http://tools.kali.org/tools-listing
Enjoy!
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the
Internet Security Research Group (ISRG)
We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.
The key principles behind Let’s Encrypt are:
We have a page with more detailed information about
how the Let’s Encrypt CA works
Had a good external help from Eugene, I thank you for your great help!
Works with Webmin, Virtualmin,,, checking postfix!
have phun!
Install Let’s Encrypt
Run an ssh shell to your server.
Run the following command:
cd
/usr/local/src/
git clone https:
//github
.com
/letsencrypt/letsencrypt
cd
letsencrypt/
.
/letsencrypt-auto
--help all
Now login to your webmin admin panel at:
https://siteaddress:10000/ using root username.
Webmin configuration>SSL Encryption>Let’s Encrypt
It will show you:
Let's Encrypt is a free, automated, and open certificate authority that can be used to generate an SSL certificate for use by Webmin.
Unfortunately, Let's Encrypt cannot be used on your system : The client command letsencrypt was not found on your system.
Check the module configuration page to ensure you are using the correct path to the letsencrypt or letsencrypt-auto command.
Click on “module configuration”
and type in the path and click Save:
Configuration
For module Webmin Configuration
Full path to Let's Encrypt client command: /usr/local/src/letsencrypt/letsencrypt-auto
To enable SSL certificate for a site, Go to:
Virtualmin>Edit Virtual Server>Enabled features
Enable “SSL website enabled”
To Manage the certificate:
Virtualmin>Server configuration>Manage SSL certificates
Click on Let’s Encrypt and generate a new certificate
NOTES:
To force http:// to https:// include a .htaccess with the following code
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Edit the following /usr/libexec/webmin/virtual-server/feature-ssl.pl lines 2148 and 2152
Save the file and then restart Webmin. I did so from the terminal with the command:
sudo service webmin restart
StarWind Virtual SAN Free targets those who need a SAN or NAS for their home lab, educational or research purposes. It is free for production use, but comes with a basic restricted set of features, compared to the full VSAN. In case a serious project is starting, StarWind Virtual SAN will come in handy. It offers a wider set of features unlocked and more usage scenarios, also being backed by StarWind support. Getting qualified assistance from expert engineers simplifies the building and maintenance of virtualization infrastructure. The complete list of differences between free and paid versions can be found here. In case there is no time for “Do-It-Yourself” tinkering, StarWind offers a turnkey solution – StarWind HyperConverged Appliance. It unifies best-of-breed software and hardware from multiple vendors and covers it with one “support umbrella”.
This only apply after you have installed : TLS/SASL/SSL !
I am using “Virtualmin” so locate your roundcube in here:
/home/[username]/public_html/webmail/config/config.inc.php
Locate this configuration: $config[‘smtp_server’] = ‘localhost’;
Easy fix here!
Remove ‘localhost‘: $config[‘smtp_server’] = ‘ ‘;
Now roundcube will use PHP instead of SMTP
Enjoy!
This entry documents the basic process for setting up CRAM-MD5 authentication for Dovecot.
Firstly, you need to enable the mechanism and specify a passwd database file in Dovecot. The mechanism and passdb file are specified in the dovecot.conf configuration file, on a Red Hat or similar system this is located in the /usr/local/etc/ directory.
# Space separated list of wanted authentication mechanisms: # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi auth_mechanisms = plain login cram-md5 # passwd-like file with specified location passdb { driver = passwd-file # Path for passwd-file. Also set the default password scheme. args = scheme=cram-md5 /etc/cram-md5.pwd }
You see that I’ve added the cram-md5 mechanism to the mechanisms statement and then added a passdb file, /etc/cram-md5.pwd.
Next, you need to create this passdb file and set appropriate permissions.
# touch /etc/cram-md5.pwd # chmod 0600 /etc/cram-md5.pwd
After creating the file you need to add your users and hashed passwords to the passdb file. The users and passwords are added in the format:
username:passwordhash
You can generate password hashes using “doveadm pw”:
# doveadm pw Enter new password: password Retype new password: password {CRAM-MD5}26b633ec8bf9dd526293c5897400bddeef9299fad
Enter the user’s password when prompted and it will be converted and outputted as a hash. The default hashed output is in the CRAM-MD5 scheme. You can change the scheme of the outputted hashes using the -s command line switch.
Now add the generated password to the passdb file, /etc/cram-md5.pwd.
username:26b633ec8bf9dd526293c5897400bddeef9299fad
Finally, restart Dovecot and test authentication by enabling the appropriate mechanism in your email client. For example, to enable CRAM-MD5 authentication in Thunderbird you need to check the “Use secure authentication” checkbox in the Account Settings page.
