID with the one blkid printed):

UUID=<uuid from blkid> /home2 ext4 defaults,nofail 0 2

(The plain form ‘/dev/vdb /home2 ext4 defaults 0 0’ also works, with the caveats above.)

Then CTRL + O to save and CTRL + X to exit. Before rebooting, check the entry with ‘sudo mount -a’: an error here is much easier to fix now than on a server stuck at boot.

The disk will now stay mounted after reboot and you can begin using it.
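An added example (not part of the original post) that checks an fstab line for the two things that most often bite on a data disk: an unstable /dev/vdX name instead of a UUID, and a missing ‘nofail’ on a non-system mount. The UUID and the sample lines are constructed; on a real server feed it lines from /etc/fstab.

```shell
#!/bin/bash
# Added example, not from the original post.
# Build and sanity-check an /etc/fstab entry for a secondary data disk.
# Assumptions: the disk is referenced by UUID (from `blkid /dev/vdb`) and
# carries "nofail" so a missing disk does not stop the boot.

# Emit the fstab line we want for a data disk. $1 = UUID, $2 = mount point, $3 = fs type.
fstab_entry_for() {
    printf 'UUID=%s %s %s defaults,nofail 0 2\n' "$1" "$2" "$3"
}

# Validate one fstab line. Prints the problem found; returns 0 only if acceptable.
check_fstab_entry() {
    line=$1
    # shellcheck disable=SC2086
    set -- $line                      # split into the 6 fstab fields
    if [ "$#" -ne 6 ]; then
        echo "expected 6 fields, got $#"; return 1
    fi
    dev=$1; mnt=$2; opts=$4
    case "$dev" in
        UUID=*|LABEL=*|PARTUUID=*) ;;   # stable identifiers
        /dev/vd*|/dev/sd*)
            echo "unstable device name $dev; use UUID= from blkid"; return 1 ;;
        *) echo "unknown device spec $dev"; return 1 ;;
    esac
    case "$mnt" in
        /|/boot|/boot/*) ;;             # the system needs these; no nofail required
        *)
            case ",$opts," in
                *,nofail,*) ;;
                *) echo "$mnt is a data disk without nofail; boot stops if it is missing"; return 1 ;;
            esac ;;
    esac
    echo "ok: $mnt"
    return 0
}

# Constructed sample lines; the UUID is made up.
GOOD=$(fstab_entry_for 1c2d3e4f-0000-4000-8000-abcdefabcdef /home2 ext4)
BAD="/dev/vdb /home2 ext4 defaults 0 0"

check_fstab_entry "$GOOD"
check_fstab_entry "$BAD" || echo "(rejected as expected)"
```

To check a live file: ‘while read -r l; do case "$l" in ""|\#*) ;; *) check_fstab_entry "$l";; esac; done < /etc/fstab’.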

Stuck in Windows 10 S Mode even if you have formatted!

Good day, I had an issue with a new Acer Swift laptop that used Windows 10 S mode to prevent the installation of any software not created by Microsoft! This is very annoying! Here is a quick fix to solve this problem.

  1. Download a fresh copy of Windows 10 Pro
  2. Write it to a USB key drive
  3. You will have to add two files to the newly created USB key drive

First you will need to create those two files using Notepad

First file

ei.cfg (the filename to create)

Inside this file you will add these lines

[EditionID]
Professional
[Channel]
Retail

Now save the file on your local hard drive.

Second file

pid.txt

Inside this file you will add these lines

[PID]
Value=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Replace the X’s with your Windows 10 Pro license key.

Now save the file on your local hard drive.

You will then need to copy those two files to the newly created Windows 10 Pro USB key.

Copy both files into the root of the key
Copy both files into the \sources folder

Reboot and install Windows 10 Pro. Since pid.txt holds your license key in plain text, delete it from the key (or wipe the key) once the installation is done.

Enjoy!

phpMyAdmin Internal 500 error when importing large database!

System info

  • Fresh minimal install of CentOS Linux 7.6.1810
  • Webmin version 1.90
  • ConfigServer Security & Firewall 12.1
  • MariaDB default webmin/virtualmin install
  • LAMP
  • Phpmyadmin

I ran into a problem trying to import a large database on a fresh CentOS 7 test lab! After setting values in php.ini (I am running PHP version 7.0.27), I was still not able to import the database in phpMyAdmin.

Notice the maximum execution time is set to 120 seconds

Even after changing this value to 240, 500, 700 seconds…
I was still having issues importing the database!

Here is the fix: you need to go into Virtualmin

1. Select the virtual server
2. Navigate to -> Server Configuration -> Website Options
3. In Website and PHP options, navigate to Maximum PHP script run time

I checked “Unlimited” and hit “Save”

Voilà, I am able to import this large database without any errors!

For security reasons I suggest that you put back the default value after your import is finished!

Virtualmin applies PHP limits per virtual server, and those take precedence over the global /etc/php.ini, which is why editing that file alone had no effect. A large dump can also be loaded from the shell with ‘mysql -u user -p dbname < dump.sql’, which is not subject to PHP time or upload limits at all.

Enjoy!

 

Fix RDP not Saving Password / Credentials

After upgrading to Windows 10, I have had some issues with a couple of RDP connections that wouldn’t store the username and password (credentials). Despite ticking the box to save the credentials, it would always prompt me to enter the password.

Here’s how to fix the issue with RDP not saving the login information, which should work not just on Windows 10 but also on other versions of Windows if you have the same problem:

Click Start and type “GPEDIT.MSC” to search for the shortcut to the Windows Group Policy Editor.

Right-click the gpedit.msc shortcut and click Run as administrator.
(Ignore any popups about errors if you get any when the Group Policy Editor console opens up.)

Browse to Local Computer Policy > Computer Configuration > Administrative Templates > System > Credentials Delegation

Double-click the setting called “Allow delegating default credentials with NTLM-only server authentication” to edit it.

Change the setting to “Enabled” and then click the “Show…” button in the “Options:” window where it says “Add servers to the list:”.

Double-click the field below “Value” (with the black arrow to the left) and type in “TERMSRV/*” (without the double quotes).

Click OK and then OK again to close both popups, so that you only see the list of settings again.

Now just repeat the exact same steps for these three policies as well:
Allow delegating default credentials
Allow delegating saved credentials
Allow delegating saved credentials with NTLM-only server authentication

A word of caution: “TERMSRV/*” lets Windows hand your saved credentials to every RDP host you connect to, and the two “NTLM-only server authentication” policies extend that to hosts that cannot prove their identity through Kerberos or a trusted certificate. If you only need this for a few servers, list them explicitly instead (one entry per host, e.g. “TERMSRV/server1.example.com”) and leave the NTLM-only policies disabled unless a particular server needs them.

Close the Local Group Policy Editor and run ‘gpupdate /force’ from a command prompt; RDP should now work as expected again!

Hmm, a reboot was needed on some systems!

Enjoy!

Install OrangeScrum Centos 7

First you will need to install LAMP (Linux, Apache, MySQL, PHP) on a fresh dedicated standalone server! (Do not install on a VPS)

Here is a good online tutorial about deploying LAMP on CentOS

Disable SELinux?

Edit the /etc/selinux/config file to set the SELINUX parameter to disabled, and then reboot the server. A less drastic option is SELINUX=permissive (or ‘setenforce 0’ for the current session, no reboot needed): the install goes through, every action that would have been blocked is logged in /var/log/audit/audit.log, and ‘ausearch -m avc’ shows what has to be allowed before switching back to enforcing.

I have noticed that after turning SELinux back on after the full installation below, the server is holding up!

Still a lot of testing to do, but working 😉

Install Apache

# sudo yum install httpd

Once installed, you can start Apache

# sudo systemctl start httpd.service

The last thing you will want to do is enable Apache to start on boot. Use the following command to do so:

# sudo systemctl enable httpd.service

How To Find your Server Public IP

If you do not know what your server’s public IP address is, there are a number of ways you can find it. Usually, this is the address you use to connect to your server through SSH.

From the command line get your IP address by typing:

# curl https://ipinfo.io/ip

This assumes you already have a proper DNS server set up!

If you don’t have proper DNS, just use your server’s local IP, shown by the following command:

# ip a

Install MySQL (MariaDB)

# sudo yum install mariadb-server mariadb

When the installation is complete, we need to start MariaDB with the following command:

# sudo systemctl start mariadb

Now that our MySQL database is running, we want to run a simple security script that will remove some dangerous defaults and lock down access to our database system a little bit. Start the interactive script by running:

# sudo mysql_secure_installation

The prompt will ask you for your current root password. Since you just installed MySQL, you most likely won’t have one, so leave it blank by pressing enter. Then the prompt will ask you if you want to set a root password. Go ahead and enter Y, and follow the instructions:

Enter current password for root (enter for none):
OK, successfully used password, moving on…

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorization.

New password: password
Re-enter new password: password
Password updated successfully!
Reloading privilege tables..
… Success!

For the rest of the questions, you should simply hit the “ENTER” key through each prompt to accept the default values. This will remove some sample users and databases, disable remote root logins, and load these new rules so that MySQL immediately respects the changes we have made.

The last thing you will want to do is enable MariaDB to start on boot. Use the following command to do so:

# sudo systemctl enable mariadb.service

Install PHP

We can once again leverage the yum system to install our components. We’re going to include the php-mysql package as well:

# sudo yum install php php-mysql

This should install PHP without any problems. We need to restart the Apache web server in order for it to work with PHP. You can do this by typing:

# sudo systemctl restart httpd.service

To see which other PHP modules are available from the repositories:

# yum search php-

If you are running a firewall, run the following commands to allow HTTP and HTTPS traffic. At the same time let’s open port 3000 for Node.js:

# sudo firewall-cmd --zone=public --add-port=80/tcp --permanent

# sudo firewall-cmd --zone=public --add-port=443/tcp --permanent

# sudo firewall-cmd --zone=public --add-port=3000/tcp --permanent

# sudo firewall-cmd --reload


INSTALL NODE JS ON CENTOS 7

Login to your server via SSH, update the system and install the necessary packages:

# yum update

# yum install curl sudo

Install Node.js and npm from the NodeSource repository
We will install Node.js v6 LTS and npm from the NodeSource repository, which depends on the EPEL repository being available. (Node.js 6 and 8 are both end-of-life now; the same steps work with a currently supported LTS line by changing the number in the setup script URL.)

To enable the EPEL repository on your CentOS 7, issue the following command:

# sudo yum install epel-release

Once the EPEL repository is enabled, run the following command to add the Node.js v6 LTS repository:

# curl --silent --location https://rpm.nodesource.com/setup_6.x | sudo bash -

If you want to enable the Node.js v8 repository instead of the command above, run the following command:

# curl --silent --location https://rpm.nodesource.com/setup_8.x | sudo bash -

Piping a download straight into a root shell means whatever the server (or anyone between you and it) returns gets executed. Download the script to a file first (‘curl -sLo setup_6.x https://rpm.nodesource.com/setup_6.x’), read it, and only then run it with ‘sudo bash setup_6.x’.

Once the NodeSource repository is enabled we can proceed with the Node.js v6 LTS and npm installation:

# sudo yum install nodejs

Install the Node.js and NPM build tools

To compile and install native add-on from the npm repository we also need to install build tools:

# sudo yum install gcc-c++ make

To verify if the Node.js installation was successful, issue the following command:

# node -v

The output should be like the following:

v6.11.5

Verify npm installation
To verify if the npm installation was successful, issue the following command:

# npm -v

The output should be like the following:

3.10.10

Test the installation
If you want to test the installation, create a test file:

# nano hello_world.js

and then add the following content:

const http = require('http');
const port = 3000;
const ip = '0.0.0.0';   // all interfaces, so the test is reachable from outside; use '127.0.0.1' to keep it local

http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/plain'});
  res.end('Hello World');
}).listen(port, ip);

console.log(`server is running on ${ip}:${port}`);

Start the node web server by issuing the following command:

# node hello_world.js

the output should be like the following (the address printed is the one the script binds to, not the public IP):

server is running on 0.0.0.0:3000

If you now visit http://your_server_IP:3000 from your browser, you will see ‘Hello World’.

Note: You must open port 3000 in your firewall

Now set NODEJS_HOST to your server details in app/Config/constants.php, e.g.:

define("NODEJS_HOST", "http://your_server_IP:3000/");


INSTALL FOREVER ON CENTOS

If you have nodejs and npm installed on CentOS, you should be able to install forever by calling:

# npm install forever -g


INSTALL ORANGESCRUM ON CENTOS

First let’s start by ensuring your system is up-to-date.

# yum clean all

# yum -y update

Install required PHP modules

# yum -y install epel-release

# yum -y install php-gd php-imap php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-mcrypt php-mssql php-snmp php-soap php-tidy curl curl-devel

Installing Orangescrum

# wget https://github.com/Orangescrum/orangescrum/archive/master.zip

After downloading Orangescrum you will need to unzip master.zip. To do this, run:

# yum install unzip

# unzip master.zip

# cp -a orangescrum-master/. /var/www/html/

# rm -rf orangescrum-master

(Copying the contents rather than moving the folder keeps the paths used below, /var/www/html/database.sql and /var/www/html/app/Config/, correct.)

We will need to change some folder permissions:

# chown apache:apache -R /var/www/html/

I am still missing something here for the 0777.

Configuring MariaDB for Orangescrum

By default, MariaDB is not hardened. You can secure MariaDB using the mysql_secure_installation script. Read each step below carefully; the script sets the root password, removes the anonymous user, disallows remote root login, and removes the test database from your MariaDB (MySQL) server:

# mysql_secure_installation

Configure it like this:

  • Set root password? [Y/n] y
  • Remove anonymous users? [Y/n] y
  • Disallow root login remotely? [Y/n] y
  • Remove test database and access to it? [Y/n] y
  • Reload privilege tables now? [Y/n] y

Next we will need to log in to the MariaDB console and create a database for Orangescrum. Run the following command:

# mysql -u root -p

This will prompt you for a password, so enter your MariaDB root password and hit Enter. Once you are logged in to your database server you need to create a database and a dedicated user for the Orangescrum installation. Pick a real password in place of PASSWORD. Do not repeat IDENTIFIED BY on the GRANT line: in MariaDB that silently resets the password to whatever is typed there (a ‘PASSWORD’ on CREATE USER and a ‘password’ on GRANT leaves the user with the lower-case one). The application user also has no need for WITH GRANT OPTION:

CREATE DATABASE orangescrum;
CREATE USER 'orangescrumuser'@'localhost' IDENTIFIED BY 'PASSWORD';
GRANT ALL PRIVILEGES ON orangescrum.* TO 'orangescrumuser'@'localhost';
FLUSH PRIVILEGES;

Username : orangescrumuser
Password : PASSWORD (case matters!)
Database : orangescrum

Next you need to import the data from the database.sql file located in the /var/www/html/ directory, as the user just created (‘-p’ followed by a word treats that word as the database name, so the password is prompted for):

# cd /var/www/html/

# mysql -u orangescrumuser -p orangescrum < database.sql
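An added example, not part of OrangeScrum’s instructions or the original post: provision the database user with a generated password that never appears on the command line (where ‘ps’ and the shell history would record it), store it in a 0600 option file for the mysql client, and issue a GRANT that neither repeats IDENTIFIED BY nor hands out WITH GRANT OPTION. The database and user names match the post; the option-file path, the privilege list and the password format are assumptions.

```shell
#!/bin/bash
# Added example, not OrangeScrum's own instructions.
# Provision a least-privilege MariaDB user without exposing the password on the command line.

DB_NAME=orangescrum
DB_USER=orangescrumuser

# 32 hex characters from the kernel RNG; coreutils only, no openssl needed.
gen_password() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write a client option file readable only by its owner, for --defaults-extra-file.
# $1 = path, $2 = user, $3 = password. Prints the path.
write_client_cnf() {
    path=$1; user=$2; pass=$3
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\nhost=localhost\n' "$user" "$pass" > "$path" )
    echo "$path"
}

# SQL that creates the schema and an application user limited to that schema.
# The GRANT carries no IDENTIFIED BY (which would reset the password) and no GRANT OPTION.
# $1 = database, $2 = user, $3 = password (hex only, so no quoting issues).
provision_sql() {
    db=$1; user=$2; pass=$3
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

PASS=$(gen_password)
CNF_DIR=$(mktemp -d)                                   # assumption: a scratch dir; use ~/.orangescrum.cnf on a real server
CNF=$(write_client_cnf "$CNF_DIR/client.cnf" "$DB_USER" "$PASS")
SQL=$(provision_sql "$DB_NAME" "$DB_USER" "$PASS")
echo "$SQL"

# On the server (needs the MariaDB root password once, interactively):
#   provision_sql "$DB_NAME" "$DB_USER" "$PASS" | mysql -u root -p
# Then import the schema as the application user; the password comes from the option file:
#   mysql --defaults-extra-file="$CNF" "$DB_NAME" < /var/www/html/database.sql
```

The same option file can later be given to cron jobs or backup scripts with ‘--defaults-extra-file’, so the password lives in exactly one 0600 file instead of in scripts and history.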

Next, by default STRICT mode is on in recent MySQL/MariaDB releases and Orangescrum needs it off. Edit the [mysqld] section of my.cnf:

# nano /etc/my.cnf

Find and change (or add) the line from:

sql_mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

To:

sql_mode=NO_ENGINE_SUBSTITUTION

(Leaving STRICT_TRANS_TABLES in the list would keep strict mode on.) Restart MariaDB afterwards with ‘systemctl restart mariadb’ and confirm with ‘mysql -u root -p -e "SELECT @@sql_mode"’.

Next step: you need to change post_max_size and upload_max_filesize to 200M in the php.ini file:

# nano /etc/php.ini

Find and change these values

post_max_size = 200M

upload_max_filesize = 200M

Or use these commands. The stock values are ‘post_max_size = 8M’ and ‘upload_max_filesize = 2M’, with spaces around the equals sign; sed only replaces what matches exactly, so check the result with ‘grep -E "^(post_max_size|upload_max_filesize)" /etc/php.ini’ afterwards:

# cp /etc/php.ini /etc/php.ini.bak
# sed -i "s/^post_max_size = 8M/post_max_size = 200M/" /etc/php.ini
# sed -i "s/^upload_max_filesize = 2M/upload_max_filesize = 200M/" /etc/php.ini

Restart Apache afterwards so PHP picks up the change.
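An added example, not from the original post, that serves both this step and the max_execution_time change in the phpMyAdmin post above: a small function that sets a php.ini directive whether the key is present, commented out with ‘;’, written with different spacing, or missing, keeps a backup, and reads the value back so the change can be verified. The php.ini content here is constructed so the script runs offline; the directive values are examples.

```shell
#!/bin/bash
# Added example, not from the original post.
# Set a php.ini directive in place, covering the cases a one-line sed misses:
# the key is commented out (";memory_limit = 128M"), spaced differently
# ("upload_max_filesize=2M"), or absent. A timestamped backup is kept.

# $1 = ini file, $2 = key, $3 = new value. Returns 1 if the file does not exist.
set_ini_value() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    if grep -Eq "^[[:space:]]*;?[[:space:]]*$key[[:space:]]*=" "$file"; then
        # Rewrite every existing occurrence, commented or not, as "key = value".
        sed -i -E "s|^[[:space:]]*;?[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the effective value (first uncommented occurrence) of $2 in $1.
get_ini_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Constructed sample php.ini (not the real /etc/php.ini) so this runs anywhere.
INI=$(mktemp)
cat > "$INI" <<'EOF'
[PHP]
; Maximum execution time of each script, in seconds
max_execution_time = 30
post_max_size = 8M
upload_max_filesize=2M
;memory_limit = 128M
EOF

set_ini_value "$INI" post_max_size 200M
set_ini_value "$INI" upload_max_filesize 200M
set_ini_value "$INI" max_execution_time 300   # finite, rather than phpMyAdmin's "Unlimited"
set_ini_value "$INI" memory_limit 256M        # commented-out key becomes active
set_ini_value "$INI" max_input_time 300       # missing key is appended
cat "$INI"
```

Run it against /etc/php.ini with sudo, then ‘systemctl restart httpd’ and confirm with ‘php -i | grep -E "post_max_size|upload_max_filesize"’. Per-site settings (the Virtualmin option from the phpMyAdmin post, or a php-fpm pool) still override these, so check a phpinfo() page from the site itself if the value does not seem to apply.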

Configuring Apache web server for Orangescrum

We will create an Apache virtual host for your Orangescrum website. First create the ‘/etc/httpd/conf.d/vhosts.conf’ file using a text editor of your choice:

# nano /etc/httpd/conf.d/vhosts.conf

Add this line

IncludeOptional vhosts.d/*.conf

Next, create the virtual host:

# mkdir /etc/httpd/vhosts.d/

# nano /etc/httpd/vhosts.d/yourdomain.com.conf

Add the following lines (the surrounding <VirtualHost> and <Directory> tags are restored here; *:80 is assumed for a plain HTTP site):

<VirtualHost *:80>
    ServerAdmin webmaster@yourdomain.com
    DocumentRoot "/var/www/html/"
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    ErrorLog "/var/log/httpd/error_log"
    CustomLog "/var/log/httpd/access_log" combined
    DirectoryIndex index.html index.php
    <Directory "/var/www/html/">
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Save and close the file. Check the syntax with ‘apachectl configtest’ and restart the Apache service for the changes to take effect:

# systemctl restart httpd.service

Configure Orangescrum

Now you need to edit the database.php file to update the database connection details:

# nano /var/www/html/app/Config/database.php

Change the file as shown below, then save and close it:

class DATABASE_CONFIG {

    public $default = array(
        'datasource' => 'Database/Mysql',
        'persistent' => false,
        'host' => 'localhost',
        'login' => 'orangescrumuser',
        'password' => 'PASSWORD',
        'database' => 'orangescrum',
        'prefix' => '',
        'encoding' => 'utf8',
    );
}

This file and constants.php hold passwords in clear text, so keep them readable only by the web server user: ‘chmod 640 /var/www/html/app/Config/database.php /var/www/html/app/Config/constants.php’ (they are owned by apache after the chown above).

Next, you need to provide a valid email address and password for SMTP, and update the FROM_EMAIL_NOTIFY and SUPPORT_EMAIL settings in the constants.php file:

# nano /var/www/html/app/Config/constants.php

Change the following lines as per your needs:

//Gmail SMTP
define("SMTP_HOST", "ssl://smtp.example.com");
define("SMTP_PORT", "465");
define("SMTP_UNAME", "email@example.com");
define("SMTP_PWORD", "[Your email password]");

define('FROM_EMAIL_NOTIFY', 'email@example.com'); //(REQUIRED)
define('SUPPORT_EMAIL', 'email@example.com'); //(REQUIRED) From Email
define("DEV_EMAIL", 'email@example.com'); // Developer Email ID to report application errors

define('SUB_FOLDER', '/');

Save and close the file when you are finished. For a Gmail account, use an app password here rather than the account password.

Have fun!


NOTES: This post is not finished yet! Still in the trial and error phase. 1-16-2019

# mysql -u root -p orangescrum < /var/www/html/database.sql

# nano /var/www/html/app/Config/database.php

7 Days to Die Alpha 17 Release

With over 3 million copies sold on PC (digital download), 7 Days to Die has redefined the survival genre, with unrivaled crafting and world-building content. Set in a brutally unforgiving post-apocalyptic world overrun by the undead, 7 Days to Die is an open-world game that is a unique combination of first person shooter, survival horror, tower defense, and role-playing games.

If you don’t want to deal with that sort of thing you may wish to consider waiting until the stable build is released. It has been mentioned that TFP would love to do a 3 week or less experimental. Hopefully things work out in their favor so that those of you waiting on the stable build don’t have to wait all that long.


Navezgane awaits!

OHHH YESSSS!!! 6:23pm Montreal Local Time!

Lynis and CISOfy Anniversaries

Anniversaries: Lynis project (11 years) and CISOfy (5 years)

The Lynis project celebrated its 11th birthday last week! Also, Lynis 2.7.0 was released last week. Did you already upgrade?

If you think about it, it is rare. Just a handful of open source security projects reach the age of 10 years AND are still actively maintained. The secret? As its project founder, I believe it is dedication, involving the community, and helping others with sincere promotion.

Staying committed

It is hard for developers to stay involved with a project on a daily basis, especially if one has a full-time job and personal commitments.

To ensure the Lynis project would not suffer from the same issue, the company CISOfy was founded 5 years ago. The first priority for the company was getting the project back on its tracks and enhance its code.

Another special milestone is that we also reached a point where both the open source version and a commercial offering (demo) can co-exist. They increase value in both directions.

So let me take this moment to thank the community and also our customers who trust our solution. Both the standalone tool and solution would have been very different without your feedback and suggestions!

Michael (and team)

Software Repository
https://packages.cisofy.com/

Love your Work!

Installing Teamspeak on Centos 7

TeamSpeak is a VoIP server that teams or groups of people can use to communicate. It is relatively lightweight, and updates are released regularly, so keep it patched.

How to install Teamspeak on a CentOS instance.

Prerequisites

Before we begin, you’ll need:

  • CentOS 7 system (64 bit only).
  • 512 MB of RAM or higher.
  • wget (utility used for downloading files).
  • nano or vim (any text editor is fine).

Installation

System preparation

Update the system packages. This may take some time.

yum update -y

Install tools needed for this tutorial.

yum install nano wget perl tar net-tools bzip2 -y

Installation

Add an unprivileged user to run TeamSpeak. A service account needs neither a password nor an interactive shell, so give it /sbin/nologin:

useradd -m -s /sbin/nologin ts

Retrieve the TeamSpeak server software.
Make sure you have the latest release here (the version in the URL path and in the file name must both match the release you pick). The download is over plain HTTP, so compare the archive’s checksum with the one published on the download page before extracting it.

cd ~
wget http://dl.4players.de/ts/releases/3.0.13.8/teamspeak3-server_linux_amd64-3.5.0.tar.bz2

Extract the TeamSpeak tarball and copy all of the files to our unprivileged user’s home directory.

tar -xvf teamspeak3-server_linux_amd64-3.5.0.tar.bz2
cd teamspeak3-server_linux_amd64
cp -R . /home/ts/

Remove temporary files.

cd ~
rm -rf teamspeak3-server_linux_amd64
rm -f teamspeak3-server_linux_amd64-3.5.0.tar.bz2

Grant the appropriate permissions to our ts user, and accept the license (the server refuses to start without this file; see the notes at the bottom).

chown -R ts:ts /home/ts
sudo -u ts touch /home/ts/.ts3server_license_accepted

Create a systemd service for TeamSpeak. Local units belong in /etc/systemd/system (the /lib path is for units installed by packages):

nano /etc/systemd/system/teamspeak.service

Paste the following. The paths must match the directory the files were copied to, /home/ts; a unit pointing at /home/teamspeak fails because that directory does not exist here.

[Unit]
Description=TeamSpeak 3 Server
After=network.target

[Service]
WorkingDirectory=/home/ts/
User=ts
Group=ts
Type=forking
ExecStart=/home/ts/ts3server_startscript.sh start inifile=ts3server.ini
ExecStop=/home/ts/ts3server_startscript.sh stop
PIDFile=/home/ts/ts3server.pid
RestartSec=15
Restart=always
# The daemon never needs to gain privileges or share /tmp with other services.
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Save and exit.

Reload Systemd units.

systemctl --system daemon-reload

Make Teamspeak run on startup.

systemctl enable teamspeak.service

Starting, stopping and restarting

Controlling TeamSpeak is simple. You can control TeamSpeak with the following command:

systemctl (option) teamspeak.service

Replace (option) with start, stop, or restart. If it does not start, ‘journalctl -u teamspeak.service’ shows why.

For now it will not start! Check the notes at the bottom of this post.

P.S. If you are running a standalone CentOS you may change the location in the configuration, e.g. to /var/www/html/(Teamspeak). Note that anything under /var/www/html is served by Apache if it is installed, which would expose the server’s database and logs, so a directory outside the web root (such as /opt/teamspeak) is the safer choice.

Configuring the firewall

CentOS 7 no longer ships the iptables service by default; it comes with firewalld instead (which still programs iptables underneath).

Find the default zone. On most CentOS 7 installs, including Vultr instances, the default zone is public.

firewall-cmd --get-default-zone

Open the default ports for TeamSpeak: 9987/udp for voice, 30033/tcp for file transfer, and 10011/tcp for the ServerQuery interface. If each rule is added successfully, the output will read “success”.

firewall-cmd --zone=public --permanent --add-port=10011/tcp
firewall-cmd --zone=public --permanent --add-port=30033/tcp
firewall-cmd --zone=public --permanent --add-port=9987/udp

ServerQuery (10011) is an administrative interface. If you only use it from the server itself there is no need to open it at all; if you do open it, restrict it to your admin IP with a rich rule rather than leaving it reachable from everywhere.

Reload firewalld.

firewall-cmd --reload

Congratulations! You’ve successfully created a TeamSpeak server. You can connect to it with the TeamSpeak client. Sorry, for mobile they have a paid version for iPhone and Android! Hmm

[Screenshot: TeamSpeak on CentOS, what it should look like when you are connected]

NOTES:

– Make sure you chown all files to ts:ts
– Create the empty file .ts3server_license_accepted in the server directory to accept the license terms
– To retrieve the privilege key you need to check the logs in the logs/ directory where you installed your TeamSpeak server

Enjoy!

Check Internet Speed With Speedtest-cli on CentOS

In this tutorial, we’ll be installing Speedtest-cli to test the network speed of your server. Speedtest-cli is a command line interface for the popular speed-testing service, speedtest.net. It is quite simple to do and will only require basic Linux knowledge. This tutorial will work on CentOS 5, 6, and 7.

Dependencies

Before we do anything, we must install one dependency.

yum install -y python

Installation

Enter your home directory.

cd ~

Retrieve the Python script using wget. This script was written by Sivel; you can learn more about it on the GitHub page.

wget https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py

Make the speedtest.py script executable.

chmod +x speedtest.py

Usage

Run the script to determine your inbound/outbound connection bandwidth.

./speedtest.py

If you want an image of the result, run the following command instead.

./speedtest.py --share
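An added example, not from any of the original posts, for the pattern that recurs in this one (speedtest.py fetched from a GitHub master branch and executed), in the Node.js post (‘curl … | sudo bash -’) and in the CWP post (‘sh cwp-el7-latest’): download to a file, read it once, record its SHA-256, and from then on refuse to run it if the digest changes. The sample “installer” and its hash are constructed here so the script runs offline; your real pinned hash is whatever you computed after reviewing the file.

```shell
#!/bin/bash
# Added example, not from the original posts.
# Run a downloaded script only if its SHA-256 matches the digest recorded after review.

# Print the SHA-256 of a file; works with GNU sha256sum or BSD shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Run $1 with the remaining arguments only if its digest equals $2.
# Returns 2 on mismatch and never executes the file in that case.
run_verified_script() {
    script=$1; expected=$2; shift 2
    actual=$(sha256_of "$script")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: sha256 $actual != $expected" >&2
        return 2
    fi
    sh "$script" "$@"
}

# Constructed sample "installer" standing in for setup_6.x / speedtest.py / cwp-el7-latest.
SCRIPT=$(mktemp)
printf '#!/bin/sh\necho "installer ran with: $*"\n' > "$SCRIPT"
GOOD_HASH=$(sha256_of "$SCRIPT")     # in real use: computed once, after reading the file, and kept in your notes

run_verified_script "$SCRIPT" "$GOOD_HASH" --dry-run

# Tampered copy: one appended line changes the digest, so nothing executes.
printf 'echo "something that was not there when you reviewed it"\n' >> "$SCRIPT"
run_verified_script "$SCRIPT" "$GOOD_HASH" || echo "blocked (exit $?)"
```

For the Node.js post this becomes ‘curl -sLo setup_6.x https://rpm.nodesource.com/setup_6.x’, a read-through, ‘sha256_of setup_6.x’ noted down, and then ‘sudo bash -c "$(declare -f sha256_of run_verified_script); run_verified_script setup_6.x <hash>"’ or simply ‘sudo bash setup_6.x’ once the digest has been checked.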

Enjoy!

HP Proliant G7 NMI received for unknown reason

I was trying to install CentOS 7 on an HP ProLiant DL380 G7 server and received some strange NMI errors! I was booting from a fresh copy of CentOS 7! The error was generated by NMI. First I thought it was memory related; I tested like 30 different DDR3 memory sticks!

No luck, it’s not memory related

CentOS 7 is installed on the G7 server, but CentOS loads and then hangs with all kinds of weird errors related to NMI!

The weird part: I was able to install Windows Server 2012 R2 without any problem?

After digging into this error for 4 days and doing a lot of tests, I found out what was the cause of this nightmare bug!

Easy fix here!

Power on your server and go into the BIOS settings (F9)

Disable Hyper-Threading technology!

Reboot your server; the latest CentOS 7 minimal install should boot now!!

Enjoy!

HP SPP Update – Could not find kernel image

When trying to patch an HP DL380 G7 server to the latest Service Pack for ProLiant (SPP) I ran into a problem creating a valid USB boot key! When trying to boot the server from the USB key it seemed that I was missing some files when I built the key using the latest flavor of Rufus!

I found the perfect tool to make this work. Download and install UNetbootin and use its Diskimage mode to copy the bootable .ISO over to the USB flash drive.

NOTE: Not working with a 32GB+ USB key!

https://unetbootin.github.io/

First format your USB flash drive to FAT32!

Download the FAT32Format tool here

Once properly formatted, run the UNetbootin tool to create the SPP USB flash drive.

[Screenshot: UNetbootin]

Enjoy!

CWP Control Web Panel on CentOS 7

CentOS Web Panel is a free web hosting control panel designed for quick and easy management of (dedicated and VPS) servers, minus the chore of using the SSH console every time you want to do something; it offers a large number of options and features for server management in its control panel package.

CentOS 7: Installer for CentOS 7

cd /usr/local/src
wget http://centos-webpanel.com/cwp-el7-latest
sh cwp-el7-latest

The installer runs as root and is fetched over plain HTTP, so look through it (‘less cwp-el7-latest’) before running it, and only do this on a freshly installed server: CWP installs and configures its own web, database, mail and firewall stack.

If the download link doesn’t work then you can use the following:

CentOS 7: http://dl1.centos-webpanel.com/files/cwp-el7-latest

Reboot Server
Reboot your server so that all updates can take effect and CWP gets started.

reboot

CentOS Web Panel Configuration

Log in to your CWP server using the link provided by the installer on your server
CentOS WebPanel admin GUI at http://SERVER-IP:2030/
Username: root
Password: your root password

Port 2030 is plain HTTP and the login is the server’s root password, so do not leave it reachable from the whole Internet: restrict it in the firewall to your admin IP and use the HTTPS port that CWP also provides.

– Set up nameservers
– Set up the shared IP (must be your public IP address)
– Set up at least one hosting package (or edit the default package)
– Set up the root email
& now you are ready to host domains…

For additional configuration instruction, please check our wiki/documentation site.
http://wiki.centos-webpanel.com/

Kerio Connect 502 Bad Gateway timeout using webmail

Good day, having a timeout issue in your Kerio Connect webmail server published through a Microsoft IIS web server? It’s not the Kerio Connect mail server that is the problem! The problem is something to do with your Microsoft IIS web server…

Here is the complete error message:

IIS 502 – Web server received an invalid response while acting as a gateway or proxy server.

There is a problem with the page you are looking for, and it cannot be displayed.

When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.

Here is a solution to fix this problem when a user of the webmail part of Kerio Connect gets a 502 Gateway Timeout error after 2 minutes of inactivity! (Those 2 minutes are the default proxy timeout of IIS Application Request Routing, 00:02:00.)

First you need to open your IIS server configuration in Windows 2012 (IIS Manager, Configuration Editor)

[Screenshot]

Now we need to locate the system.webServer > proxy section

Now open the configuration and apply a new timeout value

Set the value to 30 minutes or more (00:30:00) so that when a user is connected to the Kerio Connect mail server through the webmail interface, the user will not be disconnected after 2 minutes of inactivity!

Hint: you can always revert the change until it works!

Don’t forget to click the Apply button to make this proxy timeout active on your IIS web server.

Enjoy!

Tuned – Automatic Performance

Tuned is a powerful daemon for dynamically auto-tuning Linux server performance based on information it gathers from monitoring use of system components, to squeeze maximum performance out of a server.

It does this by tuning system settings dynamically on the fly depending on system activity, using tuning profiles. Tuning profiles include sysctl configs, disk-elevators configs, transparent hugepages, power management options and your custom scripts.

By default tuned will not dynamically adjust system settings, but you can modify how the tuned daemon operates and allow it to dynamically alter settings based on system usage. You can use the tuned-adm command-line tool to manage the daemon once it is running.

On CentOS/RHEL 7 and Fedora, tuned comes pre-installed and activated by default, but on older versions of CentOS/RHEL 6.x you need to install it.

# yum install tuned

After the installation, you will find following important tuned configuration files.

  • /etc/tuned – tuned configuration directory.
  • /etc/tuned/tuned-main.conf – tuned main configuration file.
  • /usr/lib/tuned/ – stores a sub-directory for all tuning profiles.

Now you can start or manage the tuned service using following commands.

--------------- On RHEL/CentOS 7 --------------- 
# systemctl start tuned	        
# systemctl enable tuned	
# systemctl status tuned	
# systemctl stop tuned		
--------------- On RHEL/CentOS 6 ---------------
# service tuned start
# chkconfig tuned on
# service tuned status
# service tuned stop

Now you can control tuned using the tuned-adm tool. There are a number of predefined tuning profiles already included for some common use cases. You can check the current active profile with the following command.

# tuned-adm active

You can get a list of available tuning profiles using following command.

# tuned-adm list

To switch to any of the available profiles, for example throughput-performance (a profile that gives good performance across a variety of common server workloads):

# tuned-adm  profile throughput-performance
# tuned-adm active

To use the recommended profile for your system, run the following command.

# tuned-adm recommend

And you can disable all tuning as shown.

# tuned-adm off

That’s all for now! Tuned is a daemon that monitors usage of system components and dynamically auto-tunes a Linux server for maximum performance.

Installing Memcached on CentOS

Introduction

Memory object caching systems like Memcached can optimize backend database performance by temporarily storing information in memory, retaining frequently or recently requested records. In this way, they reduce the number of direct requests to your databases.

Because systems like Memcached can contribute to denial of service attacks if improperly configured, it is important to secure your Memcached servers. In this guide, we will cover how to protect your Memcached server by binding your installation to a local or private network interface and creating an authorized user for your Memcached instance.

Installing Memcached from Official Repositories

If you don’t already have Memcached installed on your server, you can install it from the official CentOS repositories. First, make sure that your local package index is updated:

sudo yum update

Next, install the official package as follows:

sudo yum install memcached

We can also install libmemcached, a library that provides several tools to work with your Memcached server:

sudo yum install libmemcached

Memcached should now be installed as a service on your server, along with tools that will allow you to test its connectivity. We can now move on to securing its configuration settings.

Securing Memcached Configuration Settings

To ensure that our Memcached instance listens only on the local interface 127.0.0.1, we will modify the OPTIONS variable in the configuration file located at /etc/sysconfig/memcached. We will also disable the UDP listener. Together these stop an attacker on the Internet from reading or poisoning the cache and from using the server as an amplifier in reflected denial of service attacks.

You can open /etc/sysconfig/memcached with nano:

sudo nano /etc/sysconfig/memcached

Locate the OPTIONS variable, which will initially look like this:

/etc/sysconfig/memcached
. . .
OPTIONS=""

Binding to our local network interface will restrict traffic to clients on the same machine. We will do this by adding -l 127.0.0.1 to our OPTIONS variable. This may be too restrictive for certain environments, but it can make a good starting point as a security measure.

Because UDP is connectionless, the source address of a request can be spoofed and the much larger reply is delivered to the victim; that is what makes exposed Memcached instances such effective amplifiers, so we disable the UDP listener as well. To do this, we add the -U 0 parameter to our OPTIONS variable (memcached 1.5.6 and later ship with UDP off, but the 1.4 series in the CentOS 7 repositories does not, so set it explicitly). The file in full should look like this:

/etc/sysconfig/memcached

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1 -U 0" 

Save and close the file when you are done.

Restart your Memcached service to apply your changes:

sudo systemctl restart memcached

Verify that Memcached is bound to the local interface and listening only for TCP connections. On CentOS 7 netstat comes from the net-tools package; if it is not installed, ss -plunt from iproute shows the same information:

sudo netstat -plunt

You should see the following output:

Output

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
. . .
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      2383/memcached
. . .

This confirms that memcached is bound to the 127.0.0.1 address using only TCP.
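As an added example (not part of the original guide and not memcached's own code), the following Python script audits the OPTIONS line of /etc/sysconfig/memcached the way a practitioner would before exposing a host: it parses the memcached flags discussed above (-l, -U, -S), classifies each bound address as loopback, private or public, and reports whether UDP is still on and whether SASL is enabled. The three sample configuration texts in the block are constructed for the example, and the function names are my own.

```python
"""Audit /etc/sysconfig/memcached for network exposure (added example)."""
import ipaddress
import shlex

# Constructed sample configs: the stock file, the guide's hardened OPTIONS,
# and a binding to a private address like the final section of the guide uses.
SAMPLE_DEFAULT = '''PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS=""
'''
SAMPLE_HARDENED = SAMPLE_DEFAULT.replace('OPTIONS=""', 'OPTIONS="-l 127.0.0.1 -U 0 -S -vv"')
SAMPLE_PRIVATE = SAMPLE_DEFAULT.replace('OPTIONS=""', 'OPTIONS="-l 10.0.0.5 -U 0 -S"')

RANK = {"loopback": 0, "private": 1, "public": 2}


def parse_sysconfig(text):
    """Return the KEY="value" assignments of a sysconfig file as a dict."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        parts = shlex.split(raw)          # drop the quotes as the shell would
        values[key.strip()] = parts[0] if parts else ""
    return values


def parse_options(options):
    """Extract listen addresses, UDP port and SASL flag from memcached OPTIONS.

    -l may be repeated or comma-separated and may carry an IPv4 ":port"
    suffix; no -l at all means every interface. Only the space-separated
    form ("-U 0", not "-U0") is handled here.
    """
    argv = shlex.split(options)
    listen, udp_port, sasl = [], None, False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-l" and i + 1 < len(argv):
            i += 1
            for item in argv[i].split(","):
                # exactly one colon means IPv4:port; an IPv6 literal has several
                listen.append(item.rsplit(":", 1)[0] if item.count(":") == 1 else item)
        elif arg == "-U" and i + 1 < len(argv):
            i += 1
            udp_port = int(argv[i])
        elif arg == "-S":
            sasl = True
        i += 1
    return listen or ["0.0.0.0"], udp_port, sasl


def classify(address):
    """loopback / private (RFC 1918, ULA) / public (the wildcard counts as public)."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private and not ip.is_unspecified:
        return "private"
    return "public"


def audit(sysconfig_text):
    """Return listen addresses, worst-case exposure, UDP/SASL state and findings."""
    conf = parse_sysconfig(sysconfig_text)
    tcp_port = int(conf.get("PORT", "11211"))
    listen, udp_port, sasl = parse_options(conf.get("OPTIONS", ""))
    # memcached 1.4.x (CentOS 7) serves UDP on the TCP port unless -U 0 is given
    udp = (tcp_port if udp_port is None else udp_port) != 0
    exposure = max((classify(a) for a in listen), key=RANK.__getitem__)
    findings = []
    if exposure == "public":
        findings.append("bound to a public/wildcard address: reachable from anywhere unless firewalled")
    if udp:
        findings.append("UDP listener enabled: usable as a reflection/amplification source")
    if exposure != "loopback" and not sasl:
        findings.append("reachable over the network without SASL (-S): anyone can read or poison the cache")
    if exposure == "private":
        findings.append("bound to a private address: restrict client IPs with firewalld source rules")
    return {"listen": listen, "exposure": exposure, "udp": udp, "sasl": sasl, "findings": findings}


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED),
                       ("private", SAMPLE_PRIVATE)):
        result = audit(text)
        print("%-8s listen=%s exposure=%s udp=%s sasl=%s" % (
            name, ",".join(result["listen"]), result["exposure"], result["udp"], result["sasl"]))
        for finding in result["findings"]:
            print("         - " + finding)
```

To check a real host, pass the file contents: audit(open("/etc/sysconfig/memcached").read()). The three exposure values map directly onto the three configurations this guide walks through (stock, loopback-only, private interface).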

Adding Authorized Users

To add authenticated users to your Memcached service, it is possible to use Simple Authentication and Security Layer (SASL), a framework that de-couples authentication procedures from application protocols. We will enable SASL within our Memcached configuration file and then move on to adding a user with authentication credentials.

Configuring SASL Support

We can first test the connectivity of our Memcached instance with the memstat command. This will help us establish that SASL and user authentication are enabled after we make changes to our configuration files.

To check that Memcached is up and running, type the following:

memstat --servers="127.0.0.1"

You should see output like the following:

Output

Server: 127.0.0.1 (11211)
     pid: 3831
     uptime: 9
     time: 1520028517
     version: 1.4.25
     . . .

Now we can move on to enabling SASL. First, we can add the -S parameter to our OPTIONS variable in /etc/sysconfig/memcached, which will enable SASL. Open the file again:

sudo nano /etc/sysconfig/memcached

We will add both the -S and -vv parameters to our OPTIONS variable. The -vv option makes memcached verbose; on CentOS 7 that output is captured by systemd and can be read with journalctl, which will help us as we debug (remove -vv again once everything works, since it logs every command). Add these options to the OPTIONS variable as follows:

/etc/sysconfig/memcached
. . .
OPTIONS="-l 127.0.0.1 -U 0 -S -vv" 

Save and close the file.

Restart the Memcached service:

sudo systemctl restart memcached

Next, we can take a look at the logs to be sure that SASL support has been enabled:

sudo journalctl -u memcached

You should see the following line, indicating that SASL support has been initialized:

Output

. . .
Mar 05 18:16:11 memcached-server memcached[3846]: Initialized SASL.
. . .

We can check the connectivity again, but because SASL has been initialized, this command should fail without authentication:

memstat --servers="127.0.0.1"

This command should not produce output. We can type the following to check its status:

echo $?

$? holds the exit status of the last command. Anything besides 0 indicates failure; here we expect an exit status of 1, which tells us that memstat could not talk to the server without credentials.

Adding an Authenticated User

Now we install two packages that let us work with the Cyrus SASL library and its authentication mechanisms, including the plugin for the PLAIN mechanism. These packages, cyrus-sasl-devel and cyrus-sasl-plain, provide the saslpasswd2 tool we use to create the user and the plugin Memcached needs to verify it. Install the packages by typing:

sudo yum install cyrus-sasl-devel cyrus-sasl-plain

Next, we will create the directory and file that Memcached will check for its SASL configuration settings:

sudo mkdir -p /etc/sasl2
sudo nano /etc/sasl2/memcached.conf 

Add the following to the SASL configuration file:

/etc/sasl2/memcached.conf
mech_list: plain
log_level: 5
sasldb_path: /etc/sasl2/memcached-sasldb2

In addition to specifying the logging level, we set mech_list to plain, which restricts Memcached to the SASL PLAIN mechanism: the client sends a username and a plaintext password, and Memcached verifies them against the sasldb file whose path we set in sasldb_path. Because PLAIN transmits the password in the clear, it is only acceptable over loopback or a trusted private network, which is exactly how this guide binds the service. Save and close the file when you are finished.

Now we will create a SASL database with our user credentials. We will use the saslpasswd2 command to make a new entry for our user in our database using the -c option. Our user will be sammy here, but you can replace this name with your own user. Using the -f option, we will specify the path to our database, which will be the path we set in /etc/sasl2/memcached.conf:

sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 sammy

Finally, give the memcached user ownership of the SASL database. The file holds the credential, so it should be readable by that user only:

sudo chown memcached:memcached /etc/sasl2/memcached-sasldb2

Restart the Memcached service:

sudo systemctl restart memcached

Running memstat again will confirm whether or not our authentication process worked. This time we will run it with our authentication credentials:

memstat --servers="127.0.0.1" --username=sammy --password=your_password

You should see output like the following:

Output

Server: 127.0.0.1 (11211)
     pid: 3831
     uptime: 9
     time: 1520028517
     version: 1.4.25
     . . .

Our Memcached service is now successfully running with SASL support and user authentication.

Allowing Access Over the Private Network

We have covered how to configure Memcached to listen on the local interface, which can prevent denial of service attacks by protecting the Memcached interface from exposure to outside parties. There may be instances where you will need to allow access from other servers, however. In this case, you can adjust your configuration settings to bind Memcached to the private network interface.

Limiting IP Access With Firewalls

Before you adjust your configuration settings, it is a good idea to set up firewall rules to limit the machines that can connect to your Memcached server. If FirewallD is active on your server and you do not plan on connecting to Memcached from another host, you do not need to adjust your firewall rules: the standalone instance is listening on 127.0.0.1, thanks to the OPTIONS variable we defined earlier, so there is no incoming traffic to worry about. If you plan to allow access to your Memcached server from other hosts, however, you will need to make changes to your firewall settings using the firewall-cmd command.

Begin by adding a dedicated Memcached zone to your firewalld policy:

sudo firewall-cmd --permanent --new-zone=memcached

Then, specify which port you would like to keep open. Memcached uses port 11211 by default:

sudo firewall-cmd --permanent --zone=memcached --add-port=11211/tcp

Next, specify the private IP addresses that should be allowed to access Memcached. For this, you will need to know your client server’s private IP address:

sudo firewall-cmd --permanent --zone=memcached --add-source=client_server_private_IP

Reload the firewall to ensure that the new rules take effect:

sudo firewall-cmd --reload

Packets from your client’s IP address should now be processed according to the rules in the dedicated Memcached zone. All other connections will be processed by the default public zone.

With these changes in place, we can move on to making the necessary configuration changes to our Memcached service, binding it to our server’s private networking interface.

Binding Memcached to the Private Network Interface

The first step in binding to our server’s private networking interface will be modifying the OPTIONS variable we set earlier.

We can open /etc/sysconfig/memcached again by typing:

sudo nano /etc/sysconfig/memcached

Inside, locate the OPTIONS variable. We can now modify -l 127.0.0.1 to reflect our Memcached server’s private IP:

/etc/sysconfig/memcached
. . .
OPTIONS="-l memcached_servers_private_IP -U 0 -S -vv"

Save and close the file when you are finished.

Restart the Memcached service again:

sudo systemctl restart memcached

Check your new settings with netstat to confirm the change:

sudo netstat -plunt
Output
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
. . .
tcp        0      0 memcached_servers_private_IP:11211         0.0.0.0:*               LISTEN      2383/memcached

Test connectivity from your external client to ensure that you can still reach the service. It is a good idea to also check access from a non-authorized client to ensure that your firewall rules are effective.

Guide to secure SSH on Centos 7

1. Overview

SSH is the standard secure remote management protocol for almost all Linux distributions. It provides confidentiality and integrity by encrypting the session, so passwords are no longer sent in plain text over the network. Nevertheless, a default SSH configuration can still put a server at risk.

That is why it is worth following the few simple hardening steps below; together they reduce the risk considerably. One rule applies to all of them: sshd uses the first occurrence of each keyword in sshd_config and silently ignores later duplicates, so whenever you add a directive, check that it is not already set earlier in the file.

2. Prerequisites

In this document it is assumed that you already have a RHEL/CentOS 7 Linux server installed, up and running.

3. Disable Root Logins

Logging in as root over SSH is not recommended. The better approach is to log in as a normal user and use sudo for the tasks that require root privileges (for more detail about sudo, see Linux Privilege Delegation With Sudoers). To disable root login via SSH, update /etc/ssh/sshd_config and restart the SSH service as follows. Before restarting, make sure a sudo-capable user can already log in, keep your current session open until you have verified a new one, and run sshd -t to catch syntax errors in the file before they lock you out.

#vim /etc/ssh/sshd_config
PermitRootLogin no
#systemctl restart sshd

4. Limit User Logins

By default, every valid user on the system can log in over SSH. For security reasons, restrict this to the users who really need SSH access. Add the parameter AllowUsers followed by a space-separated list of usernames to /etc/ssh/sshd_config. In the following example only two users, "john" and "sysadmin", can log in to the server via SSH; note that this also blocks root, and that the directive must appear before any Match block to apply globally.

$sudo vim /etc/ssh/sshd_config
AllowUsers  john sysadmin
$sudo systemctl restart sshd

5. Disable Protocol 1

SSH protocol 1 is insecure and should never be used; only protocol 2 should be accepted. CentOS 7 ships OpenSSH 7.4, which no longer contains server-side support for protocol 1 at all, so the setting below is a harmless no-op there; on older builds, set it explicitly. Edit /etc/ssh/sshd_config and restart the SSH service as follows.

$sudo vim /etc/ssh/sshd_config
Protocol 2
$sudo systemctl restart sshd

6. Change Default Port

Port 22 is the port SSH listens on by default, and attackers scan for it constantly. Moving sshd to another port, for example 22224 as below, does not stop a determined attacker (a port scan will find the new port), but it removes most of the automated brute-force noise from your logs.

$sudo vim /etc/ssh/sshd_config
Port 22224

Before restarting, check which ports SELinux allows sshd to listen on. On a stock CentOS 7 system only port 22 is labelled (the semanage tool is provided by the policycoreutils-python package).

$sudo semanage port -l | grep ssh
ssh_port_t                     tcp      22

To allow sshd to listen on the new port 22224, add the port to the ssh_port_t type and restart the SSH service as follows. Open the port in the firewall (next section) before you disconnect.

$sudo semanage port -a -t ssh_port_t -p tcp 22224
$sudo systemctl restart sshd

7. Limit Access With Firewall

For an extra layer of protection, filter SSH connections with the firewall so that only authorized source addresses can reach the changed port 22224. The rule below is for iptables: edit /etc/sysconfig/iptables and restart the iptables service as follows. This requires the iptables-services package, because CentOS 7 ships firewalld by default; with firewalld, the equivalent is a rich rule or a dedicated zone with the management subnet as its source, as in the Memcached guide above. Make sure the rule precedes any rule that rejects new connections, and keep a console session open while you test it.

$sudo vim /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp -s 192.168.10.0/24 --dport 22224 -j ACCEPT
$sudo systemctl restart iptables

8. Limit Idle Timeout Interval

A session that stays connected after the user has walked away from an unlocked screen is a security risk, so sshd should drop idle sessions. Edit /etc/ssh/sshd_config as follows; the interval is in seconds, so 300 gives a 5-minute idle timeout. Two caveats: this relies on the behaviour of OpenSSH before 8.2 (CentOS 7 ships 7.4), where ClientAliveCountMax 0 drops a client that has sent nothing for one interval; since OpenSSH 8.2 a value of 0 disables the check entirely. And a client configured with ServerAliveInterval keeps sending traffic and is never considered idle, so for a real shell idle timeout also set TMOUT in the users' shell profile.

$sudo vim /etc/ssh/sshd_config
ClientAliveInterval 300
ClientAliveCountMax 0
$sudo systemctl restart sshd

9. Limit Maximum Fail Authentication

Limiting the number of authentication attempts per connection slows down password brute-forcing. Once a user has failed N times (MaxAuthTries N), sshd disconnects the session and the client has to reconnect. With the configuration below, a client that enters the wrong password 5 times on one connection is disconnected. Note that the limit is per connection, so an attacker simply reconnects (pair it with MaxStartups below or a tool such as fail2ban), and that every public key a client offers also counts as an attempt, so users with many keys loaded in their agent may hit the limit before they reach the password prompt.

$sudo vim /etc/ssh/sshd_config
MaxAuthTries 5
$sudo systemctl restart sshd

10. Limit Listen Address

By default sshd listens on all available interfaces, which should be limited. If the server has several interfaces configured with different IP addresses, it is best to accept SSH logins only on the management IP address. Make sure that address is configured at boot, because sshd will fail to start if it cannot bind to it.

$sudo vim /etc/ssh/sshd_config
ListenAddress 192.168.10.10
$sudo systemctl restart sshd

11. Disable Rhosts Files Support

A .rhosts file lists remote hosts and users that a local account trusts. With rhosts-based authentication, a user coming from a trusted host could log in via SSH without entering a password. IgnoreRhosts yes is already the default in current OpenSSH, but setting it explicitly documents the intent.

$sudo vim /etc/ssh/sshd_config
IgnoreRhosts yes
$sudo systemctl restart sshd

12. Disable Empty Passwords Access

In some cases an account on the server may have no password set or an empty password. Always refuse SSH logins to such accounts (this is also the default).

$sudo vim /etc/ssh/sshd_config
PermitEmptyPasswords no
$sudo systemctl restart sshd

13. Disable Host-Based Authentication

Host-based authentication lets a trusted client host authenticate on behalf of all or some of its users with the host's key, instead of the users' own credentials. Keep it disabled (the default).

$sudo vim /etc/ssh/sshd_config
HostbasedAuthentication no
$sudo systemctl restart sshd

14. Enable Informational Log Level

Configure the SSH server to log at INFO level. Since SSH is an entry point to the server, it is recommended to log as much as is useful, so that comprehensive log information is available when investigating a problem or an intrusion. INFO is the default; LogLevel VERBOSE additionally records the fingerprint of the key used for each public-key login, which is valuable for forensics.

$sudo vim /etc/ssh/sshd_config
LogLevel INFO
$sudo systemctl restart sshd

15. Reduce Maximum Start Up Connection

Reducing the number of concurrent unauthenticated connections to the SSH daemon helps against brute-force attacks. MaxStartups 4 tells sshd to allow only 4 unauthenticated connections at a time; further connections are dropped until one of them authenticates or times out (see LoginGraceTime). The form start:rate:full (for example 4:50:10) instead drops new connections with increasing probability once 4 are pending, reaching 100% at 10, which is gentler on legitimate users.

$sudo vim /etc/ssh/sshd_config
MaxStartups 4
$sudo systemctl restart sshd

16. Reduce Login Grace Time

When a client connects, the default configuration gives it 2 minutes to log in; if it does not authenticate within that time, the connection is closed. Two minutes is more than needed and lets an attacker hold unauthenticated slots (see MaxStartups) open for longer, so reduce it to 1 minute instead.

$sudo vim /etc/ssh/sshd_config
LoginGraceTime 1m
$sudo systemctl restart sshd
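As an added example covering sections 3 to 16 as one checklist, the Python script below audits an sshd_config file. It is not part of the original guide and not OpenSSH code; it applies the rule sshd itself uses when reading the file, that the first value given for a keyword wins and later duplicates are ignored, treats list keywords such as AllowUsers as accumulating, and stops at the first Match block because directives below it are conditional. The sample configuration is constructed for the example and deliberately contains the common mistake of appending PermitRootLogin no after an earlier PermitRootLogin yes. The default values are those of OpenSSH 7.4 as shipped in CentOS 7; function names are my own.

```python
"""Audit sshd_config against the hardening checklist (added example)."""
import re

# Constructed sample, not from a real host. The trailing "PermitRootLogin no"
# is the classic mistake: sshd keeps the FIRST value, so root login stays on.
SAMPLE_SSHD_CONFIG = """\
# hardening pass, CentOS 7
Port 22224
ListenAddress 192.168.10.10
PermitRootLogin yes
AllowUsers john
AllowUsers sysadmin
MaxAuthTries 5
ClientAliveInterval 300
ClientAliveCountMax 0
LoginGraceTime 1m
LogLevel INFO
MaxStartups 4
# appended later by someone who did not notice the line above
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

# Defaults of OpenSSH 7.4 (CentOS 7) for the directives the audit inspects.
DEFAULTS = {
    "permitrootlogin": "yes", "maxauthtries": "6", "logingracetime": "120",
    "clientaliveinterval": "0", "clientalivecountmax": "3", "ignorerhosts": "yes",
    "permitemptypasswords": "no", "hostbasedauthentication": "no",
    "loglevel": "INFO", "maxstartups": "10:30:100",
}
# Keywords whose repeated lines add up instead of being ignored.
ACCUMULATING = {"port", "listenaddress", "allowusers", "allowgroups",
                "denyusers", "denygroups"}
KEYWORD = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (effective global settings, ignored duplicates) as sshd would see them."""
    effective, ignored = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # sshd only knows whole-line comments
            continue
        m = KEYWORD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                               # everything below is conditional
        if key in ACCUMULATING:
            effective.setdefault(key, []).extend(value.split())
        elif key in effective:
            ignored.append((key, value))        # sshd silently drops this one
        else:
            effective[key] = value
    return effective, ignored


def seconds(value):
    """Parse an sshd time value such as 120, 1m or 1h30m into seconds."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))


def audit(text):
    """Return the effective settings plus a list of findings against the checklist."""
    conf, ignored = parse_sshd_config(text)
    get = lambda key: conf.get(key, DEFAULTS.get(key))
    findings = []
    if get("permitrootlogin").lower() != "no":
        findings.append("PermitRootLogin is effectively %r: direct root login allowed" % get("permitrootlogin"))
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups: every local account may log in")
    if "22" in conf.get("port", ["22"]):
        findings.append("sshd listens on the default port 22")
    if "listenaddress" not in conf:
        findings.append("no ListenAddress: sshd listens on all interfaces")
    if int(get("maxauthtries")) > 5:
        findings.append("MaxAuthTries %s: more than 5 guesses per connection" % get("maxauthtries"))
    if seconds(get("clientaliveinterval")) == 0:
        findings.append("ClientAliveInterval 0: idle sessions are never dropped")
    if seconds(get("logingracetime")) > 60:
        findings.append("LoginGraceTime %s: unauthenticated connections linger" % get("logingracetime"))
    if get("ignorerhosts").lower() != "yes":
        findings.append("IgnoreRhosts is not yes")
    if get("permitemptypasswords").lower() != "no":
        findings.append("PermitEmptyPasswords is not no")
    if get("hostbasedauthentication").lower() != "no":
        findings.append("HostbasedAuthentication is not no")
    if get("loglevel").upper() not in ("INFO", "VERBOSE"):
        findings.append("LogLevel %s: too little detail for investigations" % get("loglevel"))
    if "maxstartups" not in conf:
        findings.append("MaxStartups left at the default 10:30:100")
    for key, value in ignored:
        findings.append("duplicate '%s %s' is ignored by sshd (first value wins)" % (key, value))
    return {"effective": conf, "findings": findings}


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG)["findings"]:
        print("- " + finding)
```

On the sample it reports exactly two problems: root login is still effectively allowed, and the duplicate line that was meant to fix it is ignored. Run audit(open("/etc/ssh/sshd_config").read()) on a host before restarting sshd; it complements rather than replaces sshd -t, which checks syntax but not policy.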

Cannot send email from OpenCart 3.x webform?

It’s not OpenCart 3.x that is the problem! The problem is your internet hosting company’s bad mail server configuration and spam security policy controls! VERY complicated stuff to fix, but all working well on my side!

Hint: Use MAIL and Port 995 Pop3! and the famous -f email option in OpenCart!

😉

Have a good fun with this one!

MBSTRING PHP 7 conflicts with PHP5

Having problems installing mbstring on your CentOS 7 server running PHP 5.5.x and PHP 7.x? In my case php-mbstring for PHP 7.x was missing!

Solutions:

yum install scl-utils

yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm

yum install php70-php-mbstring

With this you have PHP 7.0 and its mbstring extension installed as a Software Collection under /opt/remi/php70, running next to the other PHP versions rather than replacing them. Note that EPEL and Remi are third-party repositories: their release packages install the GPG keys used to verify what you pull from them, so leave gpgcheck enabled, and confirm which PHP your httpd actually loads.

Don’t forget to restart your Apache web server:

systemctl restart httpd

Enjoy!

Let’s Encrypt Kerio Connect Mail Server on Windows Server

I had a hard time figuring out how to use a Let’s Encrypt SSL certificate on a Kerio Connect mail server running on a Windows 2012 R2 web server / IIS.

The first thing I installed is called Certify the Web:
https://certifytheweb.com/

This tool was already deployed on the Windows 2012 R2 server; follow the steps, or work out how to deploy Certify the Web on your own Windows 2012 R2 server.

The first thing to do: request a certificate using Certify the Web for the PRIMARY mail domain name.

So now you have a valid certificate for mail.yourdomain.x

Just test it… https://mail.yourdomain.x

Now, to use the Let’s Encrypt SSL certificate on your Kerio Connect mail server, you need a tool to export the .key and .crt files from the Windows certificate store for Kerio Connect. This tool is the free DigiCert Certificate Utility for Windows:

https://www.digicert.com/util/

The next step is to get our hands on those .key and .crt files.

1. Yes, export the private key with this…

2. You must provide a password for your private key…

3. Save the private key… You will use this KEY file for Kerio Connect.

4. Now export the certificate itself.

Again, save this file! This generates the .cer for your Kerio Connect mail server.

You should now have those files in your directory…

Now let’s see what to do in Kerio Connect!

Import your .key and .crt files into Kerio Connect under SSL Certificates.

Kerio Connect is now using a Let’s Encrypt certificate, which is valid for a period of 3 months. The downside is that you will have to repeat this manually every time the certificate expires, or maybe not! We’ll see in 3 months 😉

Now your Kerio Connect mail server running on Windows Server will be able to offer TLS-secured email connections!

ENJOY!

Cryptsetup on Centos 7 Server

Linux encryption methods

There are two levels at which you can encrypt your data:

#1: Filesystem stacked level encryption

  1. eCryptfs – A cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file is decrypted with the proper key from the Linux kernel keyring. It is widely used, as the basis for Ubuntu’s Encrypted Home Directory, natively within Google’s ChromeOS, and transparently embedded in several network attached storage (NAS) devices.
  2. EncFS – An encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and kernel module to provide the filesystem interface. EncFS is open source software, licensed under the GPL.

#2: Block device level encryption

  1. Loop-AES – Fast and transparent file system and swap encryption package for Linux. No source code changes to the Linux kernel are needed. Works with 3.x, 2.6, 2.4, 2.2 and 2.0 kernels.
  2. VeraCrypt – Free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X and Linux, based on the TrueCrypt codebase.
  3. dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in the Linux kernel (2.6 and later) and DragonFly BSD. It can encrypt whole disks, removable media, partitions, software RAID volumes, logical volumes, and files. LUKS is the on-disk header format that stores the cipher parameters and the passphrase-protected key slots in front of the encrypted data.

In this post, I will explain how to encrypt your partitions using Linux Unified Key Setup-on-disk-format (LUKS) on your Linux based computer or laptop.

Step #1: Install cryptsetup utility

You need to install the following package. It contains cryptsetup, a utility for setting up encrypted filesystems using Device Mapper and the dm-crypt target. Debian / Ubuntu Linux users type the following apt-get command or apt command:
# apt-get install cryptsetup
OR
$ sudo apt install cryptsetup
Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  console-setup console-setup-linux cryptsetup-bin kbd keyboard-configuration xkb-data
Suggested packages:
  dosfstools keyutils
The following NEW packages will be installed:
  console-setup console-setup-linux cryptsetup cryptsetup-bin kbd keyboard-configuration xkb-data
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,130 kB of archives.
After this operation, 13.2 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian stretch/main amd64 kbd amd64 2.0.3-2+b1 [343 kB]
Get:2 http://deb.debian.org/debian stretch/main amd64 keyboard-configuration all 1.164 [644 kB]
Get:3 http://deb.debian.org/debian stretch/main amd64 console-setup-linux all 1.164 [983 kB]
Get:4 http://deb.debian.org/debian stretch/main amd64 xkb-data all 2.19-1 [648 kB]
Get:5 http://deb.debian.org/debian stretch/main amd64 console-setup all 1.164 [117 kB]
Get:6 http://deb.debian.org/debian stretch/main amd64 cryptsetup-bin amd64 2:1.7.3-4 [221 kB]
Get:7 http://deb.debian.org/debian stretch/main amd64 cryptsetup amd64 2:1.7.3-4 [174 kB]
Fetched 3,130 kB in 0s (7,803 kB/s)
Preconfiguring packages ...
Selecting previously unselected package kbd.
(Reading database ... 22194 files and directories currently installed.)
Preparing to unpack .../0-kbd_2.0.3-2+b1_amd64.deb ...
Unpacking kbd (2.0.3-2+b1) ...
Selecting previously unselected package keyboard-configuration.
Preparing to unpack .../1-keyboard-configuration_1.164_all.deb ...
Unpacking keyboard-configuration (1.164) ...
Selecting previously unselected package console-setup-linux.
Preparing to unpack .../2-console-setup-linux_1.164_all.deb ...
Unpacking console-setup-linux (1.164) ...
Selecting previously unselected package xkb-data.
Preparing to unpack .../3-xkb-data_2.19-1_all.deb ...
Unpacking xkb-data (2.19-1) ...
Selecting previously unselected package console-setup.
Preparing to unpack .../4-console-setup_1.164_all.deb ...
Unpacking console-setup (1.164) ...
Selecting previously unselected package cryptsetup-bin.
Preparing to unpack .../5-cryptsetup-bin_2%3a1.7.3-4_amd64.deb ...
Unpacking cryptsetup-bin (2:1.7.3-4) ...
Selecting previously unselected package cryptsetup.
Preparing to unpack .../6-cryptsetup_2%3a1.7.3-4_amd64.deb ...
Unpacking cryptsetup (2:1.7.3-4) ...
Setting up keyboard-configuration (1.164) ...
Setting up xkb-data (2.19-1) ...
Setting up kbd (2.0.3-2+b1) ...
Processing triggers for systemd (232-25+deb9u1) ...
Setting up cryptsetup-bin (2:1.7.3-4) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up console-setup-linux (1.164) ...
Created symlink /etc/systemd/system/sysinit.target.wants/keyboard-setup.service → /lib/systemd/system/keyboard-setup.service.
Created symlink /etc/systemd/system/multi-user.target.wants/console-setup.service → /lib/systemd/system/console-setup.service.
Setting up console-setup (1.164) ...
Setting up cryptsetup (2:1.7.3-4) ...
update-initramfs: deferring update (trigger activated)
Processing triggers for systemd (232-25+deb9u1) ...
Processing triggers for initramfs-tools (0.130) ...
update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64

RHEL / CentOS / Oracle / Scientific Linux user type the following yum command:
# yum install cryptsetup-luks
OR Fedora Linux user use the dnf command:
# dnf install cryptsetup-luks

Step #2: Configure LUKS partition

WARNING! The following command will remove all data on the partition that you are encrypting. You WILL lose all your information! So make sure you backup your data to an external source such as NAS or hard disk before typing any one of the following command.

In this example, I’m going to encrypt /dev/xvdc. The -y option asks for the passphrase twice so that a typo cannot lock you out, and -v makes the output verbose. Type the following command:
# cryptsetup -y -v luksFormat /dev/xvdc
Sample outputs:

WARNING!
========
This will overwrite data on /dev/xvdc irrevocably.
 
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
Command successful.

This command initializes the volume and sets an initial key or passphrase. Please note that the passphrase is not recoverable, so do not forget it. Type the following command to create a mapping:
# cryptsetup luksOpen /dev/xvdc backup2
Sample outputs:

Enter passphrase for /dev/xvdc:

Once the supplied passphrase has been verified against the key slots written by luksFormat, the mapping appears as /dev/mapper/backup2:
# ls -l /dev/mapper/backup2
Sample outputs:

lrwxrwxrwx 1 root root 7 Oct 19 19:37 /dev/mapper/backup2 -> ../dm-0

You can use the following command to see the status for the mapping:
# cryptsetup -v status backup2
Sample outputs:

/dev/mapper/backup2 is active.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/xvdc
  offset:  4096 sectors
  size:    419426304 sectors
  mode:    read/write
Command successful.

You can dump LUKS headers using the following command:
# cryptsetup luksDump /dev/xvdc
Sample outputs:

LUKS header information for /dev/xvdc
 
Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha256
Payload offset:	4096
MK bits:       	256
MK digest:     	21 07 68 54 77 96 11 34 f2 ec 17 e9 85 8a 12 c3 1f 3e cf 5f 
MK salt:       	8c a6 3d 8c e9 de 16 fb 07 fd 8e d3 72 d7 db 94 
               	7e e0 75 f9 e0 23 24 df 50 26 fb 92 f8 b5 dd 70 
MK iterations: 	222000
UUID:          	4dd563a9-5bff-4fea-b51d-b4124f7185d1
 
Key Slot 0: ENABLED
	Iterations:         	2245613
	Salt:               	05 a8 b4 a2 54 f7 c6 ee 52 db 60 b6 12 7f 2f 53 
	                      	3f 5d 2d 62 fb 5a b1 c3 52 da d5 5f 7b 2d 38 32 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
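To make the luksDump output above concrete, here is an added example (not part of the original article and not cryptsetup’s own code) that parses a LUKS1 header according to the fixed 592-byte layout of the LUKS1 on-disk format: magic, version, cipher name, cipher mode, hash spec, payload offset, master-key size, master-key digest, salt and iteration count, UUID, and then eight 48-byte key slots, all integers big-endian. It also applies a few sanity checks a practitioner would want (no usable slot, a suspiciously low PBKDF2 count, damaged slot markers, legacy hash). Because it cannot read a device offline, build_header() constructs a header in memory whose values are made up for the example; slot 0 starts at sector 8 as in the dump above, and the spacing of the other slots (key material rounded up to 4096-byte blocks) is an assumption that matches cryptsetup’s layout for a 256-bit key.

```python
"""Parse and sanity-check a LUKS1 header (added example)."""
import hashlib
import struct
import uuid

LUKS_MAGIC = b"LUKS\xba\xbe"
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD
# Fixed part: magic, version, cipher-name, cipher-mode, hash-spec, payload-offset,
# key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid (208 bytes, big-endian).
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# One key slot: active, iterations, salt, key-material-offset, stripes (48 bytes).
SLOT = struct.Struct(">II32sII")
HEADER_SIZE = PHDR.size + 8 * SLOT.size   # 592 bytes


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_luks1_header(data):
    """Return the header fields as a dict, like cryptsetup luksDump shows them."""
    if len(data) < HEADER_SIZE:
        raise ValueError("short read: a LUKS1 header is %d bytes" % HEADER_SIZE)
    f = PHDR.unpack_from(data, 0)
    if f[0] != LUKS_MAGIC:
        raise ValueError("LUKS magic not found")
    if f[1] != 1:
        raise ValueError("LUKS version %d unsupported (LUKS2 keeps its metadata in JSON)" % f[1])
    slots = []
    for n in range(8):
        active, iters, salt, offset, stripes = SLOT.unpack_from(data, PHDR.size + n * SLOT.size)
        state = {KEY_ENABLED: "ENABLED", KEY_DISABLED: "DISABLED"}.get(active, "INVALID")
        slots.append({"state": state, "iterations": iters, "salt": salt,
                      "offset": offset, "stripes": stripes})
    return {"version": f[1], "cipher": _cstr(f[2]), "mode": _cstr(f[3]), "hash": _cstr(f[4]),
            "payload_offset": f[5], "mk_bits": f[6] * 8, "mk_digest": f[7], "mk_salt": f[8],
            "mk_iterations": f[9], "uuid": _cstr(f[10]), "slots": slots}


def check_header(info):
    """Sanity checks a practitioner would run on a dumped header."""
    findings = []
    enabled = [n for n, s in enumerate(info["slots"]) if s["state"] == "ENABLED"]
    if not enabled:
        findings.append("no enabled key slot: the device cannot be unlocked")
    for n in enabled:
        if info["slots"][n]["iterations"] < 1000:
            findings.append("key slot %d: PBKDF2 count %d is below the 1000 cryptsetup enforces"
                            % (n, info["slots"][n]["iterations"]))
    if any(s["state"] == "INVALID" for s in info["slots"]):
        findings.append("invalid key slot marker: header damaged")
    if info["hash"] == "sha1":
        findings.append("hash spec sha1: cryptsetup has defaulted to sha256 since 1.7.0")
    return findings


def luks_dump(info):
    """Render the parsed header in the style of cryptsetup luksDump."""
    lines = ["Version:\t%d" % info["version"], "Cipher name:\t%s" % info["cipher"],
             "Cipher mode:\t%s" % info["mode"], "Hash spec:\t%s" % info["hash"],
             "Payload offset:\t%d" % info["payload_offset"], "MK bits:\t%d" % info["mk_bits"],
             "MK iterations:\t%d" % info["mk_iterations"], "UUID:\t%s" % info["uuid"]]
    for n, s in enumerate(info["slots"]):
        lines.append("Key Slot %d: %s" % (n, s["state"]))
        if s["state"] == "ENABLED":
            lines += ["\tIterations: %d" % s["iterations"], "\tKey material offset: %d" % s["offset"]]
    return "\n".join(lines)


def build_header(cipher="aes", mode="xts-plain64", hashspec="sha256", key_bytes=32,
                 mk_iterations=222000, slot_iterations=(2245613,), stripes=4000, payload_offset=4096):
    """Construct a deterministic LUKS1 header in memory (made-up values, for the example)."""
    # Key material per slot is key_bytes * stripes bytes, rounded up to 8 sectors (4096 bytes);
    # slot 0 starts at sector 8 (layout assumption, see the lead-in).
    per_slot = -(-(key_bytes * stripes) // 512)
    per_slot += (-per_slot) % 8
    head = PHDR.pack(LUKS_MAGIC, 1, cipher.encode(), mode.encode(), hashspec.encode(),
                     payload_offset, key_bytes,
                     hashlib.sha256(b"constructed master key digest").digest()[:20],
                     hashlib.sha256(b"constructed digest salt").digest(), mk_iterations,
                     str(uuid.uuid5(uuid.NAMESPACE_DNS, "luks.example")).encode())
    slots = b""
    for n in range(8):
        enabled = n < len(slot_iterations)
        slots += SLOT.pack(KEY_ENABLED if enabled else KEY_DISABLED,
                           slot_iterations[n] if enabled else 0,
                           hashlib.sha256(b"constructed slot salt %d" % n).digest(),
                           8 + n * per_slot, stripes)
    return head + slots


if __name__ == "__main__":
    header = parse_luks1_header(build_header())
    print(luks_dump(header))
    print("findings:", check_header(header) or "none")
```

On a real device you would feed the parser the first 592 bytes of /dev/xvdc (as root), or of a header backup made with cryptsetup luksHeaderBackup; keep such backups as protected as the passphrase, because anyone holding both can unlock the data even after you remove a key slot from the live header.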

Step #3: Format LUKS partition

First, optionally fill /dev/mapper/backup2 with zeros. The zeros pass through the mapping and land on /dev/xvdc as ciphertext, so the whole disk looks like random data and an observer cannot tell which blocks hold real files (it protects against disclosure of usage patterns). It is slow, so skip it if that property does not matter to you:
# dd if=/dev/zero of=/dev/mapper/backup2
The dd command may take many hours to complete. I suggest that you use the pv command to monitor the progress:
# pv -tpreb /dev/zero | dd of=/dev/mapper/backup2 bs=128M
Sample outputs:

dd: error writing '/dev/mapper/backup2': No space left on device                                                                                                            ]
 200GiB 0:16:47 [ 203MiB/s] [                      <=>                                                                                                                      ]
1600+1 records in
1599+1 records out
214746267648 bytes (215 GB, 200 GiB) copied, 1008.19 s, 213 MB/s

You can also pass the status=progress option to the dd command:
# dd if=/dev/zero of=/dev/mapper/backup2 status=progress
Sample outputs:

2133934592 bytes (2.1 GB, 2.0 GiB) copied, 142 s, 15.0 MB/s

Next, create a filesystem i.e. format filesystem, enter:
# mkfs.ext4 /dev/mapper/backup2
Sample outputs:

mke2fs 1.42.13 (17-May-2015)
Creating filesystem with 52428288 4k blocks and 13107200 inodes
Filesystem UUID: 1c71b0f4-f95d-46d6-93e0-cbd19cb95edb
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
	4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

To mount the new filesystem at /backup2, enter:
# mkdir /backup2
# mount /dev/mapper/backup2 /backup2
# df -H
# cd /backup2
# ls -l

How do I unmount and secure data?

Type the following commands:
# umount /backup2
# cryptsetup luksClose backup2

How do I mount or remount encrypted partition?

Type the following command:
# cryptsetup luksOpen /dev/xvdc backup2
# mount /dev/mapper/backup2 /backup2
# df -H
# mount

Sample outputs:

Fig.01: Encrypted partition mounted on /backup2

See shell script wrapper that opens LUKS partition and sets up a mapping for nas devices.

Can I run fsck on LUKS based partition / LVM volume?

Yes, you can run fsck on the mapped device after unmounting it:
# umount /backup2
# fsck -vy /dev/mapper/backup2
# mount /dev/mapper/backup2 /backup2

See how to run fsck On LUKS (dm-crypt) based LVM physical volume for more details.

How do I change LUKS passphrase (password) for encrypted partition?

Type the following commands. A LUKS1 header has 8 key slots, i.e. up to 8 passphrases can be set up for each device; luksDump shows which slots are in use:
# cryptsetup luksDump /dev/xvdc
# cryptsetup luksAddKey /dev/xvdc

Enter any passphrase: 
Enter new passphrase for key slot: 
Verify passphrase: 

Verify that the new passphrase opens the device before you remove the old one. Then remove the old passphrase; luksRemoveKey removes whichever slot matches the passphrase you type, so you need to enter the old password / passphrase here:
# cryptsetup luksRemoveKey /dev/xvdc
(cryptsetup luksChangeKey replaces a passphrase in one step if you prefer.)

What next?

You can store files or backups on it using the following software:


Conclusion

You now have an encrypted partition for all of your data.

Pros:

  1. LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media (usb pen) or laptop disk drives.
  2. You can also use with your nas server to protect backups.
  3. Intel and AMD cpus with AES-NI (Advanced Encryption Standard Instruction Set) can accelerate dm-crypt based encryption for Linux kernel v2.6.32+. This will speed up harddisk encryption.
  4. Works with swap partition too so that your laptop can use hibernation feature (suspend-to-disk) that writes out the contents of RAM to the swap partition before turning off the machine.

Cons:

  1. A LUKS1 header has only 8 key slots, i.e. at most 8 users can have distinct passphrases for the same device (LUKS2 raises this to 32).
  2. LUKS is also not recommend for applications requiring file-level encryption.

For more information see cryptsetup man page and read RHEL 6.x documentation.

Create a Chat Server Using Matrix Synapse and Riot on CentOS 7

Matrix is an open standard communication protocol for decentralized real time communication. Matrix is implemented as home servers which are distributed over the internet; hence there is no single point of control or failure. Matrix provides a RESTful HTTP API for creating and managing the distributed chat servers that includes sending and receiving messages, inviting and managing chat room members, maintaining user accounts, and providing advanced chat features such as VoIP and Video calls, etc. Matrix also establishes a secure synchronization between home servers which are distributed across the globe.

Synapse is the implementation of Matrix home server written by the Matrix team. The Matrix ecosystem consists of the network of many federated home servers distributed across the globe. A Matrix user uses a chat client to connect to the home server, which in turn connects to the Matrix network. Homeserver stores the chat history and the login information of that particular user.

Prerequisites

  • A Vultr CentOS 7 server instance.
  • A sudo user.

In this tutorial, we will use matrix.example.com as the domain name used for Matrix Synapse. Replace all occurrences of matrix.example.com with your actual domain name you want to use for your Synapse home server.

Update your base system using the guide How to Update CentOS 7. Once your system is updated, proceed to install Python.

Install Development Tools

Matrix Synapse needs Python 2.7 to work. Python 2.7 comes preinstalled in all CentOS server instances. You can check the installed version of Python.

python -V

You should get a similar output.

[user@vultr ~]$ python -V
Python 2.7.5

Changing the default version of Python may break the YUM package manager. However, if you want the most recent version of Python, you can make an alternative install without replacing the default Python.

Install the packages in the Development tools group that are required for compiling the installer files.

sudo yum groupinstall -y "Development tools"

Install a few more required dependencies.

sudo yum -y install libtiff-devel libjpeg-devel libzip-devel freetype-devel lcms2-devel libwebp-devel tcl-devel tk-devel redhat-rpm-config python-virtualenv libffi-devel openssl-devel 

Install Python pip. Pip is the package manager for Python packages.

wget https://bootstrap.pypa.io/get-pip.py
sudo python get-pip.py

Install Synapse

Create a virtual environment for your Synapse application. Python virtual environment is used to create an isolated virtual environment for a Python project. A virtual environment contains its own installation directories and doesn’t share libraries with global and other virtual environments.

sudo virtualenv -p python2.7 /opt/synapse

Provide the ownership of the directory to the current user.

sudo chown -R $USER:$USER /opt/synapse/

Now activate the virtual environment.

source /opt/synapse/bin/activate

Ensure that you have the latest version of pip and setuptools.

pip install --upgrade pip 
pip install --upgrade setuptools

Install the latest version of Synapse using pip.

pip install https://github.com/matrix-org/synapse/tarball/master

The above command will take some time to execute as it pulls and installs the latest version of Synapse and all of its dependencies from the GitHub repository.

Installing and Configuring PostgreSQL

Synapse uses SQLite as the default database. SQLite stores the data in a database which is kept as a flat file on disk. Using SQLite is very simple, but not recommended for production as it is very slow compared to PostgreSQL.

PostgreSQL is an object relational database system. You will need to add the PostgreSQL repository in your system, as the application is not available in the default YUM repository.

sudo rpm -Uvh https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-centos96-9.6-3.noarch.rpm

Install the PostgreSQL database server.

sudo yum -y install postgresql96-server postgresql96-contrib

Initialize the database.

sudo /usr/pgsql-9.6/bin/postgresql96-setup initdb

Edit /var/lib/pgsql/9.6/data/pg_hba.conf to enable MD5-based password authentication.

sudo nano /var/lib/pgsql/9.6/data/pg_hba.conf

Find the following lines and change peer to trust and ident to md5. Note that trust lets any local account that can reach the Unix socket connect as any database user without a password; that is what allows the password-less createuser and psql steps below, so keep it only if that is acceptable on this host.

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            ident
# IPv6 local connections:
host    all             all             ::1/128                 ident

Once updated, the configuration should look like this.

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
# IPv6 local connections:
host    all             all             ::1/128                 md5
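An added audit check, not part of the tutorial: this Python snippet parses pg_hba.conf records like the ones above and lists which of them grant access with no password at all, so you can confirm the trust entry is confined to the local Unix socket. The sample text is the edited configuration from this guide; the function and type names are my own.

```python
"""Audit pg_hba.conf records for password-less access (added example)."""
from typing import List, NamedTuple, Optional


class HbaRule(NamedTuple):
    conn_type: str          # local, host, hostssl, hostnossl
    database: str
    user: str
    address: Optional[str]  # None for local (Unix socket) records
    method: str


def parse_pg_hba(text: str) -> List[HbaRule]:
    """Parse pg_hba.conf text into rules in file order (first match wins).

    Comments and blank lines are skipped. 'local' records carry no ADDRESS
    column; host-type records carry either CIDR ("127.0.0.1/32") or an
    IPv4 "address netmask" pair. Trailing method options are ignored.
    """
    rules: List[HbaRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            if len(f) < 4:
                raise ValueError(f"malformed local record: {raw!r}")
            rules.append(HbaRule("local", f[1], f[2], None, f[3]))
        elif f[0] in ("host", "hostssl", "hostnossl"):
            if len(f) < 5:
                raise ValueError(f"malformed host record: {raw!r}")
            # "address netmask" form: the fifth column starts with a digit,
            # whereas an auth method name never does
            if len(f) >= 6 and f[4][:1].isdigit():
                rules.append(HbaRule(f[0], f[1], f[2], f"{f[3]} {f[4]}", f[5]))
            else:
                rules.append(HbaRule(f[0], f[1], f[2], f[3], f[4]))
        else:
            raise ValueError(f"unsupported record type: {raw!r}")
    return rules


def trust_rules(rules: List[HbaRule]) -> List[HbaRule]:
    """Rules that need no proof of identity at all. 'peer' and 'ident' still
    tie the connection to an OS user; 'trust' ties it to nothing."""
    return [r for r in rules if r.method == "trust"]


# Constructed sample: the pg_hba.conf as edited in this guide
EDITED_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
"""

if __name__ == "__main__":
    for r in trust_rules(parse_pg_hba(EDITED_PG_HBA)):
        print(f"no authentication: {r.conn_type} db={r.database} user={r.user}")
```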

Start the PostgreSQL server and enable it to start automatically at boot.

sudo systemctl start postgresql-9.6
sudo systemctl enable postgresql-9.6

Change the password for the default PostgreSQL user.

sudo passwd postgres

Login.

sudo su - postgres

Create a new PostgreSQL user for Synapse.

createuser synapse

PostgreSQL provides the psql shell to run queries on the database. Switch to the PostgreSQL shell by running the following.

psql

Set a password for the newly created user for Synapse database.

ALTER USER synapse WITH ENCRYPTED password 'DBPassword';

Replace DBPassword with a strong password and make a note of it, as we will use the password later. Create a new database for Synapse.

CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;

Exit from the psql shell.

\q

Switch back to your sudo user from the postgres user.

exit

You will also need to install the packages required for Synapse to communicate with the PostgreSQL database server.

sudo yum -y install postgresql-devel libpqxx-devel.x86_64
source /opt/synapse/bin/activate
pip install psycopg2

Configuring Synapse

Synapse requires a configuration file before it can be started. The configuration file stores the server settings. Switch to the virtual environment and generate the configuration for Synapse.

source /opt/synapse/bin/activate
cd /opt/synapse
python -m synapse.app.homeserver --server-name matrix.example.com --config-path homeserver.yaml --generate-config --report-stats=yes

Replace matrix.example.com with your actual domain name and make sure that the server name resolves to the IP address of your Vultr instance. Provide --report-stats=yes if you want the server to generate usage reports, or --report-stats=no to disable the generation of reports and statistics.

You should see a similar output.

(synapse)[user@vultr synapse]$ python -m synapse.app.homeserver --server-name matrix.example.com --config-path homeserver.yaml --generate-config --report-stats=yes
A config file has been generated in 'homeserver.yaml' for server name 'matrix.example.com' with corresponding SSL keys and self-signed certificates. Please review this file and customise it to your needs.
If this server name is incorrect, you will need to regenerate the SSL certificates

By default, the homeserver.yaml is configured to use a SQLite database. We need to modify it to use the PostgreSQL database we have created earlier.

Edit the newly created homeserver.yaml.

nano homeserver.yaml

Find the existing database configuration which uses SQLite3. Comment out the lines as shown below. Also, add the new database configuration for PostgreSQL. Make sure that you use the correct database credentials.

# Database configuration
#database:
  # The database engine name
  #name: "sqlite3"
  # Arguments to pass to the engine
  #args:
    # Path to the database
    #database: "/opt/synapse/homeserver.db"


database:
    name: psycopg2
    args:
        user: synapse
        password: DBPassword
        database: synapse
        host: localhost
        cp_min: 5
        cp_max: 10

Registration of a new user from a web interface is disabled by default. To enable registration, you can set enable_registration to True. You can also set a registration shared secret, which allows anyone who holds the secret to register even while registration is disabled, so treat it like a password.

enable_registration: False

registration_shared_secret: "YPPqCPYqCQ-Rj,ws~FfeLS@maRV9vz5MnnV^r8~pP.Q6yNBDG;"
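What the shared secret actually protects, as an added example that is neither the tutorial's code nor Synapse's own: it reproduces the HMAC scheme register_new_matrix_user uses (nonce, username, password and admin flag, NUL-separated, keyed with the shared secret) together with a minimal server-side check that consumes nonces before verifying. Assumptions: current Synapse versions serve this exchange at /_synapse/admin/v1/register, the secret used here is a constructed placeholder rather than the value above, and the class and function names are my own.

```python
"""Shared-secret registration MAC, client side and server side (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Set


def registration_mac(shared_secret: str, nonce: str, username: str,
                     password: str, admin: bool) -> str:
    """HMAC-SHA1 binding the request fields to registration_shared_secret.

    Because the admin flag is inside the MAC, a MAC issued for an ordinary
    account cannot be reused to create an admin one. (Synapse appends an
    optional user_type the same way; omitted here.)
    """
    mac = hmac.new(shared_secret.encode("utf8"), digestmod=hashlib.sha1)
    for field in (nonce, username, password):
        mac.update(field.encode("utf8"))
        mac.update(b"\x00")
    mac.update(b"admin" if admin else b"notadmin")
    return mac.hexdigest()


def build_register_body(shared_secret: str, nonce: str, username: str,
                        password: str, admin: bool = False) -> Dict:
    """Body the admin tool POSTs after fetching a fresh nonce with GET."""
    return {
        "nonce": nonce,
        "username": username,
        "password": password,
        "admin": admin,
        "mac": registration_mac(shared_secret, nonce, username, password, admin),
    }


class RegistrationGate:
    """Server side of the exchange: hands out nonces and checks the MAC.

    A nonce is discarded before the MAC is checked, so a failed attempt burns
    it and a captured valid request cannot be replayed. (Synapse additionally
    expires unused nonces after a short time; not modelled here.)
    """

    def __init__(self, shared_secret: str) -> None:
        self._secret = shared_secret
        self._nonces: Set[str] = set()

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(32)
        self._nonces.add(nonce)
        return nonce

    def verify(self, body: Dict) -> bool:
        nonce = str(body.get("nonce", ""))
        if nonce not in self._nonces:
            return False          # unknown, expired or already used
        self._nonces.discard(nonce)
        expected = registration_mac(self._secret, nonce, body["username"],
                                    body["password"], bool(body.get("admin")))
        # Constant-time comparison: never compare MACs with ==
        return hmac.compare_digest(expected, str(body.get("mac", "")))
```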

Save the file and exit from the editor. Now you will need to register your first user. Before you can register a new user, though, you first need to start the application.

source /opt/synapse/bin/activate && cd /opt/synapse
synctl start

You should see the following lines.

2017-09-05 11:10:41,921 - twisted - 131 - INFO - - SynapseSite starting on 8008
2017-09-05 11:10:41,921 - twisted - 131 - INFO - - Starting factory <synapse.http.site.SynapseSite instance at 0x44bbc68>
2017-09-05 11:10:41,921 - synapse.app.homeserver - 201 - INFO - - Synapse now listening on port 8008
2017-09-05 11:10:41,922 - synapse.app.homeserver - 442 - INFO - - Scheduling stats reporting for 3 hour intervals
started synapse.app.homeserver('homeserver.yaml')

Register a new Matrix user.

register_new_matrix_user -c homeserver.yaml https://localhost:8448

You should see the following.

(synapse)[user@vultr synapse]$ register_new_matrix_user -c homeserver.yaml https://localhost:8448
New user localpart [user]: admin
Password:
Confirm password:
Make admin [no]: yes
Sending registration request...
Success.

Finally, before you can use the Homeserver, you will need to allow port 8448 through the Firewall. Port 8448 is used as the secured federation port. Homeservers use this port to communicate with each other securely. You can also use the built-in Matrix web chat client through this port.

sudo firewall-cmd --permanent --zone=public --add-port=8448/tcp
sudo firewall-cmd --reload

You can now log in to the Matrix web chat client by going to https://matrix.example.com:8448 through your favorite browser. You will see a warning about the SSL certificate as the certificates used are self-signed. We will not use this web chat client as it is outdated and not maintained anymore. Just try to check if you can log in using the user account you just created.

Setting up Let’s Encrypt Certificates

Instead of using a self-signed certificate for securing the federation port, we can use a free Let’s Encrypt SSL certificate. Let’s Encrypt certificates can be obtained through the official Let’s Encrypt client, Certbot.

Install Certbot.

sudo yum -y install certbot

Adjust your firewall settings to allow the standard HTTP and HTTPS ports through the firewall. The Let’s Encrypt CA needs to reach your server over HTTP to validate that you control the domain.

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

To obtain certificates from Let’s Encrypt CA, you must ensure that the domain for which you wish to generate the certificates is pointed towards the server. If it is not, then make the necessary changes to the DNS records of your domain and wait for the DNS to propagate before making the certificate request again. Certbot checks the domain authority before providing the certificates.

Now use the built-in web server in Certbot to generate the certificates for your domain.

sudo certbot certonly --standalone -d matrix.example.com

The generated certificates are likely to be stored in /etc/letsencrypt/live/matrix.example.com/. The SSL certificate will be stored as fullchain.pem and the private key will be stored as privkey.pem.

Copy the certificates into the Synapse directory. The copies are made as root, so make sure the account that runs Synapse can read them, in particular the private key.

sudo cp /etc/letsencrypt/live/matrix.example.com/fullchain.pem /opt/synapse/letsencrypt-fullchain.pem

sudo cp /etc/letsencrypt/live/matrix.example.com/privkey.pem /opt/synapse/letsencrypt-privkey.pem

You will need to change the path to the certificates and keys from the homeserver.yaml file. Edit the configuration.

nano /opt/synapse/homeserver.yaml

Find the following lines and modify the path.

tls_certificate_path: "/opt/synapse/letsencrypt-fullchain.pem"

# PEM encoded private key for TLS
tls_private_key_path: "/opt/synapse/letsencrypt-privkey.pem"

Save the file and exit from the editor. Restart the Synapse server so that the changes can take effect.

source /opt/synapse/bin/activate && cd /opt/synapse
synctl restart

Let’s Encrypt certificates expire after 90 days, so it is recommended that you set up automatic renewal of the certificates using cron jobs. Cron is a system service which is used to run periodic tasks.

Create a new script to renew certificates and copy the renewed certificates to the Synapse directory.

sudo nano /opt/renew-letsencypt.sh  

Populate the file.

#!/bin/sh
# Renew with the same standalone authenticator that obtained the certificates.
# Certbot's built-in web server needs port 80, which Nginx (set up later in
# this guide) occupies, so stop Nginx for the challenge and start it afterwards.
/usr/bin/certbot renew --quiet --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
cp /etc/letsencrypt/live/matrix.example.com/fullchain.pem /opt/synapse/letsencrypt-fullchain.pem
cp /etc/letsencrypt/live/matrix.example.com/privkey.pem /opt/synapse/letsencrypt-privkey.pem
# Synapse only reads these files at start-up: restart it (synctl restart, as
# shown above) after a renewal so the new certificate is served on port 8448.

Provide the execution permission.

sudo chmod +x /opt/renew-letsencypt.sh

Open the cron job file.

sudo crontab -e

Add the following line at the end of the file.

30 5 * * 1 /opt/renew-letsencypt.sh

The above cron job will run every Monday at 5:30 AM. If the certificates are due to expire, it will renew them automatically.

Now you can visit https://matrix.example.com:8448. You will see that there is no SSL warning before connection.

Setup Nginx With Let’s Encrypt

Apart from the secured federation port 8448, Synapse also listens to the unsecured client port 8008. We will now configure Nginx as a reverse proxy to the Synapse application.

sudo yum -y install nginx

Create a new configuration file.

sudo nano /etc/nginx/conf.d/synapse.conf

Populate the file with the following content. The ssl_protocols line still permits TLSv1 and TLSv1.1; unless you must support very old clients, restrict it to TLSv1.2.

server {
    listen 80;
    server_name matrix.example.com;
    return 301 https://$host$request_uri;
}
server {

    listen 443 ssl;
    server_name matrix.example.com;

    ssl_certificate           /etc/letsencrypt/live/matrix.example.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/matrix.example.com/privkey.pem;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log    /var/log/nginx/synapse.access.log;

    location /_matrix {
        proxy_pass          http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

Restart and enable Nginx to automatically start at boot time.

sudo systemctl restart nginx
sudo systemctl enable nginx

Finally, you can verify if Synapse can be accessed through the reverse proxy.

curl https://matrix.example.com/_matrix/key/v2/server/auto

You should get similar output.

[user@vultr ~]$ curl https://matrix.example.com/_matrix/key/v2/server/auto
{"old_verify_keys":{},"server_name":"matrix.example.com","signatures":{"matrix.example.com":{"ed25519:a_ffMf":"T/Uq/UN5vyc4w7v0azALjPIJeZx1vQ+HC6ohUGkTSqiFI4WI/ojGpb2763arwSSQLr/tP/2diCi1KLU2DEnOCQ"}},"tls_fingerprints":[{"sha256":"eorhQj/kubI2PEQZyBZvGV7K1x3EcQ7j/AO2MtZMplw"}],"valid_until_ts":1504876080512,"verify_keys":{"ed25519:a_ffMf":{"key":"Gc1hxkpPmQv71Cvjyk+uzR5UtrpmgV/UwlsLtosawEs"}}}

Setting up the Systemd Service

It is recommended to use a Systemd service to manage the Synapse server process. Using Systemd ensures that the server is started automatically at boot and restarted after failures.

Create a new Systemd service file.

sudo nano /etc/systemd/system/matrix-synapse.service

Populate the file. Note that this unit runs synctl as root; add a User= line naming the account that owns /opt/synapse if you want Synapse to run unprivileged.

[Unit]
Description=Matrix Synapse service
After=network.target

[Service]
Type=forking
WorkingDirectory=/opt/synapse/
ExecStart=/opt/synapse/bin/synctl start
ExecStop=/opt/synapse/bin/synctl stop
ExecReload=/opt/synapse/bin/synctl restart
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=synapse

[Install]
WantedBy=multi-user.target

Now you can quickly start the Synapse server.

sudo systemctl start matrix-synapse

To stop or restart the server, use the following commands.

sudo systemctl stop matrix-synapse
sudo systemctl restart matrix-synapse

You can check the status of the service.

sudo systemctl status matrix-synapse

Using Riot

The Matrix Synapse server is now installed and configured. As the built-in web client for Matrix is outdated, you can choose from a variety of client applications. Riot is the most popular chat client and is available on almost all platforms. You can use the hosted version of Riot’s web chat client, or host a copy of it on your own server. Riot also provides desktop and mobile chat clients for Windows, Mac, Linux, iOS and Android.

If you wish to host your own copy of the Riot web client, read on for the instructions to install Riot on your server. For the hosted, desktop and mobile clients, you can use your username and password to log in directly to your home server. Choose My Matrix ID from the dropdown menu of the Sign In option and provide the username and password you created when registering the new user. Click on Custom server and use the domain name of your Synapse instance. As we have already configured Nginx, we can use https://matrix.example.com as the Home server and https://matrix.org as the Identity server URL.

Riot Login Example

Setup Riot on Your Own Server

Riot is also open source and free to host on your own server. It does not require any database or dependencies. As we already have an Nginx server running, we can host it on the same server.

The domain or subdomain you are using for Synapse and Riot must be different to avoid cross-site scripting. However, you can use two subdomains of the same domain. In this tutorial, we will be using riot.example.com as the domain for the Riot application. Replace all occurrences of riot.example.com with your actual domain or subdomain for the Riot application.

Download Riot on your server.

cd /opt/
sudo wget https://github.com/vector-im/riot-web/releases/download/v0.12.3/riot-v0.12.3.tar.gz

You can always find the link to the latest version on Riot’s Github.

Extract the archive.

sudo tar -xzf riot-v*.tar.gz

Rename the directory for convenience.

sudo mv riot-v*/ riot/

Because we have already installed Certbot, we can generate the certificates directly. Make sure that the domain or subdomain you are using is pointed towards the server.

sudo systemctl stop nginx
sudo certbot certonly --standalone -d riot.example.com

The generated certificates are likely to be stored in the /etc/letsencrypt/live/riot.example.com/ directory.

Create a virtual host for the Riot application.

sudo nano /etc/nginx/conf.d/riot.conf

Populate the file.

server {
    listen 80;
    server_name riot.example.com;
    return 301 https://$host$request_uri;
}
server {

    listen 443 ssl;
    server_name riot.example.com;

    ssl_certificate           /etc/letsencrypt/live/riot.example.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/riot.example.com/privkey.pem;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    root /opt/riot;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    access_log    /var/log/nginx/riot.access.log;
}

Copy the sample configuration file.

sudo cp /opt/riot/config.sample.json /opt/riot/config.json

Now edit the configuration file to make a few changes.

sudo nano /opt/riot/config.json

Find the following lines.

"default_hs_url": "https://matrix.org",
"default_is_url": "https://vector.im",

Replace the value of the default home server URL with the URL of your Matrix server. For the identity server URL, you can keep the default, or point it at the Matrix.org identity server, https://matrix.org.

"default_hs_url": "https://matrix.example.com",
"default_is_url": "https://matrix.org",

Save the file and exit. Provide ownership of the files to the Nginx user.

sudo chown -R nginx:nginx /opt/riot/

Restart Nginx.

sudo systemctl restart nginx

You can access Riot on https://riot.example.com. You can now log in using the username and password which you have created earlier. You can connect using the default server as we have already changed the default Matrix server for our application.

You now have a Matrix Synapse home server up and running. You also have a hosted copy of Riot, which you can use to send a message to other people using their Matrix ID, email or mobile number. Start by creating a chat room on your server and invite your friends on Matrix to join the chat room you have created.

Have fun!