HP Server

😉

I really hope that! Ya! virtualmin will work on Centos 8!

Keep it on!

Installing rkhunter 1.4.6 on CentOS 7

I think that rkhunter is a valuable tool no matter the distribution that is used.

In CentOS 7 rkhunter 1.4.6 is found in the EPEL repository, we must make sure that this is available to use first:

$ sudo yum install -y epel-release

The install then is straight forward using yum.

$ sudo yum install rkhunter
$ sudo rkhunter --update
$ sudo rkhunter --propupd

We may also want to manually copy the /etc/passwd and /etc/group file to /var/lib/rkhunter. I gerenerally do not as they are copied in the first scan. The ubuntu install makes copies of these files for you.

If we don’t the first scan will warn that the group file and passwd file could have changed.

$ sudo rkhunter --check --sk
...
Performing group and account checks
    Checking for passwd file                          [ Found ]
    Checking for root equivalent (UID 0) accounts     [ None found ]
    Checking for passwordless accounts                [ None found ]
    Checking for passwd file changes                  [ Warning ]
    Checking for group file changes                   [ Warning ]
    Checking root account shell history files         [ OK ]

Further details can be found in the log file /var/log/rkhunter/rkhunter.log. Note that with rkhunter 1.4.6 on CentOS 7 we have the extra rkhunter log directory.  As this is the first scan though, we know that the reference files did not exist.

They will exist now and on a second running the warning will not show. Of course, adding a new user will trigger the warning again but will also update the reference files, /var/lib/rkhunter/passwd and /var/lib/rkhunter/group. Each check will update the references.

By default the CentOS install does not check root access in SSH. We should enable this by editong /etc/rkhunter.conf. Look for the line:

ALLOW_SSH_ROOT_USER=unset

Change the line to read:

ALLOW_SSH_ROOT_USER=no

The file /etc/ssh/sshd_config can be configured with:

PermitRootLogin=no

Once set, restart the sshd service with:

$ sudo systemctl restart sshd

Running the rkhunter check now will report SSH root login as secured. The execution of rkhunter is enabled with cron by default.

Enjoy!

Lynis is a security auditing tool for UNIX derivatives like Linux, macOS, BSD, Solaris, AIX, and others.

It performs an in-depth security scan. Software packages are available via https://packages.cisofy.com.

Michael Boelen

Michael Boelen is company founder and responsible for defining strategy and development efforts. He is a specialist in the field of Linux and UNIX security. Work experience includes small to Fortune 500 companies (Philips, T-Systems, and ASML).

Contributions to the field include open source security tools like Rootkit Hunter (rkhunter) and Lynis. He is also a regular contributor to our blog Linux Audit, covering Linux security.

Enjoy!

https://cisofy.com/downloads/lynis/

Assuming that you have a running centos 7 server using webmin + virtualmin with a qualified domain name.

Mattermost is an open-source online chat service. Mattermost is developed by Mattermost Inc, and it is written in Golang and Javascript. Mattermost is designed as an internal chat server for organizations and being marketed as an alternate to Slack.

Mattermost has a simple web interface that can be used for administration as well as instant messaging. Besides that, there are various chat clients are available as Desktop and Mobile Apps for Mattermost chat server.

In this article, we are installing Mattermost 5 on CentOS 7 server. We are also installing PostgreSQL 11, as a prerequisite of Mattermost server software.

Install PostgreSQL yum repository as follows:

[root@easy-admin ~]# rpm -ivh https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm

The same PostgreSQL package provides the yum repositories for various versions of PostgreSQL database.

Therefore, we are disabling the PostgreSQL yum repositories other than version 11 as follows.

[root@easy-admin ~]# yum-config-manager –disable pgdg10 pgdg94 pgdg95 pgdg96

Build yum cache for PostgreSQL repository.

[root@easy-admin ~]# yum makecache fast

Install PostgreSQL client and server packages using yum command.