I recommend that you also use TLS/SSL to encrypt the authentication process as well.
I have been setting up a new mail server recently with Postfix and SMTP Auth, and got the error message “no SASL authentication mechanisms”.
If you have enabled SMTP Auth with Postfix like this:
smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname broken_sasl_auth_clients = yes smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
and are getting messages like this (the extract below is from the mail log file):
Nov 2 15:31:09 vps131 postfix/smtpd[14007]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled Nov 2 15:31:09 vps131 postfix/smtpd[14007]: warning: xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms Nov 2 15:31:09 vps131 postfix/smtpd[14007]: fatal: no SASL authentication mechanisms Nov 2 15:31:10 vps131 postfix/master[12004]: warning: process /usr/libexec/postfix/smtpd pid 14007 exit status 1 Nov 2 15:31:10 vps131 postfix/master[12004]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
then you need to install the cyrus-sasl-plain package like so:
yum install cyrus-sasl-plain
The above method will install the cyrus-sasl-plain packages on CentOS and other RPM/Yum based Linux distributions, so you would need to use the appropriate package manager (and software package) for other Linux distros.
# systemctl status saslauthd
# systemctl start saslauthd
# systemctl enable saslauthd
NOTES :
# SASL CONFIGURATION
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated
#
You may verified your email server security score here:
http://www.emailsecuritygrader.com
Here is a part of my /etc/postfix/main.cf
# Sender restrictions
smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit
#
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket,
permit
# Postfix AntiSpam Configuration
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
#
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated
#
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
#
smtpd_enforce_tls = yes
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
# Experimental
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd
🙂
This is an optional feature you don’t need to do to get everything working but if you want a secure setup you should do this. TLS will allow you to setup an SSL encrypted connection between the server and the mail client. This means that the authentication that is used will be send encrypted over the internet while the normal authentication will be send in clear text over the internet making it possible for others to read.
First you need to buy yourself a certificate at Thawte or Verisign, but as we are building a server on the cheap we are going to create our own certificate. The only problem you will encounter when using your own certificates is that users explicitly have to accept and verify your root certificate in contrast with certificates you buy which are already accepted in most email clients by default. If they for instance try to send their email for the first time via your secure server they need to accept your certificate. When using Mail.app in OS X they will get the following warning:
They need to press continue and from then on your certificate will be accepted and they won’t be asked again.
Just open a Terminal and execute the following command in the directory /etc/postfix
:
sudo openssl req -new -outform PEM -out smtpd.cert \ -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM \ -days 365 -x509
This will create a 2048 bit encryption key that, for now, is secure enough for you mailserver to use. If you are paranoid and want a bigger key just increase the number after rsa:. The key will be valid for a year, if you want a longer period just increase the number after the -days option. When the key is finished you will be asked a couple of questions you need to answer. The information will be shown to people who want to see your certificate when their mail client complains. The most important one is the ‘Common Name’, make sure that that one is the same as the mail server name.
Country Name (2 letter code) [CA]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:your.mailserver.tld Email Address []:you@yourdomain.tld
Now you have created the certificate you will have to configure Postfix to make use of it and to enforce the usage of TLS to securely communicate with the email client. You’ll have to add the following lines to the configuration file main.cf
in /etc/postfix
:
smtpd_enforce_tls = no smtpd_tls_loglevel = 1 smtpd_use_tls = yes smtpd_tls_key_file = /etc/postfix/smtpd.key smtpd_tls_cert_file = /etc/postfix/smtpd.cert
Issue the command sudo postfix reload
to refresh the configuration of your mail server and your ready to test it out. Start a terminal session and issue the following commands:
telnet your.mailserver.tld 25
The server will answer with:
Trying your.mailserver.tld... Connected to your.mailserver.tld. Escape character is ^] 220 your.mailserver.tld ESMTP Postfix
Then type in:
EHLO your.mailserver.tld
And again your server will answer it’s capabilities:
250-your.mailserver.tld 250-PIPELINING 250-SIZE 10240000 250-ETRN 250-STARTTLS 250 8BITMIME
Now it’s time to test TLS and enter in capitals:
STARTTLS
and the server should respond with:
220 Ready to start TLS
Then you know it will work, you could give your favorite email client a try.
Restart postfix : systemctl restart postfix
NOTES:
After this fix, roundcube cannot send email anymore, investigating this!
