Vagrant maintenace i.e. Box clean up

I use vagrant alot,

If you do not prune and / or removed unsed box you can quiet easily see yourself waisting space.

Case in point.

bclark@bclark:~$ du -sh .vagrant.d/boxes/
5.7G    .vagrant.d/boxes/


If you want to see what boxes you have:

vagrant box list

i.e.
bclark@bclark:~$ vagrant box list
debian/stretch64 (virtualbox, 9.5.0)
debian/stretch64 (virtualbox, 9.7.0)
debian/stretch64 (virtualbox, 9.8.0)
debian/stretch64 (virtualbox, 9.9.0)
ubuntu/bionic64  (virtualbox, 20190212.1.0)
ubuntu/trusty64  (virtualbox, 20180814.0.0)
ubuntu/xenial64  (virtualbox, 20190325.0.0)


To clean up you can use:

vagrant box remove debian/stretch64 --box-version 9.5.0

HTH
Brent

Modsecuritys upload / scanning testing

If you ever need to test Modsecuritys upload / scanning function, here a method.

curl -k -i -F 'upload=@"//tmp/bad.txt"' https://$domain/


HTH
Brent

Easiest way to scp files from host to Vagrant guest (or visa versa)

If you running a vagrant instance, and you forgot to set up file sharing, but *now* you need to copy a file off to a guest, or on a guest.

Here is a method, I used to save my bacon.

Try this:

vagrant plugin install vagrant-scp (From vagrant-scp)

And then the method is

 
vagrant scp <some_local_file_or_dir> [vm_name]:<somewhere_on_the_vm>

To get "vm_name" you need to run:

vagrant global-status

In my instance:

bclark@bclark:~/Vagrant_Projects/Imapproxy$ vagrant global-status
id       name         provider   state    directory                                          
--------------------------------------------------------------------------------------------- 
5250600  default      virtualbox running  /home/bclark/Vagrant_Projects/Imapproxy

Then to copy the files, I run:

vagrant scp 5250600:/etc/dovecot /path/to/where/you/want/it/stored

HTH
Brent

If you are having to use rsync, and transferring a lot of data. I find -z (--compress) is a great bandwith and time saver.

But the caveat is compressing already compressed data. It does not make sense to (re)compress. Therefore '--skip-compress=' is to the rescue.

The rsync man pages say, the list needs to be seperated by forward slashes (/). I dont know why forward slashes, when pretty much every other script / program makes use of commas.

Here is a list I found and all you need to do is:

export RSYNC_SKIP_COMPRESS=3g2/3gp/3gpp/7z/aac/ace/amr/apk/appx/appxbundle/arc/arj/asf/avi/bz2/cab/crypt5/crypt7/crypt8/deb/dmg/drc/ear/gz/flac/flv/gpg/iso/jar/jp2/jpg/jpeg/lz/lzma/lzo/m4a/m4p/m4v/mkv/msi/mov/mp3/mp4/mpeg/mpg/mpv/oga/ogg/ogv/opus/png/qt/rar/rpm/rzip/s7z/sfx/svgz/tbz/tgz/tlz/txz/vob/wim/wma/wmv/xz/z/zip


rsync -vaz --skip-compress=$RSYNC_SKIP_COMPRESS /source /target

HTH

Verify all account password hashes are shadowed

Heres how to verify that all your account password hashes, are shadowed. 

 

The command below should return “x”: 

 

# cut -d: -f2 /etc/passwd|uniq 

HTH 

Quicky secure Apache

LAMP stack which stands for Linux, Apache, MySQL/MariaDB and PHP/Python/Perl is a very popular model for serving websites.

This is my take on quickly and briefly apache on your server.

Securing Apache:

The default for Apache reveals a little too much about the server. Lets start by hiding some of that information, by editing:

sudo apt-get install libapache2-modsecurity

sudo vi /etc/apache2/conf-available/custom_security.conf

Paste the following:

ServerSignature Off

ServerTokens Prod 

TraceEnable Off
Options all -Indexes
Header unset ETag
Header always unset X-Powered-By
FileETag None

Run:

 
sudo a2enmod headers

sudo a2enconf custom_security.conf

sudo /etc/init.d/apache2 restart

Configuring mod_security:

sudo a2enmod security2

Configure the module and enable the OWASP ModSecurity Core Rule Set (CRS):

sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

vi /etc/modsecurity/modsecurity.conf 

Paste:

 
SecRuleEngine On
SecResponseBodyAccess Off
SecRequestBodyLimit 8388608
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 262144

sudo rm -rf /usr/share/modsecurity-crs
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs

sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

sudo vi /etc/apache2/mods-enabled/security2.conf

<IfModule security2_module>
  SecDataDir      /var/cache/modsecurity
  IncludeOptional /etc/modsecurity/*.conf
  IncludeOptional "/usr/share/modsecurity-crs/*.conf"
  IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf
</IfModule>

sudo /etc/init.d/apache2 restart

Be sure to keep an eye on the apache and mod_security logs but running:

sudo tail -f /var/log/apache2/*.log /var/log/mod_evasive/*

Automatic updates:

Last but not least, automatic updates. I know I said, this blog post is to secure apache, but one thing I am an advocate of, is secure your server. If you are a one man show, use unattended-upgrades.

Unattended-upgrades purpose is to keep the server current, up to date with the latest security (and other) updates automatically. This alone will allow you too sleep safe and tight at night. :)

sudo apt-get install unattended-upgrades

For extra security look at mod_evasive, and dont forget fail2ban.

Puppetserver refuses to start with /tmp mounted noexec.

Im in the process of investigating and moving our code base to Puppet 4.

I came across something very interesting today, in that Puppet 4 does not like /tmp to be mounted noexec.

Now, we mount /tmp with nosuid and noexec as per the recommendation in the Securing Debian Manual.

After much hours of trouble shooting I came across "Puppet Server run issue when /tmp/ directory mounted noexec" (And I dont know why I didnt read this in the first place.)

As per the recommendation, you basically need to add to /etc/default/puppetserver.


JAVA_ARGS="-Xms2g -Xmx2g -Djava.io.tmpdir=/var/tmp"

HTH

Brent