[root@easy-admin ~]# yum install -y postgresql11 postgresql11-server

Initialize PostgreSQL database instance as follows.

[root@easy-admin ~]# /usr/pgsql-11/bin/postgresql-11-setup initdb

Edit pg_hba.conf file to allow md5 based user authentication.

[root@easy-admin ~]# nano /var/lib/pgsql/11/data/pg_hba.conf

Find following directive:

host                   all               all            127.0.0.1/32             ident
and update it as:
host                   all               all            127.0.0.1/32             md5

Enable and start PostgreSQL service.

[root@easy-admin ~]# systemctl enable postgresql-11.service

Start PostgreSQL

[root@easy-admin ~]# systemctl start postgresql-11.service

Connect as postgres user and set password for admin user.

[root@easy-admin ~]# su – postgres

-bash-4.2$ psql

psql (11.4)

Type “help” for help.

postgres=# ALTER USER postgres WITH PASSWORD ‘123’;
ALTER ROLE

Create the Mattermost database.

postgres=# CREATE DATABASE mattermost;

Create the Mattermost user.

postgres=# CREATE USER mmuser WITH PASSWORD ‘123’;
CREATE ROLE

Grant all privileges on mattermost database to mmuser.

postgres=# GRANT ALL PRIVILEGES ON DATABASE mattermost to mmuser;
GRANT

Exit from psql and logout from postgres user.

postgres=# \q
-bash-4.2$ exit
logout

PostgreSQL 11 has been installed on CentOS 7 server.

Installing Mattermost 5 on CentOS 7 server:

Download Mattermost software using wget command.

[root@easy-admin ~]# cd /tmp

[root@easy-admin ~]# wget https://releases.mattermost.com/5.26.1/mattermost-5.26.1-linux-amd64.tar.gz

Extract downloaded TAR file using following command.

[root@easy-admin ~]# tar -C /opt -xvf mattermost-5.26.1-linux-amd64.tar.gz

Create the storage directory for Mattermost files. This storage directory is used to store files and images posted by Mattermost users.

[root@easy-admin ~]# cd

[root@easy-admin ~]# mkdir /opt/mattermost/data

Create OS user and group for Mattermost software.

[root@easy-admin ~]# useradd –system –user-group mattermost

Adjust file permissions and ownership of /opt/mattermost directory.

[root@easy-admin ~]# chown -R mattermost:mattermost /opt/mattermost [root@easy-admin ~]# chmod -R g+w /opt/mattermost

Edit /opt/mattermost/config/config.json file to set PostgreSQL database configurations.

[root@easy-admin ~]# nano /opt/mattermost/config/config.json

Search for “SqlSettings” section and update following directives therein.

“DriverName”: “postgres”, “DataSource”: “postgres://mmuser:123@127.0.0.1:5432/mattermost?sslmode=disable&connect_timeout=10”,

Testing Mattermost configurations by executing mattermost command.

[root@easy-admin ~]# cd /opt/mattermost/

[root@easy-admin ~]# sudo -u mattermost ./bin/mattermost
* Go get yourself a cupof coffee and let it run a bit,

The server should run now!

Exit!

Create a systemd service unit for Mattermost.

[root@easy-admin ~]# cd

[root@easy-admin ~]# nano /usr/lib/systemd/system/mattermost

…and define the service unit directives as follows.

[Unit]
Description=Mattermost
After=syslog.target network.target postgresql-11.service

[Service]
Type=notify
WorkingDirectory=/opt/mattermost
User=mattermost
ExecStart=/opt/mattermost/bin/mattermost PIDFile=/var/spool/mattermost/pid/master.pid
TimeoutStartSec=3600 LimitNOFILE=49152

[Install]
WantedBy=multi-user.target

Save and close Nano.

Enable and start mattermost.service.

[root@easy-admin ~]# systemctl enable mattermost.service

[root@easy-admin ~]# systemctl start mattermost.service

Allow Mattermost service port in Linux firewall (I use CSF).