To verify ClamAV is working properly, let’s download a test virus (which we can get from http://www.eicar.org/download/eicar.com) to the Maildir
# cd /home/[username]/Maildir # wget http://www.eicar.org/download/eicar.com
And then scan the /home/[username]/Maildir directory recursively:
# clamscan --infected --remove --recursive /home/[username]/Maildir
Now, feel free to set up this scan to run through a cronjob. Create a file named /etc/cron.daily/dailyclamscan
, insert the following lines:
#!/bin/bash SCAN_DIR="/home/[username]/Maildir" LOG_FILE="/var/log/clamav/dailyclamscan.log" touch $LOG_FILE /usr/bin/clamscan --infected --remove --recursive $SCAN_DIR >> $LOG_FILE
and grant execute permissions:
# chmod +x /etc/cron.daily/dailyclamscan
The above cronjob will scan the mail server directory recursively and leave a log of its operation in /var/log/clamav/dailyclamscan.log
(make sure the /var/log/clamav directory exists).
NOTES:
# man clamscan
# clamscan -r -i /home
In the process of receiving email, spamassassin will stand between the outside world and the email services running on your server itself. If it finds, according to its definition rules and configuration, that an incoming message is spam, it will rewrite the subject line to clearly identify it as such. Let’s see how.
The main configuration file is /etc/mail/spamassassin/local.cf
, and we should make sure the following options are available (add them if they are not present or uncomment if necessary):
report_safe 0 required_score 8.0 rewrite_header Subject [SPAM]
Once you’ve saved those changes, enable and start the spam filter service, and then update the spam rules:
# systemctl enable spamassassin # systemctl start spamassassin # sa-update
In order to efficiently integrate Postfix and spamassassin, we will need to create a dedicated user and group to run the spam filter daemon:
# useradd spamd -s /bin/false -d /var/log/spamassassin
Next, add the following line at the bottom of /etc/postfix/master.cf
:
spamassassin unix - n n - - pipe flags=R user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
And indicate (at the top) that spamassassin will serve as content_filter:
Finally, restart Postfix to apply changes:
# systemctl restart postfix
To verify that SpamAssassin is working properly and detecting incoming spam, a test known as GTUBE (Generic Test for Unsolicited Bulk Email) is provided.
To perform this test, send an email from a domain outside your network (such as Yahoo!, Hotmail, or Gmail) to an account residing in your email server. Set the Subject line to whatever you want and include the following text in the message body:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
And shows the corresponding notice in the logs:
Additionally, you can test spamassassin right from the command line:
# spamassassin -D < /usr/share/doc/spamassassin-3.4.0/sample-spam.txt
What is chkrootkit and the steps to Install chkrootkit
The chkrootkit is a security scanner to check if the system is infected with the ‘rootkit’. A rootkit is a malicious software which is capable of having administrator-level access to a computer or network. The rootkit allows the hackers to take the control of a system without the user knowing it. This means that the rootkit is capable of executing files and changing system configurations on the target machine and many more which can be done only as the super user of the Linux machine.
Please note that scanning for rootkits will not stop all attacks, it is not an active defense. If your server has been compromised then a scan will not stop the rootkit.
The following steps will help you to install chkrootkit on CentOS.
cd /usr/local/src wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz tar xvf chkrootkit.tar.gz cd chkrootkit-* make sense
Now, you can run the chkrootkit to scan the server. Please note that the present working directory should be “/usr/local/src/chkrootkit-0.50”.
./chkrootkit
Daily scan report script
Create a file named scan.sh
vim /etc/cron.daily/chkrootkit.sh
#!/bin/bash cd /usr/local/src/chkrootkit-*/ ; ./chkrootkit |grep -v not| /bin/mail -s 'CHROOTKIT Scan Result' your@email.com
Make it executable
chmod +x /etc/cron.daily/chkrootkit.sh
The script will email your daily scan report. Also the above steps can also be used to install chkrootkit on cPanel server. Also, please keep this in mind that, using chkrootkit, you can’t remove and found 100% rootkits. You can secure your server from rootkits by ensuring that all applications and softwares are up-to-date and the system kept patched against all known vulnerabilities.
ISPProtect is a Malware and Antivirus scanner for web servers. It contains a signature based scan engine and a heuristic scan engine to detect Malware in websites, CMS- and shop systems like WordPress, Joomla, Drupal, Magentocommerce etc. A third scan level in ISPProtect detects outdated installations of e. g. WordPress, Joomla, Drupal, … and shows their location on the web server. ISPProtect is developed by the ISPConfig developer team. ISPConfig is a widely used OpenSource Webhosting Control Panel.
Do I need ISPProtect on my server? Yes, when you run your own web server, are a hosting company or provide support for web servers.
