CentOS: Release 5 is now „end of life“

On March 31st, 2017 the official end of life of CentOS Release 5 is reached. This also affects SME Server Version 8.1.

  • If you still use this version, you must now upgrade the webserver to the next version.
  • Check which current version offers the latest options like PHP7, MYSQL 6 .. more
  • Check that your current PHP content kits support the new OS options (PHP7)
  • As a remark: first do a FULL BACKUP of your DATA!! see here
  • Save the /etc folder manually to the backup, dump the crontabs and the firewall settings (ufw)!
  • Set up a fresh OS if you are not a professional admin, to prevent old config files from cluttering the OS!
  • Restore all backups, set the crontabs, set the firewall settings
  • Check the new OS with default Linux hardening tools like „nmap“, „arp-scan“ or „systat“ .. more
  • Check the logs daily: OS, auth daemons, webserver logs, database logs.. all services you installed!
  • If you run into problems („white pages“), check the PHP5 to PHP7 release change notes
  • Back up the fresh OS again..

..enjoy the new Webserver Setup..
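The backup steps of the checklist (save /etc, dump the crontabs and the ufw rules) as one script, added here as an example and not part of the original post; it takes source and destination directories as parameters so it can be rehearsed on a copy, and all paths and names in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pack what the checklist says to
# save before the reinstall, the /etc folder, every user's crontab and the ufw
# status, into one tarball with a SHA-256 manifest, so the restore on the fresh
# OS can be verified. Source and destination are parameters, so the run can be
# rehearsed on a copy; all paths and names here are assumptions.
set -eu

# $1 = directory to archive (normally /etc), $2 = backup destination directory.
# Prints the path of the created tarball.
backup_config() {
    src="$1"; dest="$2"; stamp=$(date +%Y%m%d-%H%M%S)
    work="$dest/prebackup-$stamp"
    mkdir -p "$work"
    # crontabs: one file per user who has one (needs root; skipped without cron)
    if command -v crontab >/dev/null 2>&1; then
        for u in $(cut -d: -f1 /etc/passwd 2>/dev/null || true); do
            crontab -l -u "$u" > "$work/crontab.$u" 2>/dev/null || rm -f "$work/crontab.$u"
        done
    fi
    # firewall: record the active ufw rule set (ignored when ufw is absent)
    command -v ufw >/dev/null 2>&1 && ufw status verbose > "$work/ufw-status.txt" 2>/dev/null || true
    tar -C "$(dirname "$src")" -cf "$work/$(basename "$src").tar" "$(basename "$src")"
    # manifest first, then the outer archive; it contains shadow, keys and crontabs
    ( cd "$work" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + > SHA256SUMS )
    tar -C "$dest" -czf "$work.tar.gz" "$(basename "$work")"
    rm -rf "$work"
    chmod 600 "$work.tar.gz"
    echo "$work.tar.gz"
}

# Run on the new host after copying the tarball over: extract and check every hash.
verify_backup() {
    tmp=$(mktemp -d); rc=0
    tar -C "$tmp" -xzf "$1"
    ( cd "$tmp"/prebackup-* && sha256sum -c --quiet SHA256SUMS ) || rc=1
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = "run" ]; then
    tb=$(backup_config /etc /root/pre-upgrade)
    verify_backup "$tb" && echo "backup written and verified: $tb"
fi
```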

Security: Webserver HTTPS with a self-signed certificate, do it yourself in 5 minutes!!

Today the topic of security and encrypted webserver communication is rolling over every user who hosts their own websites on the Internet. In the last decades HTTPS was only used by online login pages like shops and banks to protect the communication between a user's PC and the website. But since January 2015 most search engines like Google have decided to favour indexing websites served over the HTTPS protocol. The background is that a TLS encrypted connection isn't easy to track and makes it hard to push „drive-by-load viruses“ onto the website's visitors.

Self Signed Certificate Sample

But a lot of webmasters of the open source community were angry about this handling. That is not a real problem if you don't want to buy an SSL/TLS certificate. Every webmaster can create a self-signed certificate on his webserver if he is able to log in via ssh and to configure the webserver, e.g. Apache. Web browsers warn about self-signed certificates only on the very first visit; if the user chooses to install the certificate, the browser doesn't warn on the next visits!

Search engines like Google don't check the trust of the certificates with their robots, so your site will be placed on the index as well as in the last decades. The ONLY thing is that you MUST move all files, images, internal links and bookmarks to „https://“ so that the „LOCK“ of the browser dialog is „CLOSED“ and „GREEN“ like on the picture.

Of course, if you want, you can buy and install „domain name trusted“ certificates, but if you only host private websites/blogs you won't really want to pay over 100$ per year for the certificates.

Advantages:

  • Secure Login to your Site/Blog
  • Encrypted Transfer of Data
  • Security for your Visitors
  • No Drive-BY-Loads
  • Less Content Stealing

You will notice in the next years that the Internet moves to HTTPS!

To create a certificate use „OPENSSL“ with this command, answer the questions of the script, then put the certificate files .crt and .key under /etc/ssl/.. and tell Apache to pull them from there!

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt
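The same openssl call run non-interactively with a subjectAltName (which current browsers require before they accept even an imported self-signed certificate), followed by a check that key and certificate belong together and the Apache directives that use them; this is an added example, not part of the original post, and the host name and paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the openssl call from above, but
# non-interactive and with a subjectAltName, then a key/certificate pair check
# before Apache gets the files. Host name and paths are assumptions;
# -addext needs OpenSSL 1.1.1 or newer.
set -eu

make_selfsigned() {
    # $1 = host name, $2 = output directory
    host="$1"; dir="$2"
    mkdir -p "$dir"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,DNS:www.$host" 2>/dev/null
    chmod 600 "$dir/$host.key"   # the private key must not be world readable
}

# Compare the public key inside the certificate with the one derived from the
# private key; on a mismatch Apache refuses to start with that pair.
keys_match() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# Apache directives for "tell Apache to pull them there", plus a redirect so
# the lock stays closed on every page, as the post demands.
apache_snippet() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/$1.crt
    SSLCertificateKeyFile /etc/ssl/private/$1.key
</VirtualHost>
<VirtualHost *:80>
    ServerName $1
    Redirect permanent / https://$1/
</VirtualHost>
EOF
}

if [ "${1:-}" = "run" ]; then
    make_selfsigned mysitename.example /tmp/ssl-demo
    keys_match /tmp/ssl-demo/mysitename.example.crt /tmp/ssl-demo/mysitename.example.key \
        && echo "key and certificate match"
    apache_snippet mysitename.example
fi
```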

Owncloud: How to harden owncloud access with an ssh tunnel and squid

If you want to use a private secure owncloud (WebDAV space server) as backup for all your devices, you can harden the access through an openssh login with key auth and squid as relay.

  • Install apache2, php5, mysql-server, openssh, squid3
  • configure Apache2 to listen on https://localhost:443
  • set up squid3 and configure the proxy to listen only on localhost:3128
  • install owncloud to /var/WWW with forced „https“ settings in config.php
  • create ssh keys to authenticate with a password protected key to the SSH server

Once done, you can access the private backup server via a terminal / PuTTY with the tunneling options:

  1. $ ssh -L 3128:localhost:3128 username@owncloudserver.home
  2. Open your browser on your client PC with proxy usage enabled = localhost 3128
  3. Connect to the WebDAV by the URL https://localhost/ and the owncloud login should be displayed! The same is possible with the WebDAV URL!

Advantage? You have a two-factor protected owncloud access, with encryption inside an encrypted SSH tunnel! Nobody should see the files which are transmitted! That's a tube inside a tube ..
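The "tube inside a tube" only holds if squid and Apache are bound to loopback, so nothing reaches them except through the SSH tunnel; the checks below read a squid.conf / Apache config and refuse a bind on all interfaces. This is an added example, not part of the original post; the sample configs are constructed and the key path in tunnel_cmd is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): verify that squid and Apache
# listen on loopback only, so the relay is reachable solely through the SSH
# tunnel and never acts as an open proxy. Sample configs below are
# constructed; the key path in tunnel_cmd is an assumption.
set -eu

# 0 when every http_port line binds 127.0.0.1, localhost or [::1]; a bare port
# ("http_port 3128") or a missing http_port (squid default 0.0.0.0:3128) fails.
squid_loopback_only() {
    lines=$(grep -E '^[[:space:]]*http_port[[:space:]]' "$1" || true)
    [ -n "$lines" ] || return 1
    bad=$(printf '%s\n' "$lines" \
          | grep -Ev 'http_port[[:space:]]+(127\.0\.0\.1|localhost|\[::1\]):[0-9]+' || true)
    [ -z "$bad" ]
}

# Same rule for Apache's Listen directive (the post wants https://localhost:443).
apache_loopback_only() {
    lines=$(grep -E '^[[:space:]]*Listen[[:space:]]' "$1" || true)
    [ -n "$lines" ] || return 1
    bad=$(printf '%s\n' "$lines" \
          | grep -Ev 'Listen[[:space:]]+(127\.0\.0\.1|localhost|\[::1\]):[0-9]+' || true)
    [ -z "$bad" ]
}

# Client side: forward local port 3128 to the server's loopback-only squid.
# -N opens no shell, -i selects the password protected key from the post.
tunnel_cmd() {
    printf 'ssh -i ~/.ssh/owncloud_key -N -L 3128:127.0.0.1:3128 %s@%s\n' "$1" "$2"
}

demo() {
    tmp=$(mktemp -d)
    printf 'http_port 127.0.0.1:3128\nhttp_access allow localhost\n' > "$tmp/good.conf"
    printf 'http_port 3128\n' > "$tmp/open.conf"
    squid_loopback_only "$tmp/good.conf" && echo "good.conf: loopback only"
    squid_loopback_only "$tmp/open.conf" || echo "open.conf: reachable from the LAN!"
    tunnel_cmd username owncloudserver.home
    rm -rf "$tmp"
}

if [ "${1:-}" = "run" ]; then demo; fi
```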

 

Ubuntu 13.04 Bug: gvfs smb Nautilus freezes / hangs on copying files from a Samba share

gvfs-smb Bug #1075923 (seen on Debian, Ubuntu, CentOS.. more..)

Workaround:

downgrade gvfs-* to version 1.12 from 12.10 with:

  • add to /etc/apt/sources.list:

deb http://de.archive.ubuntu.com/ubuntu precise main
deb-src http://de.archive.ubuntu.com/ubuntu precise main

  • run: sudo apt-get update
  • install synaptic: sudo apt-get install synaptic
  • run synaptic: sudo synaptic
  • remove all gvfs-* and nautilus packages with synaptic (REALLY CHECK ALL! see „dpkg -l | grep gvfs“)
  • search gvfs-*, select, press CTRL+E (Force Version menu)
  • select: gvfs-* version 1.12
  • install by pressing the install button
  • search and install nautilus again..

Voila… test Nautilus copying 1TB of files without freeze

Linux Tip: Split the console screen on widescreen laptops / PCs with „screen“ and „terminator“

Current laptops / PCs use 16:9 widescreen displays, and if you don't want to use Xorg (Gnome, Unity, Openbox desktops) you can use on the Linux console the program called „screen“. It offers:

– split consoles horizontally and vertically
– detach the screen and leave the scripts/commands running on remote systems
– reattach if the remote session was broken because of network problems

On Gnome or Unity you can use „terminator“.

(screenshot: screen-tiled)

see:

– manpage of screen
– http://unix.stackexchange.com/questions/7453/how-to-split-the-terminal-into-more-than-one-view

Linux Info: UEFI + GPT + Secure Boot = dongled OS = printing dollars

UEFI+GPT+dongled OS = printing endless dollars for PC manufacturers and M$.

 

UEFI was offered for „security reasons“, but in my opinion normal users are meant to be prevented by this „UEFI LOCK“ from using dual boot or removing Windows on hardware they own; in case of mainboard failures the users are forced to buy new mainboards with an OS key. Legacy mode in the BIOS will disappear in the next generation of PCs, then every OS is „dongled“ to the hardware like MacOS to Apple's products…

 

Linux / FreeBSD: Protect your disk data against power loss

Problem: If you use IDE or SATA disk drives inside your workstation or server without an additional uninterruptible power supply, after a power loss your disk drives can lose data, no longer boot cleanly, or damage the drive heads and sectors.

Background: SATA or IDE drives use „disk cache controllers“; the size of this disk cache ranges from 8 to 64 megabytes. When data is written to disk, the disk controllers cache some data which is often used. A RAID 1 disk mirror is affected by this problem too. SCSI or SAS drives do not use the cache by default.

Solution:

Install the software tool called hdparm and set the cache parameter to disabled, because most operating systems have it enabled by default.

  1. at Debian/Ubuntu do: # sudo aptitude install hdparm
  2. at CentOS/Redhat do: # sudo yum install hdparm

Now let's show the disks which are installed:

  1. at Debian/Ubuntu do: # sudo fdisk -l
  2. at CentOS/Redhat do: # sudo /sbin/sfdisk -l
  3. at FreeBSD do: # fdisk -l

Now let's make the settings to disable the cache on every boot:

  1. at all Linux do: sudo nano /etc/rc.local
  2. insert for every drive
    hdparm -W 0 /dev/sdX
    (X is for a to …)
  3. at FreeBSD do: # vi /etc/loader.conf
  4. insert once for all drives
    hw.ata.wc="0"
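For the Linux rc.local step, an added example (not part of the original post) that enumerates the disks at boot, disables the write cache on each and checks that the drive really accepted the setting instead of trusting one hdparm line per /dev/sdX; it assumes hdparm is installed, and the wc_is_off parser works on the text hdparm prints.

```shell
#!/bin/sh
# Added example (not from the original post): instead of one hdparm line per
# /dev/sdX in rc.local, enumerate the disks at boot, disable the write cache
# on each and verify that the drive really accepted the setting, since some
# controllers and USB bridges silently ignore it. Assumes hdparm is installed.

# Parse the output of "hdparm -W /dev/sdX" and return 0 when write caching
# is reported as disabled. The output looks like:
#   /dev/sda:
#    write-caching =  0 (off)
wc_is_off() {
    printf '%s\n' "$1" | grep -Eq 'write-caching[[:space:]]*=[[:space:]]*0'
}

# Disable the write cache on one device and confirm the new state.
disable_wc() {
    dev="$1"
    if ! hdparm -W 0 "$dev" >/dev/null 2>&1; then
        echo "$dev: hdparm -W 0 failed" >&2
        return 1
    fi
    state=$(hdparm -W "$dev" 2>/dev/null)
    if wc_is_off "$state"; then
        echo "$dev: write cache disabled"
    else
        echo "$dev: write cache still enabled!" >&2
        return 1
    fi
}

# Whole disks only (no partitions): /dev/sda, /dev/hdb, ... as in the post.
# Returns non-zero if any drive kept its cache, so rc.local can log it.
disable_wc_all() {
    rc=0
    for dev in /dev/sd[a-z] /dev/hd[a-z]; do
        [ -b "$dev" ] || continue      # unmatched glob or not a block device
        disable_wc "$dev" || rc=1
    done
    return $rc
}

if [ "${1:-}" = "run" ]; then
    disable_wc_all
fi
```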

Remarks:

  1. If you have two drives with the same physical size inside your PC, additionally configure an mdadm software RAID 1 on your system.
  2. Set the PC BIOS settings to auto boot after power failure and pull the power plug on your testing system, then check the results. A check disk (fsck) should not be needed after the test, but it's better to do it.
  3. Hardware RAID controllers often have a RAM cache too, 128MB up to 2GB in size; at power loss this data is lost, which can only be prevented by an additional RAM cache backup battery connected to the hardware RAID controller.