Debian Unattended Security Updates

Follow these instructions and set your email to receive notifications.

https://wiki.debian.org/UnattendedUpgrades

apt-get install unattended-upgrades apt-listchanges

nano /etc/apt/apt.conf.d/50unattended-upgrades

Set your email to receive notifications:

Unattended-Upgrade::Mail "your@email.com";

To activate unattended-upgrades, you need to ensure that the apt configuration stub /etc/apt/apt.conf.d/20auto-upgrades contains at least the following lines:

# editor /etc/apt/apt.conf.d/20auto-upgrades

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Running the following writes that file for you:

dpkg-reconfigure -plow unattended-upgrades

Alternatively, you can also create the apt configuration file /etc/apt/apt.conf.d/02periodic to activate unattended-upgrades:

# nano /etc/apt/apt.conf.d/02periodic

Below is an example /etc/apt/apt.conf.d/02periodic:

// Control parameters for cron jobs by /etc/cron.daily/apt-compat //

// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";

// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";

// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";

// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "21";

// Send report mail to root
//     0:  no report             (or null string)
//     1:  progress report       (actually any string)
//     2:  + command outputs     (remove -qq, remove 2>/dev/null, add -d)
//     3:  + trace on
APT::Periodic::Verbose "2";

Unattended-Upgrade::Mail "your@email.com";

Optimal secure SSL Cipher Configuration for Apache and Nginx

# apache
SSLProtocol all -SSLv2 -SSLv3
# RC4 is broken and is not specified in the allowed ciphers; 3DES is used instead for legacy connections, still somewhat secure
SSLHonorCipherOrder on
SSLCipherSuite "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES"

# nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
# alternative, using the same list as the Apache config above (nginx uses the last ssl_ciphers it reads):
ssl_ciphers "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES";

REFERENCES

http://security.stackexchange.com/questions/51680/optimal-web-server-ssl-cipher-suite-configuration

HAProxy SSL SNI Configuration

http://blog.haproxy.com/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

Adding SSL Cert

Create the SSL bundle (PEM) in this order: certificate, intermediate, intermediate, key.

Modify haproxy.cfg to look like this:

# Single VIP with sni content switching
frontend ft_ssl_vip
bind 10.10.10.0:443 ssl crt /etc/ssl/certs/your.bundle.pem
mode tcp

Creds:

http://serverfault.com/questions/622206/haproxy-1-5-3-openssl-creating-pem



SSH Public key failed authentication

Set permissions with:

chmod 700 .ssh
chmod 600 .ssh/authorized_keys

if you find the following in your logs:

sshd[28426]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key

sshd[28426]: Authentication refused: bad ownership or modes for file /home/beta/.ssh/authorized_keys

The "Could not load host key" line only means that host key file is absent and is not the cause; the "bad ownership or modes" line is what the chmod commands above fix.

Check the logs for clues.

For Debian:

less /var/log/auth.log

For Redhat:

less /var/log/secure

References:

http://unix.stackexchange.com/questions/163570/ssh-failed-public-key-authentication
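An added check for the "bad ownership or modes" condition above (example code written for these notes, not from the linked answer): it audits a user's .ssh directory the way sshd's StrictModes does, then applies the two chmod commands. It assumes GNU stat (stat -c) and takes the .ssh path and the expected owner as arguments.

```shell
# Check a user's .ssh directory the way sshd's StrictModes does before it will
# read authorized_keys: the home directory, .ssh and authorized_keys must be
# owned by the user and must not be writable by group or others.
# Usage: check_ssh_perms /home/USER/.ssh USER  -> returns 0 if ok, 1 otherwise
check_ssh_perms() {
  sshdir=$1
  user=$2
  rc=0
  for path in "$(dirname "$sshdir")" "$sshdir" "$sshdir/authorized_keys"; do
    if [ ! -e "$path" ]; then
      echo "missing: $path"
      rc=1
      continue
    fi
    mode=$(stat -c '%a' "$path")   # e.g. 775 or 2775 (GNU stat assumed)
    owner=$(stat -c '%U' "$path")
    if [ "$owner" != "$user" ]; then
      echo "bad ownership: $path owned by $owner, expected $user"
      rc=1
    fi
    # 022 masks the group-write and other-write bits; the leading 0 makes the
    # arithmetic read stat's output as octal, so setgid directories work too
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
      echo "bad modes: $path is $mode (group/other writable)"
      rc=1
    fi
  done
  return $rc
}

# Apply the fix from the notes: chmod 700 .ssh and chmod 600 authorized_keys.
fix_ssh_perms() {
  chmod 700 "$1" && chmod 600 "$1/authorized_keys"
}
```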

Set apache to run under current user (Ubuntu desktop 14)

Using the command:

sudo nano /etc/apache2/envvars

change the user and group to yourself; if there is only one user you will never have permissions problems again.

i.e., if you are only logging in and running the server as user 'big_dog':

export APACHE_RUN_USER=big_dog
export APACHE_RUN_GROUP=big_dog

Heck, for that matter you could change that user to the current user, I'm sure, somehow. Then, install user_dir and you all have webs only you can have full control of (unless you modify this).

Restart the server (if unsure, just reboot or google) and you are good to go.

Creds: http://askubuntu.com/questions/97810/how-to-make-apache-run-as-current-user

LAMP Permissions Ubuntu, Debian

First, you should ensure that your username is included in the www-data group. If not, you can add your username to the www-data group:

sudo adduser user www-data

Replace user with your username.

After that, you should change the ownership of /var/www to your username:

sudo chown user:www-data -R /var/www

Next step, you should change permissions to 755; changing permissions to 777 is not recommended for security reasons:

sudo chmod 0755 -R /var/www
sudo chmod g+s -R /var/www

Single line command:

sudo chmod 0755 -R /var/www/html/myfolder && sudo chmod g+s -R /var/www/html/myfolder

Creds: http://askubuntu.com/questions/162866/correct-permissions-for-var-www-and-wordpress

For executable files, the setgid bit (g+s) means that when the file is executed, it runs as the group that owns the file, not the group of the user executing it. On directories it instead makes newly created files and subdirectories inherit the directory's group, which is why it is applied to /var/www here.

This is useful if you want users to be able to assume the permissions of a particular group just for running one command.

This can represent a security risk when the file's group is more privileged than the user's group.

Generally, this is safe to use with Apache, as it allows the user's web folder files to be manipulated by the Apache group, which is the intended behaviour. The Apache group www-data is not considered an elevated group: it grants no unsafe operations beyond what the web server already performs programmatically.

In other words, the following does not constitute a security risk, as the www folder is already assigned the www-data group:

sudo chmod g+s -R /var/www

Disable and Delete .DS_Store file creation on OS X

Run the command described here first:

http://osxdaily.com/2010/02/03/how-to-prevent-ds_store-file-creation/

Then run the command described below, then reboot. For good measure run it again. Also, if you have external disks connected, you may want to delete .DS_Store files that were created on them by specifying the path and running the command below for each mounted device.

http://osxdaily.com/2012/07/05/delete-all-ds-store-files-from-mac-os-x/