Try ISPProtect for free
https://ispprotect.com
Try ISPProtect for free on your server now, no registration required. Just download it and start the scan, enter the word „trial“ when the scanner asks for the license key.
cd /tmp wget http://www.ispprotect.com/download/ispp_scan.tar.gz tar xzf ispp_scan.tar.gz ./ispp_scan
systemd: Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.
# systemctl is-enabled microcode.service
enabled
# systemctl disable microcode.service
Removed symlink /etc/systemd/system/basic.target.wants/microcode.service.
# reboot
Check this out ~
http://www.linuxquestions.org/questions/centos-111/centos-yum-update-depency-problem-4175541770/
https://www.centos.org/forums/viewtopic.php?f=19&t=14128&sid=f0771137550b57aab58066711d223c78&start=10
Yum commands :
# yum repolist all [verifie the installed repos]
# rm -rf /var/cache/yum/* [clear yum cache]
# rpm -Va [check all packages]
# yum clean all [clean yum]
# rpm --rebuilddb [rebuild database]
# yum update -d6 [yum update]
# yum check-update -d6 --noplugins
# rpm -qa yum \* [output yum infos]
,,,…maybe,,, the Time Protocol? 😉 and more to this…,,,,,
have a FUN_YUM!
FIXED on a live server, Thanks to a wizard of OZ!!! Don’t ask me how!
Cheers!
P.S Do not do complex commands on a live server ,,, or just have fun, in the learning 😉
# rm -rf /var/cache/yum/*
I’ve been going at this for a little while but came up with the following steps to get it working.
*** 1. First install Let’s Encrypt script/programm. ***
Login to SSH and get root privileges (root/sudo -i):
cd /home/user/ && git clone https://github.com/letsencrypt/letsencrypt
OR
cd /root/ && git clone https://github.com/letsencrypt/letsencrypt
^^ This will download the Let’s Encrypt from github with executable script
*** 2. Create your directory where you will be saving your certificate later on. Reason for this is because Virtualmin has a protection where it only allows a certificate from the user/domains directory: ***
mkdir /home/MYUSERNAMEFORDOMAIN/ssl_certificates
*** 3. Setup your cronjobs by running: “sudo crontab -e” ***
It wil probably ask you which editor, i choose Nano, once in the editor enter the following somewhere on a new line (pick the option you choose on step 1!):
01 3 1 * * cd /home/user/letsencrypt/ && ./letsencrypt-auto certonly --email info@MYDOMAIN --agree-tos --webroot --renew-by-default -w /home/MYDOMAIN/public_html/ -d www.MYDOMAIN.net -d MYDOMAIN.net --authenticator webroot && cp -f /etc/letsencrypt/live/www.MYDOMAIN.net/cert.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/cert.pem && cp -f /etc/letsencrypt/live/www.MYDOMAIN.net/chain.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/chain.pem && cp -f /etc/letsencrypt/live/www.MYDOMAIN.net/fullchain.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/fullchain.pem && cp -f /etc/letsencrypt/live/www.MYDOMAIN.net/privkey.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/privkey.pem
OR
01 3 1 * * cd /root/letsencrypt/ && ./letsencrypt-auto certonly --email info@MYDOMAIN --agree-tos --webroot --renew-by-default -w /home/MYDOMAIN/public_html/ -d www.MYDOMAIN.net -d MYDOMAIN.net --authenticator webroot && cp /etc/letsencrypt/live/www.MYDOMAIN.net/cert.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/cert.pem && cp -f /etc/letsencrypt/live/www.MYDOMAIN.net/chain.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/chain.pem && cp -f /etc/letsencrypt/live/www.MYDOMAIN.net/fullchain.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/fullchain.pem && cp -f /etc/letsencrypt/live/www.MYDOMAIN.net/privkey.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/privkey.pem
^^ Above command will copy the certificates to the correct directory after requesting them (i gave a warning in step 2). It will do this every 1st of the month during the night. The reason we do this every month is because the certs are only valid 90 days and we have plenty of time to repair if something appears to be wrong with the cert later on..
Allright! The hard part is done!
*** 3.1 Please log into your Virtualmin admin panel, Select “Webmin -> System -> Scheduled Cron Jobs”. Go to your newly created Cronjob by clicking on it and select “RUN NOW”.
*** 4. in Virtualmin, select you domain and go to “Edit virtual server”, make sure that SSL is enabled under “Enabled features”.