[root@easy-admin ~]# firewall-cmd –permanent –add-port=8065/tcp

[root@easy-admin ~]# firewall-cmd –reload

Open your browser and go to http://yourdomain:8065

Fill out the information requested!

Et Voilà

😉

This will work on the latest Mattermost 5.26.1 release.

Hope you enjoy!

DIRECTOR: Stefan Malešević
CAST: Marta Bjelica, Dražen Pavlović, Nabi Tang, Vuk Janošević, Radoje Čupić

Jovana works at a bakery in the small town where she lives with her father. Her somewhat shy peer Marko is supposed to follow in his own father’s footsteps and become a truck driver. But the events of one night change both their lives…

Good day, we had some issues over the weekend at LiquidWeb! The problem was a large volume of crawling on some specific websites. Here is a good practice to prevent this from happening.

—————————————————————-
robot.txt (Block only those bots)
—————————————————————-
user-agent: AhrefsBot
user-agent: MJ12bot
user-agent: Semrushbot
disallow: /

—————————————————————-
robot.txt (Block all except google)
—————————————————————-
User-Agent: Googlebot
Allow: /
User-Agent: *
Disallow: /

This input will block access to your website to all bots apart of Google.

In Theory. Many bots don’t respect it so it is good idea to block them through .htaccess file.

—————————————————————-
.htaccess
—————————————————————-
RewriteEngine On
RewriteBase /

RewriteCond %{HTTP_USER_AGENT} .*Twice.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*Yand.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*Yahoo.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*Voil.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*libw.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*Java.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*Sogou.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*psbot.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*Exabot.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*boitho.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*ajSitemap.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*Rankivabot.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*DBLBot.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*MJ1.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*Rankivabot.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*ask.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*AhrefsBot.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*Semrush.*
RewriteRule ^(.*)$ http://example.com/ [L,R=301]

Order Allow,Deny
Allow from all
Deny from 104.16.0.0/12
Deny from 110.0.0.0/8
Deny from 111.0.0.0/8
Deny from 112.0.0.0/5
Deny from 120.0.0.0/6
Deny from 124.0.0.0/8
Deny from 125.0.0.0/8
Deny from 147.0.0.0/8
Deny from 169.208.0.0
Deny from 175.0.0.0/8
Deny from 180.0.0.0/8
Deny from 182.0.0.0/8
Deny from 183.0.0.0/8
Deny from 202.0.0.0/8
Deny from 203.0.0.0/8
Deny from 210.0.0.0/8
Deny from 211.0.0.0/8
Deny from 218.0.0.0/8
Deny from 219.0.0.0/8
Deny from 220.0.0.0/8
Deny from 221.0.0.0/8
Deny from 222.0.0.0/8

# make your own list 😉 PlaySafe!

Note: RewriteCond ^(.*)$ ,…. will forward all crawler’s to http://example.com [L,R=301]

Enjoy!

Good day!

I ran into problem when I decided to test drive the new CentOS 8 on my test lab. The install was good until I tried to install VirtualMIN! No luck it’s not compatible yet and will take a while to be compatible “Webmin” is compatible and working smooth!

I would suggest you stick with CentOS 7.

So far CentOS 8 is quite interesting. 😉

CentOS 8 Updated Features

Desktop Environment
Unlike previous CentOS versions where the default installation did not include a GUI, the CentOS 8 default desktop environment is GNOME 3.28. What’s more, the GNOME Display Manager now uses Wayland as the default display server (as opposed to the X.org server).

The newest GNOME (nicknamed Chongqing) includes a number of useful features including:

Extended Device Support
GNOME is now integrated with Thunderbolt 3 connection support. Whenever Thunderbolt 3 establishes a connection and becomes active, you will get notified. This feature allows you to monitor all connections closely and detect any security breaches or attempts at data breach or theft.

