Friday, February 12, 2021
Open a terminal application, or log in to your server over SSH using the ssh command. Open the php.ini file in a text editor such as vim or nano:
$ sudo nano /etc/php.ini
Find disable_functions and set the new list as follows:
; list of functions to disable globally
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
I also recommend disabling allow_url_include and allow_url_fopen for security reasons:
allow_url_fopen=Off
allow_url_include=Off
open_basedir = /var/www:/var/..
Save and close the file. Restart Apache:
# service apache2 restart
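To check that a php.ini actually carries the settings from this procedure, the following added example (not from the original post) parses the file and reports which of the listed functions are still enabled and whether the two URL directives are off. The function names ini_value, missing_disabled and is_off and the sample file are constructed for the illustration.

```sh
# Functions the post disables; adjust the list to your own policy.
WANTED="exec passthru shell_exec system proc_open popen curl_exec
curl_multi_exec parse_ini_file show_source"

# Print the effective (last uncommented) value of a php.ini directive.
ini_value() (   # usage: ini_value FILE KEY
    awk -v key="$2" '
        /^[ \t]*;/ { next }                      # skip comment lines
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            val = substr($0, index($0, "=") + 1)
            sub(/[ \t]*;.*$/, "", val)           # drop a trailing comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)   # trim blanks and quotes
        }
        END { print val }' "$1"
)

# Print the wanted functions missing from disable_functions. Names are
# compared whole, so "exec" is not satisfied by "shell_exec".
missing_disabled() (   # usage: missing_disabled FILE
    out=""; current=",$(ini_value "$1" disable_functions | tr -d ' \t'),"
    for fn in $WANTED; do
        case "$current" in *",$fn,"*) ;; *) out="$out $fn" ;; esac
    done
    printf '%s' "${out# }"
)

# Succeed only when a boolean directive is explicitly switched off.
is_off() (   # usage: is_off FILE KEY
    case "$(ini_value "$1" "$2" | tr 'A-Z' 'a-z')" in
        off|0|false|no|none) exit 0 ;; *) exit 1 ;;
    esac
)

# Constructed sample php.ini with two gaps, for demonstration only.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
disable_functions = exec,passthru,shell_exec,system,popen
allow_url_fopen = On
allow_url_include = Off
EOF
echo "not disabled: $(missing_disabled "$SAMPLE")"
for key in allow_url_fopen allow_url_include; do
    is_off "$SAMPLE" "$key" && echo "$key: off" || echo "$key: NOT off"
done
```

On a real host, pass the file reported by `php --ini`; the CLI and the web server module often load different php.ini files.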
Log in to the server as root
$ letsencrypt renew
Change directory to the Zimbra Let's Encrypt SSL folder
# cd /opt/zimbra/ssl/letsencrypt/
Copy new SSL files to Zimbra Letsencrypt folder then change owner to Zimbra.
# cp /etc/letsencrypt/live/yourdomain.com/* .
# chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
1. Install the Let’s Encrypt Certbot
# Install Certbot on the linux box
yum install -y certbot
# Generate our first SSL cert. Subsequent certificates will be renewed by our script below
certbot certonly --standalone -d mail.protectigate.com -m [email protected] --agree-tos -n
# Prepare the Zimbra directory for the new certificate
mkdir /opt/zimbra/ssl/letsencrypt
2. Install the Certificate and create the Script for auto-renewal
a. Create script as /root/ssl.sh
#!/bin/bash
# Change working directory to /tmp
cd /tmp
#Renew cert if needed
certbot certonly --standalone -d mail.protectigate.com -m [email protected] --agree-tos -n
# Stop the nginx Zimbra service
sudo -u zimbra /opt/zimbra/bin/zmproxyctl stop
sudo -u zimbra /opt/zimbra/bin/zmmailboxdctl stop
# Rename the existing Zimbra letsencrypt folder and create a new one
if [[ -e /opt/zimbra/ssl/letsencrypt ]]; then
    mv /opt/zimbra/ssl/letsencrypt /opt/zimbra/ssl/letsencrypt$(date +'%Y%m%d')
    mkdir /opt/zimbra/ssl/letsencrypt
    chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt
fi
# Copy Let's Encrypt SSL cert into Zimbra SSL dir
/bin/cp -rf /etc/letsencrypt/live/mail.protectigate.com/* /opt/zimbra/ssl/letsencrypt/
# Download the Let's Encrypt root cert (this file is IdenTrust's DST Root CA X3, which expired on 30 September 2021)
wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt -O /opt/zimbra/ssl/letsencrypt/root.pem
#Merge the root cert into the chain file
cat /opt/zimbra/ssl/letsencrypt/root.pem >> /opt/zimbra/ssl/letsencrypt/chain.pem
Friday, December 4, 2020
What is .htaccess?
.htaccess is a configuration file used by the Apache web server software. When a .htaccess file is placed in a web directory, Apache loads it and follows the directives it contains. .htaccess files provide a way to change the web server's configuration.
Custom Directory Index Files
DirectoryIndex index.php index.html index.htm
Prevent Directory Listing
Options -Indexes
Force www or non-www
You can choose whether your website is served with or without the www prefix by using .htaccess. This determines which form of the address is displayed in the user's browser.
Whether to use www.example.com or example.com is your choice. You can specify it using .htaccess:
# Force www (use either this pair of rules or the next one, not both)
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]
# Force non-www
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]
Custom Error Page
You can set up custom error pages for your website. If you do not, your website displays the default error pages provided by your hosting service provider. You can set custom error pages using a .htaccess file:
ErrorDocument 400 /error/400-badrequest.php
ErrorDocument 401 /error/401-authorizationrequired.php
ErrorDocument 404 /error/404-notfound.php
ErrorDocument 403 /error/403-forbidden.php
ErrorDocument 500 /error/500-servererror.php
.htaccess Code to Block SQL Injection Attacks in QUERY_STRING
##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- START
# QUERY_STRING contains everything in the URL after the "?", e.g. mydomain.com/test.php?test=test
# Excluded commands like version, update, insert, and set because they are common words and have caused false positives
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{QUERY_STRING} union [NC,OR]
RewriteCond %{QUERY_STRING} select [NC,OR]
RewriteCond %{QUERY_STRING} cast [NC,OR]
RewriteCond %{QUERY_STRING} declare [NC,OR]
RewriteCond %{QUERY_STRING} drop [NC,OR]
RewriteCond %{QUERY_STRING} md5 [NC,OR]
RewriteCond %{QUERY_STRING} benchmark [NC,OR]
RewriteCond %{QUERY_STRING} table [NC,OR]
RewriteCond %{QUERY_STRING} column [NC,OR]
RewriteCond %{QUERY_STRING} distinct [NC,OR]
RewriteCond %{QUERY_STRING} substr [NC,OR]
RewriteCond %{QUERY_STRING} concat [NC,OR]
RewriteCond %{QUERY_STRING} schema [NC,OR]
RewriteCond %{QUERY_STRING} hex [NC,OR]
RewriteCond %{QUERY_STRING} truncate [NC,OR]
RewriteCond %{QUERY_STRING} convert [NC,OR]
RewriteCond %{QUERY_STRING} exec [NC,OR]
RewriteCond %{QUERY_STRING} passthru [NC,OR]
RewriteCond %{QUERY_STRING} system [NC,OR]
RewriteCond %{QUERY_STRING} popen [NC,OR]
RewriteCond %{QUERY_STRING} proc [NC,OR]
RewriteCond %{QUERY_STRING} load [NC,OR]
RewriteCond %{QUERY_STRING} between [NC,OR]
RewriteCond %{QUERY_STRING} null [NC,OR]
RewriteCond %{QUERY_STRING} delay [NC,OR]
RewriteCond %{QUERY_STRING} char [NC,OR]
RewriteCond %{QUERY_STRING} sleep [NC,OR]
RewriteCond %{QUERY_STRING} schema [NC,OR]
RewriteCond %{QUERY_STRING} unhex [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- END
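Each RewriteCond above is an unanchored, case-insensitive pattern, so a keyword matches anywhere inside the query string. The following added example (not part of the original post) replays the rule set's keywords against constructed query strings to show which ordinary requests would be sent to the honeypot and how whole-word matching changes the result; the sample strings and the "word" mode are assumptions made for the illustration.

```sh
#!/bin/sh
# Keywords from the RewriteCond lines above (duplicates removed).
KEYWORDS="union select cast declare drop md5 benchmark table column distinct
substr concat schema hex truncate convert exec passthru system popen proc load
between null delay char sleep unhex"

# Print the keywords that match a query string, space separated.
# Mode "substring" mirrors the rules as written; mode "word" (hypothetical
# variant) requires a non-word character or the string edge on both sides.
matched_keywords() (   # usage: matched_keywords QUERY_STRING [substring|word]
    qs=$1; mode=${2:-substring}; hits=""
    for kw in $KEYWORDS; do
        if [ "$mode" = word ]; then
            pattern="(^|[^[:alnum:]_])${kw}([^[:alnum:]_]|\$)"
        else
            pattern=$kw
        fi
        if printf '%s\n' "$qs" | grep -qiE -- "$pattern"; then
            hits="$hits $kw"
        fi
    done
    printf '%s' "${hits# }"
)

# Constructed sample query strings: five ordinary requests and one probe.
SAMPLES="page=download
q=tablet+charger
topic=european+union
filter=selected&view=columns
ref=newsletter
id=1+union+select+null"

report() {
    for qs in $SAMPLES; do
        printf '%-30s substring=[%s] word=[%s]\n' "$qs" \
            "$(matched_keywords "$qs")" "$(matched_keywords "$qs" word)"
    done
}
report
```

Four of the five ordinary requests trip the rules as written, and "topic=european+union" still matches in word mode, so keyword filtering of this kind needs its honeypot hits reviewed rather than treated as confirmed attacks.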
Step 1: Enable mod_rewrite
sudo a2enmod rewrite
You must restart Apache after you make any change to its configuration. To do this, type the command below in a terminal window:
sudo systemctl restart apache2
Your server is now ready to accept rewrite rules.
Step 2: Setup your server to accept .htaccess files
By default, Apache does not allow the use of ‘.htaccess’ files, so you will need to edit each website’s virtual host file and add the following code:
<Directory /var/www/html>
    # Indexes turns on directory listings; omit it to prevent them
    Options Indexes FollowSymLinks MultiViews
    # All lets .htaccess files override every directive type
    AllowOverride All
    Require all granted
</Directory>
Friday, November 13, 2020
Step 1: Install certbot-auto tool
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
Move the script to a directory in your PATH.
sudo mv certbot-auto /usr/local/bin
Confirm that it works.
sudo certbot-auto --version
Step 2: Stop Zimbra Proxy Service
We need to stop the jetty or nginx services before we can configure them to use the Let’s Encrypt SSL certificate.
$ sudo su - zimbra -c "zmproxyctl stop"
Stopping proxy...done.
$ sudo su - zimbra -c "zmmailboxdctl stop"
Stopping mailboxd...done.
Step 3: Obtain Let’s Encrypt SSL Certificate
Once the Zimbra proxy and mailboxd services are stopped, we can proceed to request a Let’s Encrypt certificate in auto mode. Make sure you pass all the hostnames used by your mail server.
# export EMAIL="[email protected]"
# certbot-auto certonly --standalone \
  -d mail.computingforgeeks.com \
  --preferred-challenges http \
  --agree-tos \
  -n \
  -m "$EMAIL" \
  --keep-until-expiring
You can find all your files under /etc/letsencrypt/live/$domain
$ ls -lh /etc/letsencrypt/live/mail.computingforgeeks.com
total 4.0K
lrwxrwxrwx. 1 root root 50 Jul 5 23:42 cert.pem -> ../../archive/mail.computingforgeeks.com/cert1.pem
lrwxrwxrwx. 1 root root 51 Jul 5 23:42 chain.pem -> ../../archive/mail.computingforgeeks.com/chain1.pem
lrwxrwxrwx. 1 root root 55 Jul 5 23:42 fullchain.pem -> ../../archive/mail.computingforgeeks.com/fullchain1.pem
lrwxrwxrwx. 1 root root 53 Jul 5 23:42 privkey.pem -> ../../archive/mail.computingforgeeks.com/privkey1.pem
-rw-r--r--. 1 root root 692 Jul 5 23:42 README