*** 5. Under “Server configuration” go to “Manage SSL Certificate”. Select the tab “Update Certificate and Key” and under “Signed SSL certificate” select the option “File on server”, fill in the location of the certificate: "/home/MYUSERNAMEFORDOMAIN/ssl_certificates/cert.pem"
*** 6. Do the same for section “Matching private key”. Select: "/home/MYUSERNAMEFORDOMAIN/ssl_certificates/privkey.pem"
*** 7. Click on “Install Now”.
*** 8. Switch to tab “CA Certificate”, select “In file on server ” and fill in: "/home/MYUSERNAMEFORDOMAIN/ssl_certificates/fullchain.pem"
*** 9. Click on “Save Certificate”. ***
DONE! ! ! It will now update every month 🙂
Go to your website with HTTPS, what do you get??? 😀 🙂 😀
IF you run into any issues please let me know in the comments and i’ll try to help out!
NOTE: You can’t request a lot of different certificates. You will get the message: Too many certificates already issued for: xxx. If you want a lot of certificates for subdomains please consider using a paid wildcard certificate. Letsencrypt is a service to help out (starting/small) websites.
The issue isn’t with postgrey or postfix, but with milter-greylist.
What you may want to do is edit /etc/postfix/main.cf, and comment out the lines beginning with “smtpd_milters” and “non_smtpd_milters”. After that, restart Postfix.
not working,,,, hummm 😉
NOTE: http://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendki
warning: connect to Milter service local:/run/milter-greylist/milter-greylist.sock: Connection refused
http://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendki
To enable DKIM signing of outgoing email messages, follow these steps :
root
and go to Email Messages -> DomainKeys Identified Mail2010
. Do NOT enter default
, as this can trigger a bug in the current Virtualmin release which deletes the /etc/default
directory!Assuming all goes well, Virtualmin will report the steps taken to configure and enable DKIM.
Only virtual servers that have both the DNS and email features enabled will have DKIM activated, as the mail server needs to be setup to use a private signing key whose corresponding public key is added to DNS.
By default, Virtualmin will also configure the DKIM milter to verify incoming email that has the proper signatures. DKIM-signed messages where the signature is incorrect or cannot be checked with a DNS lookup will be bounced or delayed. If you want to disable verification, set the Verify DKIM signatures on incoming email? option to No.
To turn off DKIM signing completely, just do the following :
root
and go to Email Messages -> DomainKeys Identified MailThis will remove the public key from all domains, and stop your mail server from signing messages with the DKIM milter.
NOTES:
Common problems:
NOTES:
For rDNS should be easy to sort. Best and easiest solution would be to use the hostname (either way it should be FQDN), so if your hostname is “myserver.domain.tld” then check if you have in your DNS records “myserver.domain.tld. IN A your.server.IP.address”. If you are missing this record be sure to add it before you proceed to set rDNS. Once done go to your host control panel and set rDNS to “myserver.domain.tld”.
Tools like mxtoolbox.com should give you some info if there is a problem, another option is intodns.com but it will check only DNS (there are other solutions just use google). To test email only you can use https://www.unlocktheinbox.com/mail-tester . One thing you must know, every single thing what is not properly set or defined, it will increase spam score of your emails and more problems you have it will be easier for emails to end in spam or be rejected by receiver.
NOTES:
You can enable dmarc if you go virtualmin – domain – server configuration and click dns options. There you scroll down and click enabled on DMARC record enabled? also you can change policy there. You may perhaps wait 24 hours to apply this as its dns which could take time a bit.
NOTES:
I do see your point but I am hosting sites with emails without rDNS - that does not need to be concerned at all
Well based on RFC1912 we have:
2.1 Inconsistent, Missing, or Bad Data
Every Internet-reachable host should have a name. The consequences
of this are becoming more and more obvious. Many services available
on the Internet will not talk to you if you aren’t correctly
registered in the DNS.
Make sure your PTR and A records match. For every IP address, there
should be a matching PTR record in the in-addr.arpa domain. If a
host is multi-homed, (more than one IP address) make sure that all IP
addresses have a corresponding PTR record (not just the first one).
Failure to have matching PTR and A records can cause loss of Internet
services similar to not being registered in the DNS at all. Also,
PTR records must point back to a valid A record, not a alias defined
by a CNAME.
It is highly recommended that you use some software
which automates this checking, or generate your DNS data from a
database which automatically creates consistent data…So please read it you will find a lot of information there about rDNS.
For the rest there is difference between helping and hand holding and i will not do the later. If someone dont want to spend few minutes on google then he or she dont deserve any attention and if you want to do differently please be my guest, i’m sure no one will stop you.
P.S. Stop telling people wrong information, there are rules you must follow so instead of teaching people wrong things lets educate them to properly follow the rules.
Diabolico
https://www.virtualmin.com/node/41321
– I often come to the conclusion that my brain has too many tabs open. –
Failing at desktop publishing & graphic design since 1994.