New Boxes Feature. There are a couple of new features included in GNOME’s application for managing remote and virtual machines. The updated version simplifies the process of creating virtual environments with its automatic downloading of operating systems. Also, its drag-and-drop feature lets you easily transfer files between machines.
New On-Screen Keyboard. The GNOME team rewrote the on-screen keyboard for the newest release in an attempt to resolve the pressing UI issues. Now, the feature has a variety of layouts supported for different locales, automatic keyboard activation, and view-shift, so the user has a clear view of the text when writing.

Upgraded UI. The new desktop environment also has several additional features added to improve UI, as well as UX. This includes multi-monitor handling, direct window handling, improved scaling, to list a few.

Networking
As far as networking features, there are two major updates:

CentOS now comes with the TCP Networking Stack version 4.16.
The default packet filtering framework used is nftables.
Most of all, these changes ensure better stability, scaling, and performance.

nftables replaces iptables, iptablesip6table, arptables, and ebtables, serving as a single framework for IPv4 and IPv6 protocols. In addition, the firewalld deamon will also use the same subsystem for filtering network transactions as its default backend.

Cockpit Web Console
The open web-based interface, Cockpit, now comes as part of the new CentOS release. Use this platform to easily manage your servers through a web console interface. Perform system tasks, create and manage virtual machines, configure networks, start containers, and inspect logs all via web browser.

Cockpit is highly integrated. Not only does it have an embedded terminal allowing you to switch from terminal to browser at any time, but it also works on mobile devices.

Therefore, when you install CentOS 8 it will automatically set up the Cockpit web console, along with opening the required firewall ports. However, you do not worry about it burdening the system. The software is quite efficient as it uses memory and CPU only when active.

Software Management
CentOS 8 comes with the YUM package manager version v4.0.4, which now uses DNF (Dandified YUM) technology as its backend. DNF is the next generation of YUM and the new OS version lets you use both for managing packages.

Integrated with DNF technology, the latest release has a much-improved software management system. It’s increased performance, has well-defined APIs, and support for modular content, software AppStreams for cloud, container workloads, and CI/CD.

Virtualization
CentOS version 8 comes with KVM (qemu-kvm 2.12) that supports:

A 5-level paging feature, extending the size of virtual addresses and increasing the addressable virtual memory.
User-Mode Instruction Prevention (UMIP), a security feature restricting access to user-space applications to system-wide settings.
Ceph storage, providing block storage capabilities on all RHEL CPU architectures.
Q35 machine type to which all the virtual machines are pre-set (the machine type includes a native PCIe hotplug, IOMMU, Secure Boot and many other newly integrated features).
Compatibility between NVIDIA vGPU and the VNC console.
A sandboxing feature, introduced by the QEMU emulator, to ensure secure code testing.

Upgraded Security
The CentOS team has improved security features to ensure data protection and prevent breaches. The latest release will now have OpenSSL 1.1.1 which by default includes TLS 1.3. This ensures that all your data, as well as your clients’ data, will be cryptographically protected.

Also, the OS comes with a system-wide cryptographic policy which means you will not have to modify security configurations for individual applications.

Good day! Here are the steps to install PHP v. 7.3 in CentOS 7

Step 1: Add PHP 7.3 Remi repository

PHP 7.3 is available for CentOS 7 and Fedora distributions from the Remi repository. Add it to your system by running

# sudo yum -y install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
# sudo yum -y install epel-release yum-utils

Step 2: Disable repo for PHP 5.4

By default, the enabled repository is for PHP 5.4. Disable this repo and enable on for PHP 7.3

# sudo yum-config-manager –disable remi-php54
# sudo yum-config-manager –enable remi-php73

Step 3: Install PHP 7.3 on CentOS 7

Once the repo has been enabled, install php 7.3 on CentOS 7 or Fedora using the command

# sudo yum -y install php php-cli php-fpm php-mysqlnd php-zip php-devel php-gd php-mcrypt php-mbstring php-curl php-xml php-pear php-bcmath php-json

Check version installed

# php -v

Enjoy!