ANVIL(8) ANVIL(8) NAME anvil - Postfix session count and request rate control SYNOPSIS anvil [generic Postfix daemon options] DESCRIPTION The Postfix anvil(8) server maintains statistics about client connec- tion counts or client request rates. This information can be used to defend against clients that hammer a server with either too many simul- taneous sessions, or with too many successive requests within a config- urable time interval. This server is designed to run under control by the Postfix master(8) server. In the following text, ident specifies a (service, client) combination. The exact syntax of that information is application-dependent; the anvil(8) server does not care. CONNECTION COUNT/RATE CONTROL To register a new connection send the following request to the anvil(8) server: request=connect ident=string The anvil(8) server answers with the number of simultaneous connections and the number of connections per unit time for the (service, client) combination specified with ident: status=0 count=number rate=number To register a disconnect event send the following request to the anvil(8) server: request=disconnect ident=string The anvil(8) server replies with: status=0 MESSAGE RATE CONTROL To register a message delivery request send the following request to the anvil(8) server: request=message ident=string The anvil(8) server answers with the number of message delivery requests per unit time for the (service, client) combination specified with ident: status=0 rate=number RECIPIENT RATE CONTROL To register a recipient request send the following request to the anvil(8) server: request=recipient ident=string The anvil(8) server answers with the number of recipient addresses per unit time for the (service, client) combination specified with ident: status=0 rate=number TLS SESSION NEGOTIATION RATE CONTROL The features described in this section are available with Postfix 2.3 and later. To register a request for a new (i.e. not cached) TLS session send the following request to the anvil(8) server: request=newtls ident=string The anvil(8) server answers with the number of new TLS session requests per unit time for the (service, client) combination specified with ident: status=0 rate=number To retrieve new TLS session request rate information without updating the counter information, send: request=newtls_report ident=string The anvil(8) server answers with the number of new TLS session requests per unit time for the (service, client) combination specified with ident: status=0 rate=number AUTH RATE CONTROL To register an AUTH request send the following request to the anvil(8) server: request=auth ident=string The anvil(8) server answers with the number of auth requests per unit time for the (service, client) combination specified with ident: status=0 rate=number SECURITY The anvil(8) server does not talk to the network or to local users, and can run chrooted at fixed low privilege. The anvil(8) server maintains an in-memory table with information about recent clients requests. No persistent state is kept because standard system library routines are not sufficiently robust for update-inten- sive applications. Although the in-memory state is kept only temporarily, this may require a lot of memory on systems that handle connections from many remote clients. To reduce memory usage, reduce the time unit over which state is kept. DIAGNOSTICS Problems and transactions are logged to syslogd(8). Upon exit, and every anvil_status_update_time seconds, the server logs the maximal count and rate values measured, together with (service, client) information and the time of day associated with those events. In order to avoid unnecessary overhead, no measurements are done for activity that isn't concurrency limited or rate limited. BUGS Systems behind network address translating routers or proxies appear to have the same client address and can run into connection count and/or rate limits falsely. In this preliminary implementation, a count (or rate) limited server process can have only one remote client at a time. If a server process reports multiple simultaneous clients, state is kept only for the last reported client. The anvil(8) server automatically discards client request information after it expires. To prevent the anvil(8) server from discarding client request rate information too early or too late, a rate limited service should always register connect/disconnect events even when it does not explicitly limit them. CONFIGURATION PARAMETERS On low-traffic mail systems, changes to main.cf are picked up automati- cally as anvil(8) processes run for only a limited amount of time. On other mail systems, use the command "postfix reload" to speed up a change. The text below provides only a parameter summary. See postconf(5) for more details including examples. anvil_rate_time_unit (60s) The time unit over which client connection rates and other rates are calculated. anvil_status_update_time (600s) How frequently the anvil(8) connection and rate limiting server logs peak usage information. config_directory (see 'postconf -d' output) The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. ipc_timeout (3600s) The time limit for sending or receiving information over an internal communication channel. max_idle (100s) The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) The maximal number of incoming connections that a Postfix daemon process will service before terminating voluntarily. process_id (read-only) The process ID of a Postfix command or daemon process. process_name (read-only) The process name of a Postfix command or daemon process. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". SEE ALSO smtpd(8), Postfix SMTP server postconf(5), configuration parameters master(5), generic daemon options README FILES TUNING_README, performance tuning LICENSE The Secure Mailer license must be distributed with this software. HISTORY The anvil service is available in Postfix 2.2 and later. AUTHOR(S) Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Heights, NY 10598, USA Wietse Venema Google, Inc. 111 8th Avenue New York, NY 10011, USA
The icons – including submenu indicator arrows – for example in UberMenu are font icons. Some browsers – most commonly Firefox – enforce a Cross-origin resource sharing (CORS) restriction policy for fonts. As a result, if you serve the Font Awesome fonts from a separate domain, Firefox (and depending on your server configuration, other browsers as well), will not load the fonts due to this policy, so the icons are not displayed.
The most common occurrence is using a CDN. For example, if your site is mydomain.com
, but your stylesheets are served from cdn.mydomain.com
, or cdn.someotherdomain.com
, the browser will not load the fonts because they are served from another domain.
There are two options to resolve the issue: either serve your fonts from the same domain as your site, or configure the fonts on your secondary domain to be served with the appropriate headers to allow cross-origin resource sharing.
This generally means that you would exclude the Font Awesome files from your CDN, and link the files on your main server instead. The font file itself is the important resource, but generally this would come down to excluding the Font Awesome stylesheet. If you’re using UberMenu’s copy, it is found at
/wp-content/plugins/ubermenu/assets/css/fontawesome/css/font-awesome.min.css
This solution will work, but you won’t be able to take advantage of your CDN for these files.
This means that you would configure your server to tell the browser that it’s okay to load these resources from a different domain.
What you’ll need to do is set the Access-Control-Allow-Origin
header to *
for the fonts. If your server is running apache, this generally just means dropping an .htaccess
file into the directory containing the font with the following configuration
<FilesMatch “.(eot|ttf|otf|woff)”>
Header set Access-Control-Allow-Origin “*”
</FilesMatch>
You may have to check your Theme directory if you are not using UberMenu’s Font Awesone…
wp-content/themes/theme_name/fonts and simply add the file
.htaccess in the directory!
UberMenu’s Font Awesome assets are located in /wp-content/plugins/ubermenu/assets/css/fontawesome/fonts/
[Experimental] for SSL website
Header add Access-Control-Allow-Origin “https://www.domain.com”
#Header add Access-Control-Allow-Origin “https://domain.com”
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
Good day to all ~
p.s : This only apply if you are already running “WordFence” on your WordPress website,,, and then ,,, …,,, 😉
~ maybe you have to update first WordFence plugin on a old wordpress installation!? Was like 11 updates on this thing!@ will dig this!
We had a serious problem with restoring a crashed website that was using the plugin “Wordfence”. We are using the “XCloner” pluging for many years now to restore all our wordpress websites. After noticing that the customer website was not loading anymore, We started to investigate the problem(s)?>
The reason was caused by Wordfence itself!?
Fatal error: Unknown: Failed opening required
,,… … when opening the website!@
Restoration was not possible anymore using XCloner because of the..,,,
famous Internal 500 error!
Here is what..,,, We did to make this work…,
This is the tricky part!
Open a browser to point to this page
http://www.yourdomain.xxx/XCloner.php
This will start the restoration page of XCloner plugin…
Okay here are the steps
; Wordfence WAF
auto_prepend_file = '/public_html/wordfence-waf.php'
; END Wordfence WAF
# Wordfence WAF
<IfModule mod_php5.c>
php_value auto_prepend_file '/public_html/wordfence-waf.php'
</IfModule>
</Files>
.htaccess you need to remove anything related to Wordfence
Re-upload both files using your FTP Client
Now go back to your XCloner restoration webpage..,,,
“Please click here to continue with database import…”
*** MAKE SURE THAT USERS.INI file is empty before the next step!
Refresh your ftp folder!
Also make sure that there is nothing related to Wordfence in your .htaccess
Click Continue to trigger the database restoration!
After the restoration you will be able to connect to your wordpress dashboard and un-install Wordfence #@!%f%^
You should make now a fresh backup of your wordpress site.
~ Up to you if you wish to re-install WordFence!
Here you go!
The syntax is:
## get list ## yum history ## Okay undo/downgrade it ## yum history undo {NUMBER-HERE} |
Apply only when you had updated via root the PHP-MySQL on,,.
webmin / virtualmin.
For demo purpose, I’m going to install/update zsh:
sudo yum install zsh
Now, list yum history:
sudo yum history
sudo yum history list
sudo yum history info
Sample outputs:
Loaded plugins: fastestmirror ID | Login user | Date and time | Action(s) | Altered ------------------------------------------------------------------------------- 11 | <veryv> | 2015-05-05 11:14 | Update | 1 10 | <veryv> | 2015-05-05 11:08 | Downgrade | 1 9 | <veryv> | 2015-05-05 10:56 | Install | 1 8 | <veryv> | 2015-05-05 10:56 | Install | 1 7 | <veryv> | 2015-05-05 09:59 | Update | 1 6 | System <unset> | 2015-04-23 20:02 | I, O, U | 156 EE 5 | System <unset> | 2015-04-23 20:02 | Install | 1 4 | System <unset> | 2015-04-23 20:02 | Install | 1 EE 3 | System <unset> | 2015-04-23 20:02 | Install | 1 2 | System <unset> | 2015-04-23 20:02 | Install | 1 1 | System <unset> | 2015-04-23 20:00 | Install | 280 history list |
Let us undo (downgrade) ID #11 (i.e. the last action of zsh update):
sudo yum history undo 11
Sample outputs:
Loaded plugins: fastestmirror Undoing transaction 11, from Tue May 5 11:14:21 2015 Updated zsh-5.0.2-7.el7.x86_64 @base Update 5.0.2-7.el7_1.1.x86_64 @updates Loading mirror speeds from cached hostfile * base: mirror.web-ster.com * extras: mirror.raystedman.net * updates: centos-distro.cavecreek.net Resolving Dependencies --> Running transaction check ---> Package zsh.x86_64 0:5.0.2-7.el7 will be a downgrade ---> Package zsh.x86_64 0:5.0.2-7.el7_1.1 will be erased --> Finished Dependency Resolution Dependencies Resolved =========================================================================================== Package Arch Version Repository Size =========================================================================================== Downgrading: zsh x86_64 5.0.2-7.el7 base 2.4 M Transaction Summary =========================================================================================== Downgrade 1 Package Total download size: 2.4 M Is this ok [y/d/N]: y Downloading packages: zsh-5.0.2-7.el7.x86_64.rpm | 2.4 MB 00:00:02 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : zsh-5.0.2-7.el7.x86_64 1/2 Cleanup : zsh-5.0.2-7.el7_1.1.x86_64 2/2 Verifying : zsh-5.0.2-7.el7.x86_64 1/2 Verifying : zsh-5.0.2-7.el7_1.1.x86_64 2/2 Removed: zsh.x86_64 0:5.0.2-7.el7_1.1 Installed: zsh.x86_64 0:5.0.2-7.el7 Complete! |
Verify zsh package history, enter:
sudo yum history list zsh
Sample outputs:
Loaded plugins: fastestmirror ID | Command line | Date and time | Action(s) | Altered ------------------------------------------------------------------------------- 12 | history undo 11 | 2015-05-05 11:19 | Downgrade | 1 11 | install zsh | 2015-05-05 11:14 | Update | 1 10 | downgrade zsh | 2015-05-05 11:08 | Downgrade | 1 8 | install zsh | 2015-05-05 10:56 | Install | 1 history lis
~ HAVE A GOOD TIME FIXING THIS!!!
Server is fixed! but lost some data!
Cheers!
I used Remi repo and PHP7 seems to work perfect. This is what I did (if someone sees something bad, just say because I am not 100% sure if it is perfect, but here it works).
yum install scl-utils
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum install php70
yum install php70-php-mysqlnd
yum install php70-php-curl
yum install php70-php-simplexml
yum install php70-php-devel php70-php-gd php70-php-json php70-php-mcrypt php70-php-mbstring php70-php-opcache php70-php-pear php70-php-pecl-apcu php70-php-pecl-geoip php70-php-pecl-imagick php70-php-pecl-json-post php70-php-pecl-memcache php70-php-pecl-xmldiff php70-php-pecl-zip php70-php-pspell php70-php-soap php70-php-tidy php70-php-xml php70-php-xmlrpc
With this you have PHP7 and all important extensions running next to the other PHP versions!
If anyone sees room for improvement, then I am very interested. Would be good information on this topic.
And I know it would be better to not use third party repos, but I could not find PHP7 for CentOS 7.2 then. Is it correct you only can get this with a third party (Remi) repo?
Also I hope it wasn’t a bad choice to choose this repo.
Had a hard time installing the php 5.6.x version on VirtualMIN
module php5.x-mysql missing… when loading your WordPress?? 😉
# yum install scl-utils
# yum -y update
# yum -y install php56-php-mysql
Installation done!
Now test your wordpress, set VirtualMIN domain to use PHP version 5.6.x!
NOTE: Must “Re-Check Configuration” after adding a new php version into VirtualMIN
> VirtualMIN > System Settings > Re-Check Configuration
The following PHP versions are available : 5.4.16 (/bin/php-cgi), 5.5.38 (/bin/php55-cgi), 5.6.30 (/bin/php56-cgi), 7.0.15 (/bin/php70-cgi)
Et voilà!